https://wiki.mikrotik.com/api.php?action=feedcontributions&user=Guntis&feedformat=atomMikroTik Wiki - User contributions [en]2024-03-29T06:54:05ZUser contributionsMediaWiki 1.38.2https://wiki.mikrotik.com/index.php?title=Manual:TR069-client&diff=34616Manual:TR069-client2024-02-28T16:13:43Z<p>Guntis: </p>
<hr />
<div>TR069-client implements CPE WAN Management Protocol (CWMP) for remote device management, which is standardized by the Broadband Forum (BBF).<br />
CWMP works over IP network using HTTP(S) to communicate with an Auto Configuration Server (ACS), which can monitor, configure attributes and update the firmware of a remote device.<br />
<br />
Typically used by ISPs to manage CPEs, but also can be used for Network Infrastructure Device management.<br />
<br />
==Configuration Settings==<br />
<br />
TR069-client menu parameters.<br />
The package is first available in RouterOS 6.38. When it is installed, the configuration is in ''/tr069-client''.<br />
<br />
====Writable Settings====<br />
<br />
Client configuration settings.<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''enabled'''<br />
|style="border-bottom:1px solid gray;" valign="top"|enable/disable CWMP protocol<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''acs-url'''<br />
|style="border-bottom:1px solid gray;" valign="top"|URL of ACS. Examples: "https://example.com:8080/path/", "http://192.168.1.100/"<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''username'''<br />
|style="border-bottom:1px solid gray;" valign="top"|HTTP authentication username (used by CPE to "login" into ACS)<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''password'''<br />
|style="border-bottom:1px solid gray;" valign="top"|HTTP authentication password (used by CPE to "login" into ACS)<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''periodic-inform-enabled'''<br />
|style="border-bottom:1px solid gray;" valign="top"|enable/disable CPE periodical session initiation. Timer is started after every successful session. When session is started by periodic interval then Inform RPC contains "2 PERIODIC" event. Maps to "Device.ManagementServer.PeriodicInformEnable" Parameter<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''periodic-inform-interval'''<br />
|style="border-bottom:1px solid gray;" valign="top"|timer interval of periodic inform. Maps to "Device.ManagementServer.PeriodicInformInterval"<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''client-certificate'''<br />
|style="border-bottom:1px solid gray;" valign="top"|certificate of client/CPE, which can be used by ACS for extra authentication<br />
|}<br />
<br />
====Read-only Settings====<br />
Read-only parameters to monitor the state of the client.<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"| '''status'''<br />
|style="border-bottom:1px solid gray;" valign="top"| informative status of CWMP. <br />
*disabled - protocol disabled, <br />
*waiting-URL - protocol enabled, but ACS URL not configured, <br />
*running - CWMP is configured correctly and will communicate with ACS on events<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''last-session-error'''<br />
|style="border-bottom:1px solid gray;" valign="top"|user-friendly error description indicating why the previous session didn't finish successfully<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''retry-count'''<br />
|style="border-bottom:1px solid gray;" valign="top"|consecutive unsuccessful session count. If > 0, then last-session-error should indicate error. Resets to 0 on a successful session, disabled protocol or reboot<br />
|}<br />
<br />
====Commands====<br />
<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Command<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''reset-tr069-config'''<br />
|style="border-bottom:1px solid gray;" valign="top"|completely resets and forgets tr069-client configuration and state (without affecting other ROS configurations). Use when CWMP goes into unresponsive/hanged state and should be restored without re-installation of the RouterOS.<br />
|}<br />
<br />
==CWMP Session==<br />
The CWMP client usually starts communication (a Session) with the ACS on different events: first boot, reboot, periodic interval, remote request, value change, etc.<br />
In each session, CPE and ACS can call RPCs to be "executed" on the other side. CPE always starts with Inform RPC, which contains connection reason, device info and some Parameter values depending on configuration.<br />
When CPE has nothing more to say, then ACS executes its RPCs (which most of the time are Parameter management RPCs).<br />
<br />
==Parameters and Data Models==<br />
Parameters are simple name+value pairs and each vendor can decide which Parameters to support in its devices. A combination of all supported Parameters is called a Data Model (DM). BBF defines three root Data Models (TR-098, TR-181:1, TR-181:2) on which vendors should base their supported Parameters. '''RouterOS Data Model is based on "TR-181 Issue 2 Amendment 11"''', which is the newest DM and recommended by BBF.<br />
<br />
[https://help.mikrotik.com/docs/display/ROS/TR-069#TR069-ParametersandDataModels RouterOS TR069 client supported parameter reference document]<br />
<br />
==Download RPC==<br />
<br />
<br />
====RouterOS Update (1 Firmware Upgrade Image)====<br />
CWMP standard defines that CPE's firmware can be updated using Download RPC with FileType="1 Firmware Upgrade Image" and single URL of a downloadable file (HTTP and HTTPS are supported). Standard also states that downloaded file can be any type and vendor specific process can be applied to finish firmware update. Because MikroTik's update is package based (and also for extra flexibility), an XML file is used to describe firmware upgrade/downgrade. For now, XML configuration supports providing multiple URLs of files, which will be downloaded and applied similarly as regular RouterOS update through firmware/package file upload.<br />
<br />
An example of RouterOS bundle package and tr069-client package update (don't forget to also update tr069-client package).<br />
An XML file should be put on some HTTP server, which is accessible from CPE for download.<br />
Also, downloadable RouterOS package files should be accessible the same way (can be on any HTTP server).<br />
Using the ACS, execute a Download RPC with a URL pointing to the XML file (e.g. "https://example.com/path/upgrade.xml") with the following contents:<br />
<br />
 <upgrade version="1" type="links"><br />
     <config/><br />
     <links><br />
         <link><br />
             <url>https://example.com/routeros-mipsbe-X.Y.Z.npk</url><br />
         </link><br />
         <link><br />
             <url>https://example.com/tr069-client-X.Y.Z-mipsbe.npk</url><br />
         </link><br />
     </links><br />
 </upgrade><br />
<br />
CPE will download XML, parse/validate its contents, download files from provided URLs and try to upgrade. The result will be reported with TransferComplete RPC.<br />
<br />
{{Warning|Use HTTPS in production for firmware management}}<br />
<br />
{{Note|Always make firmware updates incremental - first, update locally tested device and make sure that CWMP communication is resumed with a new version and required ROS functionality works. Secondly, repeat steps by updating groups of CPEs incrementally. We do not recommend updating all remote devices at once.}}<br />
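<br />
A pre-publication check for the upgrade descriptor described above, as an added example that is not MikroTik's code and not the validation the CPE itself performs. It applies the HTTPS warning and the tr069-client reminder from this section; the function names, the sample descriptors, the DOCTYPE rejection and the version comparison (based on the file-name pattern in the example above) are assumptions.<br />

```python
"""Lint a RouterOS TR-069 upgrade descriptor before an ACS points CPEs at it.

Added example: names, sample data and the version comparison are assumptions.
"""
import posixpath
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the version is the first dotted number in the file name, as in
# routeros-mipsbe-X.Y.Z.npk and tr069-client-X.Y.Z-mipsbe.npk.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


def package_info(url):
    """Return (scheme, file name, version or None) for one package URL."""
    parts = urlparse(url)
    name = posixpath.basename(parts.path)
    match = VERSION_RE.search(name)
    return parts.scheme, name, match.group(0) if match else None


def check_upgrade_descriptor(xml_text, require_https=True):
    """Return a list of findings; an empty list means the descriptor passed."""
    # The format uses plain elements only, so refuse DTDs before parsing
    # (keeps entity-expansion tricks away from the XML parser).
    if "<!DOCTYPE" in xml_text.upper():
        return ["DOCTYPE declaration is not expected in an upgrade descriptor"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if (root.tag, root.get("version"), root.get("type")) != ("upgrade", "1", "links"):
        findings.append('root element must be <upgrade version="1" type="links">')

    urls = [(el.text or "").strip() for el in root.findall("./links/link/url")]
    if not urls:
        findings.append("no <links>/<link>/<url> entries to download")

    versions = {}
    for url in urls:
        scheme, name, version = package_info(url)
        if scheme not in ("http", "https"):
            findings.append(f"{url}: only HTTP and HTTPS downloads are supported")
        elif require_https and scheme != "https":
            findings.append(f"{url}: plain HTTP, use HTTPS in production")
        if not name.endswith(".npk"):
            findings.append(f"{url}: not a RouterOS .npk package")
        versions[name] = version

    # The page's reminder: update tr069-client together with the bundle.
    has_routeros = any(n.startswith("routeros-") for n in versions)
    has_tr069 = any(n.startswith("tr069-client-") for n in versions)
    if has_routeros and not has_tr069:
        findings.append("routeros bundle listed without the tr069-client package")
    # Assumption: all listed packages should carry the same version.
    if len(set(versions.values())) > 1:
        listed = ", ".join(f"{n}={v}" for n, v in sorted(versions.items()))
        findings.append(f"package versions differ: {listed}")
    return findings


# Constructed sample descriptors (example.com and the versions are placeholders).
GOOD = """<upgrade version="1" type="links">
  <config/>
  <links>
    <link><url>https://example.com/routeros-mipsbe-6.49.10.npk</url></link>
    <link><url>https://example.com/tr069-client-6.49.10-mipsbe.npk</url></link>
  </links>
</upgrade>"""

# Plain HTTP and no tr069-client package.
BAD = """<upgrade version="1" type="links">
  <config/>
  <links>
    <link><url>http://example.com/routeros-mipsbe-6.49.10.npk</url></link>
  </links>
</upgrade>"""

# HTTPS, but the two packages come from different releases.
MIXED = GOOD.replace("tr069-client-6.49.10", "tr069-client-6.48.6")

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD), ("MIXED", MIXED)):
        print(label, check_upgrade_descriptor(doc) or "ok")
```

Run it against the descriptor before the ACS issues the Download RPC; pass require_https=False only for lab setups on a private network.<br />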
<br />
====Configuration Change (3 Vendor Configuration File)====<br />
The same Download RPC can be used to perform complete configuration overwrite (as intended by standard) OR configuration alteration (when URL's filename extension is ".alter").<br />
<br />
======Alter configuration ======<br />
RouterOS has a lot of configuration attributes and not everything can be ported to CWMP Parameters. That is why RouterOS provides a way to execute its powerful scripting language to configure any attribute. A configuration alteration (which is really a regular script execution) can be performed using Download RPC FileType="3 Vendor Configuration File" with the downloadable file extension ".alter". This powerful feature can be used to configure any ROS attributes which are not available through CWMP Parameters.<br />
<br />
======Overwrite all configurations======<br />
<br />
<br />
Full ROS configuration overwrite can be performed using Download RPC FileType="3 Vendor Configuration File" with any URL file name (except with ".alter" extension).<br />
<br />
<br />
{{warning|Provided configuration file(script) must be "smart" enough to apply configuration correctly right after reboot. This is especially important when using uploaded configuration file with Upload RPC, because it only contains values export. Some things that should be added manually:<br />
* delay at beginning, for interfaces to show up;<br />
* hidden passwords for users;<br />
* certificates.<br />
<br />
}}<br />
<br />
====RouterOS default configuration change (X MIKROTIK Factory Configuration File)====<br />
This vendor-specific FileType allows changing the RouterOS default configuration script that is executed when the '''/system reset-configuration''' command is executed (or when the router configuration is being reset by other means).<br />
{{Warning|Use this with caution as the failure of uploaded script may render device inoperable and/or inaccessible by the ACS}}<br />
{{Note|If the default configuration script is changed it will not be displayed by '''/system default-configuration print''' as it is the case if that script is altered via Netinstall tool. That command will always show the default script set up by MikroTik}}<br />
<br />
==FactoryReset RPC==<br />
This is CWMP standard RPC, which performs RouterOS configuration factory-reset. The reset process is performed in the same way as executing the command:<br />
 /system reset-configuration skip-backup=yes<br />
<br />
Note that the default factory configuration can be different for each device (see [http://wiki.mikrotik.com/wiki/Manual:Default_Configurations]) and execution of this command removes all configurations and executes internally stored default-configuration script.<br />
<br />
[http://wiki.mikrotik.com/wiki/Tr069-best-practices Best Practices Guide for preparing CPE with custom factory settings for TR069]<br />
<br />
==Upload RPC==<br />
====Upload current configuration (1 Vendor Configuration File)====<br />
The result of this is a file uploaded to the ACS with the same contents as the output of the '''/export''' command in RouterOS.<br />
<br />
====Upload log file (2 Vendor Log File)====<br />
The result of this is a file uploaded to the ACS with contents similar to the output of the '''/log print''' command in RouterOS.<br />
<br />
====Upload default configuration (X MIKROTIK Factory Configuration File)====<br />
The result of this is a file uploaded to the ACS that contains the currently set default configuration script, which will be executed if the '''/system reset-configuration''' command is executed. It may differ from the one returned by '''/system default-configuration print'''.<br />
<br />
==Security==<br />
* HTTP should only be used when testing the initial setup in a secured/private network, because a man-in-the-middle attacker could read/change configuration parameters. '''In the production environment, HTTPS is a MUST'''.<br />
* CWMP's incoming connection validation by design is safe because CPE will not communicate with any other device except previously configured ACS. Connection Request only signals CPE to start a new connection + new session with previously configured ACS.<br />
<br />
==Tested ACSs==<br />
Ordering is alphabetical. MikroTik does not imply the superiority of any one vendor over another. If an ACS is missing, you can notify us of its existence and it might be added to the list.<br />
<br />
====Commercial====<br />
<br />
We have tested the following commercial ACS solutions and verified them to be working:<br />
<br />
* [https://www.avsystem.com AVSystem]<br />
* [http://axiros.com Axiros]<br />
* [http://friendly-tech.com Friendly Tech]<br />
<br />
====Open Source====<br />
<br />
* [https://github.com/zaidka/genieacs GenieACS]<br />
<br />
<br />
Note: the ACS systems below do not seem to be maintained and thus are not suggested as useful options.<br />
* [https://github.com/freeacs FreeACS]<br />
* [https://github.com/navisidhu/libreacs LibreACS]</div>Guntishttps://wiki.mikrotik.com/index.php?title=MikroTik_Wiki:About&diff=34610MikroTik Wiki:About2024-01-22T15:14:19Z<p>Guntis: </p>
<hr />
<div>=== Welcome to the MikroTik Wiki!! ===<br />
{{ Note | '''Our new documentation site can be found here:''' [https://help.mikrotik.com/docs/ help.mikrotik.com/docs/.] wiki.mikrotik.com is no longer being updated. }}<br />
<br />
The MikroTik documentation can be identified by the article address, all official documents are prefixed with '''Manual:''', they [[:Category:Manual#list|are listed here]].</div>Guntishttps://wiki.mikrotik.com/index.php?title=RouterBOARD_hardware&diff=34609RouterBOARD hardware2024-01-22T15:12:24Z<p>Guntis: </p>
<hr />
<div>{{ Note | '''Our new documentation site can be found here:''' [https://help.mikrotik.com/docs/ help.mikrotik.com/docs/.] wiki.mikrotik.com is no longer being updated. }}<br />
<br />
== MikroTik product guides == <br />
<br />
These articles contain the first steps to start using our products, as well as specific information about ports, LED status indicators and other useful information.<br />
<br />
=== Wireless systems ===<br />
<br />
* [[SXT 6]]<br />
<br />
== General hardware information ==<br />
<br />
* [[RouterBOARD Troubleshooting]]<br />
* [[MikroTik Password Recovery]]<br />
* [[Manual:Netinstall|Netinstall]] - How to install or re-install RouterOS on to a RouterBoard<br />
* [[Bootloader upgrade|Upgrading RouterBOARD Bootloader]]<br />
* [[Serial Console]] - How to access the Command Console via the Serial Port of a RouterBoard<br />
* [[Manual:Default_Configurations|List of Default Configuration files for RouterBOARD devices]]<br />
* [[RouterBOOT changelog]]<br />
<br />
== Compatibility related articles == <br />
<br />
* [[Manual:PoE-Out|PoE-Out on MikroTik devices]]<br />
* [[Manual:TOC/MikroTik_POE_in_compatibility_table|MikroTik POE in compatibility table]]<br />
* [[Switch_Chip_Features|RouterBOARD Switch chips]]<br />
* [[Manual:USB_Features|RouterBOARD USB port capability table]]<br />
* [[MikroTik wired interface compatibility]]<br />
<br />
* [[Manual:Peripherals|Peripherals]] - MikroTik and other vendor supported/unsupported peripheral list.<br />
* [[Media:RouterOS_6_Encryption_Details.pdf|RouterOS encryption compatibility for Russia]]<br />
* [[Media:PowerLine_product_encryption_details.pdf|PowerLine encryption details for Russia]]<br />
<br />
== Legacy articles ==<br />
<br />
* [[Manual:Grounding|Grounding and ESD protection]]<br />
* [[Mini-PCI_(In)Compatibility]] - List of Mini-PCI radios which are known to work well or (and not at all).<br />
* [[Solar Power HOWTO]] - How to design and build a solar power system for Routerboard devices (includes examples).<br />
* [[Manual:RB500_Linux_SDK|RouterBOARD 532 Linux SDK]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:TOC&diff=34608Manual:TOC2024-01-22T15:11:49Z<p>Guntis: </p>
<hr />
<div>{{ Note | '''Our new documentation site can be found here:''' [https://help.mikrotik.com/docs/ help.mikrotik.com/docs/.] wiki.mikrotik.com is no longer being updated. }}<br />
<br />
__NOTOC__<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''General'''<br />
|title-center=<br />
|title-right=<br />
|content-left=<br />
'''Basic'''<br />
* [[M:First_time_startup | First Time Startup]]<br />
* [[M:Initial_Configuration | Initial Configuration using WebFig]]<br />
* [[M:Console_login_process | Console Login Process]]<br />
* [[Manual:Troubleshooting_tools | Troubleshooting Tools]]<br />
* [[Manual:Support_Output_File | Support output file]]<br />
* [[Manual:Securing_Your_Router | Securing your router]]<br />
* [[Manual:RouterOS_FAQ | RouterOS FAQ]]<br />
* [[Manual:Connection_oriented_communication_(TCP/IP) | Connection Oriented Communication (TCP/IP)]]<br />
* [[Manual:Router AAA | Router users and groups]]<br />
<br />
<br />
'''Management tools'''<br />
* [[M:Console | Console]]<br />
* [[M:Winbox | Winbox]]<br />
* [[M:Webfig | WebFig]]<br />
* [[M:Quickset | QuickSet]]<br />
* [[M:CAPsMAN | CAPsMAN]]<br />
<br />
|content-center=<br />
'''RouterOS Licensing'''<br />
* [[M:License | License]]<br />
* [[M:Purchasing_a_License_for_RouterOS | Purchasing a License for RouterOS]]<br />
* [[M:Entering_a_RouterOS_License_key | Entering a RouterOS License key]]<br />
* [[M:Replacement_Key | Replacement Key]]<br />
<br />
'''Hardware'''<br />
* [[Manual:RouterBOARD_settings | RouterBOARD settings]]<br />
* [[Manual:RouterBOOT | RouterBOOT]]<br />
* [[M:PoE-In | PoE input for RouterBOARD]]<br />
* [[M:Product_Naming | Product Naming]]<br />
* [[Manual:Peripherals | Supported peripherals]]<br />
* [[Manual:CHR | CHR]]<br />
<br />
|content-right=<br />
'''What's New'''<br />
* <span class="plainlinks">[https://mikrotik.com/download/changelogs What's new in v6]</span><br />
<br />
<br />
'''RouterOS Installation and packages'''<br />
* [[M:Default_Configurations | Default Configurations on RouterBOARDS]]<br />
* [[M:System/Packages | RouterOS package types]]<br />
* [[M:Upgrading_RouterOS | Upgrading RouterOS]]<br />
* [[M:Netinstall | Netinstall]]<br />
* [[M:Configuration_Management | Configuration Management]] <br />
<br />
}}<br />
<br />
<br />
=Bridging and switching=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<DynamicPageList><br />
category = Bridging and switching<br />
category = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Bridging and switching<br />
category = Case Studies<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Bridging and switching<br />
category = Examples<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=Multicast=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<DynamicPageList><br />
category = Multicast<br />
category = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Multicast<br />
category = Case Studies<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Multicast<br />
category = Examples<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=Wireless=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<DynamicPageList><br />
category = Wireless<br />
category = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Wireless<br />
category = Case Studies<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Wireless<br />
category = Examples<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=Interface=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:Interface<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Interface<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = Interface<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=IP=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:IP<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = IP<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = IP<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
}}<br />
<br />
=IPv6=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:IPv6<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = IPv6<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = IPv6<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=Routing=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Routing protocol case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:Routing<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<br />
'''BGP'''<br />
<DynamicPageList><br />
ordermethod = sortkey<br />
order = ascending<br />
category = Routing<br />
category = Manual<br />
category = BGP<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
'''OSPF'''<br />
<DynamicPageList><br />
ordermethod = sortkey<br />
order = ascending<br />
category = Routing<br />
category = Manual<br />
category = OSPF<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
'''Other'''<br />
<DynamicPageList><br />
notcategory = BGP<br />
notcategory = OSPF<br />
category = Routing<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = Routing<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
}}<br />
<br />
=MPLS=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<br />
* '''Interface'''<br />
**[[M:Interface/VPLS | vpls ]]<br />
**[[M:Interface/Traffic_Engineering | traffic-eng]]<br />
<br />
* '''MPLS'''<br />
**[[M:MPLS/LDP | ldp ]]<br />
<br />
<br />
|content-center=<br />
'''General'''<br />
* [[M:MPLS/Overview|MPLS Overview and RouterOS MPLS Implementation Status]]<br />
* [[M:MPLS/EXP bit behaviour | EXP bit behaviour]]<br />
* [[M:Maximum_Transmission_Unit_on_RouterBoards#MPLS.2FLayer-2.5.2FL2.5_MTU|L2MTU]]<br />
<br />
<br />
'''Layer2 VPN'''<br />
* [[M:MPLSVPLS|LDP and LDP based VPLS]]<br />
* [[M:BGP_based_VPLS|BGP based VPLS]]<br />
* [[M:Cisco_VPLS|Cisco style VPLS]]<br />
* [[M:VPLS_Control_Word|VPLS Control Word]]<br />
<br />
<br />
'''Layer3 VPN'''<br />
* [[M:Virtual Routing and Forwarding | Virtual Routing and Forwarding (VRF)]]<br />
* [[M:OSPF as PE-CE routing protocol | OSPF as PE-CE routing protocol]]<br />
* [[M:EBGP as PE-CE routing protocol | EBGP as PE-CE routing protocol]]<br />
<br />
<br />
'''Traffic Engineering'''<br />
* [[M:TE_Tunnels|TE Tunnels]]<br />
* [[M:TE_tunnel_auto_bandwidth|TE Tunnel Bandwidth Control]]<br />
<br />
<br />
<br />
|content-right=<br />
'''General'''<br />
* [[M:MPLS over PPPoE | MPLS over PPPoE]]<br />
<br />
<br />
'''Layer2 VPN'''<br />
* [[Manual:MPLS_L2VPN_vs_Juniper | P2P L2VPN to Juniper router]]<br />
<br />
<br />
'''Layer3 VPN'''<br />
* [[M:Layer-3 MPLS VPN example|A complete Layer-3 MPLS VPN example]]<br />
* [[VRF_Route_Leaking|VRF Route Leaking]]<br />
* [[M:Internet access from VRF|Internet access from VRF]]<br />
* [[M:Internet access from VRF with NAT|Internet access from VRF with NAT]]<br />
<br />
<br />
'''Traffic Engineering'''<br />
* [[M:Simple_TE | Simple TE configuration]]<br />
* [[M:TE Tunnels Example | TE tunnels for VPLS]]<br />
<br />
}}<br />
<br />
=System=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:System<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = System<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = System<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
}}<br />
<br />
=Tools=<br />
<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:Tools<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Tools<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = Tools<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}</div>Guntishttps://wiki.mikrotik.com/index.php?title=Main_Page&diff=34607Main Page2024-01-22T14:52:16Z<p>Guntis: </p>
<hr />
<div>=== Welcome to the MikroTik documentation wiki ===<br />
<br />
{{ Note | '''Our new documentation site can be found here:''' [https://help.mikrotik.com/docs/ help.mikrotik.com/docs/.] wiki.mikrotik.com is no longer being updated. }}<br />
<br />
{|style="width:700px"<br />
|[[Image:Ros.png|48px|link=M:TOC]] <br />
|'''[[M:TOC|MikroTik RouterOS]]''' <br/> RouterOS software documentation.<br />
|-<br />
|[[Image:Routerboard.png|link=RouterBOARD hardware]] <br />
|'''[[RouterBOARD hardware]]''' <br/> RouterBOARD hardware documentation.<br />
|-<br />
|[[Image:Dude.png|48px|link=The Dude]] <br />
|'''[[The Dude]]''' <br/> The Dude network monitoring utility for Windows.<br />
|-<br />
|[[Image:RB250GS.png|48px|link=SwOS]]<br />
|'''[[SwOS]]''' <br/>SwOS software for MikroTik switch products.<br />
|-<br />
|[[Image:News.png|48px|link=Newsletter]] <br />
|'''[[MikroTik News|MikroTik News]]''' <br/> The PDF newsletter with product announcements and software news. <br />
|}</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Scripting&diff=34599Manual:Scripting2023-08-16T13:32:48Z<p>Guntis: </p>
<hr />
<div>{{Versions| any}}<br />
<br />
==Scripting language manual==<br />
<br />
This manual provides an introduction to the powerful scripting language built into RouterOS.<br />
<br />
The scripting host provides a way to automate some router maintenance tasks by executing user-defined scripts bound to the occurrence of some event.<br />
<br />
Scripts can be stored in [[#Script_repository|Script repository]] or can be written directly to [[M:Console|console]].<br />
The events used to trigger script execution include, but are not limited to the [[M:System/Scheduler | System Scheduler]], the [[Manual:Tools/Traffic_Monitor | Traffic Monitoring Tool]], and the [[M:Tools/Netwatch | Netwatch Tool]] generated events.<br />
<br />
<br />
<br />
If you are already familiar with scripting in RouterOS, you might want to see our [https://wiki.mikrotik.com/wiki/Manual:Scripting_Tips_and_Tricks Tips & Tricks].<br />
<br />
===Line structure===<br />
<br />
RouterOS script is divided into a number of command lines. Command lines are executed one by one until the end of the script or until a runtime error occurs.<br />
<br />
<br />
====Command line====<br />
<br />
The RouterOS console uses the following command syntax:<br />
<br />
<code>[prefix] [path] command [uparam] [param=[value]] .. [param=[value]]</code><br />
<ul class="bullets"><br />
<li>[prefix] - ":" or "/" character which indicates if command is [[#Commands|ICE]] or path. May or may not be required.<br />
<li>[path] - relative path to the desired menu level. May or may not be required.<br />
<li>command - one of the [[#Commands|commands]] available at the specified menu level.<br />
<li>[uparam] - unnamed parameter, must be specified if command requires it.<br />
<li>[params] - sequence of named parameters followed by respective values<br />
</ul><br />
<br />
The end of command line is represented by the token <i>“;”</i> or <i>NEWLINE</i>. Sometimes <i>“;”</i> or <i>NEWLINE</i> is not required to end the command line. <br />
<br />
A single command inside <code>(), [] or {}</code> does not require any end-of-command character. The end of the command is determined by the content of the whole script:<br />
<pre><br />
:if ( true ) do={ :put "lala" }<br />
</pre><br />
Each command line inside another command line starts and ends with square brackets "[ ]" [[#Other_Operators|(command concatenation)]]. <br /><br />
<pre><br />
:put [/ip route get [find gateway=1.1.1.1]]; <br />
</pre><br />
Notice that code above contains three command lines:<br />
<ul class="bullets"><br />
<li>:put <br />
<li>/ip route get<br />
<li> find gateway=1.1.1.1<br />
</ul><br />
<br />
Command-line can be constructed from more than one physical line by following [[#Line_joining|line joining rules]].<br />
<br />
<br />
====Physical Line====<br />
<p>A physical line is a sequence of characters terminated by an end-of-line (EOL) sequence. Any of the standard platform line termination sequences can be used:<br />
<ul class="bullets"><br />
<li><b><var>unix</var></b> – ASCII LF;<br />
<li><b><var>windows</var></b> – ASCII CR LF;<br />
<li><b><var>mac</var></b> – ASCII CR;<br />
</ul><br />
Standard C conventions for newline characters can be used (the \n character).<br />
</p><br />
<br />
====Comments====<br />
<p>A comment starts with a hash character (#) and ends at the end of the physical line. Whitespace or any other symbols are not allowed before the hash symbol. Comments are ignored by the syntax. If a (#) character appears inside a string, it is not considered a comment.<br />
<h5>Example</h5><br />
<pre><nowiki><br />
# this is a comment<br />
 # bad comment<br />
:global a; # bad comment<br />
<br />
:global myStr "lala # this is not a comment"<br />
</nowiki></pre><br />
</p><br />
<br />
<br />
====Line joining====<br />
<p>Two or more physical lines may be joined into logical lines using the backslash character (\). A line ending in a backslash cannot carry a comment. A backslash does not continue a comment. A backslash does not continue a token except for string literals. A backslash is illegal elsewhere on a line outside a string literal. <br />
<br />
<h5>Example</h5><br />
<pre><nowiki><br />
:if ($a = true \<br />
and $b=false) do={ :put "$a $b"; }<br />
<br />
:if ($a = true \ # bad comment<br />
and $b=false) do={ :put "$a $b"; }<br />
<br />
# comment \<br />
continued – invalid (syntax error)<br />
<br />
</nowiki></pre><br />
</p><br />
<br />
<br />
====Whitespace between tokens====<br />
<p><br />
Whitespace can be used to separate tokens. Whitespace is necessary between two tokens only if their concatenation could be interpreted as a different token.<br />
<br />
Example:<br />
<pre><nowiki><br />
{ <br />
:local a true; :local b false; <br />
# whitespace is not required <br />
:put ($a&&$b); <br />
# whitespace is required<br />
:put ($a and $b); <br />
}<br />
</nowiki></pre><br />
Whitespace characters are not allowed<br />
<ul class="bullets"><br />
<li>between '<nowiki><parameter></nowiki>='<br />
<li>between 'from=' 'to=' 'step=' 'in=' 'do=' 'else='<br />
</ul><br />
Example:<br />
<pre><nowiki><br />
#incorrect:<br />
:for i from = 1 to = 2 do = { :put $i }<br />
#correct syntax:<br />
:for i from=1 to=2 do={ :put $i }<br />
:for i from= 1 to= 2 do={ :put $i } <br />
<br />
#incorrect<br />
/ip route add gateway = 3.3.3.3<br />
#correct<br />
/ip route add gateway=3.3.3.3<br />
<br />
</nowiki></pre><br />
<br />
</p><br />
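The comment, line-joining and whitespace rules above can be checked before a script file is imported on a router. The following Python sketch is an added example, not part of the original manual or of RouterOS; the function name <code>lint</code> and the rule names are hypothetical, and the check is a simplified heuristic that covers only the rules stated on this page (nested quotes inside <code>$()</code> or <code>$[]</code> in a string are not handled).

```python
import re

# Constructed sample assembled from this page's own examples (ASCII quotes).
SAMPLE = r'''# this is a comment
 # bad comment
:global a; # bad comment
:global myStr "lala # this is not a comment"
:if ($a = true \
and $b=false) do={ :put "$a $b"; }
:if ($a = true \ # bad comment
and $b=false) do={ :put "$a $b"; }
# comment \
continued
:for i from = 1 to = 2 do = { :put $i }
:for i from= 1 to= 2 do={ :put $i }
/ip route add gateway = 3.3.3.3
/ip route add gateway=3.3.3.3
'''

CLOSERS = {")": "(", "]": "[", "}": "{"}


def lint(script):
    """Return (line, rule, detail) findings for the lexical rules on this page."""
    findings = []
    in_string = False  # a string literal may continue across joined lines
    stack = []         # open (, [ and {; '=' directly inside ( ) is relational
    for lineno, line in enumerate(script.splitlines(), 1):
        # A valid comment has '#' as the very first character of the line.
        if not in_string and line.startswith("#"):
            if line.rstrip().endswith("\\"):
                findings.append((lineno, "comment-continued",
                                 "a backslash does not continue a comment"))
            continue
        i = 0
        while i < len(line):
            ch = line[i]
            if in_string:
                if ch == "\\":
                    i += 2  # skip the escaped character (or join at end of line)
                    continue
                if ch == '"':
                    in_string = False
            elif ch == '"':
                in_string = True
            elif ch == "#":
                findings.append((lineno, "comment-position",
                                 "'#' must be the first character of the line"))
                break
            elif ch == "\\":
                rest = line[i + 1:].strip()
                if rest.startswith("#"):
                    findings.append((lineno, "comment-after-join",
                                     "a line ending in a backslash cannot carry a comment"))
                    break
                if rest:
                    findings.append((lineno, "stray-backslash",
                                     "backslash outside a string is only legal at end of line"))
            elif ch in "([{":
                stack.append(ch)
            elif ch in CLOSERS:
                if stack and stack[-1] == CLOSERS[ch]:
                    stack.pop()
            elif (ch == "=" and i > 0 and line[i - 1] in " \t"
                  and (not stack or stack[-1] != "(")):
                # Outside ( ), '=' binds a parameter name and may not follow whitespace.
                name = re.search(r"([\w-]+)\s+$", line[:i])
                findings.append((lineno, "space-before-equals",
                                 name.group(1) if name else ""))
            i += 1
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
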
<br />
====Scopes====<br />
<p><br />
Variables can be used only in certain regions of the script. These regions are called scopes. Scope determines visibility of the variable. There are two types of scopes - <var>global</var> and <var>local</var>.<br />
A variable declared within a block is accessible only within that block and blocks enclosed by it, and only after the point of declaration.<br />
</p><br />
<br />
=====Global scope=====<br />
<br />
Global scope or root scope is the default scope of the script. It is created automatically and can not be turned off.<br />
<br />
<br />
=====Local scope=====<br />
<p><br />
Users can define their own groups to block access to certain variables. These groups are called local scopes. Each local scope is enclosed in curly braces ("{ }").<br />
<pre><br />
{<br />
:local a 3;<br />
{<br />
:local b 4;<br />
:put ($a+$b);<br />
}<br />
#line below will show variable b in light red color since it is not defined in scope<br />
:put ($a+$b);<br />
}<br />
</pre><br />
<br />
In the code above, variable <var>b</var> has local scope and will not be accessible after the closing curly brace. <br /><br />
</p><br />
<br />
{{Note | Each line written in terminal is treated as local scope }}<br />
For example, a local variable defined on one command line will not be visible on the next command line and will generate a syntax error:<br />
<pre><br />
[admin@MikroTik] > :local myVar a;<br />
[admin@MikroTik] > :put $myVar<br />
syntax error (line 1 column 7)<br />
</pre><br />
{{ Warning | <b>Do not define global variables inside local scopes.</b><br /> }}<br />
<p><br />
<br />
Note that even if a variable is defined as global, it will be available only from its scope unless it is not already defined.<br /><br />
<pre><br />
{<br />
:local a 3;<br />
{<br />
:global b 4;<br />
}<br />
:put ($a+$b);<br />
}<br />
</pre><br />
Code above will generate an error.<br /><br />
<br />
</p><br />
<br />
===Keywords===<br />
<p><br />
<br />
The following words are keywords and cannot be used as variable and function names:<br />
<pre><nowiki><br />
and or in<br />
</nowiki></pre><br />
<!--<br />
and or not<br />
do for foreach<br />
in from to while<br />
global local if else<br />
--><br />
</p><br />
<br />
<!-- ---------------------------------------------------------------------- --><br />
===Delimiters===<br />
<p><br />
The following tokens serve as delimiters in the grammar:<br />
<pre><nowiki><br />
() [] {} : ; $ / <br />
</nowiki></pre><br />
</p><br />
<br />
<br />
===Data types===<br />
<p><br />
The RouterOS scripting language has the following data types:<br />
<table class="styled_table"><br />
<tr><br />
<th width="150">Type</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td ><b><var>num (number)</var></b></td><br />
<td >- 64bit signed integer, possible hexadecimal input;</td><br />
</tr><br />
<tr><br />
<td ><b><var>bool (boolean)</var></b></td><br />
<td >- values can be <code>true</code> or <code>false</code>;</td><br />
</tr><br />
<tr><br />
<td ><b><var>str (string)</var></b></td><br />
<td >- character sequence;</td><br />
</tr><br />
<tr><br />
<td ><b><var>ip</var></b></td><br />
<td >- IP address;</td><br />
</tr><br />
<tr><br />
<td ><b><var>ip-prefix</var></b></td><br />
<td >- IP prefix;</td><br />
</tr><br />
<tr><br />
<td ><b><var>ip6</var></b></td><br />
<td >- IPv6 address</td><br />
</tr><br />
<tr><br />
<td ><b><var>ip6-prefix</var></b></td><br />
<td >- IPv6 prefix</td><br />
</tr><br />
<tr><br />
<td ><b><var>id (internal ID)</var></b></td><br />
<td >- hexadecimal value prefixed by '*' sign. Each menu item has assigned unique number - internal ID;</td><br />
</tr><br />
<tr><br />
<td ><b><var>time</var></b></td><br />
<td >- date and time value;</td><br />
</tr><br />
<tr><br />
<td ><b><var>array</var></b></td><br />
<td >- sequence of values organized in an array;</td><br />
</tr><br />
<tr><br />
<td ><b><var>nil</var></b></td><br />
<td >- default variable type if no value is assigned;</td><br />
</tr><br />
</table><br />
<br />
</p><br />
<br />
====Constant Escape Sequences====<br />
<p><br />
The following escape sequences can be used to define certain special characters within a string:<br />
<table class="styled_table"><br />
<tr><br />
<td ><b>\"</b></td><br />
<td >Insert double quote</td><br />
</tr><br />
<tr><br />
<td ><b>\\</b></td><br />
<td >Insert backslash</td><br />
</tr><br />
<tr><br />
<td ><b>\n</b></td><br />
<td >Insert newline</td><br />
</tr><br />
<tr><br />
<td ><b>\r</b></td><br />
<td >Insert carriage return</td><br />
</tr><br />
<tr><br />
<td ><b>\t</b></td><br />
<td >Insert horizontal tab</td><br />
</tr><br />
<tr><br />
<td ><b>\$</b></td><br />
<td >Output $ character. Otherwise $ is used to link variable.</td><br />
</tr><br />
<tr><br />
<td ><b>\?</b></td><br />
<td >Output ? character. Otherwise ? is used to print "help" in console.</td><br />
</tr><br />
<tr><br />
<td ><b>\_</b></td><br />
<td > - space</td><br />
</tr><br />
<tr><br />
<td ><b>\a</b></td><br />
<td > - BEL (0x07)</td><br />
</tr><br />
<tr><br />
<td ><b>\b</b></td><br />
<td > - backspace (0x08)</td><br />
</tr><br />
<tr><br />
<td ><b>\f</b></td><br />
<td > - form feed (0xFF)</td><br />
</tr><br />
<tr><br />
<td ><b>\v</b></td><br />
<td >Insert vertical tab</td><br />
</tr><br />
<tr><br />
<td ><b>\xx</b></td><br />
<td >Print character from hex value. Hex number should use capital letters.</td><br />
</tr><br />
</table><br />
<br />
<h5>Example</h5><br />
<pre><nowiki><br />
:put "\48\45\4C\4C\4F\r\nThis\r\nis\r\na\r\ntest";<br />
</nowiki></pre><br />
<br />
which will show on display<br /><br />
<code><br />
HELLO<br /><br />
This<br /><br />
is<br /><br />
a<br /><br />
test<br /><br />
</code><br />
</p><br />
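When reviewing an exported configuration, script bodies appear as escaped <code>source="..."</code> strings, so decoding them with the table above shows what the script actually runs. The following Python sketch is an added example, not part of the original manual; the names <code>decode_string</code> and <code>script_sources</code> are hypothetical, the sample export is constructed from the lease-script example on this page, and a hex pair is assumed to map directly to a character code.

```python
import re

# Single-character escapes from the table on this page.
SIMPLE = {'"': '"', "\\": "\\", "n": "\n", "r": "\r", "t": "\t",
          "$": "$", "?": "?", "_": " ", "a": "\a", "b": "\b",
          "f": "\f", "v": "\v"}
HEX = "0123456789ABCDEF"  # hex escapes must use capital letters
SOURCE_RE = re.compile(r'\bsource="')

# Constructed sample modelled on this page's lease-script example.
EXPORT = r'''/system script
add name=myLeaseScript policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":log info \$leaseActIP\r\
\n:log info \$leaseActMAC\r\
\n:log info \$leaseServerName\r\
\n:log info \$leaseBound"
/ip dhcp-server set myServer lease-script=myLeaseScript
'''


def decode_string(body):
    """Decode the inside of a double-quoted RouterOS string literal."""
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = body[i + 1:i + 3]
        if len(nxt) == 2 and nxt[0] in HEX and nxt[1] in HEX:
            # \XX: two capital hex digits, e.g. \4C is "L"
            out.append(chr(int(nxt, 16)))
            i += 3
        elif nxt == "\r\n":
            i += 3  # line joining inside a string (CR LF line ending)
        elif nxt[:1] in ("\n", "\r"):
            i += 2  # line joining inside a string (LF or CR line ending)
        elif nxt[:1] in SIMPLE:
            out.append(SIMPLE[nxt[0]])
            i += 2
        else:
            raise ValueError("unknown escape at offset %d: %r" % (i, body[i:i + 3]))
    return "".join(out)


def script_sources(export_text):
    """Return the decoded body of every source="..." string in an export."""
    found = []
    pos = 0
    while True:
        m = SOURCE_RE.search(export_text, pos)
        if m is None:
            return found
        i = m.end()
        # Scan to the closing quote, stepping over escaped characters.
        while i < len(export_text) and export_text[i] != '"':
            i += 2 if export_text[i] == "\\" else 1
        found.append(decode_string(export_text[m.end():i]))
        pos = i + 1


if __name__ == "__main__":
    print(decode_string(r"\48\45\4C\4C\4F\r\nThis\r\nis\r\na\r\ntest"))
    for source in script_sources(EXPORT):
        print(source)
```
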
<br />
===Operators===<br />
<p><br />
</p><br />
<br />
====Arithmetic Operators====<br />
<p><br />
Usual arithmetic operators are supported in RouterOS scripting language<br /><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="100">Operator</th><br />
<th width="300">Description</th><br />
<th >Example</th><br />
</tr><br />
<tr><br />
<td><b><var>"+"</var></b></td><br />
<td>binary addition</td><br />
<td><code>:put (3+4);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>"-"</var></b></td><br />
<td>binary subtraction</td><br />
<td><code>:put (1-6);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>"*"</var></b></td><br />
<td>binary multiplication</td><br />
<td><code>:put (4*5);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>"/"</var></b></td><br />
<td>binary division</td><br />
<td><code>:put (10 / 2); :put ((10)/2)</code></td><br />
</tr><br />
<tr><br />
<td><b><var>"%"</var></b></td><br />
<td>modulo operation</td><br />
<td><code>:put (5 % 3);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>"-"</var></b></td><br />
<td>unary negation</td><br />
<td><code>{ :local a 1; :put (-$a); }</code></td><br />
</tr><br />
</table><br />
</p><br />
<br />
{{note| For division to work you have to use braces or spaces around the dividend so that it is not mistaken for an IP address.}}<br />
<br />
====Relational Operators====<br />
<p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="100">Operator</th><br />
<th width="300">Description</th><br />
<th>Example</th><br />
</tr><br />
<tr><br />
<td><b><var>"<"</var></b></td><br />
<td>less</td><br />
<td><code>:put (3<4);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>">"</var></b></td><br />
<td>greater</td><br />
<td><code>:put (3>4);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>"="</var></b></td><br />
<td>equal</td><br />
<td><code>:put (2=2);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>"<="</var></b></td><br />
<td>less or equal</td><br />
<td></td><br />
</tr><br />
<tr><br />
<td><b><var>">="</var></b></td><br />
<td>greater or equal</td><br />
<td></td><br />
</tr><br />
<tr><br />
<td><b><var>"!="</var></b></td><br />
<td>not equal</td><br />
<td></td><br />
</tr><br />
</table><br />
<br />
</p><br />
<br />
====Logical Operators====<br />
<p><br />
<table class="styled_table"><br />
<tr><br />
<th width="100">Operator</th><br />
<th width="300">Description</th><br />
<th >Example</th><br />
</tr><br />
<tr><br />
<td><b><var>“!”</var></b></td><br />
<td>logical NOT</td><br />
<td><code>:put (!true);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“&&” , “and”</var></b></td><br />
<td>logical AND</td><br />
<td><code>:put (true&&true)</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“||” , “or”</var></b></td><br />
<td>logical OR</td><br />
<td><code>:put (true||false);</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“in”</var></b></td><br />
<td></td><br />
<td><code>:put (1.1.1.1/32 in 1.0.0.0/8);</code></td><br />
</tr><br />
</table><br />
</p><br />
<br />
====Bitwise Operators====<br />
<br />
Bitwise operators work on number, IP and IPv6 address [[#Data_types|data types]].<br />
<br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="100">Operator</th><br />
<th width="300">Description</th><br />
<th>Example</th><br />
</tr><br />
<tr><br />
<td><b><var>“~”</var></b></td><br />
<td>bit inversion</td><br />
<td><code>:put (~0.0.0.0)</code><br/><code>:put (~::ffff)</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“|”</var></b></td><br />
<td>bitwise OR. Performs logical OR operation on each pair of corresponding bits. In each pair the result is “1” if one of bits or both bits are “1”, otherwise the result is “0”.</td><br />
<td><code>:put (192.168.88.0|0.0.0.255)</code><br/><code>:put (2001::1|::ffff)</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“^”</var></b></td><br />
<td>bitwise XOR. The same as OR, but the result in each position is “1” if two bits are not equal, and “0” if bits are equal.</td><br />
<td><code>:put (1.1.1.1^255.255.0.0)</code><br/><code>:put (2001::ffff:1^::ffff:0)</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“&”</var></b></td><br />
<td>bitwise AND. In each pair the result is “1” if first and second bit is “1”. Otherwise the result is “0”.</td><br />
<td><code>:put (192.168.88.77&255.255.255.0)</code><br/><code>:put (2001::1111&ffff::)</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“<<”</var></b></td><br />
<td>left shift by given amount of bits, not supported for IPv6 address data type</td><br />
<td><code>:put (192.168.88.77<<8)</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“>>”</var></b></td><br />
<td>right shift by given amount of bits, not supported for IPv6 address data type</td><br />
<td><code>:put (192.168.88.77>>24)</code></td><br />
</tr><br />
</table><br />
<br />
<br />
Calculate subnet address from given IP and CIDR Netmask using "&" operator:<br />
<pre><br />
{<br />
:local IP 192.168.88.77;<br />
:local CIDRnetmask 255.255.255.0;<br />
:put ($IP&$CIDRnetmask);<br />
}<br />
</pre><br />
<br />
Get last 8 bits from given IP addresses:<br />
<pre><br />
:put (192.168.88.77&0.0.0.255);<br />
</pre><br />
<br />
Use "|" operator and inverted CIDR mask to calculate the broadcast address:<br />
<pre><br />
{<br />
:local IP 192.168.88.77;<br />
:local Network 192.168.88.0;<br />
:local CIDRnetmask 255.255.255.0;<br />
:local InvertedCIDR (~$CIDRnetmask);<br />
:put ($Network|$InvertedCIDR)<br />
}<br />
</pre><br />
<br />
====Concatenation Operators====<br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="100">Operator</th><br />
<th width="300">Description</th><br />
<th>Example</th><br />
</tr><br />
<tr><br />
<td><b><var>“.”</var></b></td><br />
<td>concatenates two strings</td><br />
<td><code>:put ("concatenate" . " " . "string");</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“,”</var></b></td><br />
<td>concatenates two arrays or adds element to array</td><br />
<td><code>:put ({1;2;3} , 5 );</code></td><br />
</tr><br />
</table><br />
<br />
<br />
It is possible to add variable values to strings without the concatenation operator:<br />
<pre><br />
:global myVar "world";<br />
<br />
:put ("Hello " . $myVar);<br />
# next line does the same as above<br />
:put "Hello $myVar";<br />
</pre><br />
<br />
By using $[] and $() in a string it is possible to add expressions inside strings:<br />
<pre><br />
:local a 5;<br />
:local b 6;<br />
:put " 5x6 = $($a * $b)";<br />
<br />
:put " We have $[ :len [/ip route find] ] routes";<br />
</pre><br />
<br />
====Other Operators====<br />
<br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="100">Operator</th><br />
<th width="300">Description</th><br />
<th>Example</th><br />
</tr><br />
<tr><br />
<td><b><var>“[]”</var></b></td><br />
<td>command substitution. Can contain only single command line</td><br />
<td><code>:put [ :len "my test string"; ];</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“()”</var></b></td><br />
<td>sub expression or grouping operator</td><br />
<td><code>:put ( "value is " . (4+5));</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“$”</var></b></td><br />
<td>substitution operator</td><br />
<td><code>:global a 5; :put $a;</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“~”</var></b></td><br />
<td>binary operator that matches value against POSIX extended regular expression</td><br />
<td>Print all routes which gateway ends with 202<br /><br />
<code>/ip route print where gateway~"^[0-9 \\.]*202\$"</code></td><br />
</tr><br />
<tr><br />
<td><b><var>“->”</var></b></td><br />
<td>Get an array element by key</td><br />
<td><pre>[admin@x86] >:global aaa {a=1;b=2}<br />
[admin@x86] > :put ($aaa->"a")<br />
1<br />
[admin@x86] > :put ($aaa->"b")<br />
2</pre></td><br />
</tr><br />
</table><br />
<br />
===Variables===<br />
<br />
Scripting language has two types of variables: <br />
<ul class="bullets"><br />
<li> <var>global</var> - accessible from all scripts created by current user, defined by [[#Global_commands|global]] keyword;<br />
<li> <var>local</var> - accessible only within the current [[#Scopes|scope]], defined by [[#Global_commands|local]] keyword. <br />
</ul><br />
{{Note | Starting from v6.2 there can be undefined variables. When variable is undefined parser will try to look for variables set, for example, by [[M:IP/DHCP_Server | DHCP]] <var>lease-script</var> or [[Hotspot]] <var>on-login</var> }}<br />
{{Note | Variable value size is limited to 4096 bytes }}<br />
<br />
Every variable, except for built-in RouterOS variables, must be declared before usage with the local or global keyword. Undefined variables will be marked as undefined and will result in a compilation error.<br />
Example:<br />
<pre><br />
# following code will result in compilation error, because myVar is used without declaration<br />
:set myVar "my value";<br />
:put $myVar<br />
</pre><br />
<br />
Correct code:<br />
<pre><br />
:local myVar;<br />
:set myVar "my value";<br />
:put $myVar;<br />
</pre><br />
<br />
An exception is when using variables set, for example, by DHCP <var>lease-script</var>:<br />
<pre><br />
/system script<br />
add name=myLeaseScript policy=\<br />
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \<br />
source=":log info \$leaseActIP\r\<br />
\n:log info \$leaseActMAC\r\<br />
\n:log info \$leaseServerName\r\<br />
\n:log info \$leaseBound"<br />
<br />
/ip dhcp-server set myServer lease-script=myLeaseScript<br />
</pre><br />
<br />
Valid characters in variable names are letters and digits. If variable name contains any other character, then variable name should be put in double quotes. Example:<br />
<pre><br />
#valid variable name<br />
:local myVar; <br />
#invalid variable name<br />
:local my-var; <br />
#valid because double quoted<br />
:global "my-var"; <br />
</pre><br />
<br />
If variable is initially defined without value then [[#Data_types|variable data type]] is set to <i>nil</i>, otherwise data type is determined automatically by scripting engine. Sometimes conversion from one data type to another is required. It can be achieved using [[#Global_commands|data conversion commands]]. Example:<br />
<pre><br />
#convert string to array<br />
:local myStr "1,2,3,4,5";<br />
:put [:typeof $myStr];<br />
:local myArr [:toarray $myStr];<br />
:put [:typeof $myArr]<br />
</pre><br />
<br />
Variable names are case sensitive.<br />
<pre><br />
:local myVar "hello"<br />
# following line will generate error, because variable myVAr is not defined<br />
:put $myVAr<br />
# correct code<br />
:put $myVar<br />
</pre><br />
<br />
The set command without a value will un-define the variable (remove from environment, new in v6.2):<br />
<pre><br />
#remove variable from environment<br />
:global myVar "myValue"<br />
:set myVar;<br />
</pre><br />
====Reserved variable names====<br />
<br />
All built-in RouterOS properties are reserved variables. Variables defined with the same name as a RouterOS built-in property can cause errors. To avoid such errors, use custom designations.<br />
<br />
For example, the following script will not work:<br />
<pre><br />
{<br />
:local type "ether1";<br />
/interface print where name=$type;<br />
} <br />
</pre><br />
But it will work with a differently named variable:<br />
<pre><br />
{<br />
:local customname "ether1";<br />
/interface print where name=$customname;<br />
} <br />
</pre><br />
<br />
===Commands===<br />
<h4>Global commands</h4><br />
<p>Every global command should start with the <i>":"</i> token, otherwise it will be treated as a variable.<br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="100" align="left">Command</th><br />
<th width="200" align="left">Syntax</th><br />
<th width="250" align="left">Description</th><br />
<th align="left">Example</th><br />
</tr><br />
<tr><br />
<td><b><var>/</var></b></td><br />
<td></td><br />
<td>go to root menu</td><br />
<td></td><br />
</tr><br />
<tr><br />
<td><b><var>..</var></b></td><br />
<td></td><br />
<td>go back by one menu level</td><br />
<td></td><br />
</tr><br />
<tr><br />
<td><b><var>?</var></b></td><br />
<td></td><br />
<td>list all available menu commands and brief descriptions</td><br />
<td></td><br />
</tr><br />
<tr><br />
<td><b><var>global</var></b></td><br />
<td><code><nowiki>:global <var> [<value>]</nowiki></code></td><br />
<td>define global variable</td><br />
<td><code>:global myVar "something"; :put $myVar;</code></td><br />
</tr><br />
<tr><br />
<td><b><var>local</var></b></td><br />
<td><code><nowiki>:local <var> [<value>]</nowiki></code></td><br />
<td>define local variable</td><br />
<td><code>{ :local myLocalVar "I am local"; :put $myLocalVar; }</code></td><br />
</tr><br />
<tr><br />
<td><b><var>beep</var></b></td><br />
<td><code><nowiki>:beep <freq> <length></nowiki></code></td><br />
<td>beep built in speaker</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>delay</var></b></td><br />
<td><code><nowiki>:delay <time></nowiki></code></td><br />
<td>do nothing for a given period of time</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>put</var></b></td><br />
<td><code><nowiki>:put <expression></nowiki></code></td><br />
<td>put supplied argument to console</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>len</var></b></td><br />
<td><code><nowiki>:len <expression></nowiki></code></td><br />
<td>return string length or array element count</td><br />
<td><code>:put [:len "length=8"];</code></td><br />
</tr><br />
<tr><br />
<td><b><var>typeof</var></b></td><br />
<td><code><nowiki>:typeof <var></nowiki></code></td><br />
<td>return data type of variable</td><br />
<td><code>:put [:typeof 4];</code></td><br />
</tr><br />
<tr><br />
<td><b><var>pick</var></b></td><br />
<td><code><nowiki>:pick <var> <start>[<end>]</nowiki></code></td><br />
<td>return range of elements or substring. If end position is not specified, will return only one element from an array.</td><br />
<td><code>:put [:pick "abcde" 1 3]</code></td><br />
</tr><br />
<tr><br />
<td><b><var>log</var></b></td><br />
<td><code><nowiki>:log <topic> <message></nowiki></code></td><br />
<td>write message to [[log | system log]]. Available topics are <code>"debug, error, info and warning"</code></td><br />
<td><code>:log info "Hello from script";</code></td><br />
</tr><br />
<tr><br />
<td><b><var>time</var></b></td><br />
<td><code><nowiki>:time <expression></nowiki></code></td><br />
<td>return interval of time needed to execute command</td><br />
<td><code>:put [:time {:for i from=1 to=10 do={ :delay 100ms }}];</code></td><br />
</tr><br />
<tr><br />
<td><b><var>set</var></b></td><br />
<td><code><nowiki>:set <var> [<value>]</nowiki></code></td><br />
<td>assign value to declared variable.</td><br />
<td><code>:global a; :set a true;</code></td><br />
</tr><br />
<tr><br />
<td><b><var>find</var></b></td><br />
<td><code><nowiki>:find <arg> <arg> <start></nowiki></code></td><br />
<td>return position of substring or array element</td><br />
<td><code>:put [:find "abc" "a" -1];</code></td><br />
</tr><br />
<tr><br />
<td><b><var>environment</var></b></td><br />
<td><code><nowiki>:environment print <start></nowiki></code></td><br />
<td>print initialized variable information</td><br />
<td><code>:global myVar true; :environment print;</code></td><br />
</tr><br />
<tr><br />
<td><b><var>terminal</var></b></td><br />
<td><code><nowiki></nowiki></code></td><br />
<td>terminal related commands</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>error</var></b></td><br />
<td><code><nowiki>:error <output> </nowiki></code></td><br />
<td>Generate console error and stop executing the script</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>execute</var></b></td><br />
<td><code><nowiki>:execute <expression> </nowiki></code></td><br />
<td>Execute the script in background. Result can be written in file by setting <var>file</var> parameter.</td><br />
<td><pre>{<br />
:local j [:execute {/interface print follow where [:log info ~Sname~]}];<br />
:delay 10s;<br />
:do { /system script job remove $j } on-error={}<br />
}</pre></td><br />
</tr><br />
<tr><br />
<td><b><var>parse</var></b></td><br />
<td><code><nowiki>:parse <expression> </nowiki></code></td><br />
<td>parse string and return parsed console commands. Can be used as function.</td><br />
<td><code>:global myFunc [:parse ":put hello!"];<br /><br />
$myFunc;</code></td><br />
</tr><br />
<tr><br />
<td><b><var>resolve</var></b></td><br />
<td><code><nowiki>:resolve <arg> </nowiki></code></td><br />
<td>return IP address of given DNS name</td><br />
<td><code>:put [:resolve "www.mikrotik.com"];</code></td><br />
</tr><br />
<tr><br />
<td><b><var>toarray</var></b></td><br />
<td><code><nowiki>:toarray <var> </nowiki></code></td><br />
<td>convert variable to array</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>tobool</var></b></td><br />
<td><code><nowiki>:tobool <var> </nowiki></code></td><br />
<td>convert variable to boolean</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>toid</var></b></td><br />
<td><code><nowiki>:toid <var> </nowiki></code></td><br />
<td>convert variable to internal ID</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>toip</var></b></td><br />
<td><code><nowiki>:toip <var> </nowiki></code></td><br />
<td>convert variable to IP address</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>toip6</var></b></td><br />
<td><code><nowiki>:toip6 <var> </nowiki></code></td><br />
<td>convert variable to IPv6 address</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>tonum</var></b></td><br />
<td><code><nowiki>:tonum <var> </nowiki></code></td><br />
<td>convert variable to integer</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>tostr</var></b></td><br />
<td><code><nowiki>:tostr <var> </nowiki></code></td><br />
<td>convert variable to string</td><br />
<td><code></code></td><br />
</tr><br />
<tr><br />
<td><b><var>totime</var></b></td><br />
<td><code><nowiki>:totime <var> </nowiki></code></td><br />
<td>convert variable to time</td><br />
<td><code></code></td><br />
</tr><br />
</table><br />
</p><br />
<br />
====Menu specific commands====<br />
<h5>Common commands</h5><br />
<p><br />
The following commands are available from most sub-menus:<br />
<table class="styled_table"><br />
<tr><br />
<th width="55">Command</th><br />
<th width="300">Syntax</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><b><var>add</var></b></td><br />
<td><code><nowiki> add <param>=<value>..<param>=<value></nowiki></code></td><br />
<td>add new item</td><br />
</tr><br />
<tr><br />
<td><b><var>remove</var></b></td><br />
<td><code><nowiki> remove <id></nowiki></code></td><br />
<td>remove selected item</td><br />
</tr><br />
<tr><br />
<td><b><var>enable</var></b></td><br />
<td><code><nowiki> enable <id></nowiki></code></td><br />
<td>enable selected item</td><br />
</tr><br />
<tr><br />
<td><b><var>disable</var></b></td><br />
<td><code><nowiki> disable <id></nowiki></code></td><br />
<td>disable selected item</td><br />
</tr><br />
<tr><br />
<td><b><var>set</var></b></td><br />
<td><code><nowiki> set <id> <param>=<value>..<param>=<value></nowiki></code></td><br />
<td>change the selected item's parameters; more than one parameter can be specified at a time. A parameter can be unset by specifying '!' before the parameter. <br /><br />
Example: <br /><br />
<code>/ip firewall filter<br />
add chain=blah action=accept protocol=tcp port=123 nth=4,2 <br /><br />
print <br /><br />
set 0 !port chain=blah2 !nth protocol=udp<br />
</code></td><br />
</tr><br />
<tr><br />
<td><b><var>get</var></b></td><br />
<td><code><nowiki> get <id> <param>=<value></nowiki></code></td><br />
<td>get selected items parameter value</td><br />
</tr><br />
<tr><br />
<td><b><var>print</var></b></td><br />
<td><code><nowiki> print <param><param>=[<value>]</nowiki></code></td><br />
<td>print menu items. Output depends on print parameters specified. Most common print parameters are described [[#print_parameters|here]]</td><br />
</tr><br />
<tr><br />
<td><b><var>export</var></b></td><br />
<td><code><nowiki> export [file=<value>]</nowiki></code></td><br />
<td>export configuration from current menu and its sub-menus (if present). If file parameter is specified output will be written to file with extension '.rsc', otherwise output will be printed to console. Exported commands can be imported by [[#import|import command]]</td><br />
</tr><br />
<tr><br />
<td><b><var>edit</var></b></td><br />
<td><code><nowiki> edit <id> <param></nowiki></code></td><br />
<td>edit selected items property in built-in [[text editor]]</td><br />
</tr><br />
<tr><br />
<td><b><var>find</var></b></td><br />
<td><code><nowiki> find <expression></nowiki></code></td><br />
<td>Returns list of internal numbers for items that are matched by given expression. For example: <code> :put [/interface find name~"ether"]</code></td><br />
</tr><br />
</table><br />
<br />
</p><br />
=====import=====<br />
The import command is available from the root menu and is used to import configuration from files created by the [[#Common_commands|export]] command or written by hand.<br />
<p><br />
<br />
</p><br />
<br />
=====print parameters=====<br />
<p><br />
<br />
Several parameters are available for print command:<br />
<table class="styled_table"><br />
<tr><br />
<th width="55">Parameter</th><br />
<th width="400">Description</th><br />
<th >Example</th><br />
</tr><br />
<tr><br />
<td><b><var>append</var></b></td><br />
<td></td><br />
<td><code><nowiki></nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>as-value</var></b></td><br />
<td>print output as an array of parameters and its values</td><br />
<td><code><nowiki>:put [/ip address print as-value]</nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>brief</var></b></td><br />
<td>print brief description</td><br />
<td><code><nowiki></nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>detail</var></b></td><br />
<td>print detailed description, output is not as readable as brief output, but may be useful to view all parameters</td><br />
<td><code><nowiki></nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>count-only</var></b></td><br />
<td>print only count of menu items</td><br />
<td><code><nowiki></nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>file</var></b></td><br />
<td>print output to file</td><br />
<td><code><nowiki></nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>follow</var></b></td><br />
<td>print all current entries and track new entries until ctrl-c is pressed, very useful when viewing log entries </td><br />
<td><code><nowiki>/log print follow</nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>follow-only</var></b></td><br />
<td>print and track only new entries until ctrl-c is pressed, very useful when viewing log entries</td><br />
<td><code><nowiki>/log print follow-only</nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>from</var></b></td><br />
<td>print parameters only from specified item</td><br />
<td><code><nowiki>/user print from=admin</nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>interval</var></b></td><br />
<td>continuously print output in selected time interval, useful to track down changes where <code>follow</code> is not acceptable</td><br />
<td><code><nowiki>/interface print interval=2</nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>terse</var></b></td><br />
<td>show details in compact and machine friendly format</td><br />
<td><code><nowiki></nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>value-list</var></b></td><br />
<td>show values one per line (good for parsing purposes)</td><br />
<td><code><nowiki></nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>without-paging</var></b></td><br />
<td>If the output does not fit on the console screen, do not stop; print all information in one piece</td><br />
<td><code><nowiki></nowiki></code></td><br />
</tr><br />
<tr><br />
<td><b><var>where</var></b></td><br />
<td>expressions followed by where parameter can be used to filter out matched entries</td><br />
<td><code><nowiki>/ip route print where interface="ether1"</nowiki></code></td><br />
</tr><br />
</table><br />
<br /><br />
More than one parameter can be specified at a time, for example, <code> /ip route print count-only interval=1 where interface="ether1" </code><br />
</p><br />
<br />
===Loops and conditional statements===<br />
<p><br />
</p><br />
<h4>Loops</h4><br />
<p><br />
<table class="styled_table"><br />
<tr><br />
<th width="55">Command</th><br />
<th width="300">Syntax</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><b><var>do..while</var></b></td><br />
<td><code><nowiki>:do { <commands> } while=( <conditions> ); :while ( <conditions> ) do={ <commands> };</nowiki></code></td><br />
<td>execute commands until given condition is met.</td><br />
</tr><br />
<tr><br />
<td><b><var>for</var></b></td><br />
<td><code><nowiki>:for <var> from=<int> to=<int> step=<int> do={ <commands> }</nowiki></code></td><br />
<td>execute commands over a given number of iterations</td><br />
</tr><br />
<tr><br />
<td><b><var>foreach</var></b></td><br />
<td><code><nowiki>:foreach <var> in=<array> do={ <commands> };</nowiki></code></td><br />
<td>execute commands for each element in a list</td><br />
</tr><br />
</table><br />
</p><br />
<h4>Conditional statement</h4><br />
<p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="55">Command</th><br />
<th width="300">Syntax</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><b><var>if</var></b></td><br />
<td><code><nowiki>:if (<condition>) do={<commands>} else={<commands>} <expression></nowiki></code></td><br />
<td>If a given condition is <code>true</code> then execute commands in the <code>do</code> block, otherwise execute commands in the <code>else</code> block if specified.</td><br />
</tr><br />
</table><br />
<br />
Example:<br />
<pre><br />
{<br />
:local myBool true;<br />
:if ($myBool = false) do={ :put "value is false" } else={ :put "value is true" }<br />
}<br />
</pre><br />
</p><br />
<br />
===Functions===<br />
<br />
The scripting language does not allow you to create functions directly; however, you can use the :parse command as a workaround.<br />
<br />
Starting from v6.2, new syntax was added that makes it easier to define such functions and even pass parameters.<br />
It is also possible to return a value from a function with the ''':return''' command.<br />
<br />
See examples below:<br />
<br />
<pre><br />
#define function and run it<br />
:global myFunc do={:put "hello from function"}<br />
$myFunc<br />
<br />
output:<br />
hello from function<br />
</pre><br />
<br />
<pre><br />
#pass arguments to the function<br />
:global myFunc do={:put "arg a=$a"; :put "arg '1'=$1"} <br />
$myFunc a="this is arg a value" "this is arg1 value"<br />
<br />
output:<br />
arg a=this is arg a value<br />
arg '1'=this is arg1 value<br />
<br />
</pre><br />
<br />
Notice that there are two ways how to pass arguments:<br />
* pass arg with specific name ("a" in our example)<br />
* pass value without arg name, in such case arg "1", "2" .. "n" are used.<br />
<br />
<br />
'''Return example'''<br />
<pre><br />
:global myFunc do={ :return ($a + $b)}<br />
:put [$myFunc a=6 b=2]<br />
<br />
output:<br />
8<br />
</pre><br />
<br />
<br />
<br />
You can even clone existing script from script environment and use it as function.<br />
<pre><br />
#add script<br />
/system script add name=myScript source=":put \"Hello $myVar !\""<br />
</pre><br />
<br />
<pre><br />
:global myFunc [:parse [/system script get myScript source]]<br />
$myFunc myVar=world<br />
<br />
output:<br />
Hello world !<br />
</pre><br />
<br />
{{Warning | If a function contains a defined global variable whose name matches the name of a passed parameter, then the globally defined variable is ignored, for compatibility with scripts written for older versions. This feature can change in future versions. '''Avoid using parameters with the same name as global variables.''' }}<br />
<br />
For example:<br />
<pre><br />
:global my2 "123"<br />
<br />
:global myFunc do={ :global my2; :put $my2; :set my2 "lala"; :put $my2 }<br />
$myFunc my2=1234<br />
:put "global value $my2"<br />
</pre><br />
<br />
Output will be:<br />
<pre><br />
1234<br />
lala<br />
global value 123<br />
</pre><br />
<br />
<br />
'''Nested function example'''<br />
<br />
{{Note | to call another function its name needs to be declared (the same as for variables)}}<br />
<br />
<pre><br />
:global funcA do={ :return 5 }<br />
:global funcB do={ <br />
:global funcA;<br />
:return ([$funcA] + 4)<br />
}<br />
:put [$funcB]<br />
<br />
<br />
Output:<br />
9 <br />
</pre><br />
<br />
===Catch run-time errors===<br />
<br />
Starting from v6.2, scripting has the ability to catch run-time errors.<br />
<br />
For example, the <code>:resolve</code> command throws an error and breaks the script if it fails.<br />
<br />
<pre><br />
[admin@MikroTik] > { :put [:resolve www.example.com]; :put "lala";}<br />
failure: dns name does not exist<br />
</pre><br />
<br />
Now we want to catch this error and proceed with our script:<br />
<pre><br />
:do {<br />
:put [:resolve www.example.com];<br />
} on-error={ :put "resolver failed"};<br />
:put "lala" <br />
<br />
output:<br />
<br />
resolver failed<br />
lala<br />
</pre><br />
<br />
<br />
===Operations with Arrays===<br />
<br />
{{Warning| If a key name in an array contains any character other than a lowercase character, it should be put in quotes}}<br />
<br />
For example:<br />
<pre><br />
[admin@ce0] > {:local a { "aX"=1 ; ay=2 }; :put ($a->"aX")}<br />
<br />
1<br />
</pre><br />
<br />
<br />
'''Loop through keys and values'''<br />
<br />
:foreach command can be used to loop through keys and elements:<br />
<br />
<pre><br />
[admin@ce0] > :foreach k,v in={2; "aX"=1 ; y=2; 5} do={:put ("$k=$v")}<br />
<br />
0=2<br />
1=5<br />
aX=1<br />
y=2<br />
<br />
</pre><br />
<br />
If the :foreach command is used with one argument, then the element value will be returned:<br />
<br />
<pre><br />
[admin@ce0] > :foreach k in={2; "aX"=1 ; y=2; 5} do={:put ("$k")}<br />
<br />
2<br />
5<br />
1<br />
2<br />
<br />
</pre><br />
<br />
{{Note | If array element has key then these elements are sorted in alphabetical order, elements without keys are moved before elements with keys and their order is not changed (see example above). }}<br />
<br />
<br />
'''Change the value of single array element'''<br />
<br />
<pre><br />
[admin@MikroTik] > :global a {x=1; y=2}<br />
[admin@MikroTik] > :set ($a->"x") 5 <br />
[admin@MikroTik] > :environment print <br />
a={x=5; y=2}<br />
<br />
</pre><br />
<br />
==Script repository==<br />
<br />
<p><b>Sub-menu level:</b> <code>/system script</code></p><br />
<br />
<p>Contains all user created scripts. Scripts can be executed in several different ways:</p><br />
<ul class="bullets"><br />
<li><b>on event</b> - scripts are executed automatically on some facility events ([[M:System/Scheduler | scheduler]], [[M:Tools/Netwatch | netwatch]], [[M:Interface/VRRP | VRRP]])<br />
<li><b>by another script</b> - running script within script is allowed<br />
<li><b>manually</b> - from console executing [[#run|run]] command or in winbox<br />
</ul> <br />
<br />
{{Note | Only scripts (including schedulers, netwatch etc) with equal or higher permission rights can execute other scripts. }}<br />
<br />
<br /><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>comment</b></var> (<em>string</em>; Default: <i></i>)</td><br />
<td> Descriptive comment for the script</td><br />
</tr><br />
<tr><br />
<td><var><b>dont-require-permissions</b></var> (<em>yes | no</em>; Default: <i>no</i>)</td><br />
<td> Bypass permissions check when script is being executed, useful when scripts are being executed from services that have limited permissions, such as [[ Manual:Tools/Netwatch | Netwatch]]</td><br />
</tr><br />
<br />
<tr><br />
<td><var><b>name</b></var> (<em>string</em>; Default: <i>"Script[num]"</i>)</td><br />
<td> name of the script</td><br />
</tr><br />
<tr><br />
<td><var><b>policy</b></var> (<em>string</em>; Default: <i></i>)</td><br />
<td> list of applicable policies:<br /><br />
<ul class="bullets"><br />
<li><b>ftp</b> - can log on remotely via ftp and send and retrieve files from the router<br />
<li><b>password</b> - change passwords<br />
<li><b>policy</b> - manage user policies, add and remove user<br />
<li><b>read</b> - can retrieve the configuration <br />
<li><b>reboot</b> - can reboot the router<br />
<li><b>sensitive</b> - allows to change "hide sensitive" parameter<br />
<li><b>sniff</b> - can run sniffer, torch etc<br />
<li><b>test</b> - can run ping, traceroute, bandwidth test <br />
<li><b>write</b> - can change the configuration <br />
</ul><br />
Read more detailed policy descriptions [[Manual:Router_AAA#Properties | here]]<br />
</td><br />
</tr><br />
<tr><br />
<td><var><b>source</b></var> (<em>string</em>;)</td><br />
<td> Script source code</td><br />
</tr><br />
</table><br />
<br />
<br /><br />
Read only status properties:<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>last-started</b></var> (<em>date</em>)</td><br />
<td> Date and time when the script was last invoked.</td><br />
</tr><br />
<tr><br />
<td><var><b>owner</b></var> (<em>string</em>)</td><br />
<td> User who created the script</td><br />
</tr><br />
<tr><br />
<td><var><b>run-count</b></var> (<em>integer</em>)</td><br />
<td> Counter that counts how many times script has been executed</td><br />
</tr><br />
</table><br />
<br />
<br /><br />
Menu specific commands<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Command</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>run</b></var> (<em>run [id|name]</em>)</td><br />
<td> Execute specified script by ID or name</td><br />
</tr><br />
</table><br />
<br />
<br />
===Environment===<br />
<br />
<p><b>Sub-menu level:</b></p><br />
<ul><br />
<li><code>/system script environment</code></li><br />
<li><code>/environment</code></li><br />
</ul><br />
<br />
<p>Contains all user defined variables and their assigned values.</p><br />
<br />
[admin@MikroTik] > :global example;<br />
[admin@MikroTik] > :set example 123<br />
[admin@MikroTik] > /environment print <br />
"example"=123<br />
<br />
<br /><br />
Read only status properties:<br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>name</b></var> (<em>string</em>)</td><br />
<td> Variable name</td><br />
</tr><br />
<tr><br />
<td><var><b>user</b></var> (<em>string</em>)</td><br />
<td> User who defined variable</td><br />
</tr><br />
<tr><br />
<td><var><b>value</b></var> (<em></em>)</td><br />
<td> Value assigned to variable</td><br />
</tr><br />
</table><br />
<br />
===Job===<br />
<br />
<p><b>Sub-menu level:</b> <code>/system script job</code></p><br />
<br />
<p><br />
Contains list of all currently running scripts.<br />
<br />
<br /><br />
Read only status properties:<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>owner</b></var> (<em>string</em>)</td><br />
<td> User who is running script</td><br />
</tr><br />
<tr><br />
<td><var><b>policy</b></var> (<em>array</em>)</td><br />
<td> List of all policies applied to script</td><br />
</tr><br />
<tr><br />
<td><var><b>started</b></var> (<em>date</em>)</td><br />
<td> Local date and time when script was started</td><br />
</tr><br />
</table><br />
<br />
</p><br />
<br />
== See also == <br />
<br />
* [[M:Scripting-examples | Scripting Examples]]<br />
* User submitted [[Scripts]]<br />
* [[Manual:Scripting Tips and Tricks]]<br />
<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|S]]<br />
[[Category:System|S]]<br />
[[Category:Console|S]]<br />
[[Category:Case Studies|S]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:SNMP&diff=34591Manual:SNMP2023-03-09T14:55:12Z<p>Guntis: </p>
<hr />
<div>{{Versions|v5|v6}}<br />
<br />
__TOC__<br />
<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code>RFC 1157</code> <code>RFC 3414</code> <code>RFC 3416</code><br /><br />
<b>Package:</b> <code>system</code><br />
</p><br />
<br />
<br />
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. SNMP can be used to graph various data with tools such as CACTI, MRTG or [http://www.mikrotik.com/thedude.php The Dude]<br />
<br />
SNMP write support is only available for some OIDs. For supported OIDs SNMP v1, v2 or v3 write is supported<br />
<br />
<br />
[[File:Total-download-cacti.png|400px|Example Cacti graph made with data from SNMP]]<br />
<br />
<br />
{{Note| SNMP responds to a query on the interface the SNMP request was received from, forcing responses to have the same source address as the destination address of the request sent to the router}}<br />
<br />
{{Note| starting 6.18 SNMP implements OID blacklisting. Timeout for OID is 30s when it is blacklisted for 600s.}}<br />
<br />
== Quick Configuration ==<br />
<br />
To enable SNMP in RouterOS:<br />
<br />
<pre><br />
[admin@MikroTik] /snmp> print <br />
enabled: no<br />
contact: <br />
location: <br />
engine-id: <br />
trap-community: (unknown)<br />
trap-version: 1<br />
[admin@MikroTik] /snmp> set enabled yes<br />
</pre><br />
<br />
You can also specify administrative contact information in the above settings. All SNMP data will be available to communities configured in [[#Community | ''community'' menu]].<br />
<br />
==General Properties==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/snmp</code></p><br />
<br />
<br />
This sub-menu is used to enable SNMP and to configure general settings.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=contact<br />
|type=string<br />
|default=""<br />
|desc=Contact information<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Used to disable/enable SNMP service<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=engine-id<br />
|type=string<br />
|default=""<br />
|desc=for SNMP v3, used as part of identifier. You can configure the suffix part of the engine ID using this argument. If the SNMP client is not able to detect the configured engine-id value, then this hex prefix has to be used: 0x80003a8c04<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=location<br />
|type=string<br />
|default=""<br />
|desc=Location information<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-community<br />
|type=string<br />
|default=public<br />
|desc=Which communities configured in [[#Community | ''community'' menu]] to use when sending out the trap.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-generators<br />
|type=interfaces {{!}} start-trap<br />
|default=<br />
|desc=What action will generate traps:<br />
* interfaces - interface changes;<br />
* start-trap - snmp server starting on the router<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-interfaces<br />
|type=string {{!}} all<br />
|default=<br />
|desc=List of interfaces that traps are going to be sent out.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-target<br />
|type=list of IP/IPv6<br />
|default=0.0.0.0<br />
|desc=IP (IPv4 or IPv6) addresses of SNMP data collectors that have to receive the trap<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-version<br />
|type=1{{!}}2{{!}}3<br />
|default=1<br />
|desc=Version of SNMP protocol to use for trap<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=src-address<br />
|type=IPv4 or IPv6 address<br />
|default=::<br />
|desc=Force the router to always use the same IP source address for all of the SNMP messages<br />
}}<br />
<br />
{{Note| The engine-id field holds the suffix of the engine ID. SNMP clients should usually be<br />
able to detect the value, as it is read from the router like other SNMP values. However, there is a<br />
possibility that this is not the case. In that case, the engine-ID value has to be set<br />
according to this rule: <engine-id prefix> + <hex-dump suffix>. For example, if you<br />
have set 1234 as the suffix value, you have to provide 80003a8c04 + 31323334; the combined hex (the<br />
result) is 80003a8c0431323334 }}<br />
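The prefix-plus-suffix rule in the note above, as an added example that is not part of the original manual. It assumes the RFC 3411 engine ID layout (first bit set, enterprise number in the first four octets, format octet 4 for administratively assigned text); the function names are hypothetical.

```python
# Added example, not MikroTik code. Assumes the RFC 3411 SnmpEngineID layout:
# octets 1-4 = enterprise number with the first bit set, octet 5 = format,
# remaining octets = the identifier itself.
MIKROTIK_PREFIX = "80003a8c04"  # prefix given on the page

# Format octet values defined by RFC 3411
FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def build_engine_id(suffix):
    """Return the full engine ID (hex) for a configured engine-id suffix."""
    data = suffix.encode("ascii")
    if not 1 <= len(data) <= 27:  # text format leaves at most 27 octets
        raise ValueError("text suffix must be 1..27 characters")
    return MIKROTIK_PREFIX + data.hex()


def parse_engine_id(hex_id):
    """Split a full engine ID into enterprise number, format and suffix."""
    text = hex_id.lower()
    if text.startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    head = int.from_bytes(raw[:4], "big")
    if not head & 0x80000000:
        raise ValueError("first bit is not set: not the RFC 3411 format")
    fmt, body = raw[4], raw[5:]
    # Only the text format is decoded; other formats are returned as hex.
    suffix = body.decode("ascii") if fmt == 4 else body.hex()
    return {
        "enterprise": head & 0x7FFFFFFF,
        "format": FORMATS.get(fmt, "other"),
        "suffix": suffix,
    }


if __name__ == "__main__":
    full = build_engine_id("1234")
    print(full)
    print(parse_engine_id(full))
```

The enterprise number decoded from the prefix is 14988, the same number that appears in the MikroTik OIDs used in the SNMP write section (1.3.6.1.4.1.14988...).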
<br />
== Community Properties ==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/snmp community</code></p><br />
<br />
<br />
This sub-menu is used to set up access rights for the SNMP data.<br />
<br />
There is little security in v1 and v2c: just a clear-text community string ("username") and the ability to limit access by IP address.<br />
<br />
In a production environment, SNMP v3 should be used, as it provides security: authorisation (user + password) with MD5/SHA1 and encryption with DES (and since v6.16, AES).<br />
<br />
<pre><br />
<br />
[admin@MikroTik] /snmp community> print value-list <br />
name: public<br />
address: 0.0.0.0/0<br />
security: none<br />
read-access: yes<br />
write-access: no<br />
authentication-protocol: MD5<br />
encryption-protocol: DES<br />
authentication-password: *****<br />
encryption-password: *****<br />
<br />
</pre><br />
<br />
{{Warning| Default settings only have one community named ''public'' without any additional security settings. These settings should be considered insecure and should be adjusted according to the required security profile.}}<br />
<br />
<br />
'''Properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=address<br />
|type=IP/IPv6 address<br />
|default=0.0.0.0/0<br />
|desc=Addresses from which connections to the SNMP server are allowed<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-password<br />
|type=string<br />
|default=""<br />
|desc=Password used to authenticate connection to the server (SNMPv3)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-protocol<br />
|type=MD5 {{!}} SHA1<br />
|default=MD5<br />
|desc=Protocol used for authentication (SNMPv3)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=encryption-password<br />
|type=string<br />
|default=""<br />
|desc=password used for encryption (SNMPv3)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=encryption-protocol<br />
|type=DES {{!}} AES<br />
|default=DES<br />
|desc=encryption protocol to be used to encrypt the communication (SNMPv3). AES (see rfc3826) available since v6.16.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=read-access<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether read access is enabled for this community<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security<br />
|type=authorized {{!}} none {{!}} private<br />
|default=none<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=write-access<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether write access is enabled for this community. [[#SNMP_write | <code>Read more >></code>]]<br />
}}<br />
<br />
== Management information base (MIB) == <br />
<br />
The Management Information Base (MIB) is the database of information maintained by the agent that the manager can query. You can download the latest MikroTik RouterOS MIB file from here: www.mikrotik.com/downloads <br />
<br />
MIBs used in RouterOS v6.x:<br />
* MIKROTIK-MIB<br />
* MIB-2<br />
* HOST-RESOURCES-MIB<br />
* IF-MIB<br />
* IP-MIB<br />
* IP-FORWARD-MIB<br />
* IPV6-MIB<br />
* BRIDGE-MIB<br />
* DHCP-SERVER-MIB<br />
* CISCO-AAA-SESSION-MIB<br />
* ENTITY-MIB<br />
* UPS-MIB<br />
* SQUID-MIB<br />
<br />
== Object identifiers (OID)==<br />
<br />
Each OID identifies a variable that can be read via SNMP. Although the MIB file contains all the needed OID values, you can also print individual OID information in the console with the '''print oid''' command at any menu level:<br />
<br />
<pre><br />
[admin@MikroTik] /interface> print oid<br />
<br />
Flags: D - dynamic, X - disabled, R - running, S - slave <br />
0 R name=.1.3.6.1.2.1.2.2.1.2.1 mtu=.1.3.6.1.2.1.2.2.1.4.1 <br />
mac-address=.1.3.6.1.2.1.2.2.1.6.1 admin-status=.1.3.6.1.2.1.2.2.1.7.1 <br />
oper-status=.1.3.6.1.2.1.2.2.1.8.1 bytes-in=.1.3.6.1.2.1.2.2.1.10.1 <br />
packets-in=.1.3.6.1.2.1.2.2.1.11.1 discards-in=.1.3.6.1.2.1.2.2.1.13.1 <br />
errors-in=.1.3.6.1.2.1.2.2.1.14.1 bytes-out=.1.3.6.1.2.1.2.2.1.16.1 <br />
packets-out=.1.3.6.1.2.1.2.2.1.17.1 discards-out=.1.3.6.1.2.1.2.2.1.19.1 <br />
errors-out=.1.3.6.1.2.1.2.2.1.20.1 <br />
</pre><br />
<br />
== Traps ==<br />
<br />
SNMP traps enable the router to notify a data collector of interface changes and SNMP service status changes. Traps can be sent as SNMPv1 (no security), SNMPv2 and variants, or SNMPv3 with encryption and authorization.<br />
<br />
For SNMPv2 and v3 you have to set up an appropriately configured community as the ''trap-community'' to enable the required features (password or encryption/authorization).<br />
<br />
== SNMP write ==<br />
<br />
Since RouterOS v3, SNMP write is supported for some functions. SNMP write allows changing the router configuration with SNMP requests. When SNMP and write-access are enabled, consider securing access to the router or to the router's SNMP service.<br />
<br />
To change settings by SNMP requests, use the command below to allow SNMP write for the selected community.<br />
The write-access option for SNMP is available from v3.14.<br />
<br />
<pre><br />
/snmp community set <number> write-access=yes<br />
</pre><br />
<br />
<br />
<br />
====System Identity====<br />
<br />
It's possible to change the router's system identity with an SNMP set command:<br />
<br />
<pre><br />
snmpset -c public -v 1 192.168.0.0 1.3.6.1.2.1.1.5.0 s New_Identity<br />
</pre><br />
<br />
* ''snmpset'' - SNMP application used for SNMP SET requests to set information on a network entity;<br />
* ''public'' - router's community name;<br />
* ''192.168.0.0'' - IP address of the router;<br />
* ''1.3.6.1.2.1.1.5.0'' - SNMP value for router's identity;<br />
<br />
SNMPset command above is equal to the RouterOS command,<br />
<br />
<pre><br />
/system identity set identity=New_Identity<br />
</pre><br />
<br />
====Reboot====<br />
<br />
It's possible to reboot the router with an SNMP set command; you need to set the reboot SNMP setting to a value that is not equal to 0:<br />
<br />
<pre><br />
snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.7.1.0 s 1<br />
</pre><br />
<br />
* '''1.3.6.1.4.1.14988.1.1.7.1.0''', SNMP value for the router reboot;<br />
* '''s 1''', snmpset command to set value, value should not be equal to 0;<br />
<br />
Reboot snmpset command is equal to the RouterOS command,<br />
<br />
<pre><br />
/system reboot<br />
</pre><br />
<br />
====Run Script====<br />
<br />
SNMP write allows running scripts from the '''system script''' menu on the router; to do so, set a value for the SNMP setting of the script:<br />
<br />
<pre> <br />
snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.8.1.1.3.X s 1<br />
</pre><br />
<br />
* '''X''', script number, numeration starts from 1;<br />
* '''s 1''', snmpset command to set value, value should not be equal to 0;<br />
<br />
The same command on RouterOS,<br />
<br />
<pre><br />
<br />
/system script> print <br />
Flags: I - invalid <br />
0 name="test" owner="admin" policy=ftp,reboot,read,write,policy,<br />
test,winbox,password,sniff last-started=jan/01/1970<br />
01:31:57 run-count=23 source=:beep <br />
<br />
/system script run 0<br />
</pre><br />
<br />
==== Running scripts with GET ====<br />
<br />
It is possible to run '''/system scripts''' via SNMP GET request of the script OID (since 6.37). For this to work SNMP community with write permission is required. OIDs for scripts can be retrieved via SNMPWALK command as the table is dynamic.<br />
<br />
Add script:<br />
/system script<br />
add name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\<br />
"/sy reboot "<br />
add name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\<br />
"[:put output]"<br />
<br />
<br />
Get the script OID table<br />
$ snmpwalk -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.8<br />
iso.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "script1"<br />
iso.3.6.1.4.1.14988.1.1.8.1.1.2.2 = STRING: "script2"<br />
iso.3.6.1.4.1.14988.1.1.8.1.1.3.1 = INTEGER: 0<br />
iso.3.6.1.4.1.14988.1.1.8.1.1.3.2 = INTEGER: 0<br />
<br />
To run script use table 18<br />
$ snmpget -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2<br />
iso.3.6.1.4.1.14988.1.1.18.1.1.2.2 = STRING: "output"<br />
<br />
== See Also ==<br />
<br />
* [[SNMP MRTG]]<br />
<br />
<br />
<br />
{{cont}}<br />
<br />
<br />
[[Category:Manual]]<br />
[[Category:SNMP]]<br />
[[Category:Tools]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:SNMP&diff=34590Manual:SNMP2023-03-09T14:53:15Z<p>Guntis: </p>
<hr />
<div>{{Versions|v5|v6}}<br />
<br />
__TOC__<br />
<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code>RFC 1157</code> <code>RFC 3414</code> <code>RFC 3416</code><br /><br />
<b>Package:</b> <code>system</code><br />
</p><br />
<br />
<br />
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. SNMP can be used to graph various data with tools such as CACTI, MRTG or [http://www.mikrotik.com/thedude.php The Dude]<br />
<br />
SNMP write support is only available for some OIDs. For supported OIDs SNMP v1, v2 or v3 write is supported<br />
<br />
<br />
[[File:Total-download-cacti.png|400px|Example Cacti graph made with data from SNMP]]<br />
<br />
<br />
{{Note| SNMP responds to a query on the interface the SNMP request was received from, forcing responses to have the same source address as the destination address of the request sent to the router}}<br />
<br />
{{Note| starting 6.18 SNMP implements OID blacklisting. Timeout for OID is 30s when it is blacklisted for 600s.}}<br />
<br />
== Quick Configuration ==<br />
<br />
To enable SNMP in RouterOS:<br />
<br />
<pre><br />
[admin@MikroTik] /snmp> print <br />
enabled: no<br />
contact: <br />
location: <br />
engine-id: <br />
trap-community: (unknown)<br />
trap-version: 1<br />
[admin@MikroTik] /snmp> set enabled yes<br />
</pre><br />
<br />
You can also specify administrative contact information in the above settings. All SNMP data will be available to communities configured in [[#Community | ''community'' menu]].<br />
<br />
==General Properties==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/snmp</code></p><br />
<br />
<br />
This sub-menu is used to enable SNMP and to configure general settings.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=contact<br />
|type=string<br />
|default=""<br />
|desc=Contact information<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Used to disable/enable SNMP service<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=engine-id<br />
|type=string<br />
|default=""<br />
|desc=for SNMP v3, used as part of identifier. You can configure the suffix part of the engine ID using this argument. If the SNMP client is not able to detect the configured engine-id value, then this hex prefix has to be used: 0x80003a8c04<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=location<br />
|type=string<br />
|default=""<br />
|desc=Location information<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-community<br />
|type=string<br />
|default=public<br />
|desc=Which communities configured in [[#Community | ''community'' menu]] to use when sending out the trap.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-generators<br />
|type=interfaces {{!}} start-trap<br />
|default=<br />
|desc=What action will generate traps:<br />
* interfaces - interface changes;<br />
* start-trap - snmp server starting on the router<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-interfaces<br />
|type=string {{!}} all<br />
|default=<br />
|desc=List of interfaces that traps are going to be sent out.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-target<br />
|type=list of IP/IPv6<br />
|default=0.0.0.0<br />
|desc=IP (IPv4 or IPv6) addresses of SNMP data collectors that have to receive the trap<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trap-version<br />
|type=1{{!}}2{{!}}3<br />
|default=1<br />
|desc=Version of SNMP protocol to use for trap<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=src-address<br />
|type=IPv4 or IPv6 address<br />
|default=::<br />
|desc=Force the router to always use the same IP source address for all of the SNMP messages<br />
}}<br />
<br />
{{Note| The engine-id field holds the suffix of the engine ID. SNMP clients should usually be<br />
able to detect the value, as it is read from the router like other SNMP values. However, there is a<br />
possibility that this is not the case. In that case, the engine-ID value has to be set<br />
according to this rule: <engine-id prefix> + <hex-dump suffix>. For example, if you<br />
have set 1234 as the suffix value, you have to provide 80003a8c04 + 31323334; the combined hex (the<br />
result) is 80003a8c0431323334 }}<br />
<br />
== Community Properties ==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/snmp community</code></p><br />
<br />
<br />
This sub-menu is used to set up access rights for the SNMP data.<br />
<br />
There is little security in v1 and v2c: just a clear-text community string ("username") and the ability to limit access by IP address.<br />
<br />
In a production environment, SNMP v3 should be used, as it provides security: authorisation (user + password) with MD5/SHA1 and encryption with DES (and since v6.16, AES).<br />
<br />
<pre><br />
<br />
[admin@MikroTik] /snmp community> print value-list <br />
name: public<br />
address: 0.0.0.0/0<br />
security: none<br />
read-access: yes<br />
write-access: no<br />
authentication-protocol: MD5<br />
encryption-protocol: DES<br />
authentication-password: *****<br />
encryption-password: *****<br />
<br />
</pre><br />
<br />
{{Warning| Default settings only have one community named ''public'' without any additional security settings. These settings should be considered insecure and should be adjusted according to the required security profile.}}<br />
<br />
<br />
'''Properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=address<br />
|type=IP/IPv6 address<br />
|default=0.0.0.0/0<br />
|desc=Addresses from which connections to the SNMP server are allowed<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-password<br />
|type=string<br />
|default=""<br />
|desc=Password used to authenticate connection to the server (SNMPv3)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-protocol<br />
|type=MD5 {{!}} SHA1<br />
|default=MD5<br />
|desc=Protocol used for authentication (SNMPv3)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=encryption-password<br />
|type=string<br />
|default=""<br />
|desc=password used for encryption (SNMPv3)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=encryption-protocol<br />
|type=DES {{!}} AES<br />
|default=DES<br />
|desc=encryption protocol to be used to encrypt the communication (SNMPv3). AES (see rfc3826) available since v6.16.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=read-access<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether read access is enabled for this community<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security<br />
|type=authorized {{!}} none {{!}} private<br />
|default=none<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=write-access<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether write access is enabled for this community. [[#SNMP_write | <code>Read more >></code>]]<br />
}}<br />
<br />
== Management information base (MIB) == <br />
<br />
The Management Information Base (MIB) is the database of information maintained by the agent that the manager can query. You can download the latest MikroTik [www.mikrotik.com/downloads RouterOS MIB] file from here.<br />
<br />
MIBs used in RouterOS v6.x:<br />
* MIKROTIK-MIB<br />
* MIB-2<br />
* HOST-RESOURCES-MIB<br />
* IF-MIB<br />
* IP-MIB<br />
* IP-FORWARD-MIB<br />
* IPV6-MIB<br />
* BRIDGE-MIB<br />
* DHCP-SERVER-MIB<br />
* CISCO-AAA-SESSION-MIB<br />
* ENTITY-MIB<br />
* UPS-MIB<br />
* SQUID-MIB<br />
<br />
== Object identifiers (OID)==<br />
<br />
Each OID identifies a variable that can be read via SNMP. Although the MIB file contains all the needed OID values, you can also print individual OID information in the console with the '''print oid''' command at any menu level:<br />
<br />
<pre><br />
[admin@MikroTik] /interface> print oid<br />
<br />
Flags: D - dynamic, X - disabled, R - running, S - slave <br />
0 R name=.1.3.6.1.2.1.2.2.1.2.1 mtu=.1.3.6.1.2.1.2.2.1.4.1 <br />
mac-address=.1.3.6.1.2.1.2.2.1.6.1 admin-status=.1.3.6.1.2.1.2.2.1.7.1 <br />
oper-status=.1.3.6.1.2.1.2.2.1.8.1 bytes-in=.1.3.6.1.2.1.2.2.1.10.1 <br />
packets-in=.1.3.6.1.2.1.2.2.1.11.1 discards-in=.1.3.6.1.2.1.2.2.1.13.1 <br />
errors-in=.1.3.6.1.2.1.2.2.1.14.1 bytes-out=.1.3.6.1.2.1.2.2.1.16.1 <br />
packets-out=.1.3.6.1.2.1.2.2.1.17.1 discards-out=.1.3.6.1.2.1.2.2.1.19.1 <br />
errors-out=.1.3.6.1.2.1.2.2.1.20.1 <br />
</pre><br />
<br />
== Traps ==<br />
<br />
SNMP traps enable the router to notify a data collector of interface changes and SNMP service status changes. Traps can be sent for SNMPv1 (no security), SNMPv2 and variants, and SNMPv3 with encryption and authorization. <br />
<br />
For SNMPv2 and v3 you have to set up an appropriately configured community as a ''trap-community'' to enable the required features (password or encryption/authorization).<br />
<br />
== SNMP write ==<br />
<br />
Since RouterOS v3, SNMP write is supported for some functions. SNMP write allows changing the router configuration with SNMP requests. Consider securing access to the router, or to the router's SNMP, when SNMP and write-access are enabled.<br />
<br />
To change settings by SNMP requests, use the command below to allow SNMP write for the selected community.<br />
The write-access option for SNMP is available from v3.14:<br />
<br />
<pre><br />
/snmp community set <number> write-access=yes<br />
</pre><br />
<br />
<br />
<br />
====System Identity====<br />
<br />
It's possible to change the router's system identity with the SNMP set command:<br />
<br />
<pre><br />
snmpset -c public -v 1 192.168.0.0 1.3.6.1.2.1.1.5.0 s New_Identity<br />
</pre><br />
<br />
* ''snmpset'' - SNMP application used for SNMP SET requests to set information on a network entity;<br />
* ''public'' - router's community name;<br />
* ''192.168.0.0'' - IP address of the router;<br />
* ''1.3.6.1.2.1.1.5.0'' - SNMP value for router's identity;<br />
<br />
The snmpset command above is equivalent to the RouterOS command:<br />
<br />
<pre><br />
/system identity set identity=New_Identity<br />
</pre><br />
<br />
====Reboot====<br />
<br />
It's possible to reboot the router with the SNMP set command; you need to set the reboot SNMP setting to a value that is not equal to 0:<br />
<br />
<pre><br />
snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.7.1.0 s 1<br />
</pre><br />
<br />
* '''1.3.6.1.4.1.14988.1.1.7.1.0''', SNMP value for the router reboot;<br />
* '''s 1''', snmpset command to set value, value should not be equal to 0;<br />
<br />
The reboot snmpset command is equivalent to the RouterOS command:<br />
<br />
<pre><br />
/system reboot<br />
</pre><br />
<br />
====Run Script====<br />
<br />
SNMP write allows running scripts from the '''system script''' menu on the router; to do so, set a value for the SNMP setting of the script:<br />
<br />
<pre> <br />
snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.8.1.1.3.X s 1<br />
</pre><br />
<br />
* '''X''', script number, numeration starts from 1;<br />
* '''s 1''', snmpset command to set value, value should not be equal to 0;<br />
<br />
The same command on RouterOS,<br />
<br />
<pre><br />
<br />
/system script> print <br />
Flags: I - invalid <br />
0 name="test" owner="admin" policy=ftp,reboot,read,write,policy,<br />
test,winbox,password,sniff last-started=jan/01/1970<br />
01:31:57 run-count=23 source=:beep <br />
<br />
/system script run 0<br />
</pre><br />
<br />
==== Running scripts with GET ====<br />
<br />
It is possible to run '''/system scripts''' via SNMP GET request of the script OID (since 6.37). For this to work SNMP community with write permission is required. OIDs for scripts can be retrieved via SNMPWALK command as the table is dynamic.<br />
<br />
Add script:<br />
/system script<br />
add name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\<br />
"/sy reboot "<br />
add name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\<br />
"[:put output]"<br />
<br />
<br />
Get the script OID table<br />
$ snmpwalk -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.8<br />
iso.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "script1"<br />
iso.3.6.1.4.1.14988.1.1.8.1.1.2.2 = STRING: "script2"<br />
iso.3.6.1.4.1.14988.1.1.8.1.1.3.1 = INTEGER: 0<br />
iso.3.6.1.4.1.14988.1.1.8.1.1.3.2 = INTEGER: 0<br />
<br />
To run script use table 18<br />
$ snmpget -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2<br />
iso.3.6.1.4.1.14988.1.1.18.1.1.2.2 = STRING: "output"<br />
<br />
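The insecure combinations described above (the default ''public'' community, an unrestricted '''address''', '''security'''=none, and '''write-access''', which also permits running scripts via GET) can be checked mechanically. The following Python audit is an added example, not part of the MikroTik manual: it reads communities in the <code>print value-list</code> layout shown earlier; the sample communities, function names and severity labels are constructed for illustration, and it assumes each listing holds one community.

```python
import ipaddress

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed samples in the "print value-list" layout shown on this page.
DEFAULT_PUBLIC = """\
[admin@MikroTik] /snmp community> print value-list
name: public
address: 0.0.0.0/0
security: none
read-access: yes
write-access: no
authentication-protocol: MD5
encryption-protocol: DES
"""
WRITABLE_V2C = """\
name: ops
address: 0.0.0.0/0
security: none
read-access: yes
write-access: yes
"""
HARDENED_V3 = """\
name: nms-v3
address: 192.0.2.10/32
security: private
read-access: yes
write-access: no
authentication-protocol: SHA1
encryption-protocol: AES
"""


def parse_value_list(text):
    """Turn 'key: value' lines into a dict, skipping prompts and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        # Split on the first colon only, so IPv6 values such as ::/0 survive.
        key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_unrestricted(address):
    """True when the allowed-source prefix covers every address."""
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return True  # unparsable value: report it so that it gets reviewed


def audit_community(props):
    """Return a list of (severity, code, message) findings for one community."""
    # Missing keys fall back to the defaults listed in the properties table.
    # Assumption (the page leaves 'security' undescribed): none = no
    # authentication, authorized = authentication only, private = both.
    security = props.get("security", "none")
    writable = props.get("write-access", "no") == "yes"
    findings = []
    if props.get("name") == "public":
        findings.append(("LOW", "default-name",
                         "default community name 'public' is in use"))
    if security == "none":
        findings.append(("HIGH", "cleartext-community",
                         "only a clear-text community string protects access"))
    if is_unrestricted(props.get("address", "0.0.0.0/0")):
        findings.append(("MEDIUM", "any-source",
                         "requests are accepted from any source address"))
    if writable:
        severity = "CRITICAL" if security == "none" else "MEDIUM"
        findings.append((severity, "write-enabled",
                         "identity change, reboot and script runs are allowed"))
    if security != "none" and props.get("authentication-protocol", "MD5") == "MD5":
        findings.append(("LOW", "weak-auth", "MD5 is used; SHA1 is available"))
    if security == "private" and props.get("encryption-protocol", "DES") == "DES":
        findings.append(("LOW", "weak-cipher", "DES is used; AES is available"))
    return findings


def codes(findings):
    """Set of finding codes, convenient for comparisons."""
    return {code for _, code, _ in findings}


def worst_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    if not findings:
        return None
    return max((sev for sev, _, _ in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    for sample in (DEFAULT_PUBLIC, WRITABLE_V2C, HARDENED_V3):
        props = parse_value_list(sample)
        findings = audit_community(props)
        print(props["name"], worst_severity(findings) or "OK")
        for severity, code, message in findings:
            print(f"  [{severity}] {code}: {message}")
```

A community that needs write access for the functions above is reported at a lower severity once it uses SNMPv3 security and a restricted '''address'''.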
== See Also ==<br />
<br />
* [[SNMP MRTG]]<br />
<br />
<br />
<br />
{{cont}}<br />
<br />
<br />
[[Category:Manual]]<br />
[[Category:SNMP]]<br />
[[Category:Tools]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Queues_-_PCQ_Examples&diff=34576Manual:Queues - PCQ Examples2022-11-15T08:10:53Z<p>Guntis: </p>
<hr />
<div>Per Connection Queue (PCQ) is a queuing discipline that can be used to dynamically equalize or shape traffic for multiple users, using little administration. It is possible to divide PCQ scenarios into three major groups: equal bandwidth for a number of users, certain bandwidth equal distribution between users, unknown bandwidth equal distribution between users.<br />
<br />
=== Equal Bandwidth for a Number of Users ===<br />
<br />
Use PCQ type queue when you need to equalize the bandwidth [and set max limit] for a number of users. We will set the 64kbps download and 32kbps upload limits.<br />
<br />
[[Image:PCQ.png]]<br />
<br />
There are two ways to do this: using mangle and queue trees, or using simple queues.<br />
<br />
1. Mark all packets with packet-marks upload/download (let's consider that ether1-WAN is the public interface to the Internet and ether2-LAN is the local interface where clients are connected):<br />
<br />
/ip firewall mangle add chain=prerouting action=mark-packet \<br />
in-interface=ether2-LAN new-packet-mark=client_upload<br />
/ip firewall mangle add chain=prerouting action=mark-packet \<br />
in-interface=ether1-WAN new-packet-mark=client_download<br />
<br />
2. Setup two PCQ queue types - one for download and one for upload. ''dst-address'' is classifier for user's download traffic, ''src-address'' for upload traffic:<br />
<br />
/queue type add name="PCQ_download" kind=pcq pcq-rate=64000 pcq-classifier=dst-address<br />
/queue type add name="PCQ_upload" kind=pcq pcq-rate=32000 pcq-classifier=src-address<br />
<br />
<br />
3. Finally, two queue rules are required, one for download and one for upload:<br />
<br />
/queue tree add parent=global queue=PCQ_download packet-mark=client_download<br />
/queue tree add parent=global queue=PCQ_upload packet-mark=client_upload<br />
<br />
If you don't like using mangle and queue trees, you can skip step 1, do step 2, and step 3 would be to create one simple queue as shown here:<br />
<br />
/queue simple add target=192.168.0.0/24 queue=PCQ_upload/PCQ_download<br />
<br />
<br />
{{Note | More information about certain and unknown Distribution between routers can be found in [[M:Queues_-_PCQ | PCQ]] manual.}}<br />
<br />
== See Also ==<br />
<br />
* [[Manual:Queues_-_PCQ | PCQ]]<br />
<br />
[[Category:Manual|QueuesPCQexapmles]]<br />
[[Category:QoS|QueuesPCQexapmles]]<br />
[[Category:Examples|QueuesPCQexapmles]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34574Manual:Interface/Wireless2022-10-27T15:13:51Z<p>Guntis: Undo revision 34573 by Guntis (talk)</p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Wireless+Interface}}<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is time how long ARP record is kept in ARP table after no packets are received from IP. Value '''auto''' equals to the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows to use station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Use of extension channels (e.g. Ce, eC etc) allows additional 20MHz extension channels and if it should be located below or above the control (main) channel. Extension channel allows 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency based on the number of concurrent devices running in every frequency and chooses the “C” - Control channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''' interface will always have running flag. If value is set to '''no''', the router determines whether the card is up and running - for AP one or more clients have to be registered to it, for station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmits on the lowest data rate had failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory_domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Allows to specify offset if the used wireless card operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminologies) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting unfragmented packet because of protocol overhead and increased resource usage at both - transmitting and receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
* ''station-bridge'' - Provides support for transparent protocol-independent L2 bridging on the station device. RouterOS AP accepts clients in station-bridge mode when enabled using bridge-mode parameter. In this mode, the AP maintains a forwarding table with information on which MAC addresses are reachable over which station device. Only works with RouterOS APs. With station-bridge mode, it is not possible to connect to CAPsMAN-controlled CAP.<br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - the MAC addresses of all multicast packets are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the high-priority queue is sent first, then data from lower-priority queues until queue priority 0 is reached. When the link is full with high-priority queue data, lower-priority data is not sent. Use it very carefully; the setting works on AP.<br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is the older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino-based ones.<br />
* ''post-2.9.25'' - This uses the standardized way of including vendor-specific information, which is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) the type also supports the range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports a step feature that makes it possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate the scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels, or specifically to skip the DFS CAC channels in the range 5600-5650MHz, where detection can take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request an update of signal strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers an update of these values.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each of Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each of Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links are automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2 nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2 nstreme 802.11'' - on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]]. Only applies to bands B and G. Other bands will have it enabled regardless of this setting.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
802.11 standard provides means to protect transmission against other device transmission by using RTS/CTS protocol. Frame protection helps to fight "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - device willing to send frame at first sends RequestToSend frame and waits for ClearToSend frame from intended destination. By "seeing" RTS or CTS frame 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves<br />
* "CTS to self" based protection - device willing to send frame sends CTS frame "to itself". As in RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive CTS sent by other station - in this case stations must use RTS/CTS so that other station knows not to transmit by seeing CTS transmitted by AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take<br />
a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distance with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission (which is equal to ''round trip time'' - the time in which the frame can be sent and received from the client). This time is used to ensure that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period. <br />
<br />
For example, the distance between Access Point and client is 30km. Frame is sent in 100us one direction, respectively round-trip-time is ~200us. '''tdma-period-size''' default value is 2ms, it means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of time is unused. For 60km wireless link, round-trip-time is 400ms, unused time is 20% for default tdma-period-size 2ms, and 10% for 4ms. Bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
The default behaviour of the access list is to allow connection.<br />
<br />
Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.<br />
<br />
There are the following parameters for access list rules:<br />
* client matching parameters:<br />
** address - MAC address of client<br />
** interface - optional interface to compare with interface to which client actually connects to<br />
** time - time of day and days when rule matches<br />
** signal-range - range in which client signal must fit for rule to match<br />
** allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval<br />
* connection parameters:<br />
** ap-tx-limit - tx speed limit in direction to client<br />
** client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)<br />
** private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used<br />
** vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).<br />
** vlan-id - VLAN ID to use if doing VLAN tagging.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If the remote device is matched by a rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If there is no entry in ACL about client which connects to AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then ACL for this client is ignored during all connection time.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then the connection is matched to the ACL rule, but if signal drops to -70..-80, the client will not be disconnected.<br />
Please note that if "default-authentication=yes" is set on wireless interface, clients will be able to join even if there are no matching access-list entries.<br />
<br />
To make it work correctly it is required that client is matched by any of ACL rules.<br />
<br />
If we modify ACL rules in the previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55..0<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
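The two rule sets above, replayed through a small model of the first-match evaluation as an added example (not RouterOS code): the re-evaluation behaviour is an assumption inferred from the two examples and the warning on this page, and the client MAC is constructed.<br />

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"   # per the page, this value "matches always"


@dataclass
class Rule:
    mac_address: str = ANY_MAC
    interface: str = "any"                       # "any" = every wireless interface
    signal_range: Tuple[int, int] = (-120, 120)
    authentication: bool = True
    disabled: bool = False

    def matches(self, mac: str, interface: str, signal: int) -> bool:
        low, high = self.signal_range
        return (not self.disabled                # disabled rules are always ignored
                and self.mac_address.lower() in (ANY_MAC, mac.lower())
                and self.interface in ("any", interface)
                and low <= signal <= high)


def first_match(rules: List[Rule], mac: str, interface: str,
                signal: int) -> Optional[int]:
    """Index of the first enabled rule that matches, or None."""
    for index, rule in enumerate(rules):
        if rule.matches(mac, interface, signal):
            return index
    return None


def decide(rules, mac, interface, signal, default_authentication=True):
    """Verdict at one instant: ('accept' | 'reject', matching rule index or None)."""
    index = first_match(rules, mac, interface, signal)
    if index is None:
        # No rule matched: the interface default decides.
        return ("accept" if default_authentication else "reject", None)
    return ("accept" if rules[index].authentication else "reject", index)


def session(rules, mac, interface, signals, default_authentication=True):
    """Replay signal samples; the first sample is the signal at connect time."""
    verdict, index = decide(rules, mac, interface, signals[0],
                            default_authentication)
    if verdict == "reject":
        return ["rejected"]
    states = ["connected"]
    if index is None:
        # Page warning: a client not in the ACL at connect time is ignored
        # by the ACL for the whole connection time.
        return states + ["connected"] * (len(signals) - 1)
    for signal in signals[1:]:
        # Assumption: the list is re-checked with the current signal.
        verdict, _ = decide(rules, mac, interface, signal,
                            default_authentication)
        if verdict == "reject":
            states.append("disconnected")
            break
        states.append("connected")
    return states


def uncovered_signal_ranges(rules, interface, mac):
    """Signal ranges in -120..120 where no rule matches (interface default applies)."""
    gaps, start = [], None
    for signal in range(-120, 121):
        if first_match(rules, mac, interface, signal) is None:
            start = signal if start is None else start
        elif start is not None:
            gaps.append((start, signal - 1))
            start = None
    if start is not None:
        gaps.append((start, 120))
    return gaps


CLIENT = "02:00:00:00:00:01"    # constructed sample MAC address

# First example on the page: one accept rule for -55..0 on wlan2.
SINGLE_RULE = [Rule(interface="wlan2", signal_range=(-55, 0))]

# Second example: the same accept rule plus an explicit reject for -120..-56.
WITH_REJECT = [
    Rule(interface="wlan2", signal_range=(-55, 0)),
    Rule(interface="wlan2", signal_range=(-120, -56), authentication=False),
]

if __name__ == "__main__":
    print(session(SINGLE_RULE, CLIENT, "wlan2", [-41, -75]))
    print(session(WITH_REJECT, CLIENT, "wlan2", [-41, -56]))
    print(uncovered_signal_ranges(SINGLE_RULE, "wlan2", CLIENT))
```

Every range reported by <code>uncovered_signal_ranges</code> is decided by the interface's '''default-authentication''' setting rather than by the access list.<br />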
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other station that are connected to same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface and the '''interface'''=''all'' defines [[Manual:Interface/List#Lists|interface-list]] “all” name. To make rule that applies only to one wireless interface, specify that interface as a value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If the signal strength of the station goes out of the range that is specified in the rule, the access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end time are expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The Align tool is used to help align devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of a remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If SSID or exact wireless protocol is provided in the wireless interface configuration, Connect List SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if the '''area''' value of the AP begins with the specified value. '''area''' value is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of [[#Security Profiles | security profile]] that is used when connecting to matching access points. If value of this property is ''none'', then security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create '''connect'''=''no'' rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
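The connect-list operation rules and the usage recipes above, modelled in Python as an added example (this is not RouterOS code and not part of the original manual). Only '''interface''', '''disabled''', '''connect''', '''mac-address''' and '''signal-range''' are modelled; the class and function names, the SSID and the unlisted AP's MAC are constructed, and choosing the strongest signal among access points matched by the same rule is an assumption.<br />

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"  # per the manual: this value matches always


@dataclass
class Rule:
    """One connect-list entry (hypothetical model, subset of properties)."""
    interface: str
    connect: bool = True
    mac_address: str = ANY_MAC
    signal_range: Tuple[int, int] = (-120, 120)
    disabled: bool = False


@dataclass
class AccessPoint:
    """One scan result seen by the station (constructed for the example)."""
    mac: str
    ssid: str
    signal: int


def first_match(rules: List[Rule], ap: AccessPoint, interface: str) -> Optional[int]:
    """Return the index of the first rule that matches, or None.

    Rules are checked sequentially, disabled rules are ignored, and only
    rules attached to this interface are considered.
    """
    for index, rule in enumerate(rules):
        if rule.disabled or rule.interface != interface:
            continue
        rule_mac = rule.mac_address.lower()
        if rule_mac != ANY_MAC and rule_mac != ap.mac.lower():
            continue
        low, high = rule.signal_range
        if not low <= ap.signal <= high:
            continue
        return index
    return None


def choose_ap(rules: List[Rule], scan: List[AccessPoint], interface: str,
              default_authentication: bool) -> Optional[AccessPoint]:
    """Station-mode decision: which scanned access point gets a connection attempt."""
    preferred = []   # (rule index, -signal, ap) for connect=yes matches
    unmatched = []   # access points no rule matched
    for ap in scan:
        index = first_match(rules, ap, interface)
        if index is None:
            unmatched.append(ap)
        elif rules[index].connect:
            preferred.append((index, -ap.signal, ap))
        # connect=no match: connection is never attempted
    if preferred:
        # Rule higher in the list wins; strongest signal breaks ties (assumption).
        return min(preferred, key=lambda c: c[:2])[2]
    if default_authentication and unmatched:
        # Fallback: best signal (security-profile compatibility is not modelled).
        return max(unmatched, key=lambda ap: ap.signal)
    return None


# Allow-list recipe from the manual: two permitted access points.
ALLOW_RULES = [
    Rule("station-wlan", connect=True, mac_address="00:11:22:33:00:01"),
    Rule("station-wlan", connect=True, mac_address="00:11:22:33:00:02"),
]
# Deny-list recipe from the manual: one blocked access point.
DENY_RULES = [
    Rule("station-wlan", connect=False, mac_address="00:11:22:33:44:55"),
]
# Constructed scan: two allowed APs and a stronger, unlisted AP with the same SSID.
UNLISTED = AccessPoint("02:00:00:00:00:99", "corp", -40)
SCAN = [
    AccessPoint("00:11:22:33:00:02", "corp", -70),
    UNLISTED,
    AccessPoint("00:11:22:33:00:01", "corp", -80),
]

if __name__ == "__main__":
    for default_auth in (False, True):
        for label, scan in (("full scan", SCAN), ("unlisted AP only", [UNLISTED])):
            chosen = choose_ap(ALLOW_RULES, scan, "station-wlan", default_auth)
            print(f"default-authentication={default_auth!s:5} {label:17} ->",
                  chosen.mac if chosen else "no connection")
```

With only the unlisted access point in range, the allow-list holds only when '''default-authentication'''=''no''; with ''yes'' the station falls back to the strongest unmatched access point, which is why the first step of the recipe cannot be skipped.<br />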
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements in your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to the nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method how to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, you should set their mode to nstreme-dual-slave. When using nstreme2, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method how to combine frames. A number of frames may be combined into one bigger one to reduce the amount of protocol overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method how to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer,integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
AP measures this so that it can tell clients what offset to use for their transmissions - clients then subtract this offset from their target transmission time such that propagation delay is accounted for and transmission arrives at AP when expected. You may occasionally see small negative value (like few usecs) there for close range clients because of additional unaccounted delay that may be produced in transmitter or receiver hardware that varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but allow also to receive and send unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect for Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows overriding the pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default="MikroTik"<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication. If set to an empty value, value of '''mschapv2-username''' is used instead.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc= For interfaces in station mode, determines policy for handling the TLS certificate of the RADIUS server. For interfaces in AP mode, determines policy for handling the TLS certificate of station and so only has effect when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange i.e. without using certificates on either end.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects the way how Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format of how the "called-id" identifier will be passed to RADIUS. When configuring radius server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in security-profile with '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default)<br />
* '''allowed''' - use management protection if supported by remote party (for AP - allow both, non-management protection and management protection clients, for client - connect both to APs with and without management protection)<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection, for client - connect only to APs that support management protection)<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
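<br />
The security-profile properties described above can be checked offline against saved <code>print</code> output. The following is an added example, not MikroTik code: it flags only the settings this page itself describes as weaker, and the function names, the <code>role</code> parameter and the sample profiles are constructed for illustration.<br />

```python
import re

# Constructed sample in the layout of the print output above: an item
# number followed by key=value pairs wrapped over several lines.
SAMPLE_PRINT = """\
[admin@mikrotik] /interface wireless security-profiles> print
 0 name="default" mode=none authentication-types="" unicast-ciphers=""
   group-ciphers="" eap-methods=passthrough tls-mode=no-certificates
   management-protection=disabled management-protection-key=""

 1 name="office" mode=dynamic-keys authentication-types=wpa2-eap
   unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls
   tls-mode=verify-certificate tls-certificate=ap-cert disable-pmkid=yes
   management-protection=allowed management-protection-key="constructed"

 2 name="legacy" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk
   unicast-ciphers=tkip,aes-ccm group-ciphers=tkip eap-methods=passthrough
   tls-mode=no-certificates disable-pmkid=no management-protection=disabled
"""

ITEM_START = re.compile(r"^\s*\d+\s")
PAIR = re.compile(r'([a-z0-9-]+)=("(?:[^"\\]|\\.)*"|\S*)')
UNVERIFIED_TLS = ("no-certificates", "dont-verify-certificate")


def parse_profiles(text):
    """Turn print output into one dict of properties per profile."""
    profiles = []
    for line in text.splitlines():
        if ITEM_START.match(line):
            profiles.append({})      # a new numbered item starts here
        if not profiles:
            continue                 # prompt line before the first item
        for key, value in PAIR.findall(line):
            profiles[-1][key] = value.strip('"')
    return profiles


def split_list(value):
    """Split a comma-separated multi-value property into a set."""
    return {item for item in value.split(",") if item}


def audit_profile(p, role="ap"):
    """Return (property, reason) pairs for one profile.

    role is "ap" or "station"; several properties only have effect on one
    side, so the same profile can audit differently depending on its use.
    Missing properties fall back to the defaults listed in the tables.
    """
    if role not in ("ap", "station"):
        raise ValueError("role must be 'ap' or 'station'")
    mode = p.get("mode", "none")
    if mode == "none":
        return [("mode", "encryption is not used")]
    if mode.startswith("static-keys"):
        return [("mode", "WEP mode with static keys")]

    findings = []                    # mode=dynamic-keys (WPA) from here on
    for prop in ("unicast-ciphers", "group-ciphers"):
        if "tkip" in split_list(p.get(prop, "aes-ccm")):
            findings.append((prop, "tkip is enabled; use aes-ccm only"))
    # disable-pmkid only has effect on Access Points.
    if role == "ap" and p.get("disable-pmkid", "no") != "yes":
        findings.append(("disable-pmkid", "PMKID is included in EAPOL frames"))
    # tls-mode: on a station it governs the RADIUS server certificate; on an
    # AP it only has effect when eap-methods contains eap-tls.
    uses_eap = bool(split_list(p.get("authentication-types", ""))
                    & {"wpa-eap", "wpa2-eap"})
    tls_applies = (role == "station"
                   or "eap-tls" in split_list(p.get("eap-methods", "passthrough")))
    if uses_eap and tls_applies and p.get("tls-mode", "no-certificates") in UNVERIFIED_TLS:
        findings.append(("tls-mode", "peer certificate is not verified"))
    if p.get("management-protection", "disabled") == "disabled":
        findings.append(("management-protection", "management protection is disabled"))
    return findings


def audit(text, role="ap"):
    """Map each profile name in the print output to its findings."""
    return {p.get("name", "?"): audit_profile(p, role) for p in parse_profiles(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PRINT).items():
        for prop, reason in findings:
            print(f"{name}: {prop}: {reason}")
```
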
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
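<br />
When provisioning MAC entries on the RADIUS server, the User-Name value has to match the access point's '''radius-mac-format''' exactly. The following added example (not RouterOS code) builds the request attributes listed above and checks a received request for internal consistency; the function names and sample addresses are constructed, upper-case hex digits are an assumption, and the Called-Station-Id value for ''radius-called-format''=''mac'' is an assumed reading of that property.<br />

```python
import re

# The seven radius-mac-format values listed on this page.
MAC_FORMATS = (
    "XX:XX:XX:XX:XX:XX", "XXXX:XXXX:XXXX", "XXXXXX:XXXXXX",
    "XX-XX-XX-XX-XX-XX", "XXXXXX-XXXXXX", "XXXXXXXXXXXX",
    "XX XX XX XX XX XX",
)
_MAC = re.compile(r"[0-9A-Fa-f]{2}(?:[:\- ]?[0-9A-Fa-f]{2}){5}")


def mac_digits(mac):
    """Return the 12 hex digits of a MAC address, upper-cased (assumption)."""
    if not _MAC.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[:\- ]", "", mac).upper()


def format_mac(mac, fmt):
    """Encode a MAC address according to one radius-mac-format template."""
    if fmt not in MAC_FORMATS:
        raise ValueError(f"unknown radius-mac-format: {fmt!r}")
    digits = iter(mac_digits(mac))
    return "".join(next(digits) if ch == "X" else ch for ch in fmt)


def called_station_id(ap_mac, ssid, called_format="mac:ssid"):
    """Called-Station-Id for radius-called-format = mac | mac:ssid | ssid."""
    mac = format_mac(ap_mac, "XX-XX-XX-XX-XX-XX")
    if called_format == "mac:ssid":
        return f"{mac}:{ssid}"
    if called_format == "ssid":
        return ssid
    if called_format == "mac":
        return mac                   # assumed: MAC alone, dash separated
    raise ValueError(f"unknown radius-called-format: {called_format!r}")


def mac_auth_request(client_mac, ap_mac, ssid, interface,
                     mac_format="XX:XX:XX:XX:XX:XX", mac_mode="as-username",
                     called_format="mac:ssid"):
    """Attributes of the Access-Request sent for RADIUS MAC authentication."""
    user_name = format_mac(client_mac, mac_format)
    return {
        "User-Name": user_name,
        # Empty unless radius-mac-mode=as-username-and-password.
        "User-Password": user_name if mac_mode == "as-username-and-password" else "",
        "Nas-Port-Id": interface,
        "Calling-Station-Id": format_mac(client_mac, "XX-XX-XX-XX-XX-XX"),
        "Called-Station-Id": called_station_id(ap_mac, ssid, called_format),
    }


def validate_mac_auth(attrs, mac_format, mac_mode):
    """Server-side consistency check; returns a list of problems found."""
    try:
        calling = mac_digits(attrs.get("Calling-Station-Id", ""))
    except ValueError:
        return ["Calling-Station-Id is not a MAC address"]
    problems = []
    expected_name = format_mac(calling, mac_format)
    if attrs.get("User-Name") != expected_name:
        problems.append("User-Name does not match Calling-Station-Id "
                        "in the configured radius-mac-format")
    expected_pw = expected_name if mac_mode == "as-username-and-password" else ""
    if attrs.get("User-Password", "") != expected_pw:
        problems.append("User-Password does not match radius-mac-mode")
    return problems


if __name__ == "__main__":
    # Constructed addresses (locally administered), SSID and interface name.
    request = mac_auth_request("02:00:00:aa:bb:cc", "02:00:00:11:22:33",
                               "office", "wlan1", mac_format="XXXXXX-XXXXXX")
    for name, value in request.items():
        print(f"{name} = {value!r}")
    print(validate_mac_auth(request, "XXXXXX-XXXXXX", "as-username"))
```

Both User-Name and User-Password are derived from the client MAC address in either '''radius-mac-mode''', so the check confirms that a request is well formed, not that the client holds a secret.<br />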
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before the response from the RADIUS server is received. Access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from the matching connect list entry. WDS link will work when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies a compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If the ''master-interface'' mode is ''station'', the Virtual AP will work only when the ''master-interface'' is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade. <br />
''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This makes it possible to build a repeater setup using only one hardware card. The configuration process is exactly the same as above, but uses mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer allows to capture frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process crc mismatch packets<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the available APs in the frequency range defined in the scan-list.<br />
While the scan command is running, interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep), background scan is supported, which can be used during wireless interface operation without disconnecting the wireless link. Background scan is supported only with the 802.11 wireless protocol.<br />
<br />
Scan tool will continue scanning for AP until user stops the scan process. It is possible to use 'rounds' setting for the scan tool to do scan through the scan-list entries specific times. It is useful when running scan tool using scripts. Example of scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows scripted/scheduled scans whose results are saved to a file for future analysis. Together with the 'rounds' setting, this feature also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to the file, exits the scan and reconnects the wireless link. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
Background scan feature is working in such conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
Scan command is supported also on the Virtual wireless interfaces with such limitations:<br />
* It is possible when virtual interface and its master is fixed on channel (master AP is running or master station is connected to AP).<br />
* Scan is only performed in channel master interface is on.<br />
* It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options<br />
* disabled<br />
* push-button - WPS is activated by pushing physical button on the board (few boards have such button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing "WPS Accept" button from the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on the few boards that have a physical WPS button marked. For example, hap lite, hap, hap ac lite, hap ac, map lite<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
WPS Client function allows the wireless client to get the Pre-Shared Key configuration of the AP that has WPS Server enabled.<br />
WPS Client can be enabled by such command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates wireless security profile with the specified name, configures it with security details received from the WPS AP, specifies the wireless interface to use the new created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
Wireless repeater will allow to receive the signal from the AP and repeat the signal using the same physical interface locally for connecting other clients. This will allow to extend the wireless service for the wireless clients.<br />
Wireless repeater function will configure the wireless interface to connect to the AP with station-bridge or station-pseudobridge option, create a virtual AP interface, create a bridge interface and add both (main and the virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.<br />
When RouterOS wireless client is connected to the AP using 802.11 wireless protocol it will periodically perform the background scan with specific time intervals. When the background scan will find an AP with better signal it will try to roam to that AP. The time intervals between the background scans will become shorter when the wireless signal becomes worse and the background scan interval will become longer when the wireless client signal will get better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on Ethernet side of "locally forwarding" AP (the one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic of Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag, and only data with this tag will be sent out over wireless. This works for all wireless protocols, except that on Nv2 there's no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP doesn't use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID use 802.1ad tag type<br />
* ''use-tag'' - VLAN ID use 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of <br />
access-list and RADIUS attributes (for both - regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27 we have added such feature:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
- NAI Realm Encoding (1 byte)<br />
- NAI Realm Length (1 byte)<br />
- NAI Realm (variable)<br />
- EAP Method Count (1 byte)<br />
- EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
- NAI Realm Encoding: 0 (rfc4282)<br />
- NAI Realm Length: 4<br />
- NAI Realm: Test<br />
- EAP Method Count: 1<br />
- EAP Method Length: 2<br />
- EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note, that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
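The field layout above can be checked before a value is put into '''realms-raw'''. The following decoder/encoder is an added example, not RouterOS code and not part of the original manual; the function names are hypothetical, and the layout of the authentication parameters inside an EAP Method Tuple (ID, length, value) is taken from the 802.11 section referenced below rather than from this page.<br />

```python
# EAP method numbers are the IANA EAP type values; only 13 (TLS) appears on
# the page, the other two names are added here for readability.
EAP_NAMES = {13: "TLS", 21: "TTLS", 25: "PEAP"}


class RealmError(ValueError):
    """Raised when a realms-raw hex string does not follow the tuple layout."""


def _take(buf, pos, n, what):
    # Bounds-checked slice: returns (bytes, new_position).
    if pos + n > len(buf):
        raise RealmError(f"truncated {what} at offset {pos}")
    return buf[pos:pos + n], pos + n


def decode_realm_tuple(hex_string):
    """Decode one realms-raw string (NAI Realm Tuple without its length field)."""
    try:
        buf = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise RealmError(f"not valid hex: {exc}") from None
    (encoding, realm_len), pos = _take(buf, 0, 2, "encoding/realm length")
    realm_raw, pos = _take(buf, pos, realm_len, "NAI Realm")
    (count,), pos = _take(buf, pos, 1, "EAP Method Count")
    methods = []
    for _ in range(count):
        (tuple_len,), pos = _take(buf, pos, 1, "EAP Method Length")
        body, pos = _take(buf, pos, tuple_len, "EAP Method Tuple")
        if tuple_len < 2:
            raise RealmError("EAP Method Tuple shorter than 2 bytes")
        method, param_count = body[0], body[1]
        params, p = [], 2
        for _ in range(param_count):
            (param_id, param_len), p = _take(body, p, 2, "auth parameter header")
            value, p = _take(body, p, param_len, "auth parameter value")
            params.append((param_id, value.hex()))
        if p != len(body):
            raise RealmError("unused bytes inside EAP Method Tuple")
        methods.append({"method": method,
                        "name": EAP_NAMES.get(method, "unknown"),
                        "params": params})
    if pos != len(buf):
        raise RealmError(f"{len(buf) - pos} trailing byte(s) after last tuple")
    return {"encoding": encoding,
            "realm": realm_raw.decode("utf-8", errors="replace"),
            "methods": methods}


def encode_realm_tuple(realm, methods, encoding=0):
    """Build a realms-raw string.

    methods is a list of (eap_method_number, [(param_id, value_bytes), ...]).
    """
    realm_raw = realm.encode("utf-8")
    out = bytearray([encoding, len(realm_raw)]) + realm_raw
    out.append(len(methods))
    for method, params in methods:
        body = bytearray([method, len(params)])
        for param_id, value in params:
            body += bytes([param_id, len(value)]) + value
        out += bytes([len(body)]) + body
    return out.hex()


if __name__ == "__main__":
    # The value used as the example in the manual text.
    print(decode_realm_tuple("00045465737401020d00"))
```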
<br />
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34573Manual:Interface/Wireless2022-10-27T14:53:32Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Wireless+Interface}}<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. Value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings'''; default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows to use station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Use of extension channels (e.g. Ce, eC, etc.) allows additional 20MHz extension channels and specifies whether they are located below or above the control (main) channel. An extension channel allows 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing maximum throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency, based on the number of concurrent devices running on every frequency, and choose the “C” (control) channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''' interface will always have running flag. If value is set to '''no''', the router determines whether the card is up and running - for AP one or more clients have to be registered to it, for station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmissions on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory_domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Allows specifying an offset if the wireless card operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending a frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is retransmitted until transmission succeeds, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
* ''station-bridge'' - Provides support for transparent protocol-independent L2 bridging on the station device. RouterOS AP accepts clients in station-bridge mode when enabled using bridge-mode parameter. In this mode, the AP maintains a forwarding table with information on which MAC addresses are reachable over which station device. Only works with RouterOS APs. With station-bridge mode, it is not possible to connect to CAPsMAN-controlled CAP.<br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establish WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the high priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on AP.<br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is the older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses a standardized way of including vendor specific information that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receiving. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) type also supports range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports a step feature where it is possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate such scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels or specifically skip DFS CAC channels in range 5600-5650MHz, for which detection could go up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signal strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2 nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2 nstreme 802.11'' - on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]]. Only applies to bands B and G. Other bands will have it enabled regardless of this setting.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) do not use b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
The 802.11 standard provides a means to protect a transmission against transmissions from other devices by using the RTS/CTS protocol. Frame protection helps to fight the "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - a device that wants to send a frame first sends a RequestToSend frame and waits for a ClearToSend frame from the intended destination. By "seeing" an RTS or CTS frame, 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves.<br />
* "CTS to self" based protection - a device that wants to send a frame sends a CTS frame "to itself". As in the RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving the CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive the CTS sent by the other station - in this case the stations must use RTS/CTS so that the other station knows not to transmit by seeing the CTS transmitted by the AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients.<br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distances with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission (equal to the ''round trip time'' - the time in which a frame can be sent to and received from the client). This time is used to ensure that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period.<br />
<br />
For example, the distance between Access Point and client is 30km. Frame is sent in 100us one direction, respectively round-trip-time is ~200us. '''tdma-period-size''' default value is 2ms, it means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of time is unused. For 60km wireless link, round-trip-time is 400ms, unused time is 20% for default tdma-period-size 2ms, and 10% for 4ms. Bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
The default behaviour of the access list is to allow connection.<br />
<br />
Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.<br />
<br />
There are the following parameters for access list rules:<br />
* client matching parameters:<br />
** address - MAC address of client<br />
** interface - optional interface to compare with the interface to which the client actually connects<br />
** time - time of day and days when rule matches<br />
** signal-range - range in which client signal must fit for rule to match<br />
** allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval<br />
* connection parameters:<br />
** ap-tx-limit - tx speed limit in direction to client<br />
** client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)<br />
** private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used<br />
** vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).<br />
** vlan-id - VLAN ID to use if doing VLAN tagging.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If the remote device is matched by a rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If there is no entry in the ACL for a client that connects to the AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then the ACL is ignored for this client for the whole connection time.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then the connection is matched to the ACL rule, but if signal drops to -70..-80, the client will not be disconnected.<br />
Please note that if "default-authentication=yes" is set on wireless interface, clients will be able to join even if there are no matching access-list entries.<br />
<br />
To make it work correctly, the client must be matched by one of the ACL rules.<br />
<br />
If we modify ACL rules in the previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55..0<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
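The two rule sets above, and the '''default-authentication''' note, traced through a simplified model of the evaluation this section describes. This is an added example, not RouterOS code: the class and function names, the MAC addresses and the signal readings are constructed, and the model assumes rules are re-checked on every signal reading.<br />

```python
from dataclasses import dataclass

ANY_MAC = "00:00:00:00:00:00"  # documented wildcard: this value matches always


@dataclass
class AclRule:
    """One access-list rule, reduced to the fields this model needs."""
    mac_address: str = ANY_MAC
    interface: str = "any"
    signal_range: tuple = (-120, 120)  # documented default range
    authentication: bool = True
    disabled: bool = False

    def matches(self, mac, interface, signal):
        low, high = self.signal_range
        return (not self.disabled
                and self.mac_address.upper() in (ANY_MAC, mac.upper())
                and self.interface in ("any", interface)
                and low <= signal <= high)


def first_match(rules, mac, interface, signal):
    """Index of the first enabled rule that matches, or None."""
    for index, rule in enumerate(rules):
        if rule.matches(mac, interface, signal):
            return index
    return None


def trace_session(rules, mac, interface, signals, default_authentication=True):
    """Follow one client through successive signal readings.

    Returns a list of (signal, state, reason) tuples.
    """
    if first_match(rules, mac, interface, signals[0]) is None:
        if not default_authentication:
            return [(signals[0], "rejected", "no rule, default-authentication=no")]
        # Per the warning above: a client that was not in the ACL when it
        # connected is not checked against the ACL for the rest of the session.
        return [(s, "connected", "not in ACL, accepted by default") for s in signals]
    events = []
    for signal in signals:
        index = first_match(rules, mac, interface, signal)
        if index is None:
            # No rule covers this signal level, so nothing forces a disconnect.
            events.append((signal, "connected", "no rule matches this signal"))
        elif rules[index].authentication:
            events.append((signal, "connected", f"rule {index} accepts"))
        else:
            state = "disconnected" if events else "rejected"
            events.append((signal, state, f"rule {index}: authentication=no"))
            break
    return events


def final_state(events):
    return events[-1][1]


# Constructed sample data (locally administered MAC addresses).
CLIENT = "02:00:00:00:00:0A"
UNKNOWN = "02:00:00:00:00:0B"
SINGLE_RULE = [AclRule(interface="wlan2", signal_range=(-55, 0))]
RULE_PAIR = [
    AclRule(interface="wlan2", signal_range=(-55, 0)),
    AclRule(interface="wlan2", signal_range=(-120, -56), authentication=False),
]
ALLOWLIST = [AclRule(mac_address=CLIENT, interface="wlan2")]

if __name__ == "__main__":
    cases = [
        ("single rule, signal fades", SINGLE_RULE, CLIENT, [-41, -70], True),
        ("rule pair, signal fades", RULE_PAIR, CLIENT, [-41, -56], True),
        ("allowlist, unknown MAC, default-authentication=yes", ALLOWLIST, UNKNOWN, [-50], True),
        ("allowlist, unknown MAC, default-authentication=no", ALLOWLIST, UNKNOWN, [-50], False),
    ]
    for title, rules, mac, signals, default_auth in cases:
        print(title)
        for event in trace_session(rules, mac, "wlan2", signals, default_auth):
            print("   ", event)
```

In this model a MAC allowlist only restricts who can join when '''default-authentication''' is ''no'', and a signal floor only disconnects clients when a second rule with '''authentication'''=''no'' covers the weak range.<br />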
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other station that are connected to same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface and the '''interface'''=''all'' defines [[Manual:Interface/List#Lists|interface-list]] “all” name. To make rule that applies only to one wireless interface, specify that interface as a value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If signal strength of the station will go out of the range that is specified in the rule, access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end time is expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The align tool is used to help align devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of the remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If SSID or exact wireless protocol is provided in the wireless interface configuration, connect-list SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
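The station-mode selection rules in the list above, as a simplified model that shows how rule order, '''connect'''=''no'' and '''default-authentication''' decide which access point a station picks. This is an added example, not RouterOS code: the names, MAC addresses and scan results are constructed, security-profile compatibility is not modelled, and breaking ties inside one rule by signal strength is an assumption.<br />

```python
from dataclasses import dataclass

WILDCARD_MAC = "00:00:00:00:00:00"  # documented wildcard: this value matches always


@dataclass
class ConnectRule:
    """One connect-list rule, reduced to the fields this model needs."""
    connect: bool = True
    mac_address: str = WILDCARD_MAC
    signal_range: tuple = (-120, 120)  # documented default range
    disabled: bool = False


@dataclass
class ScannedAp:
    """One access point seen by the station during a scan."""
    mac: str
    ssid: str
    signal: int


def matching_rule(rules, ap):
    """Index of the first enabled rule that matches this AP, or None."""
    for index, rule in enumerate(rules):
        low, high = rule.signal_range
        if (not rule.disabled
                and rule.mac_address.upper() in (WILDCARD_MAC, ap.mac.upper())
                and low <= ap.signal <= high):
            return index
    return None


def choose_ap(rules, scan, default_authentication):
    """Return the AP the station would try to connect to, or None."""
    preferred = []   # (rule index, -signal, position in scan) for connect=yes matches
    unmatched = []   # APs that no rule matched
    for position, ap in enumerate(scan):
        index = matching_rule(rules, ap)
        if index is None:
            unmatched.append(ap)
        elif rules[index].connect:
            preferred.append((index, -ap.signal, position))
        # connect=no: connection with this AP is never attempted
    if preferred:
        # The AP matched by the rule highest in the list wins, whatever its signal.
        return scan[min(preferred)[2]]
    if default_authentication and unmatched:
        # Nothing matched a connect=yes rule: fall back to the best signal.
        return max(unmatched, key=lambda ap: ap.signal)
    return None


# Constructed scan: two expected APs and one unknown AP with the strongest signal.
SCAN = [
    ScannedAp("02:00:00:00:00:01", "corp", -60),
    ScannedAp("02:00:00:00:00:02", "corp", -70),
    ScannedAp("02:00:00:00:00:99", "corp", -40),
]
ALLOW_RULES = [
    ConnectRule(mac_address="02:00:00:00:00:02"),
    ConnectRule(mac_address="02:00:00:00:00:01"),
]
DENY_RULES = [ConnectRule(connect=False, mac_address="02:00:00:00:00:99")]

if __name__ == "__main__":
    print("no rules, default-authentication=yes:", choose_ap([], SCAN, True))
    print("allow rules, default-authentication=no:", choose_ap(ALLOW_RULES, SCAN, False))
    print("allow rules, only unknown AP visible:", choose_ap(ALLOW_RULES, SCAN[2:], False))
    print("deny rule, default-authentication=yes:", choose_ap(DENY_RULES, SCAN, True))
```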
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if '''area''' value of AP begins with specified value. '''area''' value is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of [[#Security Profiles | security profile]] that is used when connecting to matching access points. If value of this property is ''none'', then security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create '''connect'''=''no'' rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements of your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work because of the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>5,10,20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmission, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, set their mode to nstreme-dual-slave. When nstreme2 is used, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into one bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmission, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method how to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer, integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
AP measures this so that it can tell clients what offset to use for their transmissions - clients then subtract this offset from their target transmission time such that propagation delay is accounted for and transmission arrives at AP when expected. You may occasionally see small negative value (like few usecs) there for close range clients because of additional unaccounted delay that may be produced in transmitter or receiver hardware that varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows overriding the pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
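<br />
The check below is an added example, not part of the MikroTik manual or RouterOS: it parses export-style text for this menu and flags profiles whose '''mode''', '''authentication-types''', cipher and '''disable-pmkid''' values fall short of the stronger options described above. The sample export is constructed, and the export line layout, the profile label ''default'' and the finding policy are assumptions of the example.<br />

```python
import re
import shlex

MENU = "/interface wireless security-profiles"

# Defaults taken from the property tables above; assumed to be omitted from exports.
DEFAULTS = {
    "mode": "none",
    "authentication-types": "",
    "unicast-ciphers": "aes-ccm",
    "group-ciphers": "aes-ccm",
    "disable-pmkid": "no",
}

# Constructed sample, not taken from a real device.
SAMPLE_EXPORT = r"""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=legacy unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
    "example only" wpa2-pre-shared-key="example only"
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=\
    hardened wpa2-pre-shared-key="example only"
add mode=static-keys-required name=wep
/interface wireless
set [ find default-name=wlan1 ] security-profile=hardened
"""


def parse_profiles(export_text):
    """Return {profile name: properties} for the security-profiles menu."""
    # Assumption: a trailing backslash continues the line; the next line is indented.
    joined = re.sub(r"\\\r?\n[ \t]*", "", export_text)
    profiles, in_menu = {}, False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_menu = line == MENU
            continue
        if not in_menu or not line.startswith(("add ", "set ")):
            continue
        # The built-in profile is addressed by a find expression; label it "default".
        line = re.sub(r"\[\s*find\s+default=yes\s*\]", "name=default", line)
        props = dict(DEFAULTS)
        for token in shlex.split(line)[1:]:
            key, sep, value = token.partition("=")
            if sep:
                props[key] = value
        profiles[props.get("name", "<unnamed>")] = props
    return profiles


def audit_profile(props):
    """Return findings for one profile (policy is this example's assumption)."""
    findings = []
    mode = props["mode"]
    if mode == "none":
        findings.append("mode=none: encryption is not used")
    elif mode.startswith("static-keys"):
        findings.append(f"mode={mode}: WEP mode")
    elif mode == "dynamic-keys":
        auth = {a for a in props["authentication-types"].split(",") if a}
        wpa1 = sorted(auth & {"wpa-psk", "wpa-eap"})
        if wpa1:
            findings.append("authentication-types allows " + ",".join(wpa1))
        for prop in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in props[prop].split(","):
                findings.append(f"{prop} allows tkip")
        if props["disable-pmkid"] != "yes":
            findings.append("disable-pmkid=no: PMKID included in EAPOL frames")
    return findings


def audit(export_text):
    """Return {profile name: [findings]} without echoing any key material."""
    return {name: audit_profile(p) for name, p in parse_profiles(export_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        print(name, "->", findings or "no findings")
```

Findings name the property only, never the pre-shared key values, so the report can be shared without leaking secrets.<br />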
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default="MikroTik"<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication. If set to an empty value, value of '''mschapv2-username''' is used instead.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc= For interfaces in station mode, determines policy for handling the TLS certificate of the RADIUS server. For interfaces in AP mode, determines policy for handling the TLS certificate of station and so only has effect when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange i.e. without using certificates on either end.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects how the Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format in which the "called-id" identifier is passed to RADIUS. When configuring RADIUS server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in security-profile with '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default).<br />
* '''allowed''' - use management protection if supported by remote party (for AP - allow both non-management protection and management protection clients, for client - connect both to APs with and without management protection).<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection, for client - connect only to APs that support management protection).<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require from the access point very quick response to the association request. Such clients time out before response from RADIUS server is received. Access point caches authentication response for some time and can immediately reply to the repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
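The attribute encodings listed for RADIUS MAC authentication and for RADIUS EAP pass-through, worked through as an added example (not RouterOS or MikroTik code) that a RADIUS administrator could use to provision user names and to cross-check incoming requests. The function names, the upper-case hex output and the sample MAC addresses are assumptions made for this example.<br />

```python
import re

# The seven radius-mac-format templates from the RADIUS properties table.
MAC_FORMATS = (
    "XX:XX:XX:XX:XX:XX", "XXXX:XXXX:XXXX", "XXXXXX:XXXXXX",
    "XX-XX-XX-XX-XX-XX", "XXXXXX-XXXXXX", "XXXXXXXXXXXX", "XX XX XX XX XX XX",
)
DASHED = "XX-XX-XX-XX-XX-XX"  # fixed encoding of Calling-/Called-Station-Id


def encode_mac(mac, fmt=MAC_FORMATS[0]):
    """Render a MAC address with one radius-mac-format template."""
    if fmt not in MAC_FORMATS:
        raise ValueError("unknown radius-mac-format: %r" % (fmt,))
    digits = re.sub(r"[:\-. ]", "", mac).upper()  # assumption: upper-case hex
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    it = iter(digits)
    return "".join(next(it) if ch == "X" else ch for ch in fmt)


def decode_mac(value):
    """Return (dash-separated MAC, template) or None if no template matches."""
    for fmt in MAC_FORMATS:
        pattern = re.escape(fmt).replace("X", "[0-9A-Fa-f]")
        if re.fullmatch(pattern, value):
            return encode_mac(value, DASHED), fmt
    return None


def mac_auth_request(client_mac, ap_mac, ssid, ifname,
                     mac_format=MAC_FORMATS[0], mac_mode="as-username"):
    """Attributes the page lists for a MAC authentication Access-Request."""
    user = encode_mac(client_mac, mac_format)
    return {
        "User-Name": user,
        # Empty unless radius-mac-mode=as-username-and-password.
        "User-Password": user if mac_mode == "as-username-and-password" else "",
        "Nas-Port-Id": ifname,
        "Calling-Station-Id": encode_mac(client_mac, DASHED),
        "Called-Station-Id": encode_mac(ap_mac, DASHED) + ":" + ssid,
    }


def check_mac_auth(attrs, expected_format, allowed_ssids):
    """Server-side consistency checks; returns a list of findings."""
    decoded = decode_mac(attrs.get("User-Name", ""))
    if decoded is None:
        return ["User-Name is not a MAC address in any radius-mac-format"]
    mac, fmt = decoded
    findings = []
    if fmt != expected_format:
        findings.append("User-Name uses %s, expected %s" % (fmt, expected_format))
    if attrs.get("Calling-Station-Id", "").upper() != mac:
        findings.append("User-Name and Calling-Station-Id name different clients")
    ap, sep, ssid = attrs.get("Called-Station-Id", "").partition(":")
    ap_decoded = decode_mac(ap)
    if not sep or ap_decoded is None or ap_decoded[1] != DASHED:
        findings.append("Called-Station-Id is not XX-XX-XX-XX-XX-XX:SSID")
    elif ssid not in allowed_ssids:
        findings.append("unexpected SSID %r" % (ssid,))
    if attrs.get("User-Password", "") not in ("", attrs["User-Name"]):
        findings.append("User-Password is neither empty nor equal to User-Name")
    return findings


def split_multi_session_id(value):
    """Split Acct-Multi-Session-Id into (AP MAC, client MAC, 8-byte value)."""
    parts = value.split("-")
    if len(parts) != 20 or not all(
            re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("expected 20 dash-separated hex bytes")
    parts = [p.upper() for p in parts]
    return "-".join(parts[:6]), "-".join(parts[6:12]), "".join(parts[12:])


if __name__ == "__main__":
    # Constructed sample values (locally administered MAC addresses).
    req = mac_auth_request("02:00:00:aa:bb:01", "02:00:00:00:00:10",
                           "office", "wlan1", mac_format="XXXXXX-XXXXXX")
    for name, value in req.items():
        print("%-20s %r" % (name, value))
    print(check_mac_auth(req, "XXXXXX-XXXXXX", {"office"}))
```
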
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
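The key length rules above, together with the '''static-transmit-key''' behaviour described in the WEP properties table, applied to a security profile as an added example (not RouterOS code). The profile text is a constructed sample in the layout of the <code>print</code> output shown earlier, the keys are dummy values, and the function names and status labels are assumptions made for this example.<br />

```python
import re

# Hex digits required per algorithm ("Statically configured WEP keys").
REQUIRED_DIGITS = {"40bit-wep": 10, "104bit-wep": 26, "tkip": 64, "aes-ccm": 32}
TRUNCATED = ("40bit-wep", "104bit-wep")  # longer keys: only the first bits used

# Constructed sample in the layout of "security-profiles print"; dummy keys.
SAMPLE = '''
 0 name="wds-wep" mode=static-keys-required authentication-types=""
   static-algo-0=104bit-wep static-key-0="0123456789abcdef0123456789"
   static-algo-1=40bit-wep static-key-1="0123456789abcd"
   static-algo-2=aes-ccm static-key-2="00112233445566778899aabbccddeef"
   static-algo-3=none static-key-3=""
   static-transmit-key=key-3 static-sta-private-algo=none
   static-sta-private-key=""
'''


def parse_profile(text):
    """Turn wrapped key=value / key="value" print output into a dict."""
    props = {}
    for key, value in re.findall(r'([\w-]+)=("[^"]*"|\S*)', text):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        props[key] = value
    return props


def check_key(algo, key):
    """Return (status, message); status is 'ok', 'warn' or 'error'."""
    if algo == "none":
        return ("ok", "no key in use")
    if algo not in REQUIRED_DIGITS:
        return ("error", "unknown algorithm %r" % (algo,))
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        return ("error", "key contains non-hexadecimal characters")
    if len(key) % 2:
        return ("error", "key has an odd number of hexadecimal digits")
    need = REQUIRED_DIGITS[algo]
    if len(key) < need:
        return ("error", "%s needs %d hex digits, got %d" % (algo, need, len(key)))
    if len(key) > need and algo in TRUNCATED:
        return ("warn", "only the first %d bits of the key are used" % (need * 4))
    return ("ok", "%d hex digits" % len(key))


def audit_static_keys(props):
    """Check every static key and the transmit key of one parsed profile."""
    pairs = [("static-algo-%d" % n, "static-key-%d" % n) for n in range(4)]
    pairs.append(("static-sta-private-algo", "static-sta-private-key"))
    report = {}
    for algo_prop, key_prop in pairs:
        report[key_prop] = check_key(props.get(algo_prop, "none"),
                                     props.get(key_prop, ""))
    # static-transmit-key pointing at an algorithm of "none": frames go out
    # unencrypted (static-keys-optional) or are not sent (static-keys-required).
    mode = props.get("mode", "none")
    index = props.get("static-transmit-key", "key-0")[-1]
    tx_algo = props.get("static-algo-" + index, "none")
    if mode not in ("static-keys-required", "static-keys-optional"):
        report["static-transmit-key"] = ("ok", "static keys not used in this mode")
    elif tx_algo != "none":
        report["static-transmit-key"] = ("ok", "transmit key uses " + tx_algo)
    elif mode == "static-keys-optional":
        report["static-transmit-key"] = ("warn", "frames are sent unencrypted")
    else:
        report["static-transmit-key"] = ("error", "frames are not sent at all")
    return report


if __name__ == "__main__":
    for prop, (status, message) in audit_static_keys(parse_profile(SAMPLE)).items():
        print("%-24s %-5s %s" % (prop, status, message))
```
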
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from matching connect list entry. WDS link works when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This allows a repeater setup using only one hardware card. The process of configuration is exactly the same as above, but use mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer captures frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process crc mismatch packets<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the available APs in the frequency range defined in the scan-list.<br />
While the scan command is running, the interface operation is disabled (wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep) background scan is supported, which can be used during the wireless interface operation without disconnecting the wireless link. Background scan is supported only using 802.11 wireless protocol.<br />
<br />
Scan tool will continue scanning for APs until the user stops the scan process. It is possible to use the 'rounds' setting to make the scan tool go through the scan-list entries a specific number of times. It is useful when running the scan tool from scripts. Example of scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows scripted/scheduled scans that save the results in a file for future analysis. Together with the 'rounds' setting, this feature also allows getting scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to file, exits the scan and connects the wireless link back. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
Background scan works under the following conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
Scan command is also supported on the Virtual wireless interfaces, with the following limitations:<br />
* It is possible when virtual interface and its master is fixed on channel (master AP is running or master station is connected to AP).<br />
* Scan is performed only on the channel the master interface is on.<br />
* It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing the physical button on the board (a few boards have such a button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing the "WPS Accept" button in the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on a few boards that have a physical WPS button marked, for example, hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
WPS Client function allows the wireless client to get the Pre-Shared Key configuration of the AP that has WPS Server enabled.<br />
WPS Client can be enabled with this command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates a wireless security profile with the specified name, configures it with the security details received from the WPS AP, and sets the wireless interface to use the newly created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
A wireless repeater receives the signal from the AP and repeats it using the same physical interface, so that other clients can connect locally. This extends the wireless service for the wireless clients.<br />
The wireless repeater function will configure the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, create a virtual AP interface, create a bridge interface and add both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.<br />
When a RouterOS wireless client is connected to the AP using the 802.11 wireless protocol, it periodically performs a background scan at specific time intervals. When the background scan finds an AP with a better signal, the client will try to roam to that AP. The intervals between background scans become shorter when the wireless signal gets worse and longer when the wireless client signal gets better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (the one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic on the Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag, and only data with this tag will be sent out over wireless. This works for all wireless protocols except that on Nv2 there's no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no tag {{!}} use service tag {{!}} use tag<br />
|default=no tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP doesn't use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of <br />
access-list and RADIUS attributes (for both - regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27 the following feature is available:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
- NAI Realm Encoding (1 byte)<br />
- NAI Realm Length (1 byte)<br />
- NAI Realm (variable)<br />
- EAP Method Count (1 byte)<br />
- EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
- NAI Realm Encoding: 0 (rfc4282)<br />
- NAI Realm Length: 4<br />
- NAI Realm: Test<br />
- EAP Method Count: 1<br />
- EAP Method Length: 2<br />
- EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
<br />
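The field layout listed above can be checked with a small decoder/encoder before a value is pasted into '''realms-raw'''. This is an added example, not MikroTik code; the EAP type numbers come from the IANA registry, the authentication-parameter layout (count, then ID/length/value) is taken from the 802.11 NAI Realm definition rather than from this page, and the second sample string is constructed.<br />

```python
"""Decode/encode a RouterOS realms-raw value: one NAI Realm Tuple without
its leading "NAI Realm Data Field Length" field."""

# Subset of the IANA EAP method type registry (assumption: not listed on the page).
EAP_METHODS = {13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA", 25: "PEAP"}
REALM_ENCODINGS = {0: "rfc4282", 1: "utf8"}

# Constructed sample: realm "example.com", one EAP-TTLS tuple carrying two
# authentication parameters (ID 2 value 0x04, ID 5 value 0x07).
CONSTRUCTED_SAMPLE = "000b6578616d706c652e636f6d01081502020104050107"


class RealmParseError(ValueError):
    """Raised when the hex string does not follow the tuple layout."""


class _Reader:
    """Bounds-checked cursor, so a bad length byte cannot read past the end."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n, what):
        if self.pos + n > len(self.data):
            raise RealmParseError(f"truncated at offset {self.pos} reading {what}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self, what):
        return self.take(1, what)[0]


def parse_realms_raw(hex_string):
    """Return the decoded tuple as a dict; raise RealmParseError if malformed."""
    try:
        data = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise RealmParseError(f"not a valid hex string: {exc}") from None
    r = _Reader(data)
    encoding = r.byte("NAI Realm Encoding")
    realm_len = r.byte("NAI Realm Length")
    realm = r.take(realm_len, "NAI Realm").decode("utf-8", errors="replace")
    methods = []
    for i in range(r.byte("EAP Method Count")):
        length = r.byte(f"EAP Method {i} Length")
        # The length byte covers everything after itself in this tuple.
        body = _Reader(r.take(length, f"EAP Method {i} tuple"))
        method = body.byte("EAP Method")
        params = []
        for _ in range(body.byte("Authentication Parameter Count")):
            pid = body.byte("parameter ID")
            plen = body.byte("parameter length")
            params.append((pid, body.take(plen, "parameter value")))
        if body.pos != length:
            raise RealmParseError(f"EAP Method {i}: {length - body.pos} unparsed byte(s)")
        methods.append({"method": method,
                        "name": EAP_METHODS.get(method, "unknown"),
                        "params": params})
    if r.pos != len(data):
        raise RealmParseError(f"{len(data) - r.pos} trailing byte(s) after the last tuple")
    return {"encoding": REALM_ENCODINGS.get(encoding, f"reserved({encoding})"),
            "realms": realm.split(";"),  # several realms may share one tuple
            "eap_methods": methods}


def build_realms_raw(realm, methods, encoding=0):
    """Inverse of parse_realms_raw; methods is [(eap_type, [(param_id, value_bytes)])]."""
    realm_bytes = realm.encode("utf-8")
    out = bytearray([encoding, len(realm_bytes)]) + realm_bytes
    out.append(len(methods))
    for method, params in methods:
        body = bytearray([method, len(params)])
        for pid, value in params:
            body += bytes([pid, len(value)]) + value
        out += bytes([len(body)]) + body
    return out.hex()


if __name__ == "__main__":
    for sample in ("00045465737401020d00", CONSTRUCTED_SAMPLE):
        print(sample, "->", parse_realms_raw(sample))
```

A value whose length bytes do not match its contents is rejected with a RealmParseError instead of being decoded partially.<br />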
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34565Manual:Interface/Wireless2022-08-23T09:36:16Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Wireless+Interface}}<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. Value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows the use of station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Extension channel settings (e.g. Ce, eC, etc.) enable additional 20MHz extension channels and define whether they are located below or above the control (main) channel. Extension channels allow 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency, based on the number of concurrent devices running on every frequency, and choose the “C” (control) channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running: an AP must have one or more clients registered to it, and a station must be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmissions on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory_domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Specifies a frequency offset for cases where the wireless card operates at a different frequency than is shown in RouterOS, e.g. when a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies the maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
* ''station-bridge'' - Provides support for transparent protocol-independent L2 bridging on the station device. RouterOS AP accepts clients in station-bridge mode when enabled using bridge-mode parameter. In this mode, the AP maintains a forwarding table with information on which MAC addresses are reachable over which station device. Only works with RouterOS APs. With station-bridge mode, it is not possible to connect to CAPsMAN-controlled CAP.<br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the highest priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully. The setting works on AP.<br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) type also supports range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports a step feature that makes it possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate the scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels, or to skip specifically the DFS CAC channels in the range 5600-5650MHz, where detection can take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signals strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2 nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2 nstreme 802.11'' - on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]]. Only applies to bands B and G. Other bands will have it enabled regardless of this setting.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
802.11 standard provides means to protect transmission against other device transmission by using RTS/CTS protocol. Frame protection helps to fight "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - device willing to send frame at first sends RequestToSend frame and waits for ClearToSend frame from intended destination. By "seeing" RTS or CTS frame 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves<br />
* "CTS to self" based protection - device willing to send frame sends CTS frame "to itself". As in RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive CTS sent by other station - in this case stations must use RTS/CTS so that other station knows not to transmit by seeing CTS transmitted by AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take<br />
a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distance links with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission (equal to the ''round trip time'' - the time in which a frame can be sent to and received from the client). This time is used to ensure that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period.<br />
<br />
For example, the distance between Access Point and client is 30km. Frame is sent in 100us one direction, respectively round-trip-time is ~200us. '''tdma-period-size''' default value is 2ms, it means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of time is unused. For 60km wireless link, round-trip-time is 400ms, unused time is 20% for default tdma-period-size 2ms, and 10% for 4ms. Bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
The default behaviour of the access list is to allow connection.<br />
<br />
Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.<br />
<br />
There are the following parameters for access list rules:<br />
* client matching parameters:<br />
** address - MAC address of client<br />
** interface - optional interface to compare with the interface to which client actually connects<br />
** time - time of day and days when rule matches<br />
** signal-range - range in which client signal must fit for rule to match<br />
** allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval<br />
* connection parameters:<br />
** ap-tx-limit - tx speed limit in direction to client<br />
** client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)<br />
** private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used<br />
** vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).<br />
** vlan-id - VLAN ID to use if doing VLAN tagging.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If the remote device is matched by a rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If there is no entry in ACL about client which connects to AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then ACL for this client is ignored during all connection time.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then the connection is matched to the ACL rule, but if signal drops to -70..-80, the client will not be disconnected.<br />
Please note that if "default-authentication=yes" is set on wireless interface, clients will be able to join even if there are no matching access-list entries.<br />
<br />
To make it work correctly it is required that client is matched by any of ACL rules.<br />
<br />
If we modify ACL rules in the previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55..0<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
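A small Python model of the rule evaluation described above, added here as an illustration (it is not RouterOS code and not part of the original manual). The function names, the constructed client MAC and the simplifications (no time matching, no interface lists) are assumptions.<br />

```python
from dataclasses import dataclass

ANY_MAC = "00:00:00:00:00:00"  # per the page, this value matches every client


@dataclass(frozen=True)
class Rule:
    """One access-list entry, limited to fields described on this page."""
    interface: str = "any"
    mac_address: str = ANY_MAC
    signal_range: tuple = (-120, 120)   # page default: -120..120
    authentication: bool = True
    disabled: bool = False

    def matches(self, interface, mac, signal):
        if self.disabled:                       # disabled rules are always ignored
            return False
        if self.interface != "any" and self.interface != interface:
            return False
        if self.mac_address != ANY_MAC and self.mac_address.lower() != mac.lower():
            return False
        low, high = self.signal_range
        return low <= signal <= high


def first_match(rules, interface, mac, signal):
    """Rules are checked sequentially; only the first matching rule applies."""
    for rule in rules:
        if rule.matches(interface, mac, signal):
            return rule
    return None


def admit(rules, interface, mac, signal, default_authentication=True):
    """Decision at association time (hypothetical helper)."""
    rule = first_match(rules, interface, mac, signal)
    if rule is None:
        # No matching rule: the interface's default-authentication decides.
        verdict = "accept" if default_authentication else "reject"
        return verdict + " (interface default)"
    return "accept" if rule.authentication else "reject"


def recheck(rules, interface, mac, signal, matched_at_connect=True):
    """Decision for an already connected client whose signal changed."""
    if not matched_at_connect:
        return "keep"        # page warning: ACL is ignored for this connection
    rule = first_match(rules, interface, mac, signal)
    if rule is None:
        return "keep"        # signal left the only accept range, nothing rejects it
    return "keep" if rule.authentication else "disconnect"


CLIENT = "02:00:00:00:00:01"  # constructed sample MAC address

# First rule set from the page: a single accept rule for -55..0.
ALLOW_ONLY = [Rule(interface="wlan2", signal_range=(-55, 0))]

# Second rule set from the page: accept -55..0, reject -120..-56.
ALLOW_AND_REJECT = [
    Rule(interface="wlan2", signal_range=(-55, 0)),
    Rule(interface="wlan2", signal_range=(-120, -56), authentication=False),
]

if __name__ == "__main__":
    print(admit(ALLOW_ONLY, "wlan2", CLIENT, -41))          # accept
    print(recheck(ALLOW_ONLY, "wlan2", CLIENT, -70))        # keep
    print(recheck(ALLOW_AND_REJECT, "wlan2", CLIENT, -56))  # disconnect
    print(admit(ALLOW_ONLY, "wlan2", CLIENT, -70))          # accept (interface default)
```

The last call shows why an accept-only signal rule does not enforce a signal floor while '''default-authentication'''=''yes'' is set: a weak client falls through to the interface default and is admitted.<br />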
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other stations that are connected to the same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface, and '''interface'''=''all'' refers to the [[Manual:Interface/List#Lists|interface-list]] named “all”. To make a rule that applies only to one wireless interface, specify that interface as the value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If signal strength of the station goes out of the range that is specified in the rule, access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end time is expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The align tool helps with aligning devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of the remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If SSID or exact wireless protocol is provided in the wireless interface configuration, Connect List SSIDs or wireless protocols not covered by wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if area value of AP begins with specified value. '''area''' value is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of [[#Security Profiles | security profile]] that is used when connecting to matching access points. If value of this property is ''none'', then security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create '''connect'''=''no'' rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
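The matching rules listed under Operation and the recipes in this Usage section can be checked offline with a small model. The following Python is an added example, not MikroTik code: the class and function names, the unlisted MAC 02:00:00:00:00:99 and the signal values are constructed, security-profile and wireless-protocol matching are left out, the interface '''ssid''' is assumed empty, and picking the strongest signal among access points matched by the same rule is an assumption.

```python
"""Illustrative model of connect-list evaluation in station mode."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"  # per the page: this value matches always


@dataclass
class AP:
    """One access point seen in a scan (constructed sample data)."""
    mac: str
    ssid: str
    signal: int


@dataclass
class Rule:
    """Subset of connect-list properties: interface, connect, mac-address,
    ssid, signal-range, disabled. Defaults follow the property table."""
    interface: str
    connect: bool = True
    mac_address: str = ANY_MAC
    ssid: str = ""                       # empty value matches any SSID
    signal_range: Tuple[int, int] = (-120, 120)
    disabled: bool = False

    def matches(self, interface: str, ap: AP) -> bool:
        # Disabled rules are always ignored; a rule applies to one interface.
        if self.disabled or self.interface != interface:
            return False
        if self.mac_address != ANY_MAC and self.mac_address.lower() != ap.mac.lower():
            return False
        if self.ssid and self.ssid != ap.ssid:
            return False
        low, high = self.signal_range
        return low <= ap.signal <= high


def first_match(rules: List[Rule], interface: str, ap: AP) -> Optional[int]:
    """Rules are checked sequentially; only the first matching rule applies."""
    for index, rule in enumerate(rules):
        if rule.matches(interface, ap):
            return index
    return None


def select_ap(rules: List[Rule], interface: str, scan: List[AP],
              default_authentication: bool) -> Optional[AP]:
    """Return the AP the station would try, or None if it would try none."""
    allowed = []    # (rule index, AP) for APs whose first match has connect=yes
    unmatched = []  # APs not matched by any rule
    for ap in scan:
        index = first_match(rules, interface, ap)
        if index is None:
            unmatched.append(ap)
        elif rules[index].connect:
            allowed.append((index, ap))
        # connect=no: connection with this AP is never attempted
    if allowed:
        top = min(index for index, _ in allowed)  # rule highest in the list wins
        # Assumption: strongest signal breaks ties within the same rule.
        return max((ap for index, ap in allowed if index == top),
                   key=lambda ap: ap.signal)
    if default_authentication and unmatched:
        # No connect=yes match: default-authentication=yes picks best signal.
        return max(unmatched, key=lambda ap: ap.signal)
    return None


IFACE = "station-wlan"
AP1 = AP("00:11:22:33:00:01", "corp", -70)
AP2 = AP("00:11:22:33:00:02", "corp", -60)
BLOCKED = AP("00:11:22:33:44:55", "corp", -30)
UNLISTED = AP("02:00:00:00:00:99", "corp", -40)  # constructed, in no rule

# "Restrict station connections only to specific access points"
ALLOW_RULES = [Rule(IFACE, mac_address=AP1.mac), Rule(IFACE, mac_address=AP2.mac)]
# "Disallow connections to specific access points"
DENY_RULES = [Rule(IFACE, connect=False, mac_address=BLOCKED.mac)]

if __name__ == "__main__":
    print(select_ap(ALLOW_RULES, IFACE, [AP1, AP2, UNLISTED], False))
    print(select_ap(ALLOW_RULES, IFACE, [UNLISTED], True))
    print(select_ap(DENY_RULES, IFACE, [BLOCKED, UNLISTED], True))
```

With only the unlisted access point in range, the allow rules alone do not stop the station from joining it; the result changes to no connection only once '''default-authentication''' is ''no'', which is why the first recipe sets it.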
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements in your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, you should set their mode to nstreme-dual-slave. When nstreme2 is used, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into one bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method how to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer,integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
AP measures this so that it can tell clients what offset to use for their transmissions - clients then subtract this offset from their target transmission time such that propagation delay is accounted for and transmission arrives at AP when expected. You may occasionally see small negative value (like few usecs) there for close range clients because of additional unaccounted delay that may be produced in transmitter or receiver hardware that varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows overriding the pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default="MikroTik"<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication. If set to an empty value, value of '''mschapv2-username''' is used instead.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc= For interfaces in station mode, determines policy for handling the TLS certificate of the RADIUS server. For interfaces in AP mode, determines policy for handling the TLS certificate of station and so only has effect when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange i.e. without using certificates on either end.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects how Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format in which the "called-id" identifier will be passed to RADIUS. When configuring radius server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in security-profile with the '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default).<br />
* '''allowed''' - use management protection if supported by the remote party (for AP - allow both clients with and without management protection; for client - connect to APs both with and without management protection).<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection; for client - connect only to APs that support management protection).<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
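<br />
The properties described in this section can be checked in bulk from the <code>print</code> output. The following audit script is an added example, not part of RouterOS or of the original manual; the function names, the finding codes and the sample output are constructed, and it assumes that multi-value properties are printed comma-separated.<br />

```python
import re

# Constructed sample of "/interface wireless security-profiles print" output.
# Assumption: multi-value properties are printed comma-separated.
SAMPLE_PRINT = """\
 0 name="default" mode=none authentication-types="" unicast-ciphers=""
   group-ciphers="" tls-mode=no-certificates
   management-protection=disabled management-protection-key=""

 1 name="legacy" mode=static-keys-optional static-algo-0=40bit-wep
   static-key-0="0123456789" static-transmit-key=key-0
   management-protection=disabled management-protection-key=""

 2 name="corp" mode=dynamic-keys authentication-types=wpa2-eap
   unicast-ciphers=tkip,aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls
   tls-mode=dont-verify-certificate tls-certificate=ap-cert disable-pmkid=no
   management-protection=allowed management-protection-key="constructed-key"

 3 name="hardened" mode=dynamic-keys authentication-types=wpa2-eap
   unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls
   tls-mode=verify-certificate tls-certificate=ap-cert disable-pmkid=yes
   management-protection=required management-protection-key="constructed-key"
"""

ENTRY_START = re.compile(r"^\s*\d+\s")
PAIR = re.compile(r'([A-Za-z0-9][\w.-]*)=("(?:[^"\\]|\\.)*"|\S*)')

# Defaults as documented in the property tables of this manual page.
DEFAULTS = {"mode": "none", "tls-mode": "no-certificates",
            "disable-pmkid": "no", "management-protection": "disabled"}


def parse_profiles(text):
    """Split print output into one property dict per numbered entry."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):      # console prompt ends the listing
            current = None
            continue
        if stripped.startswith(";;;"):    # comment line of an entry
            continue
        if ENTRY_START.match(line):
            current = []
            entries.append(current)
        if current is not None:
            current.append(line)
    profiles = []
    for lines in entries:
        props = dict(DEFAULTS)
        for key, value in PAIR.findall(" ".join(lines)):
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            props[key] = value
        profiles.append(props)
    return profiles


def split_set(value):
    return {item for item in value.split(",") if item}


def audit_profile(p):
    """Return (code, message) findings for one security profile."""
    findings = []
    mode = p["mode"]
    if mode == "none":
        findings.append(("no-encryption", "mode=none: encryption is not used"))
    elif mode in ("static-keys-required", "static-keys-optional"):
        findings.append(("wep", f"mode={mode}: WEP mode with static keys"))
        if mode == "static-keys-optional":
            findings.append(("cleartext-allowed",
                             "unencrypted frames are accepted and may be sent"))
    elif mode == "dynamic-keys":
        for key in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in split_set(p.get(key, "")):
                findings.append(("tkip", f"{key} includes tkip; networks free "
                                 "of WEP legacy should use only aes-ccm"))
        eap = split_set(p.get("authentication-types", "")) & {"wpa-eap", "wpa2-eap"}
        if eap and p["tls-mode"] in ("dont-verify-certificate", "no-certificates"):
            # Applies to stations, and to APs when eap-methods contains eap-tls.
            findings.append(("tls-not-verified",
                             f"tls-mode={p['tls-mode']}: peer certificate is not verified"))
        if p["disable-pmkid"] == "no":
            findings.append(("pmkid", "disable-pmkid=no: PMKID is included in "
                             "EAPOL frames (only has effect on Access Points)"))
    protection = p["management-protection"]
    if protection == "disabled":
        findings.append(("mgmt-protection-off", "management frames are not protected"))
    elif protection == "allowed":
        findings.append(("mgmt-protection-optional",
                         "peers without management protection are still accepted"))
    return findings


def audit(text):
    """Map profile name -> list of finding codes."""
    return {p.get("name", "?"): [code for code, _ in audit_profile(p)]
            for p in parse_profiles(text)}


if __name__ == "__main__":
    for profile in parse_profiles(SAMPLE_PRINT):
        for code, message in audit_profile(profile):
            print(f"{profile.get('name', '?')}: [{code}] {message}")
```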
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before the response from the RADIUS server is received. Access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
The access point uses the following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
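The attribute encodings listed above can be checked on the RADIUS server side. The following is an added example, not part of the original manual or of RouterOS: it parses Calling-Station-Id, Called-Station-Id and Acct-Multi-Session-Id, and groups accounting sessions that share one EAP authentication. All function names and sample values are constructed, and the cross-check assumes that the MAC addresses inside Acct-Multi-Session-Id equal those in the two station-id attributes.

```python
import re
from collections import defaultdict

_OCTET = re.compile(r"[0-9A-Fa-f]{2}")


def _octets(text, count, what):
    """Split 'XX-XX-...' into `count` upper-case hex octets or raise ValueError."""
    parts = text.split("-")
    if len(parts) != count or not all(_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"{what}: expected {count} hex octets separated by '-'")
    return [p.upper() for p in parts]


def parse_calling_station_id(value):
    """'XX-XX-XX-XX-XX-XX' -> client MAC in upper case."""
    return "-".join(_octets(value, 6, "Calling-Station-Id"))


def parse_called_station_id(value):
    """'XX-XX-XX-XX-XX-XX:SSID' -> (AP MAC, SSID).

    The MAC uses '-' separators, so the first ':' ends it and an SSID that
    itself contains ':' is preserved. A value without the MAC part (as sent
    with radius-called-format=ssid) is rejected here.
    """
    mac, sep, ssid = value.partition(":")
    if not sep:
        raise ValueError("Called-Station-Id: no ':' between MAC and SSID")
    return "-".join(_octets(mac, 6, "Called-Station-Id")), ssid


def parse_acct_multi_session_id(value):
    """20 octets -> (AP MAC, client MAC, shared 8-byte value as hex)."""
    o = _octets(value, 20, "Acct-Multi-Session-Id")
    return "-".join(o[:6]), "-".join(o[6:12]), "".join(o[12:])


def check_request(attrs):
    """Return a list of inconsistencies in one request (empty list = none)."""
    try:
        client = parse_calling_station_id(attrs["Calling-Station-Id"])
        ap, _ssid = parse_called_station_id(attrs["Called-Station-Id"])
        multi = attrs.get("Acct-Multi-Session-Id")
        if multi is None:          # only present with radius-eap-accounting=yes
            return []
        m_ap, m_client, _shared = parse_acct_multi_session_id(multi)
    except KeyError as exc:
        return [f"missing attribute {exc.args[0]}"]
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # Assumption of this example: both attributes carry the same MACs.
    if m_ap != ap:
        problems.append(f"AP MAC mismatch: {m_ap} vs {ap}")
    if m_client != client:
        problems.append(f"client MAC mismatch: {m_client} vs {client}")
    return problems


def group_sessions(records):
    """Map (AP MAC, client MAC, shared value) -> list of Acct-Session-Id."""
    groups = defaultdict(list)
    for rec in records:
        key = parse_acct_multi_session_id(rec["Acct-Multi-Session-Id"])
        groups[key].append(rec["Acct-Session-Id"])
    return dict(groups)


# Constructed sample data (not captured from a real device).
MULTI_1 = "00-0C-42-11-22-33-00-0C-42-AA-BB-01-01-02-03-04-05-06-07-08"
MULTI_2 = "00-0C-42-11-22-33-00-0C-42-AA-BB-02-11-12-13-14-15-16-17-18"
SAMPLE_REQUEST = {
    "Calling-Station-Id": "00-0c-42-aa-bb-01",
    "Called-Station-Id": "00-0C-42-11-22-33:Office:Guest",
    "Acct-Multi-Session-Id": MULTI_1,
}
SAMPLE_ACCOUNTING = [
    {"Acct-Session-Id": "s1", "Acct-Multi-Session-Id": MULTI_1},
    {"Acct-Session-Id": "s2", "Acct-Multi-Session-Id": MULTI_1},
    {"Acct-Session-Id": "s3", "Acct-Multi-Session-Id": MULTI_2},
]

if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST))
    for key, sessions in group_sessions(SAMPLE_ACCOUNTING).items():
        print(key, sessions)
```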
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different key lengths:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
The key must contain an even number of hexadecimal digits.<br />
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. The access point always checks the connect list before establishing a WDS link with another access point, and uses security settings from the matching connect list entry. A WDS link will work when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies a compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like a single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This allows making a repeater setup using only one hardware card. The configuration process is exactly the same as above, but with mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer allows capturing frames, including the Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process crc mismatch packets<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the APs available in the frequency range defined in the scan-list.<br />
While the scan command is running, normal interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep), background scan is supported, which can be used during wireless interface operation without disconnecting the wireless link. Background scan is supported only with the 802.11 wireless protocol.<br />
<br />
The scan tool keeps scanning for APs until the user stops the scan process. The 'rounds' setting makes the scan tool go through the scan-list entries a specific number of times, which is useful when running the scan tool from scripts. Example of a scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows running scripted/scheduled scans and saving the results to a file for future analysis. Together with the rounds setting, this feature also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to a file, exits the scan and reconnects the wireless link. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
The background scan feature works under the following conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
Scan command is supported also on the Virtual wireless interfaces with such limitations:<br />
* It is possible when virtual interface and its master is fixed on channel (master AP is running or master station is connected to AP).<br />
* Scan is only performed in channel master interface is on.<br />
* It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing the physical button on the board (a few boards have such a button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing "WPS Accept" button from the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on a few boards that have a physical WPS button marked, for example hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
WPS Client function allows the wireless client to get the Pre-Shared Key configuration of the AP that has WPS Server enabled.<br />
WPS Client can be enabled with the following command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates a wireless security profile with the specified name, configures it with the security details received from the WPS AP, and sets the wireless interface to use the newly created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
The wireless repeater receives the signal from the AP and repeats it locally on the same physical interface so that other clients can connect. This extends the wireless service for the wireless clients.<br />
The wireless repeater function configures the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, creates a virtual AP interface, creates a bridge interface and adds both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
The Station Roaming feature is available only for the 802.11 wireless protocol and only for station modes.<br />
When a RouterOS wireless client is connected to the AP using the 802.11 wireless protocol, it periodically performs a background scan at specific time intervals. When the background scan finds an AP with a better signal, the client tries to roam to that AP. The interval between background scans becomes shorter as the wireless signal gets worse and longer as the wireless client signal gets better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic on the Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag, and only data with this tag is sent out over wireless. This works for all wireless protocols, except that on Nv2 there is no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP does not use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of <br />
access-list and RADIUS attributes (for both - regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27 we have added the following feature:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
* NAI Realm Encoding (1 byte)<br />
* NAI Realm Length (1 byte)<br />
* NAI Realm (variable)<br />
* EAP Method Count (1 byte)<br />
* EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
* NAI Realm Encoding: 0 (rfc4282)<br />
* NAI Realm Length: 4<br />
* NAI Realm: Test<br />
* EAP Method Count: 1<br />
* EAP Method Length: 2<br />
* EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
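The decoding walked through above, generalized into a parser and encoder for '''realms-raw''' strings. This is an added example, not RouterOS code: the function and class names are hypothetical, and the layout of authentication parameters inside an EAP Method Tuple (ID, length, value) is taken from 802.11-2016 section 9.4.5.10 rather than from this page.

```python
from dataclasses import dataclass, field

# IANA EAP method type numbers; only a few common ones are named here.
EAP_NAMES = {13: "eap-tls", 21: "eap-ttls", 25: "eap-peap"}


class RealmError(ValueError):
    """Raised when a realms-raw string is malformed."""


@dataclass
class EapMethod:
    method: int
    auth_params: list = field(default_factory=list)  # [(param_id, value_bytes)]

    @property
    def name(self):
        return EAP_NAMES.get(self.method, f"eap-type-{self.method}")


@dataclass
class RealmTuple:
    encoding: int   # 0 = RFC 4282, 1 = UTF-8
    realm: str
    methods: list


def _take(buf, pos, n, what):
    """Return (n bytes starting at pos, new pos) or fail naming the field."""
    if pos + n > len(buf):
        raise RealmError(f"truncated {what} at offset {pos}")
    return buf[pos:pos + n], pos + n


def _parse_method(body, index):
    """Decode one EAP Method Tuple body (everything after its length byte)."""
    (method,), pos = _take(body, 0, 1, f"EAP Method {index} type")
    (nparams,), pos = _take(body, pos, 1, f"EAP Method {index} parameter count")
    params = []
    for _ in range(nparams):
        (pid,), pos = _take(body, pos, 1, "authentication parameter ID")
        (plen,), pos = _take(body, pos, 1, "authentication parameter length")
        value, pos = _take(body, pos, plen, "authentication parameter value")
        params.append((pid, value))
    if pos != len(body):
        raise RealmError(f"EAP Method {index}: length covers unused bytes")
    return EapMethod(method, params)


def parse_realms_raw(hex_string):
    """Decode one realms-raw entry into a RealmTuple, rejecting bad lengths."""
    try:
        buf = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise RealmError(f"invalid hex: {exc}") from None
    (encoding,), pos = _take(buf, 0, 1, "NAI Realm Encoding")
    (realm_len,), pos = _take(buf, pos, 1, "NAI Realm Length")
    raw_realm, pos = _take(buf, pos, realm_len, "NAI Realm")
    try:
        realm = raw_realm.decode("utf-8" if encoding & 1 else "ascii")
    except UnicodeDecodeError as exc:
        raise RealmError(f"realm does not match its encoding: {exc}") from None
    (count,), pos = _take(buf, pos, 1, "EAP Method Count")
    methods = []
    for i in range(count):
        (mlen,), pos = _take(buf, pos, 1, f"EAP Method {i} length")
        body, pos = _take(buf, pos, mlen, f"EAP Method {i} tuple")
        methods.append(_parse_method(body, i))
    if pos != len(buf):
        raise RealmError(f"{len(buf) - pos} trailing byte(s) after last EAP method")
    return RealmTuple(encoding, realm, methods)


def build_realms_raw(realm, methods, encoding=0):
    """Encode a realm and its EAP methods as a lower-case hex string."""
    raw_realm = realm.encode("utf-8" if encoding & 1 else "ascii")
    out = bytearray([encoding, len(raw_realm)]) + raw_realm
    out.append(len(methods))
    for m in methods:
        body = bytearray([m.method, len(m.auth_params)])
        for pid, value in m.auth_params:
            body += bytes([pid, len(value)]) + value
        out.append(len(body))
        out += body
    return out.hex()


if __name__ == "__main__":
    t = parse_realms_raw("00045465737401020d00")   # value from the text above
    print(t.encoding, t.realm, [m.name for m in t.methods])
    print(build_realms_raw("Test", [EapMethod(13)]))
```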
<br />
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>
Guntis
https://wiki.mikrotik.com/index.php?title=Manual:IP/DNS&diff=34564
Manual:IP/DNS
2022-08-16T10:26:24Z
<p>Guntis: </p>
<hr />
<div>{{Versions|v4.6}}<br />
<br />
DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time. This is a simple DNS cache with local items.<br />
<br />
==Specifications==<br />
<br />
*Packages required: system<br />
*License required: Level1<br />
*Submenu level: /ip dns<br />
*Standards and Technologies: DNS<br />
*Hardware usage: Not significant<br />
<br />
==Description==<br />
<br />
A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-compliant client. Moreover, MikroTik router can be specified as a primary DNS server under its dhcp-server settings. When the remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53.<br />
<br />
==DNS Cache Setup==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ip dns</code></p><br />
<br />
DNS facility is used to provide domain name resolution for router itself as well as for the clients connected to it.<br />
<br />
====Properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-remote-requests<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Specifies whether to allow network requests<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=cache-max-ttl<br />
|type=time<br />
|default=1w<br />
|desc=Maximum time-to-live for cache records. In other words, cache records will expire unconditionally after cache-max-ttl time. Shorter TTL received from DNS servers are respected.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=cache-size<br />
|type=integer[64..4294967295]<br />
|default=2048<br />
|desc=Specifies the size of DNS cache in KiB<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-concurrent-queries<br />
|type=integer<br />
|default=100<br />
|desc=Specifies how many concurrent queries are allowed<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-concurrent-tcp-sessions<br />
|type=integer<br />
|default=20<br />
|desc=Specifies how many concurrent TCP sessions are allowed<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-udp-packet-size<br />
|type=integer [50..65507]<br />
|default=4096<br />
|desc=Maximum size of allowed UDP packet.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-server-timeout<br />
|type=time<br />
|default=2s<br />
|desc=Specifies how long to wait for query response from one server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-total-timeout<br />
|type=time<br />
|default=10s<br />
|desc=Specifies how long to wait for query response in total. Note that this setting must be configured taking into account <var>query-server-timeout</var> and the number of DNS servers used.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=servers<br />
|type=list of IPv4/IPv6 addresses<br />
|default=<br />
|desc=List of DNS server IPv4/IPv6 addresses <br />
}}<br />
<br />
Read-only Properties<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=cache-used<br />
|type=integer<br />
|desc=Shows the currently used cache size in KiB<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=dynamic-server<br />
|type=IPv4/IPv6 list<br />
|desc=List of dynamically added DNS servers from different services, for example, DHCP.<br />
}}<br />
<br />
<br />
<br><br />
<br />
When both static and dynamic servers are set, static server entries are preferred; however, this does not mean that a static server will always be used (for example, if a query was previously resolved through a dynamic server and a static server was added later, the dynamic entry will be preferred).<br />
<br />
{{Note| If '''''allow-remote-requests''''' is used, make sure that you limit access to your server over the TCP and UDP protocols (port 53).}}<br />
<br />
====Example====<br />
<br />
To set 159.148.60.2 as the primary DNS server and allow the router to be used as a DNS server, do the following:<br />
<pre><br />
[admin@MikroTik] ip dns> set servers=159.148.60.2 \<br />
\... allow-remote-requests=yes<br />
[admin@MikroTik] ip dns> print<br />
servers: 159.148.60.2<br />
allow-remote-requests: yes<br />
cache-size: 2048KiB<br />
cache-max-ttl: 1w<br />
cache-used: 7KiB<br />
[admin@MikroTik] ip dns><br />
</pre><br />
<br />
==Cache Monitoring==<br />
<br />
* Submenu level: '''/ip dns cache'''<br />
<br />
====Description====<br />
<br />
This menu provides a list with all address (DNS type "A") records stored on the server<br />
<br />
====Property Description====<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''address''' (read-only: IP address)<br />
|style="border-bottom:1px solid gray;" valign="top"|IP address of the host<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''name''' (read-only: name)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS name of the host<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''ttl''' (read-only: time)<br />
|style="border-bottom:1px solid gray;" valign="top"|remaining time-to-live for the record<br />
|}<br />
<br />
==All DNS Entries==<br />
<br />
* Submenu level: '''/ip dns cache all'''<br />
<br />
===Description===<br />
<br />
This menu provides a complete list with all DNS records stored on the server<br />
<br />
===Property Description===<br />
<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''data''' (read-only: text)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS data field. IP address for type "A" records. Other record types may have different contents of the data field (like hostname or arbitrary text)<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''name''' (read-only: name)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS name of the host<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''ttl''' (read-only: time)<br />
|style="border-bottom:1px solid gray;" valign="top"|remaining time-to-live for the record<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''type''' (read-only: text)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS record type<br />
|}<br />
<br />
== Static DNS Entries == <br />
<br />
* Submenu level: '''/ip dns static'''<br />
<br />
===Description===<br />
<br />
MikroTik RouterOS has an embedded DNS server feature in the DNS cache. It allows you to link particular domain names with their respective IP addresses and advertise these links to the DNS clients that use the router as their DNS server. This feature can also be used to provide fake DNS information to your network clients, for example, resolving any DNS request for a certain set of domains (or for the whole Internet) to your own page.<br />
<br />
The server is capable of resolving DNS requests based on POSIX basic regular expressions, so that multiple requests can be matched with the same entry. If an entry does not conform to DNS naming standards, it is considered a regular expression and marked with the ‘R’ flag. The list is ordered and is checked from top to bottom. Regular expressions are checked first, then the plain records.<br />
<br />
===Property Description===<br />
<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''address''' (IP address)<br />
|style="border-bottom:1px solid gray;" valign="top"|IP address to resolve domain name with<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''name''' (text)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS name to be resolved to a given IP address.<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''regex''' (text)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS regex<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''ttl''' (time)<br />
|style="border-bottom:1px solid gray;" valign="top"|time-to-live of the DNS record<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''type''' (text)<br />
|style="border-bottom:1px solid gray;" valign="top"|type of the DNS record. Available values are: A, AAAA, CNAME, FWD, MX, NS, NXDOMAIN, SRV, TXT<br />
|}<br />
<br />
===Notes===<br />
<br />
Reverse DNS lookup (Address to Name) of the regular expression entries is not possible. You can, however, add an additional plain record with the same IP address and specify some name for it.<br />
<br />
Remember that the meaning of a dot (.) in regular expressions is any character, so the expression should be escaped properly. For example, if you need to match anything within example.com domain but not all the domains that just end with ''example.com'', like ''www.another-example.com'', use ''regexp=".*\\.example\\.com\$"''<br />
<br />
Regular expression matching is significantly slower than matching of plain entries, so it is advised to minimize the number of regular expression rules and optimize the expressions themselves.<br />
<br />
===Example===<br />
<br />
To add a static DNS entry for www.example.com to be resolved to 10.0.0.1 IP address:<br />
<br />
<pre><br />
[admin@MikroTik] ip dns static> add name=www.example.com address=10.0.0.1<br />
[admin@MikroTik] ip dns static> print<br />
Flags: D - dynamic, X - disabled, R - regexp<br />
# NAME ADDRESS TTL<br />
0 www.example.com 10.0.0.1 1d<br />
[admin@MikroTik] ip dns static><br />
<br />
</pre><br />
<br />
It is also possible to forward specific DNS requests to a different server using the <var>FWD</var> type. This will forward all subdomains of "example.com" to server 10.0.0.1:<br />
<br />
<pre><br />
[admin@MikroTik] ip dns static> add regexp=".*\\.example\\.com\$" type=FWD forward-to=10.0.0.1<br />
</pre><br />
<br />
{{Note| '''''regexp''''' entries are case sensitive, but since DNS requests are not case sensitive, RouterOS converts DNS names to lowercase. You should therefore write regex only with lowercase letters.}}<br />
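<br />
The escaping, ordering and lowercase rules described in this section can be checked offline before an entry is added. The following is an added example, not part of the original manual and not MikroTik code: it models the lookup with <code>grep</code>, whose default syntax is also POSIX basic regular expressions. The table format, the function names (<code>resolve</code>, <code>has_unescaped_dot</code>, <code>has_uppercase</code>, <code>audit</code>) and all addresses are assumptions made for the illustration.<br />

```shell
#!/bin/sh
# Added illustration: a model of the static-entry lookup described above.
# Assumption: grep's POSIX BRE matcher stands in for the router's matcher.
# Table lines are "kind|pattern|address": R = regexp entry, P = plain name.
# Patterns are stored as the regex itself, i.e. after console unescaping
# (console text ".*\\.example\\.com\$" is the regex .*\.example\.com$ ).
# All names and addresses below are constructed sample data.

TABLE_LOOSE='P|www.example.com|10.0.0.1
R|.*.example.com$|10.0.0.2'

TABLE_STRICT='P|www.example.com|10.0.0.1
R|.*\.example\.com$|10.0.0.2'

TABLE_UPPER='R|.*\.Example\.com$|10.0.0.3'

# resolve TABLE NAME: print the address of the first matching entry.
# The queried name is lowercased first, regexp entries are tried before
# plain ones, and each group is scanned from top to bottom.
resolve() {
    table=$1
    name=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for kind in R P; do
        hit=$(printf '%s\n' "$table" | while IFS='|' read -r k pat addr; do
            [ "$k" = "$kind" ] || continue
            if [ "$k" = R ]; then
                printf '%s\n' "$name" | grep -q -- "$pat" || continue
            else
                [ "$name" = "$pat" ] || continue
            fi
            printf '%s\n' "$addr"
            break
        done) || true
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    printf 'no-static-match\n'
}

# has_unescaped_dot PATTERN: true if a "." remains after removing the
# escaped form "\." and the wildcard form ".*" (bracket expressions are
# not analysed in this simplified check).
has_unescaped_dot() {
    stripped=$(printf '%s' "$1" | sed -e 's/\\\.//g' -e 's/\.\*//g')
    case $stripped in
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_uppercase PATTERN: true if the pattern contains an uppercase
# letter, which can never match a lowercased query name.
has_uppercase() {
    [ "$1" != "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]
}

# audit TABLE: print one finding per risky regexp entry.
audit() {
    printf '%s\n' "$1" | while IFS='|' read -r k pat addr; do
        [ "$k" = R ] || continue
        if has_unescaped_dot "$pat"; then
            printf 'unescaped-dot %s\n' "$pat"
        fi
        if has_uppercase "$pat"; then
            printf 'uppercase %s\n' "$pat"
        fi
    done
}

# Compare the unescaped and escaped patterns on the same query names.
for q in www.example.com www.another-example.com example.com; do
    printf '%-26s loose=%-16s strict=%s\n' "$q" \
        "$(resolve "$TABLE_LOOSE" "$q")" "$(resolve "$TABLE_STRICT" "$q")"
done
audit "$TABLE_LOOSE"
audit "$TABLE_UPPER"
```

With the unescaped pattern, www.another-example.com is answered with the static address, while the escaped pattern lets it fall through to normal resolution. In both tables www.example.com is answered by the regexp entry rather than the plain one, because regexp entries are checked first.<br />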
<br />
==Flushing DNS cache==<br />
<br />
* Command name: '''/ip dns cache flush'''<br />
<br />
===Command Description===<br />
<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Command<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''flush'''<br />
|style="border-bottom:1px solid gray;" valign="top"|clears internal DNS cache<br />
|}<br />
<br />
===Example===<br />
<br />
<pre><br />
[admin@MikroTik] ip dns> cache flush<br />
[admin@MikroTik] ip dns> print<br />
servers: 159.148.60.2<br />
allow-remote-requests: yes<br />
cache-size: 2048 KiB<br />
cache-max-ttl: 1w<br />
cache-used: 10 KiB<br />
[admin@MikroTik] ip dns><br />
</pre><br />
<br />
<br />
==DNS over HTTPS==<br />
<br />
Starting from RouterOS version v6.47 it is possible to use DNS over HTTPS (DoH). DoH uses the HTTPS protocol to send and receive DNS requests for better data integrity. Its main goal is to provide privacy by eliminating man-in-the-middle (MITM) attacks. Currently DoH is not compatible with FWD type static entries; in order to utilize FWD entries, DoH must not be configured.<br />
<br />
===Example===<br />
<br />
It is advised to import the root CA certificate of the DoH server you have chosen to use for increased security.<br />
<br />
{{Warning | We strongly suggest not to use third-party download links for certificate fetching. Use the Certificate Authority's own website.}}<br />
<br />
There are various ways to find out which root CA certificate is necessary. The easiest way is to use your web browser, navigate to the DoH site and check the website's security. Using Firefox we can see that DigiCert Global Root CA is used by the CloudFlare DoH server. You can download the certificate straight from the browser or navigate to the DigiCert website and fetch the certificate from a trusted source.<br />
<br />
[[file:Rootca.PNG]]<br />
<br />
Download the certificate and import it:<br />
<br />
<pre><br />
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"<br />
/certificate import file-name=DigiCertGlobalRootCA.crt.pem<br />
</pre><br />
<br />
Configure the DoH server:<br />
<br />
<pre><br />
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes<br />
</pre><br />
<br />
Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamic or static DNS server configured, you can configure a static DNS entry like this:<br />
<br />
<pre><br />
/ip dns static<br />
add address=1.1.1.1 name=cloudflare-dns.com<br />
</pre><br />
{{Note| RouterOS prioritizes DoH over the DNS server if both are configured on the device. }}<br />
<br />
==See Also==<br />
<br />
* https://en.wikibooks.org/wiki/Regular_Expressions/POSIX_Basic_Regular_Expressions<br />
* http://www.freesoft.org/CIE/Course/Section2/3.htm<br />
* http://www.networksorcery.com/enp/protocol/dns.htm<br />
* [http://www.ietf.org/rfc/rfc1035.txt?number=1035 RFC1035]<br />
<br />
[[Category:Manual|D]]<br />
[[Category:IP|D]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Tools/Netwatch&diff=34553Manual:Tools/Netwatch2022-06-16T13:08:45Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Netwatch}}<br />
<br />
==Summary==<br />
<br />
Netwatch monitors the state of hosts on the network. It does so by sending ICMP pings to the list of specified IP addresses. For each entry in the netwatch table you can specify an IP address, ping interval and console scripts. The main advantage of netwatch is its ability to issue arbitrary console commands on host state changes.<br />
<br />
{{Warning | Netwatch executes scripts as *sys user, so any defined global variable in netwatch script will not be readable by scheduler or other users }}<br />
<br />
==Properties==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/tool netwatch</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=down-script<br />
|type=string<br />
|default=<br />
|desc=Console script that is executed once when state of a host changes to '''down'''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=host<br />
|type=IP<br />
|default=0.0.0.0<br />
|desc=IP address of the host that should be monitored<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interval<br />
|type=time<br />
|default=1m<br />
|desc=Time interval between pings. Lowering this will make state changes more responsive, but can create unnecessary traffic and consume system resources.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=timeout<br />
|type=time<br />
|default=1s<br />
|desc=Timeout in seconds after which host is considered down<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=up-script<br />
|type=string<br />
|default=<br />
|desc=Console script that is executed once when state of a host changes to '''up'''<br />
}}<br />
<br /><br />
<br />
{{ Warning | Since RouterOS v6.42 Netwatch is limited to <code>read,write,test,reboot</code> script policies. If the owner of the script does not have enough permissions to execute a certain command in the script, then the script will not be executed. If the script has greater policies than <code>read,write,test,reboot</code>, then the script will not be executed either. Make sure your scripts do not exceed the mentioned policies. }}<br />
<br />
{{ Note | It is possible to disable permission checking for RouterOS scripts under the <code>/system script</code> menu. This is useful when Netwatch does not have enough permissions to execute a script, though this decreases overall security. It is recommended to assign proper permissions to a script instead. }}<br />
<br />
==Status==<br />
<br />
Command <code>/tool netwatch print</code> will show current status of netwatch and <b>read-only</b> properties listed in table below:<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=since<br />
|type=time<br />
|desc=Indicates when state of the host changed last time<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=status<br />
|type=up {{!}} down {{!}} unknown<br />
|desc=Shows the current status of the host<br />
}}<br />
<br />
==Basic examples==<br />
<br />
This example will run the scripts gw_1 or gw_2 which change the default gateway depending on the status of one of the gateways:<br />
<pre><br />
[admin@MikroTik] system script> add name=gw_1 source={/ip route set<br />
{... [/ip route find dst 0.0.0.0] gateway 10.0.0.1}<br />
[admin@MikroTik] system script> add name=gw_2 source={/ip route set <br />
{.. [/ip route find dst 0.0.0.0] gateway 10.0.0.217}<br />
[admin@MikroTik] system script> /tool netwatch<br />
[admin@MikroTik] tool netwatch> add host=10.0.0.217 interval=10s timeout=998ms \<br />
\... up-script=gw_2 down-script=gw_1<br />
[admin@MikroTik] tool netwatch> print<br />
Flags: X - disabled<br />
# HOST TIMEOUT INTERVAL STATUS<br />
0 10.0.0.217 997ms 10s up<br />
[admin@MikroTik] tool netwatch> print detail<br />
Flags: X - disabled<br />
0 host=10.0.0.217 timeout=997ms interval=10s since=feb/27/2003 14:01:03<br />
status=up up-script=gw_2 down-script=gw_1<br />
<br />
[admin@MikroTik] tool netwatch><br />
</pre><br />
<br />
<br />
Without scripts, netwatch can be used just as an information tool to see which links are up, or which specific hosts are running at the moment.<br />
<br />
Let's look at the example above: it changes the default route if the gateway becomes unreachable. How is it done? There are two scripts. The script "gw_2" is executed once when the status of the host changes to up. In our case, it's equivalent to entering this console command:<br />
<pre><br />
[admin@MikroTik] > /ip route set [find dst-address="0.0.0.0/0"] gateway=10.0.0.217<br />
</pre><br />
The '''find''' command returns a list of all routes whose dst-address value is 0.0.0.0/0. Usually, that is the default route. It is substituted as the first argument to the /ip route set command, which changes the gateway of this route to 10.0.0.217.<br />
<br />
<br />
The script "gw_1" is executed once when status of host becomes down. It does the following:<br />
<pre><br />
[admin@MikroTik] > /ip route set [find dst-address="0.0.0.0/0"] gateway=10.0.0.1<br />
</pre><br />
It changes the default gateway if 10.0.0.217 address has become unreachable.<br />
<br />
Here is another example, that sends e-mail notification whenever the 10.0.0.215 host goes down:<br />
<pre><br />
[admin@MikroTik] system script> add name=e-down source={/tool e-mail send<br />
{... from="support@mt.lv" server="159.148.147.198" body="Router down"<br />
{... subject="Router at second floor is down" to="user@example.com"}<br />
[admin@MikroTik] system script> add name=e-up source={/tool e-mail send<br />
{... from="support@mt.lv" server="159.148.147.198" body="Router up"<br />
{.. subject="Router at second floor is up" to="user@example.com"}<br />
[admin@MikroTik] system script><br />
[admin@MikroTik] system script> /tool netwatch<br />
[admin@MikroTik] system netwatch> add host=10.0.0.215 timeout=999ms \<br />
\... interval=20s up-script=e-up down-script=e-down<br />
[admin@MikroTik] tool netwatch> print detail<br />
Flags: X - disabled<br />
0 host=10.0.0.215 timeout=998ms interval=20s since=feb/27/2003 14:15:36<br />
status=up up-script=e-up down-script=e-down<br />
<br />
[admin@MikroTik] tool netwatch><br />
</pre><br />
<br />
<br />
{{cont}}<br />
<br />
[[Category:Manual|N]]<br />
[[Category:Tools|N]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Quickset&diff=34546Manual:Quickset2022-05-23T07:19:38Z<p>Guntis: </p>
<hr />
<div>{{Versions|v5.15+}}<br />
__TOC__ <br />
<br />
==Summary==<br />
<br />
'''Quickset''' is a simple configuration wizard page that prepares your router in a few clicks. It is the first screen a user sees, when opening the default IP address 192.168.88.1 in a web browser. <br />
<br />
[[File:Quickset639.png|thumb]]<br />
<br />
Quickset is available for all devices that have some sort of default configuration from factory. Devices that do not have configuration must be configured by hand. <br />
The most popular and recommended mode is the HomeAP (or HomeAP dual, depending on the device). This Quickset mode provides the simplest of terminology and the most common options for the home user. <br />
<br />
== Modes == <br />
<br />
Depending on the router model, different Quickset modes might be available from the Quickset dropdown menu: <br />
<br />
* '''CAP''': Controlled Access Point, an AP device, that will be managed by a centralised CAPsMAN server. Only use if you have already set up a CAPsMAN server.<br />
* '''CPE''': Client device, which will connect to an Access Point (AP) device. Provides option to scan for AP devices in your area. <br />
* '''HomeAP''': The default Access Point config page for most home users. Provides fewer options and simplified terminology. <br />
* '''HomeAP dual''': Dual band devices (2GHz/5GHz). The default Access Point config page for most home users. Provides fewer options and simplified terminology. <br />
* '''Home Mesh''': Made for making bigger WiFi networks. Enables the CAPsMAN server in the router, and places the local WiFi interfaces under CAPsMAN control. Just boot other MikroTik WiFi APs with the reset button pressed, and they will join this HomeMesh network (see their Quick guide for details)<br />
* '''PTP Bridge AP''': When you need to transparently interconnect two remote locations together in the same network, set one device to this mode, and the other device to the next (PTP Bridge CPE) mode. <br />
* '''PTP Bridge CPE''': When you need to transparently interconnect two remote locations together in the same network, set one device to this mode, and the other device to the previous (PTP Bridge AP) mode. <br />
* '''WISP AP''': Similar to the HomeAP mode, but provides more advanced options and uses industry standard terminology, like SSID and WPA. <br />
<br />
== HomeAP == <br />
<br />
This is the mode you should use if you would like to quickly configure a home access point. <br />
<br />
=== Wireless ===<br />
<br />
* '''Network Name''': How will your smartphone see your network? Set any name you like here. In HomeAP dual, you can set the 2GHz (legacy) and 5GHz (modern) networks to the same, or different names (see FAQ). Use any name you like, in any format. <br />
* '''Frequency''': Normally you can leave "Auto", in this way, the router will scan the environment, and select the least occupied frequency channel (it will do this once). Use a custom selection if you need to experiment. <br />
* '''Band''': Normally leave this to defaults (2GHz b/g/n and 5GHz A/N/AC). <br />
* '''Use Access List (ACL)''': Enable this if you would like to restrict who can connect to your AP, based on the user's MAC (hardware) address. To use this option, first you need to allow these clients to connect, and then use the "Copy to ACL" button below. This will copy the selected client to the access list. After you have built an Access list (ACL), you can enable this option to forbid anyone else from attempting connections to your device. Normally you can leave this alone, as the Wireless password already provides the needed restrictions. <br />
* '''WiFi Password''': The most important option here. Sets a secure password that also encrypts your wireless communications. <br />
* '''WPS accept''': Use this button to grant access to a specific device that supports the WPS connection mode. Useful for printers and other peripherals where typing a password is difficult. First start WPS mode in your client device, then click the WPS button here once to allow said device. The button works for a few seconds and operates on a per-client basis. <br />
* '''Guest network''': Useful for house guests who don't need to know your main WiFi password. Set a separate password for them in this option. Important! Guest users will not be able to access other devices in your LAN and other guest devices. This mode enables Bridge filters to prevent this. <br />
* '''Wireless clients''': This table shows the currently connected client devices (their MAC address, if they are in your Access List, their last used IP address, how long are they connected, their signal level in dBm and in a bar graph).<br />
<br />
=== Internet === <br />
<br />
* '''Port''': Select which port is connected to the ISP (internet) modem. Usually Eth1. <br />
* '''Address Acquisition''': Select how the ISP is giving you the IP address. Ask your service provider about this and the other options (IP address, Netmask, Gateway).<br />
* '''MAC address''': Normally should not be changed, unless your ISP has locked you to a specific MAC address and you have changed the router to a new one. <br />
* '''Firewall router''': This enables secure firewall for your router and your network. Always make sure this box is selected, so that no access is possible to your devices from the internet port. <br />
* '''MAC server / MAC Winbox''': Allows connection with the [http://mt.lv/winbox Winbox utility] from the LAN port side in MAC address mode. Useful for debugging and recovery, when IP mode is not available. Advanced use only. <br />
* '''Discovery''': Allows the device to be identified by model name from other RouterOS devices. <br />
<br />
=== Local Network ===<br />
<br />
* '''IP address''': Mostly can stay at the default 192.168.88.1 unless your router is behind another router. To avoid an IP conflict, change to 192.168.89.1 or similar.<br />
* '''Netmask''': In most situations can leave 255.255.255.0 <br />
* '''Bridge all LAN ports''': Allows your devices to communicate to each other, even if, say, your TV is connected via ethernet LAN cable, but your PC is connected via WiFi. <br />
* '''DHCP server''': Normally, you would want automatic IP address configuration in your home network, so leave the DHCP settings ON and on their defaults. <br />
* '''NAT''': Turn this off ONLY if your ISP has provided a public IP address for both the router and also the local network. If not, leave NAT on. <br />
* '''UPnP''': This option enables automatic port forwarding ("opening ports to the local network" as some call it) for supported programs and devices, like your NAS disks and peer-to-peer utilities. Use with care, as this option can sometimes expose internal devices to the internet without your knowledge. Enable only if specifically needed. <br />
<br />
=== VPN === <br />
<br />
If you want to access your local network (and your router) from the internet, use a secure VPN tunnel. This option gives you a domain name where to connect to, and enables PPTP and L2TP/IPsec (the second one is recommended). The username is 'vpn' and you can specify your own password. All you need to do is enable it here, and then provide the address, username and password in your laptop or phone, and when connected to the VPN, you will have a securely encrypted connection to your home network. Also useful when travelling - you will be able to browse the internet through a secure line, as if connecting from your home. This also helps to avoid geographical restrictions that are set up in some countries. <br />
<br />
=== System ===<br />
<br />
* '''Check for updates''': Always make sure your device is up to date with this button. Checks if an updated RouterOS release is available, and installs it. <br />
* '''Password''': Sets the password for the device config page itself. Make sure nobody can access your router config page and change the settings.<br />
<br />
==F.A.Q==<br />
; How is Quickset different from the Webfig tab, where a whole bunch of new menus appear? <br />
: If you need more options, do not use any Quickset settings at all, click on "Webfig" to open the advanced configuration interface. The full functionality is unlocked. <br />
; Can I use Quickset and Webfig together? <br />
: While settings that are not conflicting can be configured this way, it is not recommended to mix up these menus. If you are going to use Quickset, use only Quickset and vice versa. <br />
; What is the difference between Router and Bridge mode?<br />
: Bridge mode adds all interfaces to the bridge allowing to forward Layer2 packets (acts as a hub/switch).<br />
: In Router mode packets are forwarded in Layer3 by using IP addresses and IP routes (acts as a router). <br />
; In HomeAP mode, should the 2GHz and 5GHz network names be the same, or different? <br />
: If you prefer that all your client devices, like TV, phones, game consoles, would automatically select the best preferred network, set the names identically. If you would like to force a client device to use the faster 5GHz 802.11ac connection, set the names unique. <br />
; Can I create an AP without security settings - no password or connect to such AP while using QuickSet?<br />
: QuickSet uses WPA2 pre-shared key by default. It means that the minimal password length is 8 symbols and the device can only connect to WPA2 secured AP or serve as AP itself. For configurations with no security settings, you need to configure them manually using WinBox, Webfig, or console.<br />
<br />
[[Category:Webfig]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Bridge&diff=34544Manual:Interface/Bridge2022-05-19T08:57:07Z<p>Guntis: </p>
<hr />
<div>{{Versions| v3, v4+}}<br />
<br />
{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching}}<br />
<br />
=Summary=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code><br />
<br /><br />
<b>Standards:</b> <code>[https://en.wikipedia.org/wiki/IEEE_802.1D IEEE 802.1D] , [https://en.wikipedia.org/wiki/IEEE_802.1Q IEEE 802.1Q]</code><br />
</p><br />
<br /><br />
<br />
<p><br />
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE 802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).<br />
</p><br />
<br />
<p><br />
Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allow bridges to communicate with each other, so they can negotiate a loop-free topology. All other alternative connections that would otherwise form loops are put on standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.<br />
</p><br />
<br />
=Bridge Interface Setup=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code></p><br />
<br /><br />
<p>To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address from slave (secondary) ports will be assigned to the bridge interface, the MAC address will be chosen automatically, depending on "port-number", and it can change after a reboot. To avoid unwanted MAC address changes, it is recommended to disable "auto-mac", and to manually specify MAC by using "admin-mac".</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=add-dhcp-option82<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to add DHCP Option-82 information (Agent Remote ID and Agent Circuit ID) to DHCP packets. Can be used together with Option-82 capable DHCP server to assign IP addresses and implement policies. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=admin-mac<br />
|type=MAC address<br />
|default=none<br />
|desc=Static MAC address of the bridge. This property only has effect when <var>auto-mac</var> is set to <code>no</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ageing-time<br />
|type=time<br />
|default=00:05:00<br />
|desc=How long a host's information will be kept in the bridge database.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=Address Resolution Protocol setting<br />
* <code>disabled</code> - the interface will not use ARP<br />
* <code>enabled</code> - the interface will use ARP<br />
* <code>proxy-arp</code> - the interface will use the ARP proxy feature<br />
* <code>reply-only</code> - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the [[Manual:IP/ARP | IP/ARP]] table. No dynamic entries will be automatically stored in the [[Manual:IP/ARP | IP/ARP]] table. Therefore for communications to be successful, a valid static entry must already exist.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. The value <code>auto</code> equals the value of <var>arp-timeout</var> in [[Manual:IP/Settings | IP/Settings]], default is 30s.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-mac<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Automatically select one MAC address of bridge ports as a bridge MAC address, bridge MAC will be chosen from the first added bridge port. After a device reboot, the bridge MAC can change depending on the port-number.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dhcp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables DHCP Snooping on the bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Changes whether the bridge is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ether-type<br />
|type=0x9100 {{!}} 0x8100 {{!}} 0x88a8<br />
|default=0x8100<br />
|desc=Changes the EtherType, which will be used to determine if a packet has a VLAN tag. Packets that have a matching EtherType are considered as tagged packets. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-forward<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Special and faster case of [[Manual:Fast_Path | FastPath]] which works only on bridges with 2 interfaces (enabled by default only for new bridges). More details can be found in the [[ Manual:Interface/Bridge#Fast_Forward | Fast Forward]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forward-delay<br />
|type=time<br />
|default=00:00:15<br />
|desc=Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables multicast group and port learning to prevent multicast traffic from flooding all interfaces in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-version<br />
|type=2 {{!}} 3<br />
|default=2<br />
|desc=Selects the IGMP version in which IGMP general membership queries will be generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. By default, VLANs that don't exist in the bridge VLAN table are dropped before they are sent out (egress), but this property allows you to drop the packets when they are received (ingress). Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=read-only<br />
|default=<br />
|desc=L2MTU indicates the maximum size of the frame without MAC header that can be sent by this interface. The L2MTU value will be automatically set by the bridge and it will use the lowest L2MTU value of any associated bridge port. This value cannot be manually changed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-interval<br />
|type=time<br />
|default=1s<br />
|desc=If a port has <var>fast-leave</var> set to <code>no</code> and a bridge port receives an IGMP Leave message, then an IGMP Snooping enabled bridge will send an IGMP query to make sure that no devices have subscribed to a certain multicast stream on a bridge port. If an IGMP Snooping enabled bridge does not receive an IGMP membership report after the amount of time set by <var>last-member-interval</var>, then the bridge considers that no one has subscribed to a certain multicast stream and can stop forwarding it. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=How many times <var>last-member-interval</var> should pass until an IGMP Snooping bridge stops forwarding a certain multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-hops<br />
|type=integer: 6..40<br />
|default=20<br />
|desc=Number of bridges that a BPDU can pass through in an MSTP enabled network in the same region before the BPDU is ignored. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-message-age<br />
|type=time: 6s..40s<br />
|default=00:00:20<br />
|desc=Changes the Max Age value in BPDU packets, which is transmitted by the root bridge. A root bridge sends BPDUs with Max Age set to the <var>max-message-age</var> value and a Message Age of 0. Every sequential bridge will increment the Message Age before sending its BPDUs. Once a bridge receives a BPDU where Message Age is equal to or greater than Max Age, the BPDU is ignored. This property only has effect when <var>protocol-mode</var> is set to <code>stp</code> or <code>rstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=membership-interval<br />
|type=time<br />
|default=4m20s<br />
|desc=Amount of time after which an entry in the Multicast Database (MDB) is removed if an IGMP membership report is not received on a certain port. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mld-version<br />
|type=1 {{!}} 2<br />
|default=1<br />
|desc=Selects the MLD version. Version 2 adds support for source-specific multicast. This property only has effect when RouterOS IPv6 package is enabled and <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer<br />
|default=auto<br />
|desc=Maximum transmission unit. By default, the bridge will set the MTU automatically and it will use the lowest MTU value of any associated bridge port. The default bridge MTU value without any bridge ports added is 1500. The MTU value can be set manually, but it cannot exceed the bridge L2MTU or the lowest bridge port L2MTU. If a new bridge port is added with an L2MTU which is smaller than the actual-mtu of the bridge (set by the <var>mtu</var> property), then the manually set value will be ignored and the bridge will act as if <code>mtu=auto</code> is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-querier<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Multicast querier generates IGMP general membership queries to which all IGMP capable devices respond with an IGMP membership report, usually a PIM (multicast) router or IGMP proxy generates these queries. When RouterOS IPv6 package is enabled, the bridge will also generate MLD general membership queries.<br />
<br />
By using this property you can make an IGMP Snooping enabled bridge generate IGMP/MLD general membership queries. This property should be used whenever there is no active querier (PIM router or IGMP proxy) in a Layer2 network. Without a multicast querier in a Layer2 network, the Multicast Database (MDB) is not updated and IGMP Snooping will not function properly. Only untagged IGMP/MLD general membership queries are generated. This property only has an effect when <var>igmp-snooping</var> is set to <code>yes</code>. Additionally, <var>igmp-snooping</var> should be disabled and enabled again after changing the <var>multicast-querier</var> property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes whether IGMP membership reports are going to be forwarded to the bridge itself. This property can be used to forward IGMP membership reports to the bridge for statistics or to analyse them.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded to the bridge itself regardless of what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded to the bridge itself regardless of what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=text<br />
|default=bridgeN<br />
|desc=Name of the bridge interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..65535 decimal format or 0x0000-0xffff hex format<br />
|default=32768 / 0x8000<br />
|desc=Bridge priority, used by STP to determine root bridge, used by MSTP to determine CIST and IST regional root bridge. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=protocol-mode<br />
|type=none {{!}} rstp {{!}} stp {{!}} mstp<br />
|default=rstp<br />
|desc=Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a topology change. Select MSTP to ensure loop-free topology across multiple VLANs. Since RouterOS v6.43 it is possible to forward Reserved MAC addresses that are in '''01:80:C2:00:00:0X''' range, this can be done by setting the <var>protocol-mode</var> to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer: 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=querier-interval<br />
|type=time<br />
|default=4m15s<br />
|desc=Changes how often a bridge checks if it is the active multicast querier. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-interval<br />
|type=time<br />
|default=2m5s<br />
|desc=Changes how often IGMP general membership queries are sent out. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-response-interval<br />
|type=time<br />
|default=10s<br />
|desc=Interval in which an IGMP capable device must reply to an IGMP query with an IGMP membership report. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-name<br />
|type=text<br />
|default=<br />
|desc=MSTP region name. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-revision<br />
|type=integer: 0..65535<br />
|default=0<br />
|desc=MSTP configuration revision number. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=Specifies how many times <var>startup-query-interval</var> must pass until the bridge starts sending out IGMP general membership queries periodically. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-interval<br />
|type=time<br />
|default=31s250ms<br />
|desc=Changes the amount of time after which a bridge starts sending out IGMP general membership queries once the bridge is enabled. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=transmit-hold-count<br />
|type=integer: 1..10<br />
|default=6<br />
|desc=The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Globally enables or disables VLAN functionality for bridge.<br />
}}<br />
<br /><br />
<br />
{{ Warning | Changing certain properties can cause the bridge to temporarily disable all ports. This must be taken into account whenever changing such properties on production environments since it can cause all packets to be temporarily dropped. Such properties include <var>vlan-filtering</var>, <var>protocol-mode</var>, <var>igmp-snooping</var>, <var>fast-forward</var> and others. }}<br />
<br />
<br />
==Example==<br />
<br />
<p>To add and enable a bridge interface that will forward all the protocols:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> add <br />
[admin@MikroTik] /interface bridge> print <br />
Flags: X - disabled, R - running <br />
0 R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled <br />
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 <br />
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s <br />
forward-delay=15s transmit-hold-count=6 ageing-time=5m <br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Spanning Tree Protocol=<br />
<br />
RouterOS bridge interfaces are capable of running Spanning Tree Protocol to ensure a loop-free and redundant topology. For small networks with just 2 bridges STP does not bring many benefits, but for larger networks a properly configured STP is crucial. Leaving STP related values at their defaults may result in a completely unreachable network in case of even a single bridge failure. To achieve a proper loop-free and redundant topology, it is necessary to properly set bridge priorities, port path costs and port priorities. <br />
<br />
{{ Warning | In RouterOS it is possible to set any value for bridge priority between 0 and 65535, but the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can cause incompatibility issues between devices that do not support such values. To avoid compatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 }}<br />
<br />
STP has multiple variants; currently RouterOS supports STP, RSTP and MSTP. Depending on needs, any one of them can be used. Some devices are able to run some of these protocols using hardware offloading; detailed information about which devices support it can be found in the [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Hardware Offloading ]] section. STP is considered to be outdated and slow, and it has been almost entirely replaced in all network topologies by RSTP, which is backwards compatible with STP. For network topologies that depend on VLANs, it is recommended to use MSTP since it is a VLAN aware protocol and gives the ability to do load balancing per VLAN group. There are a lot of considerations that should be made when designing an STP enabled network; more detailed case studies can be found in the [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol ]] section. In RouterOS the <var>protocol-mode</var> property controls which STP variant is used.<br />
<br />
{{ Note | By the IEEE 802.1ad standard the BPDUs from bridges that comply with IEEE 802.1Q are not compatible with IEEE 802.1ad bridges, this means that the same bridge VLAN protocol should be used across all bridges in a single Layer2 domain, otherwise (R/M)STP will not function properly. }}<br />
<br />
== Per port STP ==<br />
There might be certain situations where you want to limit STP functionality on a single or multiple ports. Below you can find some examples for different use cases.<br />
<br />
{{ Warning | Be careful when changing the default (R/M)STP functionality, make sure you understand the working principles of STP and BPDUs. Misconfigured (R/M)STP can cause unexpected behaviour. }}<br />
<br />
* Don't send out BPDUs from a certain port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
/interface bridge filter<br />
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether1<br />
</pre><br />
<br />
In this example BPDUs will not be sent out through '''ether1'''. In case the bridge is the root bridge, loop detection will not work on this port. If another bridge is connected to '''ether1''', then the other bridge will not receive any BPDUs and therefore might become a second root bridge. You might want to consider blocking received BPDUs as well.<br />
<br />
{{ Note | You can use [[ Manual:Interface/List | Interface Lists]] to specify multiple interfaces. }}<br />
<br />
* Dropping received BPDUs on a certain port can be done on some switch chips using ACL rules, but the Bridge Filter Input rules cannot do it if the bridge has STP/RSTP/MSTP enabled, because received BPDUs then have special processing in the bridge.<br />
<br />
On CRS3xx:<br />
<pre><br />
/interface ethernet switch rule<br />
add dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether1 switch=switch1<br />
</pre><br />
<br />
Or on CRS1xx/CRS2xx with [[Manual:CRS1xx/2xx_series_switches#Cloud_Router_Switch_models | Access Control List (ACL) support]]:<br />
<pre><br />
/interface ethernet switch acl<br />
add action=drop mac-dst-address=01:80:C2:00:00:00 src-ports=ether1<br />
</pre><br />
<br />
In this example all received BPDUs on '''ether1''' are dropped. This will prevent other bridges on that port from becoming a root bridge.<br />
<br />
{{ Warning | If you intend to drop received BPDUs on a port, then make sure to prevent BPDUs from being sent out from the interface that this port is connected to. A root bridge always sends out BPDUs and under normal conditions is waiting for a more superior BPDU (from a bridge with a lower bridge ID), but the bridge must temporarily disable the new root-port when transitioning from a root bridge to designated bridge. If you have blocked BPDUs only on one side, then a port will flap continuously. }}<br />
<br />
* Don't allow BPDUs on a port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1 bpdu-guard=yes<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
</pre><br />
<br />
In this example if '''ether1''' receives a BPDU, it will block the port and will require you to manually re-enable it.<br />
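An added example (not part of the original manual and not MikroTik code): a Python check over a configuration export that reports port settings which, per the property descriptions on this page, have no effect because the bridge-level property they depend on is not set, and bridge priorities that are not a multiple of 4096. The sample export is constructed, the function names and finding codes are names chosen for this example, and the parser assumes the plain <code>add key=value</code> layout of an export with backslash line continuations.

```python
import shlex

# Defaults from the property tables on this page; an export omits
# properties that are still at their default value.
BRIDGE_DEFAULTS = {"protocol-mode": "rstp", "priority": "32768",
                   "vlan-filtering": "no", "dhcp-snooping": "no"}

# Finding codes are names chosen for this example.
MESSAGES = {
    "priority-step": "bridge priority is not a multiple of 4096",
    "bpdu-guard-inactive": "bpdu-guard=yes has no effect with protocol-mode=none",
    "vlan-rules-inactive": "frame-types/ingress-filtering need vlan-filtering=yes",
    "trusted-inactive": "trusted=yes has no effect without dhcp-snooping=yes",
}

# Constructed sample export, not taken from a real device.
SAMPLE = r"""
# constructed sample
/interface bridge
add name=bridge1 priority=0x7100 vlan-filtering=yes
add name=bridge2 protocol-mode=none
/interface bridge port
add bridge=bridge1 bpdu-guard=yes interface=ether1
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2
add bridge=bridge2 bpdu-guard=yes interface=ether3
add bridge=bridge2 ingress-filtering=yes interface=ether4 trusted=yes
"""


def parse_export(text):
    """Return {menu path: [property dict per 'add' line]}."""
    # Re-join lines that were wrapped with a trailing backslash.
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    menus, current = {}, None
    for line in joined:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            props = {}
            for token in shlex.split(line)[1:]:  # honours quoted values
                key, sep, value = token.partition("=")
                if sep:
                    props[key] = value
            menus[current].append(props)
    return menus


def parse_priority(value):
    """Bridge priority is accepted in decimal or 0x.... hex format."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def audit(text):
    """Return a list of (location, finding code) tuples."""
    menus = parse_export(text)
    bridges = {}
    for props in menus.get("/interface bridge", []):
        merged = {**BRIDGE_DEFAULTS, **props}
        bridges[merged.get("name", "?")] = merged

    findings = []
    for name, bridge in sorted(bridges.items()):
        # Priority has no effect with protocol-mode=none, so skip it there.
        if (bridge["protocol-mode"] != "none"
                and parse_priority(bridge["priority"]) % 4096):
            findings.append((name, "priority-step"))

    for port in menus.get("/interface bridge port", []):
        bridge = bridges.get(port.get("bridge"))
        if bridge is None:
            continue  # port refers to a bridge not present in the export
        where = f'{port["bridge"]}/{port.get("interface", "?")}'
        if port.get("bpdu-guard") == "yes" and bridge["protocol-mode"] == "none":
            findings.append((where, "bpdu-guard-inactive"))
        vlan_rules = (port.get("ingress-filtering") == "yes"
                      or port.get("frame-types", "admit-all") != "admit-all")
        if vlan_rules and bridge["vlan-filtering"] != "yes":
            findings.append((where, "vlan-rules-inactive"))
        if port.get("trusted") == "yes" and bridge["dhcp-snooping"] != "yes":
            findings.append((where, "trusted-inactive"))
    return findings


if __name__ == "__main__":
    for where, code in audit(SAMPLE):
        print(f"{where}: {MESSAGES[code]}")
```

Because defaults are filled in from the tables, a bridge that never mentions <code>vlan-filtering</code> or <code>dhcp-snooping</code> in the export is treated as having both set to <code>no</code>.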
<br />
=Bridge Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge settings</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing ([[Manual:Packet_Flow_v6 | Packet Flow]]). This does not apply to routed traffic. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to traffic in a bridge. Property <var>use-ip-firewall-for-vlan</var> is required in case bridge <var>vlan-filtering</var> is used.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-pppoe<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged un-encrypted PPPoE traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to PPPoE traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-vlan<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged VLAN traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to VLAN traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-fast-path<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to enable a bridge [[Manual:Fast_Path | FastPath]] globally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-active<br />
|type=yes {{!}} no<br />
|default=''<br />
|desc=Shows whether a bridge FastPath is active globally. FastPath status per bridge interface is not displayed. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge FastPath.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Path.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-forward-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=bridge-fast-forward-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{ Note | In case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] (Simple QoS) or global [[ Manual:Queue#Queue_Tree | Queue Trees]] to traffic that is being forwarded by a bridge, then you need to enable the <var>use-ip-firewall</var> property. Without using this property the bridge traffic will never reach the postrouting chain, [[Manual:Queue#Simple_Queues | Simple Queues]] and global [[ Manual:Queue#Queue_Tree | Queue Trees]] are working in the postrouting chain. To assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Trees]] for VLAN or PPPoE traffic in a bridge you should enable appropriate properties as well. }}<br />
<br />
=Port Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port</code></p><br />
<br /><br />
<p>Port submenu is used to enslave interfaces in a particular bridge interface.</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-isolate<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, prevents a port moving from discarding into forwarding state if no BPDUs are received from the neighboring bridge. The port will change into a forwarding state only when a BPDU is received. This property only has an effect when <var>protocol-mode</var> is set to <code>rstp</code> or <code>mstp</code> and <var>edge</var> is set to <code>no</code>. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bpdu-guard<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables BPDU Guard feature on a port. This feature puts the port in a disabled role if it receives a BPDU and requires the port to be manually disabled and enabled if a BPDU was received. Should be used to prevent a bridge from BPDU related attacks. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface the respective interface is grouped in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=broadcast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods broadcast traffic to all bridge egress ports. When disabled, drops broadcast traffic on egress ports. Can be used to filter all broadcast traffic on an egress port. Broadcast traffic is considered as traffic that uses '''FF:FF:FF:FF:FF:FF''' as destination MAC address, such traffic is crucial for many protocols such as DHCP, ARP, NDP, BOOTP (Netinstall) and others. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=edge<br />
|type=auto {{!}} no {{!}} no-discover {{!}} yes {{!}} yes-discover<br />
|default=auto<br />
|desc=Set port as edge port or non-edge port, or enable edge discovery. Edge ports are connected to a LAN that has no other bridges attached. An edge port will skip the learning and the listening states in STP and will transition directly to the forwarding state, this reduces the STP initialization time. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
* <code>no</code> - non-edge port, will participate in learning and listening states in STP.<br />
* <code>no-discover</code> - non-edge port with enabled discovery, will participate in learning and listening states in STP, a port can become edge port if no BPDU is received.<br />
* <code>yes</code> - edge port without discovery, will transit directly to forwarding state.<br />
* <code>yes-discover</code> - edge port with enabled discovery, will transit directly to forwarding state.<br />
* <code>auto</code> - same as <code>no-discover</code>, but will additionally detect if bridge port is a Wireless interface with disabled bridge-mode, such interface will be automatically set as an edge port without discovery.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=external-fdb<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Whether to use wireless registration table to speed up bridge host learning. If there are no Wireless interfaces in a bridge, then setting <var>external-fdb</var> to <code>yes</code> will disable MAC learning and the bridge will act as a hub (disables hardware offloading). Replaced with <var>learn</var> parameter in RouterOS v6.42<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-leave<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables the IGMP Fast leave feature on the port. The bridge will stop forwarding traffic to a bridge port whenever an IGMP Leave message is received for the appropriate multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed ingress frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=learn<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Changes MAC learning behaviour on a bridge port<br />
* <code>yes</code> - enables MAC learning<br />
* <code>no</code> - disables MAC learning<br />
* <code>auto</code> - detects if bridge port is a Wireless interface and uses Wireless registration table instead of MAC learning, will use Wireless registration table if the [[Manual:Interface/Wireless | Wireless interface]] is set to one of <var>ap-bridge,bridge,wds-slave</var> mode and bridge mode for the [[Manual:Interface/Wireless | Wireless interface]] is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes whether IGMP membership reports are going to be forwarded to this bridge port. By default IGMP membership reports (most importantly IGMP Join messages) are only forwarded to ports that have a multicast router or an IGMP Snooping enabled bridge connected to them. Without at least one port marked as a <code>multicast-router</code> IPTV might not work properly; the port can be either detected automatically or forced manually.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded through this port regardless of what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded through this port regardless of what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges.<br />
You can improve security by forcing ports that have IPTV boxes connected to never become ports marked as <code>multicast-router</code>. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=horizon<br />
|type=integer 0..429496729<br />
|default=none<br />
|desc=Use split horizon bridging to prevent bridging loops. Set the same value for group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading. Read more about [[MPLSVPLS#Split_horizon_bridging | Bridge split horizon]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=internal-path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface for MSTI0 inside a region. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface, used by STP to determine the "best" path, used by MSTP to determine "best" path between regions. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=point-to-point<br />
|type=auto {{!}} yes {{!}} no<br />
|default=auto<br />
|desc=Specifies if a bridge port is connected to a bridge using a point-to-point link for faster convergence in case of failure. By setting this property to <code>yes</code>, you are forcing the link to be a point-to-point link, which will skip the checking mechanism that detects and waits for BPDUs from other devices on this single link. By setting this property to <code>no</code>, you are expecting that a link can receive BPDUs from multiple devices. By setting the property to <code>yes</code>, you are significantly improving (R/M)STP convergence time. In general, you should only set this property to <code>no</code> if it is possible that another device can be connected between a link; this is mostly relevant to Wireless mediums and Ethernet hubs. If the Ethernet link is full-duplex, <code>auto</code> enables point-to-point functionality. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..240<br />
|default=128<br />
|desc=The priority of the interface, used by STP to determine the root port, used by MSTP to determine root port between regions.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-role<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enable the restricted role on a port, used by STP to forbid a port becoming a root port. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-tcn<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable topology change notification (TCN) sending on a port, used by STP to forbid network topology changes to propagate. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tag-stacking<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Forces all packets to be treated as untagged packets. Packets on ingress port will be tagged with another VLAN tag regardless if a VLAN tag already exists, packets will be tagged with a VLAN ID that matches the <var>pvid</var> value and will use EtherType that is specified in <var>ether-type</var>. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trusted<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, allows DHCP packets to be forwarded towards the DHCP server through this port. Mainly used to prevent unauthorized servers from providing malicious information to users. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unknown-multicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown multicast traffic to all bridge egress ports. When disabled, drops unknown multicast traffic on egress ports. Multicast addresses that are in <code>/interface bridge mdb</code> are considered as learned multicasts and therefore will not be flooded to all ports. Without IGMP Snooping all multicast traffic will be dropped on egress ports. Has effect only on an egress port. This option does not limit traffic flood to the CPU. Note that local multicast addresses (224.0.0.0/24) are not flooded when <var>unknown-multicast-flood</var> is disabled. As a result, some protocols that rely on local multicast addresses might not work properly, for example RIPv2, OSPF, mDNS, VRRP and others. Some protocols do send an IGMP join request and therefore are compatible with IGMP Snooping, some OSPF implementations are compatible with RFC1584, RouterOS OSPF implementation is not compatible with IGMP Snooping. This property should only be used when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=unknown-unicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown unicast traffic to all bridge egress ports. When disabled, drops unknown unicast traffic on egress ports. If a MAC address is not learned in <code>/interface bridge host</code>, then the traffic is considered as unknown unicast traffic and will be flooded to all ports. MAC address is learnt as soon as a packet on a bridge port is received, then the source MAC address is added to the bridge host table. Since it is required for the bridge to receive at least one packet on the bridge port to learn the MAC address, it is recommended to use static bridge host entries to avoid packets being dropped until the MAC address has been learnt. Has effect only on an egress port. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
==Example==<br />
<br />
<p>To group <b>ether1</b> and <b>ether2</b> in the already created <b>bridge1</b> bridge</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1<br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2<br />
[admin@MikroTik] /interface bridge port> print <br />
Flags: X - disabled, I - inactive, D - dynamic <br />
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON <br />
0 ether1 bridge1 0x80 10 none <br />
1 ether2 bridge1 0x80 10 none <br />
[admin@MikroTik] /interface bridge port> <br />
</pre><br />
<br />
=Interface lists=<br />
Starting with RouterOS v6.41 it is possible to add interface lists as a bridge port and sort them. Interface lists are useful for creating simpler firewall rules; you can read more about interface lists in the [[Manual:Interface/List | Interface List ]] section. Below is an example of how to add an interface list to a bridge:<br />
<pre><br />
/interface list member<br />
add interface=ether1 list=LAN1<br />
add interface=ether2 list=LAN1<br />
add interface=ether3 list=LAN2<br />
add interface=ether4 list=LAN2<br />
/interface bridge port<br />
add bridge=bridge1 interface=LAN1<br />
add bridge=bridge1 interface=LAN2<br />
</pre><br />
<br />
Ports from an interface list added to a bridge will show up as dynamic ports:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN1 bridge1<br />
1 D ether1 bridge1<br />
2 D ether2 bridge1<br />
3 LAN2 bridge1<br />
4 D ether3 bridge1<br />
5 D ether4 bridge1 <br />
</pre><br />
<br />
It is also possible to sort the order of lists in which they appear in the <code>/interface bridge port</code> menu. This can be done using the <code>move</code> command. Below is an example how to sort interface lists:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port move 3 0<br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN2 bridge1<br />
1 D ether3 bridge1<br />
2 D ether4 bridge1<br />
3 LAN1 bridge1<br />
4 D ether1 bridge1<br />
5 D ether2 bridge1<br />
</pre><br />
<br />
{{ Note | The second parameter when moving interface lists is treated as "before id": it specifies the interface list before which the selected interface list is placed. Moving the first interface list in place of the second interface list has no effect, since the first list would be moved before the second list, which is already the current state.}}<br />
<br />
=Hosts Table=<br />
<br />
MAC addresses that have been learned on a bridge interface can be viewed in the <code>/interface bridge host</code> menu. Below is a table of parameters and flags that can be viewed.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>age</b></var> (<em>read-only: time</em>)</td><br />
<td>The time since the last packet was received from the host. Appears only for dynamic, non-external and non-local host entries</td><br />
</tr><br />
<tr><br />
<td><var><b>bridge</b></var> (<em>read-only: name</em>)</td><br />
<td>The bridge the entry belongs to</td><br />
</tr><br />
<tr><br />
<td><var><b>disabled</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the static host entry is disabled</td><br />
</tr><br />
<tr><br />
<td><var><b>dynamic</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been dynamically created</td><br />
</tr><br />
<tr><br />
<td><var><b>external</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been learned using an external table, for example, from a switch chip or Wireless registration table. Adding a static host entry on a hardware-offloaded bridge port will also display an active external flag</td><br />
</tr><br />
<tr><br />
<td><var><b>invalid</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is invalid, can appear for statically configured hosts on already removed interface</td><br />
</tr><br />
<tr><br />
<td><var><b>local</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is created from the bridge itself (that way all local interfaces are shown)</td><br />
</tr><br />
<tr><br />
<td><var><b>mac-address</b></var> (<em>read-only: MAC address</em>)</td><br />
<td>Host's MAC address</td><br />
</tr><br />
<tr><br />
<td><var><b>on-interface</b></var> (<em>read-only: name</em>)</td><br />
<td>Which of the bridged interfaces the host is connected to</td><br />
</tr><br />
</table><br />
<br />
==Monitoring==<br />
<p>To get the active hosts table:</p><br />
<pre><br />
[admin@MikroTik] > interface bridge host print <br />
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external <br />
# MAC-ADDRESS VID ON-INTERFACE BRIDGE AGE<br />
0 D E D4:CA:6D:E1:B5:7E ether2 bridge1<br />
1 DL E4:8D:8C:73:70:37 bridge1 bridge1<br />
2 D D4:CA:6D:E1:B5:7F ether3 bridge2 27s<br />
3 DL E4:8D:8C:73:70:38 bridge2 bridge2<br />
</pre><br />
<br />
==Static entries==<br />
<br />
Since RouterOS v6.42 it is possible to add a static MAC address entry into the hosts table. This can be used to forward a certain type of traffic through a specific port. Another use case for static host entries is protecting the device resources by disabling dynamic learning and relying only on configured static host entries. Below is a table of possible parameters that can be set when adding a static MAC address entry into the hosts table.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface to which the MAC address is going to be assigned.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disables/enables static MAC address entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=MAC address that will be added to the hosts table statically.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vid<br />
|type=integer: 1..4094<br />
|default=<br />
|desc=VLAN ID for the statically added MAC address entry.<br />
}}<br />
<br />
For example, if it was required that all traffic destined to '''4C:5E:0C:4D:12:43''' is forwarded only through '''ether2''', then the following commands can be used:<br />
<pre><br />
/interface bridge host<br />
add bridge=bridge interface=ether2 mac-address=4C:5E:0C:4D:12:43<br />
</pre><br />
<br />
=Bridge Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge monitor</code></p><br />
<br /><br />
<p>Used to monitor the current status of a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="35%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>current-mac-address</b></var> (<em>MAC address</em>)</td><br />
<td>Current MAC address of the bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>designated-port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of designated bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of the bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge</b></var> (<em>yes | no</em>)</td><br />
<td>Shows whether bridge is the root bridge of the spanning tree</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge-id</b></var> (<em>text</em>)</td><br />
<td>The root bridge ID, which is in form of bridge-priority.bridge-MAC-address</td><br />
</tr><br />
<tr><br />
<td><var><b>root-path-cost</b></var> (<em>integer</em>)</td><br />
<td>The total cost of the path to the root-bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>root-port</b></var> (<em>name</em>)</td><br />
<td>Port to which the root bridge is connected</td><br />
</tr><br />
<tr><br />
<td><var><b>state</b></var> (<em>enabled | disabled</em>)</td><br />
<td>State of the bridge</td><br />
</tr><br />
</table><br />
<br />
<h3>Example</h3><br />
<br />
<p>To monitor a bridge:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> monitor bridge1 <br />
state: enabled<br />
current-mac-address: 00:0C:42:52:2E:CE<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
<br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Bridge Port Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port monitor</code></p><br />
<br /><br />
<p>Statistics of an interface that belongs to a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>edge-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is an edge port or not.</td><br />
</tr><br />
<tr><br />
<td><var><b>edge-port-discovery</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is set to automatically detect edge ports.</td><br />
</tr><br />
<tr><br />
<td><var><b>external-fdb</b></var> (<em>yes | no</em>)</td><br />
<td>Whether registration table is used instead of forwarding data base.</td><br />
</tr><br />
<tr><br />
<td><var><b>forwarding</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is not blocked by (R/M)STP.</td><br />
</tr><br />
<tr><br />
<td><var><b>hw-offload-group</b></var> (<em>switchX</em>)</td><br />
<td>Switch chip used by the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>learning</b></var> (<em>yes | no</em>)</td><br />
<td>Shows whether the port is capable of learning MAC addresses.</td><br />
</tr><br />
<tr><br />
<td><var><b>multicast-router</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if a multicast router is detected on the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>port-number</b></var> (<em>integer 1..4095</em>)</td><br />
<td>port-number will be assigned in the order that ports got added to the bridge, but this is only true until reboot. After reboot internal numbering will be used.</td><br />
</tr><br />
<tr><br />
<td><var><b>point-to-point-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is connected to a bridge port using full-duplex (yes) or half-duplex (no).</td><br />
</tr><br />
<tr><br />
<td><var><b>role</b></var> (<em>designated | root port | alternate | backup | disabled</em>)</td><br />
<td><br />
(R/M)STP algorithm assigned role of the port:<br />
* <code>Disabled port</code> - not strictly part of STP, a network administrator can manually disable a port<br />
* <code>Root port</code> - a forwarding port that is the best port from Nonroot-bridge to Rootbridge<br />
* <code>Alternative port</code> - an alternate path to the root bridge. This path is different than using the root port<br />
* <code>Designated port</code> - a forwarding port for every LAN segment<br />
* <code>Backup port</code> - a backup/redundant path to a segment where another bridge port already connects.<br />
</td><br />
</tr><br />
<tr><br />
<td><var><b>sending-rstp</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is sending RSTP or MSTP BPDU types. A port will transit to STP type when RSTP/MSTP enabled port receives a STP BPDU</td><br />
</tr><br />
<tr><br />
<td><var><b>status</b></var> (<em>in-bridge | inactive</em>)</td><br />
<td>Port status:<br />
* <code>in-bridge</code> - port is enabled.<br />
* <code>inactive</code> - port is disabled.<br />
</td><br />
</tr><br />
</table><br />
<br />
==Example==<br />
<br />
<p>To monitor a bridge port:</p><br />
<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor 0 <br />
status: in-bridge<br />
port-number: 1<br />
role: designated-port<br />
edge-port: no<br />
edge-port-discovery: yes<br />
point-to-point-port: no<br />
external-fdb: no<br />
sending-rstp: no<br />
learning: yes<br />
forwarding: yes<br />
<br />
[admin@MikroTik] /interface bridge port><br />
</pre><br />
<br />
=Bridge Hardware Offloading=<br />
<br />
Since RouterOS v6.41 it is possible to switch multiple ports together if a device has a built-in switch chip. While a bridge is a software feature that will consume CPU resources, the bridge hardware offloading feature allows you to use the built-in switch chip to forward packets, which lets you achieve higher throughput if configured correctly. In previous versions (prior to RouterOS v6.41) you had to use the <var>master-port</var> property to switch multiple ports together, but in RouterOS v6.41 this property is replaced with the bridge hardware offloading feature, which allows you to switch ports and use some of the bridge features, for example, [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol]]. More details about the outdated <var>master-port</var> property can be found in the [[Manual:Master-port | Master-port]] page.<br />
<br />
{{ Note | When upgrading from previous versions (before RouterOS v6.41), the old <var>master-port</var> configuration is automatically converted to the new '''Bridge Hardware Offloading''' configuration. When downgrading from newer versions (RouterOS v6.41 and newer) to older versions (before RouterOS v6.41) the configuration is not converted back, a bridge without hardware offloading will exist instead, in such a case you need to reconfigure your device to use the old <var>master-port</var> configuration. }}<br />
<br />
Below is a list of devices and features that support hardware offloading (+) or disable hardware offloading (-):<br />
<br />
{| border="1" class="wikitable collapsible sortable" style="text-align: center"<br />
| nowrap style="background-color: #CCC;* " | <b><u>RouterBoard/[Switch Chip] Model</u></b><br />
| nowrap style="background-color: #CCC;* " | <b>Features in Switch menu</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge STP/RSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge MSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge IGMP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge DHCP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge VLAN Filtering</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bonding</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS3xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS1xx/CRS2xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>+ <small style="font-size:60%;">1</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [QCA8337]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8327]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|-<br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8227]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8316]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros7240]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [MT7621]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [RTL8367]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [ICPlus175D]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
|}<br />
<br />
<b>NOTES:</b><br />
# Feature will not work properly in VLAN switching setups. It is possible to correctly snoop DHCP packets only for a single VLAN, but this requires that these DHCP messages get tagged with the correct VLAN tag using an ACL rule, for example, <code>/interface ethernet switch acl add dst-l3-port=67-68 ip-protocol=udp mac-protocol=ip new-customer-vid=10 src-ports=switch1-cpu</code>. DHCP Option 82 will not contain any information regarding VLAN-ID. <br />
# Feature will not work properly in VLAN switching setups.<br />
<br />
{{ Note | When upgrading from older versions (before RouterOS v6.41), only the <var>master-port</var> configuration is converted. For each <var>master-port</var> a bridge will be created. VLAN configuration is not converted and should not be changed, check the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide to be sure how VLAN switching should be configured for your device. }}<br />
<br />
Bridge Hardware Offloading should be considered as port switching, but with more possible features. By enabling hardware offloading you are allowing a built-in switch chip to process packets using its switching logic. The diagram below illustrates that switching occurs before any software related action:<br />
<br />
[[File:switch-png.png|center]]<br />
<br />
A packet that is received by one of the ports always passes through the switch logic first. Switch logic decides which ports the packet should go to (most commonly this decision is made based on the destination MAC address of a packet, but other criteria might be involved based on the packet and the configuration). In most cases the packet will not be visible to RouterOS (only statistics will show that a packet has passed through), because the packet was already processed by the switch chip and never reached the CPU, though it is possible in certain situations to allow a packet to be processed by the CPU. To allow the CPU to process a packet you need to forward the packet to the CPU and not allow the switch chip to forward the packet through a switch port directly; this is usually called passing a packet to the switch CPU port (or the bridge CPU port in a bridge VLAN filtering scenario).<br />
<br />
By passing a packet to the switch CPU port you are preventing the switch chip from forwarding the packet directly; this allows the CPU to process the packet and lets the CPU forward the packet. Passing the packet to the CPU port will give you the opportunity to route packets to different networks, perform traffic control and other software related packet processing actions. To allow a packet to be processed by the CPU, you need to make certain configuration changes depending on your needs and on the device you are using (most commonly passing packets to the CPU is required for VLAN filtering setups). Check the manual page for your specific device:<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches_examples | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | non-CRS series switches]]<br />
<br />
{{ Warning | Certain bridge and Ethernet port properties are directly related to switch chip settings. Changing such properties can trigger a '''switch chip reset''' that will temporarily disable all Ethernet ports that are on the switch chip for the settings to have an effect; this must be taken into account whenever changing properties on production environments. Such properties are DHCP Snooping, IGMP Snooping, VLAN filtering, L2MTU, Flow Control and others (exact settings that can trigger a switch chip reset depend on the device's model). }}<br />
<br />
==Example==<br />
<br />
Port switching with bridge configuration and enabled hardware offloading since RouterOS v6.41:<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2 hw=yes<br />
add bridge=bridge1 interface=ether3 hw=yes<br />
add bridge=bridge1 interface=ether4 hw=yes<br />
add bridge=bridge1 interface=ether5 hw=yes<br />
</pre><br />
<br />
Make sure that hardware offloading is enabled by checking the "H" flag:<br />
<pre><br />
[admin@MikroTik] > interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON<br />
0 H ether2 bridge1 yes 1 0x80 10 10 none<br />
1 H ether3 bridge1 yes 1 0x80 10 10 none<br />
2 H ether4 bridge1 yes 1 0x80 10 10 none<br />
3 H ether5 bridge1 yes 1 0x80 10 10 none<br />
</pre><br />
<br />
{{ Note | Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior to RouterOS v6.41 port switching was done using the <var>master-port</var> property, for more details check the [[Manual:Master-port | Master-port]] page. }}<br />
<br />
=Bridge VLAN Filtering=<br />
<br />
{{ Note | Currently only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide. If an improper configuration method is used, your device can cause throughput issues in your network. }}<br />
<br />
<p>Bridge VLAN Filtering since RouterOS v6.41 provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge.<br />
This set of features makes bridge operation more like a traditional Ethernet switch and makes it possible to overcome Spanning Tree compatibility issues compared to a configuration where tunnel-like VLAN interfaces are bridged.<br />
Bridge VLAN Filtering configuration is highly recommended to comply with STP (IEEE 802.1D), RSTP (IEEE 802.1W) standards and is mandatory to enable MSTP (IEEE 802.1s) support in RouterOS.</p><br />
<br />
<p>The main VLAN setting is <code>vlan-filtering</code> which globally controls vlan-awareness and VLAN tag processing in the bridge.<br />
If <code>vlan-filtering=no</code>, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets.<br />
Turning on <code>vlan-filtering</code> enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode.<br />
Besides joining the ports for Layer2 forwarding, bridge itself is also an interface therefore it has Port VLAN ID (pvid).</p><br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge vlan</code></p><br />
<br />
<p>Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action.<br />
<code>tagged</code> ports send out frames with a learned VLAN ID tag.<br />
<code>untagged</code> ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port <code>pvid</code>.<br />
</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface which the respective VLAN entry is intended for.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables Bridge VLAN entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. <code>tagged=ether1,ether2</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=untagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. <code>untagged=ether3,ether4</code><br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-ids<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID range as well as comma separated values. E.g. <code>vlan-ids=100-115,120,122,128-130</code>.<br />
}}<br />
<br /><br />
{{ Warning | The <var>vlan-ids</var> parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are tagged ports. In case multiple VLANs are specified for access ports, then tagged packets might get sent out as untagged packets through the wrong access port, regardless of the <var>PVID</var> value. }}<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br />
<p>Bridge Host table allows monitoring learned MAC addresses and when <code>vlan-filtering</code> is enabled shows learned VLAN ID as well.</p><br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge host print where !local<br />
Flags: L - local, E - external-fdb <br />
BRIDGE VID MAC-ADDRESS ON-INTERFACE AGE <br />
bridge1 200 D4:CA:6D:77:2E:F0 ether3 7s <br />
bridge1 200 E4:8D:8C:1B:05:F0 ether2 2s <br />
bridge1 300 D4:CA:6D:74:65:9D ether4 3s <br />
bridge1 300 E4:8D:8C:1B:05:F0 ether2 2s <br />
bridge1 400 4C:5E:0C:4B:89:5C ether5 0s <br />
bridge1 400 E4:8D:8C:1B:05:F0 ether2 0s <br />
[admin@MikroTik] > <br />
</pre><br />
<br />
{{ Note | Make sure you have added all needed interfaces to the bridge VLAN table when using bridge VLAN filtering. For routing functions to work properly on the same device through ports that use bridge VLAN filtering, you will need to allow access to the CPU from those ports, this can be done by adding the bridge interface itself to the VLAN table, for tagged traffic you will need to add the bridge interface as a tagged port and create a VLAN interface on the bridge interface. Examples can be found at the [[Manual:Interface/Bridge#Management_port| Management port]] section.}}<br />
<br />
{{ Warning | When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, this is not always desirable. Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port, use firewall filter rules to allow access to only certain services.}}<br />
<br />
==VLAN Example #1 (Trunk and Access Ports)==<br />
<br />
{{ Note | Improperly configured bridge VLAN filtering can cause security issues, make sure you fully understand how [[ Manual:Bridge_VLAN_Table | Bridge VLAN table]] works before deploying your device into production environments. }}<br />
<br />
[[File:portbased-vlan1.png|center|frame|alt=Alt text|Trunk and Access Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the device before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==VLAN Example #2 (Trunk and Hybrid Ports)==<br />
<br />
[[File:portbased-vlan2.png|center|frame|alt=Alt text|Trunk and Hybrid Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> on hybrid VLAN ports to assign untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example egress VLAN tagging is done on ether6,ether7,ether8 ports too, making them into hybrid ports.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | You don't have to add access ports as untagged ports. They are added dynamically as untagged ports with the VLAN ID that is specified in <code>PVID</code>, so you can specify just the trunk port as a tagged port. All ports that have the same <code>PVID</code> set will be added as untagged ports in a single entry. You must take into account that the bridge itself is a port and it also has a <code>PVID</code> value, which means that the bridge port will also be added as an untagged port alongside the ports that have the same <code>PVID</code>. You can circumvent this behaviour either by setting a different <code>PVID</code> on all ports (even the trunk port and the bridge itself), or by using <code>frame-type</code> set to <code>accept-only-vlan-tagged</code>. }}<br />
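The dynamic membership described in the warning above can be checked offline before <code>vlan-filtering</code> is enabled. The following is an added example, not part of the original manual or of RouterOS: it parses the commands of VLAN Example #1 (embedded as constructed input), adds the dynamic <code>pvid</code> entries, and reports ports that end up sharing an untagged VLAN with the bridge itself. It assumes the RouterOS default of <code>pvid=1</code> for the bridge and its ports and handles only single VLAN IDs; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the bridge, port and VLAN commands of VLAN Example #1 on this page.
EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400
"""

DEFAULT_PVID = 1  # assumption: RouterOS default PVID for the bridge and for bridge ports


def parse_export(text):
    """Group 'add key=value ...' lines under the menu path that precedes them."""
    menus, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            menus[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus


def split_ports(value):
    """Turn 'ether2,ether7' into a set of names; an empty value gives an empty set."""
    return {name for name in value.split(",") if name}


def effective_vlans(text):
    """Return {bridge: {vid: {'tagged': set, 'untagged': set}}} with dynamic PVID entries."""
    menus = parse_export(text)
    table = defaultdict(lambda: defaultdict(lambda: {"tagged": set(), "untagged": set()}))
    # Static entries from /interface bridge vlan.
    for row in menus["/interface bridge vlan"]:
        for vid in row["vlan-ids"].split(","):
            entry = table[row["bridge"]][int(vid)]
            entry["tagged"] |= split_ports(row.get("tagged", ""))
            entry["untagged"] |= split_ports(row.get("untagged", ""))
    # Dynamic entries: the bridge and every port become untagged members of their PVID.
    for row in menus["/interface bridge"]:
        pvid = int(row.get("pvid", DEFAULT_PVID))
        table[row["name"]][pvid]["untagged"].add(row["name"])
    for row in menus["/interface bridge port"]:
        pvid = int(row.get("pvid", DEFAULT_PVID))
        table[row["bridge"]][pvid]["untagged"].add(row["interface"])
    return table


def untagged_cpu_exposure(text):
    """List (bridge, vid, ports) where ports share an untagged VLAN with the bridge port."""
    findings = []
    for bridge, vlans in effective_vlans(text).items():
        for vid, entry in sorted(vlans.items()):
            others = sorted(entry["untagged"] - {bridge})
            if bridge in entry["untagged"] and others:
                findings.append((bridge, vid, others))
    return findings


if __name__ == "__main__":
    for bridge, vid, ports in untagged_cpu_exposure(EXPORT):
        print(f"{bridge}: VLAN {vid} is untagged on {', '.join(ports)} and on the bridge itself")
```

For Example #1 the only finding is VLAN 1, where the trunk port ether2 and bridge1 both keep the default PVID; giving the bridge and the trunk port their own PVID values clears it.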
<br />
==VLAN Example #3 (InterVLAN Routing by Bridge)==<br />
<br />
[[File:bridge-vlan-routing.png|center|frame|alt=Alt text|InterVLAN Routing by Bridge]]<br />
<br />
Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured:<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN:<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example '''bridge1''' interface is the VLAN trunk that will send traffic further to do InterVLAN routing:<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
Configure VLAN interfaces on the '''bridge1''' to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned:<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=VLAN200 vlan-id=200<br />
add interface=bridge1 name=VLAN300 vlan-id=300<br />
add interface=bridge1 name=VLAN400 vlan-id=400<br />
<br />
/ip address<br />
add address=20.0.0.1/24 interface=VLAN200<br />
add address=30.0.0.1/24 interface=VLAN300<br />
add address=40.0.0.1/24 interface=VLAN400<br />
</pre><br />
<br />
In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==Management access configuration==<br />
<br />
There are multiple ways to set up management access on a device that uses bridge VLAN filtering. Below are some of the most popular approaches to properly enable access to a router/switch. Start by creating a bridge without VLAN filtering enabled:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* In case VLAN filtering will not be used and access with untagged traffic is desired<br />
<br />
The only requirement is to create an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.99.1/24 interface=bridge1<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with tagged traffic is desired<br />
<br />
In this example VLAN99 will be used to access the device, a VLAN interface on the bridge must be created and an IP address must be assigned to it.<br />
<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=MGMT vlan-id=99<br />
/ip address<br />
add address=192.168.99.1/24 interface=MGMT<br />
</pre><br />
<br />
For example, if you want to allow access to the router/switch from access ports '''ether3''', '''ether4''' and from trunk port '''sfp-sfpplus1''', then you must add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired<br />
<br />
To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.88.1/24 interface=bridge1<br />
</pre><br />
<br />
It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports '''ether3''', '''ether4''' add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1<br />
</pre><br />
<br />
Make sure that PVID on the bridge interface matches the PVID value on these ports:<br />
<pre><br />
/interface bridge set bridge1 pvid=1<br />
/interface bridge port set ether3,ether4 pvid=1<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Note | If connection to the router/switch through an IP address is not required, then steps adding this IP address can be skipped since connection to the router/switch through Layer2 protocols (e.g. MAC-telnet) will be working either way. }}<br />
<br />
==VLAN Tunneling (Q-in-Q)==<br />
Since RouterOS v6.43 the RouterOS bridge is IEEE 802.1ad compliant and it is possible to filter VLAN IDs based on Service VLAN ID (0x88A8) rather than Customer VLAN ID (0x8100). The same principles can be applied as with IEEE 802.1Q VLAN filtering (the same setup examples can be used). Below is a topology for a common '''Provider bridge''':<br />
<br />
[[File:provider_bridge.png|700px|thumb|center|alt=Alt text|Provider bridge topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic by 802.1Q (CVID), but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with an SVID and only allow these VLANs on certain ports. Start by enabling <code>802.1ad</code> VLAN protocol on the bridge, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x88a8<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' are going to be access ports (untagged), use the <code>pvid</code> parameter to tag all ingress traffic on each port, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200<br />
add interface=ether2 bridge=bridge1 pvid=300<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. The difference between using different EtherTypes is that you must use a Service VLAN interface. Service VLAN interfaces can be created as regular VLAN interface, but the <var>use-service-tag</var> parameter toggles if the interface will use Service VLAN tag. }}<br />
<br />
{{ Note | Currently only CRS3xx series switches are capable of hardware offloading VLAN filtering based on SVID (Service VLAN ID) tag when <var>ether-type</var> is set to 0x88a8. }}<br />
<br />
{{ Warning | When <code>ether-type&#61;0x8100</code>, then the bridge checks the outer VLAN tag if it is using EtherType <code>0x8100</code>. If the bridge receives a packet with an outer tag that has a different EtherType, it will mark the packet as <code>untagged</code>. Since RouterOS only checks the outer tag of a packet, it is not possible to filter 802.1Q packets when 802.1ad protocol is used. }}<br />
<br />
===Tag stacking===<br />
<br />
Since RouterOS v6.43 it is possible to forcefully add a new VLAN tag over any existing VLAN tags, this feature can be used to achieve a CVID stacking setup, where a CVID (0x8100) tag is added before an existing CVID tag. This type of setup is very similar to [[ Manual:Interface/Bridge#VLAN_Tunneling_.28Q-in-Q.29 | Provider bridge]] setup, to achieve the same setup but with multiple CVID tags (CVID stacking) we can use the same topology:<br />
<br />
[[File:tag_stacking.png|700px|thumb|center|alt=Alt text|Tag stacking topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic, it can be 802.1ad, 802.1Q or any other type of traffic, but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with a new CVID tag and only allow these VLANs on certain ports. Start by selecting the proper EtherType, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x8100<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' will ignore any VLAN tags that are present and add a new VLAN tag, use the <code>pvid</code> parameter to tag all ingress traffic on each port and allow <code>tag-stacking</code> on these ports, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200 tag-stacking=yes<br />
add interface=ether2 bridge=bridge1 pvid=300 tag-stacking=yes<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, you only need to specify the VLAN ID of the outer tag, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, which is required in order for the <code>PVID</code> parameter to have any effect, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. }}<br />
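The ingress rules from the Q-in-Q and Tag stacking sections can be followed on real frame bytes. The following is an added example, not code from the original manual or from RouterOS: it models only what the text above states (the bridge compares the outer tag's EtherType with its own <code>ether-type</code>, treats anything else as untagged and assigns <code>pvid</code>, and <code>tag-stacking=yes</code> always pushes a new tag). The frames are constructed, the function names are hypothetical, and priority-tagged frames and the VLAN table lookup are not modelled.

```python
import struct

TPID_CVLAN = 0x8100   # IEEE 802.1Q customer tag (CVID)
TPID_SVLAN = 0x88A8   # IEEE 802.1ad service tag (SVID)


def build_frame(tags, payload_type=0x0800, payload=b"\x00" * 46):
    """Constructed test frame: fixed MACs, the given [(tpid, vid), ...] tags, a dummy payload."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    tag_bytes = b"".join(struct.pack("!HH", tpid, vid & 0x0FFF) for tpid, vid in tags)
    return dst + src + tag_bytes + struct.pack("!H", payload_type) + payload


def tag_stack(frame):
    """Return every VLAN tag in the frame, outermost first, as (tpid, vid) pairs."""
    stack, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (TPID_CVLAN, TPID_SVLAN):
            break
        stack.append((tpid, tci & 0x0FFF))
        offset += 4
    return stack


def classify_ingress(frame, ether_type, pvid, tag_stacking=False):
    """Model of the ingress rule: return (vlan id, frame as carried inside the bridge).

    ether_type is the bridge's ether-type setting, pvid and tag_stacking are the
    settings of the port the frame arrived on.
    """
    if len(frame) < 16:
        raise ValueError("frame too short")
    outer_type, tci = struct.unpack_from("!HH", frame, 12)
    if outer_type == ether_type and not tag_stacking:
        # The outer tag matches the bridge EtherType: the frame counts as tagged.
        return tci & 0x0FFF, frame
    # Any other outer EtherType counts as untagged; tag stacking ignores existing tags.
    pushed = struct.pack("!HH", ether_type, pvid & 0x0FFF)
    return pvid, frame[:12] + pushed + frame[12:]


def strip_outer_tag(frame):
    """What an untagged egress port does: remove the outermost 4-byte tag."""
    return frame[:12] + frame[16:]


def demo():
    """Run the cases discussed in the text and return (label, vlan id, tag stack) rows."""
    cases = [
        ("802.1ad bridge, CVID 10 in, pvid=200", [(TPID_CVLAN, 10)], TPID_SVLAN, 200, False),
        ("802.1Q bridge, CVID 300 in, pvid=200", [(TPID_CVLAN, 300)], TPID_CVLAN, 200, False),
        ("802.1Q bridge, CVID 300 in, tag-stacking", [(TPID_CVLAN, 300)], TPID_CVLAN, 200, True),
        ("802.1Q bridge, SVID 300 in, pvid=200", [(TPID_SVLAN, 300)], TPID_CVLAN, 200, False),
    ]
    rows = []
    for label, tags, ether_type, pvid, stacking in cases:
        vid, carried = classify_ingress(build_frame(tags), ether_type, pvid, stacking)
        rows.append((label, vid, tag_stack(carried)))
    return rows


if __name__ == "__main__":
    for label, vid, stack in demo():
        tags = " / ".join(f"0x{tpid:04x}:{v}" for tpid, v in stack)
        print(f"{label:42} -> VLAN {vid:3}  tags: {tags}")
```

The second and third rows show why <code>tag-stacking=yes</code> is set on the access ports: without it, a frame that already carries a 0x8100 tag is classified by that tag rather than by the port's <code>pvid</code>.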
<br />
=Fast Forward=<br />
<br />
Fast Forward allows packets to be forwarded faster under special conditions. When Fast Forward is enabled, the bridge can process packets even faster since it can skip multiple bridge related checks, including MAC learning. Below you can find a list of conditions that '''MUST''' be met in order for Fast Forward to be active:<br />
* Bridge has <var>fast-forward</var> set to <code>yes</code><br />
* Bridge has only 2 running ports<br />
* Both bridge ports support [[ Manual:Fast_Path | Fast Path]], Fast Path is active on ports and globally on the bridge<br />
* [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] is disabled<br />
* [[ Manual:Interface/Bridge#Bridge_VLAN_Filtering | Bridge VLAN Filtering]] is disabled<br />
* [[Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82 | bridge DHCP snooping]] is disabled<br />
* <var>unknown-multicast-flood</var> is set to <code>yes</code><br />
* <var>unknown-unicast-flood</var> is set to <code>yes</code><br />
* <var>broadcast-flood</var> is set to <code>yes</code><br />
* MAC address for the bridge matches with a MAC address from one of the bridge slaves<br />
* <var>horizon</var> for both ports is set to <code>none</code><br />
<br />
{{ Note | Fast Forward disables MAC learning, this is by design to achieve faster packet forwarding. MAC learning prevents traffic from flooding multiple interfaces, but MAC learning is not needed when a packet can only be sent out through just one interface. }}<br />
<br />
{{ Warning | Fast Forward is disabled when hardware offloading is enabled. Hardware offloading can achieve full wire-speed performance when it is active since it will use the built-in switch chip (if such exists on your device), while Fast Forward uses the CPU to forward packets. When comparing throughput results, you would get such results: Hardware offloading > Fast Forward > Fast Path > Slow Path. }}<br />
<br />
It is possible to check how many packets were processed by Fast Forward:<br />
<pre><br />
[admin@MikroTik] > /interface bridge settings print <br />
use-ip-firewall: no<br />
use-ip-firewall-for-vlan: no<br />
use-ip-firewall-for-pppoe: no<br />
allow-fast-path: yes<br />
bridge-fast-path-active: yes<br />
bridge-fast-path-packets: 0<br />
bridge-fast-path-bytes: 0<br />
bridge-fast-forward-packets: 1279812<br />
bridge-fast-forward-bytes: 655263744<br />
</pre><br />
<br />
{{ Note | If packets are processed by Fast Path, then Fast Forward is not active. Packet count can be used as an indicator whether Fast Forward is active or not. }}<br />
<br />
Since RouterOS 6.44beta28 it is possible to monitor Fast Forward status, for example:<br />
<pre><br />
[admin@MikroTik] > /interface bridge monitor bridge1 <br />
state: enabled<br />
current-mac-address: D4:CA:6D:E1:B5:82<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
fast-forward: yes<br />
<br />
</pre><br />
<br />
{{ Warning | Disabling or enabling <var>fast-forward</var> will temporarily disable all bridge ports for settings to take effect. This must be taken into account whenever changing this property on production environments since it can cause all packets to be temporarily dropped. }}<br />
<br />
=IGMP Snooping=<br />
<br />
<p>IGMP Snooping which controls multicast streams and prevents multicast flooding is implemented in RouterOS starting from version 6.41.<br /><br />
Its settings are placed in the bridge menu and it works independently on every bridge interface.<br /><br />
Software driven implementation works on all devices with RouterOS but CRS1xx/2xx/3xx series switches also support IGMP Snooping with hardware offloading.</p><br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge mdb</code></p><br />
<br />
* Enabling IGMP Snooping on Bridge.<br />
<br />
<pre><br />
/interface bridge set bridge1 igmp-snooping=yes<br />
</pre><br />
<br />
* Monitoring multicast groups in the Bridge Multicast Database<br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge mdb print <br />
BRIDGE VID GROUP PORTS <br />
bridge1 200 229.1.1.2 ether3 <br />
ether2 <br />
ether1 <br />
bridge1 300 231.1.3.3 ether4 <br />
ether3 <br />
ether2 <br />
bridge1 400 229.10.10.4 ether4 <br />
ether3 <br />
bridge1 500 234.5.1.5 ether5 <br />
ether1 <br />
</pre><br />
<br />
* Monitoring ports that are connected to a multicast router<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor [f]<br />
interface: ether1 ether2<br />
status: in-bridge in-bridge<br />
port-number: 1 2<br />
role: designated-port designated-port<br />
edge-port: yes yes<br />
edge-port-discovery: yes yes<br />
point-to-point-port: yes yes<br />
external-fdb: no no<br />
sending-rstp: yes yes<br />
learning: yes yes<br />
forwarding: yes yes<br />
multicast-router: yes no<br />
</pre><br />
<br />
{{ Note | IGMP membership reports are only forwarded to ports that are connected to a multicast router or to another IGMP Snooping enabled bridge. If no port is marked as a <var>multicast-router</var> then IGMP membership reports will not be forwarded to any port. }}<br />
<br />
=DHCP Snooping and DHCP Option 82=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge port</code></p><br />
<br /><br />
Starting from RouterOS version 6.43, the bridge supports DHCP Snooping and DHCP Option 82. DHCP Snooping is a Layer2 security feature that limits unauthorized DHCP servers from providing malicious information to users. In RouterOS you can specify which bridge ports are trusted (where a known DHCP server resides and DHCP messages should be forwarded) and which are untrusted (usually used for access ports, received DHCP server messages will be dropped). DHCP Option 82 is additional information (Agent Circuit ID and Agent Remote ID) provided by DHCP Snooping enabled devices that allows identifying the device itself and DHCP clients.<br />
<br />
[[File:dhcp_snooping.png|700px|thumb|center|alt=Alt text|DHCP Snooping and Option 82 setup]]<br />
<br />
In this example, SW1 and SW2 are DHCP Snooping and Option 82 enabled devices. First, we need to create a bridge, assign interfaces and mark trusted ports. Use these commands on <b>SW1</b>:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1<br />
add bridge=bridge interface=ether2 trusted=yes<br />
</pre><br />
<br />
For SW2 the configuration is similar, but we also need to mark ether1 as trusted, because this interface is going to receive DHCP messages with Option 82 already added. You need to mark all ports as trusted if they are going to receive DHCP messages with added Option 82, otherwise these messages will be dropped. We also add ether3 to the same bridge and leave this port untrusted; imagine there is an unauthorized (rogue) DHCP server connected to it. Use these commands on <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1 trusted=yes<br />
add bridge=bridge interface=ether2 trusted=yes<br />
add bridge=bridge interface=ether3<br />
</pre><br />
<br />
Then we need to enable DHCP Snooping and Option 82. In case your DHCP server does not support DHCP Option 82 or you do not implement any Option 82 related policies, this option can be disabled. Use these commands on <b>SW1</b> and <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes<br />
</pre><br />
<br />
Now both devices will analyze what DHCP messages are received on bridge ports. <b>SW1</b> is responsible for adding and removing the DHCP Option 82. <b>SW2</b> will prevent the rogue DHCP server from receiving any discovery messages and will drop malicious DHCP server messages from ether3.<br />
<br />
{{ Note | Currently only CRS3xx devices fully support hardware DHCP Snooping and Option 82. For CRS1xx and CRS2xx series switches it is possible to use DHCP Snooping along with VLAN switching, but then you must make sure that DHCP packets are sent out with the correct VLAN tag using egress ACL rules. Other devices are capable of using DHCP Snooping and Option 82 features along with hardware offloading, but you must make sure that there is no VLAN related configuration applied on the device, otherwise DHCP Snooping and Option 82 might not work properly. See [[ Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features.}}<br />
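The trust rules of this section can be traced on DHCP payloads. The following is an added example, not code from the original manual or from RouterOS: it parses the DHCP options field (message type, and Option 82 with its Agent Circuit ID and Agent Remote ID sub-options) and applies the rules stated above to the SW2 port table. The payloads, the Circuit ID and Remote ID values and all function names are constructed for the illustration, and a server message received on a trusted port is simply modelled as forwarded to all other ports.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie following the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}   # Option 82 sub-options (RFC 3046)

# Constructed port tables (port -> trusted): SW2 as configured above, and the
# same switch with ether1 left untrusted by mistake.
SW2 = {"ether1": True, "ether2": True, "ether3": False}
SW2_ETHER1_UNTRUSTED = {"ether1": False, "ether2": True, "ether3": False}


def tlv(code, value):
    """Encode one code/length/value option."""
    return bytes([code, len(value)]) + value


def build_dhcp(msg_type, circuit_id=None, remote_id=None):
    """Constructed DHCP payload: zeroed BOOTP header, message type, optional Option 82."""
    op = 2 if msg_type in SERVER_TYPES else 1   # BOOTREPLY or BOOTREQUEST
    header = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 232
    options = tlv(OPT_MSG_TYPE, bytes([msg_type]))
    if circuit_id is not None or remote_id is not None:
        pairs = ((1, circuit_id), (2, remote_id))
        options += tlv(OPT_RELAY_AGENT, b"".join(tlv(c, v) for c, v in pairs if v is not None))
    return header + MAGIC + options + b"\xff"


def parse_tlvs(data, pad=None, end=None):
    """Walk code/length/value triples; raise ValueError if one runs past the buffer."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == end:
            break
        if code == pad:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        out[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return out


def parse_dhcp(payload):
    """Return (message type, Option 82 sub-options or None) for a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    options = parse_tlvs(payload[240:], pad=0, end=255)
    raw_type = options.get(OPT_MSG_TYPE)
    msg_type = raw_type[0] if raw_type else 0
    opt82 = None
    if OPT_RELAY_AGENT in options:
        subs = parse_tlvs(options[OPT_RELAY_AGENT])
        opt82 = {SUBOPT_NAMES.get(code, code): value for code, value in subs.items()}
    return msg_type, opt82


def snoop(ports, in_port, payload):
    """Return (verdict, egress ports) for a DHCP payload received on in_port."""
    msg_type, opt82 = parse_dhcp(payload)
    if not ports[in_port]:
        if msg_type in SERVER_TYPES:
            return "drop: server message on untrusted port", []
        if opt82 is not None:
            return "drop: Option 82 on untrusted port", []
    others = [port for port in sorted(ports) if port != in_port]
    if msg_type in CLIENT_TYPES:
        # Client messages leave only through trusted ports, so a server on an
        # untrusted port never receives them.
        return "forward", [port for port in others if ports[port]]
    return "forward", others


if __name__ == "__main__":
    relayed = build_dhcp(1, circuit_id=b"ether1", remote_id=b"SW1")   # constructed values
    print(snoop(SW2, "ether3", build_dhcp(2)))            # rogue OFFER on ether3
    print(snoop(SW2, "ether1", relayed))                  # DISCOVER relayed by SW1
    print(snoop(SW2_ETHER1_UNTRUSTED, "ether1", relayed)) # same, ether1 not trusted
```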
<br />
=Bridge Firewall=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter, /interface bridge nat</code></p><br />
<br /><br />
<p>The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through bridge.</p><br />
<br />
<p>[[Packet Flow | Packet flow diagram]] shows how packets are processed through router. It is possible to force bridge traffic to go through <code>/ip firewall filter</code> rules (see: [[#Bridge Settings | Bridge Settings]])</p><br />
<br />
<p><br />
There are two bridge firewall tables:<br />
<br />
*'''filter''' - bridge firewall with three predefined chains:<br />
**'''input''' - filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)<br />
**'''output''' - filters packets, which come from the bridge (including those packets that have been routed normally)<br />
**'''forward''' - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)<br />
*'''nat''' - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:<br />
**'''srcnat''' - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface<br />
**'''dstnat''' - used for redirecting some packets to other destinations<br />
</p><br />
<br />
<p><br />
You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by <code>'/ip firewall mangle'</code>. In this way, packet marks put by bridge firewall can be used in 'IP firewall', and vice versa.<br />
</p><br />
<br />
<p><br />
General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.<br />
</p><br />
<br />
==Properties==<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-sap<br />
|type=integer<br />
|default=<br />
|desc=DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match a SAP byte.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-type<br />
|type=integer<br />
|default=<br />
|desc=Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=<br />
|desc= Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. Packet is not passed to next firewall rule<br />
* <var>drop</var> - silently drop the packet<br />
* <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter <br />
* <var>log</var> - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as <code>passthrough</code><br />
* <var>mark-packet</var> - place a mark specified by the new-packet-mark parameter on a packet that matches the rule<br />
* <var>passthrough</var> - if packet is matched by the rule, increase counter and go to next rule (useful for statistics)<br />
* <var>return</var> - passes control back to the chain from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP destination IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP destination MAC address<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-gratuitous<br />
|type=yes {{!}} no<br />
|default=<br />
|desc=Matches ARP gratuitous packets.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-hardware-type<br />
|type=integer<br />
|default=1<br />
|desc=ARP hardware type. This is normally Ethernet (Type 1).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-opcode<br />
|type=arp-nak {{!}} drarp-error {{!}} drarp-reply {{!}} drarp-request {{!}} inarp-reply {{!}} inarp-request {{!}} reply {{!}} reply-reverse {{!}} request {{!}} request-reverse<br />
|default=<br />
|desc=ARP opcode (packet type)<br />
* <var>arp-nak</var> - negative ARP reply (rarely used, mostly in ATM networks) <br />
* <var>drarp-error</var> - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated <br />
* <var>drarp-reply</var> - Dynamic RARP reply, with a temporary IP address assignment for a host <br />
* <var>drarp-request</var> - Dynamic RARP request to assign a temporary IP address for the given MAC address <br />
* <var>inarp-reply</var> - InverseARP Reply<br />
* <var>inarp-request</var> - InverseARP Request<br />
* <var>reply</var> - standard ARP reply with a MAC address <br />
* <var>reply-reverse</var> - reverse ARP (RARP) reply with an IP address assigned <br />
* <var>request</var> - standard ARP request to a known IP address to find out unknown MAC address <br />
* <var>request-reverse</var> - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-packet-type<br />
|type=integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=ARP Packet Type.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP source IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=chain<br />
|type=text<br />
|default=<br />
|desc=Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user-defined one).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-address<br />
|type=IP address<br />
|default=<br />
|desc=Destination IP address (only if MAC protocol is set to IP).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Destination port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-bridge<br />
|type=name<br />
|default=<br />
|desc=Bridge interface through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface<br />
|type=name<br />
|default=<br />
|desc=Physical interface (i.e., bridge port) through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>in-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-priority<br />
|type=integer 0..63<br />
|default=<br />
|desc=Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit. [[WMM | read more&#187;]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ip-protocol<br />
|type=dccp {{!}} ddp {{!}} egp {{!}} encap {{!}} etherip {{!}} ggp {{!}} gre {{!}} hmp {{!}} icmp {{!}} icmpv6 {{!}} idpr-cmtp {{!}} igmp {{!}} ipencap {{!}} ipip {{!}} ipsec-ah {{!}} ipsec-esp {{!}} ipv6 {{!}} ipv6-frag {{!}} ipv6-nonxt {{!}} ipv6-opts {{!}} ipv6-route {{!}} iso-tp4 {{!}} l2tp {{!}} ospf {{!}} pim {{!}} pup {{!}} rdp {{!}} rspf {{!}} rsvp {{!}} sctp {{!}} st {{!}} tcp {{!}} udp {{!}} udp-lite {{!}} vmtp {{!}} vrrp {{!}} xns-idp {{!}} xtp<br />
|default=<br />
|desc=IP protocol (only if MAC protocol is set to IPv4)<br />
* <var>dccp</var> - Datagram Congestion Control Protocol<br />
* <var>ddp</var> - Datagram Delivery Protocol<br />
* <var>egp</var> - Exterior Gateway Protocol<br />
* <var>encap</var> - Encapsulation Header<br />
* <var>etherip</var> - Ethernet-within-IP Encapsulation<br />
* <var>ggp</var> - Gateway-to-Gateway Protocol<br />
* <var>gre</var> - Generic Routing Encapsulation<br />
* <var>hmp</var> - Host Monitoring Protocol<br />
* <var>icmp</var> - IPv4 Internet Control Message Protocol<br />
* <var>icmpv6</var> - IPv6 Internet Control Message Protocol<br />
* <var>idpr-cmtp</var> - Inter-Domain Policy Routing Control Message Transport Protocol <br />
* <var>igmp</var> - Internet Group Management Protocol<br />
* <var>ipencap</var> - IP in IP (encapsulation)<br />
* <var>ipip</var> - IP-within-IP Encapsulation Protocol<br />
* <var>ipsec-ah</var> - IPsec Authentication Header<br />
* <var>ipsec-esp</var> - IPsec Encapsulating Security Payload<br />
* <var>ipv6</var> - Internet Protocol version 6<br />
* <var>ipv6-frag</var> - Fragment Header for IPv6<br />
* <var>ipv6-nonxt</var> - No Next Header for IPv6<br />
* <var>ipv6-opts</var> - Destination Options for IPv6<br />
* <var>ipv6-route</var> - Routing Header for IPv6<br />
* <var>iso-tp4</var> - ISO Transport Protocol Class 4<br />
* <var>l2tp</var> - Layer Two Tunneling Protocol<br />
* <var>ospf</var> - Open Shortest Path First<br />
* <var>pim</var> - Protocol Independent Multicast<br />
* <var>pup</var> - PARC Universal Packet<br />
* <var>rdp</var> - Reliable Data Protocol<br />
* <var>rspf</var> - Radio Shortest Path First<br />
* <var>rsvp</var> - Reservation Protocol<br />
* <var>sctp</var> - Stream Control Transmission Protocol<br />
* <var>st</var> - Internet Stream Protocol<br />
* <var>tcp</var> - Transmission Control Protocol<br />
* <var>udp</var> - User Datagram Protocol<br />
* <var>udp-lite</var> - Lightweight User Datagram Protocol<br />
* <var>vmtp</var> - Versatile Message Transaction Protocol<br />
* <var>vrrp</var> - Virtual Router Redundancy Protocol<br />
* <var>xns-idp</var> - Xerox Network Systems Internet Datagram Protocol<br />
* <var>xtp</var> - Xpress Transport Protocol<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=jump-target<br />
|type=name<br />
|default=<br />
|desc=If <code>action=jump</code> specified, then specifies the user-defined firewall chain to process the packet.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit<br />
|type=integer/time,integer<br />
|default=<br />
|desc=Restricts packet match rate to a given limit.<br />
* <var>count</var> - maximum average packet rate, measured in packets per second (pps), unless followed by Time option <br />
* <var>time</var> - specifies the time interval over which the packet rate is measured <br />
* <var>burst</var> - number of packets to match in a burst<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=log-prefix<br />
|type=text<br />
|default=<br />
|desc=Defines the prefix to be printed before the logging information.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-protocol<br />
|type=802.2 {{!}} arp {{!}} homeplug-av {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} lldp {{!}} loop-protect {{!}} mpls-multicast {{!}} mpls-unicast {{!}} packing-compr {{!}} packing-simple {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} service-vlan {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Ethernet payload type (MAC-level protocol). To match protocol type for VLAN encapsulated frames (0x8100 or 0x88a8), a <var>vlan-encap</var> property should be used.<br />
* <var>802.2</var> - 802.2 Frames (0x0004)<br />
* <var>arp</var> - Address Resolution Protocol (0x0806)<br />
* <var>homeplug-av</var> - HomePlug AV MME (0x88E1)<br />
* <var>ip</var> - Internet Protocol version 4 (0x0800)<br />
* <var>ipv6</var> - Internet Protocol Version 6 (0x86DD)<br />
* <var>ipx</var> - Internetwork Packet Exchange (0x8137)<br />
* <var>length</var> - Packets with length field (0x0000-0x05DC)<br />
* <var>lldp</var> - Link Layer Discovery Protocol (0x88CC)<br />
* <var>loop-protect</var> - Loop Protect Protocol (0x9003)<br />
* <var>mpls-multicast</var> - MPLS multicast (0x8848)<br />
* <var>mpls-unicast</var> - MPLS unicast (0x8847)<br />
* <var>packing-compr</var> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001)<br />
* <var>packing-simple</var> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000)<br />
* <var>pppoe</var> - PPPoE Session Stage (0x8864)<br />
* <var>pppoe-discovery</var> - PPPoE Discovery Stage (0x8863)<br />
* <var>rarp</var> - Reverse Address Resolution Protocol (0x8035)<br />
* <var>service-vlan</var> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8) <br />
* <var>vlan</var> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-bridge<br />
|type=name<br />
|default=<br />
|desc=Outgoing bridge interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface<br />
|type=name<br />
|default=<br />
|desc=Interface that the packet is leaving the bridge through.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>out-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-mark<br />
|type=name<br />
|default=<br />
|desc=Match packets with certain packet mark.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-type<br />
|type=broadcast {{!}} host {{!}} multicast {{!}} other-host<br />
|default=<br />
|desc=MAC frame type:<br />
* <var>broadcast</var> - broadcast MAC packet <br />
* <var>host</var> - packet is destined to the bridge itself <br />
* <var>multicast</var> - multicast MAC packet <br />
* <var>other-host</var> - packet is destined to some other unicast address, not to the bridge itself<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-address<br />
|type=IP address<br />
|default=<br />
|desc=Source IP address (only if MAC protocol is set to IPv4).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Source port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-flags<br />
|type=topology-change {{!}} topology-change-ack<br />
|default=<br />
|desc=The BPDU (Bridge Protocol Data Unit) flags. Bridges periodically exchange configuration messages named BPDUs to prevent loops.<br />
* <var>topology-change</var> - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology <br />
* <var>topology-change-ack</var> - topology change acknowledgement flag is sent in replies to the notification packets <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-forward-delay<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Forward delay timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-hello-time<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP hello packets time.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-max-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Maximal STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-msg-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP port identifier.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-address<br />
|type=MAC address<br />
|default=<br />
|desc=Root bridge MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-cost<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge cost.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-address<br />
|type=MAC address<br />
|default=<br />
|desc=STP message sender MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP sender priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-type<br />
|type=config {{!}} tcn<br />
|default=<br />
|desc=The BPDU type:<br />
* <var>config</var> - configuration BPDU <br />
* <var>tcn</var> - topology change notification<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-host<br />
|type=string<br />
|default=<br />
|desc=Matches HTTPS traffic based on the TLS SNI hostname. Accepts [https://en.wikipedia.org/wiki/Glob_(programming) GLOB syntax] for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-encap<br />
|type=802.2 {{!}} arp {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} mpls-multicast {{!}} mpls-unicast {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Matches the MAC protocol type encapsulated in the VLAN frame.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-id<br />
|type=integer 0..4095<br />
|default=<br />
|desc=Matches the VLAN identifier field.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-priority<br />
|type=integer 0..7<br />
|default=<br />
|desc=Matches the VLAN priority (priority code point)<br />
}}<br />
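The <code>tls-host</code> limitation described above, as an added example (not MikroTik code): a per-packet SNI matcher finds the hostname only when the whole ClientHello sits in one TCP segment, so a <code>tls-host</code> rule is best-effort and should be paired with a default policy for unmatched traffic. The ClientHello is constructed sample data, and Python's <code>fnmatch</code> is assumed to approximate the GLOB matching.

```python
import fnmatch
import struct


def build_client_hello(hostname):
    """Constructed, minimal TLS ClientHello record carrying one SNI entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                # server_name_list
    extensions = struct.pack("!HH", 0, len(sni)) + sni         # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)                            # client_version, random (zeros)
            + b"\x00"                                          # empty session_id
            + b"\x00\x02\xc0\x2f"                              # one cipher suite
            + b"\x01\x00"                                      # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(segment):
    """Return the SNI hostname if the complete ClientHello is inside this
    single TCP payload, otherwise None (no reassembly is attempted)."""
    try:
        if len(segment) < 5 or segment[0] != 0x16:             # not a TLS handshake record
            return None
        record_len = struct.unpack("!H", segment[3:5])[0]
        record = segment[5:5 + record_len]
        if len(record) < record_len or record[0] != 0x01:      # truncated, or not ClientHello
            return None
        hello_len = int.from_bytes(record[1:4], "big")
        body = record[4:4 + hello_len]
        if len(body) < hello_len:
            return None
        pos = 2 + 32                                           # skip version and random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:
                # list length (2), name type (1), name length (2), name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def tls_host_matches(segment, pattern):
    """True only if a hostname could be read from this segment and it matches the glob."""
    host = extract_sni(segment)
    return host is not None and fnmatch.fnmatchcase(host.lower(), pattern.lower())


if __name__ == "__main__":
    hello = build_client_hello("login.example.com")
    print("single segment :", tls_host_matches(hello, "*.example.com"))
    # The same handshake delivered as two TCP segments: neither one matches alone.
    first, second = hello[:40], hello[40:]
    print("first fragment :", tls_host_matches(first, "*.example.com"))
    print("second fragment:", tls_host_matches(second, "*.example.com"))
```
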
<br />
<br />
<h3>Notes</h3><br />
<br />
*STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also <code>stp</code> should be enabled.<br />
<br />
*ARP matchers are only valid if <var>mac-protocol</var> is <code>arp</code> or <code>rarp</code><br />
<br />
*VLAN matchers are only valid for <code>0x8100</code> or <code>0x88a8</code> ethernet protocols<br />
<br />
*IP or IPv6 related matchers are only valid if <var>mac-protocol</var> is either set to <code>ip</code> or <code>ipv6</code><br />
<br />
*802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards ('''note''': it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.<br />
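A rule that combines matchers outside the conditions in these notes can silently fail to match, which matters most for <code>drop</code> rules. The following added example (not part of the original manual) lints exported bridge filter rules against the STP, ARP, VLAN and IP notes. The sample rules are constructed, and the IP matcher names <code>dst-address</code>, <code>dst-port</code> and <code>ip-protocol</code> and the <code>dst-mac-address</code> property are assumed from the rest of the bridge filter manual.

```python
import shlex

# EtherType names and values as listed for mac-protocol in this manual.
ETHERTYPES = {"ip": 0x0800, "ipv6": 0x86DD, "arp": 0x0806, "rarp": 0x8035,
              "vlan": 0x8100, "service-vlan": 0x88A8}
BRIDGE_GROUP = "01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF"
# Assumption: IP-related matcher names used by bridge filter rules.
IP_MATCHERS = {"src-address", "dst-address", "src-port", "dst-port", "ip-protocol"}

# Constructed sample export; lines 2, 3 and 4 violate one note each.
SAMPLE_RULES = """\
add chain=forward action=drop mac-protocol=ip src-address=192.0.2.10
add chain=forward action=drop src-address=192.0.2.10
add chain=forward action=drop mac-protocol=ip vlan-id=20
add chain=input action=log stp-type=config log-prefix="bpdu"
add chain=forward action=drop mac-protocol=0x0806 arp-opcode=request
"""


def parse_rule(line):
    """Turn 'add key=value key="quoted value" ...' into a dict of properties."""
    props = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            props[key] = value
    return props


def ethertype(value):
    """Resolve a mac-protocol value (name, decimal or hex) to a number, or None."""
    if not value or value.startswith("!"):
        return None  # unset or negated: the rule does not pin a single protocol
    if value.lower() in ETHERTYPES:
        return ETHERTYPES[value.lower()]
    try:
        return int(value, 0)
    except ValueError:
        return None


def lint_rule(props):
    """Return one finding per note that the rule's matchers do not satisfy."""
    findings = []
    proto = ethertype(props.get("mac-protocol", ""))

    def used(prefix):
        return sorted(k for k in props if k.startswith(prefix))

    if used("stp-") and props.get("dst-mac-address", "").upper() != BRIDGE_GROUP:
        findings.append("STP: %s need dst-mac-address=%s (and stp enabled on the bridge)"
                        % (", ".join(used("stp-")), BRIDGE_GROUP))
    if used("arp-") and proto not in (0x0806, 0x8035):
        findings.append("ARP: %s need mac-protocol=arp or rarp" % ", ".join(used("arp-")))
    if used("vlan-") and proto not in (0x8100, 0x88A8):
        findings.append("VLAN: %s need mac-protocol 0x8100 or 0x88a8"
                        % ", ".join(used("vlan-")))
    ip_used = sorted(IP_MATCHERS.intersection(props))
    if ip_used and proto not in (0x0800, 0x86DD):
        findings.append("IP: %s need mac-protocol=ip or ipv6" % ", ".join(ip_used))
    return findings


def lint_config(text):
    """Map 1-based line numbers of 'add' rules to their findings (clean rules omitted)."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("add "):
            findings = lint_rule(parse_rule(line))
            if findings:
                report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in lint_config(SAMPLE_RULES).items():
        for finding in findings:
            print("rule on line %d: %s" % (number, finding))
```
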
<br />
==Bridge Packet Filter==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter</code></p><br />
<br /><br />
<p>This section describes the filtering options that are specific to <code>'/interface bridge filter'</code>.</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - add a message to the system log containing the following data: in-interface, out-interface, src-mac, dst-mac, eth-proto, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched, it is passed to the next rule in the list, similar to passthrough<br />
* <var>mark-packet</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
==Bridge NAT==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge nat</code></p><br />
<br /><br />
<p>This section describes the bridge NAT options that are specific to <code>'/interface bridge nat'</code>.</p><br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} mark-packet {{!}} redirect {{!}} set-priority {{!}} arp-reply {{!}} dst-nat {{!}} log {{!}} passthrough {{!}} return {{!}} src-nat<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule:<br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>arp-reply</var> - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain) <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>dst-nat</var> - change destination MAC address of a packet (only valid in dstnat chain) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - log the packet <br />
* <var>mark-packet</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>redirect</var> - redirect the packet to the bridge itself (only valid in dstnat chain) <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
* <var>src-nat</var> - change source MAC address of a packet (only valid in srcnat chain) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-arp-reply-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frame and ARP payload, when <code>action=arp-reply</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address to put in Ethernet frames, when <code>action=dst-nat</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=to-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frames, when <code>action=src-nat</code> is selected<br />
}}<br />
<br />
=See also=<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | Switch chip features]]<br />
* [[M:Maximum_Transmission_Unit_on_RouterBoards | MTU on RouterBOARD]]<br />
* [[Manual:Layer2_misconfiguration | Layer2 misconfiguration]]<br />
* [[Manual:Bridge_VLAN_Table | Bridge VLAN Table]]<br />
* [[Manual:Wireless VLAN Trunk | Wireless VLAN Trunk]]<br />
* [[Manual:VLANs_on_Wireless | VLANs on Wireless]]<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|B]]<br />
[[Category:Interface|B]]<br />
[[Category:Bridging and switching]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interworking_Profiles&diff=34534Manual:Interworking Profiles2022-03-16T09:51:50Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Interworking+Profiles}}<br />
<br />
{{Versions|v6}}<br />
=Summary=<br />
===Interworking===<br />
Interworking is the occurrence of two or more things working together. For a better Wireless network experience, information about the network must be exchanged between Access Points and Wireless client devices, but the information that can be found in basic Wireless beacons and probe requests is limited. For this reason, the IEEE 802.11u™-2011 (Interworking with External Networks) standard was created; it specifies how devices should exchange information with each other. The network discovery and Access Point selection process can be enhanced with the interworking service: Wireless client devices get more criteria by which to choose the network to associate with.<br />
<br />
===Hotspot 2.0===<br />
Hotspot 2.0 is a specification developed and owned by the Wi-Fi Alliance. It was designed to enable a more cellular-like experience when connecting to Wi-Fi networks. To increase Wireless network security, Hotspot 2.0 access points use mandatory WPA2 authentication. Hotspot 2.0 relies on Interworking and adds some properties and procedures of its own.<br />
<br />
<br />
Interworking profiles are implemented according to IEEE 802.11u and Hotspot 2.0 Release 1 specifications.<br />
<br />
=Configuration Properties=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless interworking-profiles</code></p><br />
===Information elements in beacon and probe response===<br />
<br />
Some information can be added to beacon and probe response packets with an Interworking element. The following parameters of an Interworking element can be configured:<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=asra<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Additional Steps Required for Access. Set to <code>yes</code>, if a user should take additional steps to access the internet, like the walled garden.<br />
}}<br />
{{Mr-arg-table<br />
|arg=esr<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Emergency services reachable (ESR). Set to <code>yes</code> in order to indicate that emergency services are reachable through the access point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hessid<br />
|type=MAC address<br />
|default=<br />
|desc=Homogeneous extended service set identifier (HESSID). Devices that provide access to the same external networks are in one homogeneous extended service set. This service set can be identified by a HESSID that is the same on all access points in the set. The 6-byte value of the HESSID is represented as a MAC address. It should be globally unique, therefore it is advised to use one of the MAC addresses of the access points in the service set.<br />
}}<br />
{{Mr-arg-table<br />
|arg=internet<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether the internet is available through this connection or not. This information is included in the Interworking element.<br />
}}<br />
{{Mr-arg-table<br />
|arg=network-type<br />
|type=emergency-only {{!}} personal-device {{!}} private {{!}} private-with-guest {{!}} public-chargeable {{!}} public-free {{!}} test {{!}} wildcard<br />
|default=wildcard<br />
|desc=Information about network access type.<br />
* <code>emergency-only</code> - a network dedicated and limited to accessing emergency services;<br />
* <code>personal-device</code> - a network of personal devices. An example of this type of network is a camera that is attached to a printer, thereby forming a network for the purpose of printing pictures;<br />
* <code>private</code> - network for users with user accounts. Usually used in enterprises for employees, not guests;<br />
* <code>private-with-guest</code> - same as private, but guest accounts are available;<br />
* <code>public-chargeable</code> - a network that is available to anyone willing to pay. For example, a subscription to Hotspot 2.0 service or in-room internet access in a hotel;<br />
* <code>public-free</code> - network is available to anyone without any fee. For example, municipal network in city or airport Hotspot;<br />
* <code>test</code> - network used for testing and experimental uses. Not used in production;<br />
* <code>wildcard</code> - is used on Wireless clients. Sending probe request with a wildcard as network type value will make all Interworking Access Points respond despite their actual network-type setting.<br />
A client sends a probe request frame with network-type set to value it is interested in. It will receive replies only from access points with the same value (except the case of wildcard).<br />
}}<br />
{{Mr-arg-table<br />
|arg=uesa<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Unauthenticated emergency service accessible (UESA).<br />
* <code>no</code> - indicates that no unauthenticated emergency services are reachable through this Access Point;<br />
* <code>yes</code> - indicates that higher layer unauthenticated emergency services are reachable through this Access Point. <br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue<br />
|type=venue<br />
|default=unspecified<br />
|desc=Specify the venue in which the Access Point is located. Choose the value from available ones. Some examples:<br />
<pre><br />
venue=business-bank<br />
venue=mercantile-shopping-mall<br />
venue=educational-university-or-college<br />
</pre><br />
}}<br />
<br />
===ANQP elements===<br />
<br />
Access network query protocol (ANQP). Not all necessary information is included in probe response and beacon frames. ANQP is used so that a client device can get more information before choosing an access point to associate with. The Access Point can store information in multiple ANQP elements. The client device uses ANQP to query only for the information it is interested in. This reduces the time needed before association.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp-raw<br />
|type=octet string in hex<br />
|default=<br />
|desc=Cellular network advertisement information - country and network codes. This helps Hotspot 2.0 clients in the selection of an Access Point to access a 3GPP network. Please see 3GPP TS 24.302 (Annex H) for the format of this field. This value is sent in the ANQP response if queried.<br />
}}<br />
{{Mr-arg-table<br />
|arg=3gpp-info<br />
|type=number/number<br />
|default=<br />
|desc=Cellular network advertisement information - country and network codes. This helps Hotspot 2.0 clients in the selection of an Access Point to access a 3GPP network. Written as "mcc/mnc". Usage is identical to "3gpp-raw", but without using hex. Multiple mcc/mnc pairs can be defined by separating them with a comma.<br />
}}<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=dns-redirection:<code>url</code> {{!}} https-redirection:<code>url</code> {{!}} online-enrollment:<code>url</code> {{!}} terms-and-conditions:<code>url</code><br />
|default=<br />
|desc=This property is only effective when <var>asra</var> is set to <code>yes</code>. Value of <code>url</code> is optional and not needed if <code>dns-redirection</code> or <code>online-enrollment</code> is selected. To set the value of <code>url</code> to empty string use double quotes. For example:<br />
<pre>authentication-types=online-enrollment:""</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=connection-capabilities<br />
|type=number:number:closed{{!}}open{{!}}unknown<br />
|default=<br />
|desc=This option provides information about the allowed IP protocols and ports. This information can be provided in the ANQP response. The first number represents the IP protocol number, the second number represents a port number.<br />
* <code>closed</code> - set if protocol and port combination is not allowed;<br />
* <code>open</code> - set if protocol and port combination is allowed;<br />
* <code>unknown</code> - set if protocol and port combination is either open or closed.<br />
Example:<br />
<pre>connection-capabilities=6:80:open,17:5060:closed</pre><br />
Setting such a value on an Access Point informs the Wireless client, which is connecting to the Access Point, that HTTP (6 - TCP, 80 - HTTP) is allowed and VoIP (17 - UDP; 5060 - VoIP) is not allowed.<br />
This property does not restrict or allow usage of these protocols and ports; it only gives information to the station device that is connecting to the Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=domain-names<br />
|type=list of strings<br />
|default=<br />
|desc=Zero or more fully qualified domain names (FQDN) that indicate the entity operating the Hotspot. A station that is connecting to the Access Point can request this ANQP property and check if there is a suffix match with any of the domain names it has credentials to.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv4-availability<br />
|type=double-nated {{!}} not-available {{!}} port-restricted {{!}} port-restricted-double-nated {{!}} port-restricted-single-nated {{!}} public {{!}} single-nated {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv4 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>public</code> - public IPv4 address available;<br />
* <code>port-restricted</code> - port-restricted IPv4 address available;<br />
* <code>single-nated</code> - single NATed private IPv4 address available;<br />
* <code>double-nated</code> - double NATed private IPv4 address available;<br />
* <code>port-restricted-single-nated</code> - port-restricted IPv4 address and single NATed IPv4 address available;<br />
* <code>port-restricted-double-nated</code> - port-restricted IPv4 address and double NATed IPv4 address available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv6-availability<br />
|type=available {{!}} not-available {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv6 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>available</code> - address type available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=realms<br />
|type=string:eap-sim{{!}}eap-tls{{!}}not-specified<br />
|default=<br />
|desc=Information about supported realms and the corresponding EAP method.<br />
<pre><br />
realms=example.com:eap-tls,foo.ba:not-specified<br />
</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=realms-raw<br />
|type=octet string in hex<br />
|default=<br />
|desc=Set NAI Realm ANQP-element manually.<br />
}}<br />
{{Mr-arg-table<br />
|arg=roaming-ois<br />
|type=octet string in hex<br />
|default=<br />
|desc=Organization identifiers (OI) are usually 24-bit unique identifiers like an organizationally unique identifier (OUI) or company identifier (CID). In some cases, the OI is longer, for example OUI-36.<br />
A subscription service provider (SSP) can be specified by its OI.<br />
The <var>roaming-ois</var> property can contain zero or more SSP OIs whose networks are accessible via this AP. <br />
Length of OI should be specified before OI itself. For example, to set E4-8D-8C and 6C-3B-6B:<br />
<pre><br />
roaming-ois=E48D8C,6C3B6B<br />
</pre><br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue-names<br />
|type=string:lang<br />
|default=<br />
|desc=The venue name can be used to provide additional info on the venue. It can help the client to choose a proper Access Point.<br />
The venue-names parameter consists of zero or more tuples, each containing a Venue Name and a Language Code:<br />
<pre><br />
venue-names=CoffeeShop:eng,TiendaDeCafe:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
<br />
===Hotspot 2.0 ANQP elements===<br />
<br />
The Hotspot 2.0 specification introduced some additional ANQP elements. These elements use an ANQP vendor-specific element ID. The following properties are available to change these elements.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hotspot20<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Indicate Hotspot 2.0 capability of the Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hotspot20-dgaf<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Downstream Group-Addressed Forwarding (DGAF). Sets value of DGAF bit to indicate whether multicast and broadcast frames to clients are disabled or enabled.<br />
* <code>yes</code> - multicast and broadcast frames to clients are enabled;<br />
* <code>no</code> - multicast and broadcast frames to clients are disabled.<br />
To disable multicast and broadcast frames set <code>multicast-helper=full</code>.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operational-classes<br />
|type=list of numbers<br />
|default=<br />
|desc=Information about other available bands of the same ESS.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operator-names<br />
|type=string:lang<br />
|default=<br />
|desc=Set operator name. Language must be specified for each operator name entry.<br />
The operator-names parameter consists of zero or more tuples, each containing an Operator Name and a Language Code:<br />
<pre><br />
operator-names=BestOperator:eng,MejorOperador:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-at-capacity<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the Access Point or the network is at its max capacity. If set to <code>yes</code> no additional mobile devices will be permitted to associate to the AP.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink<br />
|type=number<br />
|default=0<br />
|desc=The downlink speed of the WAN connection set in kbps. If the downlink speed is not known, set to 0.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink-load<br />
|type=number<br />
|default=0<br />
|desc=The downlink load of the WAN connection measured over <code>wan-measurement-duration</code>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-measurement-duration<br />
|type=number<br />
|default=0<br />
|desc=Duration during which <var>wan-downlink-load</var> and <code>wan-uplink-load</code> are measured. Value is a numeric value from 0 to 65535 representing tenths of seconds.<br />
* <code>0</code> - not measured;<br />
* <code>10</code> - 1 second;<br />
* <code>65535</code> - 1 hour 49 minutes or more.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-status<br />
|type=down {{!}} reserved {{!}} test {{!}} up<br />
|default=reserved<br />
|desc=Information about the status of the Access Point's WAN connection. The value <code>reserved</code> is not used.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-symmetric<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the WAN link is symmetric (upload and download speeds are the same) or not.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-uplink<br />
|type=number<br />
|default=0<br />
|desc=The uplink speed of the WAN connection set in kbps. If the uplink speed is not known, set to 0.<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=wan-uplink-load<br />
|type=number<br />
|default=0<br />
|desc=The uplink load of the WAN connection measured over <var>wan-measurement-duration</var>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
<br />
===Other Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the profile<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of the Interworking profile.<br />
}}<br />
<br />
=See also=<br />
<br />
<br />
* [[Manual:Interface/Wireless | Wireless manual]]<br />
<br />
[[Category:Manual]]<br />
[[Category:Wireless]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interworking_Profiles&diff=34533Manual:Interworking Profiles2022-03-16T09:46:32Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Interworking+Profiles}}<br />
<br />
{{Versions|v6}}<br />
=Summary=<br />
===Interworking===<br />
Interworking is the occurrence of two or more things working together. For a better Wireless network experience, information about the network must be exchanged between Access Points and Wireless client devices, but the information that can be found in basic Wireless beacons and probe requests is limited. For this reason, the IEEE 802.11u™-2011 (Interworking with External Networks) standard was created; it specifies how devices should exchange information with each other. The network discovery and Access Point selection process can be enhanced with the interworking service: Wireless client devices get more criteria by which to choose the network to associate with.<br />
<br />
===Hotspot 2.0===<br />
Hotspot 2.0 is a specification developed and owned by the Wi-Fi Alliance. It was designed to enable a more cellular-like experience when connecting to Wi-Fi networks. To increase Wireless network security, Hotspot 2.0 access points use mandatory WPA2 authentication. Hotspot 2.0 relies on Interworking and adds some properties and procedures of its own.<br />
<br />
<br />
Interworking profiles are implemented according to IEEE 802.11u and Hotspot 2.0 Release 1 specifications.<br />
<br />
=Configuration Properties=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless interworking-profiles</code></p><br />
===Information elements in beacon and probe response===<br />
<br />
Some information can be added to beacon and probe response packets with an Interworking element. The following parameters of an Interworking element can be configured:<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=asra<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Additional Steps Required for Access. Set to <code>yes</code> if a user must take additional steps to access the internet, such as passing a walled garden.<br />
}}<br />
{{Mr-arg-table<br />
|arg=esr<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Emergency services reachable (ESR). Set to <code>yes</code> in order to indicate that emergency services are reachable through the access point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hessid<br />
|type=MAC address<br />
|default=<br />
|desc=Homogenous extended service set identifier (HESSID). Devices that provide access to the same external networks are in one homogenous extended service set. This service set is identified by a HESSID that is the same on all access points in the set. The 6-byte HESSID value is represented as a MAC address. It should be globally unique, therefore it is advised to use one of the MAC addresses of an access point in the service set.<br />
}}<br />
{{Mr-arg-table<br />
|arg=internet<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether the internet is available through this connection or not. This information is included in the Interworking element.<br />
}}<br />
{{Mr-arg-table<br />
|arg=network-type<br />
|type=emergency-only {{!}} personal-device {{!}} private {{!}} private-with-guest {{!}} public-chargeable {{!}} public-free {{!}} test {{!}} wildcard<br />
|default=wildcard<br />
|desc=Information about network access type.<br />
* <code>emergency-only</code> - a network dedicated and limited to accessing emergency services;<br />
* <code>personal-device</code> - a network of personal devices. An example of this type of network is a camera that is attached to a printer, thereby forming a network for the purpose of printing pictures;<br />
* <code>private</code> - network for users with user accounts. Usually used in enterprises for employees, not guests;<br />
* <code>private-with-guest</code> - same as private, but guest accounts are available;<br />
* <code>public-chargeable</code> - a network that is available to anyone willing to pay. For example, a subscription to Hotspot 2.0 service or in-room internet access in a hotel;<br />
* <code>public-free</code> - network is available to anyone without any fee. For example, municipal network in city or airport Hotspot;<br />
* <code>test</code> - network used for testing and experimental uses. Not used in production;<br />
* <code>wildcard</code> - is used on Wireless clients. Sending probe request with a wildcard as network type value will make all Interworking Access Points respond despite their actual network-type setting.<br />
A client sends a probe request frame with network-type set to value it is interested in. It will receive replies only from access points with the same value (except the case of wildcard).<br />
}}<br />
{{Mr-arg-table<br />
|arg=uesa<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Unauthenticated emergency service accessible (UESA).<br />
* <code>no</code> - indicates that no unauthenticated emergency services are reachable through this Access Point;<br />
* <code>yes</code> - indicates that higher layer unauthenticated emergency services are reachable through this Access Point. <br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue<br />
|type=venue<br />
|default=unspecified<br />
|desc=Specify the venue in which the Access Point is located. Choose the value from available ones. Some examples:<br />
<pre><br />
venue=business-bank<br />
venue=mercantile-shopping-mall<br />
venue=educational-university-or-college<br />
</pre><br />
}}<br />
<br />
===ANQP elements===<br />
<br />
Access network query protocol (ANQP). Not all necessary information is included in probe response and beacon frames. A client device uses ANQP to get more information before choosing an access point to associate with. The Access Point can store information in multiple ANQP elements, and the client device uses ANQP to query only for the information it is interested in. This reduces the time needed before association.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp-raw<br />
|type=octet string in hex<br />
|default=<br />
|desc=Cellular network advertisement information - country and network codes. This helps Hotspot 2.0 clients in the selection of an Access Point to access 3GPP network. See 3GPP TS 24.302 (Annex H) for the format of this field. This value is sent in the ANQP response if queried.<br />
}}<br />
{{Mr-arg-table<br />
|arg=3gpp-info<br />
|type=number/number<br />
|default=<br />
|desc=Cellular network advertisement information - country and network codes. This helps Hotspot 2.0 clients in the selection of an Access Point to access 3GPP network. Written as "mcc/mnc".<br />
}}<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=dns-redirection:<code>url</code> {{!}} https-redirection:<code>url</code> {{!}} online-enrollment:<code>url</code> {{!}} terms-and-conditions:<code>url</code><br />
|default=<br />
|desc=This property is only effective when <var>asra</var> is set to <code>yes</code>. Value of <code>url</code> is optional and not needed if <code>dns-redirection</code> or <code>online-enrollment</code> is selected. To set the value of <code>url</code> to empty string use double quotes. For example:<br />
<pre>authentication-types=online-enrollment:""</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=connection-capabilities<br />
|type=number:number:closed{{!}}open{{!}}unknown<br />
|default=<br />
|desc=This option provides information about the allowed IP protocols and ports. This information can be provided in the ANQP response. The first number represents the IP protocol number, the second number represents a port number.<br />
* <code>closed</code> - set if protocol and port combination is not allowed;<br />
* <code>open</code> - set if protocol and port combination is allowed;<br />
* <code>unknown</code> - set if protocol and port combination is either open or closed.<br />
Example:<br />
<pre>connection-capabilities=6:80:open,17:5060:closed</pre><br />
Setting such a value on an Access Point informs the Wireless client, which is connecting to the Access Point, that HTTP (6 - TCP, 80 - HTTP) is allowed and VoIP (17 - UDP; 5060 - VoIP) is not allowed.<br />
This property does not restrict or allow usage of these protocols and ports; it only gives information to the station device that is connecting to the Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=domain-names<br />
|type=list of strings<br />
|default=<br />
|desc=Zero or more fully qualified domain names (FQDN) that indicate the entity operating the Hotspot. A station that is connecting to the Access Point can request this ANQP property and check if there is a suffix match with any of the domain names it has credentials to.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv4-availability<br />
|type=double-nated {{!}} not-available {{!}} port-restricted {{!}} port-restricted-double-nated {{!}} port-restricted-single-nated {{!}} public {{!}} single-nated {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv4 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>public</code> - public IPv4 address available;<br />
* <code>port-restricted</code> - port-restricted IPv4 address available;<br />
* <code>single-nated</code> - single NATed private IPv4 address available;<br />
* <code>double-nated</code> - double NATed private IPv4 address available;<br />
* <code>port-restricted-single-nated</code> -port-restricted IPv4 address and single NATed IPv4 address available;<br />
* <code>port-restricted-double-nated</code> - port-restricted IPv4 address and double NATed IPv4 address available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv6-availability<br />
|type=available {{!}} not-available {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv6 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>available</code> - address type available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=realms<br />
|type=string:eap-sim{{!}}eap-tls{{!}}not-specified<br />
|default=<br />
|desc=Information about supported realms and the corresponding EAP method.<br />
<pre><br />
realms=example.com:eap-tls,foo.ba:not-specified<br />
</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=realms-raw<br />
|type=octet string in hex<br />
|default=<br />
|desc=Set NAI Realm ANQP-element manually.<br />
}}<br />
{{Mr-arg-table<br />
|arg=roaming-ois<br />
|type=octet string in hex<br />
|default=<br />
|desc=Organization identifiers (OI) are usually 24-bit unique identifiers such as an organizationally unique identifier (OUI) or company identifier (CID). In some cases the OI is longer, for example OUI-36.<br />
A subscription service provider (SSP) can be specified by its OI.<br />
The <var>roaming-ois</var> property can contain zero or more SSP OIs whose networks are accessible via this AP. <br />
Length of OI should be specified before OI itself. For example, to set E4-8D-8C and 6C-3B-6B:<br />
<pre><br />
roaming-ois=E48D8C,6C3B6B<br />
</pre><br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue-names<br />
|type=string:lang<br />
|default=<br />
|desc=Venue name can be used to provide additional info on the venue. It can help the client to choose a proper Access Point.<br />
The venue-names parameter consists of zero or more duples that each contain a Venue Name and a Language Code:<br />
<pre><br />
venue-names=CoffeeShop:eng,TiendaDeCafe:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
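The value formats described in the table above can be checked offline before a profile is deployed. The following is an added example, not part of the original manual or of RouterOS: all function names are hypothetical, the sample values are constructed from the examples on this page, and RouterOS's own validation may differ. <code>label_suffix_match</code> shows a suffix comparison done on DNS label boundaries, so that a name such as <code>evilexample.com</code> does not match <code>example.com</code>; which side is the suffix is left to the caller.<br />

```python
"""Offline checker for interworking-profile ANQP values (added example)."""
import re

STATES = {"closed", "open", "unknown"}                 # connection-capabilities
EAP_METHODS = {"eap-sim", "eap-tls", "not-specified"}  # realms
LANG_RE = re.compile(r"[a-z]{2,3}")          # assumption: lower-case ISO-639 code
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")  # hex string made of whole octets


def _items(value):
    """Split a comma-separated property value, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _bounded_int(text, upper, item, what):
    """Parse an ASCII decimal in 0..upper or raise ValueError."""
    if not re.fullmatch(r"[0-9]{1,5}", text) or int(text) > upper:
        raise ValueError(f"{item!r}: {what} must be 0..{upper}")
    return int(text)


def parse_connection_capabilities(value):
    """Return [(ip_protocol, port, state), ...] for 'number:number:state' items."""
    result = []
    for item in _items(value):
        parts = item.split(":")
        if len(parts) != 3:
            raise ValueError(f"{item!r}: expected protocol:port:state")
        proto = _bounded_int(parts[0], 255, item, "IP protocol")
        port = _bounded_int(parts[1], 65535, item, "port")
        if parts[2] not in STATES:
            raise ValueError(f"{item!r}: state must be one of {sorted(STATES)}")
        result.append((proto, port, parts[2]))
    return result


def _parse_pairs(value, second_ok, what):
    """Parse 'first:second' items, splitting on the last ':'."""
    pairs = []
    for item in _items(value):
        first, sep, second = item.rpartition(":")
        if not sep or not first or not second_ok(second):
            raise ValueError(f"{item!r}: expected {what}")
        pairs.append((first, second))
    return pairs


def parse_realms(value):
    """Return [(realm, eap_method), ...]."""
    return _parse_pairs(value, lambda m: m in EAP_METHODS, "realm:eap-method")


def parse_venue_names(value):
    """Return [(venue_name, language_code), ...]."""
    return _parse_pairs(value, lambda c: bool(LANG_RE.fullmatch(c)), "name:lang")


def parse_roaming_ois(value):
    """Return each OI as bytes; reject odd-length or non-hex strings."""
    ois = []
    for item in _items(value):
        if not HEX_RE.fullmatch(item):
            raise ValueError(f"{item!r}: OI must be hex with whole octets")
        ois.append(bytes.fromhex(item))
    return ois


def label_suffix_match(fqdn, suffix):
    """True if suffix equals fqdn or is a parent domain of it (label-wise)."""
    a = fqdn.lower().rstrip(".").split(".")
    b = suffix.lower().rstrip(".").split(".")
    return all(b) and len(b) <= len(a) and a[-len(b):] == b


PARSERS = {
    "connection-capabilities": parse_connection_capabilities,
    "realms": parse_realms,
    "roaming-ois": parse_roaming_ois,
    "venue-names": parse_venue_names,
}


def validate_profile(profile):
    """Return a list of problems found in a dict of property -> value."""
    problems = []
    for prop, parser in PARSERS.items():
        if prop in profile:
            try:
                parser(profile[prop])
            except ValueError as exc:
                problems.append(f"{prop}: {exc}")
    # Per the table above, authentication-types is only effective with asra=yes.
    if profile.get("authentication-types") and profile.get("asra", "no") != "yes":
        problems.append("authentication-types: ignored unless asra=yes")
    return problems


if __name__ == "__main__":
    sample = {  # constructed profile using the example values from this page
        "connection-capabilities": "6:80:open,17:5060:closed",
        "realms": "example.com:eap-tls,foo.ba:not-specified",
        "roaming-ois": "E48D8C,6C3B6B",
        "venue-names": "CoffeeShop:eng,TiendaDeCafe:es",
    }
    print(validate_profile(sample) or "no problems found")
```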
<br />
===Hotspot 2.0 ANQP elements===<br />
<br />
The Hotspot 2.0 specification introduced some additional ANQP elements. These elements use an ANQP vendor specific element ID. The following properties configure these elements.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hotspot20<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Indicate Hotspot 2.0 capability of the Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hotspot20-dgaf<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Downstream Group-Addressed Forwarding (DGAF). Sets value of DGAF bit to indicate whether multicast and broadcast frames to clients are disabled or enabled.<br />
* <code>yes</code> - multicast and broadcast frames to clients are enabled;<br />
* <code>no</code> - multicast and broadcast frames to clients are disabled.<br />
To disable multicast and broadcast frames set <code>multicast-helper=full</code>.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operational-classes<br />
|type=list of numbers<br />
|default=<br />
|desc=Information about other available bands of the same ESS.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operator-names<br />
|type=string:lang<br />
|default=<br />
|desc=Set operator name. Language must be specified for each operator name entry.<br />
The operator-names parameter consists of zero or more duples that each contain an Operator Name and a Language Code:<br />
<pre><br />
operator-names=BestOperator:eng,MejorOperador:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-at-capacity<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the Access Point or the network is at its max capacity. If set to <code>yes</code> no additional mobile devices will be permitted to associate to the AP.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink<br />
|type=number<br />
|default=0<br />
|desc=The downlink speed of the WAN connection set in kbps. If the downlink speed is not known, set to 0.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink-load<br />
|type=number<br />
|default=0<br />
|desc=The downlink load of the WAN connection measured over <code>wan-measurement-duration</code>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-measurement-duration<br />
|type=number<br />
|default=0<br />
|desc=Duration during which <var>wan-downlink-load</var> and <code>wan-uplink-load</code> are measured. Value is a numeric value from 0 to 65535 representing tenths of seconds.<br />
* <code>0</code> - not measured;<br />
* <code>10</code> - 1 second;<br />
* <code>65535</code> - 1 hour 49 minutes or more.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-status<br />
|type=down {{!}} reserved {{!}} test {{!}} up<br />
|default=reserved<br />
|desc=Information about the status of the Access Point's WAN connection. The value <code>reserved</code> is not used.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-symmetric<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the WAN link is symmetric (upload and download speeds are the same) or not.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-uplink<br />
|type=number<br />
|default=0<br />
|desc=The uplink speed of the WAN connection set in kbps. If the uplink speed is not known, set to 0.<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=wan-uplink-load<br />
|type=number<br />
|default=0<br />
|desc=The uplink load of the WAN connection measured over <var>wan-measurement-duration</var>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
<br />
===Other Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the profile<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of the Interworking profile.<br />
}}<br />
<br />
=See also=<br />
<br />
<br />
* [[Manual:Interface/Wireless | Wireless manual]]<br />
<br />
[[Category:Manual]]<br />
[[Category:Wireless]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34532Manual:Interface/Wireless2022-03-11T12:10:30Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Wireless+Interface}}<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is the time an ARP record is kept in the ARP table after no packets are received from the IP. The value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows the use of station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Extension channel settings (e.g. Ce, eC) enable additional 20MHz extension channels and specify whether they are located below or above the control (main) channel. An extension channel allows 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency, based on the number of concurrent devices running on every frequency, and choose the “C” (control channel) frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running: an AP must have one or more clients registered to it, and a station must be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmits on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory_domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Specifies an offset for when the wireless card operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies the maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establish WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the high priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on AP.<br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) type also supports range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports a step feature where it is possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate the scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels, or specifically to skip DFS CAC channels in the 5600-5650MHz range, where detection could take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signal strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2 nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2 nstreme 802.11'' - on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]]. Only applies to bands B and G. Other bands will have it enabled regardless of this setting.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
802.11 standard provides means to protect transmission against other device transmission by using RTS/CTS protocol. Frame protection helps to fight "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - device willing to send frame at first sends RequestToSend frame and waits for ClearToSend frame from intended destination. By "seeing" RTS or CTS frame 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves<br />
* "CTS to self" based protection - device willing to send frame sends CTS frame "to itself". As in RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive CTS sent by other station - in this case stations must use RTS/CTS so that other station knows not to transmit by seeing CTS transmitted by AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distance with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission (which is equal to ''round trip time'' - the time in which the frame can be sent and received from the client). It is used to ensure that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the period is unused.<br />
<br />
For example, the distance between Access Point and client is 30km. Frame is sent in 100us one direction, respectively round-trip-time is ~200us. '''tdma-period-size''' default value is 2ms, it means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of time is unused. For 60km wireless link, round-trip-time is 400ms, unused time is 20% for default tdma-period-size 2ms, and 10% for 4ms. Bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
The default behaviour of the access list is to allow connection.<br />
<br />
Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.<br />
<br />
There are the following parameters for access list rules:<br />
* client matching parameters:<br />
** address - MAC address of client<br />
** interface - optional interface to compare with the interface to which the client actually connects<br />
** time - time of day and days when rule matches<br />
** signal-range - range in which client signal must fit for rule to match<br />
** allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval<br />
* connection parameters:<br />
** ap-tx-limit - tx speed limit in direction to client<br />
** client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)<br />
** private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used<br />
** vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).<br />
** vlan-id - VLAN ID to use if doing VLAN tagging.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If the remote device is matched by a rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If the ACL has no entry for a client that connects to the AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then the ACL is ignored for this client for the whole duration of the connection.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then the connection is matched to the ACL rule, but if signal drops to -70..-80, the client will not be disconnected.<br />
Please note that if "default-authentication=yes" is set on wireless interface, clients will be able to join even if there are no matching access-list entries.<br />
<br />
To make it work correctly it is required that client is matched by any of ACL rules.<br />
<br />
If we modify ACL rules in the previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55..0<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
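The two rule sets above, replayed through a small Python model of first-match access-list evaluation. This is an added example, not MikroTik code: it assumes the AP re-checks the list on every signal reading, it does not model '''time''' matching or the interface list "all", and the signal series is constructed.<br />

```python
from dataclasses import dataclass

ANY_MAC = "00:00:00:00:00:00"  # property table: this value "matches always"


@dataclass
class AclRule:
    interface: str = "any"
    mac_address: str = ANY_MAC
    signal_range: tuple = (-120, 120)
    authentication: bool = True
    disabled: bool = False

    def matches(self, mac, interface, signal):
        low, high = self.signal_range
        return (not self.disabled                      # disabled rules are ignored
                and self.interface in ("any", interface)
                and self.mac_address.upper() in (ANY_MAC, mac.upper())
                and low <= signal <= high)


def evaluate(rules, mac, interface, signal, default_authentication=True):
    """First matching rule decides; with no match the interface default applies."""
    for index, rule in enumerate(rules):
        if rule.matches(mac, interface, signal):
            return rule.authentication, f"rule {index}"
    return default_authentication, "default-authentication"


def first_disconnect(rules, mac, interface, signals, default_authentication=True):
    """Replay signal readings; return (signal, reason) of the first rejection."""
    for signal in signals:
        accepted, reason = evaluate(rules, mac, interface, signal,
                                    default_authentication)
        if not accepted:
            return signal, reason
    return None


def fallthrough_ranges(rules, interface, mac="02:00:00:00:00:01"):
    """Signal ranges where a client matches no rule, so only
    default-authentication decides. The probe MAC is a constructed value."""
    gaps, start = [], None
    for signal in range(-120, 121):
        covered = any(r.matches(mac, interface, signal) for r in rules)
        if not covered and start is None:
            start = signal
        elif covered and start is not None:
            gaps.append((start, signal - 1))
            start = None
    if start is not None:
        gaps.append((start, 120))
    return gaps


# First example on the page: one accept rule for -55..0.
RULES_A = [AclRule(interface="wlan2", signal_range=(-55, 0))]
# Second example: accept rule plus an explicit reject rule for -120..-56.
RULES_B = [
    AclRule(interface="wlan2", signal_range=(-55, 0)),
    AclRule(interface="wlan2", signal_range=(-120, -56), authentication=False),
]
CLIENT = "A0:0B:BA:D7:4D:B2"      # MAC from the log line quoted in the warning
SIGNALS = [-41, -60, -75]         # constructed series of signal readings

if __name__ == "__main__":
    print("A:", first_disconnect(RULES_A, CLIENT, "wlan2", SIGNALS))
    print("B:", first_disconnect(RULES_B, CLIENT, "wlan2", SIGNALS))
    print("A gaps:", fallthrough_ranges(RULES_A, "wlan2"))
    print("B gaps:", fallthrough_ranges(RULES_B, "wlan2"))
```

The gap list is the part worth checking on a real rule set: every range it reports is one where admission depends only on '''default-authentication'''.<br />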
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other stations that are connected to the same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface, and '''interface'''=''all'' refers to the [[Manual:Interface/List#Lists|interface-list]] named “all”. To make a rule that applies only to one wireless interface, specify that interface as the value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If the signal strength of the station goes out of the range that is specified in the rule, the access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end times are expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The Align tool is used to help align devices running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of a remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If an SSID or exact wireless protocol is provided in the wireless interface configuration, Connect List SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if the '''area''' value of the AP (a proprietary extension) begins with the specified value.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of the [[#Security Profiles | security profile]] that is used when connecting to matching access points. If the value of this property is ''none'', then the security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create '''connect'''=''no'' rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
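The Operation rules and the usage patterns above, modelled in Python to show which access point a station ends up choosing. This is an added example, not MikroTik code: it assumes matching on '''mac-address''' and '''signal-range''' only, ignores security-profile compatibility, breaks ties within one rule by best signal, and uses a constructed scan list.<br />

```python
from dataclasses import dataclass

ANY_MAC = "00:00:00:00:00:00"  # property table: this value "matches always"


@dataclass
class ConnectRule:
    interface: str
    connect: bool = True
    mac_address: str = ANY_MAC
    signal_range: tuple = (-120, 120)
    disabled: bool = False


@dataclass
class ScannedAp:
    mac: str
    ssid: str
    signal: int


def first_match(rules, interface, ap):
    """Index of the first enabled rule on this interface that matches the AP."""
    for index, rule in enumerate(rules):
        if rule.disabled or rule.interface != interface:
            continue
        if rule.mac_address.upper() not in (ANY_MAC, ap.mac.upper()):
            continue
        low, high = rule.signal_range
        if low <= ap.signal <= high:
            return index
    return None


def choose_ap(rules, interface, scan, default_authentication):
    """Return the AP the station would try, or None if it must stay offline."""
    allowed, unmatched = [], []
    for ap in scan:
        index = first_match(rules, interface, ap)
        if index is None:
            unmatched.append(ap)
        elif rules[index].connect:
            allowed.append((index, ap))
        # connect=no: connection with this AP is never attempted
    if allowed:
        # The rule higher in the list wins, even over a stronger signal.
        return min(allowed, key=lambda pair: (pair[0], -pair[1].signal))[1]
    if default_authentication and unmatched:
        return max(unmatched, key=lambda ap: ap.signal)
    return None


IFACE = "station-wlan"
# Constructed scan result; the first three MACs are the ones used on this page.
SCAN = [
    ScannedAp("00:11:22:33:00:01", "corp", -70),
    ScannedAp("00:11:22:33:00:02", "corp", -60),
    ScannedAp("00:11:22:33:44:55", "corp", -40),
    ScannedAp("0A:00:00:00:00:09", "corp", -50),   # AP not listed anywhere
]
# "Restrict station connections only to specific access points"
ALLOW_LIST = [
    ConnectRule(IFACE, True, "00:11:22:33:00:01"),
    ConnectRule(IFACE, True, "00:11:22:33:00:02"),
]
# "Disallow connections to specific access points"
DENY_LIST = [ConnectRule(IFACE, False, "00:11:22:33:44:55")]
# Allowed AP at the top, deny-all rule at the end
DENY_ALL = [ConnectRule(IFACE, True, "00:11:22:33:00:02"),
            ConnectRule(IFACE, False)]

if __name__ == "__main__":
    for name, rules, default in (("allow-list", ALLOW_LIST, False),
                                 ("deny-list", DENY_LIST, True),
                                 ("deny-all", DENY_ALL, True)):
        print(name, "->", choose_ap(rules, IFACE, SCAN, default))
```

With the allow-list and '''default-authentication'''=''yes'' the station still falls back to the strongest unlisted AP once no listed one is in range; the trailing deny-all rule removes that dependence on the interface default.<br />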
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements in your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies, use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip, these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to the nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method how to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, you should set their mode to nstreme-dual-slave. When using nstreme2, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method how to combine frames. A number of frames may be combined into one bigger one to reduce the amount of protocol overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. The comment is taken from the appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method used to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once every 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer, integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
The AP measures this so that it can tell clients what offset to use for their transmissions. Clients then subtract this offset from their target transmission time so that the propagation delay is accounted for and the transmission arrives at the AP when expected. You may occasionally see a small negative value (a few microseconds) there for close-range clients because of additional unaccounted delay produced in the transmitter or receiver hardware, which varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of the data unit whose loss can be detected (the data unit over which the CRC is calculated) sent by the device. In general, the bigger the better, because the overhead is lower. On the other hand, a small value cannot always be considered a sign that the connection is poor: if the device does not have enough pending data to use bigger data units (e.g. if you are just pinging over the link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports the specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect for Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows overriding the pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default="MikroTik"<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication. If set to an empty value, value of '''mschapv2-username''' is used instead.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc= For interfaces in station mode, determines policy for handling the TLS certificate of the RADIUS server. For interfaces in AP mode, determines policy for handling the TLS certificate of station and so only has effect when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange i.e. without using certificates on either end.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important: the same order is used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the RADIUS server. }}<br />
<br />
{{ Note | When the AP is used for passthrough, it is not required to add certificates on the AP itself; the AP device works as a transparent bridge and forwards the EAP-TLS association data from the RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support the ''ADH-DES-CBC3-SHA'' cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects how the Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format of how the "called-id" identifier will be passed to RADIUS. When configuring RADIUS server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses the corresponding key either from the [[Manual:Interface/Wireless#Access_List | private-key]] property, or from the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get the corresponding value either from the [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the frame is not malicious. This feature allows RouterOS-based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in the security-profile with the '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default)<br />
* '''allowed''' - use management protection if supported by the remote party (for AP - allow both non-management protection and management protection clients; for client - connect to APs both with and without management protection)<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection; for client - connect only to APs that support management protection)<br />
<br />
The management protection shared secret is configured with the security-profile '''management-protection-key''' setting.<br />
<br />
When the interface is in AP mode, the default management protection key (configured in the security-profile) can be overridden by a key specified in the access-list or a RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
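<br />
The weak settings described in this section (no encryption, WEP static keys, ''tkip'', PMKID left in EAPOL frames, unverified EAP certificates, management protection disabled) can be checked mechanically in <code>print</code> output. The following Python script is an added example, not MikroTik code; the function names, finding texts and sample profiles are constructed for illustration, and properties missing from the output are assumed to have the defaults listed in the tables above.<br />

```python
import re

# Defaults from the property tables in this section, used when a property
# does not appear in the print output (assumption of this example).
DEFAULTS = {
    "mode": "none", "authentication-types": "",
    "unicast-ciphers": "aes-ccm", "group-ciphers": "aes-ccm",
    "disable-pmkid": "no", "tls-mode": "no-certificates",
    "management-protection": "disabled",
}
PAIR = re.compile(r'([A-Za-z0-9][A-Za-z0-9.-]*)=("[^"]*"|\S*)')
RECORD_START = re.compile(r"\s*\d+\s")

# Constructed sample in the layout of the print output shown above.
SAMPLE = """\
[admin@mikrotik] /interface wireless security-profiles> print
 0   name="default" mode=none authentication-types="" unicast-ciphers=""
     group-ciphers="" management-protection=disabled

 1   name="legacy" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk
     unicast-ciphers=tkip,aes-ccm group-ciphers=tkip disable-pmkid=no
     management-protection=allowed management-protection-key="constructed-key"

 2   name="hardened" mode=dynamic-keys authentication-types=wpa2-eap
     unicast-ciphers=aes-ccm group-ciphers=aes-ccm disable-pmkid=yes
     eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=ap-cert
     management-protection=required management-protection-key="constructed-key"
"""


def parse_profiles(text):
    """Split print output into one property dict per security profile."""
    records, current = [], None
    for line in text.splitlines():
        # Blank lines and console prompts end the current record.
        if not line.strip() or line.lstrip().startswith("["):
            current = None
            continue
        if RECORD_START.match(line):
            current = []
            records.append(current)
        if current is not None:
            current.append(line)
    profiles = []
    for lines in records:
        props = dict(DEFAULTS)
        for key, value in PAIR.findall(" ".join(lines)):
            props[key] = value.strip('"')
        profiles.append(props)
    return profiles


def as_set(value):
    """Turn a comma-separated RouterOS value into a set of items."""
    return {item for item in value.split(",") if item}


def audit_profile(p):
    """Return (property, finding) pairs for one parsed profile."""
    findings = []
    mode = p["mode"]
    if mode == "none":
        findings.append(("mode", "encryption is not used"))
    elif mode in ("static-keys-required", "static-keys-optional"):
        findings.append(("mode", "WEP mode with static keys"))
        if mode == "static-keys-optional":
            findings.append(("mode", "unencrypted frames are also allowed"))
    elif mode == "dynamic-keys":
        for prop in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in as_set(p[prop]):
                findings.append((prop, "tkip enabled; use only aes-ccm"))
        if p["disable-pmkid"] == "no":
            findings.append(("disable-pmkid", "PMKID is sent in EAPOL frames"))
        uses_eap = as_set(p["authentication-types"]) & {"wpa-eap", "wpa2-eap"}
        if uses_eap and p["tls-mode"] in ("no-certificates",
                                          "dont-verify-certificate"):
            # Applies on stations, and on APs when eap-methods has eap-tls.
            findings.append(("tls-mode", "peer certificate is not verified"))
    if p["management-protection"] == "disabled":
        findings.append(("management-protection",
                         "management frames are not protected"))
    return findings


def audit(text):
    """Map each profile name to its list of findings."""
    return {p.get("name", "?"): audit_profile(p) for p in parse_profiles(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for prop, message in findings:
            print("   %s: %s" % (prop, message))
```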
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
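<br />
A RADIUS server can use the encodings listed above to sanity-check a MAC-authentication Access-Request before applying policy. The Python sketch below is an added example, not RouterOS or MikroTik code. It assumes the attributes arrive already decoded as strings in a dict and that every '''radius-mac-format''' layout consists of hex digits plus separators; the sample requests are constructed.<br />

```python
import re

# MAC layout the page gives for Calling-Station-Id and Called-Station-Id.
DASHED_MAC = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")
# Assumption: any radius-mac-format layout is hex digits plus separators.
MAC_WITH_SEPARATORS = re.compile(r"[0-9A-Fa-f:. -]+")


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not one."""
    if not value or not MAC_WITH_SEPARATORS.fullmatch(value):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    return digits if len(digits) == 12 else None


def parse_called_station_id(value):
    """Split "XX-XX-XX-XX-XX-XX:SSID" into (ap_mac, ssid).

    The MAC part has a fixed width of 17 characters, so the split is done by
    position: the SSID itself may contain ':' or '-'.
    """
    mac_part, sep, ssid = value[:17], value[17:18], value[18:]
    if not DASHED_MAC.fullmatch(mac_part) or sep != ":":
        raise ValueError("Called-Station-Id is not MAC:SSID: %r" % value)
    return normalize_mac(mac_part), ssid


def check_mac_auth_request(attrs, radius_mac_mode="as-username"):
    """Return a list of inconsistencies found in a MAC-auth Access-Request."""
    findings = []
    user_mac = normalize_mac(attrs.get("User-Name", ""))
    if user_mac is None:
        findings.append("User-Name is not a MAC address")
    calling = attrs.get("Calling-Station-Id", "")
    if not DASHED_MAC.fullmatch(calling):
        findings.append("Calling-Station-Id is not XX-XX-XX-XX-XX-XX")
    elif user_mac is not None and normalize_mac(calling) != user_mac:
        findings.append("User-Name and Calling-Station-Id name different clients")
    try:
        parse_called_station_id(attrs.get("Called-Station-Id", ""))
    except ValueError as exc:
        findings.append(str(exc))
    password = attrs.get("User-Password", "")
    if radius_mac_mode == "as-username-and-password":
        if password != attrs.get("User-Name", ""):
            findings.append("User-Password differs from User-Name")
    elif password:
        findings.append("User-Password should be empty in this mode")
    if not attrs.get("Nas-Port-Id"):
        findings.append("Nas-Port-Id (wireless interface name) is missing")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_OK = {
    "User-Name": "00:0C:42:AA:BB:CC",
    "User-Password": "",
    "Calling-Station-Id": "00-0C-42-AA-BB-CC",
    "Called-Station-Id": "00-0C-42-11-22-33:Guest:5GHz",
    "Nas-Port-Id": "wlan1",
}
SAMPLE_MISMATCH = dict(SAMPLE_OK, **{"Calling-Station-Id": "00-0C-42-AA-BB-CD"})

if __name__ == "__main__":
    for name, request in (("ok", SAMPLE_OK), ("mismatch", SAMPLE_MISMATCH)):
        print(name, check_mac_auth_request(request))
```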
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before the response from the RADIUS server is received. The access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from the matching connect list entry. WDS link will work when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This makes it possible to build a repeater setup using only one hardware card. The process of configuration is exactly the same as above, but use mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer captures frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process crc mismatch packets<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the APs available in the frequency range defined in the scan-list.<br />
While the scan command runs, interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep), background scan is supported, which can be used during wireless interface operation without disconnecting the wireless link. Background scan is supported only with the 802.11 wireless protocol.<br />
<br />
Scan tool will continue scanning for APs until the user stops the scan process. It is possible to use the 'rounds' setting to make the scan tool go through the scan-list entries a specific number of times. It is useful when running the scan tool from scripts. Example of scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option makes it possible to run scripted/scheduled scans and save the results in a file for future analysis. Together with the rounds setting, this feature also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to a file, exits the scan and connects the wireless link back. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
Background scan works under these conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
Scan command is supported also on the Virtual wireless interfaces with such limitations:<br />
* It is possible when virtual interface and its master is fixed on channel (master AP is running or master station is connected to AP).<br />
* Scan is only performed in channel master interface is on.<br />
* It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server makes it possible to connect wireless clients that support WPS to an AP protected with the Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing the physical button on the board (a few boards have such a button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing "WPS Accept" button from the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on a few boards that have a physical WPS button marked. For example, hap lite, hap, hap ac lite, hap ac, map lite<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
WPS Client function allows the wireless client to get the Pre-Shared Key configuration of the AP that has WPS Server enabled.<br />
WPS Client can be enabled by such command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates wireless security profile with the specified name, configures it with security details received from the WPS AP, specifies the wireless interface to use the new created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
Wireless repeater receives the signal from the AP and repeats it locally, using the same physical interface, for connecting other clients. This extends the wireless service for the wireless clients.<br />
Wireless repeater function will configure the wireless interface to connect to the AP with station-bridge or station-pseudobridge option, create a virtual AP interface, create a bridge interface and add both (main and the virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.<br />
When RouterOS wireless client is connected to the AP using 802.11 wireless protocol it will periodically perform the background scan with specific time intervals. When the background scan will find an AP with better signal it will try to roam to that AP. The time intervals between the background scans will become shorter when the wireless signal becomes worse and the background scan interval will become longer when the wireless client signal will get better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on Ethernet side of "locally forwarding" AP (the one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic of Ethernet side of APs.<br />
<br />
VLAN is assigned for wireless interface and as a result all data coming from wireless gets tagged with this tag and only data with this tag will be sent out over wireless. This works for all wireless protocols except that on Nv2 there's no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable wireless-fp or wireless-cm2 package for RouterOS version up to 6.37. Starting from RouterOS v6.37 you can do that with regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP does not use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses the 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses the 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of <br />
access-list and RADIUS attributes (for both - regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27 the following setting is available:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
- NAI Realm Encoding (1 byte)<br />
- NAI Realm Length (1 byte)<br />
- NAI Realm (variable)<br />
- EAP Method Count (1 byte)<br />
- EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
- NAI Realm Encoding: 0 (rfc4282)<br />
- NAI Realm Length: 4<br />
- NAI Realm: Test<br />
- EAP Method Count: 1<br />
- EAP Method Length: 2<br />
- EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note, that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
<br />
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34523Manual:Interface/Wireless2022-02-01T11:07:51Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Wireless+Interface}}<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. Value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows the use of station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Use of extension channels (e.g. Ce, eC etc.) enables additional 20MHz extension channels and specifies whether they are located below or above the control (main) channel. Extension channels allow 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency based on the number of concurrent devices running in every frequency and choose the “C” - Control channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running - for AP one or more clients have to be registered to it, for station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmits on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory_domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Allows specifying an offset if the wireless card in use operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the high priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on AP. <br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) the type also supports the range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports a step feature that makes it possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate the scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels or specifically skip DFS CAC channels in the range 5600-5650MHz, for which detection could take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It can help on longer distance links and can slightly increase bandwidth, but latency increases too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both the RX and TX chain must be enabled for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signals strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2-nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2-nstreme-802.11'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20Mhz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
802.11 standard provides means to protect transmission against other device transmission by using RTS/CTS protocol. Frame protection helps to fight "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - device willing to send frame at first sends RequestToSend frame and waits for ClearToSend frame from intended destination. By "seeing" RTS or CTS frame 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves<br />
* "CTS to self" based protection - device willing to send frame sends CTS frame "to itself". As in RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive CTS sent by other station - in this case stations must use RTS/CTS so that other station knows not to transmit by seeing CTS transmitted by AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distances with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission. This unused time is equal to the ''round trip time'' (the time in which a frame can be sent to and received from the client) and ensures that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period.<br />
<br />
For example, the distance between the Access Point and the client is 30km. A frame is sent in 100us in one direction, so the round-trip-time is ~200us. The default '''tdma-period-size''' value is 2ms, which means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For a 60km wireless link, round-trip-time is 400ms, and unused time is 20% for the default tdma-period-size of 2ms and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
The default behaviour of the access list is to allow connection.<br />
<br />
Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.<br />
<br />
There are the following parameters for access list rules:<br />
* client matching parameters:<br />
** address - MAC address of client<br />
** interface - optional interface to compare with the interface to which the client actually connects<br />
** time - time of day and days when rule matches<br />
** signal-range - range in which client signal must fit for rule to match<br />
** allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval<br />
* connection parameters:<br />
** ap-tx-limit - tx speed limit in direction to client<br />
** client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)<br />
** private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used<br />
** vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).<br />
** vlan-id - VLAN ID to use if doing VLAN tagging.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If the remote device is matched by a rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If there is no entry in ACL about client which connects to AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then ACL for this client is ignored during all connection time.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then the connection is matched to the ACL rule, but if signal drops to -70..-80, the client will not be disconnected.<br />
Please note that if "default-authentication=yes" is set on wireless interface, clients will be able to join even if there are no matching access-list entries.<br />
<br />
To make it work correctly it is required that client is matched by any of ACL rules.<br />
<br />
If we modify ACL rules in the previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55..0<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
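The two rule sets above can be checked offline before they are deployed. The following Python sketch is an added example, not MikroTik code: it models the first-match evaluation described in this section (an assumption drawn from the text, not from the RouterOS implementation), treats ''interface=all'' like ''any'', ignores the '''time''' matcher, and all function names are hypothetical.<br />

```python
import shlex
from dataclasses import dataclass

WILDCARD_MAC = "00:00:00:00:00:00"   # "matches always", per the mac-address property
SIGNAL_MIN, SIGNAL_MAX = -120, 120   # bounds of the signal-range property


@dataclass
class Rule:
    mac_address: str = WILDCARD_MAC
    interface: str = "any"
    signal_range: tuple = (SIGNAL_MIN, SIGNAL_MAX)
    authentication: bool = True
    disabled: bool = False


def parse_rule(line):
    """Parse one 'add key=value ...' line from /interface wireless access-list."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError("expected an 'add ...' line: %r" % line)
    rule = Rule()
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("expected key=value, got %r" % token)
        if key == "mac-address":
            rule.mac_address = value.upper()
        elif key == "interface":
            rule.interface = value
        elif key == "signal-range":
            low, high = value.split("..")
            rule.signal_range = (int(low), int(high))
        elif key == "authentication":
            rule.authentication = value == "yes"
        elif key == "disabled":
            rule.disabled = value == "yes"
        # forwarding, tx limits, keys and VLAN settings do not affect matching
    return rule


def decide(rules, mac, interface, signal, default_authentication):
    """Return (verdict, index of the matching rule or None), first match wins."""
    for index, rule in enumerate(rules):
        if rule.disabled:
            continue
        if rule.mac_address not in (WILDCARD_MAC, mac.upper()):
            continue
        if rule.interface not in ("any", "all", interface):
            continue
        low, high = rule.signal_range
        if not low <= signal <= high:
            continue
        return ("accept" if rule.authentication else "reject", index)
    # No rule matched: the interface's default-authentication decides.
    return ("accept" if default_authentication else "reject", None)


def unmatched_ranges(rules, mac, interface):
    """Signal ranges where no rule matches, so the interface default applies."""
    gaps, start = [], None
    for signal in range(SIGNAL_MIN, SIGNAL_MAX + 1):
        _, index = decide(rules, mac, interface, signal, True)
        if index is None and start is None:
            start = signal
        elif index is not None and start is not None:
            gaps.append((start, signal - 1))
            start = None
    if start is not None:
        gaps.append((start, SIGNAL_MAX))
    return gaps


# The two rule sets from the examples above, copied as written.
SINGLE_RULE = [parse_rule(
    "add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0")]
TWO_RULES = [
    parse_rule("add interface=wlan2 signal-range=-55..0"),
    parse_rule("add authentication=no forwarding=no interface=wlan2 "
               "signal-range=-120..-56"),
]
CLIENT = "A0:0B:BA:D7:4D:B2"  # MAC address taken from the log line in the warning

if __name__ == "__main__":
    for name, rules in (("single rule", SINGLE_RULE), ("two rules", TWO_RULES)):
        print(name, "- unmatched signal ranges:",
              unmatched_ranges(rules, CLIENT, "wlan2"))
        for signal in (-41, -56, -70):
            print("  signal", signal, "->",
                  decide(rules, CLIENT, "wlan2", signal, True))
```

Any range reported by <code>unmatched_ranges</code> is one where '''default-authentication''' alone decides whether the client stays connected.<br />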
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other stations that are connected to the same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface and the '''interface'''=''all'' defines [[Manual:Interface/List#Lists|interface-list]] “all” name. To make rule that applies only to one wireless interface, specify that interface as a value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If signal strength of the station will go out of the range that is specified in the rule, access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end time is expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The Align tool is used to help align devices running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of the remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If an SSID or exact wireless protocol is provided in the wireless interface configuration, Connect List SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if the '''area''' value of the AP begins with the specified value. The '''area''' value is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of [[#Security Profiles | security profile]] that is used when connecting to matching access points. If value of this property is ''none'', then security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create '''connect'''=''no'' rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements in your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method how to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, set their mode to nstreme-dual-slave. When nstreme2 is used, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method how to combine frames. A number of frames may be combined into one bigger one to reduce the amount of protocol overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in the 2ghz-g band and receive in the 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method how to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer,integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
AP measures this so that it can tell clients what offset to use for their transmissions - clients then subtract this offset from their target transmission time such that propagation delay is accounted for and transmission arrives at AP when expected. You may occasionally see small negative value (like few usecs) there for close range clients because of additional unaccounted delay that may be produced in transmitter or receiver hardware that varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to omit the PMKID from the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows to override pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default="MikroTik"<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication. If set to an empty value, value of '''mschapv2-username''' is used instead.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc= For interfaces in station mode, determines policy for handling the TLS certificate of the RADIUS server. For interfaces in AP mode, determines policy for handling the TLS certificate of station and so only has effect when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange i.e. without using certificates on either end.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects the way how Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format of how the "called-id" identifier will be passed to RADIUS. When configuring radius server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements proprietary management frame protection algorithm based on shared secret. Management frame protection means that RouterOS wireless device is able to verify source of management frame and confirm that particular frame is not malicious. This feature allows to withstand deauthentication and disassociation attacks on RouterOS based wireless devices.<br />
<br />
Management protection mode is configured in security-profile with '''management-protection''' setting. Possible values are: '''disabled''' - management protection is disabled (default), '''allowed''' - use management protection if supported by remote party (for AP - allow both, non-management protection and management protection clients, for client - connect both to APs with and without management protection), '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection, for client - connect only to APs that support management protection).<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
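<br />
The following is an added example, not part of the MikroTik manual: a small Python audit that parses <code>security-profiles print</code> output in the layout shown above and reports the settings that the property descriptions in this section mark as reducing security. The sample text, the finding names and the <code>role</code> parameter are constructed for the example; missing keys fall back to the defaults listed in the property tables.<br />

```python
import re

# Constructed sample in the layout of the print output above; values are made up.
SAMPLE_PRINT = """
[admin@mikrotik] /interface wireless security-profiles> print
 0 name="default" mode=none authentication-types="" unicast-ciphers=""
   group-ciphers="" tls-mode=no-certificates management-protection=disabled
 1 name="office" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk
   unicast-ciphers=tkip,aes-ccm group-ciphers=tkip eap-methods=passthrough
   tls-mode=no-certificates management-protection=allowed
 2 name="eap" mode=dynamic-keys authentication-types=wpa2-eap
   unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls
   tls-mode=dont-verify-certificate disable-pmkid=yes
   management-protection=required management-protection-key="example"
"""

PAIR = re.compile(r'([a-z][a-z0-9-]*)=("[^"]*"|\S*)')

def parse_profiles(text):
    """Split print output into one dict of property -> value per numbered entry."""
    profiles = []
    for line in text.splitlines():
        if line.lstrip().startswith("["):      # console prompt, not profile data
            continue
        if re.match(r"\s*\d+\s", line):        # "<number> name=..." opens a new entry
            profiles.append({})
        if profiles:
            for key, value in PAIR.findall(line):
                profiles[-1][key] = value.strip('"')
    return profiles

# Finding names are hypothetical; the wording follows the property descriptions.
FINDINGS = {
    "no-encryption": "mode=none: frames are not encrypted",
    "unencrypted-allowed": "static-keys-optional: unencrypted frames are accepted and sent",
    "wep-algo": "a 40bit-wep/104bit-wep static key algorithm is configured",
    "tkip": "tkip is enabled; networks free of WEP legacy should use only aes-ccm",
    "pmkid-sent": "disable-pmkid=no: PMKID is included in EAPOL frames",
    "tls-peer-not-verified": "tls-mode=dont-verify-certificate: remote certificate is not checked",
    "tls-anonymous-dh": "tls-mode=no-certificates: anonymous Diffie-Hellman, no certificates on either end",
    "mgmt-protection-off": "management-protection=disabled",
    "mgmt-protection-optional": "management-protection=allowed: unprotected peers are still accepted",
}

def _values(profile, key, default=""):
    return {v for v in profile.get(key, default).split(",") if v}

def audit(profile, role="ap"):
    """Return finding names for one profile; role is 'ap' or 'station'."""
    out = []
    mode = profile.get("mode", "none")
    if mode == "none":
        out.append("no-encryption")
    elif mode in ("static-keys-required", "static-keys-optional"):
        if mode == "static-keys-optional":
            out.append("unencrypted-allowed")
        algos = {profile.get(f"static-algo-{i}", "none") for i in range(4)}
        algos.add(profile.get("static-sta-private-algo", "none"))
        if algos & {"40bit-wep", "104bit-wep"}:
            out.append("wep-algo")
    elif mode == "dynamic-keys":
        ciphers = (_values(profile, "unicast-ciphers", "aes-ccm")
                   | _values(profile, "group-ciphers", "aes-ccm"))
        if "tkip" in ciphers:
            out.append("tkip")
        # disable-pmkid only has effect on Access Points.
        if role == "ap" and profile.get("disable-pmkid", "no") == "no":
            out.append("pmkid-sent")
        eap = _values(profile, "authentication-types") & {"wpa-eap", "wpa2-eap"}
        # On an AP, tls-mode only has effect when eap-methods contains eap-tls.
        tls_applies = (role == "station"
                       or "eap-tls" in _values(profile, "eap-methods", "passthrough"))
        if eap and tls_applies:
            tls = profile.get("tls-mode", "no-certificates")
            if tls == "dont-verify-certificate":
                out.append("tls-peer-not-verified")
            elif tls == "no-certificates":
                out.append("tls-anonymous-dh")
    protection = profile.get("management-protection", "disabled")
    if protection == "disabled":
        out.append("mgmt-protection-off")
    elif protection == "allowed":
        out.append("mgmt-protection-optional")
    return out

def report(text, role="ap"):
    return {p.get("name", "?"): audit(p, role) for p in parse_profiles(text)}

if __name__ == "__main__":
    for name, codes in report(SAMPLE_PRINT).items():
        for code in codes:
            print(f"{name}: {FINDINGS[code]}")
```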
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
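<br />
As an added illustration (not code from the manual or from RouterOS), the Python sketch below builds the Access-Request attributes listed above for each '''radius-mac-format''' and '''radius-mac-mode''' setting, and shows a server-side check that User-Name and Calling-Station-Id name the same client. The MAC addresses, SSID and function names are constructed; upper-case hex digits and the ''mac'' and ''ssid'' encodings of Called-Station-Id are assumptions, since the text only documents the ''mac:ssid'' form.<br />

```python
import re

# The radius-mac-format values from the property table.
MAC_FORMATS = (
    "XX:XX:XX:XX:XX:XX", "XXXX:XXXX:XXXX", "XXXXXX:XXXXXX",
    "XX-XX-XX-XX-XX-XX", "XXXXXX-XXXXXX", "XXXXXXXXXXXX",
    "XX XX XX XX XX XX",
)
DASHED = "XX-XX-XX-XX-XX-XX"   # fixed encoding of Calling-/Called-Station-Id

def decode_mac(value):
    """Return the 12 hex digits if value is a MAC in one of the formats, else None."""
    for fmt in MAC_FORMATS:
        pattern = "".join("[0-9A-Fa-f]" if c == "X" else re.escape(c) for c in fmt)
        if re.fullmatch(pattern, value):
            return re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    return None

def encode_mac(mac, fmt):
    """Encode a MAC address using one radius-mac-format template."""
    if fmt not in MAC_FORMATS:
        raise ValueError(f"unknown radius-mac-format: {fmt}")
    digits = decode_mac(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    it = iter(digits)          # assumption: digits are sent in upper case
    return "".join(next(it) if c == "X" else c for c in fmt)

def mac_auth_request(client_mac, ap_mac, ssid, interface, *,
                     mac_format="XX:XX:XX:XX:XX:XX", mac_mode="as-username",
                     called_format="mac:ssid", acct_session_id=None):
    """Attributes of the MAC authentication Access-Request described above."""
    user_name = encode_mac(client_mac, mac_format)
    ap = encode_mac(ap_mac, DASHED)
    # Only the mac:ssid encoding is documented; the other two are assumptions.
    called = {"mac:ssid": f"{ap}:{ssid}", "mac": ap, "ssid": ssid}[called_format]
    attrs = {
        "User-Name": user_name,
        "Nas-Port-Id": interface,
        # Empty unless radius-mac-mode=as-username-and-password.
        "User-Password": user_name if mac_mode == "as-username-and-password" else "",
        "Calling-Station-Id": encode_mac(client_mac, DASHED),
        "Called-Station-Id": called,
    }
    if acct_session_id is not None:    # only with radius-mac-accounting=yes
        attrs["Acct-Session-Id"] = acct_session_id
    return attrs

def consistent(attrs):
    """Server-side sanity check: both attributes must name the same client MAC."""
    user = decode_mac(attrs.get("User-Name", ""))
    return user is not None and user == decode_mac(attrs.get("Calling-Station-Id", ""))

if __name__ == "__main__":
    # Constructed addresses and SSID.
    for fmt in MAC_FORMATS:
        req = mac_auth_request("00:0c:42:aa:bb:01", "00:0C:42:00:00:10", "office",
                               "wlan1", mac_format=fmt)
        print(f"{fmt:20} User-Name={req['User-Name']!r} consistent={consistent(req)}")
```

The user records on the RADIUS server have to be written in whichever encoding '''radius-mac-format''' selects, and with an empty or identical password depending on '''radius-mac-mode'''.<br />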
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require from the access point very quick response to the association request. Such clients time out before response from RADIUS server is received. Access point caches authentication response for some time and can immediately reply to the repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
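<br />
The length rules above, together with the '''static-transmit-key''' behaviour from the WEP properties table, as an added Python example (not part of the manual). Function names and the sample keys are constructed; the text does not say what happens to over-long ''tkip'' or ''aes-ccm'' keys, so they are returned unchanged.<br />

```python
import re

# Required number of hexadecimal digits per algorithm, from the list above.
KEY_DIGITS = {"40bit-wep": 10, "104bit-wep": 26, "tkip": 64, "aes-ccm": 32}
TRUNCATED = {"40bit-wep", "104bit-wep"}   # "if key is longer, only first N bits are used"

def check_key(algo, key_hex):
    """Validate a static key and return the hex digits that are actually used."""
    if algo not in KEY_DIGITS:
        raise ValueError(f"unknown algorithm: {algo}")
    if not re.fullmatch(r"[0-9A-Fa-f]*", key_hex):
        raise ValueError("key must be hexadecimal")
    if len(key_hex) % 2:
        raise ValueError("key must contain an even number of hexadecimal digits")
    need = KEY_DIGITS[algo]
    if len(key_hex) < need:
        raise ValueError(f"{algo} needs {need} hexadecimal digits, got {len(key_hex)}")
    return key_hex[:need].lower() if algo in TRUNCATED else key_hex.lower()

def transmit_outcome(profile):
    """What happens to frames sent with static-transmit-key, per the table above."""
    mode = profile.get("mode")
    if mode not in ("static-keys-required", "static-keys-optional"):
        raise ValueError("WEP properties only have effect in static-keys modes")
    slot = profile.get("static-transmit-key", "key-0").rsplit("-", 1)[1]
    algo = profile.get(f"static-algo-{slot}", "none")
    if algo == "none":
        # Sent in the clear in optional mode, not sent at all in required mode.
        return "unencrypted" if mode == "static-keys-optional" else "not-sent"
    check_key(algo, profile.get(f"static-key-{slot}", ""))
    return f"encrypted:{algo}"

if __name__ == "__main__":
    # Constructed profile: key-1 is selected for transmit but has no algorithm set.
    profile = {"mode": "static-keys-optional", "static-transmit-key": "key-1",
               "static-algo-0": "104bit-wep", "static-key-0": "00" * 13}
    print(transmit_outcome(profile))            # unencrypted
    print(check_key("40bit-wep", "0123456789abcdef"))
```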
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from matching connect list entry. WDS link will work when each access point will have connect list entry that matches the other device, has '''connect'''=''yes'' and specifies compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
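<br />
The two matching rules above, as an added Python example (not RouterOS code). It shows a consequence of the "at least one value" rule: a profile that lists both ''tkip'' and ''aes-ccm'' also matches an access point that advertises only ''tkip'', so a client that must use AES has to list ''aes-ccm'' alone. The access points and profile contents are constructed; the text gives no rule for '''mode'''=''none'', so the function rejects it instead of guessing.<br />

```python
MATCH_KEYS = ("authentication-types", "unicast-ciphers", "group-ciphers")

def entry_matches(profile, ap):
    """Apply the connect-list security-profile rules to one advertised access point."""
    mode = profile["mode"]
    if mode in ("static-keys-required", "static-keys-optional"):
        return ap.get("mode") == mode
    if mode == "dynamic-keys":
        # Each of the three properties must share at least one value with the AP.
        return all(set(profile[k]) & set(ap.get(k, ())) for k in MATCH_KEYS)
    raise ValueError(f"no matching rule is given in the text for mode={mode}")

def candidates(profile, access_points):
    return [name for name, ap in access_points.items() if entry_matches(profile, ap)]

# Constructed access points, described by what each one advertises.
ACCESS_POINTS = {
    "aes-only": {"mode": "dynamic-keys", "authentication-types": {"wpa2-psk"},
                 "unicast-ciphers": {"aes-ccm"}, "group-ciphers": {"aes-ccm"}},
    "mixed": {"mode": "dynamic-keys", "authentication-types": {"wpa-psk", "wpa2-psk"},
              "unicast-ciphers": {"tkip", "aes-ccm"}, "group-ciphers": {"tkip"}},
    "tkip-only": {"mode": "dynamic-keys", "authentication-types": {"wpa-psk"},
                  "unicast-ciphers": {"tkip"}, "group-ciphers": {"tkip"}},
    "wep": {"mode": "static-keys-required"},
}

PERMISSIVE = {"mode": "dynamic-keys", "authentication-types": {"wpa-psk", "wpa2-psk"},
              "unicast-ciphers": {"tkip", "aes-ccm"}, "group-ciphers": {"tkip", "aes-ccm"}}
STRICT = {"mode": "dynamic-keys", "authentication-types": {"wpa2-psk"},
          "unicast-ciphers": {"aes-ccm"}, "group-ciphers": {"aes-ccm"}}

if __name__ == "__main__":
    print("permissive:", candidates(PERMISSIVE, ACCESS_POINTS))
    print("strict:    ", candidates(STRICT, ACCESS_POINTS))
```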
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" will be active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This allows to make a repeater setup with only using one hardware card. The process of configuration is exactly the same as above, but use mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer allows to capture frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process crc mismatch packets<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
Scan command allows to see available AP in the frequency range defined in the scan-list.<br />
While the scan command is running, the interface operation is disabled (wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep) background scan is supported which can be used during the wireless interface operation without disconnecting the wireless link. Background scan is supported only using 802.11 wireless protocol.<br />
<br />
Scan tool will continue scanning for AP until user stops the scan process. It is possible to use 'rounds' setting for the scan tool to do scan through the scan-list entries specific times. It is useful when running scan tool using scripts. Example of scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows scripted/scheduled scans that save the results to a file for later analysis. Together with the 'rounds' setting, this also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to a file, exits the scan and reconnects the wireless link. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan, provide the 'background=yes' setting. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
Background scan works under these conditions:<br />
* The wireless interface must be enabled<br />
* For a wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on a fixed channel (that is, channel selection and initial radar checking are over)<br />
* For a wireless interface in Station mode - when it is connected to an 802.11 protocol AP.<br />
<br />
The scan command is also supported on Virtual wireless interfaces, with these limitations:<br />
* It is possible when the virtual interface and its master are fixed on a channel (master AP is running or master station is connected to an AP).<br />
* Scan is only performed on the channel the master interface is on.<br />
* It does not matter whether background=yes|no is set: on a virtual interface, scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage and displays which devices occupy each frequency. It is available both in the console and in Winbox. Snooper uses the frequencies from the scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing a physical button on the board (a few boards have such a button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing "WPS Accept" button from the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on the few boards that have a physical WPS button marked, for example hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
WPS Client function allows the wireless client to get the Pre-Shared Key configuration of the AP that has WPS Server enabled.<br />
WPS Client can be enabled with this command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates a wireless security profile with the specified name, configures it with the security details received from the WPS AP, and sets the wireless interface to use the newly created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
A wireless repeater receives the signal from the AP and repeats it locally using the same physical interface, so that other clients can connect. This extends the wireless service for the wireless clients.<br />
The wireless repeater function configures the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, creates a virtual AP interface, creates a bridge interface and adds both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
The Station Roaming feature is available only for the 802.11 wireless protocol and only for station modes.<br />
When a RouterOS wireless client is connected to an AP using the 802.11 wireless protocol, it periodically performs a background scan at specific time intervals. When the background scan finds an AP with a better signal, the client tries to roam to that AP. The interval between background scans becomes shorter when the wireless signal gets worse and longer when the wireless client signal gets better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic on the Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag and only data with this tag is sent out over wireless. This works for all wireless protocols, except that on Nv2 there's no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP doesn't use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of <br />
access-list and RADIUS attributes (for both - regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27 we have added the following setting:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies the contents of a "NAI Realm Tuple", excluding the "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
* NAI Realm Encoding (1 byte)<br />
* NAI Realm Length (1 byte)<br />
* NAI Realm (variable)<br />
* EAP Method Count (1 byte)<br />
* EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
* NAI Realm Encoding: 0 (rfc4282)<br />
* NAI Realm Length: 4<br />
* NAI Realm: Test<br />
* EAP Method Count: 1<br />
* EAP Method Length: 2<br />
* EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
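<br />
The decoding above can be checked mechanically before a value is pasted into '''realms-raw'''. The following Python sketch is an added example, not MikroTik code: the function names are hypothetical, and the layout inside an EAP Method Tuple (method, parameter count, then ID/length/value parameters) is taken from 802.11-2016 section 9.4.5.10 rather than from this page. It rejects truncated or over-long input instead of guessing.<br />

```python
# Added example: decoder/encoder for one RouterOS realms-raw string.
# Field layout follows the list on this page; the inside of an EAP Method
# Tuple (method, parameter count, parameters) follows 802.11-2016 9.4.5.10.

EAP_NAMES = {13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA", 25: "PEAP"}  # display subset


class RealmParseError(ValueError):
    """Raised when the hex string does not describe a well-formed tuple."""


class Reader:
    """Cursor that refuses to read past the end of its buffer."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n, what):
        if self.pos + n > len(self.data):
            raise RealmParseError(f"truncated {what} at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self, what):
        return self.take(1, what)[0]

    def remaining(self):
        return len(self.data) - self.pos


def parse_realms_raw(hex_string):
    """Return {'encoding', 'realm', 'methods'} for one realms-raw value."""
    try:
        data = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise RealmParseError(f"not valid hex: {exc}") from None
    r = Reader(data)
    encoding = r.byte("NAI Realm Encoding")
    realm = r.take(r.byte("NAI Realm Length"), "NAI Realm")
    methods = []
    for i in range(r.byte("EAP Method Count")):
        # Each tuple carries its own length; parse it in a sub-reader so a
        # bad inner length cannot consume bytes of the next tuple.
        body = Reader(r.take(r.byte("EAP Method Length"), f"EAP Method Tuple {i}"))
        method = body.byte("EAP Method")
        params = []
        for _ in range(body.byte("Authentication Parameter Count")):
            param_id = body.byte("parameter ID")
            value = body.take(body.byte("parameter length"), "parameter value")
            params.append((param_id, value.hex()))
        if body.remaining():
            raise RealmParseError(f"EAP Method Tuple {i}: {body.remaining()} unparsed bytes")
        methods.append({"method": method, "name": EAP_NAMES.get(method, "unknown"),
                        "params": params})
    if r.remaining():
        raise RealmParseError(f"{r.remaining()} trailing bytes after last tuple")
    return {
        "encoding": "rfc4282" if encoding & 1 == 0 else "utf-8",
        "realm": realm.decode("utf-8", errors="replace"),
        "methods": methods,
    }


def build_realms_raw(realm, eap_methods):
    """Encode a realm and a list of EAP method numbers (no parameters)."""
    name = realm.encode("utf-8")
    if len(name) > 255 or len(eap_methods) > 255:
        raise ValueError("realm or method list too long for 1-byte length fields")
    out = bytes([0, len(name)]) + name + bytes([len(eap_methods)])
    for m in eap_methods:
        out += bytes([2, m, 0])  # length=2, method, zero parameters
    return out.hex()


if __name__ == "__main__":
    print(parse_realms_raw("00045465737401020d00"))  # the page's example value
    print(build_realms_raw("Test", [13]))
```
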
<br />
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34522Manual:Interface/Wireless2022-01-31T09:16:13Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Wireless+Interface}}<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station can also operate in different modes; a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. Value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows the use of station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Extension channel settings (e.g. Ce, eC etc.) enable additional 20MHz extension channels and specify whether they are located below or above the control (main) channel. Extension channels allow 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency, based on the number of concurrent devices running on every frequency, and choose the "C" (control channel) frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running - for an AP, one or more clients have to be registered to it; for a station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmits on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory-domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
The list of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. The ''superchannel'' mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. It should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Allows specifying an offset if the wireless card operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies the maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending a frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the high priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on AP.<br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) the type also supports the range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports the step feature, where it is possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate the scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels or specifically skip DFS CAC channels in range 5600-5650MHz, where detection can take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', the station will initially use the MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signal strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each of Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each of Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2 nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2 nstreme 802.11'' - on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
802.11 standard provides means to protect transmission against other device transmission by using RTS/CTS protocol. Frame protection helps to fight "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - a device willing to send a frame first sends a RequestToSend frame and waits for a ClearToSend frame from the intended destination. By "seeing" an RTS or CTS frame, 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves<br />
* "CTS to self" based protection - a device willing to send a frame sends a CTS frame "to itself". As in the RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving the CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive the CTS sent by the other station - in this case stations must use RTS/CTS so that the other station knows not to transmit by seeing the CTS transmitted by the AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take<br />
a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distance with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission (equal to the ''round trip time'', the time in which a frame can be sent to and received from the client). This ensures that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period.<br />
<br />
For example, the distance between Access Point and client is 30km. A frame is sent in 100us in one direction, so the round-trip-time is ~200us. The '''tdma-period-size''' default value is 2ms, which means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For a 60km wireless link, round-trip-time is 400us, unused time is 20% for the default tdma-period-size of 2ms, and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
The default behaviour of the access list is to allow connection.<br />
<br />
Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.<br />
<br />
There are the following parameters for access list rules:<br />
* client matching parameters:<br />
** address - MAC address of client<br />
** interface - optional interface to compare with the interface to which the client actually connects<br />
** time - time of day and days when rule matches<br />
** signal-range - range in which client signal must fit for rule to match<br />
** allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval<br />
* connection parameters:<br />
** ap-tx-limit - tx speed limit in direction to client<br />
** client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)<br />
** private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used<br />
** vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).<br />
** vlan-id - VLAN ID to use if doing VLAN tagging.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If the remote device is matched by a rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If no ACL entry matches a client when it connects to the AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then the ACL is ignored for this client for the whole duration of the connection.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then connection is not matched to any ACL rule and if signal drops to -70..-80, client will not be disconnected.<br />
<br />
<br />
For this to work correctly, the client must be matched by one of the ACL rules.<br />
<br />
If we modify ACL rules in previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other stations that are connected to the same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface, and '''interface'''=''all'' refers to the [[Manual:Interface/List#Lists|interface-list]] named “all”. To make a rule that applies only to one wireless interface, specify that interface as the value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If the signal strength of the station goes out of the range that is specified in the rule, the access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end times are expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The Align tool helps to align devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of a remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If an SSID or exact wireless protocol is provided in the wireless interface configuration, connect-list SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if the '''area''' value of the AP (a proprietary extension) begins with the specified value.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of the [[#Security Profiles | security profile]] that is used when connecting to matching access points. If the value of this property is ''none'', then the security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of the station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create '''connect'''=''no'' rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
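The connect-list operation rules and the usage recipes above can be checked offline with a small model. The following Python sketch is an added example, not MikroTik code: it assumes the station interface '''ssid''' is empty, ignores security-profile compatibility, breaks ties between access points matched by the same rule by signal strength (an assumption), and uses a constructed scan list.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"  # per the property table: matches always


@dataclass
class Rule:
    """One connect-list rule, restricted to the properties modelled here."""
    interface: str
    connect: bool = True
    mac_address: str = ANY_MAC
    ssid: str = ""                              # empty value matches any SSID
    signal_range: Tuple[int, int] = (-120, 120)  # default -120..120
    disabled: bool = False


@dataclass
class AccessPoint:
    """One entry of a scan result (constructed sample data below)."""
    mac: str
    ssid: str
    signal: int  # signal strength as seen by the station


def first_match(rules: List[Rule], interface: str, ap: AccessPoint) -> Optional[int]:
    """Return the index of the first enabled rule that matches the AP."""
    for index, rule in enumerate(rules):
        if rule.disabled or rule.interface != interface:
            continue  # disabled rules are ignored; rules are per interface
        if rule.mac_address != ANY_MAC and rule.mac_address.lower() != ap.mac.lower():
            continue
        if rule.ssid and rule.ssid != ap.ssid:
            continue
        low, high = rule.signal_range
        if not low <= ap.signal <= high:
            continue
        return index  # only the first matching rule is applied
    return None


def choose_ap(rules: List[Rule], interface: str, scan: List[AccessPoint],
              default_authentication: bool) -> Optional[AccessPoint]:
    """Return the AP a station would try to connect to, or None."""
    allowed = []    # (rule index, AP) pairs matched by connect=yes rules
    unmatched = []  # APs that no rule matched
    for ap in scan:
        index = first_match(rules, interface, ap)
        if index is None:
            unmatched.append(ap)
        elif rules[index].connect:
            allowed.append((index, ap))
        # connect=no: connection with this AP is never attempted
    if allowed:
        # The AP matched by the rule higher in the list wins.
        # Tie-break on signal strength is an assumption of this model.
        return min(allowed, key=lambda pair: (pair[0], -pair[1].signal))[1]
    if default_authentication and unmatched:
        # No connect=yes match: fall back to the AP with the best signal.
        return max(unmatched, key=lambda ap: ap.signal)
    return None


# Constructed scan result: two known APs and one unlisted AP that is strongest.
SCAN = [
    AccessPoint("00:11:22:33:00:02", "corp", -60),
    AccessPoint("00:11:22:33:00:01", "corp", -72),
    AccessPoint("00:11:22:33:44:55", "corp", -40),
]

# "Restrict station connections only to specific access points"
RESTRICT = [
    Rule("station-wlan", connect=True, mac_address="00:11:22:33:00:01"),
    Rule("station-wlan", connect=True, mac_address="00:11:22:33:00:02"),
]

# "Disallow connections to specific access points"
DENYLIST = [
    Rule("station-wlan", connect=False, mac_address="00:11:22:33:44:55"),
]

if __name__ == "__main__":
    cases = [
        ("restrict, default-authentication=no", RESTRICT, False),
        ("no rules, default-authentication=yes", [], True),
        ("denylist, default-authentication=yes", DENYLIST, True),
    ]
    for label, rules, default_auth in cases:
        chosen = choose_ap(rules, "station-wlan", SCAN, default_auth)
        print(label, "->", chosen.mac if chosen else "no connection")
```

With no rules and '''default-authentication'''=''yes'' the model picks the unlisted access point because it has the strongest signal, which is the case the restrict recipe is meant to prevent.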
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements of your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies, use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, you should set their mode to nstreme-dual-slave. When nstreme2 is used, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into one bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-frequency and rx-frequency should be about 200 MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method used to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer,integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
AP measures this so that it can tell clients what offset to use for their transmissions - clients then subtract this offset from their target transmission time so that propagation delay is accounted for and the transmission arrives at the AP when expected. You may occasionally see a small negative value (a few microseconds) there for close-range clients because of additional unaccounted delay that may be produced in transmitter or receiver hardware and that varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect for Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows overriding the pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default="MikroTik"<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication. If set to an empty value, value of '''mschapv2-username''' is used instead.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc= For interfaces in station mode, determines policy for handling the TLS certificate of the RADIUS server. For interfaces in AP mode, determines policy for handling the TLS certificate of station and so only has effect when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange i.e. without using certificates on either end.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects how the Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format in which the "called-id" identifier will be passed to RADIUS. When configuring RADIUS server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in security-profile with the '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default)<br />
* '''allowed''' - use management protection if supported by remote party (for AP - allow both non-management protection and management protection clients; for client - connect to APs both with and without management protection)<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection; for client - connect only to APs that support management protection)<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
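<br />
The security-profile properties described in this section can be checked mechanically. The following Python script is an added example, not part of the original manual or of RouterOS: it parses constructed <code>security-profiles print</code> output and flags the settings this page describes as unencrypted, WEP-based, TKIP-enabled, PMKID-exposing, certificate-unverified or without required management protection. The profile names, key values, severity labels and function names are assumptions made for the illustration.<br />

```python
import shlex

# Constructed sample of `/interface wireless security-profiles print` output.
# Profile names, keys and the certificate name are made up for this example.
SAMPLE_PRINT = """
 0   name="default" mode=none authentication-types="" unicast-ciphers=""
     group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key=""
     eap-methods=passthrough tls-mode=no-certificates
     management-protection=disabled management-protection-key=""

 1   name="legacy" mode=static-keys-optional static-algo-0=40bit-wep
     static-key-0="0123456789" static-transmit-key=key-0
     management-protection=disabled

 2   name="guest" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk
     unicast-ciphers=tkip,aes-ccm group-ciphers=tkip disable-pmkid=no
     wpa2-pre-shared-key="constructed example key"
     management-protection=allowed management-protection-key="example"

 3   name="staff" mode=dynamic-keys authentication-types=wpa2-eap
     unicast-ciphers=aes-ccm group-ciphers=aes-ccm disable-pmkid=yes
     eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=ap-cert
     management-protection=required management-protection-key="example"
"""


def parse_profiles(text):
    """Split print output into one {property: value} dict per profile."""
    profiles = []
    for token in shlex.split(text):      # honours "quoted values with spaces"
        key, sep, value = token.partition("=")
        if not sep:
            if token.isdigit():          # the item number starts a new entry
                profiles.append({})
            continue                     # any other bare token is a flag
        if profiles:
            profiles[-1][key] = value
    return profiles


def _values(profile, prop, default=""):
    """Comma-separated property as a set; missing properties use the default."""
    return {v for v in profile.get(prop, default).split(",") if v}


def audit_profile(p):
    """Return (severity, message) findings for one parsed profile."""
    findings = []
    mode = p.get("mode", "none")
    if mode == "none":
        findings.append(("high", "mode=none: encryption is not used"))
    elif mode.startswith("static-keys"):
        findings.append(("high", f"mode={mode}: static WEP keys"))
        if mode == "static-keys-optional":
            findings.append(("high", "unencrypted frames are also sent and accepted"))
    elif mode == "dynamic-keys":
        for prop in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in _values(p, prop, "aes-ccm"):
                findings.append(("medium", f"{prop} allows tkip; use aes-ccm only"))
        # Only has effect on Access Points; the audit cannot see the interface mode.
        if p.get("disable-pmkid", "no") == "no":
            findings.append(("medium", "disable-pmkid=no: PMKID is included in EAPOL frames"))
        uses_eap = bool(_values(p, "authentication-types") & {"wpa-eap", "wpa2-eap"})
        if uses_eap and "eap-tls" in _values(p, "eap-methods", "passthrough"):
            tls_mode = p.get("tls-mode", "no-certificates")
            if tls_mode in ("dont-verify-certificate", "no-certificates"):
                findings.append(("high", f"tls-mode={tls_mode}: peer certificate is not verified"))
    protection = p.get("management-protection", "disabled")
    if protection == "disabled":
        findings.append(("info", "management-protection=disabled: management frames are not verified"))
    elif protection == "allowed":
        findings.append(("info", "management-protection=allowed: peers without it still associate"))
    return findings


def audit(text):
    """Map each profile name to its list of findings."""
    return {p.get("name", "?"): audit_profile(p) for p in parse_profiles(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PRINT).items():
        print(name + (": no findings" if not findings else ":"))
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```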
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
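The attribute list above can be turned into a consistency check on the RADIUS server side. The following is an added example, not MikroTik code: the function names and the sample request are constructed for illustration, and it assumes the server hands the policy a dictionary of already decoded attributes.

```python
import re

# Calling-Station-Id and the MAC part of Called-Station-Id use this fixed form.
DASH_MAC = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")


def mac_digits(text):
    """Normalise a MAC written with ':', '-' or '.' separators to 12 lowercase
    hex digits; return None if the text is not a MAC address."""
    bare = re.sub(r"[-:.]", "", text or "")
    return bare.lower() if re.fullmatch(r"[0-9A-Fa-f]{12}", bare) else None


def parse_called_station_id(value):
    """Split "XX-XX-XX-XX-XX-XX:SSID" into (ap_mac_digits, ssid).

    Only the colon right after the MAC is a separator: an SSID may contain ':'.
    """
    mac, sep, ssid = value[:17], value[17:18], value[18:]
    if not DASH_MAC.fullmatch(mac) or sep != ":":
        raise ValueError("Called-Station-Id is not MAC:SSID: %r" % value)
    return mac_digits(mac), ssid


def check_mac_auth_request(attrs, mac_mode="as-username", allowed_ssids=()):
    """Return a list of problems found in a MAC-authentication Access-Request.

    attrs         - decoded RADIUS attributes (name -> string)
    mac_mode      - the AP's radius-mac-mode setting
    allowed_ssids - SSIDs this server expects to serve (empty = do not check)
    """
    problems = []
    user = attrs.get("User-Name", "")
    calling = attrs.get("Calling-Station-Id", "")

    # User-Name follows radius-mac-format, Calling-Station-Id is always dashed;
    # both must describe the same client.
    user_mac = mac_digits(user)
    calling_mac = mac_digits(calling) if DASH_MAC.fullmatch(calling) else None
    if calling_mac is None:
        problems.append("Calling-Station-Id is not XX-XX-XX-XX-XX-XX")
    if user_mac is None:
        problems.append("User-Name is not a MAC address")
    if user_mac and calling_mac and user_mac != calling_mac:
        problems.append("User-Name and Calling-Station-Id name different clients")

    # User-Password repeats User-Name only in as-username-and-password mode.
    expected = user if mac_mode == "as-username-and-password" else ""
    if attrs.get("User-Password", "") != expected:
        problems.append("User-Password does not match radius-mac-mode=" + mac_mode)

    try:
        _, ssid = parse_called_station_id(attrs.get("Called-Station-Id", ""))
        if allowed_ssids and ssid not in allowed_ssids:
            problems.append("unexpected SSID %r" % ssid)
    except ValueError as exc:
        problems.append(str(exc))

    if not attrs.get("Nas-Port-Id"):
        problems.append("Nas-Port-Id (wireless interface name) is missing")
    return problems


# Constructed sample request (not captured from a real device).
GOOD_REQUEST = {
    "User-Name": "00:0C:42:AA:BB:CC",
    "User-Password": "",
    "Nas-Port-Id": "wlan1",
    "Calling-Station-Id": "00-0C-42-AA-BB-CC",
    "Called-Station-Id": "00-0C-42-11-22-33:Guest:2G",
}

if __name__ == "__main__":
    print(check_mac_auth_request(GOOD_REQUEST, allowed_ssids={"Guest:2G"}))
```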
<br />
When the access point receives an Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects the client. The access point uses the following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before the response from the RADIUS server is received. The access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks the connect list before establishing a WDS link with another access point, and uses security settings from the matching connect list entry. A WDS link will work when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies a compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like a single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. It works only with 802.11 protocol, Nv2 is not supported.<br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network; it will appear to wireless clients as a different SSID or a different device.<br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This makes a repeater setup possible using only one hardware card. The process of configuration is exactly the same as above, but use mode '''station''':<br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer allows capturing frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process packets with CRC mismatch<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the APs available in the frequency range defined in the scan-list.<br />
While the scan command is running, interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep) background scan is supported, which can be used during wireless interface operation without disconnecting the wireless link. Background scan is supported only with the 802.11 wireless protocol.<br />
<br />
The scan tool will continue scanning for APs until the user stops the scan process. The 'rounds' setting makes the scan tool go through the scan-list entries a specific number of times. It is useful when running the scan tool from scripts. Example of scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows scripted/scheduled scans that save the results to a file for future analysis. Together with the rounds setting, this feature also allows getting scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to a file, exits the scan and reconnects the wireless link. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
The background scan feature works under the following conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
Scan command is supported also on the Virtual wireless interfaces with such limitations:<br />
* It is possible when virtual interface and its master is fixed on channel (master AP is running or master station is connected to AP).<br />
* Scan is only performed in channel master interface is on.<br />
* It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows to connect wireless clients that support WPS to AP protected with the Pre-Shared Key without specifying that key in the clients configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing a physical button on the board (a few boards have such a button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing the "WPS Accept" button from the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on a few boards that have a marked physical WPS button. For example, hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
The WPS Client function allows the wireless client to get the Pre-Shared Key configuration of an AP that has WPS Server enabled.<br />
WPS Client can be enabled with the following command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates wireless security profile with the specified name, configures it with security details received from the WPS AP, specifies the wireless interface to use the new created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
A wireless repeater receives the signal from the AP and repeats it locally, using the same physical interface, for connecting other clients. This extends the wireless service for the wireless clients.<br />
The wireless repeater function configures the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, creates a virtual AP interface, creates a bridge interface and adds both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.<br />
When RouterOS wireless client is connected to the AP using 802.11 wireless protocol it will periodically perform the background scan with specific time intervals. When the background scan will find an AP with better signal it will try to roam to that AP. The time intervals between the background scans will become shorter when the wireless signal becomes worse and the background scan interval will become longer when the wireless client signal will get better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic on the Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result all data coming from wireless gets tagged with this tag, and only data with this tag will be sent out over wireless. This works for all wireless protocols except that on Nv2 there's no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP doesn't use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of access-list and RADIUS attributes (for both - regular wireless and wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the same interface, but must be used with care - only "interface VLAN" broadcast/multicast traffic will be sent out. If working broadcast/multicast is necessary for other (overridden) VLANs as well, multicast-helper can be used for now (this changes every multicast packet to unicast and then it is only sent to clients with matching VLAN ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
The following feature is available starting from RouterOS v6.42rc27:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
- NAI Realm Encoding (1 byte)<br />
- NAI Realm Length (1 byte)<br />
- NAI Realm (variable)<br />
- EAP Method Count (1 byte)<br />
- EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
- NAI Realm Encoding: 0 (rfc4282)<br />
- NAI Realm Length: 4<br />
- NAI Realm: Test<br />
- EAP Method Count: 1<br />
- EAP Method Length: 2<br />
- EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
<br />
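The field layout above, as an added parser and encoder for '''realms-raw''' values that rejects truncated or inconsistent strings before they are configured. This is example code, not part of RouterOS; the function names are hypothetical, and the authentication parameter layout (ID, length, value inside each EAP Method Tuple) is taken from the 802.11-2016 section referenced below rather than from this page.

```python
# IANA EAP method type numbers for a few common methods.
EAP_METHOD_NAMES = {13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA", 25: "PEAP"}


def parse_realms_raw(hex_string):
    """Decode one realms-raw string into a dict; raise ValueError if malformed."""
    try:
        data = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise ValueError("realms-raw must be an even number of hex digits") from exc
    pos = 0

    def take(count, what):
        # Read `count` bytes, refusing to run past the end of the string.
        nonlocal pos
        if pos + count > len(data):
            raise ValueError("truncated while reading %s at offset %d" % (what, pos))
        chunk = data[pos:pos + count]
        pos += count
        return chunk

    encoding = take(1, "NAI Realm Encoding")[0]
    realm_len = take(1, "NAI Realm Length")[0]
    realm = take(realm_len, "NAI Realm").decode("utf-8")  # bad UTF-8 -> ValueError

    methods = []
    for _ in range(take(1, "EAP Method Count")[0]):
        length = take(1, "EAP Method Length")[0]
        body_end = pos + length  # Length covers everything after the length byte
        if length < 2 or body_end > len(data):
            raise ValueError("bad EAP Method Length %d at offset %d" % (length, pos - 1))
        method = take(1, "EAP Method")[0]
        params = []
        for _ in range(take(1, "Authentication Parameter Count")[0]):
            if pos + 2 > body_end:
                raise ValueError("authentication parameter overruns its EAP tuple")
            param_id, param_len = take(2, "authentication parameter header")
            if pos + param_len > body_end:
                raise ValueError("authentication parameter overruns its EAP tuple")
            params.append((param_id, take(param_len, "parameter value").hex()))
        if pos != body_end:
            raise ValueError("EAP Method Length does not match tuple contents")
        methods.append({"method": method,
                        "name": EAP_METHOD_NAMES.get(method, "unknown"),
                        "params": params})
    if pos != len(data):
        raise ValueError("%d trailing byte(s) after last EAP tuple" % (len(data) - pos))
    return {"encoding": encoding, "realm": realm, "eap_methods": methods}


def build_realms_raw(realm, eap_methods, encoding=0):
    """Encode a realm and EAP method numbers (no method parameters) as realms-raw."""
    realm_bytes = realm.encode("utf-8")
    if len(realm_bytes) > 255 or len(eap_methods) > 255:
        raise ValueError("realm or method list too long for one-byte length fields")
    out = bytes([encoding, len(realm_bytes)]) + realm_bytes + bytes([len(eap_methods)])
    for method in eap_methods:
        out += bytes([2, method, 0])  # length=2, method, zero parameters
    return out.hex()


if __name__ == "__main__":
    print(parse_realms_raw("00045465737401020d00"))
    print(build_realms_raw("Test", [13]))
```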
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34521Manual:Interface/Wireless2022-01-19T11:02:50Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Wireless+Interface}}<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. Value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows the use of station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Use of extension channels (e.g. Ce, eC etc.) allows additional 20MHz extension channels and specifies whether they are located below or above the control (main) channel. An extension channel allows 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency based on the number of concurrent devices running in every frequency and choose the “C” - Control channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running - for AP one or more clients have to be registered to it, for station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmissions on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory_domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Allows specifying an offset if the wireless card in use operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the high priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully. The setting works on AP.<br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is the older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses a standardized way of including vendor specific information that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) type also supports range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports a step feature where it is possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate such scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels or specifically skip DFS CAC channels in range 5600-5650MHz, for which detection could take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signal strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use a different (better) method for establishing links between APs, which is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2-nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2-nstreme-802.11'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20Mhz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
802.11 standard provides means to protect transmission against other device transmission by using RTS/CTS protocol. Frame protection helps to fight "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - device willing to send frame at first sends RequestToSend frame and waits for ClearToSend frame from intended destination. By "seeing" RTS or CTS frame 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves<br />
* "CTS to self" based protection - device willing to send frame sends CTS frame "to itself". As in RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive CTS sent by other station - in this case stations must use RTS/CTS so that other station knows not to transmit by seeing CTS transmitted by AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long-distance links with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission. This unused time is equal to the ''round trip time'' (the time in which a frame can be sent to and received from the client) and ensures that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period.<br />
<br />
For example, the distance between Access Point and client is 30km. A frame is sent in 100us in one direction, so the round-trip-time is ~200us. '''tdma-period-size''' default value is 2ms, which means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For a 60km wireless link, round-trip-time is 400us, unused time is 20% for default tdma-period-size 2ms, and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
The default behaviour of the access list is to allow connection.<br />
<br />
Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.<br />
<br />
There are the following parameters for access list rules:<br />
* client matching parameters:<br />
** address - MAC address of client<br />
** mask - MAC address mask to apply when comparing client address<br />
** interface - optional interface to compare with interface to which client actually connects to<br />
** time - time of day and days when rule matches<br />
** signal-range - range in which client signal must fit for rule to match<br />
** allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval<br />
* action parameter - specifies action to take when client matches:<br />
** accept - accept client<br />
** reject - reject client<br />
** query-radius - query RADIUS server if particular client is allowed to connect<br />
* connection parameters:<br />
** ap-tx-limit - tx speed limit in direction to client<br />
** client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)<br />
** client-to-client-forwarding - specifies whether to allow forwarding data received from this client to other clients connected to the same interface<br />
** private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used<br />
** radius-accounting - specifies if RADIUS traffic accounting should be used if RADIUS authentication gets done for this client<br />
** vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).<br />
** vlan-id - VLAN ID to use if doing VLAN tagging.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If the remote device is matched by a rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If there is no entry in ACL about client which connects to AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then ACL for this client is ignored during all connection time.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then connection is not matched to any ACL rule and if signal drops to -70..-80, client will not be disconnected.<br />
<br />
<br />
To make it work correctly it is required that client is matched by any of ACL rules.<br />
<br />
If we modify ACL rules in previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
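<br />
The rule evaluation described in this section, modelled in Python as an added example (not RouterOS code and not part of the original manual): first-match processing, the default accept when no rule matches, and the signal-range check that only applies to a client that matched a rule when it connected. The rule sets and signal values are constructed samples, the function names are hypothetical, and fall-through to '''default-authentication''' is assumed to be the interface default that applies.<br />

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

WILDCARD_MAC = "00:00:00:00:00:00"  # per the manual, this value matches always


@dataclass(frozen=True)
class Rule:
    """One access-list entry, reduced to the properties used in this model."""
    mac_address: str = WILDCARD_MAC
    interface: str = "any"                       # interface lists are not modelled
    signal_range: Tuple[int, int] = (-120, 120)
    authentication: bool = True                  # authentication=no rejects the client
    disabled: bool = False

    def in_range(self, signal: int) -> bool:
        low, high = self.signal_range
        return low <= signal <= high

    def matches(self, mac: str, interface: str, signal: int) -> bool:
        if self.disabled:                        # disabled rules are always ignored
            return False
        if self.mac_address != WILDCARD_MAC and self.mac_address.lower() != mac.lower():
            return False
        if self.interface != "any" and self.interface != interface:
            return False
        return self.in_range(signal)


def admit(rules: Sequence[Rule], mac: str, interface: str, signal: int,
          default_authentication: bool = True) -> Tuple[bool, Optional[int]]:
    """Return (accepted, index of the first matching rule or None)."""
    for index, rule in enumerate(rules):
        if rule.matches(mac, interface, signal):
            return rule.authentication, index    # only the first match is applied
    # No rule matched: the interface defaults decide (assumed default accept).
    return default_authentication, None


def stays_connected(rules: Sequence[Rule], matched: Optional[int], signal: int) -> bool:
    """Signal check for an already associated client."""
    if matched is None:
        return True   # not in ACL at connect time: ACL ignored for the whole connection
    return rules[matched].in_range(signal)


def uncovered_signal_ranges(rules: Sequence[Rule], interface: str) -> List[Tuple[int, int]]:
    """Audit helper: signal ranges where no MAC-wildcard rule matches, so a
    connecting client would fall through to the interface defaults."""
    gaps: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for signal in range(-120, 121):
        covered = any(r.mac_address == WILDCARD_MAC
                      and r.matches(WILDCARD_MAC, interface, signal) for r in rules)
        if not covered and start is None:
            start = signal
        elif covered and start is not None:
            gaps.append((start, signal - 1))
            start = None
    if start is not None:
        gaps.append((start, 120))
    return gaps


# Constructed sample rule sets for interface wlan2.
SINGLE_RULE = [Rule(interface="wlan2", signal_range=(-55, 0))]
TWO_RULES = [
    Rule(interface="wlan2", signal_range=(-55, 120)),
    Rule(interface="wlan2", signal_range=(-120, -56), authentication=False),
]
CLIENT = "02:00:00:00:00:01"  # constructed, locally administered MAC

if __name__ == "__main__":
    for name, rules in (("single rule", SINGLE_RULE), ("two rules", TWO_RULES)):
        print(name, "uncovered signal ranges:", uncovered_signal_ranges(rules, "wlan2"))
        for connect_signal in (-41, -60):
            accepted, idx = admit(rules, CLIENT, "wlan2", connect_signal)
            kept = accepted and stays_connected(rules, idx, -75)
            print(f"  connect at {connect_signal}: accepted={accepted} rule={idx} "
                  f"still connected at -75: {kept}")
```

An empty result from <code>uncovered_signal_ranges</code> means every connecting client on that interface is matched by some rule, which is the condition the text above requires for signal-based disconnects to work.<br />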
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other station that are connected to same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface and the '''interface'''=''all'' defines [[Manual:Interface/List#Lists|interface-list]] “all” name. To make rule that applies only to one wireless interface, specify that interface as a value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If signal strength of the station will go out of the range that is specified in the rule, access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end time is expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The Align tool helps to align devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of a remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If SSID or exact wireless protocol is provided in the wireless interface configuration, Connect List SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if '''area''' value of AP begins with specified value. '''area''' value is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of [[#Security Profiles | security profile]] that is used when connecting to matching access points. If value of this property is ''none'', then security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements in your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip. These frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, set their mode to nstreme-dual-slave. When nstreme2 is used, most parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into one bigger frame to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method how to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer,integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
The AP measures this so that it can tell clients what offset to use for their transmissions. Clients then subtract this offset from their target transmission time so that propagation delay is accounted for and the transmission arrives at the AP when expected. You may occasionally see a small negative value (a few microseconds) for close-range clients because of additional unaccounted delay in the transmitter or receiver hardware, which varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but allow also to receive and send unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows overriding the pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default="MikroTik"<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication. If set to an empty value, value of '''mschapv2-username''' is used instead.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc= For interfaces in station mode, determines policy for handling the TLS certificate of the RADIUS server. For interfaces in AP mode, determines policy for handling the TLS certificate of station and so only has effect when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange i.e. without using certificates on either end.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or to ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects the way how Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format in which the "called-id" identifier is passed to RADIUS. When configuring RADIUS server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in security-profile with the '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default).<br />
* '''allowed''' - use management protection if supported by remote party (for AP - allow both non-management protection and management protection clients; for client - connect both to APs with and without management protection).<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection; for client - connect only to APs that support management protection).<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
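<br />
The request attributes listed above, rendered for each '''radius-mac-format''' value and checked from the RADIUS server side. This is an added example, not code from RouterOS or this manual; the function names, the sample addresses, upper-case hex digits, and the ''mac'' and ''ssid'' renderings of Called-Station-Id are assumptions.<br />

```python
import re

# Values of radius-mac-format listed in the RADIUS properties table.
MAC_FORMATS = ("XX:XX:XX:XX:XX:XX", "XXXX:XXXX:XXXX", "XXXXXX:XXXXXX",
               "XX-XX-XX-XX-XX-XX", "XXXXXX-XXXXXX", "XXXXXXXXXXXX",
               "XX XX XX XX XX XX")


def mac_digits(mac):
    """Return the 12 hex digits of a MAC address written with common separators."""
    digits = re.sub(r"[:\-. ]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()  # assumption: upper-case hex, as the XX templates suggest


def format_mac(mac, template):
    """Fill a radius-mac-format template: every X takes the next hex digit."""
    if template not in MAC_FORMATS:
        raise ValueError(f"unknown radius-mac-format: {template!r}")
    digits = iter(mac_digits(mac))
    return "".join(next(digits) if ch == "X" else ch for ch in template)


def mac_access_request(client_mac, ap_mac, ssid, interface,
                       mac_format="XX:XX:XX:XX:XX:XX",
                       mac_mode="as-username", called_format="mac:ssid"):
    """Attributes of the Access-Request sent for RADIUS MAC authentication.

    Acct-Session-Id (added when radius-mac-accounting=yes) is left out because
    the manual does not describe its value.
    """
    user_name = format_mac(client_mac, mac_format)
    ap = format_mac(ap_mac, "XX-XX-XX-XX-XX-XX")
    # "mac:ssid" is the encoding the manual documents; the other two renderings
    # are assumptions made for this example.
    called = {"mac": ap, "mac:ssid": f"{ap}:{ssid}", "ssid": ssid}[called_format]
    return {
        "User-Name": user_name,
        "User-Password": user_name if mac_mode == "as-username-and-password" else "",
        "Nas-Port-Id": interface,
        "Calling-Station-Id": format_mac(client_mac, "XX-XX-XX-XX-XX-XX"),
        "Called-Station-Id": called,
    }


def user_name_to_mac(user_name, template):
    """Server side: recover the MAC digits from User-Name, or None on a format mismatch."""
    pattern = "".join("([0-9A-Fa-f])" if ch == "X" else re.escape(ch)
                      for ch in template)
    match = re.fullmatch(pattern, user_name)
    return "".join(match.groups()).upper() if match else None


def request_is_consistent(attrs, template):
    """True when User-Name and Calling-Station-Id carry the same client MAC."""
    mac = user_name_to_mac(attrs["User-Name"], template)
    try:
        return mac is not None and mac == mac_digits(attrs["Calling-Station-Id"])
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed addresses (locally administered range), not real devices.
    for fmt in MAC_FORMATS:
        req = mac_access_request("02:00:00:aa:bb:cc", "02:00:00:11:22:33",
                                 "guests", "wlan1", mac_format=fmt)
        print(f"{fmt:<20} User-Name={req['User-Name']!r}")
```

A RADIUS server whose user entries are keyed on a different MAC notation than the configured '''radius-mac-format''' will not find the client, so generating the expected User-Name this way helps when populating or checking those entries.<br />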
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before the response from the RADIUS server is received. Access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1.Create security-profile.<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3.Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1.Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3.Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4.Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from the matching connect list entry. WDS link will work when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies a compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like a single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
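Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption. Because this mode uses an anonymous Diffie-Hellman key exchange without certificates on either end, the access points do not verify each other's certificates; use ''verify-certificate'' when the peer has to be checked against a known certificate authority.<br />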
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
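<br />
The security-profile properties described in this section can be checked in bulk from saved <code>print</code> output. The script below is an added example, not part of RouterOS or of this manual: it parses records in the shape shown under Management frame protection and reports the settings this page describes as less secure, plus static keys that break the rules in the Statically configured WEP keys section. The sample records are constructed, and all function names are this example's own.<br />

```python
import re

# Constructed sample in the shape of "/interface wireless security-profiles print"
# output; all names, keys and values below are made up for this example.
SAMPLE_PRINT = """
 0 name="office" mode=dynamic-keys authentication-types=wpa2-psk,wpa2-eap
   unicast-ciphers=tkip,aes-ccm group-ciphers=aes-ccm
   wpa2-pre-shared-key="constructed example key" disable-pmkid=no
   eap-methods=eap-tls,passthrough tls-mode=dont-verify-certificate
   management-protection=disabled management-protection-key=""
 1 name="legacy" mode=static-keys-optional static-algo-0=40bit-wep
   static-key-0="0102030405060708" static-transmit-key=key-0
"""

# Defaults from the manual, applied when a record omits a property.
DEFAULTS = {"mode": "none", "disable-pmkid": "no", "tls-mode": "no-certificates",
            "management-protection": "disabled"}
# Minimum hex digits per algorithm ("Statically configured WEP keys").
KEY_DIGITS = {"40bit-wep": 10, "104bit-wep": 26, "tkip": 64, "aes-ccm": 32}
PAIR = re.compile(r'([a-z0-9-]+)=("[^"]*"|\S*)')


def parse_profiles(text):
    """Split print output into one {property: value} dict per numbered record."""
    profiles = []
    for line in text.splitlines():
        if re.match(r"\s*\d+\s", line):  # a leading item number starts a record
            profiles.append({})
        if profiles:
            for key, value in PAIR.findall(line):
                profiles[-1][key] = value.strip('"')
    return profiles


def check_static_key(algo, key):
    """Return a problem description for a static key, or None if it fits."""
    need = KEY_DIGITS[algo]
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        return "key is not hexadecimal"
    if len(key) % 2:
        return "key has an odd number of hexadecimal digits"
    if len(key) < need:
        return f"{algo} needs at least {need} hexadecimal digits, got {len(key)}"
    if len(key) > need and algo.endswith("-wep"):
        return f"key is longer than needed, only the first {need * 4} bits are used"
    return None


def audit(profile):
    """Return (property, finding) pairs for settings the manual marks as weaker."""
    def get(prop):
        return profile.get(prop, DEFAULTS.get(prop, ""))

    def values(prop):
        return {v for v in get(prop).split(",") if v}

    findings = []
    mode = get("mode")
    if mode == "none":
        findings.append(("mode", "encryption is not used"))
    elif mode in ("static-keys-required", "static-keys-optional"):
        findings.append(("mode", "WEP mode"))
        if mode == "static-keys-optional":
            findings.append(("mode", "unencrypted frames are also sent and received"))
        for n in range(4):
            algo = get(f"static-algo-{n}")
            if algo in KEY_DIGITS:
                problem = check_static_key(algo, get(f"static-key-{n}"))
                if problem:
                    findings.append((f"static-key-{n}", problem))
    elif mode == "dynamic-keys":
        for prop in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in values(prop):
                findings.append((prop, "tkip is enabled next to or instead of aes-ccm"))
        if get("disable-pmkid") == "no":
            findings.append(("disable-pmkid", "AP includes PMKID in EAPOL frames"))
        uses_eap = values("authentication-types") & {"wpa-eap", "wpa2-eap"}
        if uses_eap and get("tls-mode") == "dont-verify-certificate":
            findings.append(("tls-mode", "certificate of the remote device is not checked"))
        elif uses_eap and get("tls-mode") == "no-certificates":
            findings.append(("tls-mode", "anonymous Diffie-Hellman, no certificates used"))
    if get("management-protection") == "disabled":
        findings.append(("management-protection", "management frames are not verified"))
    return findings


if __name__ == "__main__":
    for profile in parse_profiles(SAMPLE_PRINT):
        for prop, finding in audit(profile):
            print(f'{profile["name"]}: {prop}: {finding}')
```

The findings are prompts for review, since some of them (for example '''disable-pmkid''') trade security against client compatibility and some properties only have effect on Access Points or only on Stations.<br />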
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If the "master-interface" mode is "station", the Virtual AP will work only while the "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This makes it possible to build a repeater setup using only one hardware card. The process of configuration is exactly the same as above, but use mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer allows to capture frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process crc mismatch packets<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the APs available in the frequency range defined in the scan-list.<br />
While the scan command is running, interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep) background scan is supported, which can be used during the wireless interface operation without disconnecting the wireless link. Background scan is supported only using 802.11 wireless protocol.<br />
<br />
The scan tool will continue scanning for APs until the user stops the scan process. The 'rounds' setting makes the scan tool go through the scan-list entries a specified number of times, which is useful when running the scan tool from scripts. Example of a scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows scripted/scheduled scans to save their results to a file for later analysis. Together with the 'rounds' setting, it also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to a file, exits the scan and reconnects the wireless link. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
The background scan feature works under the following conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
The scan command is also supported on virtual wireless interfaces, with the following limitations:<br />
* It is possible only when the virtual interface and its master are fixed on a channel (the master AP is running or the master station is connected to an AP).<br />
* The scan is performed only on the channel the master interface is on.<br />
* It does not matter whether background=yes|no is set - on a virtual interface the scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing the physical button on the board (a few boards have such a button, marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing the "WPS Accept" button in the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on a few boards that have a marked physical WPS button, for example hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
WPS Client function allows the wireless client to get the Pre-Shared Key configuration of the AP that has WPS Server enabled.<br />
WPS Client can be enabled with the following command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates a wireless security profile with the specified name, configures it with the security details received from the WPS AP, and sets the wireless interface to use the newly created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
A wireless repeater receives the signal from the AP and repeats it locally, using the same physical interface, so that other clients can connect. This extends the wireless service for the wireless clients.<br />
The wireless repeater function configures the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, creates a virtual AP interface, creates a bridge interface and adds both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.<br />
When a RouterOS wireless client is connected to the AP using the 802.11 wireless protocol, it periodically performs a background scan at specific time intervals. When the background scan finds an AP with a better signal, the client tries to roam to that AP. The interval between background scans becomes shorter as the wireless signal gets worse and longer as the wireless client signal gets better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on Ethernet side of "locally forwarding" AP (the one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic of Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag and only data with this tag will be sent out over wireless. This works for all wireless protocols except that on Nv2 there's no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package on RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP doesn't use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses the 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses the 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of access-list and RADIUS attributes (for both - regular wireless and wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the same interface, but must be used with care - only "interface VLAN" broadcast/multicast traffic will be sent out. If working broadcast/multicast is necessary for other (overridden) VLANs as well, multicast-helper can be used for now (this changes every multicast packet to unicast and then it is only sent to clients with matching VLAN ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27, the following setting is available:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
- NAI Realm Encoding (1 byte)<br />
- NAI Realm Length (1 byte)<br />
- NAI Realm (variable)<br />
- EAP Method Count (1 byte)<br />
- EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
- NAI Realm Encoding: 0 (rfc4282)<br />
- NAI Realm Length: 4<br />
- NAI Realm: Test<br />
- EAP Method Count: 1<br />
- EAP Method Length: 2<br />
- EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
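
The field layout above can be checked with a small decoder before a hex string is put into '''realms-raw'''. The following Python is an added example, not part of the original manual or of RouterOS; the function names are hypothetical, and the authentication-parameter layout (ID, length, value) and the encoding value 1 are taken from 802.11-2016 section 9.4.5.10 rather than from this page.

```python
# Added example: decode/validate a RouterOS realms-raw value (a NAI Realm Tuple
# without the "NAI Realm Data Field Length" field). Names here are hypothetical.

# Display names for a few IANA EAP method type numbers (13 = TLS, as on this page).
EAP_NAMES = {13: "TLS", 21: "TTLS", 25: "PEAP"}
# NAI Realm Encoding: 0 = RFC 4282 (from the page); 1 = plain UTF-8 (from 802.11-2016).
ENCODINGS = {0: "rfc4282", 1: "utf-8"}


class RealmError(ValueError):
    """Raised when a realms-raw string does not match the field layout."""


class _Reader:
    """Cursor over a byte string that refuses to read past the end."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n, what):
        if self.pos + n > len(self.data):
            raise RealmError(f"truncated while reading {what}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self, what):
        return self.take(1, what)[0]

    def done(self):
        return self.pos == len(self.data)


def decode_realm(hex_value):
    """Return the decoded tuple as a dict, or raise RealmError."""
    try:
        raw = bytes.fromhex(hex_value)
    except ValueError as exc:
        raise RealmError(f"not a hex string: {exc}") from None
    r = _Reader(raw)
    encoding = r.byte("NAI Realm Encoding")
    realm_len = r.byte("NAI Realm Length")
    try:
        realm = r.take(realm_len, "NAI Realm").decode("utf-8")
    except UnicodeDecodeError:
        raise RealmError("NAI Realm is not valid UTF-8") from None
    methods = []
    for i in range(r.byte("EAP Method Count")):
        # EAP Method Length counts the bytes that follow it within this tuple.
        body = _Reader(r.take(r.byte("EAP Method Length"), f"EAP Method Tuple {i}"))
        eap_type = body.byte("EAP Method")
        params = []
        for _ in range(body.byte("Authentication Parameter Count")):
            param_id = body.byte("Authentication Parameter ID")
            param_len = body.byte("Authentication Parameter Length")
            params.append((param_id, body.take(param_len, "parameter value").hex()))
        if not body.done():
            raise RealmError(f"EAP Method Tuple {i}: length does not match contents")
        methods.append({"type": eap_type,
                        "name": EAP_NAMES.get(eap_type, "unknown"),
                        "params": params})
    if not r.done():
        raise RealmError(f"{len(raw) - r.pos} unexpected trailing byte(s)")
    return {"encoding": ENCODINGS.get(encoding, "unknown"),
            "realm": realm, "eap_methods": methods}


def encode_realm(realm, eap_types, encoding=0):
    """Build a realms-raw hex string for EAP methods that carry no parameters."""
    name = realm.encode("utf-8")
    if len(name) > 255 or len(eap_types) > 255:
        raise RealmError("realm or method list does not fit a 1-byte length")
    out = bytes([encoding, len(name)]) + name + bytes([len(eap_types)])
    for eap_type in eap_types:
        out += bytes([2, eap_type, 0])  # length 2: method byte + zero-parameter count
    return out.hex()


def is_valid(hex_value):
    """True when the string parses cleanly with nothing missing or left over."""
    try:
        decode_realm(hex_value)
        return True
    except RealmError:
        return False


if __name__ == "__main__":
    print(decode_realm("00045465737401020d00"))   # the value used on this page
    print(encode_realm("Test", [13]))
    print(is_valid("000454657374"))               # constructed: cut off after the realm
```

A mismatch between a length byte and the bytes that follow it is rejected by the decoder instead of being silently truncated or padded.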
<br />
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:CHR_ProxMox_installation&diff=34509Manual:CHR ProxMox installation2021-12-20T09:30:17Z<p>Guntis: </p>
<hr />
<div>* Create a new guest with the system disk and other devices as required.<br />
<br />
* Then you have to manually upload the CHR disk (in qcow format) on the ProxMox host.<br />
<br />
* Use ''scp'' or any other comparable tool as that will use SSH for the upload and it does not require any additional configuration.<br />
<br />
* Either copy the file to the server and then manually edit the VM's .conf file or replace previously created system image file used for booting the guest.<br />
<br />
* Local storage on ProxMox is in ''/var/lib/vz'' directory. There should be a subdirectory called ''images'' with a directory for each VM (named by the VM number). You can copy the files directly there.<br />
<br />
* For adding the existing file to the VM, edit the VM's .conf file directly. Look in ''/etc/pve/qemu-server/'' for a file with the VM number followed by .conf.<br />
<br />
{{Note|It's a good idea to create a second test VM so you can refer to its .conf file to make sure you get the syntax right}}<br />
<br />
==== Alternative approach ====<br />
<br />
* Create Basic VM via ProxMox web GUI.<br />
* Make sure that VM storage is on local storage (this way there will be no need to work with the LVM configuration, and the disk image can be moved later on to LVM or other desired storage if needed).<br />
* Log into ProxMox host via SSH and navigate to VM image directory. Default local storage is located in: ''/var/lib/vz/images/(VM_ID)''<br />
* Via scp, wget or any other tool download CHR raw image (.img file) into this directory.<br />
* Now convert the CHR raw image to qcow2 format using qemu-img tool:<br />
<pre>qemu-img convert -f raw -O qcow2 chr-6.40.3.img vm-(VM_ID)-disk-1.qcow2</pre><br />
<br />
==== Bash script approach ====<br />
<br />
If you have access to the ProxMox host, a CHR VM can also be created quickly via a BASH script. Below is an example of one such script.<br />
<br />
What this script does:<br />
* Stores tmp files in: ''/root/temp'' dir.<br />
* Downloads raw image archive from MikroTik download page.<br />
* Converts image file to qcow format.<br />
* Creates basic VM that is attached to MGMT bridge.<br />
<br />
<pre><br />
#!/bin/bash<br />
<br />
#vars<br />
version="nil"<br />
vmID="nil"<br />
<br />
echo "############## Start of Script ##############<br />
<br />
## Checking if temp dir is available..."<br />
if [ -d /root/temp ]<br />
then<br />
    echo "-- Directory exists!"<br />
else<br />
    echo "-- Creating temp dir!"<br />
    mkdir /root/temp<br />
fi<br />
# Ask user for version<br />
echo "## Preparing for image download and VM creation!"<br />
read -r -p "Please input CHR version to deploy (6.38.2, 6.40.1, etc):" version<br />
# Check if image is available and download if needed<br />
if [ -f "/root/temp/chr-$version.img" ]<br />
then<br />
    echo "-- CHR image is available."<br />
else<br />
    echo "-- Downloading CHR $version image file."<br />
    cd /root/temp || exit 1<br />
    echo "---------------------------------------------------------------------------"<br />
    # Stop if the download or extraction fails, so no VM is created without a disk image<br />
    wget "https://download.mikrotik.com/routeros/$version/chr-$version.img.zip" || exit 1<br />
    unzip "chr-$version.img.zip" || exit 1<br />
    echo "---------------------------------------------------------------------------"<br />
fi<br />
# List already existing VM's and ask for vmID<br />
echo "== Printing list of VM's on this hypervisor!"<br />
qm list<br />
echo ""<br />
read -r -p "Please Enter free vm ID to use:" vmID<br />
echo ""<br />
# Create storage dir for VM; keep asking while the chosen ID already has an image dir.<br />
while [ -d "/var/lib/vz/images/$vmID" ]<br />
do<br />
    echo "-- VM Directory exists! Ideally try another vm ID!"<br />
    read -r -p "Please Enter free vm ID to use:" vmID<br />
done<br />
echo "-- Creating VM image dir!"<br />
mkdir "/var/lib/vz/images/$vmID" || exit 1<br />
# Creating qcow2 image for CHR.<br />
echo "-- Converting image to qcow2 format "<br />
qemu-img convert \<br />
    -f raw \<br />
    -O qcow2 \<br />
    "/root/temp/chr-$version.img" \<br />
    "/var/lib/vz/images/$vmID/vm-$vmID-disk-1.qcow2" || exit 1<br />
# Creating VM<br />
echo "-- Creating new CHR VM"<br />
qm create "$vmID" \<br />
    --name "chr-$version" \<br />
    --net0 virtio,bridge=vmbr0 \<br />
    --bootdisk virtio0 \<br />
    --ostype l26 \<br />
    --memory 256 \<br />
    --onboot no \<br />
    --sockets 1 \<br />
    --cores 1 \<br />
    --virtio0 "local:$vmID/vm-$vmID-disk-1.qcow2"<br />
echo "############## End of Script ##############"<br />
</pre><br />
<br />
==== Useful tips ====<br />
<br />
* Useful snippet to clean up the BASH script from Windows formatting that may interfere with script if it's edited on a Windows workstation:<br />
<pre>sed -i -e 's/\r$//' *.sh</pre></div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34468Manual:Interface/Wireless2021-08-24T12:39:54Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Wireless+Interface}}<br />
==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is time how long ARP record is kept in ARP table after no packets are received from IP. Value '''auto''' equals to the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows to use station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Use of extension channels (e.g. Ce, eC etc) allows additional 20MHz extension channels and if it should be located below or above the control (main) channel. Extension channel allows 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency based on the number of concurrent devices running in every frequency and chooses the “C” - Control channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running - for an AP, one or more clients have to be registered to it; for a station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmits on the lowest data rate had failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory_domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. The ''superchannel'' mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. It should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Specifies an offset for cases where the wireless card operates at a different frequency than the one shown in RouterOS, for example when a frequency converter is used in the card. If your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - the MAC addresses of all multicast packets are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the highest priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully. The setting works on AP. <br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is the older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses the standardized way of including vendor-specific information, which is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) the type also supports the range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports a step feature that makes it possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate the scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels, or to specifically skip the DFS CAC channels in the range 5600-5650MHz, for which detection could take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on longer distance links and could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signal strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each of Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each of Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links are automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface: <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2-nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2-nstreme-802.11'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
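The following check is an added example, not part of the MikroTik manual or of RouterOS: it parses a constructed <code>/interface wireless</code> export and reports property values that the table above itself calls out (''hide-ssid'', ''superchannel'', fixed ''tx-power-mode'' values, disabled ''keepalive-frames'', relaxed WDS matching), applying the table's default ''mode=station'' where the export omits it. The sample export, the line-wrapping convention, the function names and the finding texts are assumptions made for illustration.<br />

```python
import re

# Constructed sample export (not from a real device). Assumption: long lines
# are wrapped with a trailing backslash and an indented continuation line.
SAMPLE_EXPORT = r'''
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n disabled=no frequency-mode=\
    superchannel hide-ssid=yes mode=ap-bridge ssid="Office AP" \
    tx-power=30 tx-power-mode=all-rates-fixed wds-ignore-ssid=yes wds-mode=\
    dynamic
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no \
    keepalive-frames=disabled mode=ap-bridge ssid=Guest
set [ find default-name=wlan3 ] disabled=no hide-ssid=yes ssid=Uplink
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
'''

# key=value, where the value is either a double-quoted string or a bare token.
PAIR = re.compile(r'([\w./-]+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_wireless_export(text):
    """Return {interface: {property: value}} for the /interface wireless menu only."""
    joined = re.sub(r'\\\r?\n[ \t]*', '', text)   # undo backslash line wrapping
    interfaces, menu = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('/'):                  # a new menu path starts here
            menu = line
            continue
        if menu != '/interface wireless' or not line.startswith(('set ', 'add ')):
            continue
        props = {k: v.strip('"') for k, v in PAIR.findall(line)}
        name = props.get('name') or props.get('default-name') or 'item%d' % len(interfaces)
        interfaces[name] = props
    return interfaces

AP_MODES = frozenset({'ap-bridge', 'bridge', 'wds-slave'})  # "AP modes" in the table

# (property, flagged values, modes in which the property has an effect or None, finding)
# Finding texts paraphrase the descriptions in the property table.
RULES = [
    ('hide-ssid', {'yes'}, AP_MODES,
     'does not improve security: SSID is included in other frames sent by the AP'),
    ('keepalive-frames', {'disabled'}, {'ap-bridge'},
     'can lead to "ghost" clients in registration-table'),
    ('frequency-mode', {'superchannel'}, None,
     'conformance testing mode: controlled environments or special permission only'),
    ('frequency-mode', {'manual-txpower'}, None,
     'maximum transmit power is not limited by the country setting'),
    ('tx-power-mode', {'all-rates-fixed', 'manual-table'}, None,
     'can damage the card if transmit power is set above its rated value'),
    ('wds-ignore-ssid', {'yes'}, AP_MODES,
     'SSID of the remote AP is not checked when creating WDS links'),
    ('wds-mode', {'dynamic', 'dynamic-mesh'}, AP_MODES,
     'WDS entries are created for unconfigured devices: restrict peers with connect-list'),
]

def audit(interfaces):
    """Return a list of (interface, property, value, finding) tuples."""
    findings = []
    for name, props in interfaces.items():
        mode = props.get('mode', 'station')       # table default when not exported
        for prop, flagged, modes, finding in RULES:
            value = props.get(prop)
            if value in flagged and (modes is None or mode in modes):
                findings.append((name, prop, value, finding))
    return findings

if __name__ == '__main__':
    for iface, prop, value, finding in audit(parse_wireless_export(SAMPLE_EXPORT)):
        print('%s: %s=%s - %s' % (iface, prop, value, finding))
```

<br />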
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
The 802.11 standard provides means to protect a transmission against transmissions by other devices by using the RTS/CTS protocol. Frame protection helps to fight the "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - a device willing to send a frame first sends a RequestToSend frame and waits for a ClearToSend frame from the intended destination. By "seeing" an RTS or CTS frame, 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves<br />
* "CTS to self" based protection - a device willing to send a frame sends a CTS frame "to itself". As in the RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving the CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive the CTS sent by the other station - in this case stations must use RTS/CTS so that the other station knows not to transmit by seeing the CTS transmitted by the AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on an AP for all frames, regardless of size, use the command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on a client, use the command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol, Nv2 (Nstreme version 2), based on TDMA (Time Division Multiple Access) technology. See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using its own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take<br />
a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long-distance links with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission. This unused time is equal to the ''round trip time'' (the time in which a frame can be sent to and received from the client) and ensures that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period. <br />
<br />
For example, the distance between the Access Point and the client is 30km. A frame is sent in 100us in one direction, so the round-trip-time is ~200us. The '''tdma-period-size''' default value is 2ms, which means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For a 60km wireless link, the round-trip-time is 400us, and the unused time is 20% for the default tdma-period-size of 2ms and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
The access list is used by the access point to restrict allowed connections from other devices and to control connection parameters.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If remote device is matched by rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If no ACL entry matches a client when it connects to the AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then the ACL is ignored for this client for the whole duration of the connection.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then connection is not matched to any ACL rule and if signal drops to -70..-80, client will not be disconnected.<br />
<br />
<br />
For this to work correctly, the client must be matched by at least one of the ACL rules.<br />
<br />
If we modify ACL rules in previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
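<br />
The evaluation order and the warning above can be checked offline with a small model. The following Python sketch is an added example, not MikroTik code: it models only the matching behaviour described in this section, and it assumes that a single-number '''signal-range''' (as in the second rule set above) is a lower bound up to 120 and that a matched client is dropped once its signal leaves the matched rule's range.<br />

```python
from dataclasses import dataclass

ANY_MAC = "00:00:00:00:00:00"   # documented wildcard: matches every client
UNLISTED = "<unlisted>"         # probe value that equals no rule's MAC


@dataclass
class Rule:
    interface: str = "any"
    mac_address: str = ANY_MAC
    signal_range: tuple = (-120, 120)
    authentication: bool = True
    disabled: bool = False


def parse_rule(line):
    """Parse one 'add key=value ...' line; properties not modelled are skipped."""
    rule = Rule()
    for token in line.split()[1:]:
        key, _, value = token.partition("=")
        if key == "signal-range":
            low, _, high = value.partition("..")
            # Assumption: a single number is a lower bound (N..120).
            rule.signal_range = (int(low), int(high) if high else 120)
        elif key == "mac-address":
            rule.mac_address = value.upper()
        elif key == "interface":
            rule.interface = value
        elif key in ("authentication", "disabled"):
            setattr(rule, key, value == "yes")
    return rule


def first_match(rules, interface, mac, signal):
    """Index of the first enabled rule that matches the client, or None."""
    for index, rule in enumerate(rules):
        low, high = rule.signal_range
        if (not rule.disabled
                and rule.interface in ("any", interface)
                and rule.mac_address in (ANY_MAC, mac.upper())
                and low <= signal <= high):
            return index
    return None


def session(rules, interface, mac, signals, default_authentication=True):
    """Follow one client; signals[0] is the signal when it associates."""
    index = first_match(rules, interface, mac, signals[0])
    if index is None:
        # No rule matched at connect time: interface defaults apply and the
        # access list is not consulted again for this connection.
        if not default_authentication:
            return ["rejected"]
        return ["connected (no ACL)"] * len(signals)
    if not rules[index].authentication:
        return ["rejected"]
    low, high = rules[index].signal_range
    states = []
    for signal in signals:
        if not low <= signal <= high:
            states.append("disconnected")
            break
        states.append("connected")
    return states


def unmatched_signals(rules, interface):
    """Signal ranges in which a client with an unlisted MAC matches no rule."""
    gaps, start = [], None
    for signal in range(-120, 122):   # 121 is a sentinel that closes a gap
        covered = signal == 121 or first_match(
            rules, interface, UNLISTED, signal) is not None
        if not covered and start is None:
            start = signal
        elif covered and start is not None:
            gaps.append((start, signal - 1))
            start = None
    return gaps


# Constructed rule set: one strong-signal rule and no catch-all.
STRONG_ONLY = [parse_rule("add interface=wlan2 signal-range=-55")]
# The two-rule set from the page, where weak clients hit authentication=no.
WITH_REJECT = [parse_rule(line) for line in (
    "add interface=wlan2 signal-range=-55",
    "add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56",
)]
CLIENT = "A0:0B:BA:D7:4D:B2"   # MAC taken from the log line quoted on the page

if __name__ == "__main__":
    print("uncovered:", unmatched_signals(STRONG_ONLY, "wlan2"))
    print(session(STRONG_ONLY, "wlan2", CLIENT, [-60, -75, -80]))
    print(session(WITH_REJECT, "wlan2", CLIENT, [-60]))
    print(session(WITH_REJECT, "wlan2", CLIENT, [-41, -50, -56]))
```

An empty result from <code>unmatched_signals</code> means every client is matched by some rule, which is the condition the page requires for signal-based disconnection to be enforced.<br />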
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other stations that are connected to the same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface and the '''interface'''=''all'' defines [[Manual:Interface/List#Lists|interface-list]] “all” name. To make rule that applies only to one wireless interface, specify that interface as a value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If the signal strength of the station goes out of the range that is specified in the rule, the access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end time is expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The Align tool is used to help align devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to a specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of a remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If an SSID or exact wireless protocol is provided in the wireless interface configuration, connect-list SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if the '''area''' value of the AP (a proprietary extension) begins with the specified value.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of the [[#Security Profiles | security profile]] that is used when connecting to matching access points. If the value of this property is ''none'', then the security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of the station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create rules that match those access points that the station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of the station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements in your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to the nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method how to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, you should set their mode to nstreme-dual-slave. When nstreme2 is used, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method how to combine frames. A number of frames may be combined into one bigger one to reduce the amount of protocol overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method how to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer, integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
The AP measures this so that it can tell clients what offset to use for their transmissions. Clients then subtract this offset from their target transmission time, so that propagation delay is accounted for and the transmission arrives at the AP when expected. You may occasionally see a small negative value (a few microseconds) there for close-range clients because of additional unaccounted delay in the transmitter or receiver hardware, which varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect for Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows overriding the pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default=[[Manual:System/identity | Identity]]<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc=This property has effect only when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Do not use certificates. TLS session is established using 2048 bit anonymous Diffie-Hellman key exchange.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'', or is set to ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects how the Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format of how the "called-id" identifier will be passed to RADIUS. When configuring radius server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authenticatio | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authenticatio | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in security-profile with the '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default)<br />
* '''allowed''' - use management protection if supported by remote party (for AP - allow both non-management protection and management protection clients; for client - connect both to APs with and without management protection)<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection; for client - connect only to APs that support management protection)<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before the response from the RADIUS server is received. The access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
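The length rules above, together with the transmit-key behaviour described for '''static-algo-N''' = ''none'', can be checked before a profile is applied. The following is an added example, not RouterOS code; the function names and the dictionary representation of a security profile are assumptions made for illustration.

```python
import string

# Required key length in hex digits per algorithm, as listed in this section.
# For the two WEP algorithms a longer key is cut to exactly this length.
MIN_HEX_DIGITS = {"40bit-wep": 10, "104bit-wep": 26, "tkip": 64, "aes-ccm": 32}
TRUNCATING = {"40bit-wep", "104bit-wep"}


def check_static_key(algo, key_hex):
    """Check one static-algo-N / static-key-N pair.

    Returns (effective_key_hex, problems). effective_key_hex is the part of
    the key that is actually used; problems is a list of messages.
    """
    if algo == "none":
        return "", []
    if algo not in MIN_HEX_DIGITS:
        return "", [f"unknown algorithm {algo!r}"]
    problems = []
    if any(c not in string.hexdigits for c in key_hex):
        problems.append("key contains non-hexadecimal characters")
    if len(key_hex) % 2:
        problems.append("key has an odd number of hex digits")
    need = MIN_HEX_DIGITS[algo]
    if len(key_hex) < need:
        problems.append(f"{algo} needs at least {need} hex digits, got {len(key_hex)}")
    effective = key_hex
    if algo in TRUNCATING and len(key_hex) > need:
        effective = key_hex[:need]
        problems.append(f"{algo} uses only the first {need} hex digits, the rest is ignored")
    return effective.lower(), problems


def lint_profile(profile):
    """Lint a security profile given as a dict of property name -> value
    (hypothetical representation of the 'print' output)."""
    findings = []
    mode = profile.get("mode", "none")
    if mode not in ("static-keys-optional", "static-keys-required"):
        return findings  # static keys are not used in other modes
    for n in range(4):
        algo = profile.get(f"static-algo-{n}", "none")
        _, problems = check_static_key(algo, profile.get(f"static-key-{n}", ""))
        findings += [f"static-key-{n}: {p}" for p in problems]
    # static-transmit-key has the form "key-N"; look up the algorithm of that slot.
    slot = profile.get("static-transmit-key", "key-0").rsplit("-", 1)[-1]
    if profile.get(f"static-algo-{slot}", "none") == "none":
        if mode == "static-keys-optional":
            findings.append(f"transmit key {slot} has algo none: frames will be sent unencrypted")
        else:
            findings.append(f"transmit key {slot} has algo none: frames will not be sent at all")
    return findings


if __name__ == "__main__":
    # Constructed sample profile, not taken from a real device.
    sample = {
        "mode": "static-keys-optional",
        "static-algo-0": "none", "static-key-0": "",
        "static-algo-1": "40bit-wep", "static-key-1": "0123456789abcdef",
        "static-transmit-key": "key-0",
    }
    for line in lint_profile(sample):
        print(line)
```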
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from the matching connect list entry. WDS link will work when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies a compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like a single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This makes it possible to build a repeater setup using only one hardware card. The process of configuration is exactly the same as above, but use mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer allows to capture frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process crc mismatch packets<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the APs available in the frequency range defined in the scan-list.<br />
While the scan command is running, the interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep) background scan is supported, which can be used during the wireless interface operation without disconnecting the wireless link. Background scan is supported only using 802.11 wireless protocol.<br />
<br />
Scan tool will continue scanning for AP until user stops the scan process. It is possible to use 'rounds' setting for the scan tool to do scan through the scan-list entries specific times. It is useful when running scan tool using scripts. Example of scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option makes it possible to run scripted/scheduled scans and save the results in a file for future analysis. Together with the rounds setting, this feature also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to a file, exits the scan and connects the wireless link back. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
Background scan works under the following conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
Scan command is supported also on the Virtual wireless interfaces with such limitations:<br />
* It is possible when virtual interface and its master is fixed on channel (master AP is running or master station is connected to AP).<br />
* Scan is only performed in channel master interface is on.<br />
* It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing the physical button on the board (a few boards have such a button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing the "WPS Accept" button in the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on a few boards that have a physical WPS button marked. For example, hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
WPS Client function allows the wireless client to get the Pre-Shared Key configuration of the AP that has WPS Server enabled.<br />
WPS Client can be enabled by such command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates wireless security profile with the specified name, configures it with security details received from the WPS AP, specifies the wireless interface to use the new created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
A wireless repeater receives the signal from the AP and repeats it locally using the same physical interface so that other clients can connect. This extends the wireless service for the wireless clients.<br />
The wireless repeater function will configure the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, create a virtual AP interface, create a bridge interface and add both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.<br />
When RouterOS wireless client is connected to the AP using 802.11 wireless protocol it will periodically perform the background scan with specific time intervals. When the background scan will find an AP with better signal it will try to roam to that AP. The time intervals between the background scans will become shorter when the wireless signal becomes worse and the background scan interval will become longer when the wireless client signal will get better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (the one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic on the Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag and only data with this tag will be sent out over wireless. This works for all wireless protocols, except that on Nv2 there's no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP doesn't use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of <br />
access-list and RADIUS attributes (for both - regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27 the following setting is available:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
- NAI Realm Encoding (1 byte)<br />
- NAI Realm Length (1 byte)<br />
- NAI Realm (variable)<br />
- EAP Method Count (1 byte)<br />
- EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
- NAI Realm Encoding: 0 (rfc4282)<br />
- NAI Realm Length: 4<br />
- NAI Realm: Test<br />
- EAP Method Count: 1<br />
- EAP Method Length: 2<br />
- EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
<br />
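A decoder for the field layout above, as an added example that is not part of the MikroTik manual: it checks a '''realms-raw''' string for truncated or trailing bytes before it is put into configuration, and rebuilds the value the page gives for "realms=Test:eap-tls". The function names and the EAP name table are this example's own; the layout inside an EAP Method Tuple (method, parameter count, then ID/length/value parameters) is taken from 802.11-2016, section 9.4.5.10.<br />

```python
# Added example: decoder/validator for RouterOS "realms-raw" values.
# Top-level fields follow the list on this page; the layout inside an EAP
# Method Tuple (method, parameter count, ID/length/value parameters) is taken
# from IEEE 802.11-2016, section 9.4.5.10.

# Subset of IANA EAP method type numbers, used for display only.
EAP_METHOD_NAMES = {13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA", 25: "PEAP", 50: "AKA'"}


class Reader:
    """Cursor over a byte string that refuses to read past the end."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def take(self, count, field):
        if self.pos + count > len(self.data):
            raise ValueError(
                f"{field}: need {count} byte(s) at offset {self.pos}, "
                f"only {len(self.data) - self.pos} left")
        chunk = self.data[self.pos:self.pos + count]
        self.pos += count
        return chunk

    def byte(self, field):
        return self.take(1, field)[0]

    def finish(self, field):
        # A declared length that does not match the content is a malformed value.
        if self.pos != len(self.data):
            raise ValueError(
                f"{field}: {len(self.data) - self.pos} unexpected trailing byte(s)")


def parse_realm_tuple(hex_string):
    """Decode one realms-raw string; raise ValueError if it is malformed."""
    try:
        raw = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {exc}") from None

    top = Reader(raw)
    encoding = top.byte("NAI Realm Encoding")
    realm_raw = top.take(top.byte("NAI Realm Length"), "NAI Realm")
    try:
        realm = realm_raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("NAI Realm: not valid UTF-8") from None

    methods = []
    for index in range(top.byte("EAP Method Count")):
        label = f"EAP Method Tuple {index}"
        # Each tuple carries its own length; parse it in a bounded sub-reader.
        body = Reader(top.take(top.byte(label + " length"), label))
        method = body.byte(label + " method")
        params = []
        for _ in range(body.byte(label + " parameter count")):
            param_id = body.byte(label + " parameter ID")
            value = body.take(body.byte(label + " parameter length"),
                              label + " parameter value")
            params.append({"id": param_id, "value": value.hex()})
        body.finish(label)
        methods.append({"method": method,
                        "name": EAP_METHOD_NAMES.get(method, "unknown"),
                        "params": params})
    top.finish("NAI Realm Tuple")
    return {"encoding": encoding, "realm": realm, "eap_methods": methods}


def build_realm_tuple(realm, eap_methods, encoding=0):
    """Encode a realm and EAP method numbers (no method parameters) as hex."""
    realm_raw = realm.encode("utf-8")
    if len(realm_raw) > 255 or len(eap_methods) > 255:
        raise ValueError("realm or method list does not fit a 1-byte length")
    out = bytearray([encoding, len(realm_raw)]) + realm_raw
    out.append(len(eap_methods))
    for method in eap_methods:
        out += bytes([2, method, 0])  # length=2, method, zero parameters
    return out.hex()


if __name__ == "__main__":
    print(parse_realm_tuple("00045465737401020d00"))
    print(build_realm_tuple("Test", [13]))
```
<br />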
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Security&diff=34467Manual:Security2021-08-20T07:00:12Z<p>Guntis: </p>
<hr />
<div>This article describes security measures in RouterOS user authentication. The article applies to RouterOS v6.45 and newer. <br />
<br />
* All passwords on the router are hashed (SHA256) and encrypted (ECC);<br />
* all RADIUS authentications (ssh, local, winbox, webfig, btest, telnet) will use MS-CHAPv2;<br />
* WinBox uses EC-SRP5 for key exchange and authentication (requires the latest WinBox version); both sides verify that the other side knows the password (no man-in-the-middle attack is possible);<br />
* WinBox in ROMON mode requires the agent to be the latest version to be able to connect to latest version routers;<br />
* WinBox uses AES128-CBC-SHA as the encryption algorithm (requires new WinBox version);<br />
* Bandwidth-test uses EC-SRP5 for authentication; older version bandwidth-test clients can connect to a newer version server only in no-authentication mode;<br />
* MAC telnet uses EC-SRP5 for authentication; to connect to a newer server, the client needs to be upgraded;<br />
* WebFig uses ECDH for encryption key exchange;<br />
* Backup by default does not encrypt backup file, password now needs to be provided explicitly to encrypt it;</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34466Manual:Interface/Wireless2021-08-20T05:53:30Z<p>Guntis: </p>
<hr />
<div>==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features such as WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency Selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. Value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows the use of station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Use of extension channels (e.g. Ce, eC etc.) enables additional 20MHz extension channels and specifies whether they are located below or above the control (main) channel. Extension channels allow 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency based on the number of concurrent devices running on every frequency and choose the “C” - Control channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running - for AP one or more clients have to be registered to it, for station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmissions on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''indoors'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in the formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory-domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Allows specifying an offset if the wireless card operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies the maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism: data from the high priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on AP.<br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is the older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) the type also supports the range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep), scan-list supports a step feature that makes it possible to specify the scan step manually. Example: '''scan-list'''=''5500-5600:20'' generates the scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels, or to skip specifically the DFS CAC channels in the 5600-5650MHz range, where detection can take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signals strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each of Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set MCS interval for each of Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links are automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2-nstreme'' - on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2-nstreme-802.11'' - on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
802.11 standard provides means to protect transmission against other device transmission by using RTS/CTS protocol. Frame protection helps to fight "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - device willing to send frame at first sends RequestToSend frame and waits for ClearToSend frame from intended destination. By "seeing" RTS or CTS frame 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves<br />
* "CTS to self" based protection - device willing to send frame sends CTS frame "to itself". As in RTS/CTS protocol every 802.11 compliant device receiving this frame know not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive CTS sent by other station - in this case stations must use RTS/CTS so that other station knows not to transmit by seeing CTS transmitted by AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distance links with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission. This unused time is equal to the ''round trip time'' (the time in which a frame can be sent to and received from the client) and ensures that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period.<br />
<br />
For example, the distance between Access Point and client is 30km. A frame travels in one direction in 100us, so the round-trip-time is ~200us. The '''tdma-period-size''' default value is 2ms, which means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For a 60km wireless link, round-trip-time is 400us, so unused time is 20% for the default tdma-period-size of 2ms, and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If remote device is matched by rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If there is no entry in the ACL for a client that connects to the AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then the ACL is ignored for this client for the entire duration of the connection.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then connection is not matched to any ACL rule and if signal drops to -70..-80, client will not be disconnected.<br />
<br />
<br />
To make it work correctly it is required that client is matched by any of ACL rules.<br />
<br />
If we modify ACL rules in previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
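<br />
The following is an added example, not RouterOS code: a simplified Python model of the evaluation rules listed under Operation, replaying both rule sets above.<br />
It assumes '''default-authentication'''=''yes'' on the interface and that ''signal-range=-55'' is read as ''-55..120''; the class names and the client MAC address are constructed for illustration.<br />

```python
"""Simplified model of /interface wireless access-list evaluation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"          # all-zero MAC matches every client
CLIENT = "02:00:00:00:00:01"           # constructed sample client address


@dataclass
class AclRule:
    interface: str = "any"              # "any" or one interface name (lists not modelled)
    mac_address: str = ANY_MAC
    signal_range: Tuple[int, int] = (-120, 120)
    authentication: bool = True
    disabled: bool = False

    def in_range(self, signal: int) -> bool:
        low, high = self.signal_range
        return low <= signal <= high

    def matches(self, iface: str, mac: str, signal: int) -> bool:
        if self.disabled:                                   # disabled rules are ignored
            return False
        if self.interface not in ("any", iface):
            return False
        if self.mac_address != ANY_MAC and self.mac_address.lower() != mac.lower():
            return False
        return self.in_range(signal)


class AccessPointModel:
    def __init__(self, rules: List[AclRule], default_authentication: bool = True):
        self.rules = rules
        self.default_authentication = default_authentication  # assumed interface setting
        # MAC -> index of the rule bound at association, None when no rule matched
        self.registered: Dict[str, Optional[int]] = {}

    def associate(self, iface: str, mac: str, signal: int) -> str:
        # Rules are checked in order and only the first match is applied.
        index = next((i for i, rule in enumerate(self.rules)
                      if rule.matches(iface, mac, signal)), None)
        if index is None:
            if not self.default_authentication:
                return "rejected: no rule, default-authentication=no"
            self.registered[mac] = None
            return "accepted: not in ACL, interface defaults"
        if not self.rules[index].authentication:
            return f"rejected: rule {index} authentication=no"
        self.registered[mac] = index
        return f"accepted: rule {index}"

    def signal_changed(self, mac: str, signal: int) -> bool:
        """Return True if the client is still connected after the signal change."""
        if mac not in self.registered:
            return False
        index = self.registered[mac]
        if index is None:
            return True        # unmatched at association: ACL ignored for this connection
        if self.rules[index].in_range(signal):
            return True
        del self.registered[mac]   # left the matched rule's signal-range: disconnected
        return False


def single_rule_ap() -> AccessPointModel:
    # add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0
    return AccessPointModel([AclRule(interface="wlan2", signal_range=(-55, 0))])


def two_rule_ap() -> AccessPointModel:
    # add interface=wlan2 signal-range=-55
    # add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56
    return AccessPointModel([
        AclRule(interface="wlan2", signal_range=(-55, 120)),
        AclRule(interface="wlan2", signal_range=(-120, -56), authentication=False),
    ])


if __name__ == "__main__":
    for name, ap in (("single rule", single_rule_ap()), ("two rules", two_rule_ap())):
        print(name)
        print("  join at -41 :", ap.associate("wlan2", CLIENT, -41))
        print("  drop to -70 : connected =", ap.signal_changed(CLIENT, -70))
        print("  rejoin -70  :", ap.associate("wlan2", CLIENT, -70))
        print("  drop to -80 : connected =", ap.signal_changed(CLIENT, -80))
```

In this model the single-rule AP ends with the weak client registered through the interface defaults, while the two-rule AP refuses it on every attempt.<br />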
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other station that are connected to same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface and the '''interface'''=''all'' defines [[Manual:Interface/List#Lists|interface-list]] “all” name. To make rule that applies only to one wireless interface, specify that interface as a value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If signal strength of the station will go out of the range that is specified in the rule, access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end time is expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The align tool helps with aligning devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of the remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If an SSID or an exact wireless protocol is provided in the wireless interface configuration, connect-list SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if the '''area''' value of the AP (a proprietary extension) begins with the specified value.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of [[#Security Profiles | security profile]] that is used when connecting to matching access points. If value of this property is ''none'', then security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create rules that match the access points that the station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
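A simplified model of the connect-list decisions behind the four procedures above, added here as an illustration; it is not RouterOS code. It assumes rules are checked top-down with the first match deciding, that '''default-authentication''' applies when no rule matches, and that a station prefers the access point matched by the highest rule (breaking ties by signal strength is an assumption of this model); the scan results are constructed.<br />

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"  # RouterOS default for mac-address: matches any AP


@dataclass
class AP:
    mac: str
    ssid: str
    signal: int  # dBm as seen by the station


@dataclass
class Rule:
    """One connect-list rule; only the properties used in this section are modelled."""
    interface: str
    connect: bool
    mac_address: str = ANY_MAC
    ssid: str = ""                               # empty value matches any SSID
    signal_range: Tuple[int, int] = (-120, 120)  # documented default

    def matches(self, iface: str, ap: AP) -> bool:
        if self.interface != iface:
            return False
        if self.mac_address != ANY_MAC and self.mac_address.lower() != ap.mac.lower():
            return False
        if self.ssid and self.ssid != ap.ssid:
            return False
        low, high = self.signal_range
        return low <= ap.signal <= high


def decide(rules: List[Rule], iface: str, default_authentication: bool,
           ap: AP) -> Tuple[bool, Optional[int]]:
    """Return (connection allowed?, index of the deciding rule or None)."""
    for index, rule in enumerate(rules):
        if rule.matches(iface, ap):
            return rule.connect, index       # first matching rule decides
    return default_authentication, None      # no rule matched: interface default


def choose_ap(rules: List[Rule], iface: str, default_authentication: bool,
              scan: List[AP]) -> Optional[AP]:
    """Pick the AP matched by the highest connect=yes rule; None if all are refused."""
    candidates = []
    for ap in scan:
        allowed, index = decide(rules, iface, default_authentication, ap)
        if allowed:
            rank = index if index is not None else len(rules)
            candidates.append((rank, -ap.signal, ap.mac, ap))
    if not candidates:
        return None
    return min(candidates, key=lambda c: c[:3])[3]


# Constructed scan: an unknown AP advertising the same SSID with the best signal.
SCAN = [
    AP("00:11:22:33:44:55", "corp", -40),
    AP("00:11:22:33:00:02", "corp", -60),
    AP("00:11:22:33:00:01", "corp", -70),
]


def restrict_to_known() -> Optional[AP]:
    # default-authentication=no plus two connect=yes rules
    rules = [Rule("station-wlan", True, "00:11:22:33:00:01"),
             Rule("station-wlan", True, "00:11:22:33:00:02")]
    return choose_ap(rules, "station-wlan", False, SCAN)


def with_signal_floor() -> Optional[AP]:
    # same allow-list, but each rule only matches at -65 dBm or better
    rules = [Rule("station-wlan", True, "00:11:22:33:00:01", signal_range=(-65, 120)),
             Rule("station-wlan", True, "00:11:22:33:00:02", signal_range=(-65, 120))]
    return choose_ap(rules, "station-wlan", False, SCAN)


def block_one_ap() -> Optional[AP]:
    # default-authentication=yes plus one connect=no rule
    rules = [Rule("station-wlan", False, "00:11:22:33:44:55")]
    return choose_ap(rules, "station-wlan", True, SCAN)


def allow_then_deny_all() -> List[bool]:
    # allowed peer at the top, deny-all rule (default mac-address) at the end
    rules = [Rule("station-wlan", True, "00:11:22:33:00:02"),
             Rule("station-wlan", False)]
    return [decide(rules, "station-wlan", True, ap)[0] for ap in SCAN]


if __name__ == "__main__":
    print(restrict_to_known(), with_signal_floor(), block_one_ap(), allow_then_deny_all())
```

In the allow-list cases the unknown access point is never selected despite having the strongest signal, and the deny-all rule overrides '''default-authentication'''=''yes'' for every peer not matched earlier.<br />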
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
This menu is used to gather information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=allowed-channels <br />
|type=<br />
|desc=List of available channels for each band<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=country-info<br />
|type=<br />
|desc=Takes country name as argument, shows available bands, frequencies and maximum transmit power for each frequency.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements of your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 point-to-point connection. To put wireless interfaces into an nstreme2 group, set their mode to nstreme-dual-slave. When nstreme2 is used, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into one bigger frame to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method how to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer,integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
AP measures this so that it can tell clients what offset to use for their transmissions - clients then subtract this offset from their target transmission time such that propagation delay is accounted for and transmission arrives at AP when expected. You may occasionally see a small negative value (a few microseconds) there for close-range clients because of additional unaccounted delay that may be produced in transmitter or receiver hardware and that varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
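One way to use these read-only properties for monitoring, added here as an example and not part of RouterOS: the script flags peers whose '''encryption''' is ''tkip'' or absent and compares '''frames''' with '''hw-frames''' to estimate retransmits. The records are constructed, and the key=value layout, the 10% threshold, treating a missing '''encryption''' value as an unencrypted link and treating the first number of each counter pair as the sent side are assumptions.<br />

```python
from typing import Dict, List

# Constructed sample records in key=value form, one registered peer per line;
# not captured from a real device.
SAMPLE = """\
interface=wlan1 mac-address=00:11:22:33:00:01 encryption=aes-ccm frames=10000,9500 hw-frames=10200,9500
interface=wlan1 mac-address=00:11:22:33:00:02 encryption=tkip frames=8000,7000 hw-frames=12000,7000
interface=wlan1 mac-address=00:11:22:33:44:55 frames=500,400 hw-frames=500,400
"""

RETRANSMIT_THRESHOLD = 0.10  # assumed alerting threshold; tune per link


def parse_records(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of registration-table properties."""
    records = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "mac-address" in fields:
            records.append(fields)
    return records


def tx_count(value: str) -> int:
    """First number of an 'integer,integer' counter (assumed to be the sent side)."""
    return int(value.split(",")[0])


def retransmit_ratio(record: Dict[str, str]) -> float:
    """Share of frames put on the air by the driver that were retransmissions."""
    frames = tx_count(record.get("frames", "0,0"))
    hw_frames = tx_count(record.get("hw-frames", "0,0"))
    if hw_frames == 0 or hw_frames <= frames:
        return 0.0
    return (hw_frames - frames) / hw_frames


def audit(text: str) -> Dict[str, List[str]]:
    """Map each peer MAC address to a list of finding codes (empty list = clean)."""
    findings: Dict[str, List[str]] = {}
    for record in parse_records(text):
        issues = []
        cipher = record.get("encryption")
        if cipher is None:
            issues.append("unencrypted")   # assumption: no value means no cipher
        elif cipher == "tkip":
            issues.append("tkip")          # TKIP is deprecated; prefer aes-ccm
        if retransmit_ratio(record) > RETRANSMIT_THRESHOLD:
            issues.append("retransmits")
        findings[record["mac-address"]] = issues
    return findings


if __name__ == "__main__":
    for mac, issues in audit(SAMPLE).items():
        print(mac, ",".join(issues) or "ok")
```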
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but allow also to receive and send unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that supports at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows to override pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default=[[Manual:System/identity | Identity]]<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc=This property has effect only when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Do not use certificates. TLS session is established using 2048 bit anonymous Diffie-Hellman key exchange.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects the way how Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format of how the "called-id" identifier will be passed to RADIUS. When configuring radius server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authenticatio | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authenticatio | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements proprietary management frame protection algorithm based on shared secret. Management frame protection means that RouterOS wireless device is able to verify source of management frame and confirm that particular frame is not malicious. This feature allows to withstand deauthentication and disassociation attacks on RouterOS based wireless devices.<br />
<br />
Management protection mode is configured in security-profile with '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default).<br />
* '''allowed''' - use management protection if supported by remote party (for AP - allow both non-management protection and management protection clients; for client - connect to APs both with and without management protection).<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection; for client - connect only to APs that support management protection).<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
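<br />
Added example (not part of the MikroTik manual): a Python sketch that rebuilds the Access-Request attribute values listed above from the security-profile settings, so the entries provisioned on the RADIUS server can be checked against what the access point will send. Upper-case hex digits, the use of '''radius-called-format''' for this request with its ''mac'' and ''ssid'' layouts, the Acct-Session-Id placeholder and all sample addresses are assumptions.<br />

```python
import re

# Values accepted by radius-mac-format, copied from the property table.
MAC_FORMATS = (
    "XX:XX:XX:XX:XX:XX", "XXXX:XXXX:XXXX", "XXXXXX:XXXXXX",
    "XX-XX-XX-XX-XX-XX", "XXXXXX-XXXXXX", "XXXXXXXXXXXX",
    "XX XX XX XX XX XX",
)


def format_mac(mac, template="XX:XX:XX:XX:XX:XX"):
    """Re-encode a MAC address by filling each X of the template with a digit."""
    if template not in MAC_FORMATS:
        raise ValueError(f"not a radius-mac-format value: {template!r}")
    digits = re.sub(r"[:\-. ]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    # Assumption: upper-case hex digits; the page does not state the case.
    source = iter(digits.upper())
    return "".join(next(source) if ch == "X" else ch for ch in template)


def called_station_id(ap_mac, ssid, called_format="mac:ssid"):
    """Called-Station-Id value for one radius-called-format setting."""
    mac = format_mac(ap_mac, "XX-XX-XX-XX-XX-XX")
    # "mac:ssid" is the encoding documented above; the layouts used here
    # for "mac" and "ssid" on their own are assumptions.
    layouts = {"mac": mac, "mac:ssid": f"{mac}:{ssid}", "ssid": ssid}
    if called_format not in layouts:
        raise ValueError(f"not a radius-called-format value: {called_format!r}")
    return layouts[called_format]


def mac_auth_request(client_mac, ap_mac, ssid, interface, profile):
    """Attributes of the Access-Request sent for RADIUS MAC authentication.

    `profile` is a dict of security-profile properties; missing keys fall
    back to the defaults given in the property table.
    """
    user_name = format_mac(
        client_mac, profile.get("radius-mac-format", "XX:XX:XX:XX:XX:XX"))
    mode = profile.get("radius-mac-mode", "as-username")
    # Both User-Name and User-Password derive from the client MAC alone:
    # the request carries no secret known only to the station.
    attrs = {
        "User-Name": user_name,
        "Nas-Port-Id": interface,
        "User-Password": user_name if mode == "as-username-and-password" else "",
        "Calling-Station-Id": format_mac(client_mac, "XX-XX-XX-XX-XX-XX"),
        "Called-Station-Id": called_station_id(
            ap_mac, ssid, profile.get("radius-called-format", "mac:ssid")),
    }
    if profile.get("radius-mac-accounting", "no") == "yes":
        # Placeholder: the page does not describe how this value is built.
        attrs["Acct-Session-Id"] = "<set by the access point>"
    return attrs


if __name__ == "__main__":
    # Constructed sample values (locally administered MAC addresses).
    request = mac_auth_request(
        "02:00:00:aa:bb:cc", "02:00:00:00:00:01", "guests", "wlan1",
        {"radius-mac-format": "XXXXXX-XXXXXX",
         "radius-mac-mode": "as-username-and-password"})
    for name, value in request.items():
        print(f"{name} = {value!r}")
```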
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require from the access point very quick response to the association request. Such clients time out before response from RADIUS server is received. Access point caches authentication response for some time and can immediately reply to the repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
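<br />
Added example (not part of the MikroTik manual): a Python sketch that parses one entry of the <code>/interface wireless security-profiles print</code> output shown under "Management frame protection", applies the key-length rules above, and lists the settings this page itself describes as weaker. The sample profiles are constructed, and the comma-separated layout of multi-value properties in the output is an assumption.<br />

```python
import re

# Hex digits required per algorithm ("Statically configured WEP keys").
# Second field: True when a longer key is cut down to that many digits.
KEY_RULES = {
    "40bit-wep": (10, True),
    "104bit-wep": (26, True),
    "tkip": (64, False),
    "aes-ccm": (32, False),
}

# key=value or key="quoted value", as laid out by `print`.
PAIR = re.compile(r'([a-z0-9-]+)=("[^"]*"|\S*)')


def parse_profile(print_output):
    """Turn one entry of `security-profiles print` output into a dict."""
    return {key: value.strip('"') for key, value in PAIR.findall(print_output)}


def check_static_key(algo, key):
    """Return (effective_key, problem); exactly one of the two is None."""
    if algo not in KEY_RULES:
        return None, f"unknown algorithm {algo!r}"
    digits, truncated = KEY_RULES[algo]
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        return None, "key is not hexadecimal"
    if len(key) % 2:
        return None, "odd number of hexadecimal digits"
    if len(key) < digits:
        return None, f"{algo} needs at least {digits} hexadecimal digits, got {len(key)}"
    return (key[:digits] if truncated else key).lower(), None


def audit_profile(props):
    """List the settings that this page describes as weaker or misconfigured."""
    findings = []
    mode = props.get("mode", "none")
    if mode == "none":
        findings.append("mode=none: encryption is not used")
    elif mode in ("static-keys-required", "static-keys-optional"):
        findings.append(f"mode={mode}: WEP mode")
        if mode == "static-keys-optional":
            findings.append("static-keys-optional: unencrypted frames are also sent and received")
        for n in range(4):
            algo = props.get(f"static-algo-{n}", "none")
            if algo == "none":
                continue
            key = props.get(f"static-key-{n}", "")
            effective, problem = check_static_key(algo, key)
            if problem:
                findings.append(f"static-key-{n}: {problem}")
            elif len(effective) < len(key):
                findings.append(
                    f"static-key-{n}: only the first {len(effective)} hexadecimal digits are used")
    elif mode == "dynamic-keys":
        for prop in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in props.get(prop, "").split(","):
                findings.append(f"{prop} includes tkip (legacy cipher)")
        # Only has effect on Access Points; the profile alone does not say
        # which role it is used in.
        if props.get("disable-pmkid", "no") == "no":
            findings.append("disable-pmkid=no: PMKID is sent in EAPOL frames")
        uses_eap = any(a.endswith("-eap")
                       for a in props.get("authentication-types", "").split(","))
        if (uses_eap and "eap-tls" in props.get("eap-methods", "").split(",")
                and props.get("tls-mode") == "dont-verify-certificate"):
            findings.append("tls-mode=dont-verify-certificate: remote certificate is not checked")
    if props.get("management-protection", "disabled") == "disabled":
        findings.append("management-protection=disabled: management frames are not verified")
    return findings


# Constructed sample in the layout of the `print` output shown on this page.
SAMPLE_PRINT = '''
 1 name="office-legacy" mode=dynamic-keys
   authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm
   group-ciphers=aes-ccm wpa2-pre-shared-key="constructed example key"
   disable-pmkid=no eap-methods=passthrough tls-mode=no-certificates
   management-protection=allowed management-protection-key="constructed"
'''

if __name__ == "__main__":
    for finding in audit_profile(parse_profile(SAMPLE_PRINT)):
        print(finding)
```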
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from matching connect list entry. WDS link will work when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This allows making a repeater setup using only one hardware card. The process of configuration is exactly the same as above, but use mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer allows to capture frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process packets with a CRC mismatch<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the APs available in the frequency range defined in the scan-list.<br />
While the scan command is running, interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep), background scan is supported, which can be used during wireless interface operation without disconnecting the wireless link. Background scan is supported only with the 802.11 wireless protocol.<br />
<br />
The scan tool will continue scanning for APs until the user stops the scan process. The 'rounds' setting makes the scan tool go through the scan-list entries a specific number of times, which is useful when running the scan tool from scripts. Example of a scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows scripted/scheduled scans to save their results in a file for future analysis. Together with the 'rounds' setting, this also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to a file, exits the scan and reconnects the wireless link. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
Background scan works under the following conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
The scan command is also supported on virtual wireless interfaces, with the following limitations:<br />
* It is possible only when the virtual interface and its master are fixed on a channel (master AP is running or master station is connected to an AP).<br />
* Scan is only performed on the channel the master interface is on.<br />
* It does not matter whether background=yes|no is set - on a virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing a physical button on the board (a few boards have such a button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing the "WPS Accept" button in the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on a few boards that have a physical WPS button marked, for example hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
The WPS Client function allows the wireless client to get the Pre-Shared Key configuration of an AP that has WPS Server enabled.<br />
WPS Client can be enabled with the following command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates a wireless security profile with the specified name, configures it with the security details received from the WPS AP, and sets the wireless interface to use the newly created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
A wireless repeater receives the signal from the AP and repeats it using the same physical interface, so that other clients can connect locally. This extends the wireless service for the wireless clients.<br />
The wireless repeater function configures the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, creates a virtual AP interface, creates a bridge interface and adds both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
The Station Roaming feature is available only for the 802.11 wireless protocol and only for station modes.<br />
When a RouterOS wireless client is connected to the AP using the 802.11 wireless protocol, it periodically performs a background scan at specific time intervals. When the background scan finds an AP with a better signal, the client tries to roam to that AP. The intervals between background scans become shorter when the wireless signal gets worse and longer when the wireless client signal gets better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic on the Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result all data coming from wireless gets tagged with this tag, and only data with this tag is sent out over wireless. This works for all wireless protocols, except that on Nv2 there is no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP does not use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses the 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses the 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of <br />
access-list and RADIUS attributes (for both - regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27, the following setting is available:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex-encoded string must consist of the following fields:<br />
* NAI Realm Encoding (1 byte)<br />
* NAI Realm Length (1 byte)<br />
* NAI Realm (variable)<br />
* EAP Method Count (1 byte)<br />
* EAP Method Tuples (variable)<br />
<br />
For example, the value "00045465737401020d00" decodes as:<br />
* NAI Realm Encoding: 0 (rfc4282)<br />
* NAI Realm Length: 4<br />
* NAI Realm: Test<br />
* EAP Method Count: 1<br />
* EAP Method Length: 2<br />
* EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
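<br />
The field layout above can be checked before a value is pasted into '''realms-raw'''. The following decoder/encoder is an added example, not RouterOS or MikroTik code; its function names are hypothetical, the EAP method numbers are the IANA type numbers, and it goes beyond the example on this page by also parsing authentication parameters (ID, length, value) inside each EAP Method Tuple as laid out in 802.11-2016, section 9.4.5.10.<br />

```python
# Added example: decode/encode RouterOS "realms-raw" strings using the field
# layout listed on this page (NAI Realm Tuple without the leading
# "NAI Realm Data Field Length"). Function and class names are hypothetical.

# IANA EAP method type numbers, small subset used only for display.
EAP_METHODS = {13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA", 25: "PEAP"}


class RealmFormatError(ValueError):
    """The hex string does not match the NAI Realm Tuple layout."""


def _take(buf, pos, n, what):
    """Return (buf[pos:pos+n], new_pos); reject reads past the end."""
    if pos + n > len(buf):
        raise RealmFormatError(f"truncated while reading {what} at byte {pos}")
    return buf[pos:pos + n], pos + n


def decode_realm(hex_string):
    """Parse one realms-raw value into a dict; raise RealmFormatError if malformed."""
    try:
        buf = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise RealmFormatError(f"not valid hex: {exc}") from None
    pos = 0
    (encoding,), pos = _take(buf, pos, 1, "NAI Realm Encoding")
    (realm_len,), pos = _take(buf, pos, 1, "NAI Realm Length")
    realm_raw, pos = _take(buf, pos, realm_len, "NAI Realm")
    (method_count,), pos = _take(buf, pos, 1, "EAP Method Count")
    try:
        realm = realm_raw.decode("utf-8")
    except UnicodeDecodeError:
        raise RealmFormatError("NAI Realm is not valid UTF-8") from None

    methods = []
    for i in range(method_count):
        # EAP Method Length counts the bytes that follow it:
        # method (1) + parameter count (1) + parameters.
        (m_len,), pos = _take(buf, pos, 1, f"EAP Method {i} Length")
        body, pos = _take(buf, pos, m_len, f"EAP Method {i} Tuple")
        if m_len < 2:
            raise RealmFormatError(f"EAP Method {i} Length {m_len} is below 2")
        method, param_count = body[0], body[1]
        params, p = [], 2
        for j in range(param_count):
            (p_id, p_len), p = _take(body, p, 2, f"method {i} parameter {j} header")
            value, p = _take(body, p, p_len, f"method {i} parameter {j} value")
            params.append((p_id, value.hex()))
        if p != len(body):
            raise RealmFormatError(f"EAP Method {i}: {len(body) - p} unparsed bytes")
        methods.append({"method": method,
                        "name": EAP_METHODS.get(method, "unknown"),
                        "params": params})
    if pos != len(buf):
        raise RealmFormatError(f"{len(buf) - pos} trailing bytes after last tuple")
    return {"encoding": encoding, "realm": realm, "methods": methods}


def encode_realm(realm, methods, encoding=0):
    """Build a realms-raw hex string.

    methods is a list of (eap_method_number, [(param_id, value_bytes), ...]).
    """
    realm_b = realm.encode("utf-8")
    if len(realm_b) > 255 or len(methods) > 255:
        raise RealmFormatError("realm or method list does not fit a 1-byte length")
    out = bytearray([encoding, len(realm_b)]) + realm_b
    out.append(len(methods))
    for method, params in methods:
        body = bytearray([method, len(params)])
        for p_id, value in params:
            body += bytes([p_id, len(value)]) + value
        if len(body) > 255:
            raise RealmFormatError("EAP Method Tuple does not fit a 1-byte length")
        out.append(len(body))
        out += body
    return out.hex()


if __name__ == "__main__":
    # The value from this page, then a constructed value with one parameter.
    print(decode_realm("00045465737401020d00"))
    constructed = encode_realm("example.com", [(21, [(2, b"\x04")])])
    print(constructed, decode_realm(constructed))
```

A value that raises RealmFormatError (odd-length hex, a length byte that runs past the end, trailing bytes) does not match the tuple layout and should be corrected before it is configured.<br />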
<br />
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34462Manual:Interface/Wireless2021-08-06T06:09:20Z<p>Guntis: </p>
<hr />
<div>==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features such as WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. Value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows the use of station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Use of extension channels (e.g. Ce, eC etc.) allows additional 20MHz extension channels and defines whether they are located below or above the control (main) channel. Extension channels allow 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency, based on the number of concurrent devices running on every frequency, and choose the “C” - Control channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running - for an AP, one or more clients have to be registered to it; for a station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmits on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoors'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory-domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Allows specifying an offset if the wireless card operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies the maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmission over the wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmitting a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establish WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the highest priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on AP.<br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) type also support range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list support step feature where it is possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate such scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels or specifically skip DFS CAC channels in the range 5600-5650MHz, for which detection could take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=sets up tx-power mode for wireless card<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signal strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each Spatial Stream<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies protocol used on wireless interface; <br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2-nstreme'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2-nstreme-802.11'' : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
The 802.11 standard provides means to protect a transmission against transmissions by other devices by using the RTS/CTS protocol. Frame protection helps to fight the "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - a device willing to send a frame first sends a RequestToSend frame and waits for a ClearToSend frame from the intended destination. By "seeing" an RTS or CTS frame, 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves.<br />
* "CTS to self" based protection - a device willing to send a frame sends a CTS frame "to itself". As in the RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving the CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive the CTS sent by the other station - in this case stations must use RTS/CTS so that the other station knows not to transmit by seeing the CTS transmitted by the AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distance with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission (equal to the ''round trip time'' - the time in which a frame can be sent to and received from the client). This ensures that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period. <br />
<br />
For example, the distance between Access Point and client is 30km. Frame is sent in 100us one direction, respectively round-trip-time is ~200us. '''tdma-period-size''' default value is 2ms, it means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of time is unused. For 60km wireless link, round-trip-time is 400ms, unused time is 20% for default tdma-period-size 2ms, and 10% for 4ms. Bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If remote device is matched by rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If no ACL entry matches a client when it connects to the AP (log message: wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), the ACL is ignored for this client for the whole duration of the connection.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then connection is not matched to any ACL rule and if signal drops to -70..-80, client will not be disconnected.<br />
<br />
<br />
For this to work correctly, the client must be matched by one of the ACL rules.<br />
<br />
If we modify ACL rules in previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
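<br />
The requirement that every client is matched by some rule can be checked before a rule set is deployed. The following is an added example, not part of the original manual or of RouterOS: it parses access-list rules in the form shown above and reports which signal values on an interface are not covered by any catch-all rule. Function names are hypothetical, and it assumes that a single value such as ''signal-range=-55'' means ''-55..120'', and that rules limited by '''mac-address''' or '''time''' do not count as catch-all coverage.<br />

```python
import shlex

SIGNAL_MIN, SIGNAL_MAX = -120, 120   # signal-range bounds from the property table
ANY_MAC = "00:00:00:00:00:00"        # default mac-address, matches every client

# The two rule sets from the text above, embedded as sample input.
ONLY_STRONG_RULE = """
/interface wireless access-list
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0
"""
FULL_COVERAGE = """
/interface wireless access-list
add interface=wlan2 signal-range=-55
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56
"""


def parse_rules(export_text):
    """Turn 'add key=value ...' lines into dicts, filling in documented defaults."""
    rules = []
    for line in export_text.splitlines():
        tokens = shlex.split(line.strip())
        if not tokens or tokens[0] != "add":
            continue  # menu path lines and blanks carry no rule
        rule = {"interface": "any", "mac-address": ANY_MAC, "disabled": "no",
                "authentication": "yes", "signal-range": "-120..120"}
        rule.update(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        rules.append(rule)
    return rules


def parse_signal_range(value):
    """'LOW..HIGH' -> (LOW, HIGH); a bare 'LOW' is assumed to mean LOW..120."""
    low, _, high = value.partition("..")
    return int(low), (int(high) if high else SIGNAL_MAX)


def uncovered_signal_ranges(rules, interface):
    """Return (low, high) signal intervals that no catch-all rule matches.

    A client connecting with a signal inside a returned interval matches no
    rule, so the access list is ignored for the rest of its connection.
    """
    covered = [False] * (SIGNAL_MAX - SIGNAL_MIN + 1)
    for rule in rules:
        if rule["disabled"] == "yes":
            continue  # disabled rules are always ignored
        # 'all' names the interface list "all"; assumed here to include the interface
        if rule["interface"] not in ("any", "all", interface):
            continue
        if rule["mac-address"].lower() != ANY_MAC or "time" in rule:
            continue  # per-client or time-limited rule: not a catch-all
        low, high = parse_signal_range(rule["signal-range"])
        for signal in range(max(low, SIGNAL_MIN), min(high, SIGNAL_MAX) + 1):
            covered[signal - SIGNAL_MIN] = True

    gaps, start = [], None
    for signal in range(SIGNAL_MIN, SIGNAL_MAX + 2):  # one past the end closes a gap
        is_gap = signal <= SIGNAL_MAX and not covered[signal - SIGNAL_MIN]
        if is_gap and start is None:
            start = signal
        elif not is_gap and start is not None:
            gaps.append((start, signal - 1))
            start = None
    return gaps


if __name__ == "__main__":
    for name, text in (("single rule", ONLY_STRONG_RULE), ("two rules", FULL_COVERAGE)):
        print(name, uncovered_signal_ranges(parse_rules(text), "wlan2"))
```

An empty result means every connecting client is matched by some rule, including an '''authentication'''=''no'' rule that rejects it.<br />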
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other stations that are connected to the same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface and the '''interface'''=''all'' defines [[Manual:Interface/List#Lists|interface-list]] “all” name. To make a rule that applies only to one wireless interface, specify that interface as the value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If signal strength of the station will go out of the range that is specified in the rule, access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end time is expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The align tool is used to help align devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of a remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If SSID or exact wireless protocol is provided in the wireless interface configuration, Connect List SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
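<br />
The station-mode selection rules listed above, modelled as an added example that is not part of the original manual or of RouterOS. Class and function names are hypothetical and the scan results are constructed. It assumes the station interface '''ssid''' is empty (so the rule '''ssid''' has effect), breaks ties between access points matched by the same rule by signal strength, and does not model security compatibility.<br />

```python
from dataclasses import dataclass

ANY_MAC = "00:00:00:00:00:00"  # default mac-address: matches any access point


@dataclass
class AccessPoint:
    mac: str
    ssid: str
    signal: int


@dataclass
class ConnectRule:
    interface: str                      # each rule applies to exactly one interface
    connect: bool = True
    mac_address: str = ANY_MAC
    ssid: str = ""                      # empty value matches any SSID
    signal_range: tuple = (-120, 120)
    disabled: bool = False

    def matches(self, interface, ap):
        low, high = self.signal_range
        return (not self.disabled
                and self.interface == interface
                and self.mac_address.lower() in (ANY_MAC, ap.mac.lower())
                and self.ssid in ("", ap.ssid)
                and low <= ap.signal <= high)


def first_match(rules, interface, ap):
    """Rules are checked sequentially; only the first matching rule applies."""
    for index, rule in enumerate(rules):
        if rule.matches(interface, ap):
            return index
    return None


def choose_access_point(rules, interface, visible_aps, default_authentication):
    """Return the access point a station would try, or None if it stays idle."""
    allowed, unmatched = [], []
    for ap in visible_aps:
        index = first_match(rules, interface, ap)
        if index is None:
            unmatched.append(ap)
        elif rules[index].connect:
            allowed.append((index, ap))
        # first match has connect=no: connection is never attempted
    if allowed:
        # The AP matched by the rule higher in the list wins, regardless of signal.
        return min(allowed, key=lambda pair: (pair[0], -pair[1].signal))[1]
    if default_authentication and unmatched:
        # No connect=yes match: default-authentication=yes picks the best signal.
        return max(unmatched, key=lambda ap: ap.signal)
    return None


# Constructed scan: two known access points and one unlisted access point that
# advertises the same SSID with the strongest signal.
SCAN = [
    AccessPoint("00:11:22:33:00:01", "corp", -70),
    AccessPoint("00:11:22:33:00:02", "corp", -60),
    AccessPoint("AA:BB:CC:00:00:99", "corp", -35),
]
ALLOW_LIST = [
    ConnectRule("station-wlan", mac_address="00:11:22:33:00:01"),
    ConnectRule("station-wlan", mac_address="00:11:22:33:00:02"),
]
DENY_LIST = [
    ConnectRule("station-wlan", connect=False, mac_address="AA:BB:CC:00:00:99"),
]

if __name__ == "__main__":
    print(choose_access_point(ALLOW_LIST, "station-wlan", SCAN, False))
    print(choose_access_point(ALLOW_LIST, "station-wlan", SCAN[2:], False))
    print(choose_access_point(ALLOW_LIST, "station-wlan", SCAN[2:], True))
    print(choose_access_point(DENY_LIST, "station-wlan", SCAN, True))
```

With only the unlisted access point in range, the allow list keeps the station disconnected only while '''default-authentication'''=''no''; with ''yes'' the station falls back to the strongest unmatched access point.<br />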
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if the '''area''' value of the AP (a proprietary extension) begins with the specified value.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of [[#Security Profiles | security profile]] that is used when connecting to matching access points. If the value of this property is ''none'', then the security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create '''connect'''=''no'' rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements of your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to the nstreme mode. In this case the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, you should set their mode to nstreme-dual-slave. When nstreme2 is used, many parameters from the /interface wireless menu are ignored, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into one bigger frame to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method how to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer,integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
AP measures this so that it can tell clients what offset to use for their transmissions - clients then subtract this offset from their target transmission time such that propagation delay is accounted for and transmission arrives at AP when expected. You may occasionally see a small negative value (a few microseconds) there for close-range clients because of additional unaccounted delay that may be produced in transmitter or receiver hardware and that varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID into EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect for Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows overriding the pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default=[[Manual:System/identity | Identity]]<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc=This property has effect only when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Do not use certificates. TLS session is established using 2048 bit anonymous Diffie-Hellman key exchange.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects how the Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format of how the "called-id" identifier will be passed to RADIUS. When configuring radius server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in security-profile with the '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default)<br />
* '''allowed''' - use management protection if supported by remote party (for AP - allow both non-management protection and management protection clients; for client - connect to APs both with and without management protection)<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection; for client - connect only to APs that support management protection)<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
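<br />
The following Python code is an added example, not part of the original manual or of RouterOS: it parses <code>print</code> output of this menu and reports the settings that the property descriptions above mark as weaker (no encryption, WEP modes, ''tkip'', PMKID included, unverified TLS, management protection not required). The sample output, the profile names and all function names are constructed for illustration; defaults for missing properties are taken from the tables above.<br />
<br />
```python
import re

# Constructed sample in the layout of `/interface wireless security-profiles print`
# (profile names and values are made up for this example).
SAMPLE_PRINT = '''\
 0 name="default" mode=none authentication-types="" unicast-ciphers=""
   group-ciphers="" eap-methods=passthrough tls-mode=no-certificates
   management-protection=disabled management-protection-key=""
 1 name="legacy" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk
   unicast-ciphers=tkip,aes-ccm group-ciphers=tkip disable-pmkid=no
   eap-methods=passthrough tls-mode=no-certificates
   management-protection=allowed
 2 name="strict" mode=dynamic-keys authentication-types=wpa2-psk
   unicast-ciphers=aes-ccm group-ciphers=aes-ccm disable-pmkid=yes
   eap-methods=passthrough tls-mode=no-certificates
   management-protection=required
'''

# An entry starts with its number, an optional flag column, then key=value pairs.
ENTRY_START = re.compile(r'^\s*\d+\s+(?:[A-Z*]+\s+)?(?=[\w.-]+=)')
PAIR = re.compile(r'([\w.-]+)=("[^"]*"|\S*)')


def parse_profiles(text):
    """Turn multi-line `print` output into one dict per security profile."""
    profiles, current = [], None
    for line in text.splitlines():
        if line.lstrip().startswith('['):   # console prompt, not profile data
            current = None
            continue
        if ENTRY_START.match(line):
            current = {}
            profiles.append(current)
        if current is not None:             # continuation lines extend the entry
            for key, value in PAIR.findall(line):
                current[key] = value.strip('"')
    return profiles


def as_list(value):
    return [item for item in value.split(',') if item]


def audit(profile):
    """Return (property, finding) pairs, using only statements from the manual."""
    findings = []
    mode = profile.get('mode', 'none')
    if mode == 'none':
        findings.append(('mode', 'encryption is not used'))
    elif mode in ('static-keys-required', 'static-keys-optional'):
        note = 'WEP mode'
        if mode == 'static-keys-optional':
            note += ', unencrypted frames are also accepted and sent'
        findings.append(('mode', note))
    elif mode == 'dynamic-keys':
        for prop in ('unicast-ciphers', 'group-ciphers'):
            if 'tkip' in as_list(profile.get(prop, 'aes-ccm')):
                findings.append((prop, 'tkip offered; use only aes-ccm'))
        if profile.get('disable-pmkid', 'no') == 'no':
            findings.append(('disable-pmkid', 'PMKID is included in EAPOL frames'))
        if 'eap-tls' in as_list(profile.get('eap-methods', 'passthrough')):
            tls_mode = profile.get('tls-mode', 'no-certificates')
            if tls_mode in ('dont-verify-certificate', 'no-certificates'):
                findings.append(('tls-mode', 'peer certificate is not verified'))
    protection = profile.get('management-protection', 'disabled')
    if protection != 'required':
        findings.append(('management-protection',
                         protection + ': unprotected peers are accepted'))
    return findings


def audit_all(text):
    """Map profile name -> list of flagged property names."""
    return {p.get('name', '?'): [prop for prop, _ in audit(p)]
            for p in parse_profiles(text)}


if __name__ == '__main__':
    for profile in parse_profiles(SAMPLE_PRINT):
        for prop, finding in audit(profile):
            print(f"{profile['name']}: {prop}: {finding}")
```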
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before the response from the RADIUS server is received. The access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
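<br />
The Access-Request attributes listed above for RADIUS MAC authentication and for EAP pass-through, parsed and cross-checked as a RADIUS server operator might do before trusting them. This is an added example, not RouterOS or MikroTik code: the function names are hypothetical, the sample requests are constructed, and the attributes are assumed to be already decoded into strings by the RADIUS server.<br />

```python
import re

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
HEX_MAC = re.compile(r"[0-9A-Fa-f]{12}")


def dashed_bytes(text, count):
    """Decode `count` dash-separated hex bytes ("XX-XX-...") or raise ValueError."""
    parts = text.split("-")
    if len(parts) != count or not all(HEX_BYTE.fullmatch(p) for p in parts):
        raise ValueError(f"expected {count} dash-separated hex bytes, got {text!r}")
    return bytes.fromhex("".join(parts))


def mac_from_template(text, template="XX:XX:XX:XX:XX:XX"):
    """Decode a User-Name written per radius-mac-format (each X is one hex digit)."""
    digits = "".join(ch for ch, slot in zip(text, template) if slot == "X")
    literal_ok = all(ch == slot for ch, slot in zip(text, template) if slot != "X")
    if len(text) != len(template) or not literal_ok or not HEX_MAC.fullmatch(digits):
        raise ValueError(f"{text!r} does not fit radius-mac-format {template!r}")
    return bytes.fromhex(digits)


def parse_called_station_id(value):
    """Split "XX-XX-XX-XX-XX-XX:SSID" into (AP MAC bytes, SSID)."""
    # The MAC part is fixed-width (17 characters), so split by position: the
    # SSID itself may contain ':' or '-' and must not be split on them.
    if value[17:18] != ":":
        raise ValueError(f"no ':' after the AP MAC in {value!r}")
    return dashed_bytes(value[:17], 6), value[18:]


def parse_acct_multi_session_id(value):
    """Split the 20-byte value into (AP MAC, client MAC, 8-byte shared id)."""
    raw = dashed_bytes(value, 20)
    return raw[:6], raw[6:12], raw[12:]


def check_access_request(attrs, mac_auth, mac_format="XX:XX:XX:XX:XX:XX",
                         mac_mode="as-username"):
    """Return a list of inconsistencies found in one decoded Access-Request."""
    try:
        client = dashed_bytes(attrs["Calling-Station-Id"], 6)
        ap, _ssid = parse_called_station_id(attrs["Called-Station-Id"])
    except (KeyError, ValueError) as exc:
        return [f"unusable station id: {exc}"]
    problems = []
    if mac_auth:
        # MAC authentication: User-Name carries the client MAC a second time.
        user = attrs.get("User-Name", "")
        try:
            if mac_from_template(user, mac_format) != client:
                problems.append("User-Name MAC differs from Calling-Station-Id")
        except ValueError as exc:
            problems.append(str(exc))
        expected = user if mac_mode == "as-username-and-password" else ""
        if attrs.get("User-Password", "") != expected:
            problems.append("User-Password does not follow radius-mac-mode")
    multi = attrs.get("Acct-Multi-Session-Id")
    if multi is not None:
        # EAP accounting: the first 12 bytes repeat the AP and client MACs.
        try:
            if parse_acct_multi_session_id(multi)[:2] != (ap, client):
                problems.append("Acct-Multi-Session-Id MACs differ from station ids")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


# Constructed sample requests (locally administered MAC addresses).
MAC_AUTH_REQUEST = {
    "User-Name": "02:00:00:AA:BB:CC",
    "Nas-Port-Id": "wlan1",
    "User-Password": "",
    "Calling-Station-Id": "02-00-00-AA-BB-CC",
    "Called-Station-Id": "02-00-00-11-22-33:guest:lab",
}
EAP_REQUEST = {
    "User-Name": "RadUserIdent",
    "Nas-Port-Id": "wlan1",
    "Calling-Station-Id": "02-00-00-AA-BB-CC",
    "Called-Station-Id": "02-00-00-11-22-33:guest:lab",
    "Acct-Multi-Session-Id":
        "02-00-00-11-22-33-02-00-00-AA-BB-CC-01-02-03-04-05-06-07-08",
}

if __name__ == "__main__":
    print(check_access_request(MAC_AUTH_REQUEST, mac_auth=True))
    print(check_access_request(EAP_REQUEST, mac_auth=False))
```

The parser covers only the "XX-XX-XX-XX-XX-XX:SSID" form of Called-Station-Id described above.<br />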
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to the WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> wlan1 <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to the WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> wlan1 <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from the matching connect list entry. WDS link works when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies a compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like a single-sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If the "master-interface" mode is "station", the Virtual AP will work only while the "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network; it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade. <br />
''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This makes it possible to build a repeater setup using only one hardware card. The configuration process is exactly the same as above, but use mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
The wireless sniffer captures frames, including the Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process packets with a CRC mismatch<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the APs available in the frequency range defined in the scan-list.<br />
While the scan command runs, interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep), background scan is supported, which can be used during wireless interface operation without disconnecting the wireless link. Background scan is supported only with the 802.11 wireless protocol.<br />
<br />
The scan tool continues scanning for APs until the user stops the scan process. The 'rounds' setting makes the scan tool go through the scan-list entries a specific number of times. It is useful when running the scan tool from scripts. Example of a scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows scripted/scheduled scans whose results are saved to a file for later analysis. Together with the rounds setting, this feature also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to the file, exits the scan and reconnects the wireless link. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
The background scan feature works under the following conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
The scan command is also supported on Virtual wireless interfaces, with the following limitations:<br />
* It is possible when the virtual interface and its master are fixed on a channel (master AP is running or master station is connected to AP).<br />
* Scan is only performed on the channel the master interface is on.<br />
* It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox. Snooper will use frequencies from scan-list.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with the Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
Wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing the physical button on the board (a few boards have such a button, marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing "WPS Accept" button from the RouterOS wireless interface menu<br />
<br />
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.<br />
<br />
WPS Server is enabled by default on the few boards that have a marked physical WPS button, for example hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
The WPS Client function allows the wireless client to get the Pre-Shared Key configuration of an AP that has WPS Server enabled.<br />
WPS Client can be started with the following command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
WPS Client command outputs all the information of the WPS Enabled AP on the screen. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates wireless security profile with the specified name, configures it with security details received from the WPS AP, specifies the wireless interface to use the new created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
A wireless repeater receives the signal from the AP and repeats it locally, using the same physical interface, so that other clients can connect. This extends the wireless service for the wireless clients.<br />
The wireless repeater function configures the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, creates a virtual AP interface, creates a bridge interface and adds both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater does the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates security profile with name "<interfacename>-<ssid>-repeater", if such security profile already exists does not create new, just updates settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.<br />
When RouterOS wireless client is connected to the AP using 802.11 wireless protocol it will periodically perform the background scan with specific time intervals. When the background scan will find an AP with better signal it will try to roam to that AP. The time intervals between the background scans will become shorter when the wireless signal becomes worse and the background scan interval will become longer when the wireless client signal will get better.<br />
<br />
{{Note | If you have only one possible AP that the station/-s connects to, it is recommended to disable the feature as it can increase traffic latency during the background scan or in some cases even briefly disconnect station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (the one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic on the Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag and only data with this tag is sent out over wireless. This works for all wireless protocols, except that on Nv2 there is no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - AP does not use VLAN tagging<br />
* ''use-service-tag'' - VLAN ID uses 802.1ad tag type<br />
* ''use-tag'' - VLAN ID uses 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
Per-interface VLAN tag can be overridden on per-client basis by means of <br />
access-list and RADIUS attributes (for both - regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
The following setting is available starting from RouterOS v6.42rc27:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
* NAI Realm Encoding (1 byte)<br />
* NAI Realm Length (1 byte)<br />
* NAI Realm (variable)<br />
* EAP Method Count (1 byte)<br />
* EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
* NAI Realm Encoding: 0 (rfc4282)<br />
* NAI Realm Length: 4<br />
* NAI Realm: Test<br />
* EAP Method Count: 1<br />
* EAP Method Length: 2<br />
* EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note, that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
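<br />
The decoding walked through above, as an added example (not RouterOS code): a strict decoder for one '''realms-raw''' string, plus an encoder for the parameter-less case that reproduces the value shown on this page. The function names are hypothetical, and the authentication-parameter layout (ID, length, value) is an assumption taken from 802.11-2016 section 9.4.5.10, which this page cites but does not spell out.<br />

```python
# EAP method type numbers as assigned by IANA (display names only).
EAP_TYPES = {13: "TLS", 21: "TTLS", 25: "PEAP"}


class RealmError(ValueError):
    """Raised when a realms-raw string is not a well-formed NAI Realm Tuple."""


class Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n, what):
        if self.pos + n > len(self.data):
            raise RealmError(f"truncated while reading {what} at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self, what):
        return self.take(1, what)[0]


def decode_realm(hex_string):
    """Decode one realms-raw string (tuple without the Data Field Length)."""
    try:
        data = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise RealmError(f"not a hex string: {exc}") from None
    r = Reader(data)
    encoding = r.byte("NAI Realm Encoding")
    realm = r.take(r.byte("NAI Realm Length"), "NAI Realm")
    methods = []
    for _ in range(r.byte("EAP Method Count")):
        length = r.byte("EAP Method Length")
        # Parse each tuple inside its own declared length so that a wrong
        # length cannot make us read into the next tuple.
        body = Reader(r.take(length, "EAP Method Tuple"))
        method = body.byte("EAP Method")
        params = []
        for _ in range(body.byte("Authentication Parameter Count")):
            param_id = body.byte("Authentication Parameter ID")
            size = body.byte("Authentication Parameter Length")
            params.append((param_id, body.take(size, "parameter value").hex()))
        if body.pos != length:
            raise RealmError("EAP Method Length does not match its contents")
        methods.append({"method": method,
                        "name": EAP_TYPES.get(method, "unknown"),
                        "params": params})
    if r.pos != len(data):
        raise RealmError(f"{len(data) - r.pos} trailing byte(s) after the last tuple")
    return {"encoding": encoding,
            "realm": realm.decode("utf-8", "replace"),
            "methods": methods}


def encode_realm(realm, eap_methods, encoding=0):
    """Build a realms-raw string for EAP methods without parameters."""
    name = realm.encode("utf-8")
    if len(name) > 255 or len(eap_methods) > 255:
        raise RealmError("realm or method list too long for 1-byte length fields")
    out = bytes([encoding, len(name)]) + name + bytes([len(eap_methods)])
    for method in eap_methods:
        out += bytes([2, method, 0])  # length 2: method + parameter count 0
    return out.hex()


if __name__ == "__main__":
    print(decode_realm("00045465737401020d00"))  # value from this page
    print(encode_realm("Test", [13]))
```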
<br />
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Wireless&diff=34389Manual:Interface/Wireless2021-06-02T10:39:54Z<p>Guntis: </p>
<hr />
<div>==Overview==<br />
<br />
<p id="shbox"><b>Standards:</b> <code></code><br /><br />
<b>Package:</b> <code>wireless</code><br />
</p><br />
<br />
<br />
RouterOS wireless complies with IEEE 802.11 standards; it provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac as well as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. See the [[Wireless_Matrix|Wireless features]] compatibility table for different wireless protocols.<br />
<br />
Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be found [[Manual:Wireless_Station_Modes | here]].<br />
<br />
==General interface properties==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=adaptive-noise-immunity<br />
|type= ap-and-client-mode {{!}} client-mode {{!}} none<br />
|default=none<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-sharedkey<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ampdu-priorities<br />
|type= list of integer [0..7]<br />
|default=0<br />
|desc=Frame priorities for which AMPDU sending (aggregating frames and sending using block acknowledgment) should get negotiated and used. Using AMPDUs will increase throughput, but may increase latency, therefore, may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are enabled only for best-effort traffic.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-limit<br />
|type=integer [0..8192]<br />
|default=8192<br />
|desc=Max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may significantly increase throughput especially for small frames, but may increase latency in case of packet loss due to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=amsdu-threshold<br />
|type= integer [0..8192]<br />
|default=8192<br />
|desc=Max frame size to allow including in AMSDU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-gain<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc= Antenna gain in dBi, used to calculate maximum transmit power according to '''country''' regulations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=antenna-mode<br />
|type= ant-a {{!}} ant-b {{!}} rxa-txb {{!}} txa-rxb<br />
|default=<br />
|desc=Select antenna to use for transmitting and for receiving<br />
* ''ant-a'' - use only 'a' antenna<br />
* ''ant-b'' - use only 'b' antenna<br />
* ''txa-rxb'' - use antenna 'a' for transmitting, antenna 'b' for receiving<br />
* ''rxa-txb'' - use antenna 'b' for transmitting, antenna 'a' for receiving<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area<br />
|type=string<br />
|default=<br />
|desc=Identifies group of wireless networks. This value is announced by AP, and can be matched in [[#Connect List | connect-list]] by '''area-prefix'''. <br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP. Value '''auto''' equals the value of '''arp-timeout''' in '''/ip settings''', default is 30s<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=band<br />
|type=2ghz-b {{!}} 2ghz-b/g {{!}} 2ghz-b/g/n {{!}} 2ghz-onlyg {{!}} 2ghz-onlyn {{!}} 5ghz-a {{!}} 5ghz-a/n {{!}} 5ghz-onlyn {{!}} 5ghz-a/n/ac {{!}} 5ghz-onlyac {{!}} 5ghz-n/ac<br />
|default=<br />
|desc= Defines set of used data rates, channel frequencies and widths.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-a/g<br />
|type= 12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps<br />
|default=6Mbps<br />
|desc=Similar to the '''basic-rates-b''' property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=basic-rates-b<br />
|type=11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps<br />
|default=1Mbps<br />
|desc=List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.<br />
Client will connect to AP only if it supports all basic rates announced by the AP.<br />
AP will establish WDS link only if it supports all basic rates of the other AP.<br />
<br />
This property has effect only in AP modes, and when value of '''rate-set''' is configured.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-mode<br />
|type= disabled {{!}} enabled<br />
|default=enabled<br />
|desc=Allows use of station-bridge mode. [[Manual:Wireless_Station_Modes#Mode_station-bridge | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=burst-time<br />
|type= integer {{!}} disabled<br />
|default=disabled<br />
|desc=Time in microseconds which will be used to send data without stopping. Note that no other wireless cards in that network will be able to transmit data during burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-width<br />
|type= 20/40/80/160mhz-Ceeeeeee {{!}} 20/40/80/160mhz-XXXXXXXX {{!}} 20/40/80/160mhz-eCeeeeee {{!}} 20/40/80/160mhz-eeCeeeee {{!}} 20/40/80/160mhz-eeeCeeee {{!}} 20/40/80/160mhz-eeeeCeee {{!}} 20/40/80/160mhz-eeeeeCee {{!}} 20/40/80/160mhz-eeeeeeCe {{!}} 20/40/80/160mhz-eeeeeeeC {{!}} 20/40/80mhz-Ceee {{!}} 20/40/80mhz-eCee {{!}} 20/40/80mhz-eeCe {{!}} 20/40/80mhz-eeeC {{!}} 20/40/80mhz-XXXX {{!}} 20/40mhz-Ce {{!}} 20/40mhz-eC {{!}} 20/40mhz-XX {{!}} 40mhz-turbo {{!}} 20mhz {{!}} 10mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=Use of extension channels (e.g. Ce, eC etc) allows additional 20MHz extension channels and specifies whether they should be located below or above the control (main) channel. Extension channels allow 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total, thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency based on the number of concurrent devices running on every frequency and choose the “C” - Control channel frequency automatically.<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=compression<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Setting this property to ''yes'' will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=country<br />
|type= name of the country {{!}} no_country_set<br />
|default=etsi<br />
|desc= Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of '''scan-list'''. Value ''no_country_set'' is an FCC compliant set of channels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-ap-tx-limit<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''ap-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-authentication<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=For AP mode, this is the value of '''authentication''' for clients that do not match any entry in the [[#Access List | access-list]]. For station mode, this is the value of '''connect''' for APs that do not match any entry in the [[#Connect List | connect-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=This is the value of '''client-tx-limit''' for clients that do not match any entry in the [[#Access List | access-list]]. 0 means no limit<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=default-forwarding<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=This is the value of '''forwarding''' for clients that do not match any entry in the [[#Access List | access-list]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=When set to '''yes''', the interface will always have the running flag. If the value is set to '''no''', the router determines whether the card is up and running - for AP one or more clients have to be registered to it, for station, it should be connected to an AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Whether interface is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disconnect-timeout<br />
|type=time [0s..15s]<br />
|default=3s<br />
|desc=This interval is measured from the third sending failure on the lowest data rate. At this point 3 * ('''hw-retries''' + 1) frame transmits on the lowest data rate have failed.<br />
<br />
During '''disconnect-timeout''' packet transmission will be retried with '''on-fail-retry-time''' interval. If no frame can be transmitted successfully during '''disconnect-timeout''', the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=distance<br />
|type=integer {{!}} dynamic {{!}} indoors<br />
|default=dynamic<br />
|desc=How long to wait for confirmation of unicast frames ('''ACKs''') before considering transmission unsuccessful, or in short '''ACK-Timeout'''. Distance value has these behaviors:<br />
* ''Dynamic'' - causes AP to detect and use the smallest timeout that works with all connected clients. <br />
* ''Indoor'' - uses the default ACK timeout value that the hardware chip manufacturer has set. <br />
* ''Number'' - uses the input value in formula: ACK-timeout = (('''distance''' * 1000) + 299) / 300 us;<br />
Acknowledgments are not used in Nstreme/NV2 protocols.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-lifetime<br />
|type= integer [0..4294967295]<br />
|default=0<br />
|desc=Discard frames that have been queued for sending longer than '''frame-lifetime'''. By default, when value of this property is ''0'', frames are discarded only after connection is closed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Channel frequency value in MHz on which AP will operate.<br />
Allowed values depend on the selected band, and are restricted by '''country''' setting and wireless card capabilities.<br />
This setting has '''no effect''' if interface is in any of '''station''' modes, or in ''wds-slave'' mode, or if DFS is active. <br />
<br />
''Note'': If using mode "superchannel", any frequency supported by the card will be accepted, but on the RouterOS client, any non-standard frequency must be configured in the [[#scan-list | scan-list]], otherwise it will not be scanning in non-standard range. In Winbox, scanlist frequencies are in ''bold'', any other frequency means the clients will need scan-list configured. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-mode<br />
|type= manual-txpower {{!}} regulatory-domain {{!}} superchannel<br />
|default=regulatory-domain<br />
|desc=Three frequency modes are available:<br />
* ''regulatory-domain'' - Limit available channels and maximum transmit power for each channel according to the value of '''country'''<br />
* ''manual-txpower'' - Same as above, but do not limit maximum transmit power.<br />
* ''superchannel'' - Conformance Testing Mode. Allow all channels supported by the card.<br />
List of available channels for each band can be seen in '''/interface wireless info allowed-channels'''. This mode allows you to test wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in controlled environments, or if you have special permission to use it in your region. Before v4.3 this was called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without special key upgrades to all installations. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frequency-offset<br />
|type=integer [-2147483648..2147483647]<br />
|default=0<br />
|desc=Allows specifying an offset if the wireless card in use operates at a different frequency than is shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and can be positive or negative.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=guard-interval<br />
|type=any {{!}} long<br />
|default=any<br />
|desc=Whether to allow use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hide-ssid<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc= '' ''<br />
* ''yes'' - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.<br />
* ''no'' - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.<br />
<br />
This property has an effect only in AP mode. Setting it to ''yes'' can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-basic-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-supported-mcs<br />
|type= list of (mcs-0 {{!}} mcs-1 {{!}} mcs-2 {{!}} mcs-3 {{!}} mcs-4 {{!}} mcs-5 {{!}} mcs-6 {{!}} mcs-7 {{!}} mcs-8 {{!}} mcs-9 {{!}} mcs-10 {{!}} mcs-11 {{!}} mcs-12 {{!}} mcs-13 {{!}} mcs-14 {{!}} mcs-15 {{!}} mcs-16 {{!}} mcs-17 {{!}} mcs-18 {{!}} mcs-19 {{!}} mcs-20 {{!}} mcs-21 {{!}} mcs-22 {{!}} mcs-23)<br />
|default=mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23<br />
|desc= [http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11n for MCS specification.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-fragmentation-threshold<br />
|type= integer[256..3000] {{!}} disabled<br />
|default=0<br />
|desc=Specifies maximum fragment size in bytes when transmitted over the wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows packets to be fragmented before transmitting over a wireless medium to increase the probability of successful transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-mode<br />
|type= cts-to-self {{!}} none {{!}} rts-cts<br />
|default=none<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-protection-threshold<br />
|type= integer [0..65535]<br />
|default=0<br />
|desc=Frame protection support property [[#Frame protection support (RTS/CTS) | <code>read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hw-retries<br />
|type= integer [0..15]<br />
|default=7<br />
|desc=Number of times sending frame is retried without considering it a transmission failure.<br />
<br />
Data-rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of '''on-fail-retry-time'''. After that, the frame is sent again. The frame is being retransmitted until transmission success, or until the client is disconnected after '''disconnect-timeout'''. The frame can be discarded during this time if '''frame-lifetime''' is exceeded.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=installation<br />
|type= any {{!}} indoor {{!}} outdoor<br />
|default=any<br />
|desc=Adjusts scan-list to use indoor, outdoor or all frequencies for the country that is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interworking-profile<br />
|type= enabled {{!}} disabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=keepalive-frames<br />
|type= enabled {{!}} disabled<br />
|default=enabled<br />
|desc=Applies only if wireless interface is in mode='''ap-bridge'''. If a client has not communicated for around 20 seconds, AP sends a "keepalive-frame".<br />
<br>'''Note''', disabling the feature can lead to "ghost" clients in registration-table.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=1600<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=Name of wireless interface that has ''virtual-ap'' capability. [[Virtual AP]] interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. This property is only for virtual AP interfaces.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-station-count<br />
|type= integer [1..2007]<br />
|default=2007<br />
|desc=Maximum number of associated clients. WDS links also count toward this limit.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=station {{!}} station-wds {{!}} ap-bridge {{!}} bridge {{!}} alignment-only {{!}} nstreme-dual-slave {{!}} wds-slave {{!}} station-pseudobridge {{!}} station-pseudobridge-clone {{!}} station-bridge<br />
|default=station<br />
|desc=Selection between different station and access point (AP) modes.<br />
[[Manual:Wireless_Station_Modes|Station modes]]:<br />
* ''station'' - Basic station mode. Find and connect to acceptable AP.<br />
* ''station-wds'' - Same as ''station'', but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in [[wds]].<br />
* ''station-pseudobridge'' - Same as ''station'', but additionally perform MAC address translation of all traffic. Allows interface to be bridged.<br />
* ''station-pseudobridge-clone'' - Same as ''station-pseudobridge'', but use '''station-bridge-clone-mac''' address to connect to AP. <br />
AP modes:<br />
* ''ap-bridge'' - Basic access point mode.<br />
* ''bridge'' - Same as ''ap-bridge'', but limited to one associated client.<br />
* ''wds-slave'' - Same as ''ap-bridge'', but scan for AP with the same '''ssid''' and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If '''dfs-mode''' is ''radar-detect'', then APs with enabled '''hide-ssid''' will not be found during scanning.<br />
Special modes:<br />
* ''alignment-only'' - Put the interface in a continuous transmit mode that is used for aiming the remote antenna.<br />
* ''nstreme-dual-slave'' - allow this interface to be used in nstreme-dual setup.<br />
:MAC address translation in '''pseudobridge''' modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type= integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-buffering<br />
|type= disabled {{!}} enabled <br />
|default=enabled<br />
|desc=For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-helper<br />
|type= default {{!}} disabled {{!}} full<br />
|default=default<br />
|desc=When set to '''full''', multicast packets will be sent with a unicast destination MAC address, resolving [[Manual:Multicast_detailed_example#Multicast_and_Wireless | multicast problem]] on the wireless link. This option should be enabled only on the access point, clients should be configured in '''station-bridge''' mode. Available starting from v5.15. <br />
*disabled - disables the helper and sends multicast packets with multicast destination MAC addresses<br />
*full - all multicast packet MAC addresses are changed to unicast MAC addresses prior to sending them out<br />
*default - default choice that currently is set to ''disabled''. Value can be changed in future releases.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=name of the interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=noise-floor-threshold<br />
|type= default {{!}} integer [-128..127]<br />
|default=default<br />
|desc=For advanced use only, as it can badly affect the performance of the interface. It is possible to manually set noise floor threshold value. By default, it is dynamically calculated. This property also affects received signal strength. This property is only effective on non-AC chips.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-cell-radius<br />
|type= integer [10..200]<br />
|default=30<br />
|desc=Setting affects the size of contention time slot that AP allocates for clients to initiate connection and also size of time slots used for estimating distance to client. When setting is too small, clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, in order to maintain maximum performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually never used, but instead allocates it for actual data transfer.<br />
* on AP: distance to farthest client in km<br />
* on station: no effect<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-noise-floor-offset<br />
|type=default {{!}} integer [0..20]<br />
|default=default<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-preshared-key<br />
|type= string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-qos<br />
|type= default {{!}} frame-priority<br />
|default=default<br />
|desc=Sets the packet priority mechanism. Data from the high priority queue is sent first, then data from lower priority queues, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on AP <br />
* '''frame-priority''' - manual setting that can be tuned with Mangle rules. <br />
* '''default''' - default setting where small packets receive priority for best latency<br />
<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-queue-count<br />
|type=integer [2..8]<br />
|default=2<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=nv2-security<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-fail-retry-time<br />
|type= time [100ms..1s]<br />
|default=100ms<br />
|desc=After third sending failure on the lowest data rate, wait for specified time interval before retrying.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration<br />
|type= default {{!}} disabled {{!}} enabled<br />
|default=default<br />
|desc=Setting ''default'' enables periodic calibration if [[#Info | info]] '''default-periodic-calibration''' property is ''enabled''. Value of that property depends on the type of wireless card.<br />
<br />
This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=periodic-calibration-interval<br />
|type=integer [1..10000]<br />
|default=60<br />
|desc=This property is only effective for cards based on Atheros chipset.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=preamble-mode<br />
|type= both {{!}} long {{!}} short<br />
|default=both<br />
|desc=Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.<br />
* On AP:<br />
** ''long'' - Do not use short preamble.<br />
** ''short'' - Announce short preamble capability. Do not accept connections from clients that do not have this capability.<br />
** ''both'' - Announce short preamble capability.<br />
* On station:<br />
** ''long'' - do not use short preamble.<br />
** ''short'' - do not connect to AP if it does not support short preamble.<br />
** ''both'' - Use short preamble if AP supports it.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prism-cardtype<br />
|type= 100mW {{!}} 200mW {{!}} 30mW<br />
|default=<br />
|desc=Specify type of the installed Prism wireless card.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=proprietary-extensions<br />
|type= post-2.9.25 {{!}} pre-2.9.25<br />
|default=post-2.9.25 <br />
|desc=RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.<br />
* ''pre-2.9.25'' - This is older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.<br />
* ''post-2.9.25'' - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radio-name<br />
|type= string<br />
|default=MAC address of an interface<br />
|desc=Descriptive name of the device, that is shown in registration table entries on the remote devices.<br />
<br />
This is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-selection<br />
|type=advanced {{!}} legacy<br />
|default=advanced<br />
|desc=Starting from v5.9 default value is advanced since legacy mode was inefficient.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-set<br />
|type= configured {{!}} default<br />
|default=default<br />
|desc=Two options are available:<br />
* ''default'' - default basic and supported rate sets are used. Values from '''basic-rates''' and '''supported-rates''' parameters have no effect.<br />
* ''configured'' - use values from '''basic-rates''', '''supported-rates''', '''basic-mcs''', '''mcs'''. [[#Basic and MCS Rate table | <code>Read more >></code>]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for receive. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=<div id="scan-list">scan-list</div><br />
|type=Comma separated list of frequencies and frequency ranges {{!}} default.<br />
Since v6.35 (wireless-rep) type also supports range:step option<br />
|default=default<br />
|desc=The ''default'' value is all channels from selected band that are supported by card and allowed by the '''country''' and '''frequency-mode''' settings (this list can be seen in [[#Info | info]]). For default scan list in ''5ghz'' band channels are taken with 20MHz step, in ''5ghz-turbo'' band - with 40MHz step, for all other bands - with 5MHz step. If '''scan-list''' is specified manually, then all matching channels are taken. (Example: '''scan-list'''=''default,5200-5245,2412-2427'' - This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.) <br><br />
Since RouterOS v6.0 with Winbox or Webfig, for inputting of multiple frequencies, add each frequency or range of frequencies into separate multiple scan-lists. Using a comma to separate frequencies is no longer supported in Winbox/Webfig since v6.0.<br />
Since RouterOS v6.35 (wireless-rep) scan-list supports the step feature, where it is possible to manually specify the scan step. Example: '''scan-list'''=''5500-5600:20'' will generate such scan-list values ''5500,5520,5540,5560,5580,5600''<br />
To specify specific channels or channel lists, defined under "/interface wireless channels", use '''scan-list'''=''"channel1,channel2"'' in quotation marks.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type= string<br />
|default=default<br />
|desc=Name of profile from [[#Security Profiles | security-profiles]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=secondary-channel<br />
|type=integer<br />
|default=""<br />
|desc=Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-channel to "" or unset the value via CLI/GUI.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string (0..32 chars)<br />
|default=value of [[Manual:System/identity|system/identity]]<br />
|desc=SSID (service set identifier) is a name that identifies wireless network.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=skip-dfs-channels<br />
|type=string {{!}} 10min-cac {{!}} all {{!}} disabled <br />
|default=disabled<br />
<br />
|desc=These values are used to skip all DFS channels or specifically skip DFS CAC channels in range 5600-5650MHz, for which detection could take up to 10min.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-bridge-clone-mac<br />
|type=MAC<br />
|default=<br />
|desc=This property has effect only in the ''station-pseudobridge-clone'' mode.<br />
<br />
Use this MAC address when connecting to AP. If this value is ''00:00:00:00:00:00'', station will initially use MAC address of the wireless interface.<br />
<br />
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=station-roaming<br />
|type= disabled {{!}} enabled<br />
|default=disabled<br />
|desc=Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. [[#Station-Roaming | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-a/g<br />
|type=list of rates [12Mbps {{!}} 18Mbps {{!}} 24Mbps {{!}} 36Mbps {{!}} 48Mbps {{!}} 54Mbps {{!}} 6Mbps {{!}} 9Mbps]<br />
|default=6Mbps; 9Mbps; 12Mbps; 18Mbps; 24Mbps; 36Mbps; 48Mbps; 54Mbps<br />
|desc=List of supported rates, used for all bands except ''2ghz-b''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supported-rates-b<br />
|type= list of rates [11Mbps {{!}} 1Mbps {{!}} 2Mbps {{!}} 5.5Mbps]<br />
|default=1Mbps; 2Mbps; 5.5Mbps; 11Mbps<br />
|desc=List of supported rates, used for ''2ghz-b'', ''2ghz-b/g'' and ''2ghz-b/g/n'' bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of '''rate-set''' is ''configured''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tdma-period-size<br />
|type= integer [1..10]<br />
|default=2<br />
|desc=Specifies TDMA period in milliseconds. It could help on the longer distance links, it could slightly increase bandwidth, while latency is increased too.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-chains<br />
|type= list of integer [0..3]<br />
|default=0<br />
|desc=Which antennas to use for transmitting. In current MikroTik routers, both RX and TX chain must be enabled, for the chain to be enabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power<br />
|type=integer [-30..40] <br />
|default=<br />
|desc=For 802.11ac wireless interface it's total power but for 802.11a/b/g/n it's power per chain.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-power-mode<br />
|type=default, card-rates, all-rates-fixed, manual-table<br />
|default=default<br />
|desc=Sets the tx-power mode for the wireless card:<br />
* default - use values stored in the card<br />
* all-rates-fixed - use same transmit power for all data rates. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* manual-table - define transmit power for each rate separately. Can damage the card if transmit power is set above rated value of the card for used rate.<br />
* card-rates - use transmit power calculated for each rate based on value of '''tx-power''' parameter. Legacy mode only compatible with currently discontinued products.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=update-stats-interval<br />
|type= <br />
|default=<br />
|desc=How often to request update of signal strength and ccq values from clients.<br />
Access to [[#Registration Table | registration-table]] also triggers update of these values.<br />
<br />
This is proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-basic-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default=MCS 0-7<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that every connecting client must support. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each spatial stream:<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - client must support MCS-0 to MCS-7<br />
* ''MCS 0-8'' - client must support MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - client must support MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vht-supported-mcs<br />
|type= none {{!}} MCS 0-7 {{!}} MCS 0-8 {{!}} MCS 0-9<br />
|default= MCS 0-9<br />
|desc=[http://en.wikipedia.org/wiki/IEEE_802.11ac#Data_rates_and_speed Modulation and Coding Schemes] that this device advertises as supported. Refer to 802.11ac for MCS specification.<br />
You can set the MCS interval for each spatial stream:<br />
* ''none'' - will not use selected Spatial Stream<br />
* ''MCS 0-7'' - devices will advertise as supported MCS-0 to MCS-7<br />
* ''MCS 0-8'' - devices will advertise as supported MCS-0 to MCS-8 <br />
* ''MCS 0-9'' - devices will advertise as supported MCS-0 to MCS-9 <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-cost-range<br />
|type= start [-end] integer[0..4294967295]<br />
|default=50-150<br />
|desc=Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment.<br />
<br />
Setting this property to ''0'' disables automatic cost adjustment.<br />
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-bridge<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=When WDS link is established and status of the wds interface becomes ''running'', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-default-cost<br />
|type=integer [0..4294967295] <br />
|default=100<br />
|desc=Initial bridge port cost of the WDS links.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wds-ignore-ssid<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to ''yes'', then SSID of the remote AP will not be checked. This property has no effect on connections from clients in ''station-wds'' mode. It also does not work if '''wds-mode''' is ''static-mesh'' or ''dynamic-mesh''.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=wds-mode<br />
|type=disabled {{!}} dynamic {{!}} dynamic-mesh {{!}} static {{!}} static-mesh <br />
|default=disabled<br />
|desc= Controls how WDS links with other devices (APs and clients in ''station-wds'' mode) are established.<br />
* ''disabled'' does not allow WDS links.<br />
* ''static'' only allows WDS links that are manually configured in [[wds]]<br />
* ''dynamic'' also allows WDS links with devices that are not configured in [[wds]], by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.<br />
:''-mesh'' modes use a different (better) method for establishing links between APs, which is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.<br />
:When AP or station is establishing WDS connection with another AP, it uses [[#Connect List | connect-list]] to check whether this connection is allowed. If station in ''station-wds'' mode is establishing connection with AP, AP uses [[#Access List | access-list]] to check whether this connection is allowed.<br />
:If '''mode''' is ''station-wds'', then this property has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type= 802.11 {{!}} any {{!}} nstreme {{!}} nv2 {{!}} nv2-nstreme {{!}} nv2-nstreme-802.11 {{!}} unspecified<br />
|default=any<br />
|desc=Specifies the protocol used on the wireless interface:<br />
* ''unspecified'' - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by the old enable-nstreme setting, Nv2 configuration is not possible.<br />
* ''any'' - on AP: regular 802.11 Access Point or Nstreme Access Point; on station: selects Access Point without specific sequence, it could be changed by connect-list rules.<br />
* ''nstreme'' - enables Nstreme protocol (the same as the old enable-nstreme setting).<br />
* ''nv2'' - enables Nv2 protocol.<br />
* ''nv2-nstreme'' - on AP: uses first wireless-protocol setting, always Nv2; on station: searches for Nv2 Access Point, then for Nstreme Access Point.<br />
* ''nv2-nstreme-802.11'' - on AP: uses first wireless-protocol setting, always Nv2; on station: searches for Nv2 Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.<br />
'''Warning!''' Nv2 doesn't have support for Virtual AP<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wmm-support<br />
|type= disabled {{!}} enabled {{!}} required<br />
|default=disabled<br />
|desc=Specifies whether to enable [[M:WMM | WMM]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wps-mode<br />
|type= disabled {{!}} push-button {{!}} push-button-virtual-only<br />
|default=depending on the device model <br />
|desc=[[#WPS Server | <code>Read more >></code>]]<br />
}}<br />
<br />
===Transmit Power representation on 802.11n and 802.11ac===<br />
<br />
802.11n wireless chipsets represent power per chain and the 802.11ac wireless chipsets represent the total power, for reference see the table below:<br />
<br />
<table class="styled_table"><br />
<caption>Wireless chipset signal level representation</caption><br />
<tr><th>Wireless chipset<th>Enabled Chains<th>Power per Chain<th>Total Power</tr><br />
<tr><td>802.11n<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11n<td>2<td>Equal to the selected Tx Power<td>+3dBm</tr><br />
<tr><td>802.11n<td>3<td>Equal to the selected Tx Power<td>+5dBm</tr><br />
<tr><td>802.11ac<td>1<td>Equal to the selected Tx Power<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>2<td>-3dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>3<td>-5dBm<td>Equal to the selected Tx Power</tr><br />
<tr><td>802.11ac<td>4<td>-6dBm<td>Equal to the selected Tx Power</tr><br />
</table><br />
===Basic and MCS Rate table===<br />
<br />
<table class="styled_table"><br />
<caption>Default basic and supported rates, depending on selected band</caption><br />
<tr><th>band<th>basic rates<th>basic-HT-mcs<th>basic-VHT-mcs<th>VHT-mcs<th>HT-mcs<th>supported rates</tr><br />
<tr><td>2.4ghz-b<td>1<td>-<td>-<td>-<td>-<td>1-11</tr><br />
<tr><td>2.4ghz-onlyg<td>6<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g<td>1-11<td>-<td>-<td>-<td>-<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-b/g/n<td>1-11<td>none<td>-<td>-<td>0-23<td>1-11,6-54</tr><br />
<tr><td>2.4ghz-g/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>2.4ghz-g-turbo<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<br />
<tr><td>5ghz-a<td>6<td>-<td>-<td>-<td>-<td>6-54</tr><br />
<tr><td>5ghz-a/n<td>6<td>none<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyn<td>6<td>0-7<td>-<td>-<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-a/n/ac<td>6<td>none<td>none<td>0-9<td>0-23<td>6-54</tr><br />
<tr><td>5ghz-onlyac<td>6<td>none<td>0-7<td>0-9<td>0-23<td>6-54</tr><br />
</table><br />
<br />
<br />
<br />
Used settings when '''rate-set=configured'''<br />
<br />
<table class="styled_table"><br />
<tr><th>band<th>used settings</tr><br />
<tr><td>2.4ghz-b<td>basic-b, supported-b</tr><br />
<tr><td>2.4ghz-b/g, 2.4ghz-onlyg<td>basic-b, supported-b, basic-a/g, supported-a/g</tr><br />
<tr><td>2.4ghz-onlyn, 2.4ghz-b/g/n<td>basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs</tr><br />
<tr><td>2.4ghz-g/n<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a<td>basic-a/g,supported-a/g</tr><br />
<tr><td>5ghz-a/n, 5ghz-onlyn<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs</tr><br />
<tr><td>5ghz-a/n/ac, 5ghz-onlyac<td>basic-a/g,supported-a/g,ht-basic-mcs,ht-supported-mcs,vht-basic-mcs,vht-supported-mcs</tr><br />
</table><br />
<br />
<br />
Settings independent from '''rate-set''':<br />
# allowed mcs depending on number of chains:<br />
#* 1 chain: 0-7<br />
#* 2 chains: 0-15<br />
#* 3 chains: 0-23<br />
# if the standard channel width (20MHz) is not used, then 2ghz modes (except 2.4ghz-b) do not use b rates (1-11)<br />
<br />
=== Frame protection support (RTS/CTS) ===<br />
<br />
The 802.11 standard provides means to protect a transmission against transmissions from other devices by using the RTS/CTS protocol. Frame protection helps to fight the "hidden node" problem. There are several types of protection:<br />
* RTS/CTS based protection - a device willing to send a frame first sends a RequestToSend frame and waits for a ClearToSend frame from the intended destination. By "seeing" the RTS or CTS frame, 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves.<br />
* "CTS to self" based protection - a device willing to send a frame sends a CTS frame "to itself". As in the RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving the CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive the CTS sent by the other station - in this case stations must use RTS/CTS so that the other station knows not to transmit by seeing the CTS transmitted by the AP).<br />
<br />
Protection mode is controlled by '''hw-protection-mode''' setting of wireless interface. Possible values: '''none''' - for no protection (default), '''rts-cts''' for RTS/CTS based protection or '''cts-to-self''' for "CTS to self" based protection.<br />
<br />
Frame size threshold at which protection should be used is controlled by '''hw-protection-threshold''' setting of wireless interface.<br />
<br />
For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0<br />
</pre><br />
To enable RTS/CTS based protection on client use command:<br />
<pre><br />
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0<br />
</pre><br />
<br />
=== Nv2 ===<br />
<br />
MikroTik has developed a new wireless protocol, Nv2 (Nstreme version 2), based on TDMA (Time Division Multiple Access) technology. See the Nv2 documentation: [[M:NV2 | NV2]]<br />
<br />
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using its own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.<br />
<br />
The most important benefits of Nv2 are:<br />
<br />
*Increased speed<br />
*More client connections in PTM environments<br />
*Lower latency<br />
*No distance limitations<br />
*No penalty for long distances<br />
<br />
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2 protocol [[NV2#NV2_protocol_implementation_status | implementation status]].<br />
Nv2 protocol limit is 511 clients. <br />
<br />
{{Warning | Nv2 doesn't have support for Virtual AP}}<br />
<br />
==== Nv2 Troubleshooting ====<br />
<br />
Increase throughput on long distance with '''tdma-period-size'''. In every "period", the Access Point leaves part of the time unused for data transmission. This unused time is equal to the ''round trip time'' (the time in which a frame can be sent to and received from the client) and ensures that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period. <br />
<br />
For example, suppose the distance between the Access Point and the client is 30km. A frame takes 100us to travel in one direction, so the round-trip time is ~200us. The default '''tdma-period-size''' value is 2ms, which means that 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For a 60km wireless link the round-trip time is 400us, so the unused time is 20% for the default tdma-period-size of 2ms and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.<br />
<br />
==Access List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless access-list</code></p><br />
<br />
<br />
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.<br />
<br />
Operation:<br />
* Access list rules are checked sequentially.<br />
* Disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.<br />
* If remote device is matched by rule that has '''authentication'''=''no'' value, the connection from that remote device is rejected.<br />
<br />
<br />
{{Warning | If the ACL has no entry for a client that connects to the AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then the ACL is ignored for this client for the whole duration of the connection.}}<br />
<br />
For example, if client's signal during connection is -41 and we have ACL rule<br />
<pre><br />
/interface wireless access-list<br />
add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0<br />
</pre><br />
Then connection is not matched to any ACL rule and if signal drops to -70..-80, client will not be disconnected.<br />
<br />
<br />
For this to work correctly, the client must be matched by one of the ACL rules.<br />
<br />
If we modify ACL rules in previous example to:<br />
<pre><br />
/interface wireless access-list<br />
add interface=wlan2 signal-range=-55<br />
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56<br />
</pre><br />
Then if signal drops to -56, client will be disconnected.<br />
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ap-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Limit rate of data transmission to this client. Value ''0'' means no limit. Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client association will always fail.<br />
* ''yes'' - Use authentication procedure that is specified in the [[#Security Profiles | '''security-profile''']] of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=client-tx-limit<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Ask client to limit rate of data transmission. Value ''0'' means no limit.<br />
<br />
This is a proprietary extension that is supported by RouterOS clients.<br />
Value is in bits per second.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forwarding<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc= '' ''<br />
* ''no'' - Client cannot send frames to other stations that are connected to the same access point.<br />
* ''yes'' - Client can send frames to other stations on the same access point.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string {{!}} any {{!}} all<br />
|default=any<br />
|desc=Rules with '''interface'''=''any'' are used for any wireless interface, and '''interface'''=''all'' refers to the [[Manual:Interface/List#Lists|interface-list]] named “all”. To make a rule that applies only to one wireless interface, specify that interface as the value of this property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches client with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=management-protection-key<br />
|type=string<br />
|default=""<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-algo<br />
|type=104bit-wep {{!}} 40bit-wep {{!}} aes-ccm {{!}} none {{!}} tkip<br />
|default=none<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-key<br />
|type=string<br />
|default=""<br />
|desc=Only for WEP modes.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=private-pre-shared-key<br />
|type=string<br />
|default=""<br />
|desc=Used in WPA PSK mode.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the station is within the range.<br />
:If the signal strength of the station goes out of the range that is specified in the rule, the access point will disconnect that station.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=time<br />
|type=''TIME-TIME,sun,mon,tue,wed,thu,fri,sat'' - ''TIME'' is time interval 0..86400 seconds; all day names are optional; value can be unset<br />
|default=<br />
|desc= Rule will match only during specified time.<br />
<br />
Station will be disconnected after specified time ends.<br />
Both start and end times are expressed as time since midnight, 00:00.<br />
<br />
Rule will match only during specified days of the week.<br />
}}<br />
<br />
==Align==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless align</code></p><br />
<br />
The Align tool is used to help align devices that are running this tool.<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=active-mode<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=If in active mode, will send out frames for align.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-max<br />
|type=integer [-2147483648..2147483647]<br />
|default=-20<br />
|desc=Maximum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-min<br />
|type=integer [-2147483648..2147483647]<br />
|default=-100<br />
|desc=Minimum signal strength for beeper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=audio-monitor<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to use for audio monitoring<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=filter-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Filtered out MAC address that will be shown in monitor screen.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-size<br />
|type=integer [200..1500]<br />
|default=300<br />
|desc=Size of the frames used by monitor.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frames-per-second<br />
|type=integer [1..100]<br />
|default=25<br />
|desc=Frame transmit interval<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to "yes", monitor will find all available devices.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=ssid-all<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to show all SSIDs in the monitor or only one configured in wireless settings.<br />
}}<br />
<br />
===Menu Specific Commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=monitor<br />
|type=interface name<br />
|desc=Start align monitoring<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=test-audio<br />
|type=integer [-2147483648..2147483647]<br />
|desc=Test the beeper<br />
}}<br />
<br />
==Connect List==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless connect-list</code></p><br />
<br />
<br />
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.<br />
connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule (this is unlike [[#Access List | access-list]], where rules can apply to all interfaces).<br />
A rule can match the MAC address of the remote access point, its signal strength and many other parameters.<br />
<br />
Operation:<br />
* connect-list rules are always checked sequentially, starting from the first.<br />
* disabled rules are always ignored.<br />
* Only the first matching rule is applied.<br />
* If an SSID or an exact wireless protocol is provided in the wireless interface configuration, connect-list SSIDs or wireless protocols not covered by the wireless interface configuration are ignored.<br />
* If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.<br />
* If access point is matched by rule that has '''connect'''=''no'' value, connection with this access point will not be attempted.<br />
* If access point is matched by rule that has '''connect'''=''yes'' value, connection with this access point will be attempted.<br />
** In station mode, if several remote access points are matched by connect list rules with '''connect'''=''yes'' value, connection will be attempted with access point that is matched by rule higher in the connect-list.<br />
** If no remote access points are matched by connect-list rules with '''connect'''=''yes'' value, then value of '''default-authentication''' interface property determines whether station will attempt to connect to any access point. If '''default-authentication'''=''yes'', station will choose access point with best signal and compatible security.<br />
* In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of '''default-authentication''' determines whether WDS link will be established.<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=area-prefix<br />
|type=string<br />
|default=<br />
|desc=Rule matches if the '''area''' value of the AP begins with the specified value. The '''area''' value is a proprietary extension.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=connect<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Available options:<br />
* ''yes'' - Connect to access point that matches this rule.<br />
* ''no'' - Do not connect to any access point that matches this rule.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Rule matches only AP with the specified MAC address. Value ''00:00:00:00:00:00'' matches always.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=security-profile<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Name of the [[#Security Profiles | security profile]] that is used when connecting to matching access points. If the value of this property is ''none'', then the security profile specified in the interface configuration will be used.<br />
<br />
In station mode, rule will match only access points that can support specified security profile. Value ''none'' will match access point that supports security profile that is specified in the interface configuration. In access point mode value of this property will not be used to match remote devices.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=signal-range<br />
|type=''NUM..NUM'' - both ''NUM'' are numbers in the range -120..120<br />
|default=-120..120<br />
|desc=Rule matches if signal strength of the access point is within the range.<br />
<br />
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ssid<br />
|type=string<br />
|default=""<br />
|desc=Rule matches access points that have this SSID. Empty value matches any SSID.<br />
<br />
This property has effect only when station mode interface '''ssid''' is empty, or when access point mode interface has '''wds-ignore-ssid'''=''yes''<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wireless-protocol<br />
|type=802.11 {{!}} any {{!}} nstreme {{!}} tdma<br />
|default=any<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Each rule in connect list applies only to one wireless interface that is specified by this setting. <br />
}}<br />
<br />
<br />
<br />
===Usage===<br />
====Restrict station connections only to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''no''.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span></code><br />
* Create rules that match allowed access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01</code><br />
:: <code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02</code><br />
<br />
====Disallow connections to specific access points====<br />
* Set value of '''default-authentication''' interface property to ''yes''.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span></code><br />
* Create '''connect'''=''no'' rules that match those access points that station should not connect to. These rules must have '''connect'''=''no'' and '''interface''' equal to the name of station wireless interface.<br />
::<code class=samp><span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55</code><br />
<br />
====Select preferred access points====<br />
* Create rules that match preferred access points. These rules must have '''connect'''=''yes'' and '''interface''' equal to the name of station wireless interface.<br />
* Put rules that match preferred access points higher in the connect-list, in the order of preference.<br />
<br />
====Restrict WDS link establishment====<br />
* Place rules that match allowed access points at the top.<br />
* Add deny-all rule at the end of connect list.<br />
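<br />
The connect-list evaluation described under Operation and the four Usage cases above, as an added example: a simplified Python model written for this page, not MikroTik code and not RouterOS internals. It matches only on '''mac-address''' and '''signal-range''' and ignores security-profile compatibility; the class and function names, the signal-strength tie-break, the signal values and the use of ''wlan2'' as the AP-mode interface are assumptions.<br />

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"  # per the mac-address property: this value matches always


@dataclass(frozen=True)
class Rule:
    """One connect-list entry, reduced to the properties this model evaluates."""
    interface: str
    connect: bool = True
    mac_address: str = ANY_MAC
    signal_range: Tuple[int, int] = (-120, 120)
    disabled: bool = False


@dataclass(frozen=True)
class AP:
    """A remote access point as seen by the local radio."""
    mac: str
    signal: int


def first_match(rules: List[Rule], interface: str, ap: AP) -> Optional[int]:
    """Index of the first enabled rule on `interface` that matches `ap`, else None."""
    for index, rule in enumerate(rules):
        if rule.disabled or rule.interface != interface:
            continue  # disabled rules are ignored; rules are bound to one interface
        if rule.mac_address != ANY_MAC and rule.mac_address.lower() != ap.mac.lower():
            continue
        low, high = rule.signal_range
        if low <= ap.signal <= high:
            return index
    return None


def choose_ap(rules, interface, scan, default_authentication) -> Optional[AP]:
    """Station mode: the AP the station would try to connect to, or None."""
    allowed, unmatched = [], []
    for ap in scan:
        index = first_match(rules, interface, ap)
        if index is None:
            unmatched.append(ap)
        elif rules[index].connect:
            allowed.append((index, ap))
        # First match has connect=no: connection is never attempted.
    if allowed:
        # The rule higher in the list wins; signal as tie-break is a model assumption.
        return min(allowed, key=lambda pair: (pair[0], -pair[1].signal))[1]
    if default_authentication and unmatched:
        # No connect=yes match: default-authentication=yes picks the best signal.
        return max(unmatched, key=lambda ap: ap.signal)
    return None


def wds_link_allowed(rules, interface, ap, default_authentication) -> bool:
    """Access point mode: whether a WDS link with `ap` would be established."""
    index = first_match(rules, interface, ap)
    return default_authentication if index is None else rules[index].connect


# Constructed sample data: MAC addresses reuse the ones in the Usage commands,
# signal values are made up. UNLISTED is the strongest AP in range.
AP1 = AP("00:11:22:33:00:01", -70)
AP2 = AP("00:11:22:33:00:02", -75)
UNLISTED = AP("00:11:22:33:44:55", -40)
SCAN = [AP1, AP2, UNLISTED]

ALLOW_LIST = [Rule("station-wlan", mac_address=AP1.mac),
              Rule("station-wlan", mac_address=AP2.mac)]
DENY_ONE = [Rule("station-wlan", connect=False, mac_address=UNLISTED.mac)]
PREFERRED = [Rule("station-wlan", mac_address=AP2.mac),
             Rule("station-wlan", mac_address=AP1.mac)]
WDS_RULES = [Rule("wlan2", mac_address=AP1.mac),
             Rule("wlan2", connect=False)]  # deny-all rule at the end


def usage_cases() -> dict:
    """Evaluate the four Usage cases and return the selected MAC (or decision)."""
    mac = lambda ap: ap.mac if ap else None
    return {
        "restrict": mac(choose_ap(ALLOW_LIST, "station-wlan", SCAN, False)),
        "restrict, default-authentication=yes, only unlisted AP in range":
            mac(choose_ap(ALLOW_LIST, "station-wlan", [UNLISTED], True)),
        "disallow": mac(choose_ap(DENY_ONE, "station-wlan", SCAN, True)),
        "preferred": mac(choose_ap(PREFERRED, "station-wlan", SCAN, False)),
        "wds listed": wds_link_allowed(WDS_RULES, "wlan2", AP1, True),
        "wds unlisted": wds_link_allowed(WDS_RULES, "wlan2", UNLISTED, True),
    }


if __name__ == "__main__":
    for case, result in usage_cases().items():
        print(f"{case}: {result}")
```

In the second case the model returns the unlisted AP: a list of '''connect'''=''yes'' rules restricts nothing while '''default-authentication'''=''yes'', which is why the first Usage recipe sets it to ''no''.<br />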
<br />
==Info==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless info</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-b-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-channels<br />
|type=<br />
|desc=<br />
}}<br />
{{Mr-arg-ro-table<br />
|arg=2ghz-g-turbo-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-10mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-11n-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-5mhz-power-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-channels<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=5ghz-turbo-channels <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=capabilities <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=chip-info <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=default-periodic-calibration<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=firmware <br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ht-chains<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface-type<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=pci-info<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=supported-bands<br />
|type=<br />
|desc=<br />
}}<br />
<br />
==Manual TX Power Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless manual-tx-power-table</code></p><br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=manual-tx-powers<br />
|type=list of [Rate:TxPower]; <br />
Rate ::= 11Mbps {{!}} 12Mbps {{!}} 18Mbps {{!}} 1Mbps {{!}} 24Mbps {{!}} ...<br />
TxPower ::= integer [-30..30]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of the wireless interface to which tx powers will be applied.<br />
}}<br />
<br />
==Wireless hardware table==<br />
<br />
{{Warning | You must follow the regulatory domain requirements of your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip. These frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK}}<br />
<br />
<table class="styled_table"><br />
<caption><b>Integrated wireless interface frequency table</b></caption><br />
<tr><th>Board name<th>Wireless interfaces<th>Frequency range [MHz]<th>Supported channel widths [MHz]</tr><br />
<tr><td>2011UAS-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>751G-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>751U-2HnD<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>911-2Hn<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911-5Hn<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>911-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>911G-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>911G-5HPacD /-NB /-QRT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>911G-5HPnD /-QRT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>912UAG-2HPnD /-OUT<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>912UAG-5HPnD /-OUT<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>921GS-5HPacD-15S /-19S<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>921UAGS-5SHPacD-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>921UAGS-5SHPacT-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacD /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>922UAGS-5HPacT /-NM<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>941-2nD /-TC<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951G-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>951Ui-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>952Ui-5ac2nD /-TC<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>953GS-5HnT /-RP<td>1<td>4920-6100<td>5,10,20,40</tr><br />
<tr><td>962UiGS-5HacT2HnT<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>cAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>cAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS109-8G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>CRS125-24G-1S-2HnD-IN<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Disc-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>DynaDishG-5HacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>Groove52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveA-52HPn<td>1<td>4920-6100,2312-2732<td>5,10,20,40 and 5,10,20,40</tr><br />
<tr><td>GrooveG-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>GrooveGA-52HPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>LDF-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>LHG-5nD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>mAP2n<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAP2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>mAPL-2nD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>Metal2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>Metal5SHPn<td>1<td>4800-6100<td>5,10,20,40 and advanced channel support</tr><br />
<tr><td>Metal9HPn<td>1<td>902-928<td>5,10,20</tr><br />
<tr><td>MetalG-52SHPacn<td>1<td>4920-6100,2312-2732<td>20,40,80 and 20,40</tr><br />
<tr><td>OmniTikG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTikPG-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>OmniTIKU-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>OmniTIKUPA-5HnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>QRTG-2SHPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>SEXTANTG-5HPnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT2nDr2<td>1<td>2312-2732<td>20,40</tr> <br />
<tr><td>SXT5HacD2n<td>2<td>2312-2732,4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40 and 5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXT5HPnDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXT5nDr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-2HnD<td>1<td>2200-2700<td>20,40</tr><br />
<tr><td>SXTG-2HnDr2<td>1<td>2312-2700<td>20,40</tr><br />
<tr><td>SXTG-5HPacD<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPacD-HG /-SA<td>1<td>4920-6100<td>5<sup>1</sup>,10<sup>1</sup>,20,40,80</tr><br />
<tr><td>SXTG-5HPnD-HGr2 /-SAr2<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>SXTG-6HPnD<td>1<td>5500-6500<td>20,40</tr><br />
<tr><td>SXTsq2nD<td>1<td>2312-2484<td>20,40</tr><br />
<tr><td>wAP2nD /-BE<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>wAPG-5HacT2HnD /-BE<td>2<td>2312-2732,4920-6100<td>20,40 and 20,40,80</tr><br />
<tr><td>R11e-2HnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-2HPnD<td>1<td>2312-2732<td>20,40</tr><br />
<tr><td>R11e-5HacD<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HacT<td>1<td>4920-6100<td>20,40,80</tr><br />
<tr><td>R11e-5HnD<td>1<td>4920-6100<td>20,40</tr><br />
<tr><td>R2SHPn<td>1<td>2200-2700<td>20,40 and advanced channel support</tr><br />
<tr><td>R52H<td>1<td>4920-6100,2192-2507<td>20 and 20</tr><br />
<tr><td>R52HnD<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40</tr><br />
<tr><td>R52nM<td>1<td>4800-6100,2200-2700<td>20,40 and 20,40 and advanced channel support</tr><br />
<tr><td>R5SHPn<td>1<td>4800-6100<td>20,40 and advanced channel support</tr><br />
</table><br />
<br />
<b>NOTES:</b><br />
# - Only in 802.11a/n standard<br />
<br />
==Nstreme==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme</code></p><br />
<br />
<br />
This menu allows switching a wireless card to nstreme mode. In this mode the card will work only with nstreme clients.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA when polling is used (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-nstreme<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to switch the card into the nstreme mode<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-polling<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to use polling for clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [100..4000]<br />
|default=3200<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} dynamic-size {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
<br />
* '''none''' - do nothing special, do not combine packets (framing is disabled) <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
* '''dynamic-size''' - choose the best frame size dynamically <br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=name<br />
|type=string<br />
|desc=Name of an interface, to which setting will be applied. Read only.<br />
}}<br />
<br />
<br />
{{Note | The settings here (except for enabling nstreme) are relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.<br /><br />
<br />
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.}}<br />
<br />
==Nstreme Dual==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless nstreme-dual</code></p><br />
<br />
<br />
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point connection. To put wireless interfaces into an nstreme2 group, set their mode to nstreme-dual-slave. Many parameters from the /interface wireless menu are ignored when nstreme2 is used, except:<br />
<br />
* frequency-mode<br />
* country<br />
* antenna-gain<br />
* tx-power<br />
* tx-power-mode<br />
* antenna-mode<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type= disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=[[Manual:IP/ARP#ARP_Modes | <code>Read more >></code>]]<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-csma<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable CSMA/CA (better performance)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the interface should always be treated as running even if there is no connection to a remote peer<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-limit<br />
|type=integer [64..4000]<br />
|default=2560<br />
|desc=Maximal frame size<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=framer-policy<br />
|type=best-fit {{!}} exact-size {{!}} none<br />
|default=none<br />
|desc=The method used to combine frames. A number of frames may be combined into one bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not wait for frames, but if a number of packets are queued for transmitting, they can be combined. There are several methods of framing:<br />
* '''none''' - do nothing special, do not combine packets <br />
* '''best-fit''' - put as many packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets <br />
* '''exact-size''' - put as many packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-channel-width<br />
|type=2040mhz {{!}} 20mhz {{!}} 40mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-guard-interval<br />
|type=both {{!}} long {{!}} short<br />
|default=long<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-rates<br />
|type=list of rates [1,2,3,4,5,6,7,8]<br />
|default=1,2,3,4,5,6,7,8<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ht-streams<br />
|type=both {{!}} double {{!}} single<br />
|default=single<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of an entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-a/g<br />
|type=list of rates [6Mbps,9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps]<br />
|default=6Mbps,9Mbps,12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps<br />
|desc=Rates to be supported in 802.11a or 802.11g standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rates-b<br />
|type=list of rates [1Mbps, 2Mbps, 5.5Mbps, 11Mbps]<br />
|default=1Mbps, 2Mbps, 5.5Mbps, 11Mbps<br />
|desc=Rates to be supported in 802.11b standard<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-mac<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=Which MAC address to connect to (this would be the remote receiver card's MAC address)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the receiving radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=RX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for receive.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-band<br />
|type=2ghz-b {{!}} 2ghz-g {{!}} 2ghz-n {{!}} 5ghz-a {{!}} 5ghz-n<br />
|default=<br />
|desc=Operating band of the transmitting radio<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-channel-width<br />
|type=10mhz {{!}} 20mhz {{!}} 40mhz {{!}} 5mhz<br />
|default=20mhz<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tx-frequency<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=TX card operation frequency in MHz.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tx-radio<br />
|type=string<br />
|default=<br />
|desc=Name of the interface used for transmit.<br />
}}<br />
<br />
<br />
{{Warning | WDS cannot be used on Nstreme-dual links.}}<br />
{{Note | The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!}}<br />
<br />
{{Note | You can use different bands for rx and tx links. For example, transmit in the 2ghz-g band and receive in the 2ghz-b band.}}<br />
<br />
==Registration Table==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless registration-table</code></p><br />
<br />
<br />
In the registration table, you can see various information about currently connected clients. It is used only for Access Points.<br />
<br />
All properties are read-only.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=802.1x-port-enabled<br />
|type=yes {{!}} no<br />
|desc=whether the data exchange is allowed with the peer (i.e., whether 802.1x authentication is completed, if needed)<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ack-timeout<br />
|type=integer<br />
|desc=current value of ack-timeout<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap<br />
|type=yes {{!}} no<br />
|desc=Shows whether registered device is configured as access point.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=ap-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=authentication-type<br />
|type=<br />
|desc=authentication method used for the peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bridge<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer , integer<br />
|desc=number of sent and received packet bytes<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=client-tx-limit<br />
|type=integer<br />
|desc=transmit rate limit on the AP, in bits per second<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=comment<br />
|type=string<br />
|desc=Description of an entry. comment is taken from appropriate [[#Access_List | Access List]] entry if specified.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=compression<br />
|type=yes {{!}} no<br />
|desc=whether data compression is used for this peer<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=distance<br />
|type=integer<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encryption<br />
|type=aes-ccm {{!}} tkip<br />
|desc=unicast encryption algorithm used<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes excluding header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=frames<br />
|type=integer,integer<br />
|desc=Number of frames that need to be sent over wireless link. This value can be compared to '''hw-frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-current-size<br />
|type=integer<br />
|desc=current size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-limit<br />
|type=integer<br />
|desc=maximal size of combined frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=framing-mode<br />
|type=<br />
|desc=the method used to combine frames<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=group-encryption<br />
|type=<br />
|desc=group encryption algorithm used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frame-bytes<br />
|type=integer,integer<br />
|desc=number of sent and received data bytes including header information<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=hw-frames<br />
|type=integer,integer<br />
|desc=Number of frames sent over wireless link by the driver. This value can be compared to '''frames''' to check wireless retransmits. [[Manual:Wireless_FAQ#What_are_wireless_retransmits_and_where_to_check_them.3F | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=interface<br />
|type=string<br />
|desc=Name of the wireless interface to which wireless client is associated<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-activity<br />
|type=time<br />
|desc=last interface data tx/rx activity<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-ip<br />
|type=IP Address<br />
|desc=IP address found in the last IP packet received from the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=MAC address of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=management-protection<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=nstreme<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[#Nstreme|Nstreme]] is enabled<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=p-throughput<br />
|type=integer<br />
|desc=estimated approximate throughput that is expected to the given peer, taking into account the effective transmit rate and hardware retries. Calculated once in 5 seconds<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-bytes<br />
|type=integer, integer<br />
|desc=number of bytes packed into larger frames for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packed-frames<br />
|type=integer, integer<br />
|desc=number of frames packed into larger ones for transmitting/receiving (framing)<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer,integer<br />
|desc=number of sent and received network layer packets<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=radio-name<br />
|type=string<br />
|desc=radio name of the peer<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=routeros-version<br />
|type=string<br />
|desc=RouterOS version of the registered client<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for receive. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=rx-rate<br />
|type=integer<br />
|desc=receive data rate<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength<br />
|type=integer<br />
|desc=average strength of the client signal received by the AP<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=signal-to-noise<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=strength-at-rates<br />
|type=<br />
|desc=signal strength level at different rates together with time how long ago these rates were used<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-retx<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-rx-size<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-timing-offset<br />
|type=<br />
|desc=tdma-timing-offset is proportional to '''distance''' and is approximately two times the propagation delay.<br />
AP measures this so that it can tell clients what offset to use for their transmissions - clients then subtract this offset from their target transmission time such that propagation delay is accounted for and transmission arrives at AP when expected. You may occasionally see small negative value (like few usecs) there for close range clients because of additional unaccounted delay that may be produced in transmitter or receiver hardware that varies from chipset to chipset.<br />
<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-tx-size<br />
|type=integer<br />
|desc=Value in bytes that specifies the size of data unit whose loss can be detected (data unit over which CRC is calculated) sent by device. In general - the bigger the better, because overhead is less. On the other hand, small value in this setting can not always be considered a signal that connection is poor - if device does not have enough pending data that would enable it to use bigger data units (e.g. if you are just pinging over link), this value will not go up.<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tdma-windfull<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-ccq<br />
|type=<br />
|desc=Client Connection Quality (CCQ) for transmit. [[Manual:Wireless_FAQ#What_is_CCQ_and_how_are_the_values_determined.3F | <code>Read more >> </code>]] <br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-evm-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-frames-timed-out<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-rate<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch0<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch1<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=tx-signal-strength-ch2<br />
|type=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=uptime<br />
|type=time<br />
|desc=time the client is associated with the access point<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=wds<br />
|type=yes {{!}} no<br />
|desc=whether the connected client is using wds or not<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=wmm-enabled<br />
|type=yes {{!}} no<br />
|desc=Shows whether [[M:WMM | WMM]] is enabled.<br />
}}<br />
<br />
==Security Profiles==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless security-profiles</code></p><br />
<br />
<br />
Security profiles are configured under the '''/interface wireless security-profiles''' path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interface [[Manual:Interface/Wireless#General_interface_properties | security-profile]] property and [[Manual:Interface/Wireless#Connect_List | security-profile]] property of Connect Lists.<br />
<br />
===Basic properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mode<br />
|type=none {{!}} static-keys-optional {{!}} static-keys-required {{!}} dynamic-keys<br />
|default=none<br />
|desc=Encryption mode for the security profile.<br />
* <var>none</var> - Encryption is not used. Encrypted frames are not accepted.<br />
* <var>static-keys-required</var> - WEP mode. Do not accept and do not send unencrypted frames. Station in ''static-keys-required'' mode will not connect to an Access Point in ''static-keys-optional'' mode.<br />
* <var>static-keys-optional</var> - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as ''none''. Station in ''static-keys-optional'' mode will not connect to an Access Point in ''static-keys-required'' mode. See also: [[Manual:Interface/Wireless#WEP_properties | static-sta-private-algo]], [[Manual:Interface/Wireless#WEP_properties | static-transmit-key]].<br />
* <var>dynamic-keys</var> - WPA mode.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=text<br />
|default=<br />
|desc=Name of the security profile<br />
}}<br />
<br />
===WPA properties===<br />
These properties have effect only when '''mode''' is set to ''dynamic-keys''.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=wpa-psk {{!}} wpa2-psk {{!}} wpa-eap {{!}} wpa2-eap<br />
|default=<br />
|desc=Set of supported authentication types, multiple values can be selected. Access Point will advertise supported authentication types, and client will connect to Access Point only if it supports any of the advertised authentication types.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg= disable-pmkid<br />
|type=no {{!}} yes<br />
|default=no<br />
|desc=Whether to omit the PMKID from the EAPOL frames sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.<br />
* <var>yes</var> - removes PMKID from EAPOL frames (improves security, reduces compatibility).<br />
* <var>no</var> - includes PMKID in EAPOL frames (reduces security, improves compatibility).<br />
This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unicast-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises that it supports specified ciphers, multiple values can be selected. Client attempts connection only to Access Points that support at least one of the specified ciphers. One of the ciphers will be used to encrypt unicast frames that are sent between Access Point and Station.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-ciphers<br />
|type=tkip {{!}} aes-ccm<br />
|default=aes-ccm<br />
|desc=Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.<br />
* <var>tkip</var> - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.<br />
* <var>aes-ccm</var> - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=group-key-update<br />
|type=time: 30s..1d<br />
|default=5m<br />
|desc=Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect on Access Points.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=wpa-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA mode. This property only has effect when ''wpa-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wpa2-pre-shared-key<br />
|type=text<br />
|default=<br />
|desc=WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text. Commonly referred to as the network password for WPA2 mode. This property only has effect when ''wpa2-psk'' is added to '''authentication-types'''.<br />
}}<br />
<br />
{{ Note | RouterOS also allows to override pre-shared key value for specific clients, using either the [[Manual:Interface/Wireless#Access_List | private-pre-shared-key]] property, or the [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Psk]] attribute in the RADIUS MAC authentication response. This is an extension. }}<br />
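
The following Python script is an added example, not part of the original manual or of RouterOS. It audits the security-profiles section of a configuration export against the '''mode''' and WPA properties described above, filling in this page's defaults for properties the export omits. The function names, finding codes and the sample export are constructed for illustration; the default profile is assumed to be named ''default''.<br />

```python
import re
import shlex

# Defaults from the property tables above; an export omits properties that
# still hold their default value, so the audit has to fill them in.
DEFAULTS = {
    "mode": "none",
    "authentication-types": "",
    "unicast-ciphers": "aes-ccm",
    "group-ciphers": "aes-ccm",
    "disable-pmkid": "no",
}

# Finding codes are labels invented for this example, not RouterOS terms.
MESSAGES = {
    "NO_ENCRYPTION": "mode=none: encryption is not used",
    "WEP": "static-keys mode: WEP",
    "UNENCRYPTED_ALLOWED": "static-keys-optional: unencrypted frames may be sent and received",
    "LEGACY_WPA": "wpa-psk or wpa-eap enabled: original WPA is accepted, not only WPA2",
    "TKIP_UNICAST": "tkip allowed in unicast-ciphers",
    "TKIP_GROUP": "tkip allowed in group-ciphers",
    "PMKID_SENT": "disable-pmkid=no: PMKID is included in EAPOL frames (Access Point only)",
}

# Constructed sample export; profile names and keys are made up.
SAMPLE_EXPORT = r'''
/interface wireless
set [ find default-name=wlan1 ] security-profile=mixed
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add name=open-guest supplicant-identity=MikroTik
add mode=static-keys-optional name=legacy-wep
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm \
    mode=dynamic-keys name=mixed unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key="example key one" wpa2-pre-shared-key="example key one"
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys \
    name=hardened wpa2-pre-shared-key="example key two"
'''

SECTION = "/interface wireless security-profiles"
# "add ..." creates a profile; "set [ find default=yes ] ..." edits the default one.
ENTRY = re.compile(r"(add|set \[ find default=yes \])\s+(.*)")


def parse_profiles(export_text):
    """Return one {property: value} dict per profile in the export."""
    # A trailing backslash continues the command on the next (indented) line.
    joined = re.sub(r"\\\r?\n\s*", "", export_text)
    profiles, in_section = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == SECTION
            continue
        match = ENTRY.match(line) if in_section else None
        if not match:
            continue
        props = {}
        for token in shlex.split(match.group(2)):  # honours "quoted values"
            key, sep, value = token.partition("=")
            if sep:
                props[key] = value
        if match.group(1) != "add":
            props.setdefault("name", "default")
        profiles.append(props)
    return profiles


def audit_profile(props):
    """Return the list of finding codes for a single profile."""
    p = {**DEFAULTS, **props}
    mode, codes = p["mode"], []
    if mode == "none":
        codes.append("NO_ENCRYPTION")
    elif mode in ("static-keys-required", "static-keys-optional"):
        codes.append("WEP")
        if mode == "static-keys-optional":
            codes.append("UNENCRYPTED_ALLOWED")
    elif mode == "dynamic-keys":
        # The WPA properties only have effect in dynamic-keys mode.
        if set(p["authentication-types"].split(",")) & {"wpa-psk", "wpa-eap"}:
            codes.append("LEGACY_WPA")
        if "tkip" in p["unicast-ciphers"].split(","):
            codes.append("TKIP_UNICAST")
        if "tkip" in p["group-ciphers"].split(","):
            codes.append("TKIP_GROUP")
        if p["disable-pmkid"] != "yes":
            codes.append("PMKID_SENT")
    return codes


def audit_export(export_text):
    """Map each profile name to its finding codes, in export order."""
    return {p.get("name", "?"): audit_profile(p) for p in parse_profiles(export_text)}


if __name__ == "__main__":
    for name, codes in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {'ok' if not codes else ''}")
        for code in codes:
            print(f"  [{code}] {MESSAGES[code]}")
```

The untouched default profile is reported as unencrypted because '''mode''' defaults to ''none''; whether that matters depends on which interfaces and connect-list rules still reference it.<br />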
<br />
====WPA EAP properties====<br />
These properties have effect only when '''authentication-types''' contains ''wpa-eap'' or ''wpa2-eap'', and '''mode''' is set to ''dynamic-keys''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=eap-methods<br />
|type=eap-tls {{!}} eap-ttls-mschapv2 {{!}} passthrough {{!}} peap<br />
|default=passthrough<br />
|desc=Allowed types of authentication methods, multiple values can be selected. This property only has effect on Access Points.<br />
* <var>eap-tls</var> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of '''tls-mode''' and '''tls-certificate''' properties.<br />
* <var>eap-ttls-mschapv2</var> - Use EAP-TTLS with MS-CHAPv2 authentication.<br />
* <var>passthrough</var> - Access Point will relay authentication process to the RADIUS server.<br />
* <var>peap</var> - Use Protected EAP authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=supplicant-identity<br />
|type=text<br />
|default=[[Manual:System/identity | Identity]]<br />
|desc=EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-username<br />
|type=text<br />
|default=<br />
|desc=Username to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mschapv2-password<br />
|type=text<br />
|default=<br />
|desc=Password to use for authentication when ''eap-ttls-mschapv2'' authentication method is being used. This property only has effect on Stations.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-mode<br />
|type=verify-certificate {{!}} dont-verify-certificate {{!}} no-certificates {{!}} verify-certificate-with-crl<br />
|default=no-certificates<br />
|desc=This property has effect only when '''eap-methods''' contains ''eap-tls''.<br />
* <var>verify-certificate</var> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the [[Manual:System/Certificates | Certificates]] configuration.<br />
* <var>dont-verify-certificate</var> - Do not check certificate of the remote device. Access Point will not require client to provide certificate.<br />
* <var>no-certificates</var> - Do not use certificates. TLS session is established using 2048 bit anonymous Diffie-Hellman key exchange.<br />
* <var>verify-certificate-with-crl</var> - Same as ''verify-certificate'' but also checks if the certificate is valid by checking the Certificate Revocation List.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=tls-certificate<br />
|type=none {{!}} name<br />
|default=none<br />
|desc=Access Point always needs a certificate when '''tls-mode''' is set to ''verify-certificate'' or to ''dont-verify-certificate''. Client needs a certificate only if Access Point is configured with '''tls-mode''' set to ''verify-certificate''. In this case client needs a valid certificate that is signed by a CA known to the Access Point. This property only has effect when '''tls-mode''' is not set to ''no-certificates'' and '''eap-methods''' contains ''eap-tls''.<br />
}}<br />
<br />
{{ Note | The order of allowed authentication methods in <code>eap-methods</code> is important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile where '''eap-methods''' is set to ''eap-tls'',''passthrough''; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server. }}<br />
<br />
{{ Note | When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client. }}<br />
<br />
{{ Note | When <code>tls-mode</code> is using either <code>verify-certificate</code> or <code>dont-verify-certificate</code>, then the remote device has to support one of the ''RC4-MD5'', ''RC4-SHA'' or ''DES-CBC3-SHA'' TLS cipher suites. When using <code>no-certificates</code> mode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite. }}<br />
<br />
====RADIUS properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-authentication<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=This property affects how Access Point processes clients that are not found in the [[Manual:Interface/Wireless#Access_List | Access List]].<br />
* <var>no</var> - allow or reject client authentication based on the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] property of the Wireless interface.<br />
* <var>yes</var> - Query RADIUS server using MAC address of client as user name. With this setting the value of [[Manual:Interface/Wireless#General_interface_properties | default-authentication]] has no effect.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-mac authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-eap-accounting<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Explicitly enable accounting packets for radius-eap authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-called-format<br />
|type=mac {{!}} mac:ssid {{!}} ssid<br />
|default=mac:ssid<br />
|desc=Format of how the "called-id" identifier will be passed to RADIUS. When configuring radius server clients, you can specify "called-id" in order to separate multiple entries.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0<br />
|desc=When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Acct-Interim-Interval]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-format<br />
|type=XX:XX:XX:XX:XX:XX {{!}} XXXX:XXXX:XXXX {{!}} XXXXXX:XXXXXX {{!}} XX-XX-XX-XX-XX-XX {{!}} XXXXXX-XXXXXX {{!}} XXXXXXXXXXXX {{!}} XX XX XX XX XX XX<br />
|default=XX:XX:XX:XX:XX:XX<br />
|desc=Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=radius-mac-mode<br />
|type=as-username {{!}} as-username-and-password<br />
|default=as-username<br />
|desc=By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to ''as-username-and-password'', Access Point will use the same value for User-Password attribute as for the User-Name attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=radius-mac-caching<br />
|type=disabled {{!}} time<br />
|default=disabled<br />
|desc=If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value ''disabled'' will disable cache, Access Point will always contact RADIUS server.<br />
}}<br />
<br />
====WEP properties====<br />
These properties have effect only when '''mode''' is set to ''static-keys-required'' or ''static-keys-optional''.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-key-0 {{!}} static-key-1 {{!}} static-key-2 {{!}} static-key-3<br />
|type=hex<br />
|default=<br />
|desc=Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-algo-0 {{!}} static-algo-1 {{!}} static-algo-2 {{!}} static-algo-3<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with the corresponding key.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-transmit-key<br />
|type=key-0 {{!}} key-1 {{!}} key-2 {{!}} key-3<br />
|default=key-0<br />
|desc=Access Point will use the specified key to encrypt frames for clients that do not use private key. Access Point will also use this key to encrypt broadcast and multicast frames. Client will use the specified key to encrypt frames if '''static-sta-private-algo''' is set to ''none''. If corresponding '''static-algo-N''' property has value set to ''none'', then frame will be sent unencrypted (when '''mode''' is set to ''static-keys-optional'') or will not be sent at all (when '''mode''' is set to ''static-keys-required'').<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=static-sta-private-key<br />
|type=hex<br />
|default=<br />
|desc=Length of key must be appropriate for selected algorithm, see the [[Manual:Interface/Wireless#Statically_configured_WEP_keys | Statically configured WEP keys]] section. This property is used only on Stations. Access Point uses corresponding key either from [[Manual:Interface/Wireless#Access_List | private-key]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Key]] attribute.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=static-sta-private-algo<br />
|type=none {{!}} 40bit-wep {{!}} 104bit-wep {{!}} tkip {{!}} aes-ccm<br />
|default=none<br />
|desc=Encryption algorithm to use with station private key. Value ''none'' disables use of the private key. This property is only used on Stations. Access Point has to get corresponding value either from [[Manual:Interface/Wireless#Access_List | private-algo]] property, or from [[Manual:Interface/Wireless#RADIUS_MAC_authentication | Mikrotik-Wireless-Enc-Algo]] attribute. Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.<br />
}}<br />
<br />
=== Management frame protection ===<br />
<br />
'''''Used for''': Deauthentication attack prevention, MAC address cloning issue.''<br />
<br />
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.<br />
<br />
Management protection mode is configured in security-profile with '''management-protection''' setting. Possible values are:<br />
* '''disabled''' - management protection is disabled (default).<br />
* '''allowed''' - use management protection if supported by remote party (for AP - allow both non-management protection and management protection clients, for client - connect both to APs with and without management protection).<br />
* '''required''' - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection, for client - connect only to APs that support management protection).<br />
<br />
Management protection shared secret is configured with security-profile '''management-protection-key''' setting.<br />
<br />
When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.<br />
<br />
[admin@mikrotik] /interface wireless security-profiles> print <br />
0 name="default" mode=none authentication-types="" unicast-ciphers="" <br />
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" <br />
supplicant-identity="n-str-p46" eap-methods=passthrough <br />
tls-mode=no-certificates tls-certificate=none static-algo-0=none <br />
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none <br />
static-key-2="" static-algo-3=none static-key-3="" <br />
static-transmit-key=key-0 static-sta-private-algo=none <br />
static-sta-private-key="" radius-mac-authentication=no <br />
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s <br />
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username <br />
radius-mac-caching=disabled group-key-update=5m <br />
'''management-protection=disabled management-protection-key="" ''' <br />
<br />
[admin@mikrotik] /interface wireless security-profiles> set default management-protection= <br />
allowed disabled required <br />
<br />
<br />
[[Image:2009-02-06 1518.png]]<br />
<br />
===Operation details===<br />
<br />
====RADIUS MAC authentication====<br />
Note: RADIUS MAC authentication is used by access point for clients that are not found in the [[#Access lists |access-list]], similarly to the '''default-authentication''' property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.<br />
<br />
When '''radius-mac-authentication'''=''yes'', access point queries RADIUS server by sending Access-Request with the following attributes:<br />
* User-Name - Client MAC address. This is encoded as specified by the '''radius-mac-format''' setting. Default encoding is "XX:XX:XX:XX:XX:XX".<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* User-Password - When '''radius-mac-mode'''=''as-username-and-password'' this is set to the same value as User-Name. Otherwise this attribute is empty.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-mac-accounting'''=''yes''.<br />
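<br />
The Access-Request described above, as an added Python example (not RouterOS or MikroTik code) showing which User-Name and User-Password values a RADIUS server has to expect for a client, and a server-side allow-list check that does not depend on '''radius-mac-format'''. The function names, the upper-case hex digits and the mapping of '''radius-called-format''' values onto Called-Station-Id are assumptions; the sample addresses in the test data are constructed.<br />

```python
# Added example: attributes of the RADIUS MAC authentication Access-Request.
# Helper names and upper-case hex output are assumptions, not RouterOS code.

# Templates accepted by radius-mac-format, as listed on this page.
MAC_FORMATS = {
    "XX:XX:XX:XX:XX:XX", "XXXX:XXXX:XXXX", "XXXXXX:XXXXXX",
    "XX-XX-XX-XX-XX-XX", "XXXXXX-XXXXXX", "XXXXXXXXXXXX",
    "XX XX XX XX XX XX",
}


def mac_digits(mac):
    """Reduce any of the supported MAC encodings to 12 upper-case hex digits."""
    digits = "".join(c for c in mac if c not in ":- ").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac, template):
    """Encode a MAC address according to a radius-mac-format template."""
    if template not in MAC_FORMATS:
        raise ValueError(f"unsupported radius-mac-format: {template!r}")
    digits = iter(mac_digits(mac))
    return "".join(next(digits) if ch == "X" else ch for ch in template)


def mac_auth_request(client_mac, ap_mac, ssid, interface,
                     mac_format="XX:XX:XX:XX:XX:XX", mac_mode="as-username",
                     called_format="mac:ssid", acct_session_id=None):
    """Build the attribute set the access point sends for one client."""
    if mac_mode not in ("as-username", "as-username-and-password"):
        raise ValueError(f"unsupported radius-mac-mode: {mac_mode!r}")
    user_name = format_mac(client_mac, mac_format)
    ap = format_mac(ap_mac, "XX-XX-XX-XX-XX-XX")
    # Assumption: radius-called-format selects which parts are sent.
    called = {"mac": ap, "mac:ssid": f"{ap}:{ssid}", "ssid": ssid}[called_format]
    attrs = {
        "User-Name": user_name,
        "Nas-Port-Id": interface,
        # Empty by default; a copy of User-Name in as-username-and-password mode.
        "User-Password": user_name if mac_mode == "as-username-and-password" else "",
        "Calling-Station-Id": format_mac(client_mac, "XX-XX-XX-XX-XX-XX"),
        "Called-Station-Id": called,
    }
    if acct_session_id is not None:  # only with radius-mac-accounting=yes
        attrs["Acct-Session-Id"] = acct_session_id
    return attrs


def authorize(attrs, allowed_macs, mac_mode="as-username"):
    """Server-side check: consistent request for a client on the allow-list."""
    try:
        user = mac_digits(attrs["User-Name"])
        calling = mac_digits(attrs["Calling-Station-Id"])
    except (KeyError, ValueError):
        return False
    expected_password = (attrs["User-Name"]
                         if mac_mode == "as-username-and-password" else "")
    return (user == calling
            and attrs.get("User-Password", "") == expected_password
            and user in {mac_digits(m) for m in allowed_macs})
```

Because the password is either empty or a copy of the MAC address, the request carries no secret known only to the client; the check above decides on the MAC address alone.<br />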
<br />
When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<br />
* Ascend-Data-Rate<br />
* Ascend-Xmit-Rate<br />
* Mikrotik-Wireless-Forward - Same as [[#Access lists |access-list]] '''forwarding'''.<br />
* Mikrotik-Wireless-Enc-Algo - Same as [[#Access lists |access-list]] '''private-algo'''.<br />
* Mikrotik-Wireless-Enc-Key - Same as [[#Access lists |access-list]] '''private-key'''.<br />
* Mikrotik-Wireless-Psk - Same as [[#Access lists |access-list]] '''private-pre-shared-key'''.<br />
* Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list<br />
* Session-Timeout - Time, after which client will be disconnected.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
<br />
=====Caching=====<br />
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before the response from the RADIUS server is received. Access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.<br />
<br />
====RADIUS EAP pass-through authentication====<br />
When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:<br />
* User-Name - EAP supplicant identity. This value is configured in the '''supplicant-identity''' property of the client security profile.<br />
* Nas-Port-Id - '''name''' of wireless interface.<br />
* Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".<br />
* Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).<br />
* Acct-Session-Id - Added when '''radius-eap-accounting'''=''yes''.<br />
* Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded as ''AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX''.<br />
:Added when '''radius-eap-accounting'''=''yes''.<br />
<br />
Access point uses following RADIUS attributes from the Access-Accept server response:<br />
* Class - If present, value of this attribute is saved and included in Accounting-Request messages.<br />
* Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.<br />
* Acct-Interim-Interval - Overrides value of '''interim-update'''.<br />
<br />
=====Usage=====<br />
'''Radius authentication with one server'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless</code><br />
<br />
<br />
'''Radius authentication with different radius servers for each SSID'''<br />
<br />
1. Create security-profile:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless security-profiles</span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>name</span>=radius <span style='color: #009B00;'>mode</span>=dynamic-keys <span style='color: #009B00;'>authentication-types</span>=wpa2-eap <span style='color: #009B00;'>supplicant-identity</span>=RadUserIdent <span style='color: #009B00;'>radius-called-format</span>=ssid</code><br />
2. Assign the security-profile to WLAN interface:<br />
::<code class=samp><span style='color: #009B9B;'>/interface wireless </span> <span style='color: #9B009B;'>set</span> <span style='color: #009B00;'>security-profile</span>=radius</code><br />
3. Add Radius server1 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=x.x.x.x <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID1</code><br />
4. Add Radius server2 client:<br />
::<code class=samp><span style='color: #009B9B;'>/radius </span> <span style='color: #9B009B;'>add</span> <span style='color: #009B00;'>address</span>=y.y.y.y <span style='color: #009B00;'>secret</span>=MySecret <span style='color: #009B00;'>service</span>=wireless <span style='color: #009B00;'>called-id</span>=WLAN_SSID2</code><br />
<br />
====Statically configured WEP keys====<br />
Different algorithms require different length of keys:<br />
* ''40bit-wep'' - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.<br />
* ''104bit-wep'' - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.<br />
* ''tkip'' - At least 64 hexadecimal digits (256 bits).<br />
* ''aes-ccm'' - At least 32 hexadecimal digits (128 bits).<br />
Key must contain even number of hexadecimal digits.<br />
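<br />
The length rules above and the '''static-transmit-key''' behaviour described under WEP properties, applied to a security profile as an added Python example (not RouterOS or MikroTik code). The function names are assumptions and the sample profile with its key values is constructed.<br />

```python
# Added example: check the static keys of a security profile against the
# length rules on this page. Names and sample data are illustrative.
import re
import shlex

# algorithm -> (required hexadecimal digits, True if extra digits are ignored)
KEY_RULES = {
    "40bit-wep": (10, True),
    "104bit-wep": (26, True),
    "tkip": (64, False),
    "aes-ccm": (32, False),
}

# (algorithm property, key property) pairs of a security profile
SLOTS = [(f"static-algo-{n}", f"static-key-{n}") for n in range(4)]
SLOTS.append(("static-sta-private-algo", "static-sta-private-key"))

# Constructed sample in the name=value form shown by "print".
SAMPLE_PROFILE = '''
0 name="legacy" mode=static-keys-optional static-algo-0=none static-key-0=""
  static-algo-1=40bit-wep static-key-1="0123456789abcdef"
  static-algo-2=104bit-wep static-key-2="0123456789abcdef0123456789"
  static-algo-3=aes-ccm static-key-3="00112233445566778899aabbccddeef"
  static-transmit-key=key-0 static-sta-private-algo=none
  static-sta-private-key=""
'''


def parse_properties(text):
    """Split name=value words; values may be double-quoted."""
    props = {}
    for word in shlex.split(text):
        name, sep, value = word.partition("=")
        if sep:
            props[name] = value
    return props


def check_key(algo, key):
    """Return the list of problems for one algorithm/key pair."""
    if algo == "none":
        return []
    if algo not in KEY_RULES:
        return [f"unknown algorithm {algo!r}"]
    digits, extra_ignored = KEY_RULES[algo]
    problems = []
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        problems.append("key is not hexadecimal")
    if len(key) % 2:
        problems.append("odd number of hexadecimal digits")
    if len(key) < digits:
        problems.append(f"{len(key)} digits, {algo} needs at least {digits}")
    elif extra_ignored and len(key) > digits:
        problems.append(f"only the first {digits * 4} bits are used")
    return problems


def audit_profile(props):
    """Return (property, problem) pairs for every static key issue found."""
    findings = []
    for algo_prop, key_prop in SLOTS:
        algo = props.get(algo_prop, "none")
        for problem in check_key(algo, props.get(key_prop, "")):
            findings.append((key_prop, problem))
    mode = props.get("mode", "none")
    if mode in ("static-keys-required", "static-keys-optional"):
        slot = props.get("static-transmit-key", "key-0").split("-")[1]
        if props.get(f"static-algo-{slot}", "none") == "none":
            effect = ("frames are sent unencrypted"
                      if mode == "static-keys-optional"
                      else "frames are not sent at all")
            findings.append(("static-transmit-key",
                             f"key-{slot} has algorithm none: {effect}"))
    return findings


if __name__ == "__main__":
    for prop, problem in audit_profile(parse_properties(SAMPLE_PROFILE)):
        print(f"{prop}: {problem}")
```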
<br />
====WDS security configuration====<br />
WDS links can use all available security features. However, they require careful configuration of security parameters.<br />
<br />
It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[#Connect lists | connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from the matching connect list entry. WDS link will work when each access point has a connect list entry that matches the other device, has '''connect'''=''yes'' and specifies compatible '''security-profile'''.<br />
<br />
=====WDS and WPA/WPA2=====<br />
If access point uses security profile with '''mode'''=''dynamic-keys'', then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how ''static-mesh'' and ''dynamic-mesh'' WDS modes work. Some problems, like single sided WDS link between two incorrectly configured access points that use non''-mesh'' mode, are not possible if WPA encryption is enabled. However, non''-mesh'' modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the ''-mesh'' WDS modes.<br />
<br />
In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are '''authentication-types''', '''unicast-ciphers''', '''group-ciphers'''. For non''-mesh'' WDS mode these properties need to have the same values on both devices. In ''mesh'' WDS mode each access point has to support the other one as a client.<br />
<br />
Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.<br />
<br />
Implementation of ''eap-tls'' EAP method in RouterOS is particularly well suited for WDS link encryption. '''tls-mode'''=''no-certificates'' requires no additional configuration, and provides very strong encryption.<br />
<br />
=====WDS and WEP=====<br />
'''mode''', '''static-sta-private-key''' and '''static-sta-private-algo''' parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.<br />
<br />
====Security profile and access point matching in the connect list====<br />
Client uses value of [[#Connect lists | connect-list]] '''security-profile''' property to match only those access points that support necessary security.<br />
* '''mode'''=''static-keys-required'' and '''mode'''=''static-keys-optional'' matches only access points with the same '''mode''' in interface '''security-profile'''.<br />
* If '''mode'''=''dynamic-keys'', then connect list entry matches if all of the '''authentication-types''', '''unicast-ciphers''' and '''group-ciphers''' contain at least one value that is advertised by access point.<br />
<br />
==Virtual interfaces ==<br />
<br />
=== VirtualAP ===<br />
<br />
It is possible to create virtual access points using the ''add'' command in the wireless menu. You must specify the ''master-interface'' which the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" is active. The Virtual AP can have its own SSID and Security Profile.<br />
<br />
Virtual AP interface will only work if master interface is in ''ap-bridge'', ''bridge'', ''station'' or ''wds-slave'' mode. It works only with 802.11 protocol, Nv2 is not supported. <br />
<br />
This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. <br />
For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.<br />
<br />
<p id="shbox"><b>To create a new virtual-ap:</b> <code>/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
''Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since the performance will start to degrade.''<br />
<br />
=== Virtual Clients ===<br />
<br />
<br />
{{Note|Starting from 6.35 only in wireless-rep or wireless-cm2 package}}<br />
<br />
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This makes it possible to build a repeater setup using only one hardware card. The configuration process is exactly the same as above, but use mode '''station''': <br />
<br />
<p id="shbox"><b>To create a new virtual-client:</b> <code>/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile</code> (<em>such security profile first needs to be created</em>)</p><br />
<br />
{{Note|Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.}}<br />
<br />
==Sniffer==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer</code></p><br />
<br />
<br />
Wireless sniffer allows to capture frames including Radio header, 802.11 header and other wireless related information.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=channel-time<br />
|type=<br />
|default=200ms<br />
|desc=How long to sniff each channel. Used only if '''multiple-channels'''=yes<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated file size in kilobytes which will be used to store captured data. Applicable if '''file-name''' is specified.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=file-name<br />
|type=string<br />
|default=<br />
|desc=Name of the file where to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-limit<br />
|type=integer [10..4294967295]<br />
|default=10<br />
|desc=Allocated memory buffer in kilobytes used to store captured data.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multiple-channels<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to sniff multiple channels or a single channel. '''No''' means that all channel settings will be taken from '''/interface wireless''', <br />
<br>'''Yes''' means that all channel settings will be taken from '''scan-list''' under '''/interface wireless'''.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-headers<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=If set to yes, then sniffer will capture only information stored in frame headers.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=receive-errors<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to process packets with a CRC mismatch<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-enabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to stream captured data to specified streaming server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=streaming-max-rate<br />
|type=integer [0..4294967295]<br />
|default=0<br />
|desc=Maximum packets per second allowed. '''0''' equals unlimited<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=streaming-server<br />
|type=IPv4<br />
|default=0.0.0.0<br />
|desc=IP address of the streaming server.<br />
}}<br />
<br />
{{Note | Use the command '''/interface wireless info scan-list''' to verify your '''scan-list''' defined under '''/interface wireless channels''' when using '''<nowiki>multiple-channels=yes</nowiki>'''}}<br />
<br />
===Packets===<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless sniffer packet</code></p><br />
<br />
Sub-menu shows captured packets.<br />
<br />
==Scan==<br />
<br />
The scan command shows the APs available in the frequency range defined in the scan-list.<br />
While the scan command is running, the interface operation is disabled (the wireless link is disconnected during the scan operation).<br />
Since RouterOS v6.35 (wireless-rep), background scan is supported, which can be used during the wireless interface operation without disconnecting the wireless link. Background scan is supported only when using the 802.11 wireless protocol.<br />
<br />
The scan tool will continue scanning for APs until the user stops the scan process. The 'rounds' setting makes the scan tool go through the scan-list entries a specific number of times. It is useful when running the scan tool from scripts. Example of scan command for one round:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1<br />
</pre><br />
<br />
The 'save-file' option allows scripted/scheduled scans that save the results in a file for future analysis. Together with the rounds setting, this feature also makes it possible to get scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to the file, exits the scan and connects the wireless link back. Example:<br />
<pre><br />
/interface wireless scan wlan1 rounds=1 save-file=scan1<br />
</pre><br />
<br />
To use background wireless scan the 'background=yes' setting should be provided. Example:<br />
<pre><br />
/interface wireless scan wlan1 background=yes<br />
</pre><br />
<br />
The background scan feature works under the following conditions:<br />
* Wireless interface should be enabled<br />
* For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)<br />
* For wireless interface in Station mode - when it is connected to 802.11 protocol AP.<br />
<br />
The scan command is also supported on Virtual wireless interfaces, with the following limitations:<br />
* It is possible when the virtual interface and its master are fixed on a channel (master AP is running or master station is connected to AP).<br />
* Scan is only performed on the channel the master interface is on.<br />
* It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".<br />
<br />
==Snooper==<br />
<br />
This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless snooper</code></p><br />
<br />
[[File:Snoop1.png]]<br />
<br />
[[File:Snoop2.png]]<br />
<br />
==== Settings ====<br />
<br />
[[File:Snoop3.PNG]]<br />
<br />
== Spectral scan == <br />
<br />
* See separate document [[Manual:Spectral_scan]]<br />
<br />
==WDS==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless wds</code></p><br />
<br />
'''Properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disable-running-check<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=integer [0..65536]<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=master-interface<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer [0..65536]<br />
|default=1500<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wds-address<br />
|type=MAC<br />
|default=00:00:00:00:00:00<br />
|desc=<br />
}}<br />
<br />
<br />
'''Read-only properties:'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=mac-address<br />
|type=MAC<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=running<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==WPS==<br />
<br />
Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).<br />
<br />
===WPS Server ===<br />
<br />
WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration.<br />
<br />
WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:<br />
<pre> /interface wireless set wlan1 wps-mode=push-button</pre><br />
<br />
wps-mode has 3 options:<br />
* disabled<br />
* push-button - WPS is activated by pushing a physical button on the board (a few boards have such a button marked on the board case/label)<br />
* push-button-virtual-only - WPS is activated by pushing the "WPS Accept" button in the RouterOS wireless interface menu<br />
<br />
Pushing the physical or virtual WPS button makes the AP enable the WPS functionality. If the WPS process isn't initiated within 2 minutes, the WPS Accept function is stopped.<br />
<br />
WPS Server is enabled by default on a few boards that have a marked physical WPS button, for example hap lite, hap, hap ac lite, hap ac, map lite.<br />
<br />
WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled.<br />
It is possible to configure this mode for the Virtual AP interfaces as well.<br />
<br />
===WPS Client===<br />
<br />
The WPS Client function allows the wireless client to get the Pre-Shared Key configuration of an AP that has WPS Server enabled.<br />
WPS Client can be enabled with the following command:<br />
<pre> /interface wireless wps-client wlan1</pre><br />
<br />
The WPS Client command prints all the information received from the WPS-enabled AP on the screen, including the passphrase. Example:<br />
<pre><br />
[admin@MikroTik] /interface wireless> wps-client wlan1<br />
status: disconnected, success<br />
ssid: MikroTik<br />
mac-address: E4:8D:8C:D6:E0:AC<br />
passphrase: presharedkey<br />
authentication: wpa2-psk<br />
encryption: aes-ccm<br />
</pre><br />
<br />
It is possible to specify additional settings for the WPS-Client command:<br />
* create-profile - creates a wireless security profile with the specified name, configures it with the security details received from the WPS AP, and sets the wireless interface to use the newly created security profile<br />
* ssid - get WPS information only from AP with specified SSID<br />
* mac-address - get WPS information only from AP with specified mac-address<br />
<br />
==Repeater==<br />
<br />
The wireless repeater receives the signal from the AP and repeats it locally on the same physical interface so that other clients can connect. This extends the wireless service for wireless clients.<br />
The wireless repeater function configures the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, creates a virtual AP interface, creates a bridge interface and adds both (main and virtual) interfaces to the bridge ports.<br />
<br />
If your AP '''supports button-enabled WPS''' mode, you can use the automatic setup command:<br />
<pre><br />
/interface wireless setup-repeater wlan1<br />
</pre><br />
<br />
The setup-repeater command performs the following steps:<br />
* searches for WPS AP with button pushed<br />
* acquires SSID, key, channel from AP<br />
* resets main master interface config (same as reset-configuration)<br />
* removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)<br />
* removes all virtual interfaces added to this master<br />
* creates a security profile with the name "<interfacename>-<ssid>-repeater"; if such a security profile already exists, it does not create a new one, it just updates the settings<br />
* configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge<br />
* creates virtual AP interface with same SSID and security profile as master<br />
* if master interface is not in some bridge, creates new bridge interface and adds master interface to it<br />
* adds virtual AP interface to the same bridge master interface is in.<br />
<br />
If your AP '''does not support WPS''', it is possible to specify the settings manually, using these parameters: <br />
<br />
* '''address''' - MAC address of AP to setup repeater for (optional)<br />
* '''ssid''' - SSID of AP to setup repeater for (optional) <br />
* '''passphrase''' - key to use for AP - if this IS specified, the command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, the command will do WPS to find out passphrase.<br />
<br />
{{Note | Configuring the '''address''' field will add a connection-list entry with the specified MAC address and set master WLAN interface with [[M:Interface/Wireless#Connect_List | default-authenticate=no]]<br />
<br> If you want to allow the repeater to connect to an AP with the same SSID/Passphrase but different MAC, but still prioritize '''address''' configured MAC, set <nowiki>default-authenticate=yes</nowiki>, otherwise adjust connection-list manually or don't use the '''address''' field}}<br />
<br />
<br />
The same options are available in the GUI:<br />
<br />
[[File:Screen.jpg|700px]]<br />
<br />
==Station-Roaming==<br />
The Station Roaming feature is available only for the 802.11 wireless protocol and only for station modes.<br />
When a RouterOS wireless client is connected to the AP using the 802.11 wireless protocol, it periodically performs a background scan at specific time intervals. When the background scan finds an AP with a better signal, the client tries to roam to that AP. The intervals between background scans become shorter when the wireless signal gets worse and longer when the wireless client signal gets better.<br />
<br />
{{Note | If there is only one possible AP that the station(s) can connect to, it is recommended to disable the feature, as it can increase traffic latency during the background scan or in some cases even briefly disconnect the station from the AP}}<br />
<br />
==VLAN tagging==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless</code></p><br />
<br />
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (one on which wireless interfaces are bridged with Ethernet). This is necessary to separate, for example, "management" and "guest" network traffic on the Ethernet side of APs.<br />
<br />
A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag and only data with this tag is sent out over wireless. This works for all wireless protocols, except that on Nv2 there is no Virtual AP support.<br />
<br />
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use [[Manual:RADIUS_Client/vendor_dictionary|RADIUS attributes]].<br />
<br />
{{Note | To use this option you must enable the wireless-fp or wireless-cm2 package on RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.}}<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-mode<br />
|type=no-tag {{!}} use-service-tag {{!}} use-tag<br />
|default=no-tag<br />
|desc=Three VLAN modes are available:<br />
* ''no-tag'' - the AP doesn't use VLAN tagging<br />
* ''use-service-tag'' - the VLAN ID uses the 802.1ad tag type<br />
* ''use-tag'' - the VLAN ID uses the 802.1q tag type<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-id<br />
|type=integer [1..4095]<br />
|default=1<br />
|desc=VLAN identification number<br />
}}<br />
<br />
===Vlan tag override===<br />
<br />
The per-interface VLAN tag can be overridden on a per-client basis by means of <br />
access-list and RADIUS attributes (for both regular wireless and <br />
wireless controller).<br />
<br />
This way traffic can be separated between wireless clients even on the <br />
same interface, but must be used with care - only "interface VLAN" <br />
broadcast/multicast traffic will be sent out. If working <br />
broadcast/multicast is necessary for other (overridden) VLANs as well, <br />
multicast-helper can be used for now (this changes every multicast <br />
packet to unicast and then it is only sent to clients with matching VLAN <br />
ids).<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|W]]<br />
[[Category:Wireless|W]]<br />
[[Category:Interface|W]]<br />
<br />
==Winbox==<br />
[[Manual:Winbox|Winbox]] is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.<br />
<br />
{{Note | Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).}}<br />
<br />
==Interworking Realms setting==<br />
<br />
Starting from RouterOS v6.42rc27, the following setting is available:<br />
<br />
'''realms-raw''' - list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.<br />
<br />
Each hex encoded string must consist of the following fields:<br />
- NAI Realm Encoding (1 byte)<br />
- NAI Realm Length (1 byte)<br />
- NAI Realm (variable)<br />
- EAP Method Count (1 byte)<br />
- EAP Method Tuples (variable)<br />
<br />
For example, value "00045465737401020d00" decodes as:<br />
- NAI Realm Encoding: 0 (rfc4282)<br />
- NAI Realm Length: 4<br />
- NAI Realm: Test<br />
- EAP Method Count: 1<br />
- EAP Method Length: 2<br />
- EAP Method Tuple: TLS, no EAP method parameters<br />
<br />
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls".<br />
<br />
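The field layout above can be checked before a value is pasted into realms-raw. The following Python decoder and encoder is an added example, not MikroTik's code: the function names and the EAP name table are assumptions of this example, the EAP type numbers 13 (TLS) and 18 (SIM) are the IANA-assigned ones, and the authentication parameter layout (ID, length, value) follows the 802.11-2016 section cited on this page.<br />

```python
"""Decode and encode realms-raw strings: a NAI Realm Tuple without the
NAI Realm Data Field Length field, using the field list given on this page."""

# IANA EAP method type numbers. The short names are labels used by this
# example only; any other type is reported as "type-<number>".
EAP_METHODS = {13: "eap-tls", 18: "eap-sim"}


class RealmError(ValueError):
    """Raised when a realms-raw string is malformed."""


def _take(buf, pos, n, what):
    """Return n bytes starting at pos and the new position, or fail loudly."""
    if pos + n > len(buf):
        raise RealmError(f"truncated {what} at offset {pos}")
    return buf[pos:pos + n], pos + n


def decode_realm(hex_string):
    """Parse one hex-encoded tuple and reject truncated or oversized input."""
    try:
        buf = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise RealmError(f"not valid hex: {exc}") from None
    pos = 0
    (encoding,), pos = _take(buf, pos, 1, "NAI Realm Encoding")
    (realm_len,), pos = _take(buf, pos, 1, "NAI Realm Length")
    realm, pos = _take(buf, pos, realm_len, "NAI Realm")
    (count,), pos = _take(buf, pos, 1, "EAP Method Count")
    methods = []
    for _ in range(count):
        (tuple_len,), pos = _take(buf, pos, 1, "EAP Method Length")
        body, pos = _take(buf, pos, tuple_len, "EAP Method Tuple")
        if tuple_len < 2:
            raise RealmError("EAP Method Tuple shorter than 2 bytes")
        method, param_count = body[0], body[1]
        params, p = [], 2
        for _ in range(param_count):
            header, p = _take(body, p, 2, "authentication parameter header")
            value, p = _take(body, p, header[1], "authentication parameter")
            params.append((header[0], value.hex()))
        if p != len(body):
            raise RealmError("EAP Method Length does not match its contents")
        methods.append({"method": EAP_METHODS.get(method, f"type-{method}"),
                        "params": params})
    if pos != len(buf):
        raise RealmError(f"{len(buf) - pos} trailing byte(s) after the tuple")
    try:
        realm_text = realm.decode("utf-8")
    except UnicodeDecodeError:
        raise RealmError("NAI Realm is not valid text") from None
    return {"encoding": encoding, "realm": realm_text, "methods": methods}


def encode_realm(realm, method):
    """Build the hex string for one realm with one EAP method, no parameters.

    Encoding 0 (rfc4282) and a parameter count of 0 mirror the page's example.
    """
    numbers = {name: number for number, name in EAP_METHODS.items()}
    if method not in numbers:
        raise RealmError(f"unknown EAP method {method!r}")
    name = realm.encode("utf-8")
    if len(name) > 255:
        raise RealmError("realm does not fit the 1-byte NAI Realm Length")
    method_tuple = bytes([2, numbers[method], 0])  # length, method, param count
    return (bytes([0, len(name)]) + name + bytes([1]) + method_tuple).hex()


if __name__ == "__main__":
    # The value from this page, then a constructed value with one parameter.
    for sample in ("00045465737401020d00", "00045465737401051501020104"):
        print(sample, "->", decode_realm(sample))
    print(encode_realm("Test", "eap-tls"))
```

The page confirms the equivalence with the realms setting only for "Test:eap-tls"; output of encode_realm for other inputs should be compared against what the device actually advertises.<br />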
Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:TOC&diff=34388Manual:TOC2021-05-27T07:26:48Z<p>Guntis: </p>
<hr />
<div>{{ Note | Take a look at our [https://help.mikrotik.com/docs/ new documentation!] }}<br />
<br />
__NOTOC__<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''General'''<br />
|title-center=<br />
|title-right=<br />
|content-left=<br />
'''Basic'''<br />
* [[M:First_time_startup | First Time Startup]]<br />
* [[M:Initial_Configuration | Initial Configuration using WebFig]]<br />
* [[M:Console_login_process | Console Login Process]]<br />
* [[Manual:Troubleshooting_tools | Troubleshooting Tools]]<br />
* [[Manual:Support_Output_File | Support output file]]<br />
* [[Manual:Securing_Your_Router | Securing your router]]<br />
* [[Manual:RouterOS_FAQ | RouterOS FAQ]]<br />
* [[Manual:Connection_oriented_communication_(TCP/IP) | Connection Oriented Communication (TCP/IP)]]<br />
* [[Manual:Router AAA | Router users and groups]]<br />
<br />
<br />
'''Management tools'''<br />
* [[M:Console | Console]]<br />
* [[M:Winbox | Winbox]]<br />
* [[M:Webfig | WebFig]]<br />
* [[M:Quickset | QuickSet]]<br />
* [[M:CAPsMAN | CAPsMAN]]<br />
<br />
|content-center=<br />
'''RouterOS Licensing'''<br />
* [[M:License | License]]<br />
* [[M:Purchasing_a_License_for_RouterOS | Purchasing a License for RouterOS]]<br />
* [[M:Entering_a_RouterOS_License_key | Entering a RouterOS License key]]<br />
* [[M:Replacement_Key | Replacement Key]]<br />
<br />
'''Hardware'''<br />
* [[Manual:RouterBOARD_settings | RouterBOARD settings]]<br />
* [[Manual:RouterBOOT | RouterBOOT]]<br />
* [[M:PoE-In | PoE input for RouterBOARD]]<br />
* [[M:Product_Naming | Product Naming]]<br />
* [[Manual:Peripherals | Supported peripherals]]<br />
* [[Manual:CHR | CHR]]<br />
<br />
|content-right=<br />
'''What's New'''<br />
* <span class="plainlinks">[https://mikrotik.com/download/changelogs What's new in v6]</span><br />
<br />
<br />
'''RouterOS Installation and packages'''<br />
* [[M:Default_Configurations | Default Configurations on RouterBOARDS]]<br />
* [[M:System/Packages | RouterOS package types]]<br />
* [[M:Upgrading_RouterOS | Upgrading RouterOS]]<br />
* [[M:Netinstall | Netinstall]]<br />
* [[M:Configuration_Management | Configuration Management]] <br />
<br />
}}<br />
<br />
<br />
=Bridging and switching=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<DynamicPageList><br />
category = Bridging and switching<br />
category = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Bridging and switching<br />
category = Case Studies<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Bridging and switching<br />
category = Examples<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=Multicast=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<DynamicPageList><br />
category = Multicast<br />
category = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Multicast<br />
category = Case Studies<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Multicast<br />
category = Examples<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=Wireless=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<DynamicPageList><br />
category = Wireless<br />
category = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Wireless<br />
category = Case Studies<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Wireless<br />
category = Examples<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=Interface=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:Interface<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Interface<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = Interface<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=IP=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:IP<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = IP<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = IP<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
}}<br />
<br />
=IPv6=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:IPv6<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = IPv6<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = IPv6<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}<br />
<br />
=Routing=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Routing protocol case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:Routing<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<br />
'''BGP'''<br />
<DynamicPageList><br />
ordermethod = sortkey<br />
order = ascending<br />
category = Routing<br />
category = Manual<br />
category = BGP<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
'''OSPF'''<br />
<DynamicPageList><br />
ordermethod = sortkey<br />
order = ascending<br />
category = Routing<br />
category = Manual<br />
category = OSPF<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
'''Other'''<br />
<DynamicPageList><br />
notcategory = BGP<br />
notcategory = OSPF<br />
category = Routing<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = Routing<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
}}<br />
<br />
=MPLS=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<br />
* '''Interface'''<br />
**[[M:Interface/VPLS | vpls ]]<br />
**[[M:Interface/Traffic_Engineering | traffic-eng]]<br />
<br />
* '''MPLS'''<br />
**[[M:MPLS/LDP | ldp ]]<br />
<br />
<br />
|content-center=<br />
'''General'''<br />
* [[M:MPLS/Overview|MPLS Overview and RouterOS MPLS Implementation Status]]<br />
* [[M:MPLS/EXP bit behaviour | EXP bit behaviour]]<br />
* [[M:Maximum_Transmission_Unit_on_RouterBoards#MPLS.2FLayer-2.5.2FL2.5_MTU|L2MTU]]<br />
<br />
<br />
'''Layer2 VPN'''<br />
* [[M:MPLSVPLS|LDP and LDP based VPLS]]<br />
* [[M:BGP_based_VPLS|BGP based VPLS]]<br />
* [[M:Cisco_VPLS|Cisco style VPLS]]<br />
* [[M:VPLS_Control_Word|VPLS Control Word]]<br />
<br />
<br />
'''Layer3 VPN'''<br />
* [[M:Virtual Routing and Forwarding | Virtual Routing and Forwarding (VRF)]]<br />
* [[M:OSPF as PE-CE routing protocol | OSPF as PE-CE routing protocol]]<br />
* [[M:EBGP as PE-CE routing protocol | EBGP as PE-CE routing protocol]]<br />
<br />
<br />
'''Traffic Engineering'''<br />
* [[M:TE_Tunnels|TE Tunnels]]<br />
* [[M:TE_tunnel_auto_bandwidth|TE Tunnel Bandwidth Control]]<br />
<br />
<br />
<br />
|content-right=<br />
'''General'''<br />
* [[M:MPLS over PPPoE | MPLS over PPPoE]]<br />
<br />
<br />
'''Layer2 VPN'''<br />
* [[Manual:MPLS_L2VPN_vs_Juniper | P2P L2VPN to Juniper router]]<br />
<br />
<br />
'''Layer3 VPN'''<br />
* [[M:Layer-3 MPLS VPN example|A complete Layer-3 MPLS VPN example]]<br />
* [[VRF_Route_Leaking|VRF Route Leaking]]<br />
* [[M:Internet access from VRF|Internet access from VRF]]<br />
* [[M:Internet access from VRF with NAT|Internet access from VRF with NAT]]<br />
<br />
<br />
'''Traffic Engineering'''<br />
* [[M:Simple_TE | Simple TE configuration]]<br />
* [[M:TE Tunnels Example | TE tunnels for VPLS]]<br />
<br />
}}<br />
<br />
=System=<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:System<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = System<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = System<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
}}<br />
<br />
=Tools=<br />
<br />
<br />
{{ycgu-cooltable-3<br />
|title-left='''List of reference sub-pages'''<br />
|title-center='''Case studies'''<br />
|title-right='''List of examples'''<br />
|content-left=<br />
<splist<br />
parent=M:Tools<br />
showparent=yes<br />
/><br />
<br />
|content-center=<br />
<DynamicPageList><br />
category = Tools<br />
category = Manual<br />
category = Case Studies<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
<br />
|content-right=<br />
<DynamicPageList><br />
category = Manual<br />
category = Tools<br />
category = Examples<br />
namespace = Manual<br />
shownamespace = false<br />
</DynamicPageList><br />
<br />
}}</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interworking_Profiles&diff=34386Manual:Interworking Profiles2021-05-21T10:17:10Z<p>Guntis: </p>
<hr />
<div>{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Interworking+Profiles}}<br />
<br />
{{Versions|v6}}<br />
=Summary=<br />
===Interworking===<br />
Interworking is the occurrence of two or more things working together. For a better wireless network experience, information about the network must be exchanged between Access Points and wireless client devices, but the information that can be found in basic wireless beacons and probe requests is limited. For this reason, the IEEE 802.11u™-2011 (Interworking with External Networks) standard was created; it specifies how devices should exchange information with each other. The network discovery and Access Point selection process can be enhanced with the interworking service, and wireless client devices can have more criteria upon which to choose the network to associate with.<br />
<br />
===Hotspot 2.0===<br />
Hotspot 2.0 is a specification developed and owned by the Wi-Fi Alliance. It was designed to enable a more cellular-like experience when connecting to Wi-Fi networks. To increase wireless network security, Hotspot 2.0 access points use mandatory WPA2 authentication. Hotspot 2.0 relies on Interworking and adds some properties and procedures of its own.<br />
<br />
<br />
Interworking profiles are implemented according to IEEE 802.11u and Hotspot 2.0 Release 1 specifications.<br />
<br />
=Configuration Properties=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless interworking-profiles</code></p><br />
===Information elements in beacon and probe response===<br />
<br />
Some information can be added to beacon and probe response packets with an Interworking element. The following parameters of an Interworking element can be configured:<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=asra<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Additional Steps Required for Access. Set to <code>yes</code>, if a user should take additional steps to access the internet, like the walled garden.<br />
}}<br />
{{Mr-arg-table<br />
|arg=esr<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Emergency services reachable (ESR). Set to <code>yes</code> in order to indicate that emergency services are reachable through the access point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hessid<br />
|type=MAC address<br />
|default=<br />
|desc=Homogenous extended service set identifier (HESSID). Devices that provide access to the same external networks are in one homogenous extended service set. This service set can be identified by a HESSID that is the same on all access points in the set. The 6-byte value of the HESSID is represented as a MAC address. It should be globally unique, therefore it is advised to use one of the MAC addresses of an access point in the service set.<br />
}}<br />
{{Mr-arg-table<br />
|arg=internet<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether the internet is available through this connection or not. This information is included in the Interworking element.<br />
}}<br />
{{Mr-arg-table<br />
|arg=network-type<br />
|type=emergency-only {{!}} personal-device {{!}} private {{!}} private-with-guest {{!}} public-chargeable {{!}} public-free {{!}} test {{!}} wildcard<br />
|default=wildcard<br />
|desc=Information about network access type.<br />
* <code>emergency-only</code> - a network dedicated and limited to accessing emergency services;<br />
* <code>personal-device</code> - a network of personal devices. An example of this type of network is a camera that is attached to a printer, thereby forming a network for the purpose of printing pictures;<br />
* <code>private</code> - network for users with user accounts. Usually used in enterprises for employees, not guests;<br />
* <code>private-with-guest</code> - same as private, but guest accounts are available;<br />
* <code>public-chargeable</code> - a network that is available to anyone willing to pay. For example, a subscription to Hotspot 2.0 service or in-room internet access in a hotel;<br />
* <code>public-free</code> - network is available to anyone without any fee. For example, municipal network in city or airport Hotspot;<br />
* <code>test</code> - network used for testing and experimental uses. Not used in production;<br />
* <code>wildcard</code> - is used on Wireless clients. Sending probe request with a wildcard as network type value will make all Interworking Access Points respond despite their actual network-type setting.<br />
A client sends a probe request frame with network-type set to the value it is interested in. It will receive replies only from access points with the same value (except in the case of wildcard).<br />
}}<br />
{{Mr-arg-table<br />
|arg=uesa<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Unauthenticated emergency service accessible (UESA).<br />
* <code>no</code> - indicates that no unauthenticated emergency services are reachable through this Access Point;<br />
* <code>yes</code> - indicates that higher layer unauthenticated emergency services are reachable through this Access Point. <br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue<br />
|type=venue<br />
|default=unspecified<br />
|desc=Specify the venue in which the Access Point is located. Choose the value from available ones. Some examples:<br />
<pre><br />
venue=business-bank<br />
venue=mercantile-shopping-mall<br />
venue=educational-university-or-college<br />
</pre><br />
}}<br />
<br />
===ANQP elements===<br />
<br />
Access network query protocol (ANQP). Not all necessary information is included in probe response and beacon frames. ANQP is used so that a client device can get more information before choosing an access point to associate with. The Access Point can store information in multiple ANQP elements, and the client device uses ANQP to query only for the information it is interested in. This reduces the time needed before association.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=octet string in hex<br />
|default=<br />
|desc=Cellular network advertisement information - country and network codes. This helps Hotspot 2.0 clients in the selection of an Access Point to access a 3GPP network. Please see 3GPP TS 24.302 (Annex H) for the format of this field. This value is sent in the ANQP response if queried.<br />
}}<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=dns-redirection:<code>url</code> {{!}} https-redirection:<code>url</code> {{!}} online-enrollment:<code>url</code> {{!}} terms-and-conditions:<code>url</code><br />
|default=<br />
|desc=This property is only effective when <var>asra</var> is set to <code>yes</code>. Value of <code>url</code> is optional and not needed if <code>dns-redirection</code> or <code>online-enrollment</code> is selected. To set the value of <code>url</code> to empty string use double quotes. For example:<br />
<pre>authentication-types=online-enrollment:""</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=connection-capabilities<br />
|type=number:number:closed{{!}}open{{!}}unknown<br />
|default=<br />
|desc=This option provides information about the allowed IP protocols and ports. This information can be provided in the ANQP response. The first number represents the IP protocol number, the second number represents a port number.<br />
* <code>closed</code> - set if protocol and port combination is not allowed;<br />
* <code>open</code> - set if protocol and port combination is allowed;<br />
* <code>unknown</code> - set if protocol and port combination is either open or closed.<br />
Example:<br />
<pre>connection-capabilities=6:80:open,17:5060:closed</pre><br />
Setting such a value on an Access Point informs the Wireless client, which is connecting to the Access Point, that HTTP (6 - TCP, 80 - HTTP) is allowed and VoIP (17 - UDP; 5060 - VoIP) is not allowed.<br />
This property does not restrict or allow usage of these protocols and ports, it only gives information to station device which is connecting to Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=domain-names<br />
|type=list of strings<br />
|default=<br />
|desc=Zero or more fully qualified domain names (FQDN) that indicate the entity operating the Hotspot. A station that is connecting to the Access Point can request this ANQP property and check if there is a suffix match with any of the domain names it has credentials for.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv4-availability<br />
|type=double-nated {{!}} not-available {{!}} port-restricted {{!}} port-restricted-double-nated {{!}} port-restricted-single-nated {{!}} public {{!}} single-nated {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv4 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>public</code> - public IPv4 address available;<br />
* <code>port-restricted</code> - port-restricted IPv4 address available;<br />
* <code>single-nated</code> - single NATed private IPv4 address available;<br />
* <code>double-nated</code> - double NATed private IPv4 address available;<br />
* <code>port-restricted-single-nated</code> - port-restricted IPv4 address and single NATed IPv4 address available;<br />
* <code>port-restricted-double-nated</code> - port-restricted IPv4 address and double NATed IPv4 address available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv6-availability<br />
|type=available {{!}} not-available {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv6 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>available</code> - address type available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=realms<br />
|type=string:eap-sim{{!}}eap-tls{{!}}not-specified<br />
|default=<br />
|desc=Information about supported realms and the corresponding EAP method.<br />
<pre><br />
realms=example.com:eap-tls,foo.ba:not-specified<br />
</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=realms-raw<br />
|type=octet string in hex<br />
|default=<br />
|desc=Set NAI Realm ANQP-element manually.<br />
}}<br />
{{Mr-arg-table<br />
|arg=roaming-ois<br />
|type=octet string in hex<br />
|default=<br />
|desc=An organization identifier (OI) is usually a 24-bit unique identifier, such as an organizationally unique identifier (OUI) or a company identifier (CID). In some cases the OI is longer, for example OUI-36.<br />
A subscription service provider (SSP) can be specified by its OI.<br />
The <var>roaming-ois</var> property can contain zero or more SSP OIs whose networks are accessible via this AP.<br />
Length of OI should be specified before OI itself. For example, to set E4-8D-8C and 6C-3B-6B:<br />
<pre><br />
roaming-ois=E48D8C,6C3B6B<br />
</pre><br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue-names<br />
|type=string:lang<br />
|default=<br />
|desc=Venue name can be used to provide additional info on the venue. It can help the client to choose a proper Access Point.<br />
The venue-names parameter consists of zero or more duples that contain a Venue Name and a Language Code:<br />
<pre><br />
venue-names=CoffeeShop:eng,TiendaDeCafe:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
<br />
===Hotspot 2.0 ANQP elements===<br />
<br />
The Hotspot 2.0 specification introduced some additional ANQP elements. These elements use an ANQP vendor-specific element ID. The following properties are available to change these elements.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hotspot20<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Indicate Hotspot 2.0 capability of the Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hotspot20-dgaf<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Downstream Group-Addressed Forwarding (DGAF). Sets value of DGAF bit to indicate whether multicast and broadcast frames to clients are disabled or enabled.<br />
* <code>yes</code> - multicast and broadcast frames to clients are enabled;<br />
* <code>no</code> - multicast and broadcast frames to clients are disabled.<br />
To disable multicast and broadcast frames set <code>multicast-helper=full</code>.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operational-classes<br />
|type=list of numbers<br />
|default=<br />
|desc=Information about other available bands of the same ESS.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operator-names<br />
|type=string:lang<br />
|default=<br />
|desc=Set operator name. Language must be specified for each operator name entry.<br />
The operator-names parameter consists of zero or more duples that contain an Operator Name and a Language Code:<br />
<pre><br />
operator-names=BestOperator:eng,MejorOperador:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-at-capacity<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the Access Point or the network is at its max capacity. If set to <code>yes</code> no additional mobile devices will be permitted to associate to the AP.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink<br />
|type=number<br />
|default=0<br />
|desc=The downlink speed of the WAN connection set in kbps. If the downlink speed is not known, set to 0.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink-load<br />
|type=number<br />
|default=0<br />
|desc=The downlink load of the WAN connection measured over <code>wan-measurement-duration</code>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-measurement-duration<br />
|type=number<br />
|default=0<br />
|desc=Duration during which <var>wan-downlink-load</var> and <code>wan-uplink-load</code> are measured. Value is a numeric value from 0 to 65535 representing tenths of seconds.<br />
* <code>0</code> - not measured;<br />
* <code>10</code> - 1 second;<br />
* <code>65535</code> - 1 hour 49 minutes or more.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-status<br />
|type=down {{!}} reserved {{!}} test {{!}} up<br />
|default=reserved<br />
|desc=Information about the status of the Access Point's WAN connection. The value <code>reserved</code> is not used.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-symmetric<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the WAN link is symmetric (upload and download speeds are the same) or not.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-uplink<br />
|type=number<br />
|default=0<br />
|desc=The uplink speed of the WAN connection set in kbps. If the uplink speed is not known, set to 0.<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=wan-uplink-load<br />
|type=number<br />
|default=0<br />
|desc=The uplink load of the WAN connection measured over <var>wan-measurement-duration</var>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
<br />
===Other Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the profile<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of the Interworking profile.<br />
}}<br />
<br />
=See also=<br />
<br />
<br />
* [[Manual:Interface/Wireless | Wireless manual]]<br />
<br />
[[Category:Manual]]<br />
[[Category:Wireless]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:PPP_AAA&diff=34369Manual:PPP AAA2021-05-17T08:44:18Z<p>Guntis: </p>
<hr />
<div>{{Versions|2.9, v3, v4, v5}}<br />
<br />
==Summary==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ppp</code></p><br />
<br />
<br />
The MikroTik RouterOS provides scalable Authentication, Authorization and Accounting (AAA) functionality.<br />
<br />
Local authentication is performed using the User Database and the Profile Database. The actual configuration for a given user is composed from the respective user record in the User Database, the associated item in the Profile Database, and the item in the Profile Database that is set as default for the service the user is authenticating to. Default profile settings from the Profile Database have the lowest priority, while the user access record settings from the User Database have the highest priority. The only exception is that particular IP addresses take precedence over IP pools in the local-address and remote-address settings, which are described later on.<br />
<br />
Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a [[M:RADIUS_Client | RADIUS client]] which can authenticate for PPP, [[M:Interface/PPPoE | PPPoE]], [[M:Interface/PPTP | PPTP]], [[M:Interface/L2TP | L2TP]] and ISDN connections. The attributes received from RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.<br />
<br />
<br />
<br />
==User Profiles==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ppp profile</code></p><br />
<br />
PPP profiles are used to define default values for user access records stored under <code>/ppp secret</code> submenu. Settings in <code>/ppp secret</code> User Database override corresponding <code>/ppp profile</code> settings except that single IP addresses always take precedence over IP pools when specified as local-address or remote-address parameters.<br />
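The precedence rules from the Summary and from the paragraph above, written out as a resolver. This is an added example, not MikroTik code: it assumes each record is a plain dict, that a literal IP at any level beats a pool name at any level, and that the highest-priority literal IP wins when several are set. The sample records are constructed.

```python
"""Added example: compose the effective PPP settings for one user."""
import ipaddress

# What "default" resolves to when the interface default profile itself says
# "default", as listed in the property table on this page.
BUILTIN = {
    "bridge-learning": "yes",
    "change-tcp-mss": "no",
    "only-one": "no",
    "use-compression": "no",
    "use-encryption": "no",
    "use-mpls": "no",
    "use-vj-compression": "no",
}
ADDRESS_KEYS = ("local-address", "remote-address")


def is_single_ip(value):
    """True for a literal IP address, False for anything else (a pool name)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def effective_settings(service_default, profile, secret):
    """Merge the three records; each is a dict of property name -> string."""
    layers = [secret, profile, service_default]   # highest priority first
    result = {}
    for key in sorted(set().union(*layers) | set(BUILTIN)):
        values = [layer[key] for layer in layers if layer.get(key)]
        if key in ADDRESS_KEYS:
            # Exception: a single IP address beats a pool, whatever its layer.
            ips = [v for v in values if is_single_ip(v)]
            chosen = ips[0] if ips else (values[0] if values else None)
        elif key in BUILTIN:
            # "default" defers to the next layer down, then to the fallback.
            chosen = next((v for v in values if v != "default"), BUILTIN[key])
        else:
            chosen = values[0] if values else None
        if chosen is not None:
            result[key] = chosen
    return result


def users_without_encryption(users):
    """Return names whose effective use-encryption resolves to "no"."""
    return [name for name, layers in sorted(users.items())
            if effective_settings(*layers)["use-encryption"] == "no"]


# Constructed sample records (not taken from a real router).
DEFAULT_ENCRYPTION = {"use-encryption": "yes", "use-compression": "default",
                      "only-one": "default", "local-address": "10.0.0.1"}
PLAIN_DEFAULT = {"use-encryption": "no", "change-tcp-mss": "yes"}
PROFILE_EX = {"local-address": "ex-local", "remote-address": "ex",
              "use-encryption": "default", "incoming-filter": "mypppclients"}
SECRET_EX = {"remote-address": "10.0.0.50"}

# user name -> (service default profile, assigned profile, secret)
USERS = {
    "ex": (DEFAULT_ENCRYPTION, PROFILE_EX, SECRET_EX),
    "legacy": (PLAIN_DEFAULT, PROFILE_EX, {}),
}

if __name__ == "__main__":
    for user, records in USERS.items():
        print(user, effective_settings(*records))
    print("no encryption:", users_without_encryption(USERS))
```

The same profile gives "ex" encryption and leaves "legacy" without it, because `use-encryption=default` defers to whichever profile is the default for the service the user connects to.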
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=address-list<br />
|type=string<br />
|default=<br />
|desc=Name of the [[M:IP/Firewall/Address_list | address list]] to which the PPP-assigned address will be added.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=string<br />
|default=<br />
|desc=Name of the [[M:Interface/Bridge | bridge]] interface to which ppp interface will be added as a slave port. Both tunnel endpoints (server and client) must be in bridge in order to make this work, see more details on the [[Manual:BCP_bridging_(PPP_tunnel_bridging)| BCP bridging]] manual.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-horizon<br />
|type=integer 0..429496729<br />
|default=<br />
|desc=Split-horizon value for the dynamically created bridge port. Can be used to prevent bridging loops and isolate traffic. Set the same value for a group of ports to prevent them from sending data to ports with the same horizon value.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-learning<br />
|type=default {{!}} no {{!}} yes<br />
|default=default<br />
|desc=Changes MAC learning behavior on the dynamically created bridge port:<br />
* <var>yes</var> - enables MAC learning<br />
* <var>no</var> - disables MAC learning<br />
* <var>default</var> - derive this value from the interface default profile; same as <var>yes</var> if this is the interface default profile<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-path-cost<br />
|type=integer 0..429496729<br />
|default=<br />
|desc=Path cost for the dynamically created bridge port, used by STP/RSTP to determine the best path and by MSTP to determine the best path between regions. This property has no effect when a bridge <var>protocol-mode</var> is set to <var>none</var>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-port-priority<br />
|type=integer 0..240<br />
|default=<br />
|desc=Priority for the dynamically created bridge port, used by STP/RSTP to determine the root port and by MSTP to determine the root port between regions. This property has no effect when a bridge <var>protocol-mode</var> is set to <var>none</var>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=change-tcp-mss<br />
|type=yes {{!}} no {{!}} default<br />
|default=default<br />
|desc=Modifies connection MSS settings (applies only for IPv4):<br />
* <var>yes</var> - adjust connection MSS value <br />
* <var>no</var> - do not adjust connection MSS value <br />
* <var>default</var> - derive this value from the interface default profile; same as <var>no</var> if this is the interface default profile <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=dhcpv6-pd-pool<br />
|type=string<br />
|default=<br />
|desc=Name of the [[M:IPv6/Pool | IPv6 pool]] which will be used by dynamically created [[Manual:IPv6/DHCP_Server | DHCPv6-PD server]] when client connects. [[Manual:IPv6_PD_over_PPP | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dns-server<br />
|type=IP<br />
|default=<br />
|desc=IP address of the DNS server that is supplied to ppp clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=idle-timeout<br />
|type=time<br />
|default=<br />
|desc=Specifies the amount of time after which the link will be terminated if there is no activity. Timeout is not set by default.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=incoming-filter<br />
|type=string<br />
|default=<br />
|desc=Firewall chain name for incoming packets. Specified chain gets control for each packet coming from the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the [[#Examples | examples]] section<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=local-address<br />
|type=IP address {{!}} pool<br />
|default=<br />
|desc=Tunnel address or name of the [[M:IP/Pools | pool]] from which address is assigned to ppp interface locally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=PPP profile name<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-one<br />
|type=yes {{!}} no {{!}} default<br />
|default=default<br />
|desc=Defines whether a user is allowed to have more than one ppp session at a time<br />
* <var>yes</var> - a user is not allowed to have more than one ppp session at a time <br />
* <var>no</var> - the user is allowed to have more than one ppp session at a time <br />
* <var>default</var> - derive this value from the interface default profile; same as <var>no</var> if this is the interface default profile <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=outgoing-filter<br />
|type=string<br />
|default=<br />
|desc=Firewall chain name for outgoing packets. The specified chain gets control for each packet going to the client. The PPP chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the Examples section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-limit<br />
|type=string<br />
|default=<br />
|desc=Rate limitation in the form of '''rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]''' from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates are measured in bits per second, unless followed by optional 'k' suffix (kilobits per second) or 'M' suffix (megabits per second). If tx-rate is not specified, rx-rate serves as tx-rate too. The same applies to tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 is the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values cannot exceed rx-rate and tx-rate values.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-address<br />
|type=IP<br />
|default=<br />
|desc=Tunnel address or name of the [[M:IP/Pools | pool]] from which address is assigned to remote ppp interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-ipv6-prefix-pool<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Assign prefix from IPv6 pool to the client and install corresponding IPv6 route.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=session-timeout<br />
|type=time<br />
|default=<br />
|desc=Maximum time the connection can stay up. By default no time limit is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-compression<br />
|type=yes {{!}} no {{!}} default<br />
|default=default<br />
|desc=Specifies whether to use data compression or not.<br />
* <var>yes</var> - enable data compression <br />
* <var>no</var> - disable data compression<br />
* <var>default</var> - derive this value from the interface default profile; same as <var>no</var> if this is the interface default profile <br />
<br />
This setting does not affect OVPN tunnels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-encryption<br />
|type=yes {{!}} no {{!}} default {{!}} require<br />
|default=default<br />
|desc=Specifies whether to use data encryption or not.<br />
* <var>yes</var> - enable data encryption <br />
* <var>no</var> - disable data encryption<br />
* <var>default</var> - derive this value from the interface default profile; same as <var>no</var> if this is the interface default profile <br />
* <var>require</var> - explicitly requires encryption<br />
<br />
This setting does not work on OVPN and SSTP tunnels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ipv6<br />
|type=yes {{!}} no {{!}} default {{!}} require<br />
|default=default<br />
|desc=Specifies whether to allow IPv6. Enabled by default if the IPv6 package is installed.<br />
* <var>yes</var> - enable IPv6 support<br />
* <var>no</var> - disable IPv6 support<br />
* <var>default</var> - derive this value from the interface default profile; same as <var>no</var> if this is the interface default profile <br />
* <var>require</var> - explicitly requires IPv6 support<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-mpls<br />
|type=yes {{!}} no {{!}} default {{!}} require<br />
|default=default<br />
|desc=Specifies whether to allow MPLS over PPP.<br />
* <var>yes</var> - enable MPLS support<br />
* <var>no</var> - disable MPLS support<br />
* <var>default</var> - derive this value from the interface default profile; same as <var>no</var> if this is the interface default profile <br />
* <var>require</var> - explicitly requires MPLS support<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-vj-compression<br />
|type=yes {{!}} no {{!}} default <br />
|default=default<br />
|desc=Specifies whether to use Van Jacobson header compression algorithm.<br />
* <var>yes</var> - enable Van Jacobson header compression<br />
* <var>no</var> - disable Van Jacobson header compression <br />
* <var>default</var> - derive this value from the interface default profile; same as <var>no</var> if this is the interface default profile <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-up<br />
|type=script<br />
|default=<br />
|desc=Execute script on user login event. The following variables are available to the event script:<br />
* <var>user</var><br />
* <var>local-address</var><br />
* <var>remote-address</var><br />
* <var>caller-id</var><br />
* <var>called-id</var><br />
* <var>interface</var><br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-down<br />
|type=script<br />
|default=<br />
|desc=Execute script on user logging off. See <var>on-up</var> for more details<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wins-server<br />
|type=IP address<br />
|default=<br />
|desc=IP address of the WINS server to supply to Windows clients<br />
}}<br />
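The defaulting rules of the <code>rate-limit</code> property above, as a parser that fills in every omitted field and rejects values the description rules out. This is an added example, not RouterOS code: it assumes decimal multipliers for the 'k' and 'M' suffixes and whole-second burst times with an optional "s" suffix, and it leaves priority unset when omitted because the page gives no default for it.

```python
"""Added example: parse a /ppp profile rate-limit string."""
import re

_RATE = re.compile(r"(\d+)([kM]?)")
_TIME = re.compile(r"(\d+)s?")
# Assumption: decimal multipliers for the 'k' and 'M' suffixes.
_MULT = {"": 1, "k": 1_000, "M": 1_000_000}


def _rate(token):
    """Convert "64k", "2M" or "128000" to bits per second."""
    m = _RATE.fullmatch(token)
    if not m:
        raise ValueError(f"bad rate: {token!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def _seconds(token):
    # Assumption: burst time is whole seconds, with an optional "s" suffix.
    m = _TIME.fullmatch(token)
    if not m:
        raise ValueError(f"bad burst time: {token!r}")
    return int(m.group(1))


def _pair(field, convert):
    """Split "rx[/tx]"; a missing tx half repeats the rx value."""
    rx, sep, tx = field.partition("/")
    if sep and not tx:
        raise ValueError(f"empty tx half in {field!r}")
    rx_value = convert(rx)
    return rx_value, (convert(tx) if sep else rx_value)


def parse_rate_limit(text):
    """Return every rate-limit field with the page's defaults applied."""
    fields = text.split()
    if not 1 <= len(fields) <= 6:
        raise ValueError("expected 1 to 6 space-separated fields")
    rx, tx = _pair(fields[0], _rate)
    out = {"rx-rate": rx, "tx-rate": tx, "priority": None}
    if len(fields) > 1:
        out["rx-burst-rate"], out["tx-burst-rate"] = _pair(fields[1], _rate)
        # No thresholds given: rx-rate and tx-rate act as the thresholds.
        threshold = _pair(fields[2], _rate) if len(fields) > 2 else (rx, tx)
        out["rx-burst-threshold"], out["tx-burst-threshold"] = threshold
        # No burst time given: 1s is the default.
        burst_time = _pair(fields[3], _seconds) if len(fields) > 3 else (1, 1)
        out["rx-burst-time"], out["tx-burst-time"] = burst_time
    if len(fields) > 4:
        if not fields[4].isdigit() or not 1 <= int(fields[4]) <= 8:
            raise ValueError("priority must be 1..8")
        out["priority"] = int(fields[4])
    # No rate-min given: rx-rate and tx-rate are used.
    rate_min = _pair(fields[5], _rate) if len(fields) > 5 else (rx, tx)
    if rate_min[0] > rx or rate_min[1] > tx:
        raise ValueError("rate-min cannot exceed rate")
    out["rx-rate-min"], out["tx-rate-min"] = rate_min
    return out


def client_view(parsed):
    """rx/tx are the router's view: rx is client upload, tx is download."""
    return {"upload": parsed["rx-rate"], "download": parsed["tx-rate"]}


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("512k", "1M/2M 2M/4M", "1M/2M 2M/4M 1500k/3M 10/20 3 512k/1M"):
        print(sample, "->", parse_rate_limit(sample))
```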
<br />
===Notes===<br />
<br />
There are two default profiles that cannot be removed:<br />
<pre><br />
[admin@rb13] ppp profile> print<br />
Flags: * - default<br />
0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no<br />
change-tcp-mss=yes<br />
1 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes<br />
only-one=default change-tcp-mss=default<br />
[admin@rb13] ppp profile><br />
</pre><br />
Use Van Jacobson compression only if you have to because it may slow down the communications on bad or congested channels.<br />
<br />
incoming-filter and outgoing-filter arguments add dynamic jump rules to chain ppp, where the jump-target argument will be equal to incoming-filter or outgoing-filter argument in /ppp profile. Therefore, chain ppp should be manually added before changing these arguments.<br />
<br />
<var>only-one</var> parameter is ignored if RADIUS authentication is used.<br />
<br />
If there are more than 10 simultaneous PPP connections planned, it is recommended to turn the <var>change-tcp-mss</var> property off, and use one general MSS changing rule in mangle table instead, to reduce CPU utilization.<br />
<br />
==User Database==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ppp secret</code></p><br />
<br />
<br />
PPP User Database stores PPP user access records with PPP user profile assigned to each user.<br />
<br />
<br />
===Properties===<br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=caller-id<br />
|type=string<br />
|default=<br />
|desc=For [[M:Interface/PPTP | PPTP]] and [[M:Interface/L2TP | L2TP]] it is the IP address a client must connect from. For [[PPPoE]] it is the MAC address (written in CAPITAL letters) a client must connect from. For ISDN it is the caller's number (that may or may not be provided by the operator) the client may dial-in from<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the user.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether secret will be used.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit-bytes-in<br />
|type=integer<br />
|default=0<br />
|desc=Maximal amount of bytes for a session that client can upload.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit-bytes-out<br />
|type=integer<br />
|default=0<br />
|desc=Maximal amount of bytes for a session that client can download.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=local-address<br />
|type=IP address<br />
|default=<br />
|desc=IP address that will be set locally on ppp interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name used for authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=password<br />
|type=string<br />
|default=<br />
|desc=Password used for authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=profile<br />
|type=string<br />
|default=default<br />
|desc=Which [[#User profiles | user profile]] to use.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-address<br />
|type=IP<br />
|default=<br />
|desc=IP address that will be assigned to remote ppp interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-ipv6-prefix<br />
|type=IPv6 prefix<br />
|default=<br />
|desc=IPv6 prefix assigned to ppp client. Prefix is added to [[M:IPv6/ND | ND prefix list]] enabling [[Manual:IPv6/ND#Stateless_address_autoconfiguration | stateless]] address auto-configuration on ppp interface. Available starting from v5.0.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=routes<br />
|type=string<br />
|default=<br />
|desc=Routes that appear on the server when the client is connected. The route format is: dst-address gateway metric (for example, 10.1.0.0/24 10.0.0.1 1). Other syntax is not acceptable since it can be represented in an incorrect way. Several routes may be specified, separated with commas. This parameter will be ignored for [[OpenVPN]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=service<br />
|type=any {{!}} async {{!}} isdn {{!}} l2tp {{!}} pppoe {{!}} pptp {{!}} ovpn {{!}} sstp<br />
|default=any<br />
|desc=Specifies the services that particular user will be able to use.<br />
}}<br />
<br />
==Active Users==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ppp active</code></p><br />
<br />
This submenu is used to monitor active (connected) users.<br />
<br />
<code>/ppp active print</code> command will show all currently connected users. <br />
<br />
<code>/ppp active print stats</code> command will show received/sent bytes and packets<br />
<br />
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=address<br />
|type=IP address<br />
|desc=IP address the client got from the server<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer<br />
|desc=Amount of bytes transferred through this connection. First figure represents amount of transmitted traffic from the router's point of view, while the second one shows amount of received traffic.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=caller-id<br />
|type=string<br />
|desc=For [[M:Interface/PPTP | PPTP]] and [[M:Interface/L2TP | L2TP]] it is the IP address the client connected from. For [[M:Interface/PPPoE | PPPoE]] it is the MAC address the client connected from.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encoding<br />
|type=string<br />
|desc=Shows encryption and encoding (separated with '/' if asymmetric) being used in this connection<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=limit-bytes-in<br />
|type=integer<br />
|desc=Maximal amount of bytes the user is allowed to send to the router.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=limit-bytes-out<br />
|type=integer<br />
|desc=Maximal amount of bytes the user is allowed to send to the client.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=string<br />
|desc=User name supplied at authentication stage<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer/integer<br />
|desc=Amount of packets transferred through this connection. First figure represents amount of transmitted traffic from the router's point of view, while the second one shows amount of received traffic.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=service<br />
|type=async {{!}} isdn {{!}} l2tp {{!}} pppoe {{!}} pptp {{!}} ovpn {{!}} sstp<br />
|desc=Type of service the user is using.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=session-id<br />
|type=string<br />
|desc=Shows unique client identifier.<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=uptime<br />
|type=time<br />
|desc=User's uptime<br />
}}<br />
<br />
==Remote AAA==<br />
<p><b>Sub-menu:</b> <code>/ppp aaa</code></p><br />
<br />
Settings in this submenu configure RADIUS accounting and authentication.<br />
Note that RADIUS user database is consulted only if the required username is not found in local user database.<br />
<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=accounting<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Enable RADIUS accounting<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0s<br />
|desc=Interim-Update time interval<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=use-radius<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enable user authentication via RADIUS. If entry in local secret database is not found, then client will be authenticated via RADIUS.<br />
}}<br />
<br />
==Examples==<br />
<br />
===Add new profile===<br />
<br />
To add the profile ex that assigns the router itself the 10.0.0.1 address, and the addresses from the ex pool to the clients, filtering traffic coming from clients through mypppclients chain:<br />
<pre><br />
[admin@rb13] ppp profile> add name=ex local-address=10.0.0.1 remote-address=ex incoming-filter=mypppclients<br />
[admin@rb13] ppp profile> print<br />
Flags: * - default<br />
0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no<br />
change-tcp-mss=yes<br />
1 name="ex" local-address=10.0.0.1 remote-address=ex use-compression=default<br />
use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=default<br />
incoming-filter=mypppclients<br />
2 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes<br />
only-one=default change-tcp-mss=default<br />
[admin@rb13] ppp profile><br />
</pre><br />
<br />
===Add new user===<br />
<br />
To add the user ex with password lkjrht and profile ex available for PPTP service only, enter the following command:<br />
<pre><br />
[admin@rb13] ppp secret> add name=ex password=lkjrht service=pptp profile=ex<br />
[admin@rb13] ppp secret> print<br />
Flags: X - disabled<br />
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS<br />
0 ex pptp lkjrht ex 0.0.0.0<br />
[admin@rb13] ppp secret><br />
</pre><br />
<br />
<br />
<br />
[[Category:Manual|PPP AAA]]<br />
[[Category:AAA|PPP AAA]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Customizing_Hotspot&diff=34366Manual:Customizing Hotspot2021-05-06T06:49:53Z<p>Guntis: </p>
<hr />
<div>{{Versions | v3, v4, v5+}}<br />
__TOC__<br />
<br />
==HTML customizations==<br />
===Summary===<br />
You can create a completely different set of servlet pages for each HotSpot server you have, specifying the directory in the "html-override-directory" property of a HotSpot server profile [[M:IP/Hotspot/Profile | /ip hotspot profile]]. The default servlet pages are copied into the "hotspot" directory right after you create a server profile. This directory can be accessed by connecting to the router with an FTP client. You can copy this directory and modify the pages as you like using the information from this section of the manual. Note that it is suggested to edit the files manually, as automated HTML editing tools may corrupt the pages by removing variables or other vital parts. After you have finished modifying the content, upload it to a custom directory on the HotSpot router and set the "html-override-directory" property to the path of this new custom HTML directory.<br />
<br />
{{ Note | If "html-override-directory" value path is missing or empty then hotspot server will revert back to default HTML files.}}<br />
<br />
===Available Pages===<br />
Main HTML servlet pages, which are shown to user:<br />
<br />
* '''redirect.html''' - redirects user to another url (for example, to login page)<br />
* '''login.html''' - login page shown to a user to ask for username and password. This page may take the following parameters:<br />
**'''username''' - username<br />
**'''password''' - either plain-text password (in case of PAP authentication) or MD5 hash of chap-id variable, password and CHAP challenge (in case of CHAP authentication). This value is used as e-mail address for trial users<br />
**'''dst''' - original URL requested before the redirect. This will be opened on successful login<br />
**'''popup''' - whether to pop-up a status window on successful login<br />
**'''radius<id>''' - send the attribute identified with <id> in text string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)<br />
**'''radius<id>u''' - send the attribute identified with <id> in unsigned integer form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)<br />
**'''radius<id>-<vnd-id>''' - send the attribute identified with <id> and vendor ID <vnd-id> in text string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)<br />
**'''radius<id>-<vnd-id>u''' - send the attribute identified with <id> and vendor ID <vnd-id> in unsigned integer form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)<br />
*'''md5.js''' - JavaScript for MD5 password hashing. Used together with http-chap login method<br />
*'''alogin.html''' - page shown after client has logged in. It pops-up status page and redirects browser to originally requested page (before he/she was redirected to the HotSpot login page)<br />
*'''status.html''' - status page, shows statistics for the client. It is also able to display advertisements automatically<br />
*'''logout.html''' - logout page, shown after user is logged out. Shows final statistics about the finished session. This page may take the following additional parameters:<br />
**'''erase-cookie''' - whether to erase cookies from the HotSpot server on logout (makes impossible to log in with cookie next time from the same browser, might be useful in multiuser environments)<br />
*'''error.html''' - error page, shown on fatal errors only<br />
<br />
<br />
Some other pages are available as well, if more control is needed:<br />
<br />
*'''rlogin.html''' - page, which redirects client from some other URL to the login page, if authorization of the client is required to access that URL<br />
*'''rstatus.html''' - similarly to rlogin.html, only in case if the client is already logged in and the original URL is not known<br />
*'''radvert.html''' - redirects client to the scheduled advertisement link<br />
*'''flogin.html''' - shown instead of login.html, if some error has happened (invalid username or password, for example)<br />
*'''fstatus.html''' - shown instead of redirect, if status page is requested, but client is not logged in<br />
*'''flogout.html''' - shown instead of redirect, if logout page is requested, but client is not logged in<br />
<br />
<br />
===Serving Servlet Pages===<br />
The HotSpot servlet recognizes 5 different request types:<br />
<br />
# '''request for a remote host'''<br />
#*if user is logged in and advertisement is due to be displayed, radvert.html is displayed. This page redirects to the scheduled advertisement page<br />
#*if user is logged in and advertisement is not scheduled for this user, the requested page is served<br />
#*if user is not logged in, but the destination host is allowed by walled garden, then the request is also served<br />
#*if user is not logged in, and the destination host is disallowed by walled garden, rlogin.html is displayed; if rlogin.html is not found, redirect.html is used to redirect to the login page<br />
#:<br />
# '''request for "/" on the HotSpot host'''<br />
#*if user is logged in, rstatus.html is displayed; if rstatus.html is not found, redirect.html is used to redirect to the status page<br />
#*if user is not logged in, rlogin.html is displayed; if rlogin.html is not found, redirect.html is used to redirect to the login page<br />
#:<br />
# '''request for "/login" page'''<br />
#*if user has successfully logged in (or is already logged in), alogin.html is displayed; if alogin.html is not found, redirect.html is used to redirect to the originally requested page or the status page (in case, original destination page was not given)<br />
#*if user is not logged in (username was not supplied, no error message appeared), login.html is shown<br />
#*if login procedure has failed (error message is supplied), flogin.html is displayed; if flogin.html is not found, login.html is used<br />
#*in case of fatal errors, error.html is shown<br />
#:<br />
# '''request for "/status" page'''<br />
#*if user is logged in, status.html is displayed<br />
#*if user is not logged in, fstatus.html is displayed; if fstatus.html is not found, redirect.html is used to redirect to the login page<br />
#:<br />
# '''request for '/logout' page'''<br />
#*if user is logged in, logout.html is displayed<br />
#*if user is not logged in, flogout.html is displayed; if flogout.html is not found, redirect.html is used to redirect to the login page<br />
<br />
{{Note | If it is not possible to meet a request using the pages stored on the router's FTP server, Error 404 is displayed }}<br />
<br />
There are many possibilities to customize what the HotSpot authentication pages look like:<br />
<ul class="bullets"><br />
<li> The pages are easily modifiable. They are stored on the router's FTP server in the directory you choose for the respective HotSpot server profile.<br />
<li> By changing the variables, which client sends to the HotSpot servlet, it is possible to reduce keyword count to one (username or password; for example, the client's MAC address may be used as the other value) or even to zero (License Agreement; some predefined values general for all users or client's MAC address may be used as username and password)<br />
<li> Registration may occur on a different server (for example, on a server that is able to charge Credit Cards). Client's MAC address may be passed to it, so that this information need not be written in manually. After the registration, the server should change RADIUS database enabling client to log in for some amount of time.<br />
</ul><br />
<br />
<br />
To insert variable in some place in HTML file, the $(var_name) syntax is used, where the "var_name" is the name of the variable (without quotes). This construction may be used in any HotSpot HTML file accessed as '/', '/login', '/status' or '/logout', as well as any text or HTML (.txt, .htm or .html) file stored on the HotSpot server (with the exception of traffic counters, which are available in status page only, and '''error''', '''error-orig''', '''chap-id''', '''chap-challenge''' and '''popup''' variables, which are available in login page only). For example, to show a link to the login page, following construction can be used:<br />
<br />
<pre><br />
<a href="$(link-login)">login</a><br />
</pre><br />
<br />
<br />
===Variables===<br />
<br />
All of the Servlet HTML pages use variables to show user specific values. Variable names appear only in the HTML source of the servlet pages - they are automatically replaced with the respective values by the HotSpot Servlet. For most variables there is an example of their possible value included in brackets. All the described variables are valid in all servlet pages, but some of them might be empty at the time they are accessed (for example, there is no uptime before a user has logged in).<br />
<br />
<br />
<br />
====List of available variables====<br />
<br />
{{Note|Some of the variables use hard coded http URL, if you are using https, you can construct the link in some other way, for example for $link-status, you can use https://$(hostname)/$(target-dir)status}}<br />
<br />
'''Common server variables:'''<br />
* <var><b>hostname</b></var> - DNS name or IP address (if DNS name is not given) of the HotSpot Servlet ("hotspot.example.net")<br />
* <var><b>identity</b></var> - RouterOS identity name ("MikroTik")<br />
* <var><b>login-by</b></var> - authentication method used by user<br />
* <var><b>plain-passwd</b></var> - a "yes/no" representation of whether HTTP-PAP login method is allowed ("no")<br />
* <var><b>server-address</b></var> - HotSpot server address ("10.5.50.1:80")<br />
* <var><b>ssl-login</b></var> - a "yes/no" representation of whether HTTPS method was used to access that servlet page ("no")<br />
* <var><b>server-name</b></var> - HotSpot server name (set in the /ip hotspot menu, as the name property)<br />
<br />
<br />
'''Links:'''<br />
* <var><b>link-login</b></var> - link to login page including original URL requested ("http://10.5.50.1/login?dst=http://www.example.com/")<br />
* <var><b>link-login-only</b></var> - link to login page, not including original URL requested ("http://10.5.50.1/login")<br />
* <var><b>link-logout</b></var> - link to logout page ("http://10.5.50.1/logout")<br />
* <var><b>link-status</b></var> - link to status page ("http://10.5.50.1/status")<br />
* <var><b>link-orig</b></var> - original URL requested ("http://www.example.com/")<br />
<br />
<br />
'''General client information:'''<br />
* <var><b>domain</b></var> - domain name of the user ("example.com")<br />
* <var><b>interface-name</b></var> - physical HotSpot interface name (in case of bridged interfaces, this will return the actual bridge port name)<br />
* <var><b>ip</b></var> - IP address of the client ("10.5.50.2")<br />
* <var><b>logged-in</b></var> - "yes" if the user is logged in, otherwise - "no" ("yes")<br />
* <var><b>mac</b></var> - MAC address of the user ("01:23:45:67:89:AB")<br />
* <var><b>trial</b></var> - a "yes/no" representation of whether the user has access to trial time. If users trial time has expired, the value is "no"<br />
* <var><b>username</b></var> - the name of the user ("John")<br />
* <var><b>host-ip</b></var> - client IP address from /ip hotspot host table<br />
* <var><b>vlan-id</b></var> - Represents ID of a VLAN interface from which client is connected<br />
<br />
<br />
'''User status information:'''<br />
* <var><b>idle-timeout</b></var> - idle timeout ("20m" or "" if none)<br />
* <var><b>idle-timeout-secs</b></var> - idle timeout in seconds ("88" or "0" if there is no such timeout)<br />
* <var><b>limit-bytes-in</b></var> - byte limit for send ("1000000" or "---" if there is no limit)<br />
* <var><b>limit-bytes-out</b></var> - byte limit for receive ("1000000" or "---" if there is no limit)<br />
* <var><b>refresh-timeout</b></var> - status page refresh timeout ("1m30s" or "" if none)<br />
* <var><b>refresh-timeout-secs</b></var> - status page refresh timeout in seconds ("90s" or "0" if none)<br />
* <var><b>session-timeout</b></var> - session time left for the user ("5h" or "" if none)<br />
* <var><b>session-timeout-secs</b></var> - session time left for the user, in seconds ("3475" or "0" if there is no such timeout)<br />
* <var><b>session-time-left</b></var> - session time left for the user ("5h" or "" if none)<br />
* <var><b>session-time-left-secs</b></var> - session time left for the user, in seconds ("3475" or "0" if there is no such timeout)<br />
* <var><b>uptime</b></var> - current session uptime ("10h2m33s")<br />
* <var><b>uptime-secs</b></var> - current session uptime in seconds ("125")<br />
<br />
<br />
'''Traffic counters, which are available only in the status page:'''<br />
* <var><b>bytes-in</b></var> - number of bytes received from the user ("15423")<br />
* <var><b>bytes-in-nice</b></var> - user-friendly form of number of bytes received from the user ("15423")<br />
* <var><b>bytes-out</b></var> - number of bytes sent to the user ("11352")<br />
* <var><b>bytes-out-nice</b></var> - user-friendly form of number of bytes sent to the user ("11352")<br />
* <var><b>packets-in</b></var> - number of packets received from the user ("251")<br />
* <var><b>packets-out</b></var> - number of packets sent to the user ("211")<br />
* <var><b>remain-bytes-in</b></var> - remaining bytes until limit-bytes-in will be reached ("337465" or "---" if there is no limit)<br />
* <var><b>remain-bytes-out</b></var> - remaining bytes until limit-bytes-out will be reached ("124455" or "---" if there is no limit)<br />
<br />
<br />
'''Miscellaneous variables:'''<br />
* <var><b>session-id</b></var> - value of 'session-id' parameter in the last request<br />
* <var><b>var</b></var> - value of 'var' parameter in the last request<br />
* <var><b>error</b></var> - error message, if something failed ("invalid username or password")<br />
* <var><b>error-orig</b></var> - original error message (without translations retrieved from errors.txt), if something failed ("invalid username or password")<br />
* <var><b>chap-id</b></var> - value of chap ID ("\371")<br />
* <var><b>chap-challenge</b></var> - value of chap challenge ("\357\015\330\013\021\234\145\245\303\253\142\246\133\175\375\316")<br />
* <var><b>popup</b></var> - whether to pop-up checkbox ("true" or "false")<br />
* <var><b>advert-pending</b></var> - whether an advertisement is pending to be displayed ("yes" or "no")<br />
* <var><b>http-status</b></var> - allows the setting of the http status code and message<br />
* <var><b>http-header</b></var> - allows the setting of the http header<br />
<br />
'''RADIUS-related variables:'''<br />
* <var><b>radius<id></b></var> - show the attribute identified with <id> in text string form (in case RADIUS authentication was used; "" otherwise)<br />
* <var><b>radius<id>u</b></var> - show the attribute identified with <id> in unsigned integer form (in case RADIUS authentication was used; "0" otherwise)<br />
* <var><b>radius<id>-<vnd-id></b></var> - show the attribute identified with <id> and vendor ID <vnd-id> in text string form (in case RADIUS authentication was used; "" otherwise)<br />
* <var><b>radius<id>-<vnd-id>u</b></var> - show the attribute identified with <id> and vendor ID <vnd-id> in unsigned integer form (in case RADIUS authentication was used; "0" otherwise)<br />
<br />
====Working with variables====<br />
<br />
$(if <var_name>) statements can be used in these pages. The content that follows is included if the value of <var_name> is not an empty string; this is equivalent to $(if <var_name> != ""). It is also possible to compare for equality: $(if <var_name> == <value>). These statements have effect until $(elif <var_name>), $(else) or $(endif). In the general case it looks like this:<br />
<pre><br />
some content, which will always be displayed<br />
$(if username == john)<br />
Hey, your username is john<br />
$(elif username == dizzy)<br />
Hello, Dizzy! How are you? Your administrator.<br />
$(elif ip == 10.1.2.3)<br />
You are sitting at that crappy computer, which is damn slow...<br />
$(elif mac == 00:01:02:03:04:05)<br />
This is an ethernet card, which was stolen few months ago...<br />
$(else)<br />
I don't know who you are, so lets live in peace.<br />
$(endif)<br />
other content, which will always be displayed<br />
</pre><br />
<br />
Only one of those expressions will be shown. Which one - depends on values of those variables for each client.<br />
<br />
<br />
====Redirects and custom Headers====<br />
<br />
<br />
Starting from RouterOS 5.12 there are 2 new hotspot html page variables:<br />
* '''http-status''' - allows the setting of the http status code and message<br />
* '''http-header''' - allows the setting of the http header message<br />
<br />
<br />
Example:<br />
<pre><br />
$(if http-status == 302)Hotspot login required$(endif)<br />
$(if http-header == "Location")$(link-redirect)$(endif)<br />
</pre><br />
<br />
{{Note | Although the above appears to use the conditional expression 'if' it is in fact setting the 'http-status' to '302' not testing for it. Also the same for the variable 'http-header'. Once again, even though it uses an 'if' it is in fact setting the variable to 'Location' followed by the url set from the variable 'link-redirect'.}}<br />
<br />
E.g. in the case where $(link-redirect) evaluates to "http://192.168.88.1/login", then the HTTP response returned to the client will be changed to:<br />
<pre><br />
HTTP/1.0 302 Hotspot login required<br />
<regular HTTP headers><br />
Location: http://192.168.88.1/login<br />
</pre><br />
<br />
<br />
'''http-status syntax''':<br />
<pre><br />
$(if http-status == XYZ)HTTP_STATUS_MESSAGE$(endif)<br />
</pre><br />
* ''XYZ'' - The status code you wish to return. Should be 3 decimal digits, first one must not be 0<br />
* ''HTTP_STATUS_MESSAGE'' - any text you wish to return to the client which will follow the above status code in the HTTP reply<br />
<br />
In any HTTP response it will be on the first line and will be as follows:<br />
<pre><br />
HTTP/1.0 XYZ HTTP_STATUS_MESSAGE<br />
</pre><br />
<br />
<br />
'''http-header syntax:'''<br />
<pre><br />
$(if http-header == HTTP_HEADER_NAME)HTTP_HEADER_VALUE$(endif)<br />
</pre><br />
<br />
* ''HTTP_HEADER_NAME'' - name of the HTTP header to be sent in the response<br />
* ''HTTP_HEADER_VALUE'' - value of the HTTP header with name HTTP_HEADER_NAME to be sent in the response<br />
<br />
The HTTP response will appear as:<br />
<pre><br />
HTTP_HEADER_NAME: HTTP_HEADER_VALUE<br />
</pre><br />
<br />
<br />
All variables and conditional expressions within HTTP_HEADER_VALUE and HTTP_STATUS_MESSAGE are processed as usual.<br />
<br />
In case multiple headers with the same name are added, then only the last one will be used (previous ones will be discarded). It allows the system to override regular HTTP headers (for example, Content-Type and Cache-Control).<br />
<br />
===Customizing Error Messages===<br />
<br />
All error messages are stored in the errors.txt file within the respective HotSpot servlet directory. You can change and translate all these messages to your native language. To do so, edit the errors.txt file. You can also use variables in the messages. All instructions are given in that file.<br />
<br />
<br />
===Multiple Versions of HotSpot Pages===<br />
<br />
Multiple HotSpot page sets for the same HotSpot server are supported. They can be chosen by user (to select language) or automatically by JavaScript (to select PDA/regular version of HTML pages).<br />
<br />
To utilize this feature, create subdirectories in HotSpot HTML directory, and place those HTML files, which are different, in that subdirectory. For example, to translate everything in Latvian, subdirectory "lv" can be created with login.html, logout.html, status.html, alogin.html, radvert.html and errors.txt files, which are translated into Latvian. If the requested HTML page can not be found in the requested subdirectory, the corresponding HTML file from the main directory will be used. Then main login.html file would contain link to "/lv/login?dst=$(link-orig-esc)", which then displays Latvian version of login page: <a href="/lv/login?dst=$(link-orig-esc)">Latviski</a> . And Latvian version would contain link to English version: <a href="/login?dst=$(link-orig-esc)">English</a><br />
<br />
Another way of referencing directories is to specify 'target' variable:<br />
<pre><br />
<a href="$(link-login-only)?dst=$(link-orig-esc)&target=lv">Latviski</a><br />
<a href="$(link-login-only)?dst=$(link-orig-esc)&target=%2F">English</a><br />
</pre><br />
After preferred directory has been selected (for example, "lv"), all links to local HotSpot pages will contain that path (for example, $(link-status) = "http://hotspot.mt.lv/lv/status"). So, if all HotSpot pages reference links using "$(link-xxx)" variables, then no more changes are to be made - each client will stay within the selected directory all the time.<br />
<br />
<br />
===Misc===<br />
<br />
If you want to use the HTTP-CHAP authentication method, you must include the '''doLogin()''' function (which references '''md5.js''', which must already be loaded) before the '''Submit''' action of the login form. Otherwise, CHAP login will fail.<br />
<br />
The resulting password to be sent to the HotSpot gateway in case of the HTTP-CHAP method is formed by MD5-hashing the concatenation of the following: chap-id, the password of the user and chap-challenge (in the given order).<br />
<br />
In case variables are to be used in link directly, then they must be escaped accordingly. For example, in login page, <b><nowiki><a href="https://login.example.com/login?mac=$(mac)&user=$(username)">link</a></nowiki></b> will not work as intended, if username will be "123&456=1 2". In this case instead of $(user), its escaped version must be used: $(user-esc): <b><nowiki><a href="https://login.server.serv/login?mac=$(mac-esc)&user=$(user-esc)">link</a></nowiki></b>. Now the same username will be converted to "123%26456%3D1+2", which is the valid representation of "123&456=1 2" in URL. This trick may be used with any variables, not only with $(username).<br />
<br />
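The failure described above, worked through as an added JavaScript example (not part of the HotSpot servlet): it expands the page's two link templates for the username "123&456=1 2", shows which parameters the receiving server would parse, and scans a template for variables placed in a query string without the -esc suffix. The helper names are hypothetical, and the -esc value is modelled with standard form URL encoding, which yields the "123%26456%3D1+2" quoted above.

```javascript
// Form URL encoding; produces "123%26456%3D1+2" for "123&456=1 2".
function formEscape(value) {
  return new URLSearchParams({ v: value }).toString().slice(2);
}

// Expand $(name) placeholders; name-esc resolves to the escaped value of name.
function expand(template, vars) {
  return template.replace(/\$\(([a-z0-9-]+)\)/g, (whole, name) => {
    if (name.endsWith('-esc')) {
      const base = name.slice(0, -4);
      if (base in vars) return formEscape(vars[base]);
    }
    if (name in vars) return vars[name];
    throw new Error(`unknown variable ${name}`);
  });
}

// Parameters the receiving server sees after parsing the link.
function receivedParams(link) {
  return Object.fromEntries(new URL(link).searchParams);
}

// Report variables used after "?" in href/action/src values without -esc.
function findUnescapedQueryVars(html) {
  const findings = [];
  for (const attr of html.matchAll(/\b(?:href|action|src)\s*=\s*"([^"]*)"/gi)) {
    const q = attr[1].indexOf('?');
    if (q === -1) continue;
    for (const v of attr[1].slice(q + 1).matchAll(/\$\(([a-z0-9-]+)\)/g)) {
      if (!v[1].endsWith('-esc')) findings.push(v[1]);
    }
  }
  return findings;
}

function hrefOf(html) {
  return /href="([^"]*)"/.exec(html)[1];
}

// The two links from the paragraph above, and a constructed client.
// The second link uses $(user-esc), so the same value is supplied as "user".
const PLAIN = '<a href="https://login.example.com/login?mac=$(mac)&user=$(username)">link</a>';
const ESCAPED = '<a href="https://login.server.serv/login?mac=$(mac-esc)&user=$(user-esc)">link</a>';
const CLIENT = { mac: '01:23:45:67:89:AB', username: '123&456=1 2', user: '123&456=1 2' };

function demo() {
  return {
    plain: receivedParams(hrefOf(expand(PLAIN, CLIENT))),     // user is cut short, "456" appears
    escaped: receivedParams(hrefOf(expand(ESCAPED, CLIENT))), // user arrives intact
    lintPlain: findUnescapedQueryVars(PLAIN),
    lintEscaped: findUnescapedQueryVars(ESCAPED),
  };
}
```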
There is a boolean parameter "erase-cookie" to the logout page, which may be either "on" or "true" to delete the user cookie on logout (so that the user would not be automatically logged on when he/she opens a browser next time).<br />
<br />
===Examples===<br />
<br />
With basic HTML language knowledge and the examples below it should be easy to implement the ideas described above.<br />
<br />
*To provide predefined value as username, in login.html change:<br />
<pre><br />
<input type="text" value="$(username)"><br />
</pre><br />
to this line:<br />
<pre><br />
<input type="hidden" name="username" value="hsuser"><br />
</pre><br />
(where hsuser is the username you are providing)<br />
<br />
*To provide predefined value as password, in login.html change:<br />
<pre><br />
<input type="password"><br />
</pre><br />
to this line:<br />
<pre><br />
<input type="hidden" name="password" value="hspass"><br />
</pre><br />
(where hspass is the password you are providing)<br />
<br />
*To send client's MAC address to a registration server in form of:<br />
<br />
<nowiki>https://www.example.com/register.html?mac=XX:XX:XX:XX:XX:XX</nowiki><br />
<br />
change the Login button link in login.html to:<br />
<pre><br />
https://www.example.com/register.html?mac=$(mac)<br />
</pre><br />
(you should correct the link to point to your server)<br />
<br />
* To show a banner after user login, in alogin.html after<br />
<br />
$(if popup == 'true')<br />
add the following line:<br />
<pre><br />
open('http://www.example.com/your-banner-page.html', 'my-banner-name','');<br />
</pre><br />
(you should correct the link to point to the page you want to show)<br />
<br />
*To choose different page shown after login, in login.html change:<br />
<pre><br />
<input type="hidden" name="dst" value="$(link-orig)"><br />
</pre><br />
to this line:<br />
<pre><br />
<input type="hidden" name="dst" value="http://www.example.com"><br />
</pre><br />
(you should correct the link to point to your server)<br />
<br />
*To erase the cookie on logoff, in the page containing link to the logout (for example, in status.html) change:<br />
<pre><br />
open('$(link-logout)', 'hotspot_logout', ...<br />
</pre><br />
to this:<br />
<pre><br />
open('$(link-logout)?erase-cookie=on', 'hotspot_logout', ...<br />
</pre><br />
or alternatively add this line:<br />
<pre><br />
<input type="hidden" name="erase-cookie" value="on"><br />
</pre><br />
before this one:<br />
<pre><br />
<input type="submit" value="log off"><br />
</pre><br />
<br />
==== External authentication ====<br />
<br />
Another example is making HotSpot authenticate on a remote server (which may, for example, perform credit card charging):<br />
<br />
*Allow direct access to the external server in walled-garden (either HTTP-based, or IP-based)<br />
*Modify login page of the HotSpot servlet to redirect to the external authentication server. The external server should modify RADIUS database as needed<br />
:<br />
:Here is an example of such a login page to put on the HotSpot router (it is redirecting to https://auth.example.com/login.php, replace with the actual address of an external authentication server):<br />
<pre><br />
<br />
<html><br />
<title>...</title><br />
<body><br />
<form name="redirect" action="https://auth.example.com/login.php" method="post"><br />
<input type="hidden" name="mac" value="$(mac)"><br />
<input type="hidden" name="ip" value="$(ip)"><br />
<input type="hidden" name="username" value="$(username)"><br />
<input type="hidden" name="link-login" value="$(link-login)"><br />
<input type="hidden" name="link-orig" value="$(link-orig)"><br />
<input type="hidden" name="error" value="$(error)"><br />
</form><br />
<script language="JavaScript"><br />
<!--<br />
document.redirect.submit();<br />
//--><br />
</script><br />
</body><br />
</html><br />
<br />
</pre><br />
<br />
*The external server can log in a HotSpot client by redirecting it back to the original HotSpot servlet login page, specifying the correct username and password<br />
<br />
:Here is an example of such a page (it is redirecting to https://hotspot.example.com/login, replace with the actual address of a HotSpot router; also, it is displaying www.mikrotik.com after successful login, replace with whatever is needed):<br />
<pre><br />
<br />
<html><br />
<title>Hotspot login page</title><br />
<body><br />
<form name="login" action="https://hotspot.example.com/login" method="post"><br />
<input type="text" name="username" value="demo"><br />
<input type="password" name="password" value="none"><br />
<input type="hidden" name="domain" value=""><br />
<input type="hidden" name="dst" value="http://www.mikrotik.com/"><br />
<input type="submit" name="login" value="log in"><br />
</form><br />
</body><br />
</html><br />
<br />
</pre><br />
<br />
*Hotspot will ask RADIUS server whether to allow the login or not. If allowed, alogin.html page will be displayed (it can be modified to do anything). If not allowed, flogin.html (or login.html) page will be displayed, which will redirect client back to the external authentication server.<br />
{{Note | as shown in these examples, HTTPS protocol and POST method can be used to secure communications.}}<br />
<br />
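The fields in the redirect form above reach the external server through the client's browser, so the server can check them before using them to build the login form it sends back. An added JavaScript sketch of such a check (not MikroTik's code; the function names and the configured gateway origin are assumptions, the sample values are constructed):

```javascript
// Assumption: the HotSpot gateway this server works with, from the page's example.
const HOTSPOT_ORIGIN = 'https://hotspot.example.com';

const MAC_RE = /^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$/;

function isIPv4(text) {
  const parts = String(text).split('.');
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function parseHttpUrl(text) {
  try {
    const u = new URL(String(text));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u : null;
  } catch (e) {
    return null;
  }
}

// Check the fields posted by the redirect form before the server uses them.
function checkHotspotPost(fields) {
  const rejected = [];
  if (!MAC_RE.test(fields.mac || '')) rejected.push('mac');
  if (!isIPv4(fields.ip || '')) rejected.push('ip');

  // link-login must lead back to the known gateway's login page
  // (optionally below a page-set directory such as /lv/).
  const login = parseHttpUrl(fields['link-login']);
  const loginOk = login !== null && login.origin === HOTSPOT_ORIGIN &&
    /^(\/[A-Za-z0-9_-]+)*\/login$/.test(login.pathname);
  if (!loginOk) rejected.push('link-login');

  // link-orig is optional, but when present it has to be an http(s) URL.
  const orig = fields['link-orig'] ? parseHttpUrl(fields['link-orig']) : null;
  if (fields['link-orig'] && orig === null) rejected.push('link-orig');

  return {
    ok: rejected.length === 0,
    rejected,
    // Values checked for use in the login form returned to the client.
    loginAction: loginOk ? login.origin + login.pathname : null,
    dst: orig ? orig.href : '',
  };
}

// HTML-escape a value before writing it into an attribute of the returned form.
function htmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Constructed sample posts: one as the servlet would fill it in, one altered.
const GOOD_POST = {
  mac: '01:23:45:67:89:AB',
  ip: '10.5.50.2',
  username: '',
  'link-login': 'https://hotspot.example.com/login?dst=http%3A%2F%2Fwww.example.com%2F',
  'link-orig': 'http://www.example.com/',
  error: '',
};
const ALTERED_POST = {
  ...GOOD_POST,
  mac: 'zz:zz',
  'link-login': 'https://hotspot.example.com.other.example.net/login',
  'link-orig': 'javascript:void(0)',
};
```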
==== HTTP header detection ====<br />
<br />
The Hotspot login pages have access to HTTP headers by using '''$(http-header-name);'''<br />
<br />
For example, a page can check the user agent (or browser) and return other content instead of the regular login page, if so desired. This can be used to disable automatic popups in phones, for example. <br />
<br />
For example, to output "SUCCESS" for users of a specific Firefox mobile version, instead of the login page, you can add these lines at the top of the '''rlogin.html''' page in your hotspot directory:<br />
<br />
$(if user-agent == "Mozilla/5.0 (Android; Mobile; rv:40.0) Gecko/40.0 Firefox/40.0" ) <br />
<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML> <br />
$(else)<br />
---- regular content of rlogin.html page ----<br />
$(endif)<br />
<br />
This will DISABLE the login popup for Android Firefox 40 users.<br />
<br />
==== One click login ====<br />
<br />
It is possible to create modified captive portal for quick one click login for scenarios where no user or password is required. <br />
<br />
What you need to do is:<br />
<br />
* Create user for this purpose. In example it is "notsosecretuser" with password "notsosecretpass"<br />
* Assign this user to user profile that allows specific/unlimited amount of simultaneous active users.<br />
* Copy the original hotspot directory that is already generated in the router's file menu on root level.<br />
* Modify the contents of this copied directory.<br />
** Only one file requires modifications for this to work, the "login.html".<br />
<br />
Original:<br />
<pre><br />
<table width="100" style="background-color: #ffffff"><br />
<tr><td align="right">login</td><br />
<td><input style="width: 80px" name="username" type="text" value="$(username)"/></td><br />
</tr><br />
<tr><td align="right">password</td><br />
<td><input style="width: 80px" name="password" type="password"/></td><br />
</tr><br />
<tr><td>&nbsp;</td><br />
<td><input type="submit" value="OK" /></td><br />
</tr><br />
</table><br />
</pre><br />
<br />
Modified:<br />
<pre><br />
<table width="100" style="background-color: #ffffff"><br />
<tr style="display:none;"><td align="right">login</td><br />
<td><input style="width: 80px" name="username" type="text" value="notsosecretuser"/></td><br />
</tr><br />
<tr style="display:none;"><td align="right">password</td><br />
<td><input style="width: 80px" name="password" type="password" value="notsosecretpass"/></td><br />
</tr><br />
<tr><td>&nbsp;</td><br />
<td><input type="submit" value="Proceed to Internet!" /></td><br />
</tr><br />
</table><br />
</pre><br />
<br />
What changed:<br />
* User and Password "<tr>" fields are hidden. <br />
* Both User and Password field values contain predefined values.<br />
* Changed "OK" button value(name) to something more fitting.<br />
<br />
* Now upload this new hotspot folder back to router, preferably with different name. <br />
* Change settings in hotspot server profile to use this new html directory.<br />
<br />
<pre><br />
/ip hotspot profile set (profile number or name) html-directory-override=(dir path/name)<br />
</pre><br />
<br />
==Firewall customizations==<br />
===Summary===<br />
Apart from the obvious dynamic entries in the /ip hotspot submenu itself (like hosts and active users), some additional rules are added in the firewall tables when activating a HotSpot service. Unlike RouterOS version 2.8, there are relatively few firewall rules added in the firewall as the main job is made by the one-to-one NAT algorithm.<br />
<br />
===NAT===<br />
<br />
From '''/ip firewall nat print dynamic''' command, you can get something like this (comments follow after each of the rules):<br />
<pre><br />
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client<br />
</pre> <br />
Putting all HotSpot-related tasks for packets from all HotSpot clients into a separate chain.<br />
<pre><br />
1 I chain=hotspot action=jump jump-target=pre-hotspot<br />
</pre> <br />
Any actions that should be done before HotSpot rules apply, should be put in the pre-hotspot chain. This chain is under full administrator control and does not contain any rules set by the system, hence the invalid jump rule (as the chain does not have any rules by default).<br />
<pre><br />
2 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=udp <br />
3 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=tcp <br />
</pre> <br />
Redirect all DNS requests to the HotSpot service. The 64872 port provides DNS service for all HotSpot users. If you want HotSpot server to listen also to another port, add rules here the same way, changing dst-port property.<br />
<pre><br />
4 D chain=hotspot action=redirect to-ports=64873 hotspot=local-dst dst-port=80<br />
protocol=tcp<br />
</pre> <br />
Redirect all HTTP login requests to the HTTP login servlet. The 64873 is HotSpot HTTP servlet port.<br />
<pre><br />
5 D chain=hotspot action=redirect to-ports=64875 hotspot=local-dst dst-port=443<br />
protocol=tcp<br />
</pre> <br />
Redirect all HTTPS login requests to the HTTPS login servlet. The 64875 is HotSpot HTTPS servlet port.<br />
<pre><br />
6 D chain=hotspot action=jump jump-target=hs-unauth hotspot=!auth protocol=tcp<br />
</pre> <br />
All other packets except DNS and login requests from unauthorized clients should pass through the hs-unauth chain.<br />
<pre><br />
7 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp<br />
</pre> <br />
And packets from the authorized clients - through the hs-auth chain.<br />
<pre><br />
8 D ;;; www.mikrotik.com<br />
chain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80 protocol=tcp<br />
</pre> <br />
First in the '''hs-unauth''' chain is put everything that affects TCP protocol in the <code>/ip hotspot walled-garden ip </code>submenu (i.e., everything where either protocol is not set, or set to TCP). Here we are excluding www.mikrotik.com from being redirected to the login page.<br />
<pre><br />
9 D chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp<br />
</pre> <br />
All other HTTP requests are redirected to the Walled Garden proxy server, which listens on port 64874. If there is an allow entry in the <code>/ip hotspot walled-garden</code> menu for an HTTP request, it is forwarded to the destination. Otherwise, the request will be automatically redirected to the HotSpot login servlet (port 64873).<br />
<pre><br />
10 D chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp <br />
11 D chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp <br />
</pre> <br />
HotSpot by default assumes that only these ports may be used for HTTP proxy requests. These two entries are used to "catch" client requests to unknown proxies (you can add more rules here for other ports), i.e., to make it possible for clients with unknown proxy settings to work with the HotSpot system. This feature is called "Universal Proxy". If it is detected that a client is using some proxy server, the system will automatically mark those packets with the http hotspot mark to work around the unknown proxy problem, as we will see later on. Note that the port used (64874) is the same as for HTTP requests in the rule #9 (so both HTTP and HTTP proxy requests are processed by the same code).<br />
<pre><br />
12 D chain=hs-unauth action=redirect to-ports=64875 dst-port=443 protocol=tcp<br />
</pre> <br />
HTTPS proxy is listening on the 64875 port.<br />
<pre><br />
13 I chain=hs-unauth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp<br />
</pre> <br />
Redirect for SMTP protocol may also be defined in the HotSpot configuration. In case it is, a redirect rule will be put in the hs-smtp chain. This is done so that users with unknown SMTP configuration would be able to send their mail through the service provider's (your) SMTP server instead of going to the [possibly unavailable outside their network of origin] SMTP server users have configured on their computers. The chain is empty by default, hence the invalid jump rule.<br />
<pre><br />
14 D chain=hs-auth action=redirect to-ports=64874 hotspot=http protocol=tcp<br />
</pre> <br />
Providing HTTP proxy service for authorized users. Authenticated user requests may need to be subject to transparent proxying (the "Universal Proxy" technique and advertisement feature). This http mark is put automatically on the HTTP proxy requests to the servers detected by the HotSpot HTTP proxy (the one that is listening on port 64874) as HTTP proxy requests for unknown proxy servers. This is done so that users who have some proxy settings would use the HotSpot gateway instead of the [possibly unavailable outside their network of origin] proxy server they have configured on their computers. This mark is also applied when an advertisement is due to be shown to the user, as well as on any HTTP requests made by users whose profile is configured to transparently proxy their requests.<br />
<pre><br />
15 I chain=hs-auth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp<br />
</pre> <br />
Providing SMTP proxy for authorized users (the same as in rule #13).<br />
<br />
<br />
===Packet Filtering===<br />
<br />
From '''/ip firewall filter print dynamic''' command, you can get something like this (comments follow after each of the rules):<br />
<pre><br />
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth<br />
</pre> <br />
Any packet that traverses the router from an unauthorized client will be sent to the '''hs-unauth''' chain. The hs-unauth chain implements the IP-based Walled Garden filter.<br />
<pre><br />
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth<br />
</pre> <br />
Everything that comes to clients through the router, gets redirected to another chain, called '''hs-unauth-to'''. This chain should reject unauthorized requests to the clients.<br />
<pre><br />
2 D chain=input action=jump jump-target=hs-input hotspot=from-client<br />
</pre> <br />
Everything that comes from clients to the router itself, gets to yet another chain, called '''hs-input'''.<br />
<pre><br />
3 I chain=hs-input action=jump jump-target=pre-hs-input<br />
</pre> <br />
Before proceeding with [predefined] dynamic rules, the packet gets to the administratively controlled '''pre-hs-input''' chain, which is empty by default, hence the invalid state of the jump rule.<br />
<pre><br />
4 D chain=hs-input action=accept dst-port=64872 protocol=udp <br />
5 D chain=hs-input action=accept dst-port=64872-64875 protocol=tcp <br />
</pre> <br />
Allow client access to the local authentication and proxy services (as described earlier).<br />
<pre><br />
6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth<br />
</pre> <br />
All other traffic from unauthorized clients to the router itself will be treated the same way as the traffic traversing the router.<br />
<pre><br />
7 D chain=hs-unauth action=return protocol=icmp<br />
8 D ;;; www.mikrotik.com<br />
chain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80 protocol=tcp<br />
</pre> <br />
Unlike the NAT table, where only TCP-related Walled Garden entries were added, the packet filter '''hs-unauth''' chain contains everything you have set in the '''/ip hotspot walled-garden ip''' menu. That is why, although you have seen only one entry in the NAT table, there are two rules here.<br />
<pre><br />
9 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp<br />
10 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited<br />
</pre> <br />
Everything else that has not been white-listed by the Walled Garden will be rejected. Note the use of TCP Reset for rejecting TCP connections.<br />
<pre><br />
11 D chain=hs-unauth-to action=return protocol=icmp<br />
12 D ;;; www.mikrotik.com<br />
chain=hs-unauth-to action=return src-address=66.228.113.26 src-port=80 protocol=tcp<br />
</pre> <br />
Same action as in rules #7 and #8 is performed for the packets destined to the clients (chain '''hs-unauth-to''') as well.<br />
<pre><br />
13 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited<br />
</pre> <br />
Reject all packets to the clients with ICMP reject message.<br />
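The following Python sketch is an added example, not part of the original manual or of RouterOS: it replays the dynamic filter rules listed above against constructed packets to show which rule decides each case. The packet dictionary layout, the function names and the accept verdict for a built-in chain that ends without a match are assumptions of the example.<br />

```python
# Constructed input: the dynamic filter rules quoted in this section, one per
# line, with the ";;; www.mikrotik.com" comments dropped.
RULES_TEXT = """\
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 I chain=hs-input action=jump jump-target=pre-hs-input
4 D chain=hs-input action=accept dst-port=64872 protocol=udp
5 D chain=hs-input action=accept dst-port=64872-64875 protocol=tcp
6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
7 D chain=hs-unauth action=return protocol=icmp
8 D chain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80 protocol=tcp
9 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
10 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
11 D chain=hs-unauth-to action=return protocol=icmp
12 D chain=hs-unauth-to action=return src-address=66.228.113.26 src-port=80 protocol=tcp
13 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
"""

# Keys that describe the rule itself rather than a packet property to match.
NON_MATCHERS = {"number", "chain", "action", "jump-target", "reject-with"}

def parse_rules(text):
    """Parse printed rules into dicts; invalid (I) or disabled (X) rules are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or set(fields[1]) & {"I", "X"}:
            continue
        rule = dict(field.split("=", 1) for field in fields[2:])
        rule["number"] = int(fields[0])
        rules.append(rule)
    return rules

def port_match(spec, port):
    """Match a port against a single value ("80") or a range ("64872-64875")."""
    low, _, high = spec.partition("-")
    return port is not None and int(low) <= port <= int(high or low)

def matches(rule, pkt):
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        if key == "hotspot":
            # Comma-separated flags, all of which must hold; "!" negates a flag.
            for flag in want.split(","):
                if (flag.lstrip("!") in pkt["hotspot"]) == flag.startswith("!"):
                    return False
        elif key in ("dst-port", "src-port"):
            if not port_match(want, pkt.get(key)):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def walk(rules, chain, pkt, trace):
    """Return a terminal verdict, or None if the chain returns or runs out."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not matches(rule, pkt):
            continue
        trace.append(rule["number"])
        action = rule["action"]
        if action == "return":
            return None
        if action == "jump":
            result = walk(rules, rule["jump-target"], pkt, trace)
            if result is not None:
                return result
        elif action == "reject":
            return "reject:" + rule["reject-with"]
        else:
            return action
    return None

def verdict(pkt):
    """Return (verdict, numbers of the rules that matched) for one packet."""
    trace = []
    result = walk(parse_rules(RULES_TEXT), pkt["chain"], pkt, trace)
    # Assumption: a built-in chain that ends without a verdict accepts.
    return (result or "accept", trace)

# Constructed packets; 203.0.113.10 is a documentation address.
PACKETS = {
    "unauth to walled garden": {"chain": "forward", "hotspot": {"from-client"},
        "protocol": "tcp", "dst-address": "66.228.113.26", "dst-port": 80},
    "unauth to other site": {"chain": "forward", "hotspot": {"from-client"},
        "protocol": "tcp", "dst-address": "203.0.113.10", "dst-port": 443},
    "unauth udp": {"chain": "forward", "hotspot": {"from-client"},
        "protocol": "udp", "dst-address": "203.0.113.10", "dst-port": 5000},
    "unauth to login servlet": {"chain": "input", "hotspot": {"from-client"},
        "protocol": "tcp", "dst-port": 64873},
    "unauth to router ssh": {"chain": "input", "hotspot": {"from-client"},
        "protocol": "tcp", "dst-port": 22},
    "authorized client": {"chain": "forward", "hotspot": {"from-client", "auth"},
        "protocol": "tcp", "dst-address": "203.0.113.10", "dst-port": 443},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, verdict(pkt))
```

The trace shows that a Walled Garden <code>return</code> only hands the packet back to the calling chain, and that the invalid jump to '''pre-hs-input''' (rule #3) never takes part in the decision.<br />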
<br />
<br />
<br />
{{cont}}<br />
[[Category:Manual|H]]<br />
[[Category:Hotspot|H]]<br />
[[Category:IP|H]]<br />
[[Category:Examples|H]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Setting_up_DHCPv6&diff=34353Setting up DHCPv62021-04-22T07:58:01Z<p>Guntis: </p>
<hr />
<div>{{Versions|v5.8+}}<br />
<br />
This page describes the steps you should take to easily enable DHCPv6 on your MikroTik.<br />
<br />
First, we need to select a prefix from which we want to delegate prefixes. In this example, I will use 2a03:7900:6::/48. From this prefix, we will delegate /56s to our clients.<br />
<br />
We do not need to configure this address-space on any of the interfaces, we can work with link-local addresses.<br />
<br />
First, configure the DHCPv6-pool<br />
[admin@dhcpv6test] /ipv6 pool> add name=dhcpv6-1 prefix-length=56 prefix=2a03:7900:6::/48<br />
<br />
Now configure the DHCP-server to use this pool<br />
[admin@dhcpv6test] /ipv6 dhcp-server> add name=server1 interface=ether2 address-pool6=dhcpv6-1<br />
<br />
Please note that DHCPv6 does not send gateways and routes. You need to configure router advertisements to make it work. By setting 'autonomous=no' on a RA-prefix, the advertisement will not contain a prefix from which the receiving router will select an address. It will only use the RA to set a default route.<br />
[admin@dhcpv6test] /ipv6 nd prefix> add prefix=::/64 interface=ether2 on-link=yes autonomous=no<br />
<br />
Now, finish the RA-settings<br />
[admin@dhcpv6test] /ipv6 nd> add interface=ether2 managed-address-configuration=yes other-configuration=yes advertise-dns=yes<br />
<br />
That should be it. <br />
<br />
[[Category:IPv6|I]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=User_Manager/Languages&diff=34317User Manager/Languages2021-01-19T09:13:12Z<p>Guntis: </p>
<hr />
<div>User Manager supports multiple languages. This page contains user translated files, based on the standard language file from RouterOS. <br />
<br />
== Create your own translations ==<br />
# Download language file [http://wiki.mikrotik.com/images/5/59/En_EN_def.txt template], containing English translations<br />
# Open it with poEdit. Language files are plain-text and can also be edited with any text editor if [http://www.poedit.net/ poEdit] is not available. Please, use '''UTF-8''' encoding for non-standard characters.<br />
# Translate the file<br />
# Set the language: in [http://www.poedit.net/ poEdit]: Catalog > Settings > Language, in text editor, change the line containing <code>"X-Poedit-Language: English\n"</code><br />
# Save it as a .lng file. The file name is not important (the .lng extension is required), but it is recommended that it contain translation language information, for example, de_DE.lng for a German translation<br />
# Upload the file to the router, using FTP<br />
# If you are logged in to User Manager web, log out and log in again.<br />
# In the web page there will be a language select box on the menu. Select desired language.<br />
<br />
Multiple languages can be stored on the router at the same time, the desired language is chosen on the customer web page. Every customer can choose their own language to use.<br />
<br />
== User translations ==<br />
<br />
* Spanish translation https://wiki.mikrotik.com/images/d/d8/Sp_SP_def.po author: Jose Salazar, Spain. Change po extension for lng and upload it via FTP to Router.<br />
* Brazilian Portuguese http://wiki.mikrotik.com/images/6/67/Pt_BR2.lng.po Author: Carlos Fernando, Brazil<br />
* Brazilian Portuguese translation http://wiki.mikrotik.com/images/2/2c/Pt_BR.lng.txt author: Antonio Junior, Brazil. Change extension for lng and upload it via FTP to Router.<br />
* Italian http://wiki.mikrotik.com/images/2/23/It_IT_def.txt author: Renato Bernardi, Italy. Change txt extension for lng and upload it via FTP to Router.<br />
* Russian http://wiki.mikrotik.com/images/1/1f/Ru_RU.txt authors: Alexander Zotov and Eugene Nurullin, Russia. Change txt extension for lng and upload it via FTP to Router.<br />
* Arabic http://wiki.mikrotik.com/images/9/9c/AR_AR.lng.txt Change txt extension for lng and upload it via FTP to Router.<br />
* Turkish http://wiki.mikrotik.com/images/5/5c/Tr_TR_def.lng.txt Author: Bulent KUSVA and Umut Can YILDIZ<br />
* Bulgarian http://wiki.mikrotik.com/images/a/a0/Bg_BG.lng.txt Author: Luboslav Colov<br />
* Persian https://wiki.mikrotik.com/images/4/4b/Um-persian3.po Author: Morteza Tajbakhsh<br />
* Czech http://wiki.mikrotik.com/images/5/56/Cs_CZ.po Author: Martin Ryšavý, Czechia<br />
* French https://wiki.mikrotik.com/images/6/61/Fr_FR.po Author: Keuambou F. Yannick, Cameroon</div>Guntishttps://wiki.mikrotik.com/index.php?title=File:Um-persian3.po&diff=34316File:Um-persian3.po2021-01-19T09:09:12Z<p>Guntis: </p>
<hr />
<div></div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interworking_Profiles&diff=34304Manual:Interworking Profiles2020-12-28T13:57:01Z<p>Guntis: </p>
<hr />
<div>{{Versions|v6}}<br />
=Summary=<br />
===Interworking===<br />
Interworking is the occurrence of two or more things working together. For a better Wireless network experience, information about the network must be exchanged between Access Points and Wireless client devices, but the information that can be found in basic Wireless beacons and probe requests is limited. For this reason, the IEEE 802.11u™-2011 (Interworking with External Networks) standard was created; it specifies how devices should exchange information with each other. The network discovery and Access Point selection process can be enhanced with the interworking service. Wireless client devices can have more criteria upon which they can choose the network with which to associate.<br />
<br />
===Hotspot 2.0===<br />
Hotspot 2.0 is a specification developed and owned by the Wi-Fi Alliance. It was designed to enable a more cellular-like experience when connecting to Wi-Fi networks. In the attempt to increase Wireless network security Hotspot 2.0 access points use mandatory WPA2 authentication. Hotspot 2.0 relies on Interworking as well as adds some of its own properties and procedures.<br />
<br />
<br />
Interworking profiles are implemented according to IEEE 802.11u and Hotspot 2.0 Release 1 specifications.<br />
<br />
=Configuration Properties=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless interworking-profiles</code></p><br />
===Information elements in beacon and probe response===<br />
<br />
Some information can be added to beacon and probe response packets with an Interworking element. The following parameters of an Interworking element can be configured:<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=asra<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Additional Steps Required for Access. Set to <code>yes</code>, if a user should take additional steps to access the internet, like the walled garden.<br />
}}<br />
{{Mr-arg-table<br />
|arg=esr<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Emergency services reachable (ESR). Set to <code>yes</code> in order to indicate that emergency services are reachable through the access point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hessid<br />
|type=MAC address<br />
|default=<br />
|desc=Homogeneous extended service set identifier (HESSID). Devices that provide access to the same external networks are in one homogeneous extended service set. This service set can be identified by a HESSID that is the same on all access points in the set. The 6-byte value of the HESSID is represented as a MAC address. It should be globally unique, therefore it is advised to use the MAC address of one of the access points in the service set.<br />
}}<br />
{{Mr-arg-table<br />
|arg=internet<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether the internet is available through this connection or not. This information is included in the Interworking element.<br />
}}<br />
{{Mr-arg-table<br />
|arg=network-type<br />
|type=emergency-only {{!}} personal-device {{!}} private {{!}} private-with-guest {{!}} public-chargeable {{!}} public-free {{!}} test {{!}} wildcard<br />
|default=wildcard<br />
|desc=Information about network access type.<br />
* <code>emergency-only</code> - a network dedicated and limited to accessing emergency services;<br />
* <code>personal-device</code> - a network of personal devices. An example of this type of network is a camera that is attached to a printer, thereby forming a network for the purpose of printing pictures;<br />
* <code>private</code> - network for users with user accounts. Usually used in enterprises for employees, not guests;<br />
* <code>private-with-guest</code> - same as private, but guest accounts are available;<br />
* <code>public-chargeable</code> - a network that is available to anyone willing to pay. For example, a subscription to Hotspot 2.0 service or in-room internet access in a hotel;<br />
* <code>public-free</code> - network is available to anyone without any fee. For example, municipal network in city or airport Hotspot;<br />
* <code>test</code> - network used for testing and experimental uses. Not used in production;<br />
* <code>wildcard</code> - is used on Wireless clients. Sending probe request with a wildcard as network type value will make all Interworking Access Points respond despite their actual network-type setting.<br />
A client sends a probe request frame with network-type set to value it is interested in. It will receive replies only from access points with the same value (except the case of wildcard).<br />
}}<br />
{{Mr-arg-table<br />
|arg=uesa<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Unauthenticated emergency service accessible (UESA).<br />
* <code>no</code> - indicates that no unauthenticated emergency services are reachable through this Access Point;<br />
* <code>yes</code> - indicates that higher layer unauthenticated emergency services are reachable through this Access Point. <br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue<br />
|type=venue<br />
|default=unspecified<br />
|desc=Specify the venue in which the Access Point is located. Choose the value from available ones. Some examples:<br />
<pre><br />
venue=business-bank<br />
venue=mercantile-shopping-mall<br />
venue=educational-university-or-college<br />
</pre><br />
}}<br />
<br />
===ANQP elements===<br />
<br />
Access network query protocol (ANQP). Not all necessary information is included in probe response and beacon frames. ANQP is used so that a client device can get more information before choosing an access point to associate with. The Access Point can store information in multiple ANQP elements, and a client device uses ANQP to query only for the information it is interested in. This reduces the time needed before association.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=octet string in hex<br />
|default=<br />
|desc=Cellular network advertisement information - country and network codes. This helps Hotspot 2.0 clients in the selection of an Access Point to access a 3GPP network. Please see 3GPP TS 24.302 (Annex H) for the format of this field. This value is sent in the ANQP response if queried.<br />
}}<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=dns-redirection:<code>url</code> {{!}} https-redirection:<code>url</code> {{!}} online-enrollment:<code>url</code> {{!}} terms-and-conditions:<code>url</code><br />
|default=<br />
|desc=This property is only effective when <var>asra</var> is set to <code>yes</code>. Value of <code>url</code> is optional and not needed if <code>dns-redirection</code> or <code>online-enrollment</code> is selected. To set the value of <code>url</code> to empty string use double quotes. For example:<br />
<pre>authentication-types=online-enrollment:""</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=connection-capabilities<br />
|type=number:number:closed{{!}}open{{!}}unknown<br />
|default=<br />
|desc=This option provides information about the allowed IP protocols and ports. This information can be provided in an ANQP response. The first number represents the IP protocol number, the second number represents a port number.<br />
* <code>closed</code> - set if protocol and port combination is not allowed;<br />
* <code>open</code> - set if protocol and port combination is allowed;<br />
* <code>unknown</code> - set if protocol and port combination is either open or closed.<br />
Example:<br />
<pre>connection-capabilities=6:80:open,17:5060:closed</pre><br />
Setting such a value on an Access Point informs the Wireless client, which is connecting to the Access Point, that HTTP (6 - TCP, 80 - HTTP) is allowed and VoIP (17 - UDP; 5060 - VoIP) is not allowed.<br />
This property does not restrict or allow usage of these protocols and ports, it only gives information to station device which is connecting to Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=domain-names<br />
|type=list of strings<br />
|default=<br />
|desc=Zero or more fully qualified domain names (FQDN) that indicate the entity operating the Hotspot. A station that is connecting to the Access Point can request this ANQP property and check if there is a suffix match with any of the domain names it has credentials for.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv4-availability<br />
|type=double-nated {{!}} not-available {{!}} port-restricted {{!}} port-restricted-double-nated {{!}} port-restricted-single-nated {{!}} public {{!}} single-nated {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv4 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>public</code> - public IPv4 address available;<br />
* <code>port-restricted</code> - port-restricted IPv4 address available;<br />
* <code>single-nated</code> - single NATed private IPv4 address available;<br />
* <code>double-nated</code> - double NATed private IPv4 address available;<br />
* <code>port-restricted-single-nated</code> -port-restricted IPv4 address and single NATed IPv4 address available;<br />
* <code>port-restricted-double-nated</code> - port-restricted IPv4 address and double NATed IPv4 address available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv6-availability<br />
|type=available {{!}} not-available {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv6 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>available</code> - address type available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=realms<br />
|type=string:eap-sim{{!}}eap-tls{{!}}not-specified<br />
|default=<br />
|desc=Information about supported realms and the corresponding EAP method.<br />
<pre><br />
realms=example.com:eap-tls,foo.ba:not-specified<br />
</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=realms-raw<br />
|type=octet string in hex<br />
|default=<br />
|desc=Set NAI Realm ANQP-element manually.<br />
}}<br />
{{Mr-arg-table<br />
|arg=roaming-ois<br />
|type=octet string in hex<br />
|default=<br />
|desc=An organization identifier (OI) is usually a 24-bit unique identifier, such as an organizationally unique identifier (OUI) or a company identifier (CID). In some cases the OI is longer, for example OUI-36.<br />
A subscription service provider (SSP) can be specified by its OI.<br />
The <var>roaming-ois</var> property can contain zero or more OIs of SSPs whose networks are accessible via this AP.<br />
The length of an OI should be specified before the OI itself. For example, to set E4-8D-8C and 6C-3B-6B:<br />
<pre><br />
roaming-ois=E48D8C,6C3B6B<br />
</pre><br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue-names<br />
|type=string:lang<br />
|default=<br />
|desc=The venue name can be used to provide additional information about the venue. It can help the client to choose a proper Access Point.<br />
The venue-names parameter consists of zero or more pairs, each containing a Venue Name and a Language Code:<br />
<pre><br />
venue-names=CoffeeShop:eng,TiendaDeCafe:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
<br />
===Hotspot 2.0 ANQP elements===<br />
<br />
Hotspot 2.0 specification introduced some additional ANQP elements. These elements use an ANQP vendor specific element ID. Here are available properties to change these elements.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hotspot20<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Indicate Hotspot 2.0 capability of the Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hotspot20-dgaf<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Downstream Group-Addressed Forwarding (DGAF). Sets value of DGAF bit to indicate whether multicast and broadcast frames to clients are disabled or enabled.<br />
* <code>yes</code> - multicast and broadcast frames to clients are enabled;<br />
* <code>no</code> - multicast and broadcast frames to clients are disabled.<br />
To disable multicast and broadcast frames set <code>multicast-helper=full</code>.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operational-classes<br />
|type=list of numbers<br />
|default=<br />
|desc=Information about other available bands of the same ESS.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operator-names<br />
|type=string:lang<br />
|default=<br />
|desc=Set the operator name. A language must be specified for each operator name entry.<br />
The operator-names parameter consists of zero or more pairs, each containing an Operator Name and a Language Code:<br />
<pre><br />
operator-names=BestOperator:eng,MejorOperador:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-at-capacity<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the Access Point or the network is at its max capacity. If set to <code>yes</code> no additional mobile devices will be permitted to associate to the AP.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink<br />
|type=number<br />
|default=0<br />
|desc=The downlink speed of the WAN connection set in kbps. If the downlink speed is not known, set to 0.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink-load<br />
|type=number<br />
|default=0<br />
|desc=The downlink load of the WAN connection measured over <code>wan-measurement-duration</code>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-measurement-duration<br />
|type=number<br />
|default=0<br />
|desc=Duration during which <var>wan-downlink-load</var> and <code>wan-uplink-load</code> are measured. Value is a numeric value from 0 to 65535 representing tenths of seconds.<br />
* <code>0</code> - not measured;<br />
* <code>10</code> - 1 second;<br />
* <code>65535</code> - 1 hour 49 minutes or more.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-status<br />
|type=down {{!}} reserved {{!}} test {{!}} up<br />
|default=reserved<br />
|desc=Information about the status of the Access Point's WAN connection. The value <code>reserved</code> is not used.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-symmetric<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the WAN link is symmetric (upload and download speeds are the same) or not.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-uplink<br />
|type=number<br />
|default=0<br />
|desc=The uplink speed of the WAN connection set in kbps. If the uplink speed is not known set to 0.<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=wan-uplink-load<br />
|type=number<br />
|default=0<br />
|desc=The uplink load of the WAN connection measured over <var>wan-measurement-duration</var>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
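As an added example (not MikroTik code), the Python sketch below parses the value formats documented in the tables above and flags inconsistent settings before a profile is applied. The function names, the dictionary layout, the sample profile and the linear scaling of the load values between 0 and 255 are assumptions of the example.<br />

```python
import re

CAP_STATES = {"closed", "open", "unknown"}
EAP_METHODS = {"eap-sim", "eap-tls", "not-specified"}
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

def parse_connection_capabilities(value):
    """'6:80:open,17:5060:closed' -> [(6, 80, 'open'), (17, 5060, 'closed')]."""
    entries = []
    for item in value.split(","):
        proto, port, state = item.split(":")
        proto, port = int(proto), int(port)
        if not 0 <= proto <= 255 or not 0 <= port <= 65535 or state not in CAP_STATES:
            raise ValueError("bad entry " + item)
        entries.append((proto, port, state))
    return entries

def parse_name_lang(value):
    """'CoffeeShop:eng,TiendaDeCafe:es' -> [('CoffeeShop', 'eng'), ('TiendaDeCafe', 'es')]."""
    pairs = []
    for item in value.split(","):
        name, _, lang = item.rpartition(":")
        # The language code must be two or three characters (ISO-639).
        if not name or not re.fullmatch(r"[a-z]{2,3}", lang):
            raise ValueError("bad entry " + item)
        pairs.append((name, lang))
    return pairs

def parse_realms(value):
    """'example.com:eap-tls' -> [('example.com', 'eap-tls')]."""
    realms = []
    for item in value.split(","):
        realm, _, method = item.rpartition(":")
        if not realm or method not in EAP_METHODS:
            raise ValueError("bad entry " + item)
        realms.append((realm, method))
    return realms

def load_percent(raw):
    """wan-*-load: 0 is unknown, 255 is 100 % (linear scale is an assumption)."""
    if not 0 <= raw <= 255:
        raise ValueError("load must be 0..255")
    return None if raw == 0 else round(raw * 100 / 255, 1)

def measurement_seconds(raw):
    """wan-measurement-duration counts tenths of a second; 0 is not measured."""
    if not 0 <= raw <= 65535:
        raise ValueError("duration must be 0..65535")
    return None if raw == 0 else raw / 10

PARSERS = {"venue-names": parse_name_lang, "operator-names": parse_name_lang,
           "realms": parse_realms,
           "connection-capabilities": parse_connection_capabilities}

def check_profile(props):
    """Return a list of findings for one profile given as {property: string}."""
    findings, parsed = [], {}
    hessid = props.get("hessid", "")
    if hessid and not MAC_RE.fullmatch(hessid):
        findings.append("hessid: not a 6-byte value in MAC address notation")
    if props.get("authentication-types") and props.get("asra", "no") != "yes":
        findings.append("authentication-types: only effective when asra=yes")
    for key, parser in PARSERS.items():
        if props.get(key):
            try:
                parsed[key] = parser(props[key])
            except ValueError as exc:
                findings.append(f"{key}: {exc}")
    closed = [c for c in parsed.get("connection-capabilities", []) if c[2] == "closed"]
    if closed:
        # The property only informs stations; it does not filter traffic.
        findings.append(f"connection-capabilities: {len(closed)} advertised closed; "
                        "informational only, enforce in the firewall")
    duration = measurement_seconds(int(props.get("wan-measurement-duration", "0")))
    for key in ("wan-downlink-load", "wan-uplink-load"):
        if load_percent(int(props.get(key, "0"))) is not None and duration is None:
            findings.append(f"{key}: load is set but wan-measurement-duration is 0")
    return findings

# Constructed sample profile with four deliberate problems.
SAMPLE = {
    "asra": "no",
    "authentication-types": 'online-enrollment:""',
    "hessid": "E4:8D:8C:00:00",
    "venue-names": "CoffeeShop:eng,TiendaDeCafe:es",
    "connection-capabilities": "6:80:open,17:5060:closed",
    "realms": "example.com:eap-tls,foo.ba:not-specified",
    "wan-downlink-load": "128",
    "wan-measurement-duration": "0",
}

if __name__ == "__main__":
    for finding in check_profile(SAMPLE):
        print(finding)
```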
<br />
===Other Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the profile<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of the Interworking profile.<br />
}}<br />
<br />
=See also=<br />
<br />
<br />
* [[Manual:Interface/Wireless | Wireless manual]]<br />
<br />
[[Category:Manual]]<br />
[[Category:Wireless]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interworking_Profiles&diff=34303Manual:Interworking Profiles2020-12-28T13:08:12Z<p>Guntis: </p>
<hr />
<div>{{Versions|v6}}<br />
=Summary=<br />
===Interworking===<br />
Interworking is the occurrence of two or more things working together. For a better Wireless network experience, information about the network must be exchanged between Access Points and Wireless client devices, but the information that can be found in basic Wireless beacons and probe requests is limited. For this reason, the IEEE 802.11u™-2011 (Interworking with External Networks) standard was created; it specifies how devices should exchange information with each other. The network discovery and Access Point selection process can be enhanced with the interworking service. Wireless client devices can have more criteria upon which they can choose the network with which to associate.<br />
<br />
===Hotspot 2.0===<br />
Hotspot 2.0 is a specification developed and owned by the Wi-Fi Alliance. It was designed to enable a more cellular-like experience when connecting to Wi-Fi networks. In the attempt to increase Wireless network security Hotspot 2.0 access points use mandatory WPA2 authentication. Hotspot 2.0 relies on Interworking as well as adds some of its own properties and procedures.<br />
<br />
<br />
Interworking profiles are implemented according to IEEE 802.11u and Hotspot 2.0 Release 1 specifications.<br />
<br />
=Configuration Properties=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface wireless interworking-profiles</code></p><br />
===Information elements in beacon and probe response===<br />
<br />
Some information can be added to beacon and probe response packets with an Interworking element. The following parameters of an Interworking element can be configured:<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=asra<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Additional Steps Required for Access. Set to <code>yes</code>, if a user should take additional steps to access the internet, like the walled garden.<br />
}}<br />
{{Mr-arg-table<br />
|arg=esr<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Emergency services reachable (ESR). Set to <code>yes</code> in order to indicate that emergency services are reachable through the access point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hessid<br />
|type=MAC address<br />
|default=<br />
|desc=Homogeneous extended service set identifier (HESSID). Devices that provide access to the same external networks are in one homogeneous extended service set. This service set can be identified by a HESSID that is the same on all access points in the set. The 6-byte value of the HESSID is represented as a MAC address. It should be globally unique, therefore it is advised to use the MAC address of one of the access points in the service set.<br />
}}<br />
{{Mr-arg-table<br />
|arg=internet<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether the internet is available through this connection or not. This information is included in the Interworking element.<br />
}}<br />
{{Mr-arg-table<br />
|arg=network-type<br />
|type=emergency-only {{!}} personal-device {{!}} private {{!}} private-with-guest {{!}} public-chargeable {{!}} public-free {{!}} test {{!}} wildcard<br />
|default=wildcard<br />
|desc=Information about network access type.<br />
* <code>emergency-only</code> - a network dedicated and limited to accessing emergency services;<br />
* <code>personal-device</code> - a network of personal devices. An example of this type of network is a camera that is attached to a printer, thereby forming a network for the purpose of printing pictures;<br />
* <code>private</code> - network for users with user accounts. Usually used in enterprises for employees, not guests;<br />
* <code>private-with-guest</code> - same as private, but guest accounts are available;<br />
* <code>public-chargeable</code> - a network that is available to anyone willing to pay. For example, a subscription to Hotspot 2.0 service or in-room internet access in a hotel;<br />
* <code>public-free</code> - network is available to anyone without any fee. For example, municipal network in city or airport Hotspot;<br />
* <code>test</code> - network used for testing and experimental uses. Not used in production;<br />
* <code>wildcard</code> - is used on Wireless clients. Sending probe request with a wildcard as network type value will make all Interworking Access Points respond despite their actual network-type setting.<br />
A client sends a probe request frame with network-type set to value it is interested in. It will receive replies only from access points with the same value (except the case of wildcard).<br />
}}<br />
{{Mr-arg-table<br />
|arg=uesa<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Unauthenticated emergency service accessible (UESA).<br />
* <code>no</code> - indicates that no unauthenticated emergency services are reachable through this Access Point;<br />
* <code>yes</code> - indicates that higher layer unauthenticated emergency services are reachable through this Access Point. <br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue<br />
|type=venue<br />
|default=unspecified<br />
|desc=Specify the venue in which the Access Point is located. Choose the value from available ones. Some examples:<br />
<pre><br />
venue=business-bank<br />
venue=mercantile-shopping-mall<br />
venue=educational-university-or-college<br />
</pre><br />
}}<br />
<br />
===ANQP elements===<br />
<br />
Access network query protocol (ANQP). Not all necessary information is included in probe response and beacon frames. ANQP is used so that a client device can get more information before choosing an access point to associate with. The Access Point can store information in multiple ANQP elements, and a client device uses ANQP to query only for the information it is interested in. This reduces the time needed before association.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=3gpp<br />
|type=octet string in hex<br />
|default=<br />
|desc=Cellular network advertisement information - country and network codes. This helps Hotspot 2.0 clients in the selection of an Access Point to access a 3GPP network. Please see 3GPP TS 24.302 (Annex H) for the format of this field. This value is sent in the ANQP response if queried.<br />
}}<br />
{{Mr-arg-table<br />
|arg=authentication-types<br />
|type=dns-redirection:<code>url</code> {{!}} https-redirection:<code>url</code> {{!}} online-enrollment:<code>url</code> {{!}} terms-and-conditions:<code>url</code><br />
|default=<br />
|desc=This property is only effective when <var>asra</var> is set to <code>yes</code>. Value of <code>url</code> is optional and not needed if <code>dns-redirection</code> or <code>online-enrollment</code> is selected. To set the value of <code>url</code> to empty string use double quotes. For example:<br />
<pre>authentication-types=online-enrollment:""</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=connection-capabilities<br />
|type=number:number:closed{{!}}open{{!}}unknown<br />
|default=<br />
|desc=This option provides information about the allowed IP protocols and ports. This information can be provided in the ANQP response. The first number represents the IP protocol number, the second number represents a port number.<br />
* <code>closed</code> - set if protocol and port combination is not allowed;<br />
* <code>open</code> - set if protocol and port combination is allowed;<br />
* <code>unknown</code> - set if protocol and port combination is either open or closed.<br />
Example:<br />
<pre>connection-capabilities=6:80:open,17:5060:closed</pre><br />
Setting such a value on an Access Point informs the Wireless client, which is connecting to the Access Point, that HTTP (6 - TCP, 80 - HTTP) is allowed and VoIP (17 - UDP; 5060 - VoIP) is not allowed.<br />
This property does not restrict or allow usage of these protocols and ports, it only gives information to station device which is connecting to Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=domain-names<br />
|type=list of strings<br />
|default=<br />
|desc=Zero or more fully qualified domain names (FQDN) that indicate the entity operating the Hotspot. A station that is connecting to the Access Point can request this ANQP property and check if there is a suffix match with any of the domain names it has credentials for.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv4-availability<br />
|type=double-nated {{!}} not-available {{!}} port-restricted {{!}} port-restricted-double-nated {{!}} port-restricted-single-nated {{!}} public {{!}} single-nated {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv4 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>public</code> - public IPv4 address available;<br />
* <code>port-restricted</code> - port-restricted IPv4 address available;<br />
* <code>single-nated</code> - single NATed private IPv4 address available;<br />
* <code>double-nated</code> - double NATed private IPv4 address available;<br />
* <code>port-restricted-single-nated</code> - port-restricted IPv4 address and single NATed IPv4 address available;<br />
* <code>port-restricted-double-nated</code> - port-restricted IPv4 address and double NATed IPv4 address available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=ipv6-availability<br />
|type=available {{!}} not-available {{!}} unknown<br />
|default=not-available<br />
|desc=Information about what IPv6 address and access are available.<br />
* <code>not-available</code> - Address type not available;<br />
* <code>available</code> - address type available;<br />
* <code>unknown</code> - availability of the address type is not known.<br />
}}<br />
{{Mr-arg-table<br />
|arg=realms<br />
|type=string:eap-sim{{!}}eap-tls{{!}}not-specified<br />
|default=<br />
|desc=Information about supported realms and the corresponding EAP method.<br />
<pre><br />
realms=example.com:eap-tls,foo.ba:not-specified<br />
</pre><br />
}}<br />
{{Mr-arg-table<br />
|arg=realms-raw<br />
|type=octet string in hex<br />
|default=<br />
|desc=Set NAI Realm ANQP-element manually.<br />
}}<br />
{{Mr-arg-table<br />
|arg=roaming-ois<br />
|type=octet string in hex<br />
|default=<br />
|desc=An organization identifier (OI) is usually a 24-bit unique identifier, such as an organizationally unique identifier (OUI) or a company identifier (CID). In some cases the OI is longer, for example OUI-36.<br />
A subscription service provider (SSP) can be specified by its OI.<br />
<var>roaming-ois</var> property can contain zero or more SSPs OIs whose networks are accessible via this AP. <br />
Length of OI should be specified before OI itself. For example, to set E4-8D-8C and 6C-3B-6B:<br />
<pre><br />
roaming-ois=03E48D8C,036C3B6B<br />
</pre><br />
}}<br />
{{Mr-arg-table-end<br />
|arg=venue-names<br />
|type=string:lang<br />
|default=<br />
|desc=Venue name can be used to provide additional info on the venue. It can help the client to choose a proper Access Point.<br />
The venue-names parameter consists of zero or more pairs, each containing a Venue Name and a Language Code:<br />
<pre><br />
venue-names=CoffeeShop:eng,TiendaDeCafe:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
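<br />
The length-prefixed layout of <var>roaming-ois</var> described above is easy to get wrong by hand, so here is an added Python example (not part of the original manual) that builds the value from OIs and checks an existing value before it is pasted into a profile. The function names are hypothetical, and the only rule enforced is the one stated on this page: each entry is one length octet followed by that many OI octets.<br />

```python
def encode_roaming_ois(ois):
    """Build a roaming-ois value from OIs written like 'E4-8D-8C'."""
    entries = []
    for oi in ois:
        # bytes.fromhex() raises ValueError on non-hex or odd-length input
        raw = bytes.fromhex(oi.replace("-", "").replace(":", ""))
        if not 1 <= len(raw) <= 255:
            raise ValueError(f"OI {oi!r} must be 1..255 octets long")
        # Length octet first, then the OI itself, all in upper-case hex
        entries.append(f"{len(raw):02X}{raw.hex().upper()}")
    return ",".join(entries)


def decode_roaming_ois(value):
    """Split a roaming-ois value and verify every length octet."""
    ois = []
    for entry in filter(None, value.split(",")):
        raw = bytes.fromhex(entry)
        # The first octet must equal the number of octets that follow it
        if len(raw) < 2 or raw[0] != len(raw) - 1:
            raise ValueError(f"length octet does not match OI in {entry!r}")
        ois.append("-".join(f"{b:02X}" for b in raw[1:]))
    return ois


if __name__ == "__main__":
    # The two OIs used in the example on this page
    value = encode_roaming_ois(["E4-8D-8C", "6C-3B-6B"])
    print("roaming-ois=" + value)
    print(decode_roaming_ois(value))
```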
<br />
===Hotspot 2.0 ANQP elements===<br />
<br />
Hotspot 2.0 specification introduced some additional ANQP elements. These elements use an ANQP vendor specific element ID. Here are available properties to change these elements.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=hotspot20<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Indicate Hotspot 2.0 capability of the Access Point.<br />
}}<br />
{{Mr-arg-table<br />
|arg=hotspot20-dgaf<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Downstream Group-Addressed Forwarding (DGAF). Sets value of DGAF bit to indicate whether multicast and broadcast frames to clients are disabled or enabled.<br />
* <code>yes</code> - multicast and broadcast frames to clients are enabled;<br />
* <code>no</code> - multicast and broadcast frames to clients are disabled.<br />
To disable multicast and broadcast frames set <code>multicast-helper=full</code>.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operational-classes<br />
|type=list of numbers<br />
|default=<br />
|desc=Information about other available bands of the same ESS.<br />
}}<br />
{{Mr-arg-table<br />
|arg=operator-names<br />
|type=string:lang<br />
|default=<br />
|desc=Set operator name. Language must be specified for each operator name entry.<br />
The operator-names parameter consists of zero or more pairs, each containing an Operator Name and a Language Code:<br />
<pre><br />
operator-names=BestOperator:eng,MejorOperador:es<br />
</pre><br />
The Language Code field value is a two- or three-character language code selected from ISO-639.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-at-capacity<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the Access Point or the network is at its max capacity. If set to <code>yes</code> no additional mobile devices will be permitted to associate to the AP.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink<br />
|type=number<br />
|default=0<br />
|desc=The downlink speed of the WAN connection set in kbps. If the downlink speed is not known, set to 0.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-downlink-load<br />
|type=number<br />
|default=0<br />
|desc=The downlink load of the WAN connection measured over <code>wan-measurement-duration</code>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-measurement-duration<br />
|type=number<br />
|default=0<br />
|desc=Duration during which <var>wan-downlink-load</var> and <code>wan-uplink-load</code> are measured. Value is a numeric value from 0 to 65535 representing tenths of seconds.<br />
* <code>0</code> - not measured;<br />
* <code>10</code> - 1 second;<br />
* <code>65535</code> - 1 hour 49 minutes or more.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-status<br />
|type=down {{!}} reserved {{!}} test {{!}} up<br />
|default=reserved<br />
|desc=Information about the status of the Access Point's WAN connection. The value <code>reserved</code> is not used.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-symmetric<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the WAN link is symmetric (upload and download speeds are the same) or not.<br />
}}<br />
{{Mr-arg-table<br />
|arg=wan-uplink<br />
|type=number<br />
|default=0<br />
|desc=The uplink speed of the WAN connection set in kbps. If the uplink speed is not known set to 0.<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=wan-uplink-load<br />
|type=number<br />
|default=0<br />
|desc=The uplink load of the WAN connection measured over <var>wan-measurement-duration</var>. Values from 0 to 255.<br />
* <code>0</code> - unknown;<br />
* <code>255</code> - 100%.<br />
}}<br />
<br />
===Other Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the profile<br />
}}<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name of the Interworking profile.<br />
}}<br />
<br />
=See also=<br />
<br />
<br />
* [[Manual:Interface/Wireless | Wireless manual]]<br />
<br />
[[Category:Manual]]<br />
[[Category:Wireless]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Dual_SIM_Application&diff=34284Dual SIM Application2020-11-30T11:48:00Z<p>Guntis: /* Initial settings */</p>
<hr />
<div>==Summary==<br />
<br />
The first script example shows how to switch between SIM slots in case mobile roaming is detected for LtAP mini devices. This could be useful for mobile vehicle applications, where cars, buses or trains could drive abroad and should use two SIM cards (one for a home network, other for a roaming network). Since RouterOS version 6.43 a roaming status for info command is added (displayed only when roaming) so we can use this in RouterOS scripts to change SIM cards accordingly.<br />
<br />
The second script example shows how to switch between the SIM cards in case mobile connection is lost on the currently selected one.<br />
<br />
{{ Note | Keep in mind that these are just examples of how to utilize dual SIM slots. For real-life production environments, a proper testing should be carried out, so try to optimize them and add new features according to your needs.}}<br />
<br />
==Initial settings==<br />
<br />
First, make sure you have correctly set up LTE network parameters (provided by the mobile network operator) for each SIM card. You can use default APN profile or create two separate ones, follow this link - [[Manual:Interface/LTE#Quick_setup_example | Quick setup example]]. This example uses default APN profile.<br />
<br />
After that, enable data roaming so the device can connect to data providers in other countries, using the following command. This makes it possible to keep track of the roaming status.<br />
<pre><br />
/interface lte set [find name=lte1] allow-roaming=yes<br />
</pre><br />
<br />
Then, choose which SIM slots will be used for home and roaming networks. In this example, we use slot "down" for home and slot "up" for roaming network. Use the following command to switch between active slots.<br />
{{Note| The command for SIM slot selection changes in v6.45.1. Some device models, like SXT, have SIM slots named "a" and "b" instead of "up" and "down".}}<br />
Command for pre 6.45.1<br />
<pre><br />
/system routerboard sim set sim-slot=down<br />
</pre><br />
<br />
Command after 6.45.1<br />
<pre><br />
/system routerboard modem set sim-slot=down<br />
</pre><br />
After changing SIM slots, LTE modem will be restarted. It can take some time (depending on modem and board around 30 seconds) to fully initialize it, so make sure you test your modem.<br />
<br />
==Roaming script example==<br />
<br />
Now create a script that will run with a scheduler. This script example goes through a few key points:<br />
* Check if LTE interface is initialized (shows in <code>/interface lte</code> list), otherwise try a power reset<br />
* Check if LTE connection is established (interface is in "running" state), otherwise create a log entry and simply wait for next scheduler<br />
* Read currently used LTE slot and make a decision whether to change SIM slots based on roaming status<br />
Let's call this script "roamingScript", and see below the source:<br />
<pre><br />
{<br />
# Setup and read current values, "up" SIM slot will be used for roaming, "down" for home network<br />
:global simSlot [/system routerboard sim get sim-slot]<br />
:global timeoutLTE 60<br />
:global timeoutConnect 60<br />
<br />
# Wait for LTE to initialize for maximum "timeoutLTE" seconds<br />
:local i 0<br />
:local isLTEinit false<br />
:while ($i<$timeoutLTE) do={<br />
:foreach n in=[/interface lte find] do={:set $isLTEinit true}<br />
:if ($isLTEinit=true) do={<br />
:set $i $timeoutLTE<br />
}<br />
:set $i ($i+1)<br />
:delay 1s<br />
}<br />
<br />
# Check if LTE is initialized, or try power-reset the modem<br />
:if ($isLTEinit=true) do={<br />
# Wait for LTE interface to connect to mobile network for maximum "timeoutConnect" seconds<br />
:local isConnected false<br />
:set $i 0<br />
:while ($i<$timeoutConnect) do={<br />
:if ([/interface lte get [find name="lte1"] running]=true) do={<br />
:set $isConnected true<br />
:set $i $timeoutConnect<br />
}<br />
:set $i ($i+1)<br />
:delay 1s<br />
}<br />
# Check if LTE is connected<br />
:if ($isConnected=true) do={<br />
:local Info [/interface lte info [find name="lte1"] once as-value]<br />
:local isRoaming ($Info->"roaming")<br />
# Check which SIM slot is used<br />
:if ($simSlot="down") do={<br />
# If "down" (home) slot, check roaming status<br />
:if ($isRoaming=true) do={<br />
:log info message="Roaming detected, switching to SIM UP (Roaming)"<br />
/system routerboard sim set sim-slot=up<br />
}<br />
} else={<br />
# Else "up" (roaming) slot, check roaming status<br />
:if (!$isRoaming=true) do={<br />
:log info message="Not roaming, switching to SIM DOWN (Home)"<br />
/system routerboard sim set sim-slot=down<br />
}<br />
}<br />
} else={<br />
:log info message="LTE interface did not connect to network, wait for next scheduler"<br />
}<br />
} else={<br />
:log info message="LTE modem did not appear, trying power-reset"<br />
/system routerboard usb power-reset duration=5s<br />
}<br />
}<br />
</pre><br />
<br />
<br />
==Failover script example==<br />
<br />
Now create a script that will run with a scheduler. This script example goes through a few key points:<br />
* Check if LTE interface is initialized (shows in <code>/interface lte</code> list), otherwise try a power reset<br />
* Check if LTE connection is established (interface is in "running" state), otherwise create a log entry and simply wait for next scheduler<br />
* Read currently used LTE slot and make a decision whether to change SIM slots based on interface status<br />
<br />
{{ Note | Keep in mind that the SIM slot will only be changed if the current one is not able to connect to the network. If you need to switch back to the main SIM card, you need to schedule another action that does it at a certain time. It is not possible to know if the other SIM card is in service without switching back to it.}} <br />
<br />
Let's call this script "failoverScript", and see below the source:<br />
<pre><br />
{<br />
# Setup and read current values<br />
:global simSlot [/system routerboard modem get sim-slot]<br />
:global timeoutLTE 60<br />
:global timeoutConnect 60<br />
<br />
# Wait for LTE to initialize for maximum "timeoutLTE" seconds<br />
:local i 0<br />
:local isLTEinit false<br />
:while ($i<$timeoutLTE) do={<br />
:foreach n in=[/interface lte find] do={:set $isLTEinit true}<br />
:if ($isLTEinit=true) do={<br />
:set $i $timeoutLTE<br />
}<br />
:set $i ($i+1)<br />
:delay 1s<br />
}<br />
<br />
# Check if LTE is initialized, or try power-reset the modem<br />
:if ($isLTEinit=true) do={<br />
# Wait for LTE interface to connect to mobile network for maximum "timeoutConnect" seconds<br />
:local isConnected false<br />
:set $i 0<br />
:while ($i<$timeoutConnect) do={<br />
:if ([/interface lte get [find name="lte1"] running]=true) do={<br />
:set $isConnected true<br />
:set $i $timeoutConnect<br />
}<br />
:set $i ($i+1)<br />
:delay 1s<br />
}<br />
# Check if LTE is connected<br />
:if ($isConnected=false) do={<br />
# Not connected: check which SIM slot is used and switch to the other one<br />
:if ($simSlot="down") do={<br />
# If "down" slot, switch to up<br />
:log info message="LTE down, switching slot to UP"<br />
/system routerboard modem set sim-slot=up<br />
}<br />
:if ($simSlot="up") do={<br />
# If "up" slot, switch to down<br />
:log info message="LTE down, switching slot to DOWN"<br />
/system routerboard modem set sim-slot=down<br />
}<br />
} else={<br />
# Else "running", keep the current slot<br />
:log info message="LTE UP"<br />
}<br />
} else={<br />
:log info message="LTE modem did not appear, trying power-reset"<br />
/system routerboard usb power-reset duration=5s<br />
}<br />
}<br />
</pre><br />
<br />
<br />
<br />
==Setting up scheduler==<br />
Last, create your scheduler that will run the previously created script. Choose a proper scheduler interval, so two or more events do not overlap with each other. For this example above, 3 minutes will be enough.<br />
<pre><br />
/system scheduler add interval=3m on-event=roamingScript name=Roaming<br />
</pre><br />
<pre><br />
/system scheduler add interval=3m on-event=failoverScript name=Failover<br />
</pre><br />
<br />
Keep in mind that the "home" SIM card will consume some roaming data because changing SIM slots does not happen instantly.</div>Guntishttps://wiki.mikrotik.com/index.php?title=User_Manager/Languages&diff=34272User Manager/Languages2020-10-29T07:23:43Z<p>Guntis: </p>
<hr />
<div>User Manager supports multiple languages. This page contains user translated files, based on the standard language file from RouterOS. <br />
<br />
== Create your own translations ==<br />
# Download language file [http://wiki.mikrotik.com/images/5/59/En_EN_def.txt template], containing English translations<br />
# Open it with poEdit. Language files are plain-text and can also be edited with any text editor if [http://www.poedit.net/ poEdit] is not available. Please, use '''UTF-8''' encoding for non-standard characters.<br />
# Translate the file<br />
# Set the language. In [http://www.poedit.net/ poEdit], use Catalog > Settings > Language; in a text editor, change the line containing <code>"X-Poedit-Language: English\n"</code><br />
# Save it as a .lng file. The file name is not important (only the .lng extension is required), but it is recommended that it contain the translation language, for example de_DE.lng for a German translation<br />
# Upload the file to router, using ftp<br />
# If you are logged in to User Manager web, log out and log in again.<br />
# In the web page there will be language select box on the menu. Select desired language.<br />
<br />
Multiple languages can be stored on the router at the same time; the desired language is chosen in the customer web page. Every customer can choose their own language to use.<br />
<br />
== User translations ==<br />
<br />
* Spanish translation https://wiki.mikrotik.com/images/d/d8/Sp_SP_def.po author: Jose Salazar, Spain. Change the po extension to lng and upload it via FTP to the router.<br />
* Brazilian portuguese http://wiki.mikrotik.com/images/6/67/Pt_BR2.lng.po Author: Carlos Fernando, Brazil<br />
* Brazilian portuguese translation http://wiki.mikrotik.com/images/2/2c/Pt_BR.lng.txt author: Antonio Junior, Brazil. Change the extension to lng and upload it via FTP to the router.<br />
* Italian http://wiki.mikrotik.com/images/2/23/It_IT_def.txt author: Renato Bernardi, Italy. Change the txt extension to lng and upload it via FTP to the router.<br />
* Russian http://wiki.mikrotik.com/images/1/1f/Ru_RU.txt authors: Alexander Zotov and Eugene Nurullin, Russia. Change the txt extension to lng and upload it via FTP to the router.<br />
* Arabic http://wiki.mikrotik.com/images/9/9c/AR_AR.lng.txt Change the txt extension to lng and upload it via FTP to the router.<br />
* Turkish http://wiki.mikrotik.com/images/5/5c/Tr_TR_def.lng.txt Author: Bulent KUSVA and Umut Can YILDIZ<br />
* Bulgarian http://wiki.mikrotik.com/images/a/a0/Bg_BG.lng.txt Author: Luboslav Colov<br />
* Persian http://wiki.mikrotik.com/images/5/52/Umpersian.po Author: Hossein Hatami, Iran<br />
* Czech http://wiki.mikrotik.com/images/5/56/Cs_CZ.po Author: Martin Ryšavý, Czechia<br />
* French https://wiki.mikrotik.com/images/6/61/Fr_FR.po Author: Keuambou F. Yannick, Cameroon</div>Guntishttps://wiki.mikrotik.com/index.php?title=File:Sp_SP_def.po&diff=34271File:Sp SP def.po2020-10-29T07:22:38Z<p>Guntis: Spanish translation for User Manager</p>
<hr />
<div>Spanish translation for User Manager</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:RouterBOARD_settings&diff=34266Manual:RouterBOARD settings2020-10-12T10:08:34Z<p>Guntis: /* General */</p>
<hr />
<div>==General==<br />
<p id="shbox"><b>Sub-menu level:</b> <code> /system routerboard</code><br />
</p><br />
<br />
On RouterBOARD devices, the following menu exists which gives you some basic information about your device: <br />
<br />
[admin@demo.mt.lv] /system routerboard> print <br />
routerboard: yes<br />
model: 433<br />
serial-number: 185C01FCA958 <br />
current-firmware: 3.25<br />
upgrade-firmware: 3.25<br />
<br />
===Properties===<br />
<br />
All properties are read-only<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=model<br />
|type=string<br />
|desc=If this device is a MikroTik RouterBOARD, this describes the model name<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=serial-number<br />
|type=string<br />
|desc=Serial number of this particular device<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=current-firmware<br />
|type=string<br />
|desc=The version of the RouterBOOT loader that is currently in use. Not to be confused with RouterOS operating system version<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=upgrade-firmware<br />
|type=string<br />
|desc=RouterOS upgrades also include new RouterBOOT version files, but they have to be applied manually. This line shows if a new RouterBOOT file has been found in the device. The file can either be included via a recent RouterOS upgrade, or a FWF file which has been manually uploaded to the router. In either case, the newest found version will be shown here<br />
}}<br />
<br />
<br />
=== Upgrading RouterBOOT === <br />
<br />
RouterBOOT upgrades usually include minor improvements to overall RouterBOARD operation. It is recommended to keep this version upgraded. <br />
If you see that the '''upgrade-firmware''' value is higher than '''current-firmware''', simply perform the '''upgrade''' command, accept it with '''y''' and then reboot with '''/system reboot'''.<br />
<br />
[admin@mikrotik] /system routerboard> upgrade <br />
Do you really want to upgrade firmware? [y/n] <br />
y<br />
echo: system,info,critical Firmware upgraded successfully, please reboot for changes to take effect!<br />
<br />
After rebooting, the '''current-firmware''' value should become identical with '''upgrade-firmware'''<br />
<br />
== Settings == <br />
<br />
<p id="shbox"><b>Sub-menu level:</b> <code> /system routerboard settings</code><br />
</p><br />
[admin@demo.mt.lv] /system routerboard settings> print <br />
baud-rate: 115200<br />
boot-delay: 2s<br />
enter-setup-on: any-key<br />
boot-device: nand-if-fail-then-ethernet<br />
cpu-frequency: 1200MHz<br />
memory-frequency: 1066DDR<br />
boot-protocol: bootp<br />
enable-jumper-reset: yes<br />
force-backup-booter: no<br />
silent-boot: no<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-upgrade<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Whether to upgrade firmware automatically after RouterOS upgrade. The latest firmware will be applied after an additional reboot<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=baud-rate<br />
|type=integer<br />
|default=115200<br />
|desc=Choose the onboard RS232 speed in bits per second (if installed)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=boot-delay<br />
|type=time<br />
|default=1s<br />
|desc=How much time to wait for a key stroke while booting<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=boot-device<br />
|type=nand-if-fail-then-ethernet ...<br />
|default=nand-if-fail-then-ethernet<br />
|desc=Choose the way RouterBOOT loads the operating system:<br />
* <var>flash-boot</var> - <br />
* <var>flash-boot-once-then-nand</var> - <br />
* <var>nand-if-fail-then-ethernet</var> -<br />
* <var>nand-only</var> - <br />
* <var>try-ethernet-once-then-nand</var> - <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=boot-protocol<br />
|type=bootp {{!}}dhcp ...<br />
|default=bootp<br />
|desc=Boot protocol to use:<br />
* <var>bootp</var> - the default option for booting RouterOS<br />
* <var>dhcp</var> - used for OpenWRT and possibly other OS<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=cpu-frequency<br />
|type= depends on model<br />
|default=depends on model<br />
|desc=This option allows for changing the CPU frequency of the device. Values depend on model, to see available options, hit [?] button on the keyboard at this prompt<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=cpu-mode<br />
|type= power-save {{!}} regular<br />
|default=power-save<br />
|desc=Whether to enter CPU suspend mode on the HLT instruction. Most OSs use the HLT instruction during the CPU idle cycle. When the CPU is in suspend mode, it consumes less power, but in low-temperature conditions it is recommended to choose regular mode, so that the overall system temperature is higher<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enable-jumper-reset<br />
|type= yes {{!}} no<br />
|default=yes<br />
|desc=Disable this to avoid accidental setting reset via the onboard jumper<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enter-setup-on<br />
|type= any-key {{!}} delete-key <br />
|default=any-key<br />
|desc=Which key will cause the BIOS to enter configuration mode during boot delay. Useful when serial console prints out symbols during boot process and goes into RouterBOOT menu by itself. Note that in some serial terminal programs, it is impossible to use Delete key to enter the setup - in this case it might be possible to do this with the Backspace key<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=force-backup-booter<br />
|type=yes {{!}} no <br />
|default=no<br />
|desc=Whether to use the backup RouterBOOT. This is only useful if the main loader has become corrupted somehow and cannot be fixed. So that you don't have to boot the device with a pushed reset button (which loads the backup loader), you can use this setting to load it every time<br />
* <var>yes</var> - backup loader will be used always <br />
* <var>no</var> - main booter will be used<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-frequency<br />
|type= depends on model<br />
|default=depends on model<br />
|desc=This option allows changing the memory frequency of the device. Values depend on model, to see available options, hit [?] button on the keyboard at this prompt<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=memory-data-rate<br />
|type= depends on model<br />
|default=depends on model<br />
|desc=This option allows changing the memory data rate of the device. Values depend on model, to see available options, hit [?] button on the keyboard at this prompt<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=regulatory-domain-ce<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables extra low TX power for high antenna gain devices (requires reboot)<br />
<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=silent-boot<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc= This option disables output on the serial console and beeping sounds during booting, to avoid the text output interrupting a connected device. Useful if you have some temperature monitor or modem connected to the serial port<br />
* <var>yes</var> - no output on the serial console and no booting beeps (does not disable the RouterOS :beep command)<br />
* <var>no</var> - regular info and option menu on serial console<br />
}}<br />
<br />
<br />
{{ Warning | <b>If the CPU or memory is overclocked and that is the reason why the router is not performing as expected, then this is not considered a warranty case and you should return both frequencies to their nominal values.</b>}}<br />
=== Protected bootloader === <br />
<br />
This is a new feature, called "Protected RouterBOOT", which protects RouterOS configuration and files from a physical attacker by disabling etherboot. It can be enabled and disabled only from within RouterOS after login, i.e., there is no RouterBOOT setting to enable/disable this feature. These extra options appear only under certain conditions. When this setting is enabled, both the reset button and the reset pin-hole are disabled. The RouterBOOT menu is also disabled. The only way to change the boot mode or enable the RouterBOOT settings menu is through RouterOS. If you do not know the RouterOS password, only a complete format is possible. <br />
<br />
* The backup RouterBOOT version can not be older than v3.24 version. A special package is provided to upgrade the backup RouterBOOT ('''DANGEROUS'''). Newer devices will have this new backup loader already installed at the factory. If your RouterOS is v6.40, use these packages: [https://www.mikrotik.com/download/share/protected_routerboot_v3_41_enable_6_40_mipsbe.dpk MIPSBE], [https://www.mikrotik.com/download/share/protected_routerboot_v3_41_enable_6_40_smips.dpk SMIPS], [https://www.mikrotik.com/download/share/protected_routerboot_v3_41_enable_6_40_mmips.dpk MMIPS], [https://www.mikrotik.com/download/share/protected_routerboot_v3_41_enable_6_40_tile.dpk TILE]. If your RouterOS is v6.43 or higher, use the universal package for all architectures: [https://box.mikrotik.com/f/313edb5d0e2f479b8aba/?dl=1 Universal]<br />
<br />
* RouterOS version 6.33 or later is required to enable this feature. Also make sure, that you have the latest firmware installed.<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=protected-routerboot<br />
|type= enabled {{!}} disabled <br />
|default= disabled<br />
|desc= This setting disables any access to the RouterBOOT configuration settings over a console cable and disables operation of the reset button to change the boot mode ('''Netinstall will be disabled'''). Access to RouterOS will only be possible with a known RouterOS admin password. Unsetting of this option is only possible from RouterOS. If you forget the RouterOS password, the only option is to perform a complete reformat of both NAND and RAM with the following method, but you '''have''' to know the reset button hold time in seconds. <br />
* <var> enabled </var> - secure mode, only RouterOS can be accessed with a RouterOS admin password. Any user input from serial port is ignored. Etherboot is not available, RouterBOOT setting change is not possible.<br />
* <var> disabled </var> - regular operation, RouterBOOT settings available with serial console and reset button can be used to launch Netinstall <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=reformat-hold-button<br />
|type=5s .. 300s<br />
|default=20s<br />
|desc= As an emergency recovery option, it is possible to reset everything by pressing the button at power-on for longer than reformat-hold-button time, but less than reformat-hold-button-max (new in RouterBOOT 3.38.3).<br />
When you use the button for a complete reset, following actions are taken:<br />
'''EXTREMELY DANGEROUS'''. Use this only if you have lost all access to the device. <br />
#RouterOS, all of its files and configuration are completely and irreversibly erased by a NAND re-format;<br />
#all RouterBOOT settings are reset to defaults;<br />
#Board is rebooted;<br />
#As boot from NAND fails, it goes to etherboot automatically;<br />
#Netinstall is required to reinstall RouterOS.<br />
'''Please note!''' Reformat on some RouterBOARDS can take more than 5 minutes. After formatting, the board will be ready for Netinstall. <br />
<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=reformat-hold-button-max<br />
|type=5s .. 600s<br />
|default=10m<br />
|desc= Increase the security even further by setting the max hold time, which means that you must release the reset button within a specified time interval. If you set "reformat-hold-button" to 60s and "reformat-hold-button-max" to 65s, you must hold the button for 60 to 65 seconds, not less and not more, making guesses impossible. Introduced in RouterBOOT 3.38.3<br />
}}<br />
<br />
{{Note|RouterBOARD that has the protected RouterBOOT setting enabled will blink the LED every second, to make counting easier. The LED will turn off for one second, and turn on for the next second.}}<br />
<br />
== Mode and Reset buttons ==<br />
<br />
Additional reset button functionality is supported by all MikroTik devices running RouterOS.<br />
<br />
Some RouterBOARD devices have a mode button that allows you to run any script when the button is pushed. <br />
<br />
The list of supported devices:<br />
<br />
*RBcAP-2nD (cAP)<br />
*RBcAPGi-5acD2nD (cAP ac)<br />
*RBwsAP5Hac2nD (wsAP ac lite)<br />
*RB750Gr3 (hEX)<br />
*RB760iGS (hEX S)<br />
*RB912R-2nD (LtAP mini, LtAP mini LTE/4G kit)<br />
*RBD52G-5HacD2HnD (hAP ac^2)<br />
*RBLHGR (LHG LTE/4G kit)<br />
*RBSXTR (SXT LTE/4G kit)<br />
*CRS328-4C-20S-4S+RM<br />
*CRS328-24P-4S+RM<br />
*CCR1016-12G r2<br />
*CCR1016-12S-1S+ r2<br />
*CCR1036-12G-4S r2<br />
*CCR1036-8G-2S+ r2<br />
*RBD53G-5HacD2HnD (Chateau)<br />
*RBD53GR-5HacD2HnD (hAP ac^3)<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=enabled<br />
|type= no {{!}} yes<br />
|default= no<br />
|desc= Disable or enable the operation of the button<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=hold-time<br />
|type= time interval Min..Max<br />
|default=<br />
|desc= HoldTime ::= Button functionality can be called if button is pressed for a certain period of time:<br><br />
Min..Max Min -- 0s..1m (time interval), Max -- 0s..1m (time interval) (available only starting from RouterOS 6.47beta60)<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=on-event<br />
|type= string<br />
|default= <br />
|desc= Name of the script that will be run upon pressing the button. The script must be defined and named in the "/system script" menu<br />
}}<br />
<br />
==== Example ====<br />
<br />
With mode button:<br />
<pre><br />
/system script add name=test-script source={:log info message=("1234567890");}<br />
/system routerboard mode-button set on-event=test-script enabled=yes<br />
</pre><br />
<br />
Upon pressing the button, the message ''1234567890'' will be logged in the system log. <br />
<br />
<br />
{{Warning | Starting from RouterOS 6.47beta60, reset-button functionality and the hold-time option have been added<br />
}}<br />
Example for RouterOS version over 6.47beta60:<br />
<pre><br />
/system script add name=test-script2 source={:log info message=("test2");}<br />
/system routerboard mode-button set on-event=test-script2 hold-time=3..5 enabled=yes<br />
</pre><br />
The reset button works in the same way, but the menu is under <code>/system routerboard reset-button</code>:<br />
<br />
<pre><br />
/system script add name=test-reset-button source={:log info message=("reset button pressed");}<br />
/system routerboard reset-button set on-event=test-reset-button hold-time=0..10 enabled=yes<br />
</pre><br />
<br />
[[Category:Manual]]<br />
[[Category:System]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:IPv6/DHCP_Server&diff=34215Manual:IPv6/DHCP Server2020-09-15T07:03:24Z<p>Guntis: </p>
<hr />
<div>{{Versions|v5.9+}}<br />
<br />
<br />
==Summary==<br />
<br />
<p id="shbox"><b>Standards:</b> <code>RFC 3315, RFC 3633</code><br /><br />
<b>Package:</b> <code>dhcp,ipv6</code><br />
</p><br />
A single DUID is used for client and server identification; only the IAID will vary between clients, corresponding to their assigned interface.<br />
<br />
Client binding creates dynamic pool with timeout set to binding's expiration time (note that now dynamic pools can have a timeout), which will be updated every time binding gets renewed.<br />
<br />
When client is bound to prefix, DHCP server adds routing information to know how to reach assigned prefix.<br />
<br />
Client bindings in the server do not show the MAC address anymore (as it was in v5.8); DUID (hex) and IAID are used instead. After an upgrade, MAC addresses will be converted to DUIDs automatically, but due to the unknown DUID type and unknown IAID, they should be further updated by the user.<br />
{{ Note |RouterOS DHCPv6 server can only delegate IPv6 prefixes, not addresses. }}<br />
==General==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ipv6 dhcp-server</code></p><br />
<br />
This submenu lists DHCP-PD servers and allows you to configure them.<br />
<br />
'''Properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=address-pool<br />
|type=enum {{!}} static-only<br />
|default=static-only<br />
|desc=[[M:IPv6/Pool | IPv6 pool]], from which to take IPv6 prefix for the clients.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=authoritative<br />
|type=after-10sec-delay {{!}} after-2sec-delay {{!}} yes {{!}} no<br />
|default=after-2sec-delay <br />
|desc=Whether the DHCP server is the only one DHCP server for the network:<br />
* <var>after-10sec-delay</var> - in response to a client's request for an address, the DHCP server will wait 10 seconds and, if there is another request from the client after this period of time, will offer the address to the client or send DHCPNAK if the requested address is not available from this server <br />
* <var>after-2sec-delay</var> - in response to a client's request for an address, the DHCP server will wait 2 seconds and, if there is another request from the client after this period of time, will offer the address to the client or send DHCPNAK if the requested address is not available from this server <br />
* <var>yes</var> - in response to a client's request for an address that is not available from this server, the DHCP server will send a negative acknowledgment (DHCPNAK) <br />
* <var>no</var> - the DHCP server ignores client requests for addresses that are not available from this server <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=binding-script<br />
|type=string<br />
|default=<br />
|desc=Script that will be executed after binding is assigned or de-assigned. Internal "global" variables that can be used in the script:<br />
* <var>bindingBound</var> - set to "1" if bound, otherwise set to "0"<br />
* <var>bindingServerName</var> - dhcp server name<br />
* <var>bindingDUID</var> - DUID<br />
* <var>bindingAddress</var> - active address<br />
* <var>bindingPrefix</var> - active prefix<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=delay-threshold<br />
|type=time {{!}} none<br />
|default=none<br />
|desc=If secs field in DHCP packet is smaller than delay-threshold, then this packet is ignored. If set to <b>none</b> - there is no threshold (all DHCP packets are processed) <br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether the DHCP-PD server participates in the prefix assignment process.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=string<br />
|default=<br />
|desc=Interface on which server will be running. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=lease-time<br />
|type=time<br />
|default=3d<br />
|desc=The time that a client may use the assigned address. The client will try to renew this address after half of this time and will request a new address after the time limit expires.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Reference name<br />
}}<br />
<br />
<br />
'''Read-only Properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=invalid<br />
|type=yes {{!}} no<br />
|desc=<br />
}}<br />
<br />
==Bindings==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ipv6 dhcp-server binding</code></p><br />
<br />
<br />
DUID is used only for dynamic bindings, so if it changes, the client will receive a different prefix than previously.<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=address<br />
|type=IPv6 prefix<br />
|default=<br />
|desc=IPv6 prefix that will be assigned to the client<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-dual-stack-queue<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Creates a single simple queue entry for both IPv4 and IPv6 addresses, uses the MAC address and DUID for identification. Requires [[ Manual:IP/DHCP_Server | IPv4 DHCP Server]] to have this option enabled as well to work properly.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of an item.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether item is disabled<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dhcp-option<br />
|type=string<br />
|default=<br />
|desc=Add additional DHCP options from [[#Options | option list]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dhcp-option-set<br />
|type=string<br />
|default=<br />
|desc=Add additional set of DHCP options.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=life-time<br />
|type=time<br />
|default=3d<br />
|desc=Time period after which binding expires.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=duid<br />
|type= hex string<br />
|default=<br />
|desc=DUID value. Should be specified only in hexadecimal format.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=iaid<br />
|type=integer [0..4294967295]<br />
|default=<br />
|desc=Identity Association Identifier, part of the Client ID.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=prefix-pool<br />
|type=string<br />
|default=<br />
|desc=Prefix pool that is being advertised to the DHCPv6 Client.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-limit<br />
|type=integer[/integer] [integer[/integer] [integer[/integer] [integer[/integer]]]]<br />
|default=<br />
|desc=Adds a dynamic simple queue to limit IP's bandwidth to a specified rate. Requires the lease to be static. Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]]. All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=server<br />
|type=string {{!}} all<br />
|default=all<br />
|desc=Name of the server. If set to '''all''', then binding applies to all created DHCP-PD servers.<br />
}}<br />
<br />
<br />
'''Read-only properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=dynamic<br />
|type=yes {{!}} no<br />
|desc=Whether item is dynamically created.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=expires-after<br />
|type=time<br />
|desc=Time period after which binding expires.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=last-seen<br />
|type=time<br />
|desc=Time period since client was last seen.<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=status<br />
|type=waiting {{!}} offered {{!}} bound<br />
|desc=Three status values are possible:<br />
* '''waiting''' - Shown for static bindings that are not in use. For dynamic bindings this status is shown if the binding was used previously; the server will wait 10 minutes to allow the old client to get this binding, otherwise the binding will be cleared and the prefix will be offered to other clients.<br />
* '''offered''' - if a '''solicit''' message was received and the server responded with an '''advertise''' message, but a '''request''' was not received. In this state the client has 2 minutes to get this binding, otherwise it is freed or, for static bindings, its status is changed to '''waiting'''.<br />
* '''bound''' - currently bound.<br />
}}<br />
<br />
<br />
For example, dynamically assigned /62 prefixes:<br />
<pre><br />
[admin@RB493G] /ipv6 dhcp-server binding> print detail <br />
Flags: X - disabled, D - dynamic <br />
0 D address=2a02:610:7501:ff00::/62 duid="1605fcb400241d1781f7" iaid=0 <br />
server=local-dhcp life-time=3d status=bound expires-after=2d23h40m10s <br />
last-seen=19m50s <br />
<br />
1 D address=2a02:610:7501:ff04::/62 duid="0019d1393535" iaid=2 <br />
server=local-dhcp life-time=3d status=bound expires-after=2d23h43m47s <br />
last-seen=16m13s <br />
<br />
</pre><br />
<br />
<br />
===Menu specific commands===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=make-static<br />
|type=<br />
|desc=Set dynamic binding as static.<br />
}}<br />
<br />
===Rate limiting===<br />
<br />
It is possible to limit the bandwidth of a specific IPv6 address by using DHCPv6 bindings. This is done by setting a rate limit on the DHCPv6 binding itself, which adds a dynamic simple queue rule for the IPv6 address that corresponds to the DHCPv6 binding. By using the <code>rate-limit</code> parameter you can conveniently limit a user's bandwidth.<br />
<br />
{{ Note | For any queues to work properly, the traffic must not be [[ Manual:IP/Fasttrack | FastTracked]], make sure your Firewall does not FastTrack traffic that you want to limit. }}<br />
<br />
First, make the DHCPv6 binding static, otherwise it will not be possible to set a rate limit to a DHCPv6 binding:<br />
<pre><br />
[admin@MikroTik] > /ipv6 dhcp-server binding print <br />
Flags: X - disabled, D - dynamic <br />
# ADDRESS DUID SERVER STATUS <br />
0 D fdb4:4de7:a3f8:418c::/66 0x6c3b6b7c413e DHCPv6_Server bound<br />
<br />
[admin@MikroTik] > /ipv6 dhcp-server binding make-static 0<br />
<br />
[admin@MikroTik] > /ipv6 dhcp-server binding print<br />
Flags: X - disabled, D - dynamic <br />
# ADDRESS DUID SERVER STATUS <br />
0 fdb4:4de7:a3f8:418c::/66 0x6c3b6b7c413e DHCPv6_Server bound <br />
</pre><br />
<br />
Then you can set a rate on the DHCPv6 binding, which will create a new dynamic simple queue entry:<br />
<pre><br />
[admin@MikroTik] > /ipv6 dhcp-server binding set 0 rate-limit=10M/10M<br />
<br />
[admin@MikroTik] > /queue simple print <br />
Flags: X - disabled, I - invalid, D - dynamic <br />
0 D name="dhcp<6c3b6b7c413e fdb4:4de7:a3f8:418c::/66>" target=fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0 <br />
burst-time=0s/0s bucket-size=0.1/0.1 <br />
</pre><br />
<br />
{{ Note | By default <code>allow-dual-stack-queue</code> is enabled, which adds a single dynamic simple queue entry for both the DHCPv6 binding and the DHCPv4 lease. Without this option enabled, separate dynamic simple queue entries will be added for IPv6 and IPv4. }}<br />
<br />
If <code>allow-dual-stack-queue</code> is enabled, then a single dynamic simple queue entry will be created containing both IPv4 and IPv6 addresses:<br />
<pre><br />
[admin@MikroTik] > /queue simple print <br />
Flags: X - disabled, I - invalid, D - dynamic <br />
0 D name="dhcp-ds<6C:3B:6B:7C:41:3E>" target=192.168.1.200/32,fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0 <br />
burst-time=0s/0s bucket-size=0.1/0.1 <br />
</pre><br />
<br />
====RADIUS Support====<br />
<br />
Since RouterOS v6.43 it is possible to use RADIUS to assign a rate-limit per DHCPv6 binding. To do so, you need to pass the <var>Mikrotik-Rate-Limit</var> attribute from your RADIUS Server for your DHCPv6 binding. To achieve this you first need to set your DHCPv6 Server to use RADIUS for assigning bindings. Below is an example of how to set it up:<br />
<pre><br />
/radius<br />
add address=10.0.0.1 secret=VERYsecret123 service=dhcp<br />
/ipv6 dhcp-server<br />
set dhcp1 use-radius=yes<br />
</pre><br />
<br />
After that you need to tell your RADIUS Server to pass the <var>Mikrotik-Rate-Limit</var> attribute. If you are using FreeRADIUS with MySQL, you need to add appropriate entries into the '''radcheck''' and '''radreply''' tables for the MAC address that is being used for your DHCPv6 Client. Below is an example of the table entries:<br />
<pre><br />
INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES<br />
('000c4200d464', 'Auth-Type', ':=', 'Accept');<br />
<br />
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES<br />
('000c4200d464', 'Delegated-IPv6-Prefix', '=', 'fdb4:4de7:a3f8:418c::/66'),<br />
('000c4200d464', 'Mikrotik-Rate-Limit', '=', '10M');<br />
</pre><br />
<br />
{{ Note | By default <var>allow-dual-stack-queue</var> is enabled and will add a single dynamic queue entry if the MAC address from the IPv4 lease (or DUID, if the DHCPv4 Client supports <code>Node-specific Client Identifiers</code> from RFC4361) matches the DUID of the DHCPv6 Client. However, the DUID from the DHCPv6 Client is not always based on the MAC address of the interface on which the DHCPv6 Client is running, because the DUID is generated on a per-device basis. For this reason a single dynamic queue entry might not be created, and separate dynamic queue entries might be created instead. }}<br />
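<br />
The <code>rate-limit</code> / <var>Mikrotik-Rate-Limit</var> format and its defaulting rules, described in the Bindings table above, can be checked before a value is written to '''radreply'''. The following Python validator is an added example, not MikroTik or FreeRADIUS code; the function names, the constructed sample rows, the plain-integer burst time and the zero burst values when no burst rate is given (as in the queue output above) are assumptions.<br />

```python
import re
from typing import Callable, List, NamedTuple, Tuple

# Rates are digits with an optional 'k' (x1,000) or 'M' (x1,000,000) suffix.
_RATE = re.compile(r"([0-9]+)([kM]?)")
_MULTIPLIER = {"": 1, "k": 1_000, "M": 1_000_000}

Pair = Tuple[int, int]  # (rx, tx)


class RateLimit(NamedTuple):
    rate: Pair
    burst_rate: Pair
    burst_threshold: Pair
    burst_time: Pair  # seconds


def _rate(token: str) -> int:
    match = _RATE.fullmatch(token)
    if match is None:
        raise ValueError(f"invalid rate {token!r}")
    return int(match.group(1)) * _MULTIPLIER[match.group(2)]


def _seconds(token: str) -> int:
    # Assumption: burst time is a plain integer number of seconds.
    if re.fullmatch(r"[0-9]+", token) is None:
        raise ValueError(f"invalid burst time {token!r}")
    return int(token)


def _pair(group: str, convert: Callable[[str], int]) -> Pair:
    """Parse 'rx[/tx]'; when tx is omitted, the rx value is used for tx too."""
    parts = group.split("/")
    if len(parts) > 2:
        raise ValueError(f"too many '/' in {group!r}")
    rx = convert(parts[0])
    tx = convert(parts[1]) if len(parts) == 2 else rx
    return rx, tx


def parse_rate_limit(value: str) -> RateLimit:
    """Parse rx-rate[/tx-rate] [burst-rate [burst-threshold [burst-time]]]."""
    groups = value.split()
    if not 1 <= len(groups) <= 4:
        raise ValueError(f"expected 1 to 4 fields, got {len(groups)}")
    rate = _pair(groups[0], _rate)
    if len(groups) == 1:
        # No burst configured: mirrors burst-limit=0/0 in the queue output.
        return RateLimit(rate, (0, 0), (0, 0), (0, 0))
    burst_rate = _pair(groups[1], _rate)
    # Threshold defaults to rx-rate/tx-rate, burst time defaults to 1s.
    threshold = _pair(groups[2], _rate) if len(groups) >= 3 else rate
    burst_time = _pair(groups[3], _seconds) if len(groups) == 4 else (1, 1)
    return RateLimit(rate, burst_rate, threshold, burst_time)


def check_radreply_rows(rows) -> List[Tuple[str, str]]:
    """Return (username, error) for every malformed Mikrotik-Rate-Limit row."""
    rejected = []
    for username, attribute, _op, value in rows:
        if attribute != "Mikrotik-Rate-Limit":
            continue
        try:
            parse_rate_limit(value)
        except ValueError as exc:
            rejected.append((username, str(exc)))
    return rejected


# Constructed sample rows in radreply column order (username, attribute,
# op, value). The first two repeat the page's example; the rest are made up.
SAMPLE_ROWS = [
    ("000c4200d464", "Delegated-IPv6-Prefix", "=", "fdb4:4de7:a3f8:418c::/66"),
    ("000c4200d464", "Mikrotik-Rate-Limit", "=", "10M"),
    ("001122334455", "Mikrotik-Rate-Limit", "=", "10MB/10MB"),
    ("66778899aabb", "Mikrotik-Rate-Limit", "=", "2M/1M 4M 1M 8 9"),
]

if __name__ == "__main__":
    print(parse_rate_limit("2M/1M 4M"))
    for user, error in check_radreply_rows(SAMPLE_ROWS):
        print(f"reject {user}: {error}")
```

Running the check before inserting rows keeps a mistyped attribute value from silently leaving a binding without the intended limit.<br />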
<br />
==Configuration Examples==<br />
<br />
===Enabling IPv6 Prefix delegation===<br />
<br />
Let's assume that we already have a running DHCP server.<br />
<br />
To enable IPv6 prefix delegation, first we need to create an address pool:<br />
<br />
<pre><br />
/ipv6 pool add name=myPool prefix=2001:db8:7501::/60 prefix-length=62<br />
</pre><br />
Notice that prefix-length is 62 bits, it means that clients will receive /62 prefixes from the /60 pool.<br />
<br />
Next step is to enable DHCP-PD.<br />
<br />
<pre><br />
/ipv6 dhcp-server add name=myServer address-pool=myPool interface=local<br />
</pre><br />
<br />
<br />
To test our server we will set up wide-dhcpv6 on an Ubuntu machine:<br />
* install wide-dhcpv6-client <br />
* edit "/etc/wide-dhcpv6/dhcp6c.conf" as shown below<br />
<br />
{{ Note | You can use also RouterOS as DHCP-PD client. <code>[[M:IPv6/DHCP_Client#IPv6-PD_setup_example | Read more >>]] </code> }}<br />
<br />
<br />
<pre><br />
interface eth2{<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd {<br />
prefix-interface eth3{<br />
sla-id 1;<br />
sla-len 2;<br />
};<br />
};<br />
<br />
</pre><br />
<br />
* Run DHCP-PD client<br />
<pre><br />
sudo dhcp6c -d -D -f eth2<br />
</pre><br />
<br />
* Verify that prefix was added to eth3<br />
<pre><br />
mrz@bumba:/media/aaa$ ip -6 addr<br />
..<br />
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000<br />
inet6 2001:db8:7501:1:200:ff:fe00:0/64 scope global <br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::224:1dff:fe17:81f7/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<br />
* You can make the binding for a specific client static, so that it always receives the same prefix<br />
<pre><br />
[admin@RB493G] /ipv6 dhcp-server binding> print <br />
Flags: X - disabled, D - dynamic <br />
# ADDRESS DU IAID SER.. STATUS <br />
0 D 2001:db8:7501:1::/62 16 0 loc.. bound <br />
[admin@RB493G] /ipv6 dhcp-server binding> make-static 0<br />
<br />
</pre><br />
<br />
* DHCP-PD also installs route to assigned prefix into IPv6 routing table<br />
<pre><br />
[admin@RB493G] /ipv6 route> print <br />
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable <br />
# DST-ADDRESS GATEWAY DISTANCE<br />
...<br />
2 ADS 2001:db8:7501:1::/62 fe80::224:1dff:fe17:8... 1<br />
<br />
</pre><br />
<br />
<br />
<br />
{{cont}}<br />
<br />
[[Category:Manual|DHCP]]<br />
[[Category:IPv6|DHCP]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Bridge&diff=34178Manual:Interface/Bridge2020-08-17T11:10:43Z<p>Guntis: </p>
<hr />
<div>{{Versions| v3, v4+}}<br />
<br />
=Summary=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code><br />
<br /><br />
<b>Standards:</b> <code>[https://en.wikipedia.org/wiki/IEEE_802.1D IEEE 802.1D] , [https://en.wikipedia.org/wiki/IEEE_802.1Q IEEE 802.1Q]</code><br />
</p><br />
<br /><br />
<br />
<p><br />
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE 802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).<br />
</p><br />
<br />
<p><br />
Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allow bridges to communicate with each other, so they can negotiate a loop-free topology. All other alternative connections that would otherwise form loops are put on standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.<br />
</p><br />
<br />
=Bridge Interface Setup=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code></p><br />
<br /><br />
<p>To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address from slave (secondary) ports will be assigned to the bridge interface, the MAC address will be chosen automatically, depending on "port-number", and it can change after a reboot. To avoid unwanted MAC address changes, it is recommended to disable "auto-mac", and to manually specify MAC by using "admin-mac".</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=add-dhcp-option82<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to add DHCP Option-82 information (Agent Remote ID and Agent Circuit ID) to DHCP packets. Can be used together with Option-82 capable DHCP server to assign IP addresses and implement policies. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=admin-mac<br />
|type=MAC address<br />
|default=none<br />
|desc=Static MAC address of the bridge. This property only has effect when <var>auto-mac</var> is set to <code>no</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ageing-time<br />
|type=time<br />
|default=00:05:00<br />
|desc=How long a host's information will be kept in the bridge database.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=Address Resolution Protocol setting<br />
* <code>disabled</code> - the interface will not use ARP<br />
* <code>enabled</code> - the interface will use ARP<br />
* <code>proxy-arp</code> - the interface will use the ARP proxy feature<br />
* <code>reply-only</code> - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the [[Manual:IP/ARP | IP/ARP]] table. No dynamic entries will be automatically stored in the [[Manual:IP/ARP | IP/ARP]] table. Therefore for communications to be successful, a valid static entry must already exist.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=How long an ARP record is kept in the ARP table after no packets are received from the IP. The value <code>auto</code> equals the value of <var>arp-timeout</var> in [[Manual:IP/Settings | IP/Settings]], default is 30s.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-mac<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Automatically select one MAC address of bridge ports as a bridge MAC address, bridge MAC will be chosen from the first added bridge port. After a device reboot, the bridge MAC can change depending on the port-number.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dhcp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables DHCP Snooping on the bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Changes whether the bridge is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ether-type<br />
|type=0x9100 {{!}} 0x8100 {{!}} 0x88a8<br />
|default=0x8100<br />
|desc=Changes the EtherType, which will be used to determine if a packet has a VLAN tag. Packets that have a matching EtherType are considered as tagged packets. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-forward<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Special and faster case of [[Manual:Fast_Path | FastPath]] which works only on bridges with 2 interfaces (enabled by default only for new bridges). More details can be found in the [[ Manual:Interface/Bridge#Fast_Forward | Fast Forward]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forward-delay<br />
|type=time<br />
|default=00:00:15<br />
|desc=Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables multicast group and port learning to prevent multicast traffic from flooding all interfaces in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-version<br />
|type=2 {{!}} 3<br />
|default=2<br />
|desc=Selects the IGMP version in which IGMP general membership queries will be generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. By default, VLANs that don't exist in the bridge VLAN table are dropped before they are sent out (egress), but this property allows you to drop the packets when they are received (ingress). Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=read-only<br />
|default=<br />
|desc=L2MTU indicates the maximum size of the frame without MAC header that can be sent by this interface. The L2MTU value will be automatically set by the bridge and it will use the lowest L2MTU value of any associated bridge port. This value cannot be manually changed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-interval<br />
|type=time<br />
|default=1s<br />
|desc=If a port has <var>fast-leave</var> set to <code>no</code> and a bridge port receives an IGMP Leave message, then an IGMP Snooping enabled bridge will send an IGMP query to make sure that no devices have subscribed to a certain multicast stream on a bridge port. If an IGMP Snooping enabled bridge does not receive an IGMP membership report within <var>last-member-interval</var>, then the bridge considers that no one has subscribed to a certain multicast stream and can stop forwarding it. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=How many times <var>last-member-interval</var> should pass until an IGMP Snooping bridge stops forwarding a certain multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-hops<br />
|type=integer: 6..40<br />
|default=20<br />
|desc=Bridge count which BPDU can pass in a MSTP enabled network in the same region before BPDU is being ignored. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-message-age<br />
|type=time<br />
|default=00:00:20<br />
|desc=How long to remember Hello messages received from other STP/RSTP enabled bridges. This property only has effect when <var>protocol-mode</var> is set to <code>stp</code> or <code>rstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=membership-interval<br />
|type=time<br />
|default=4m20s<br />
|desc=Amount of time after which an entry in the Multicast Database (MDB) is removed if an IGMP membership report is not received on a certain port. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mld-version<br />
|type=1 {{!}} 2<br />
|default=1<br />
|desc=Selects the MLD version. Version 2 adds support for source-specific multicast. This property only has effect when RouterOS IPv6 package is enabled and <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer<br />
|default=auto<br />
|desc= Maximum transmission unit. By default, the bridge sets the MTU automatically and uses the lowest MTU value of any associated bridge port. The default bridge MTU value without any bridge ports added is 1500. The MTU value can be set manually, but it cannot exceed the bridge L2MTU or the lowest bridge port L2MTU. If a new bridge port is added with an L2MTU that is smaller than the actual-mtu of the bridge (set by the <var>mtu</var> property), then the manually set value will be ignored and the bridge will act as if <code>mtu=auto</code> is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-querier<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=A multicast querier generates IGMP general membership queries to which all IGMP capable devices respond with an IGMP membership report; usually a PIM (multicast) router generates these queries. By using this property you can make an IGMP Snooping enabled bridge generate IGMP general membership queries. This property should be used whenever there is no PIM (multicast) router in a Layer2 network or IGMP packets must be sent through multiple IGMP Snooping enabled bridges to reach a PIM (multicast) router. Without a multicast querier in a Layer2 network the Multicast Database (MDB) is not updated and IGMP Snooping will not function properly. Only untagged IGMP general membership queries are generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>. Additionally, <var>igmp-snooping</var> should be disabled/enabled after changing the <var>multicast-querier</var> property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes the state of the bridge itself, controlling whether IGMP membership reports are going to be forwarded to it. This property can be used to forward IGMP membership reports to the bridge for statistics or to analyse them.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded to the bridge itself regardless of what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded through the bridge itself regardless of what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=text<br />
|default=bridgeN<br />
|desc=Name of the bridge interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..65535 decimal format or 0x0000-0xffff hex format<br />
|default=32768 / 0x8000<br />
|desc=Bridge priority, used by STP to determine root bridge, used by MSTP to determine CIST and IST regional root bridge. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=protocol-mode<br />
|type=none {{!}} rstp {{!}} stp {{!}} mstp<br />
|default=rstp<br />
|desc=Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a topology change. Select MSTP to ensure loop-free topology across multiple VLANs. Since RouterOS v6.43 it is possible to forward Reserved MAC addresses that are in the '''01:80:C2:00:00:0X''' range; this can be done by setting the <var>protocol-mode</var> to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer: 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=querier-interval<br />
|type=time<br />
|default=4m15s<br />
|desc=Used to change the interval at which a bridge checks if it is the active multicast querier. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-interval<br />
|type=time<br />
|default=2m5s<br />
|desc=Used to change the interval at which IGMP general membership queries are sent out. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-response-interval<br />
|type=time<br />
|default=10s<br />
|desc=Interval in which an IGMP capable device must reply to an IGMP query with an IGMP membership report. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-name<br />
|type=text<br />
|default=<br />
|desc=MSTP region name. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-revision<br />
|type=integer: 0..65535<br />
|default=0<br />
|desc=MSTP configuration revision number. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=Specifies how many times <var>startup-query-interval</var> must pass before the bridge starts sending out IGMP general membership queries periodically. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-interval<br />
|type=time<br />
|default=31s250ms<br />
|desc=Used to change the amount of time after which a bridge starts sending out IGMP general membership queries once the bridge is enabled. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=transmit-hold-count<br />
|type=integer: 1..10<br />
|default=6<br />
|desc=The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Globally enables or disables VLAN functionality for bridge.<br />
}}<br />
<br /><br />
<br />
{{ Warning | Changing certain properties can cause the bridge to temporarily disable all ports. This must be taken into account whenever changing such properties in production environments, since it can cause all packets to be temporarily dropped. Such properties include <var>vlan-filtering</var>, <var>protocol-mode</var>, <var>igmp-snooping</var>, <var>fast-forward</var> and others. }}<br />
<br />
<br />
==Example==<br />
<br />
<p>To add and enable a bridge interface that will forward all the protocols:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> add <br />
[admin@MikroTik] /interface bridge> print <br />
Flags: X - disabled, R - running <br />
0 R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled <br />
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 <br />
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s <br />
forward-delay=15s transmit-hold-count=6 ageing-time=5m <br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Spanning Tree Protocol=<br />
<br />
RouterOS bridge interfaces are capable of running Spanning Tree Protocol to ensure a loop-free and redundant topology. For small networks with just 2 bridges STP does not bring many benefits, but for larger networks properly configured STP is crucial; leaving STP related values at their defaults may result in a completely unreachable network in case of even a single bridge failure. To achieve a proper loop-free and redundant topology, it is necessary to properly set bridge priorities, port path costs and port priorities. <br />
<br />
{{ Warning | In RouterOS it is possible to set any value for bridge priority between 0 and 65535, but the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can cause incompatibility issues with devices that do not support such values. To avoid compatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 }}<br />
<br />
STP has multiple variants; currently RouterOS supports STP, RSTP and MSTP. Depending on needs, any one of them can be used. Some devices are able to run some of these protocols using hardware offloading; detailed information about which devices support it can be found in the [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Hardware Offloading ]] section. STP is considered to be outdated and slow and has been almost entirely replaced in all network topologies by RSTP, which is backwards compatible with STP. For network topologies that depend on VLANs, it is recommended to use MSTP since it is a VLAN aware protocol and gives the ability to do load balancing per VLAN groups. There are a lot of considerations that should be made when designing an STP enabled network; more detailed case studies can be found in the [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol ]] section. In RouterOS the <var>protocol-mode</var> property controls which STP variant is used.<br />
<br />
{{ Note | By the IEEE 802.1ad standard the BPDUs from bridges that comply with IEEE 802.1Q are not compatible with IEEE 802.1ad bridges. This means that the same bridge VLAN protocol should be used across all bridges in a single Layer2 domain, otherwise (R/M)STP will not function properly. }}<br />
<br />
== Per port STP ==<br />
There might be certain situations where you want to limit STP functionality on a single or multiple ports. Below you can find some examples for different use cases.<br />
<br />
{{ Warning | Be careful when changing the default (R/M)STP functionality, make sure you understand the working principles of STP and BPDUs. Misconfigured (R/M)STP can cause unexpected behaviour. }}<br />
<br />
* Don't send out BPDUs from a certain port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
/interface bridge filter<br />
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether1<br />
</pre><br />
<br />
In this example BPDUs will not be sent out through '''ether1'''. If the bridge is the root bridge, then loop detection will not work on this port. If another bridge is connected to '''ether1''', then the other bridge will not receive any BPDUs and therefore might become a second root bridge. You might want to consider blocking received BPDUs as well.<br />
<br />
{{ Note | You can use [[ Manual:Interface/List | Interface Lists]] to specify multiple interfaces. }}<br />
<br />
* Dropping received BPDUs on a certain port can be done on some switch chips using ACL rules, but the Bridge Filter Input rules cannot do it if the bridge has STP/RSTP/MSTP enabled, because received BPDUs then get special processing in the bridge.<br />
<br />
On CRS3xx:<br />
<pre><br />
/interface ethernet switch rule<br />
add dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether1 switch=switch1<br />
</pre><br />
<br />
Or on CRS1xx/CRS2xx with [[Manual:CRS1xx/2xx_series_switches#Cloud_Router_Switch_models | Access Control List (ACL) support]]:<br />
<pre><br />
/interface ethernet switch acl<br />
add action=drop mac-dst-address=01:80:C2:00:00:00 src-ports=ether1<br />
</pre><br />
<br />
In this example all received BPDUs on '''ether1''' are dropped. This will prevent other bridges on that port from becoming a root bridge.<br />
<br />
{{ Warning | If you intend to drop received BPDUs on a port, then make sure to prevent BPDUs from being sent out from the interface that this port is connected to. A root bridge always sends out BPDUs and under normal conditions is waiting for a more superior BPDU (from a bridge with a lower bridge ID), but the bridge must temporarily disable the new root-port when transitioning from a root bridge to a designated bridge. If you have blocked BPDUs only on one side, then a port will flap continuously. }}<br />
<br />
* Don't allow BPDUs on a port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1 bpdu-guard=yes<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
</pre><br />
<br />
In this example if '''ether1''' receives a BPDU, it will block the port and will require you to manually re-enable it.<br />
<br />
=Bridge Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge settings</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing ([[Manual:Packet_Flow_v6 | Packet Flow]]). This does not apply to routed traffic. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to traffic in a bridge. Property <var>use-ip-firewall-for-vlan</var> is required in case bridge <var>vlan-filtering</var> is used.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-pppoe<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged un-encrypted PPPoE traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to PPPoE traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-vlan<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged VLAN traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to VLAN traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-fast-path<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to enable a bridge [[Manual:Fast_Path | FastPath]] globally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-active<br />
|type=yes {{!}} no<br />
|default=''<br />
|desc=Shows whether a bridge FastPath is active globally; FastPath status per bridge interface is not displayed. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge FastPath.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Path.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-forward-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=bridge-fast-forward-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{ Note | If you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] (Simple QoS) or global [[ Manual:Queue#Queue_Tree | Queue Trees]] to traffic that is being forwarded by a bridge, then you need to enable the <var>use-ip-firewall</var> property. Without this property the bridge traffic will never reach the postrouting chain, which is where [[Manual:Queue#Simple_Queues | Simple Queues]] and global [[ Manual:Queue#Queue_Tree | Queue Trees]] work. To assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Trees]] for VLAN or PPPoE traffic in a bridge you should enable the appropriate properties as well. }}<br />
<br />
=Port Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port</code></p><br />
<br /><br />
<p>Port submenu is used to enslave interfaces in a particular bridge interface.</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-isolate<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, prevents a port moving from discarding into forwarding state if no BPDUs are received from the neighboring bridge. The port will change into a forwarding state only when a BPDU is received. This property only has an effect when <var>protocol-mode</var> is set to <code>rstp</code> or <code>mstp</code> and <var>edge</var> is set to <code>no</code>. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bpdu-guard<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables the BPDU Guard feature on a port. This feature puts the port in a disabled role if it receives a BPDU and requires the port to be manually disabled and enabled if a BPDU was received. Should be used to protect a bridge from BPDU related attacks. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface the respective interface is grouped in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=broadcast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods broadcast traffic to all bridge egress ports. When disabled, drops broadcast traffic on egress ports. Can be used to filter all broadcast traffic on an egress port. Broadcast traffic is considered as traffic that uses '''FF:FF:FF:FF:FF:FF''' as destination MAC address, such traffic is crucial for many protocols such as DHCP, ARP, NDP, BOOTP (Netinstall) and others. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=edge<br />
|type=auto {{!}} no {{!}} no-discover {{!}} yes {{!}} yes-discover<br />
|default=auto<br />
|desc=Set port as edge port or non-edge port, or enable edge discovery. Edge ports are connected to a LAN that has no other bridges attached. An edge port will skip the learning and the listening states in STP and will transition directly to the forwarding state, this reduces the STP initialization time. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
* <code>no</code> - non-edge port, will participate in learning and listening states in STP.<br />
* <code>no-discover</code> - non-edge port with enabled discovery, will participate in learning and listening states in STP, a port can become edge port if no BPDU is received.<br />
* <code>yes</code> - edge port without discovery, will transit directly to forwarding state.<br />
* <code>yes-discover</code> - edge port with enabled discovery, will transit directly to forwarding state.<br />
* <code>auto</code> - same as <code>no-discover</code>, but will additionally detect if bridge port is a Wireless interface with disabled bridge-mode, such interface will be automatically set as an edge port without discovery.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=external-fdb<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Whether to use wireless registration table to speed up bridge host learning. If there are no Wireless interfaces in a bridge, then setting <var>external-fdb</var> to <code>yes</code> will disable MAC learning and the bridge will act as a hub (disables hardware offloading). Replaced with <var>learn</var> parameter in RouterOS v6.42<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-leave<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables the IGMP Fast leave feature on the port. The bridge will stop forwarding traffic to a bridge port whenever an IGMP Leave message is received for the appropriate multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed ingress frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=learn<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Changes MAC learning behaviour on a bridge port<br />
* <code>yes</code> - enables MAC learning<br />
* <code>no</code> - disables MAC learning<br />
* <code>auto</code> - detects if bridge port is a Wireless interface and uses Wireless registration table instead of MAC learning, will use Wireless registration table if the [[Manual:Interface/Wireless | Wireless interface]] is set to one of <var>ap-bridge,bridge,wds-slave</var> mode and bridge mode for the [[Manual:Interface/Wireless | Wireless interface]] is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes the state of a bridge port, controlling whether IGMP membership reports are going to be forwarded to this port. By default IGMP membership reports (most importantly IGMP Join messages) are only forwarded to ports that have a multicast router or an IGMP Snooping enabled bridge connected to them. Without at least one port marked as a <code>multicast-router</code> IPTV might not work properly; it can be either detected automatically or forced manually.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded through this port regardless of what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded through this port regardless of what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges.<br />
You can improve security by forcing ports that have IPTV boxes connected to never become ports marked as <code>multicast-router</code>. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=horizon<br />
|type=integer 0..429496729<br />
|default=none<br />
|desc=Use split horizon bridging to prevent bridging loops. Set the same value for group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading. Read more about [[MPLSVPLS#Split_horizon_bridging | Bridge split horizon]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=internal-path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface for MSTI0 inside a region. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface, used by STP to determine the "best" path, used by MSTP to determine "best" path between regions. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=point-to-point<br />
|type=auto {{!}} yes {{!}} no<br />
|default=auto<br />
|desc=Specifies if a bridge port is connected to a bridge using a point-to-point link for faster convergence in case of failure. By setting this property to <code>yes</code>, you are forcing the link to be a point-to-point link, which will skip the checking mechanism that detects and waits for BPDUs from other devices on this single link. By setting this property to <code>no</code>, you are expecting that a link can receive BPDUs from multiple devices. By setting the property to <code>yes</code>, you are significantly improving (R/M)STP convergence time. In general, you should only set this property to <code>no</code> if it is possible that another device can be connected between a link; this is mostly relevant to Wireless mediums and Ethernet hubs. If the Ethernet link is full-duplex, <code>auto</code> enables point-to-point functionality. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..240<br />
|default=128<br />
|desc=The priority of the interface, used by STP to determine the root port, used by MSTP to determine root port between regions.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-role<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enable the restricted role on a port, used by STP to forbid a port becoming a root port. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-tcn<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable topology change notification (TCN) sending on a port, used by STP to forbid network topology changes to propagate. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tag-stacking<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Forces all packets to be treated as untagged packets. Packets on the ingress port will be tagged with another VLAN tag regardless of whether a VLAN tag already exists; packets will be tagged with a VLAN ID that matches the <var>pvid</var> value and will use the EtherType that is specified in <var>ether-type</var>. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trusted<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, allows DHCP packets to be forwarded towards the DHCP server through this port. Mainly used to prevent unauthorized servers from providing malicious information to users. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unknown-multicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown multicast traffic to all bridge egress ports. When disabled, drops unknown multicast traffic on egress ports. Multicast addresses that are in <code>/interface bridge mdb</code> are considered as learned multicasts and therefore will not be flooded to all ports. Without IGMP Snooping all multicast traffic will be dropped on egress ports. Has effect only on an egress port. This option does not limit traffic flood to the CPU. Note that local multicast addresses (224.0.0.0/24) are not flooded when <var>unknown-multicast-flood</var> is disabled; as a result some protocols that rely on local multicast addresses might not work properly, such as RIPv2, OSPF, mDNS, VRRP and others. Some protocols do send an IGMP join request and therefore are compatible with IGMP Snooping. Some OSPF implementations are compatible with RFC1584, but the RouterOS OSPF implementation is not compatible with IGMP Snooping. This property should only be used when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=unknown-unicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown unicast traffic to all bridge egress ports. When disabled, drops unknown unicast traffic on egress ports. If a MAC address is not learned in <code>/interface bridge host</code>, then the traffic is considered as unknown unicast traffic and will be flooded to all ports. MAC address is learnt as soon as a packet on a bridge port is received, then the source MAC address is added to the bridge host table. Since it is required for the bridge to receive at least one packet on the bridge port to learn the MAC address, it is recommended to use static bridge host entries to avoid packets being dropped until the MAC address has been learnt. Has effect only on an egress port. This option does not limit traffic flood to the CPU.<br />
}}<br />
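
The script below audits a RouterOS configuration export against caveats stated in the bridge, Spanning Tree Protocol and Port Settings tables on this page: bridge priorities that are not a multiple of 4096, and <var>bpdu-guard</var>, <var>ingress-filtering</var> and <var>frame-types</var> values that have no effect because of the bridge's <var>protocol-mode</var> or <var>vlan-filtering</var> setting. It is an added example, not MikroTik code. The sample export, the finding names and the policy that every <code>edge=yes</code> port should also set <code>bpdu-guard=yes</code> are assumptions of this example, as is the assumption that properties left at their defaults are absent from the export.

```python
import shlex

# Defaults copied from the property tables on this page; an export is
# assumed to omit properties that are still at their default value.
BRIDGE_DEFAULTS = {"protocol-mode": "rstp", "priority": "0x8000",
                   "vlan-filtering": "no"}
PORT_DEFAULTS = {"bpdu-guard": "no", "edge": "auto",
                 "ingress-filtering": "no", "frame-types": "admit-all"}

# Constructed sample export, not taken from a real device.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge1 priority=0x8000 vlan-filtering=yes
add name=bridge2 priority=30000
add name=bridge3 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1 edge=yes bpdu-guard=yes \
    ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 edge=yes
add bridge=bridge2 interface=ether3 ingress-filtering=yes
add bridge=bridge3 interface=ether4 bpdu-guard=yes
"""


def parse_export(text):
    """Return {menu: [{key: value}, ...]} for every 'add' line of an export."""
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):        # wrapped line, continue on the next one
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            tokens = shlex.split(line)[1:]          # handles quoted values
            item = dict(t.split("=", 1) for t in tokens if "=" in t)
            menus.setdefault(menu, []).append(item)
    return menus


def parse_priority(value):
    """Bridge priority is accepted in decimal or 0x-prefixed hex format."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def audit(text):
    """Return a list of (object name, finding) tuples in export order."""
    menus = parse_export(text)
    bridges, findings = {}, []

    for entry in menus.get("/interface bridge", []):
        cfg = {**BRIDGE_DEFAULTS, **entry}
        bridges[cfg.get("name")] = cfg
        # IEEE 802.1W expects bridge priority in steps of 4096.
        if cfg["protocol-mode"] != "none" and parse_priority(cfg["priority"]) % 4096:
            findings.append((cfg.get("name"), "priority-not-multiple-of-4096"))

    for entry in menus.get("/interface bridge port", []):
        cfg = {**PORT_DEFAULTS, **entry}
        bridge = bridges.get(cfg.get("bridge"), BRIDGE_DEFAULTS)
        port = cfg.get("interface")
        stp_on = bridge["protocol-mode"] != "none"
        vlan_on = bridge["vlan-filtering"] == "yes"

        # Example policy (assumption): a forced edge port should not accept BPDUs.
        if stp_on and cfg["edge"] == "yes" and cfg["bpdu-guard"] != "yes":
            findings.append((port, "edge-port-without-bpdu-guard"))
        # bpdu-guard has no effect when protocol-mode is none.
        if not stp_on and cfg["bpdu-guard"] == "yes":
            findings.append((port, "bpdu-guard-ineffective-protocol-mode-none"))
        # With VLAN filtering on, ingress-filtering checks VLAN membership.
        if vlan_on and cfg["ingress-filtering"] != "yes":
            findings.append((port, "vlan-filtering-without-ingress-filtering"))
        # These port properties only have effect when vlan-filtering is yes.
        if not vlan_on and (cfg["ingress-filtering"] == "yes"
                            or cfg["frame-types"] != "admit-all"):
            findings.append((port, "vlan-port-setting-ineffective-vlan-filtering-off"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_EXPORT):
        print(f"{name}: {finding}")
```

The "ineffective" findings matter because a port that sets <code>bpdu-guard=yes</code> or <code>ingress-filtering=yes</code> looks protected in the configuration while the bridge-level setting keeps the property from doing anything.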
<br />
==Example==<br />
<br />
<p>To group <b>ether1</b> and <b>ether2</b> in the already created <b>bridge1</b> bridge:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1<br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2<br />
[admin@MikroTik] /interface bridge port> print <br />
Flags: X - disabled, I - inactive, D - dynamic <br />
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON <br />
0 ether1 bridge1 0x80 10 none <br />
1 ether2 bridge1 0x80 10 none <br />
[admin@MikroTik] /interface bridge port> <br />
</pre><br />
<br />
=Interface lists=<br />
Starting with RouterOS v6.41 it is possible to add interface lists as a bridge port and sort them. Interface lists are useful for creating simpler firewall rules; you can read more about interface lists in the [[Manual:Interface/List | Interface List ]] section. Below is an example of how to add an interface list to a bridge:<br />
<pre><br />
/interface list member<br />
add interface=ether1 list=LAN1<br />
add interface=ether2 list=LAN1<br />
add interface=ether3 list=LAN2<br />
add interface=ether4 list=LAN2<br />
/interface bridge port<br />
add bridge=bridge1 interface=LAN1<br />
add bridge=bridge1 interface=LAN2<br />
</pre><br />
<br />
Ports from an interface list added to a bridge will show up as dynamic ports:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN1 bridge1<br />
1 D ether1 bridge1<br />
2 D ether2 bridge1<br />
3 LAN2 bridge1<br />
4 D ether3 bridge1<br />
5 D ether4 bridge1 <br />
</pre><br />
<br />
It is also possible to sort the order in which lists appear in the <code>/interface bridge port</code> menu. This can be done using the <code>move</code> command. Below is an example of how to sort interface lists:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port move 3 0<br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN2 bridge1<br />
1 D ether3 bridge1<br />
2 D ether4 bridge1<br />
3 LAN1 bridge1<br />
4 D ether1 bridge1<br />
5 D ether2 bridge1<br />
</pre><br />
<br />
{{ Note | The second parameter when moving interface lists is treated as "before id": it specifies the interface list before which the selected interface list should be moved. Moving the first interface list in place of the second interface list has no effect, since the first list would be moved before the second list, which is already the current state.}}<br />
<br />
=Hosts Table=<br />
<br />
MAC addresses that have been learned on a bridge interface can be viewed in the <code>/interface bridge host</code> menu. Below is a table of parameters and flags that can be viewed.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>age</b></var> (<em>read-only: time</em>)</td><br />
<td>The time since the last packet was received from the host. Appears only for dynamic, non-external and non-local host entries</td><br />
</tr><br />
<tr><br />
<td><var><b>bridge</b></var> (<em>read-only: name</em>)</td><br />
<td>The bridge the entry belongs to</td><br />
</tr><br />
<tr><br />
<td><var><b>disabled</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the static host entry is disabled</td><br />
</tr><br />
<tr><br />
<td><var><b>dynamic</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been dynamically created</td><br />
</tr><br />
<tr><br />
<td><var><b>external</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been learned using an external table, for example, from a switch chip or Wireless registration table. Adding a static host entry on a hardware-offloaded bridge port will also display an active external flag</td><br />
</tr><br />
<tr><br />
<td><var><b>invalid</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is invalid; this can appear for statically configured hosts on an already removed interface</td><br />
</tr><br />
<tr><br />
<td><var><b>local</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is created from the bridge itself (that way all local interfaces are shown)</td><br />
</tr><br />
<tr><br />
<td><var><b>mac-address</b></var> (<em>read-only: MAC address</em>)</td><br />
<td>Host's MAC address</td><br />
</tr><br />
<tr><br />
<td><var><b>on-interface</b></var> (<em>read-only: name</em>)</td><br />
<td>Which of the bridged interfaces the host is connected to</td><br />
</tr><br />
</table><br />
<br />
==Monitoring==<br />
<p>To get the active hosts table:</p><br />
<pre><br />
[admin@MikroTik] > interface bridge host print <br />
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external <br />
# MAC-ADDRESS VID ON-INTERFACE BRIDGE AGE<br />
0 D E D4:CA:6D:E1:B5:7E ether2 bridge1<br />
1 DL E4:8D:8C:73:70:37 bridge1 bridge1<br />
2 D D4:CA:6D:E1:B5:7F ether3 bridge2 27s<br />
3 DL E4:8D:8C:73:70:38 bridge2 bridge2<br />
</pre><br />
<br />
==Static entries==<br />
<br />
Since RouterOS v6.42 it is possible to add a static MAC address entry into the hosts table. This can be used to forward a certain type of traffic through a specific port. Another use case for static host entries is protecting the device resources by disabling dynamic learning and relying only on configured static host entries. Below is a table of possible parameters that can be set when adding a static MAC address entry into the hosts table.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface to which the MAC address is going to be assigned.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disables/enables static MAC address entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=MAC address that will be added to the hosts table statically.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vid<br />
|type=integer: 1..4094<br />
|default=<br />
|desc=VLAN ID for the statically added MAC address entry.<br />
}}<br />
<br />
For example, if it was required that all traffic destined to '''4C:5E:0C:4D:12:43''' is forwarded only through '''ether2''', then the following commands can be used:<br />
<pre><br />
/interface bridge host<br />
add bridge=bridge interface=ether2 mac-address=4C:5E:0C:4D:12:43<br />
</pre><br />
<br />
=Bridge Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge monitor</code></p><br />
<br /><br />
<p>Used to monitor the current status of a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="35%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>current-mac-address</b></var> (<em>MAC address</em>)</td><br />
<td>Current MAC address of the bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>designated-port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of designated bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of the bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge</b></var> (<em>yes | no</em>)</td><br />
<td>Shows whether bridge is the root bridge of the spanning tree</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge-id</b></var> (<em>text</em>)</td><br />
<td>The root bridge ID, which is in form of bridge-priority.bridge-MAC-address</td><br />
</tr><br />
<tr><br />
<td><var><b>root-path-cost</b></var> (<em>integer</em>)</td><br />
<td>The total cost of the path to the root-bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>root-port</b></var> (<em>name</em>)</td><br />
<td>Port to which the root bridge is connected</td><br />
</tr><br />
<tr><br />
<td><var><b>state</b></var> (<em>enabled | disabled</em>)</td><br />
<td>State of the bridge</td><br />
</tr><br />
</table><br />
<br />
<h3>Example</h3><br />
<br />
<p>To monitor a bridge:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> monitor bridge1 <br />
state: enabled<br />
current-mac-address: 00:0C:42:52:2E:CE<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
<br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Bridge Port Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port monitor</code></p><br />
<br /><br />
<p>Statistics of an interface that belongs to a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>edge-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is an edge port or not.</td><br />
</tr><br />
<tr><br />
<td><var><b>edge-port-discovery</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is set to automatically detect edge ports.</td><br />
</tr><br />
<tr><br />
<td><var><b>external-fdb</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the registration table is used instead of the forwarding database.</td><br />
</tr><br />
<tr><br />
<td><var><b>forwarding</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is not blocked by (R/M)STP.</td><br />
</tr><br />
<tr><br />
<td><var><b>hw-offload-group</b></var> (<em>switchX</em>)</td><br />
<td>Switch chip used by the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>learning</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is currently listening for BPDUs.</td><br />
</tr><br />
<tr><br />
<td><var><b>multicast-router</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if a multicast router is detected on the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>port-number</b></var> (<em>integer 1..4095</em>)</td><br />
<td>port-number will be assigned in the order that ports got added to the bridge, but this is only true until reboot. After reboot internal numbering will be used.</td><br />
</tr><br />
<tr><br />
<td><var><b>point-to-point-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is connected to a bridge port using full-duplex (yes) or half-duplex (no).</td><br />
</tr><br />
<tr><br />
<td><var><b>role</b></var> (<em>designated | root port | alternate | backup | disabled</em>)</td><br />
<td><br />
(R/M)STP algorithm assigned role of the port:<br />
* <code>Disabled port</code> - not strictly part of STP, a network administrator can manually disable a port<br />
* <code>Root port</code> - a forwarding port that is the best port from Nonroot-bridge to Rootbridge<br />
* <code>Alternative port</code> - an alternate path to the root bridge. This path is different than using the root port<br />
* <code>Designated port</code> - a forwarding port for every LAN segment<br />
* <code>Backup port</code> - a backup/redundant path to a segment where another bridge port already connects.<br />
</td><br />
</tr><br />
<tr><br />
<td><var><b>sending-rstp</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is sending BPDU messages</td><br />
</tr><br />
<tr><br />
<td><var><b>status</b></var> (<em>in-bridge | inactive</em>)</td><br />
<td>Port status:<br />
* <code>in-bridge</code> - port is enabled.<br />
* <code>inactive</code> - port is disabled.<br />
</td><br />
</tr><br />
</table><br />
<br />
==Example==<br />
<br />
<p>To monitor a bridge port:</p><br />
<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor 0 <br />
status: in-bridge<br />
port-number: 1<br />
role: designated-port<br />
edge-port: no<br />
edge-port-discovery: yes<br />
point-to-point-port: no<br />
external-fdb: no<br />
sending-rstp: no<br />
learning: yes<br />
forwarding: yes<br />
<br />
[admin@MikroTik] /interface bridge port><br />
</pre><br />
<br />
=Bridge Hardware Offloading=<br />
<br />
Since RouterOS v6.41 it is possible to switch multiple ports together if a device has a built-in switch chip. While a bridge is a software feature that will consume the CPU's resources, the bridge hardware offloading feature allows you to use the built-in switch chip to forward packets, which lets you achieve higher throughput if configured correctly. In previous versions (prior to RouterOS v6.41) you had to use the <var>master-port</var> property to switch multiple ports together, but in RouterOS v6.41 this property is replaced with the bridge hardware offloading feature, which allows you to switch ports and use some of the bridge features, for example, [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol]]. More details about the outdated <var>master-port</var> property can be found on the [[Manual:Master-port | Master-port]] page.<br />
<br />
{{ Note | When upgrading from previous versions (before RouterOS v6.41), the old <var>master-port</var> configuration is automatically converted to the new '''Bridge Hardware Offloading''' configuration. When downgrading from newer versions (RouterOS v6.41 and newer) to older versions (before RouterOS v6.41) the configuration is not converted back and a bridge without hardware offloading will exist instead; in such a case you need to reconfigure your device to use the old <var>master-port</var> configuration. }}<br />
<br />
Below is a list of devices and the features that support hardware offloading (+) or disable hardware offloading (-):<br />
<br />
{| border="1" class="wikitable collapsible sortable" style="text-align: center"<br />
| nowrap style="background-color: #CCC;* " | <b><u>RouterBoard/[Switch Chip] Model</u></b><br />
| nowrap style="background-color: #CCC;* " | <b>Features in Switch menu</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge STP/RSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge MSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge IGMP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge DHCP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge VLAN Filtering</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bonding</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS3xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS1xx/CRS2xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>+ <small style="font-size:60%;">1</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [QCA8337]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8327]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|-<br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8227]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8316]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros7240]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [MT7621]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [RTL8367]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [ICPlus175D]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
|}<br />
<br />
<b>NOTES:</b><br />
# Feature will not work properly in VLAN switching setups. It is possible to correctly snoop DHCP packets only for a single VLAN, but this requires that these DHCP messages get tagged with the correct VLAN tag using an ACL rule, for example, <code>/interface ethernet switch acl add dst-l3-port=67-68 ip-protocol=udp mac-protocol=ip new-customer-vid=10 src-ports=switch1-cpu</code>. DHCP Option 82 will not contain any information regarding VLAN-ID. <br />
# Feature will not work properly in VLAN switching setups.<br />
<br />
{{ Note | When upgrading from older versions (before RouterOS v6.41), only the <var>master-port</var> configuration is converted. For each <var>master-port</var> a bridge will be created. VLAN configuration is not converted and should not be changed, check the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide to be sure how VLAN switching should be configured for your device. }}<br />
<br />
Bridge Hardware Offloading should be considered as port switching, but with more possible features. By enabling hardware offloading you are allowing a built-in switch chip to process packets using its switching logic. The diagram below illustrates that switching occurs before any software related action:<br />
<br />
[[File:switch-png.png|center]]<br />
<br />
A packet that is received by one of the ports always passes through the switch logic first. Switch logic decides which ports the packet should go to (most commonly this decision is made based on the destination MAC address of a packet, but other criteria might be involved based on the packet and the configuration). In most cases the packet will not be visible to RouterOS (only statistics will show that a packet has passed through), because the packet was already processed by the switch chip and never reached the CPU, though it is possible in certain situations to allow a packet to be processed by the CPU. To allow the CPU to process a packet you need to forward the packet to the CPU and not allow the switch chip to forward the packet through a switch port directly; this is usually called passing a packet to the switch CPU port (or the bridge CPU port in a bridge VLAN filtering scenario).<br />
<br />
By passing a packet to the switch CPU port you are prohibiting the switch chip from forwarding the packet directly; this allows the CPU to process the packet and lets the CPU forward the packet. Passing the packet to the CPU port will give you the opportunity to route packets to different networks, perform traffic control and other software related packet processing actions. To allow a packet to be processed by the CPU, you need to make certain configuration changes depending on your needs and on the device you are using (most commonly, passing packets to the CPU is required for VLAN filtering setups). Check the manual page for your specific device:<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches_examples | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | non-CRS series switches]]<br />
<br />
{{ Warning | Certain bridge and Ethernet port properties are directly related to switch chip settings. Changing such properties can trigger a '''switch chip reset''' that will temporarily disable all Ethernet ports that are on the switch chip for the settings to take effect; this must be taken into account whenever changing properties in production environments. Such properties are DHCP Snooping, IGMP Snooping, VLAN filtering, L2MTU, Flow Control and others (the exact settings that can trigger a switch chip reset depend on the device's model). }}<br />
<br />
==Example==<br />
<br />
Port switching with bridge configuration and enabled hardware offloading since RouterOS v6.41:<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2 hw=yes<br />
add bridge=bridge1 interface=ether3 hw=yes<br />
add bridge=bridge1 interface=ether4 hw=yes<br />
add bridge=bridge1 interface=ether5 hw=yes<br />
</pre><br />
<br />
Make sure that hardware offloading is enabled by checking the "H" flag:<br />
<pre><br />
[admin@MikroTik] > interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON<br />
0 H ether2 bridge1 yes 1 0x80 10 10 none<br />
1 H ether3 bridge1 yes 1 0x80 10 10 none<br />
2 H ether4 bridge1 yes 1 0x80 10 10 none<br />
3 H ether5 bridge1 yes 1 0x80 10 10 none<br />
</pre><br />
<br />
{{ Note | Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior to RouterOS v6.41 port switching was done using the <var>master-port</var> property, for more details check the [[Manual:Master-port | Master-port]] page. }}<br />
<br />
=Bridge VLAN Filtering=<br />
<br />
{{ Note | Currently only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide. If an improper configuration method is used, your device can cause throughput issues in your network. }}<br />
<br />
<p>Bridge VLAN Filtering since RouterOS v6.41 provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge.<br />
This set of features makes bridge operation more like a traditional Ethernet switch and makes it possible to overcome Spanning Tree compatibility issues compared to a configuration where tunnel-like VLAN interfaces are bridged.<br />
Bridge VLAN Filtering configuration is highly recommended to comply with STP (IEEE 802.1D), RSTP (IEEE 802.1W) standards and is mandatory to enable MSTP (IEEE 802.1s) support in RouterOS.</p><br />
<br />
<p>The main VLAN setting is <code>vlan-filtering</code> which globally controls vlan-awareness and VLAN tag processing in the bridge.<br />
If <code>vlan-filtering=no</code>, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets.<br />
Turning on <code>vlan-filtering</code> enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode.<br />
Besides joining the ports for Layer2 forwarding, bridge itself is also an interface therefore it has Port VLAN ID (pvid).</p><br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge vlan</code></p><br />
<br />
<p>Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action.<br />
<code>tagged</code> ports send out frames with a learned VLAN ID tag.<br />
<code>untagged</code> ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port <code>pvid</code>.<br />
</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface which the respective VLAN entry is intended for.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables Bridge VLAN entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. <code>tagged=ether1,ether2</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=untagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. <code>untagged=ether3,ether4</code><br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-ids<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID range as well as comma separated values. E.g. <code>vlan-ids=100-115,120,122,128-130</code>.<br />
}}<br />
<br /><br />
{{ Warning | The <var>vlan-ids</var> parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are trunk ports. In case multiple VLANs are specified for access ports, then tagged packets might get sent out as untagged packets through the wrong access port, regardless of the <var>PVID</var> value. }}<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br />
<p>Bridge Host table allows monitoring learned MAC addresses and when <code>vlan-filtering</code> is enabled shows learned VLAN ID as well.</p><br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge host print where !local<br />
Flags: L - local, E - external-fdb <br />
BRIDGE VID MAC-ADDRESS ON-INTERFACE AGE <br />
bridge1 200 D4:CA:6D:77:2E:F0 ether3 7s <br />
bridge1 200 E4:8D:8C:1B:05:F0 ether2 2s <br />
bridge1 300 D4:CA:6D:74:65:9D ether4 3s <br />
bridge1 300 E4:8D:8C:1B:05:F0 ether2 2s <br />
bridge1 400 4C:5E:0C:4B:89:5C ether5 0s <br />
bridge1 400 E4:8D:8C:1B:05:F0 ether2 0s <br />
[admin@MikroTik] > <br />
</pre><br />
<br />
{{ Note | Make sure you have added all needed interfaces to the bridge VLAN table when using bridge VLAN filtering. For routing functions to work properly on the same device through ports that use bridge VLAN filtering, you will need to allow access to the CPU from those ports, this can be done by adding the bridge interface itself to the VLAN table, for tagged traffic you will need to add the bridge interface as a tagged port and create a VLAN interface on the bridge interface. Examples can be found at the [[Manual:Interface/Bridge#Management_port| Management port]] section.}}<br />
<br />
{{ Warning | When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, this is not always desirable. Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port, use firewall filter rules to allow access to only certain services.}}<br />
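<br />
The checks below turn the warnings in this section into an offline review of an exported configuration. This is an added example, not MikroTik code: the sample export is constructed, the check names are made up for illustration, and the parser only understands unquoted <code>key=value</code> pairs on <code>add</code> lines plus <code>set</code> on the bridge itself.<br />

```python
import re

# Constructed sample in the export style used on this page (not from a real device).
SAMPLE_EXPORT = """\
# constructed sample configuration
/interface bridge
add name=bridge1 vlan-filtering=no
add name=bridge2 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8
add bridge=bridge2 interface=ether9 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300-310,400
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=500
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=99
add bridge=bridge2 tagged=ether10 untagged=ether9 vlan-ids=10
/interface bridge set bridge1 vlan-filtering=yes
"""


def parse_export(text):
    """Return (bridges, ports, vlan_entries) parsed from export-style text."""
    bridges, ports, vlans, menu = {}, {}, [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path = menu
        if line.startswith("/"):
            # Either a bare menu line or a one-line "/menu add|set args" command.
            path, verb, rest = re.match(
                r"(/.*?)(?:\s+(add|set)\s+(.*))?$", line).groups()
            if verb is None:
                menu = path  # a bare menu line applies to the lines that follow
                continue
        else:
            verb, _, rest = line.partition(" ")
        words = rest.split()
        kv = dict(w.split("=", 1) for w in words if "=" in w)
        if path == "/interface bridge" and verb == "add":
            bridges[kv.get("name", "")] = kv
        elif path == "/interface bridge" and verb == "set" and words:
            bridges.setdefault(words[0], {}).update(kv)
        elif path == "/interface bridge port" and verb == "add":
            # A port without an explicit pvid uses the default PVID of 1.
            ports[(kv.get("bridge"), kv.get("interface"))] = kv.get("pvid", "1")
        elif path == "/interface bridge vlan" and verb == "add":
            vlans.append(kv)
    return bridges, ports, vlans


def expand_vlan_ids(spec):
    """Expand a vlan-ids value such as '100-115,120' into a set of integers."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def split_list(value):
    return [item for item in (value or "").split(",") if item]


def audit(text):
    """Return findings as (check, subject, vlan-ids) tuples."""
    bridges, ports, vlans = parse_export(text)
    findings = []
    for entry in vlans:
        bridge = entry.get("bridge", "")
        spec = entry.get("vlan-ids", "1")
        ids = expand_vlan_ids(spec)
        tagged = split_list(entry.get("tagged"))
        untagged = split_list(entry.get("untagged"))
        # Several VLANs in one entry are only meant for trunk (tagged) ports.
        if len(ids) > 1 and untagged:
            findings.append(("multi-vlan-untagged", bridge, spec))
        # The bridge as a member gives this VLAN access to the CPU:
        # confirm that firewall filter rules restrict the exposed services.
        if bridge in tagged + untagged:
            findings.append(("cpu-access", bridge, spec))
        # An untagged port should carry a PVID covered by the entry.
        for port in untagged:
            if port != bridge and int(ports.get((bridge, port), "1")) not in ids:
                findings.append(("pvid-mismatch", port, spec))
    # A VLAN table is ignored while vlan-filtering is still "no".
    for name in sorted({e.get("bridge", "") for e in vlans}):
        if bridges.get(name, {}).get("vlan-filtering", "no") != "yes":
            findings.append(("filtering-disabled", name, ""))
    return findings


if __name__ == "__main__":
    for check, subject, vlan_ids in audit(SAMPLE_EXPORT):
        print(f"{check:22} {subject:10} {vlan_ids}")
```

A <code>cpu-access</code> finding is not an error on its own; it marks the VLANs whose input-chain firewall rules deserve a second look.<br />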
<br />
==VLAN Example #1 (Trunk and Access Ports)==<br />
<br />
{{ Note | Improperly configured bridge VLAN filtering can cause security issues, make sure you fully understand how [[ Manual:Bridge_VLAN_Table | Bridge VLAN table]] works before deploying your device into production environments. }}<br />
<br />
[[File:portbased-vlan1.png|center|frame|alt=Alt text|Trunk and Access Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the device before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==VLAN Example #2 (Trunk and Hybrid Ports)==<br />
<br />
[[File:portbased-vlan2.png|center|frame|alt=Alt text|Trunk and Hybrid Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> on hybrid VLAN ports to assign untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example egress VLAN tagging is done on ether6,ether7,ether8 ports too, making them into hybrid ports.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | You don't have to add access ports as untagged ports; they will be added dynamically as untagged ports with the VLAN ID that is specified in <code>PVID</code>, so you can specify just the trunk port as a tagged port. All ports that have the same <code>PVID</code> set will be added as untagged ports in a single entry. You must take into account that the bridge itself is a port and it also has a <code>PVID</code> value; this means that the bridge port will also be added as an untagged port for the ports that have the same <code>PVID</code>. You can circumvent this behaviour either by setting a different <code>PVID</code> on all ports (even the trunk port and the bridge itself), or by using <code>frame-type</code> set to <code>accept-only-vlan-tagged</code>. }}<br />
<br />
==VLAN Example #3 (InterVLAN Routing by Bridge)==<br />
<br />
[[File:bridge-vlan-routing.png|center|frame|alt=Alt text|InterVLAN Routing by Bridge]]<br />
<br />
Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured:<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN:<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example '''bridge1''' interface is the VLAN trunk that will send traffic further to do InterVLAN routing:<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
Configure VLAN interfaces on the '''bridge1''' to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned:<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=VLAN200 vlan-id=200<br />
add interface=bridge1 name=VLAN300 vlan-id=300<br />
add interface=bridge1 name=VLAN400 vlan-id=400<br />
<br />
/ip address<br />
add address=20.0.0.1/24 interface=VLAN200<br />
add address=30.0.0.1/24 interface=VLAN300<br />
add address=40.0.0.1/24 interface=VLAN400<br />
</pre><br />
<br />
In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==Management access configuration==<br />
<br />
There are multiple ways to set up management access on a device that uses bridge VLAN filtering. Below are some of the most popular approaches to properly enable access to a router/switch. Start by creating a bridge without VLAN filtering enabled:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* In case VLAN filtering will not be used and access with untagged traffic is desired<br />
<br />
The only requirement is to create an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.99.1/24 interface=bridge1<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with tagged traffic is desired<br />
<br />
In this example VLAN99 will be used to access the device, a VLAN interface on the bridge must be created and an IP address must be assigned to it.<br />
<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=MGMT vlan-id=99<br />
/ip address<br />
add address=192.168.99.1/24 interface=MGMT<br />
</pre><br />
<br />
For example, if you want to allow access to the router/switch from access ports '''ether3''', '''ether4''' and from trunk port '''sfp-sfpplus1''', then you must add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired<br />
<br />
To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.88.1/24 interface=bridge1<br />
</pre><br />
<br />
It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports '''ether3''', '''ether4''' add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1<br />
</pre><br />
<br />
Make sure that PVID on the bridge interface matches the PVID value on these ports:<br />
<pre><br />
/interface bridge set bridge1 pvid=1<br />
/interface bridge port set ether3,ether4 pvid=1<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Note | If connection to the router/switch through an IP address is not required, then steps adding this IP address can be skipped since connection to the router/switch through Layer2 protocols (e.g. MAC-telnet) will be working either way. }}<br />
<br />
==VLAN Tunneling (Q-in-Q)==<br />
Since RouterOS v6.43 the RouterOS bridge is IEEE 802.1ad compliant and it is possible to filter VLAN IDs based on Service VLAN ID (0x88A8) rather than Customer VLAN ID (0x8100). The same principles can be applied as with IEEE 802.1Q VLAN filtering (the same setup examples can be used). Below is a topology for a common '''Provider bridge''':<br />
<br />
[[File:provider_bridge.png|700px|thumb|center|alt=Alt text|Provider bridge topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic by 802.1Q (CVID), but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with a SVID and only allow these VLANs on certain ports. Start by enabling <code>802.1ad</code> VLAN protocol on the bridge, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x88a8<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' are going to be access ports (untagged), use the <code>pvid</code> parameter to tag all ingress traffic on each port, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200<br />
add interface=ether2 bridge=bridge1 pvid=300<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. The difference between using different EtherTypes is that you must use a Service VLAN interface. Service VLAN interfaces can be created as regular VLAN interface, but the <var>use-service-tag</var> parameter toggles if the interface will use Service VLAN tag. }}<br />
<br />
{{ Note | Currently only CRS3xx series switches are capable of hardware offloading VLAN filtering based on SVID (Service VLAN ID) tag when <var>ether-type</var> is set to 0x88a8. }}<br />
<br />
{{ Warning | When <code>ether-type&#61;0x8100</code>, then the bridge checks the outer VLAN tag if it is using EtherType <code>0x8100</code>. If the bridge receives a packet with an outer tag that has a different EtherType, it will mark the packet as <code>untagged</code>. Since RouterOS only checks the outer tag of a packet, it is not possible to filter 802.1Q packets when 802.1ad protocol is used. }}<br />
<br />
===Tag stacking===<br />
<br />
Since RouterOS v6.43 it is possible to forcefully add a new VLAN tag over any existing VLAN tags, this feature can be used to achieve a CVID stacking setup, where a CVID (0x8100) tag is added before an existing CVID tag. This type of setup is very similar to [[ Manual:Interface/Bridge#VLAN_Tunneling_.28Q-in-Q.29 | Provider bridge]] setup, to achieve the same setup but with multiple CVID tags (CVID stacking) we can use the same topology:<br />
<br />
[[File:tag_stacking.png|700px|thumb|center|alt=Alt text|Tag stacking topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic, it can be 802.1ad, 802.1Q or any other type of traffic, but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with a new CVID tag and only allow these VLANs on certain ports. Start by selecting the proper EtherType, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x8100<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' will ignore any VLAN tags that are present and add a new VLAN tag, use the <code>pvid</code> parameter to tag all ingress traffic on each port and allow <code>tag-stacking</code> on these ports, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200 tag-stacking=yes<br />
add interface=ether2 bridge=bridge1 pvid=300 tag-stacking=yes<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, you only need to specify the VLAN ID of the outer tag, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, which is required in order for the <code>PVID</code> parameter to have any effect, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. }}<br />
<br />
=Fast Forward=<br />
<br />
Fast Forward allows packets to be forwarded faster under special conditions. When Fast Forward is enabled, the bridge can process packets even faster since it can skip multiple bridge related checks, including MAC learning. Below you can find a list of conditions that '''MUST''' be met in order for Fast Forward to be active:<br />
* Bridge has <var>fast-forward</var> set to <code>yes</code><br />
* Bridge has only 2 running ports<br />
* Both bridge ports support [[ Manual:Fast_Path | Fast Path]], Fast Path is active on ports and globally on the bridge<br />
* [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] is disabled<br />
* <var>protocol-mode</var> is set to <code>none</code><br />
* [[ Manual:Interface/Bridge#Bridge_VLAN_Filtering | Bridge VLAN Filtering]] is disabled<br />
* [[Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82 | bridge DHCP snooping]] is disabled<br />
* <var>unknown-multicast-flood</var> is set to <code>yes</code><br />
* <var>unknown-unicast-flood</var> is set to <code>yes</code><br />
* <var>broadcast-flood</var> is set to <code>yes</code><br />
* MAC address for the bridge matches with a MAC address from one of the bridge slaves<br />
* <var>horizon</var> for both ports is set to <code>none</code><br />
<br />
{{ Note | Fast Forward disables MAC learning, this is by design to achieve faster packet forwarding. MAC learning prevents traffic from flooding multiple interfaces, but MAC learning is not needed when a packet can only be sent out through just one interface. }}<br />
<br />
{{ Warning | Fast Forward is disabled when hardware offloading is enabled. Hardware offloading can achieve full wire-speed performance when it is active since it will use the built-in switch chip (if such exists on your device), fast forward uses the CPU to forward packets. When comparing throughput results, you would get such results: Hardware offloading > Fast Forward > Fast Path > Slow Path. }}<br />
<br />
It is possible to check how many packets were processed by Fast Forward:<br />
<pre><br />
[admin@MikroTik] > /interface bridge settings print <br />
use-ip-firewall: no<br />
use-ip-firewall-for-vlan: no<br />
use-ip-firewall-for-pppoe: no<br />
allow-fast-path: yes<br />
bridge-fast-path-active: yes<br />
bridge-fast-path-packets: 0<br />
bridge-fast-path-bytes: 0<br />
bridge-fast-forward-packets: 1279812<br />
bridge-fast-forward-bytes: 655263744<br />
</pre><br />
<br />
{{ Note | If packets are processed by Fast Path, then Fast Forward is not active. Packet count can be used as an indicator whether Fast Forward is active or not. }}<br />
<br />
Since RouterOS 6.44beta28 it is possible to monitor Fast Forward status, for example:<br />
<pre><br />
[admin@MikroTik] > /interface bridge monitor bridge1 <br />
state: enabled<br />
current-mac-address: D4:CA:6D:E1:B5:82<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
fast-forward: yes<br />
<br />
</pre><br />
<br />
{{ Warning | Disabling or enabling <var>fast-forward</var> will temporarily disable all bridge ports for settings to take effect. This must be taken into account whenever changing this property on production environments since it can cause all packets to be temporarily dropped. }}<br />
<br />
=IGMP Snooping=<br />
<br />
<p>IGMP Snooping which controls multicast streams and prevents multicast flooding is implemented in RouterOS starting from version 6.41.<br /><br />
Its settings are placed in the bridge menu and it works independently in every bridge interface.<br /><br />
Software driven implementation works on all devices with RouterOS but CRS1xx/2xx/3xx series switches also support IGMP Snooping with hardware offloading.</p><br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge mdb</code></p><br />
<br />
* Enabling IGMP Snooping on Bridge.<br />
<br />
<pre><br />
/interface bridge set bridge1 igmp-snooping=yes<br />
</pre><br />
<br />
* Monitoring multicast groups in the Bridge Multicast Database<br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge mdb print <br />
BRIDGE VID GROUP PORTS <br />
bridge1 200 229.1.1.2 ether3 <br />
ether2 <br />
ether1 <br />
bridge1 300 231.1.3.3 ether4 <br />
ether3 <br />
ether2 <br />
bridge1 400 229.10.10.4 ether4 <br />
ether3 <br />
bridge1 500 234.5.1.5 ether5 <br />
ether1 <br />
</pre><br />
<br />
* Monitoring ports that are connected to a multicast router<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor [f]<br />
interface: ether1 ether2<br />
status: in-bridge in-bridge<br />
port-number: 1 2<br />
role: designated-port designated-port<br />
edge-port: yes yes<br />
edge-port-discovery: yes yes<br />
point-to-point-port: yes yes<br />
external-fdb: no no<br />
sending-rstp: yes yes<br />
learning: yes yes<br />
forwarding: yes yes<br />
multicast-router: yes no<br />
</pre><br />
<br />
{{ Note | IGMP membership reports are only forwarded to ports that are connected to a multicast router or to another IGMP Snooping enabled bridge. If no port is marked as a <var>multicast-router</var> then IGMP membership reports will not be forwarded to any port. }}<br />
<br />
=DHCP Snooping and DHCP Option 82=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge port</code></p><br />
<br /><br />
Starting from RouterOS version 6.43, bridge supports DHCP Snooping and DHCP Option 82. DHCP Snooping is a Layer2 security feature that limits unauthorized DHCP servers from providing malicious information to users. In RouterOS you can specify which bridge ports are trusted (where known DHCP server resides and DHCP messages should be forwarded) and which are untrusted (usually used for access ports, received DHCP server messages will be dropped). DHCP Option 82 is additional information (Agent Circuit ID and Agent Remote ID) provided by DHCP Snooping enabled devices that allows identifying the device itself and DHCP clients.<br />
<br />
[[File:dhcp_snooping.png|700px|thumb|center|alt=Alt text|DHCP Snooping and Option 82 setup]]<br />
<br />
In this example, SW1 and SW2 are DHCP Snooping and Option 82 enabled devices. First, we need to create a bridge, assign interfaces and mark trusted ports. Use these commands on <b>SW1</b>:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1<br />
add bridge=bridge interface=ether2 trusted=yes<br />
</pre><br />
<br />
For SW2 configuration will be similar, but we also need to mark ether1 as trusted, because this interface is going to receive DHCP messages with Option 82 already added. You need to mark all ports as trusted if they are going to receive DHCP messages with added Option 82, otherwise these messages will be dropped. Also, we add ether3 to the same bridge and leave this port untrusted, imagine there is an unauthorized (rogue) DHCP server. Use these commands on <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1 trusted=yes<br />
add bridge=bridge interface=ether2 trusted=yes<br />
add bridge=bridge interface=ether3<br />
</pre><br />
<br />
Then we need to enable DHCP Snooping and Option 82. In case your DHCP server does not support DHCP Option 82 or you do not implement any Option 82 related policies, this option can be disabled. Use these commands on <b>SW1</b> and <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes<br />
</pre><br />
<br />
Now both devices will analyze what DHCP messages are received on bridge ports. The <b>SW1</b> is responsible for adding and removing the DHCP Option 82. The <b>SW2</b> will prevent the rogue DHCP server from receiving any discovery messages and drop malicious DHCP server messages from ether3.<br />
<br />
{{ Note | Currently only CRS3xx devices fully support hardware DHCP Snooping and Option 82. For CRS1xx and CRS2xx series switches it is possible to use DHCP Snooping along with VLAN switching, but then you must make sure that DHCP packets are sent out with the correct VLAN tag using egress ACL rules. Other devices are capable of using DHCP Snooping and Option 82 features along with hardware offloading, but you must make sure that there is no VLAN related configuration applied on the device, otherwise DHCP Snooping and Option 82 might not work properly. See [[ Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features.}}<br />
<br />
=Bridge Firewall=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter, /interface bridge nat</code></p><br />
<br /><br />
<p>The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through bridge.</p><br />
<br />
<p>[[Packet Flow | Packet flow diagram]] shows how packets are processed through router. It is possible to force bridge traffic to go through <code>/ip firewall filter</code> rules (see: [[#Bridge Settings | Bridge Settings]])</p><br />
<br />
<p><br />
There are two bridge firewall tables:<br />
<br />
*'''filter''' - bridge firewall with three predefined chains:<br />
**'''input''' - filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)<br />
**'''output''' - filters packets, which come from the bridge (including those packets that have been routed normally)<br />
**'''forward''' - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)<br />
*'''nat''' - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:<br />
**'''srcnat''' - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface<br />
**'''dstnat''' - used for redirecting some packets to other destinations<br />
</p><br />
<br />
<p><br />
You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by <code>'/ip firewall mangle'</code>. In this way, packet marks put by bridge firewall can be used in 'IP firewall', and vice versa.<br />
</p><br />
<br />
<p><br />
General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.<br />
</p><br />
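<br />
The following is an added example, not part of the original manual: bridge filter rules that log and then drop DHCP server replies entering through an untrusted port, using a user-defined chain. The port name <code>ether3</code> follows the untrusted port from the DHCP Snooping example above; the chain name <code>dhcp-guard</code> and the log prefix are assumptions chosen for illustration.<br />
<br />
```routeros
# Added example (not from the original manual).
# Assumption: ether3 is an untrusted access port, as in the DHCP Snooping example.
# "dhcp-guard" is a hypothetical user-defined chain name.
/interface bridge filter

# DHCP server replies are IPv4/UDP with source port 67.
# Catch them when they are bridged to another port (forward chain) ...
add chain=forward in-interface=ether3 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=jump jump-target=dhcp-guard

# ... and when they are addressed to the bridge itself (input chain).
add chain=input in-interface=ether3 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=jump jump-target=dhcp-guard

# action=log passes the frame to the next rule, so the drop below still applies.
add chain=dhcp-guard action=log log-prefix="rogue-dhcp"
add chain=dhcp-guard action=drop
```
<br />
Bridge filter rules are evaluated by the CPU, so frames forwarded by a switch chip on hardware-offloaded ports do not pass through them.<br />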
<br />
==Properties==<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-sap<br />
|type=integer<br />
|default=<br />
|desc=DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match a SAP byte.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-type<br />
|type=integer<br />
|default=<br />
|desc=Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=<br />
|desc= Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. Packet is not passed to next firewall rule<br />
* <var>drop</var> - silently drop the packet<br />
* <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter <br />
* <var>log</var> - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as <code>passthrough</code><br />
* <var>mark-packet</var> - place a mark specified by the new-packet-mark parameter on a packet that matches the rule<br />
* <var>passthrough</var> - if packet is matched by the rule, increase counter and go to next rule (useful for statistics)<br />
* <var>return</var> - passes control back to the chain from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP destination IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP destination MAC address<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-gratuitous<br />
|type=yes {{!}} no<br />
|default=<br />
|desc=Matches ARP gratuitous packets.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-hardware-type<br />
|type=integer<br />
|default=1<br />
|desc=ARP hardware type. This is normally Ethernet (Type 1).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-opcode<br />
|type=arp-nak {{!}} drarp-error {{!}} drarp-reply {{!}} drarp-request {{!}} inarp-reply {{!}} inarp-request {{!}} reply {{!}} reply-reverse {{!}} request {{!}} request-reverse<br />
|default=<br />
|desc=ARP opcode (packet type)<br />
* <var>arp-nak</var> - negative ARP reply (rarely used, mostly in ATM networks) <br />
* <var>drarp-error</var> - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated <br />
* <var>drarp-reply</var> - Dynamic RARP reply, with a temporary IP address assignment for a host <br />
* <var>drarp-request</var> - Dynamic RARP request to assign a temporary IP address for the given MAC address <br />
* <var>inarp-reply</var> - InverseARP Reply<br />
* <var>inarp-request</var> - InverseARP Request<br />
* <var>reply</var> - standard ARP reply with a MAC address <br />
* <var>reply-reverse</var> - reverse ARP (RARP) reply with an IP address assigned <br />
* <var>request</var> - standard ARP request to a known IP address to find out unknown MAC address <br />
* <var>request-reverse</var> - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-packet-type<br />
|type=integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=ARP Packet Type.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP source IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=chain<br />
|type=text<br />
|default=<br />
|desc=Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user-defined one).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-address<br />
|type=IP address<br />
|default=<br />
|desc=Destination IP address (only if MAC protocol is set to IP).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Destination port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-bridge<br />
|type=name<br />
|default=<br />
|desc=Bridge interface through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface<br />
|type=name<br />
|default=<br />
|desc=Physical interface (i.e., bridge port) through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>in-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-priority<br />
|type=integer 0..63<br />
|default=<br />
|desc=Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit. [[WMM | read more&#187;]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ip-protocol<br />
|type=dccp {{!}} ddp {{!}} egp {{!}} encap {{!}} etherip {{!}} ggp {{!}} gre {{!}} hmp {{!}} icmp {{!}} icmpv6 {{!}} idpr-cmtp {{!}} igmp {{!}} ipencap {{!}} ipip {{!}} ipsec-ah {{!}} ipsec-esp {{!}} ipv6 {{!}} ipv6-frag {{!}} ipv6-nonxt {{!}} ipv6-opts {{!}} ipv6-route {{!}} iso-tp4 {{!}} l2tp {{!}} ospf {{!}} pim {{!}} pup {{!}} rdp {{!}} rspf {{!}} rsvp {{!}} sctp {{!}} st {{!}} tcp {{!}} udp {{!}} udp-lite {{!}} vmtp {{!}} vrrp {{!}} xns-idp {{!}} xtp<br />
|default=<br />
|desc=IP protocol (only if MAC protocol is set to IPv4)<br />
* <var>dccp</var> - Datagram Congestion Control Protocol<br />
* <var>ddp</var> - Datagram Delivery Protocol<br />
* <var>egp</var> - Exterior Gateway Protocol<br />
* <var>encap</var> - Encapsulation Header<br />
* <var>etherip</var> - Ethernet-within-IP Encapsulation<br />
* <var>ggp</var> - Gateway-to-Gateway Protocol<br />
* <var>gre</var> - Generic Routing Encapsulation<br />
* <var>hmp</var> - Host Monitoring Protocol<br />
* <var>icmp</var> - IPv4 Internet Control Message Protocol<br />
* <var>icmpv6</var> - IPv6 Internet Control Message Protocol<br />
* <var>idpr-cmtp</var> - Inter-Domain Policy Routing Control Message Transport Protocol <br />
* <var>igmp</var> - Internet Group Management Protocol<br />
* <var>ipencap</var> - IP in IP (encapsulation)<br />
* <var>ipip</var> - IP-within-IP Encapsulation Protocol<br />
* <var>ipsec-ah</var> - IPsec Authentication Header<br />
* <var>ipsec-esp</var> - IPsec Encapsulating Security Payload<br />
* <var>ipv6</var> - Internet Protocol version 6<br />
* <var>ipv6-frag</var> - Fragment Header for IPv6<br />
* <var>ipv6-nonxt</var> - No Next Header for IPv6<br />
* <var>ipv6-opts</var> - Destination Options for IPv6<br />
* <var>ipv6-route</var> - Routing Header for IPv6<br />
* <var>iso-tp4</var> - ISO Transport Protocol Class 4<br />
* <var>l2tp</var> - Layer Two Tunneling Protocol<br />
* <var>ospf</var> - Open Shortest Path First<br />
* <var>pim</var> - Protocol Independent Multicast<br />
* <var>pup</var> - PARC Universal Packet<br />
* <var>rdp</var> - Reliable Data Protocol<br />
* <var>rspf</var> - Radio Shortest Path First<br />
* <var>rsvp</var> - Reservation Protocol<br />
* <var>sctp</var> - Stream Control Transmission Protocol<br />
* <var>st</var> - Internet Stream Protocol<br />
* <var>tcp</var> - Transmission Control Protocol<br />
* <var>udp</var> - User Datagram Protocol<br />
* <var>udp-lite</var> - Lightweight User Datagram Protocol<br />
* <var>vmtp</var> - Versatile Message Transaction Protocol<br />
* <var>vrrp</var> - Virtual Router Redundancy Protocol<br />
* <var>xns-idp</var> - Xerox Network Systems Internet Datagram Protocol<br />
* <var>xtp</var> - Xpress Transport Protocol<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=jump-target<br />
|type=name<br />
|default=<br />
|desc=If <code>action=jump</code> specified, then specifies the user-defined firewall chain to process the packet.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit<br />
|type=integer/time,integer<br />
|default=<br />
|desc=Restricts packet match rate to a given limit.<br />
* <var>count</var> - maximum average packet rate, measured in packets per second (pps), unless followed by Time option <br />
* <var>time</var> - specifies the time interval over which the packet rate is measured <br />
* <var>burst</var> - number of packets to match in a burst<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=log-prefix<br />
|type=text<br />
|default=<br />
|desc=Defines the prefix to be printed before the logging information.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-protocol<br />
|type=802.2 {{!}} arp {{!}} homeplug-av {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} lldp {{!}} loop-protect {{!}} mpls-multicast {{!}} mpls-unicast {{!}} packing-compr {{!}} packing-simple {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} service-vlan {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Ethernet payload type (MAC-level protocol). To match protocol type for VLAN encapsulated frames (0x8100 or 0x88a8), a <var>vlan-encap</var> property should be used.<br />
* <var>802.2</var> - 802.2 Frames (0x0004)<br />
* <var>arp</var> - Address Resolution Protocol (0x0806)<br />
* <var>homeplug-av</var> - HomePlug AV MME (0x88E1)<br />
* <var>ip</var> - Internet Protocol version 4 (0x0800)<br />
* <var>ipv6</var> - Internet Protocol Version 6 (0x86DD)<br />
* <var>ipx</var> - Internetwork Packet Exchange (0x8137)<br />
* <var>length</var> - Packets with length field (0x0000-0x05DC)<br />
* <var>lldp</var> - Link Layer Discovery Protocol (0x88CC)<br />
* <var>loop-protect</var> - Loop Protect Protocol (0x9003)<br />
* <var>mpls-multicast</var> - MPLS multicast (0x8848)<br />
* <var>mpls-unicast</var> - MPLS unicast (0x8847)<br />
* <var>packing-compr</var> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001)<br />
* <var>packing-simple</var> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000)<br />
* <var>pppoe</var> - PPPoE Session Stage (0x8864)<br />
* <var>pppoe-discovery</var> - PPPoE Discovery Stage (0x8863)<br />
* <var>rarp</var> - Reverse Address Resolution Protocol (0x8035)<br />
* <var>service-vlan</var> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8) <br />
* <var>vlan</var> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-bridge<br />
|type=name<br />
|default=<br />
|desc=Outgoing bridge interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface<br />
|type=name<br />
|default=<br />
|desc=Interface that the packet is leaving the bridge through.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>out-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-mark<br />
|type=name<br />
|default=<br />
|desc=Match packets with certain packet mark.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-type<br />
|type=broadcast {{!}} host {{!}} multicast {{!}} other-host<br />
|default=<br />
|desc=MAC frame type:<br />
* <var>broadcast</var> - broadcast MAC packet <br />
* <var>host</var> - packet is destined to the bridge itself <br />
* <var>multicast</var> - multicast MAC packet <br />
* <var>other-host</var> - packet is destined to some other unicast address, not to the bridge itself<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-address<br />
|type=IP address<br />
|default=<br />
|desc=Source IP address (only if MAC protocol is set to IPv4).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Source port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-flags<br />
|type=topology-change {{!}} topology-change-ack<br />
|default=<br />
|desc=The BPDU (Bridge Protocol Data Unit) flags. Bridges periodically exchange configuration messages named BPDUs to prevent loops:<br />
* <var>topology-change</var> - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology <br />
* <var>topology-change-ack</var> - topology change acknowledgement flag is sent in replies to the notification packets <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-forward-delay<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Forward delay timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-hello-time<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP hello packets time.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-max-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Maximal STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-msg-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP port identifier.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-address<br />
|type=MAC address<br />
|default=<br />
|desc=Root bridge MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-cost<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge cost.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-address<br />
|type=MAC address<br />
|default=<br />
|desc=STP message sender MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP sender priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-type<br />
|type=config {{!}} tcn<br />
|default=<br />
|desc=The BPDU type:<br />
* <var>config</var> - configuration BPDU <br />
* <var>tcn</var> - topology change notification<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-host<br />
|type=string<br />
|default=<br />
|desc=Allows matching HTTPS traffic based on the TLS SNI hostname. Accepts [https://en.wikipedia.org/wiki/Glob_(programming) GLOB syntax] for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-encap<br />
|type=802.2 {{!}} arp {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} mpls-multicast {{!}} mpls-unicast {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Matches the MAC protocol type encapsulated in the VLAN frame.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-id<br />
|type=integer 0..4095<br />
|default=<br />
|desc=Matches the VLAN identifier field.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-priority<br />
|type=integer 0..7<br />
|default=<br />
|desc=Matches the VLAN priority<br />
}}<br />
<br />
<br />
<h3>Notes</h3><br />
<br />
*STP matchers are only valid if the destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address); <code>stp</code> should also be enabled.<br />
<br />
*ARP matchers are only valid if <var>mac-protocol</var> is <code>arp</code> or <code>rarp</code><br />
<br />
*VLAN matchers are only valid for <code>0x8100</code> or <code>0x88a8</code> ethernet protocols<br />
<br />
*IP or IPv6 related matchers are only valid if <var>mac-protocol</var> is either set to <code>ip</code> or <code>ipv6</code><br />
<br />
*802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards ('''note''': it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.<br />
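The first note above ties the <code>stp-*</code> matchers to frames sent to the Bridge Group address. The following added example (not part of the original manual and not MikroTik code) parses such a frame and labels each BPDU field with the matcher name it corresponds to, then checks whether a received BPDU claims a better root than the expected one. The function names, the name-to-field mapping, the conversion of timers to seconds and the sample frames are assumptions made for illustration.

```python
import struct

BRIDGE_GROUP_ADDRESS = bytes.fromhex("0180C2000000")
LLC_STP = b"\x42\x42\x03"  # DSAP 0x42, SSAP 0x42, control 0x03 (IEEE 802.2 LLC)
FLAG_NAMES = {0x01: "topology-change", 0x80: "topology-change-ack"}


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_bpdu(frame):
    """Map an Ethernet frame to stp-* matcher names, or None if STP matchers do not apply."""
    # STP matchers only apply to frames sent to the Bridge Group address.
    if len(frame) < 21 or frame[0:6] != BRIDGE_GROUP_ADDRESS:
        return None
    # BPDUs carry an 802.3 length field (<= 1500) followed by an 802.2 LLC header.
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500 or frame[14:17] != LLC_STP:
        return None
    bpdu = frame[17:14 + length]  # the length field excludes Ethernet padding
    if len(bpdu) < 4:
        return None
    protocol_id, _version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if protocol_id != 0:
        return None
    fields = {"src-mac-address": mac_str(frame[6:12])}
    if bpdu_type == 0x80:
        fields["stp-type"] = "tcn"  # a TCN BPDU has no further fields
        return fields
    if bpdu_type != 0x00 or len(bpdu) < 35:
        return None  # RST BPDUs (type 0x02) are outside this example
    (flags, root_prio, root_mac, root_cost, sender_prio, sender_mac,
     port, msg_age, max_age, hello, fwd_delay) = struct.unpack(
        "!BH6sIH6sHHHHH", bpdu[4:35])
    fields.update({
        "stp-type": "config",
        "stp-flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "stp-root-priority": root_prio,
        "stp-root-address": mac_str(root_mac),
        "stp-root-cost": root_cost,
        "stp-sender-priority": sender_prio,
        "stp-sender-address": mac_str(sender_mac),
        "stp-port": port,
        # Timers are encoded on the wire in units of 1/256 second.
        "stp-msg-age": msg_age / 256,
        "stp-max-age": max_age / 256,
        "stp-hello-time": hello / 256,
        "stp-forward-delay": fwd_delay / 256,
    })
    return fields


def advertises_better_root(fields, expected_priority, expected_mac):
    """True if a configuration BPDU claims a root with a lower bridge ID than expected."""
    if fields is None or fields.get("stp-type") != "config":
        return False
    claimed = (fields["stp-root-priority"],
               bytes.fromhex(fields["stp-root-address"].replace(":", "")))
    expected = (expected_priority, bytes.fromhex(expected_mac.replace(":", "")))
    return claimed < expected


# --- constructed sample frames (not captured traffic) ---
def config_bpdu(flags, root_prio, root_mac, cost, sender_prio, sender_mac, port):
    return struct.pack("!HBB", 0, 0, 0x00) + struct.pack(
        "!BH6sIH6sHHHHH", flags, root_prio, root_mac, cost, sender_prio,
        sender_mac, port, 0, 20 * 256, 2 * 256, 15 * 256)


def ethernet_frame(src_mac, bpdu, dst=BRIDGE_GROUP_ADDRESS):
    body = LLC_STP + bpdu
    frame = dst + src_mac + struct.pack("!H", len(body)) + body
    return frame.ljust(60, b"\x00")  # pad to the minimum Ethernet frame size


SWITCH = bytes.fromhex("020000000001")   # constructed MAC addresses
UNKNOWN = bytes.fromhex("020000000099")
SAMPLE_CONFIG = ethernet_frame(SWITCH, config_bpdu(0x01, 4096, SWITCH, 0, 4096, SWITCH, 0x8001))
SAMPLE_UNEXPECTED = ethernet_frame(UNKNOWN, config_bpdu(0x00, 0, UNKNOWN, 0, 0, UNKNOWN, 0x8001))
SAMPLE_TCN = ethernet_frame(SWITCH, struct.pack("!HBB", 0, 0, 0x80))
SAMPLE_UNICAST = ethernet_frame(SWITCH, config_bpdu(0, 4096, SWITCH, 0, 4096, SWITCH, 0x8001),
                                dst=bytes.fromhex("020000000002"))

if __name__ == "__main__":
    for label, frame in [("config", SAMPLE_CONFIG), ("unexpected", SAMPLE_UNEXPECTED),
                         ("tcn", SAMPLE_TCN), ("unicast", SAMPLE_UNICAST)]:
        parsed = parse_bpdu(frame)
        print(label, parsed,
              advertises_better_root(parsed, 4096, "02:00:00:00:00:01"))
```
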
<br />
==Bridge Packet Filter==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter</code></p><br />
<br /><br />
<p>This section describes the filtering options that are specific to <code>'/interface bridge filter'</code>.</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - add a message to the system log containing the following data: in-interface, out-interface, src-mac, dst-mac, eth-proto, protocol, src-ip:port->dst-ip:port and length of the packet. After a packet is matched, it is passed to the next rule in the list, similar to passthrough<br />
* <var>mark-packet</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
==Bridge NAT==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge nat</code></p><br />
<br /><br />
<p>This section describes the bridge NAT options that are specific to <code>'/interface bridge nat'</code>.</p><br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} mark-packet {{!}} redirect {{!}} set-priority {{!}} arp-reply {{!}} dst-nat {{!}} log {{!}} passthrough {{!}} return {{!}} src-nat<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule:<br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>arp-reply</var> - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain) <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>dst-nat</var> - change destination MAC address of a packet (only valid in dstnat chain) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - log the packet <br />
* <var>mark-packet</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>redirect</var> - redirect the packet to the bridge itself (only valid in dstnat chain) <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
* <var>src-nat</var> - change source MAC address of a packet (only valid in srcnat chain) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-arp-reply-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frame and ARP payload, when <code>action=arp-reply</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address to put in Ethernet frames, when <code>action=dst-nat</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=to-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frames, when <code>action=src-nat</code> is selected<br />
}}<br />
<br />
=See also=<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | Switch chip features]]<br />
* [[M:Maximum_Transmission_Unit_on_RouterBoards | MTU on RouterBOARD]]<br />
* [[Manual:Layer2_misconfiguration | Layer2 misconfiguration]]<br />
* [[Manual:Bridge_VLAN_Table | Bridge VLAN Table]]<br />
* [[Manual:Wireless VLAN Trunk | Wireless VLAN Trunk]]<br />
* [[Manual:VLANs_on_Wireless | VLANs on Wireless]]<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|B]]<br />
[[Category:Interface|B]]<br />
[[Category:Bridging and switching]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Bridge&diff=34174Manual:Interface/Bridge2020-08-17T06:47:40Z<p>Guntis: /* Bridge Interface Setup */</p>
<hr />
<div>{{Versions| v3, v4+}}<br />
<br />
=Summary=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code><br />
<br /><br />
<b>Standards:</b> <code>[https://en.wikipedia.org/wiki/IEEE_802.1D IEEE 802.1D] , [https://en.wikipedia.org/wiki/IEEE_802.1Q IEEE 802.1Q]</code><br />
</p><br />
<br /><br />
<br />
<p><br />
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE 802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).<br />
</p><br />
<br />
<p><br />
Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allow bridges to communicate with each other, so they can negotiate a loop-free topology. All other alternative connections that would otherwise form loops are put on standby, so that should the main connection fail, another connection can take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.<br />
</p><br />
<br />
=Bridge Interface Setup=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code></p><br />
<br /><br />
<p>To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces. The MAC address of the first bridge port that comes up will be chosen automatically and, depending on the port-number, it can change after a reboot.</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=add-dhcp-option82<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to add DHCP Option-82 information (Agent Remote ID and Agent Circuit ID) to DHCP packets. Can be used together with Option-82 capable DHCP server to assign IP addresses and implement policies. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=admin-mac<br />
|type=MAC address<br />
|default=none<br />
|desc=Static MAC address of the bridge. This property only has effect when <var>auto-mac</var> is set to <code>no</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ageing-time<br />
|type=time<br />
|default=00:05:00<br />
|desc=How long a host's information will be kept in the bridge database.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=Address Resolution Protocol setting<br />
* <code>disabled</code> - the interface will not use ARP<br />
* <code>enabled</code> - the interface will use ARP<br />
* <code>proxy-arp</code> - the interface will use the ARP proxy feature<br />
* <code>reply-only</code> - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the [[Manual:IP/ARP | IP/ARP]] table. No dynamic entries will be automatically stored in the [[Manual:IP/ARP | IP/ARP]] table. Therefore for communications to be successful, a valid static entry must already exist.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=How long an ARP record is kept in the ARP table after no packets are received from the IP address. Value <code>auto</code> equals the value of <var>arp-timeout</var> in [[Manual:IP/Settings | IP/Settings]], default is 30s.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-mac<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Automatically select one MAC address of the bridge ports as the bridge MAC address. The bridge MAC will be chosen from the first added bridge port. After a device reboot, the bridge MAC can change depending on the port-number.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dhcp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables DHCP Snooping on the bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Changes whether the bridge is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ether-type<br />
|type=0x9100 {{!}} 0x8100 {{!}} 0x88a8<br />
|default=0x8100<br />
|desc=Changes the EtherType, which will be used to determine if a packet has a VLAN tag. Packets that have a matching EtherType are considered as tagged packets. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-forward<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Special and faster case of [[Manual:Fast_Path | FastPath]] which works only on bridges with 2 interfaces (enabled by default only for new bridges). More details can be found in the [[ Manual:Interface/Bridge#Fast_Forward | Fast Forward]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forward-delay<br />
|type=time<br />
|default=00:00:15<br />
|desc=Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables multicast group and port learning to prevent multicast traffic from flooding all interfaces in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-version<br />
|type=2 {{!}} 3<br />
|default=2<br />
|desc=Selects the IGMP version in which IGMP general membership queries will be generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. By default, VLANs that don't exist in the bridge VLAN table are dropped before they are sent out (egress), but this property allows you to drop the packets when they are received (ingress). Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=read-only<br />
|default=<br />
|desc=L2MTU indicates the maximum size of the frame without MAC header that can be sent by this interface. The L2MTU value will be automatically set by the bridge and it will use the lowest L2MTU value of any associated bridge port. This value cannot be manually changed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-interval<br />
|type=time<br />
|default=1s<br />
|desc=If a port has <var>fast-leave</var> set to <code>no</code> and a bridge port receives an IGMP Leave message, then an IGMP Snooping enabled bridge will send an IGMP query to make sure that no devices are subscribed to a certain multicast stream on a bridge port. If an IGMP Snooping enabled bridge does not receive an IGMP membership report within <var>last-member-interval</var>, then the bridge considers that no one is subscribed to a certain multicast stream and can stop forwarding it. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=How many times <var>last-member-interval</var> should pass until an IGMP Snooping bridge stops forwarding a certain multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-hops<br />
|type=integer: 6..40<br />
|default=20<br />
|desc=Number of bridges a BPDU can pass through in an MSTP enabled network within the same region before the BPDU is ignored. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-message-age<br />
|type=time<br />
|default=00:00:20<br />
|desc=How long to remember Hello messages received from other STP/RSTP enabled bridges. This property only has effect when <var>protocol-mode</var> is set to <code>stp</code> or <code>rstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=membership-interval<br />
|type=time<br />
|default=4m20s<br />
|desc=Amount of time after which an entry in the Multicast Database (MDB) is removed if an IGMP membership report is not received on a certain port. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mld-version<br />
|type=1 {{!}} 2<br />
|default=1<br />
|desc=Selects the MLD version. Version 2 adds support for source-specific multicast. This property only has effect when RouterOS IPv6 package is enabled and <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer<br />
|default=auto<br />
|desc=Maximum transmission unit. By default, the bridge sets the MTU automatically and uses the lowest MTU value of any associated bridge port. The default bridge MTU value without any bridge ports added is 1500. The MTU value can be set manually, but it cannot exceed the bridge L2MTU or the lowest bridge port L2MTU. If a new bridge port is added with an L2MTU that is smaller than the actual-mtu of the bridge (set by the <var>mtu</var> property), then the manually set value will be ignored and the bridge will act as if <code>mtu=auto</code> is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-querier<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=A multicast querier generates IGMP general membership queries to which all IGMP capable devices respond with an IGMP membership report; usually a PIM (multicast) router generates these queries. By using this property you can make an IGMP Snooping enabled bridge generate IGMP general membership queries. This property should be used whenever there is no PIM (multicast) router in a Layer2 network or IGMP packets must be sent through multiple IGMP Snooping enabled bridges to reach a PIM (multicast) router. Without a multicast querier in a Layer2 network the Multicast Database (MDB) is not updated and IGMP Snooping will not function properly. Only untagged IGMP general membership queries are generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>. Additionally, <var>igmp-snooping</var> should be disabled/enabled after changing the <var>multicast-querier</var> property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Controls whether IGMP membership reports are forwarded to the bridge itself. This property can be used to forward IGMP membership reports to the bridge for statistics or to analyse them.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded to the bridge itself regardless of what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded through the bridge itself regardless of what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=text<br />
|default=bridgeN<br />
|desc=Name of the bridge interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..65535 decimal format or 0x0000-0xffff hex format<br />
|default=32768 / 0x8000<br />
|desc=Bridge priority, used by STP to determine root bridge, used by MSTP to determine CIST and IST regional root bridge. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=protocol-mode<br />
|type=none {{!}} rstp {{!}} stp {{!}} mstp<br />
|default=rstp<br />
|desc=Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a topology change. Select MSTP to ensure loop-free topology across multiple VLANs. Since RouterOS v6.43 it is possible to forward Reserved MAC addresses that are in '''01:80:C2:00:00:0X''' range, this can be done by setting the <var>protocol-mode</var> to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer: 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=querier-interval<br />
|type=time<br />
|default=4m15s<br />
|desc=Used to change how often a bridge checks if it is the active multicast querier. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-interval<br />
|type=time<br />
|default=2m5s<br />
|desc=Used to change how often IGMP general membership queries are sent out. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-response-interval<br />
|type=time<br />
|default=10s<br />
|desc=Interval in which an IGMP capable device must reply to an IGMP query with an IGMP membership report. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-name<br />
|type=text<br />
|default=<br />
|desc=MSTP region name. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-revision<br />
|type=integer: 0..65535<br />
|default=0<br />
|desc=MSTP configuration revision number. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=Specifies how many times <var>startup-query-interval</var> must pass until the bridge starts sending out IGMP general membership queries periodically. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-interval<br />
|type=time<br />
|default=31s250ms<br />
|desc=Used to change the amount of time after which a bridge starts sending out IGMP general membership queries once the bridge is enabled. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=transmit-hold-count<br />
|type=integer: 1..10<br />
|default=6<br />
|desc=The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Globally enables or disables VLAN functionality for bridge.<br />
}}<br />
<br /><br />
<br />
{{ Warning | Changing certain properties can cause the bridge to temporarily disable all ports. This must be taken into account whenever changing such properties on production environments since it can cause all packets to be temporarily dropped. Such properties include <var>vlan-filtering</var>, <var>protocol-mode</var>, <var>igmp-snooping</var>, <var>fast-forward</var> and others. }}<br />
<br />
<br />
==Example==<br />
<br />
<p>To add and enable a bridge interface that will forward all the protocols:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> add <br />
[admin@MikroTik] /interface bridge> print <br />
Flags: X - disabled, R - running <br />
0 R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled <br />
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 <br />
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s <br />
forward-delay=15s transmit-hold-count=6 ageing-time=5m <br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Spanning Tree Protocol=<br />
<br />
RouterOS bridge interfaces are capable of running Spanning Tree Protocol to ensure a loop-free and redundant topology. For small networks with just 2 bridges STP does not bring many benefits, but for larger networks a properly configured STP is crucial; leaving STP related values at their defaults may result in a completely unreachable network in case of even a single bridge failure. To achieve a proper loop-free and redundant topology, it is necessary to properly set bridge priorities, port path costs and port priorities. <br />
<br />
{{ Warning | In RouterOS it is possible to set any value for bridge priority between 0 and 65535, but the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can cause incompatibility issues between devices that do not support such values. To avoid compatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 }}<br />
<br />
STP has multiple variants; currently RouterOS supports STP, RSTP and MSTP. Depending on needs, any one of them can be used. Some devices are able to run some of these protocols using hardware offloading; detailed information about which devices support it can be found in the [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Hardware Offloading ]] section. STP is considered to be outdated and slow; it has been almost entirely replaced in all network topologies by RSTP, which is backwards compatible with STP. For network topologies that depend on VLANs, it is recommended to use MSTP since it is a VLAN aware protocol and gives the ability to do load balancing per VLAN groups. There are a lot of considerations that should be made when designing an STP enabled network; more detailed case studies can be found in the [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol ]] section. In RouterOS the <var>protocol-mode</var> property controls the used STP variant.<br />
<br />
{{ Note | By the IEEE 802.1ad standard the BPDUs from bridges that comply with IEEE 802.1Q are not compatible with IEEE 802.1ad bridges, this means that the same bridge VLAN protocol should be used across all bridges in a single Layer2 domain, otherwise (R/M)STP will not function properly. }}<br />
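The root bridge rule (lowest bridge ID wins) and the priority warning above can be checked against an inventory before a topology goes live. This is an added example, not part of the original manual or MikroTik code: the bridge names and MAC addresses are constructed, the function names are hypothetical, and the split of the 16-bit field into a 4-bit priority and a 12-bit system ID extension is background from IEEE 802.1D-2004 rather than from this page.

```python
PRIORITY_STEP = 4096
RECOMMENDED_PRIORITIES = list(range(0, 65536, PRIORITY_STEP))  # 0, 4096, ... 61440


def split_priority(value):
    """Return (priority, system ID extension) as read by a bridge that treats the
    upper 4 bits as the priority and the lower 12 bits as the extension."""
    return value & 0xF000, value & 0x0FFF


def bridge_id(priority, mac):
    """Bridge ID as a sortable tuple: the priority is compared first, then the MAC."""
    return priority, bytes.fromhex(mac.replace(":", ""))


def audit_bridges(bridges, intended_root=None):
    """Return (elected_root_name, findings) for a list of bridge dicts with the
    keys name, priority and mac. Each finding is (bridge, kind, detail)."""
    findings = []
    for bridge in bridges:
        if bridge["priority"] % PRIORITY_STEP:
            priority, extension = split_priority(bridge["priority"])
            findings.append((
                bridge["name"], "priority-not-multiple-of-4096",
                f"{bridge['priority']} may be read as priority {priority} "
                f"with system ID extension {extension}"))

    ranked = sorted(bridges, key=lambda b: bridge_id(b["priority"], b["mac"]))
    root = ranked[0]

    # If several bridges share the lowest priority, the lowest MAC address
    # decides the election, which is rarely what the designer intended.
    tied = [b["name"] for b in ranked if b["priority"] == root["priority"]]
    if len(tied) > 1:
        findings.append((
            root["name"], "root-decided-by-mac",
            "same priority on: " + ", ".join(tied)))

    if intended_root is not None and root["name"] != intended_root:
        findings.append((
            root["name"], "unexpected-root",
            f"elected instead of {intended_root}"))
    return root["name"], findings


# --- constructed inventories (not real devices) ---
SAMPLE_DEFAULTS = [   # every bridge left at the default priority 0x8000
    {"name": "core", "priority": 0x8000, "mac": "02:00:00:00:00:30"},
    {"name": "dist", "priority": 0x8000, "mac": "02:00:00:00:00:20"},
    {"name": "access", "priority": 0x8000, "mac": "02:00:00:00:00:10"},
]
SAMPLE_TUNED = [      # priorities set in steps of 4096
    {"name": "core", "priority": 4096, "mac": "02:00:00:00:00:30"},
    {"name": "dist", "priority": 8192, "mac": "02:00:00:00:00:20"},
    {"name": "access", "priority": 32768, "mac": "02:00:00:00:00:10"},
]
SAMPLE_ODD = [        # a value RouterOS accepts but that is not a step of 4096
    {"name": "core", "priority": 4097, "mac": "02:00:00:00:00:30"},
    {"name": "dist", "priority": 8192, "mac": "02:00:00:00:00:20"},
]

if __name__ == "__main__":
    for label, inventory in [("defaults", SAMPLE_DEFAULTS),
                             ("tuned", SAMPLE_TUNED), ("odd", SAMPLE_ODD)]:
        root_name, problems = audit_bridges(inventory, intended_root="core")
        print(label, "root:", root_name)
        for problem in problems:
            print("  ", problem)
```
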
<br />
== Per port STP ==<br />
There might be certain situations where you want to limit STP functionality on a single or multiple ports. Below you can find some examples for different use cases.<br />
<br />
{{ Warning | Be careful when changing the default (R/M)STP functionality, make sure you understand the working principles of STP and BPDUs. Misconfigured (R/M)STP can cause unexpected behaviour. }}<br />
<br />
* Don't send out BPDUs from a certain port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
/interface bridge filter<br />
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether1<br />
</pre><br />
<br />
In this example BPDUs will not be sent out through '''ether1'''. If the bridge is the root bridge, then loop detection will not work on this port. If another bridge is connected to '''ether1''', then the other bridge will not receive any BPDUs and therefore might become a second root bridge. You might want to consider blocking received BPDUs as well.<br />
<br />
{{ Note | You can use [[ Manual:Interface/List | Interface Lists]] to specify multiple interfaces. }}<br />
<br />
* Dropping received BPDUs on a certain port can be done on some switch chips using ACL rules, but the Bridge Filter Input rules cannot do it if bridge has STP/RSTP/MSTP enabled because then received BPDUs have special processing in the bridge.<br />
<br />
On CRS3xx:<br />
<pre><br />
/interface ethernet switch rule<br />
add dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether1 switch=switch1<br />
</pre><br />
<br />
Or on CRS1xx/CRS2xx with [[Manual:CRS1xx/2xx_series_switches#Cloud_Router_Switch_models | Access Control List (ACL) support]]:<br />
<pre><br />
/interface ethernet switch acl<br />
add action=drop mac-dst-address=01:80:C2:00:00:00 src-ports=ether1<br />
</pre><br />
<br />
In this example all received BPDUs on '''ether1''' are dropped. This will prevent other bridges on that port becoming a root bridge.<br />
<br />
{{ Warning | If you intend to drop received BPDUs on a port, then make sure to prevent BPDUs from being sent out from the interface that this port is connected to. A root bridge always sends out BPDUs and under normal conditions is waiting for a more superior BPDU (from a bridge with a lower bridge ID), but the bridge must temporarily disable the new root-port when transitioning from a root bridge to designated bridge. If you have blocked BPDUs only on one side, then a port will flap continuously. }}<br />
<br />
* Don't allow BPDUs on a port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1 bpdu-guard=yes<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
</pre><br />
<br />
In this example if '''ether1''' receives a BPDU, it will block the port and will require you to manually re-enable it.<br />
<br />
=Bridge Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge settings</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing ([[Manual:Packet_Flow_v6 | Packet Flow]]). This does not apply to routed traffic. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to traffic in a bridge. Property <var>use-ip-firewall-for-vlan</var> is required in case bridge <var>vlan-filtering</var> is used.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-pppoe<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged un-encrypted PPPoE traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to PPPoE traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-vlan<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged VLAN traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to VLAN traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-fast-path<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to enable a bridge [[Manual:Fast_Path | FastPath]] globally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-active<br />
|type=yes {{!}} no<br />
|default=''<br />
|desc=Shows whether a bridge FastPath is active globally, FastPath status per bridge interface is not displayed. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge FastPath.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Path.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-forward-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=bridge-fast-forward-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{ Note | In case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] (Simple QoS) or global [[ Manual:Queue#Queue_Tree | Queue Trees]] to traffic that is being forwarded by a bridge, then you need to enable the <var>use-ip-firewall</var> property. Without using this property the bridge traffic will never reach the postrouting chain, [[Manual:Queue#Simple_Queues | Simple Queues]] and global [[ Manual:Queue#Queue_Tree | Queue Trees]] are working in the postrouting chain. To assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Trees]] for VLAN or PPPoE traffic in a bridge you should enable appropriate properties as well. }}<br />
<br />
=Port Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port</code></p><br />
<br /><br />
<p>Port submenu is used to enslave interfaces in a particular bridge interface.</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-isolate<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, prevents a port moving from discarding into forwarding state if no BPDUs are received from the neighboring bridge. The port will change into a forwarding state only when a BPDU is received. This property only has an effect when <var>protocol-mode</var> is set to <code>rstp</code> or <code>mstp</code> and <var>edge</var> is set to <code>no</code>. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bpdu-guard<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables BPDU Guard feature on a port. This feature puts the port in a disabled role if it receives a BPDU and requires the port to be manually disabled and enabled if a BPDU was received. Should be used to prevent a bridge from BPDU related attacks. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface the respective interface is grouped in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=broadcast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods broadcast traffic to all bridge egress ports. When disabled, drops broadcast traffic on egress ports. Can be used to filter all broadcast traffic on an egress port. Broadcast traffic is considered as traffic that uses '''FF:FF:FF:FF:FF:FF''' as destination MAC address, such traffic is crucial for many protocols such as DHCP, ARP, NDP, BOOTP (Netinstall) and others. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=edge<br />
|type=auto {{!}} no {{!}} no-discover {{!}} yes {{!}} yes-discover<br />
|default=auto<br />
|desc=Set port as edge port or non-edge port, or enable edge discovery. Edge ports are connected to a LAN that has no other bridges attached. An edge port will skip the learning and the listening states in STP and will transition directly to the forwarding state, this reduces the STP initialization time. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
* <code>no</code> - non-edge port, will participate in learning and listening states in STP.<br />
* <code>no-discover</code> - non-edge port with enabled discovery, will participate in learning and listening states in STP, a port can become edge port if no BPDU is received.<br />
* <code>yes</code> - edge port without discovery, will transit directly to forwarding state.<br />
* <code>yes-discover</code> - edge port with enabled discovery, will transit directly to forwarding state.<br />
* <code>auto</code> - same as <code>no-discover</code>, but will additionally detect if bridge port is a Wireless interface with disabled bridge-mode, such interface will be automatically set as an edge port without discovery.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=external-fdb<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Whether to use wireless registration table to speed up bridge host learning. If there are no Wireless interfaces in a bridge, then setting <var>external-fdb</var> to <code>yes</code> will disable MAC learning and the bridge will act as a hub (disables hardware offloading). Replaced with <var>learn</var> parameter in RouterOS v6.42<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-leave<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables IGMP Fast leave feature on the port. Bridge will stop forwarding traffic to a bridge port whenever an IGMP Leave message is received for appropriate multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed ingress frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=learn<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Changes MAC learning behaviour on a bridge port<br />
* <code>yes</code> - enables MAC learning<br />
* <code>no</code> - disables MAC learning<br />
* <code>auto</code> - detects if bridge port is a Wireless interface and uses Wireless registration table instead of MAC learning, will use Wireless registration table if the [[Manual:Interface/Wireless | Wireless interface]] is set to one of <var>ap-bridge,bridge,wds-slave</var> mode and bridge mode for the [[Manual:Interface/Wireless | Wireless interface]] is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes the state of a bridge port whether IGMP membership reports are going to be forwarded to this port. By default IGMP membership reports (most importantly IGMP Join messages) are only forwarded to ports that have a multicast router or an IGMP Snooping enabled bridge connected to them. Without at least one port marked as a <code>multicast-router</code> IPTV might not work properly, it can be either detected automatically or forced manually.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded through this port regardless what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded through this port regardless what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges.<br />
You can improve security by forcing ports that have IPTV boxes connected to never become ports marked as <code>multicast-router</code>. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=horizon<br />
|type=integer 0..429496729<br />
|default=none<br />
|desc=Use split horizon bridging to prevent bridging loops. Set the same value for group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading. Read more about [[MPLSVPLS#Split_horizon_bridging | Bridge split horizon]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=internal-path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface for MSTI0 inside a region. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface, used by STP to determine the "best" path, used by MSTP to determine "best" path between regions. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=point-to-point<br />
|type=auto {{!}} yes {{!}} no<br />
|default=auto<br />
|desc=Specifies if a bridge port is connected to a bridge using a point-to-point link for faster convergence in case of failure. Setting this property to <code>yes</code> forces the link to be a point-to-point link and skips the checking mechanism that detects and waits for BPDUs from other devices on this single link. Setting this property to <code>no</code> means you expect that the link can receive BPDUs from multiple devices. Setting the property to <code>yes</code> significantly improves (R/M)STP convergence time. In general, you should only set this property to <code>no</code> if it is possible that another device can be connected in between on the link; this is mostly relevant to Wireless mediums and Ethernet hubs. If the Ethernet link is full-duplex, <code>auto</code> enables point-to-point functionality. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..240<br />
|default=128<br />
|desc=The priority of the interface, used by STP to determine the root port, used by MSTP to determine root port between regions.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-role<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enable the restricted role on a port, used by STP to forbid a port becoming a root port. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-tcn<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable topology change notification (TCN) sending on a port, used by STP to forbid network topology changes to propagate. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tag-stacking<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Forces all packets to be treated as untagged packets. Packets on ingress port will be tagged with another VLAN tag regardless if a VLAN tag already exists, packets will be tagged with a VLAN ID that matches the <var>pvid</var> value and will use EtherType that is specified in <var>ether-type</var>. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trusted<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, allows DHCP packets to be forwarded towards the DHCP server through this port. Mainly used to prevent unauthorized servers from providing malicious information to users. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unknown-multicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown multicast traffic to all bridge egress ports. When disabled, drops unknown multicast traffic on egress ports. Multicast addresses that are in <code>/interface bridge mdb</code> are considered as learned multicasts and therefore will not be flooded to all ports. Without IGMP Snooping all multicast traffic will be dropped on egress ports. Has effect only on an egress port. This option does not limit traffic flood to the CPU. Note that local multicast addresses (224.0.0.0/24) are not flooded when <var>unknown-multicast-flood</var> is disabled, as a result some protocols that rely on local multicast addresses might not work properly, such protocols are RIPv2, OSPF, mDNS, VRRP and others. Some protocols do send an IGMP join request and therefore are compatible with IGMP Snooping, some OSPF implementations are compatible with RFC1584, RouterOS OSPF implementation is not compatible with IGMP Snooping. This property should only be used when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=unknown-unicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown unicast traffic to all bridge egress ports. When disabled, drops unknown unicast traffic on egress ports. If a MAC address is not learned in <code>/interface bridge host</code>, then the traffic is considered as unknown unicast traffic and will be flooded to all ports. MAC address is learnt as soon as a packet on a bridge port is received, then the source MAC address is added to the bridge host table. Since it is required for the bridge to receive at least one packet on the bridge port to learn the MAC address, it is recommended to use static bridge host entries to avoid packets being dropped until the MAC address has been learnt. Has effect only on an egress port. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
==Example==<br />
<br />
<p>To group <b>ether1</b> and <b>ether2</b> in the already created <b>bridge1</b> bridge</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1<br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2<br />
[admin@MikroTik] /interface bridge port> print <br />
Flags: X - disabled, I - inactive, D - dynamic <br />
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON <br />
0 ether1 bridge1 0x80 10 none <br />
1 ether2 bridge1 0x80 10 none <br />
[admin@MikroTik] /interface bridge port> <br />
</pre><br />
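<br />
The "only has effect when" dependencies in the table above are easy to get wrong, so a port can look protected while the setting is inert. The following audit of a configuration export is an added example, not MikroTik code: the export text and the set of host-facing ports are constructed, the bridge defaults are assumed from RouterOS v6, and the "host port" findings are an assumed policy built on the table's descriptions.<br />

```python
import shlex

# Bridge-level defaults (assumption: RouterOS v6 defaults, not stated in this section).
BRIDGE_DEFAULTS = {"protocol-mode": "rstp", "igmp-snooping": "no",
                   "dhcp-snooping": "no", "vlan-filtering": "no"}

# (port property, bridge property it depends on, test that the dependency is met),
# taken from the "only has effect when ..." sentences of the Port Settings table.
DEPENDS = [
    ("bpdu-guard", "protocol-mode", lambda v: v != "none"),
    ("restricted-role", "protocol-mode", lambda v: v == "mstp"),
    ("restricted-tcn", "protocol-mode", lambda v: v == "mstp"),
    ("trusted", "dhcp-snooping", lambda v: v == "yes"),
    ("ingress-filtering", "vlan-filtering", lambda v: v == "yes"),
]

def parse_export(text):
    """Return ({bridge name: settings}, [port settings]) from export text."""
    bridges, ports, menu = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu line, e.g. "/interface bridge port"
            menu = line
            continue
        words = shlex.split(line)         # handles quoted values such as comment="a b"
        if not words or words[0] != "add":
            continue
        props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if menu == "/interface bridge" and "name" in props:
            bridges[props["name"]] = {**BRIDGE_DEFAULTS, **props}
        elif menu == "/interface bridge port":
            ports.append(props)
    return bridges, ports

def audit(text, host_ports):
    """Return sorted (interface, finding) tuples.

    host_ports: interfaces that face end hosts, where no other bridge,
    DHCP server or multicast router is expected (supplied by the operator).
    """
    bridges, ports = parse_export(text)
    findings = []
    for p in ports:
        iface = p.get("interface", "?")
        br = bridges.get(p.get("bridge"), BRIDGE_DEFAULTS)
        # 1. Properties that are set but inert because of the bridge settings.
        for prop, dep, met in DEPENDS:
            if p.get(prop) == "yes" and not met(br[dep]):
                findings.append((iface, f"{prop}=yes has no effect: {dep}={br[dep]}"))
        if iface not in host_ports:
            continue
        # 2. Host-facing ports missing the protections the table describes.
        if br["protocol-mode"] != "none" and p.get("bpdu-guard", "no") != "yes":
            findings.append((iface, "host port without bpdu-guard=yes"))
        if br["dhcp-snooping"] == "yes" and p.get("trusted", "no") == "yes":
            findings.append((iface, "host port is a trusted DHCP snooping port"))
        if (br["igmp-snooping"] == "yes"
                and p.get("multicast-router", "temporary-query") != "disabled"):
            findings.append((iface, "host port may become multicast-router"))
    return sorted(findings)

# Constructed sample export; ether3 is the uplink, the rest face end hosts.
SAMPLE_EXPORT = """
/interface bridge
add name=bridge1 protocol-mode=rstp dhcp-snooping=yes igmp-snooping=yes
add name=bridge2 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1 bpdu-guard=yes multicast-router=disabled
add bridge=bridge1 interface=ether2 trusted=yes
add bridge=bridge1 interface=ether3 restricted-role=yes
add bridge=bridge2 interface=ether4 bpdu-guard=yes
"""
HOST_PORTS = {"ether1", "ether2", "ether4"}

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_EXPORT, HOST_PORTS):
        print(f"{iface}: {finding}")
```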
<br />
=Interface lists=<br />
Starting with RouterOS v6.41 it is possible to add interface lists as a bridge port and sort them. Interface lists are useful for creating simpler firewall rules, you can read more about interface lists at the [[Manual:Interface/List | Interface List ]] section. Below is an example of how to add an interface list to a bridge:<br />
<pre><br />
/interface list member<br />
add interface=ether1 list=LAN1<br />
add interface=ether2 list=LAN1<br />
add interface=ether3 list=LAN2<br />
add interface=ether4 list=LAN2<br />
/interface bridge port<br />
add bridge=bridge1 interface=LAN1<br />
add bridge=bridge1 interface=LAN2<br />
</pre><br />
<br />
Ports from an interface list added to a bridge will show up as dynamic ports:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN1 bridge1<br />
1 D ether1 bridge1<br />
2 D ether2 bridge1<br />
3 LAN2 bridge1<br />
4 D ether3 bridge1<br />
5 D ether4 bridge1 <br />
</pre><br />
<br />
It is also possible to sort the order in which lists appear in the <code>/interface bridge port</code> menu. This can be done using the <code>move</code> command. Below is an example of how to sort interface lists:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port move 3 0<br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN2 bridge1<br />
1 D ether3 bridge1<br />
2 D ether4 bridge1<br />
3 LAN1 bridge1<br />
4 D ether1 bridge1<br />
5 D ether2 bridge1<br />
</pre><br />
<br />
{{ Note | The second parameter when moving interface lists is treated as "before id": it specifies the interface list before which the selected interface list is placed. Moving the first interface list in place of the second interface list has no effect, since the first list would be moved before the second list, which is already the current state.}}<br />
<br />
=Hosts Table=<br />
<br />
MAC addresses that have been learned on a bridge interface can be viewed in the <code>/interface bridge host</code> menu. Below is a table of parameters and flags that can be viewed.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>age</b></var> (<em>read-only: time</em>)</td><br />
<td>The time since the last packet was received from the host. Appears only for dynamic, non-external and non-local host entries</td><br />
</tr><br />
<tr><br />
<td><var><b>bridge</b></var> (<em>read-only: name</em>)</td><br />
<td>The bridge the entry belongs to</td><br />
</tr><br />
<tr><br />
<td><var><b>disabled</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the static host entry is disabled</td><br />
</tr><br />
<tr><br />
<td><var><b>dynamic</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been dynamically created</td><br />
</tr><br />
<tr><br />
<td><var><b>external</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been learned using an external table, for example, from a switch chip or Wireless registration table. Adding a static host entry on a hardware-offloaded bridge port will also display an active external flag</td><br />
</tr><br />
<tr><br />
<td><var><b>invalid</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is invalid, can appear for statically configured hosts on already removed interface</td><br />
</tr><br />
<tr><br />
<td><var><b>local</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is created from the bridge itself (that way all local interfaces are shown)</td><br />
</tr><br />
<tr><br />
<td><var><b>mac-address</b></var> (<em>read-only: MAC address</em>)</td><br />
<td>Host's MAC address</td><br />
</tr><br />
<tr><br />
<td><var><b>on-interface</b></var> (<em>read-only: name</em>)</td><br />
<td>Which of the bridged interfaces the host is connected to</td><br />
</tr><br />
</table><br />
<br />
==Monitoring==<br />
<p>To get the active hosts table:</p><br />
<pre><br />
[admin@MikroTik] > interface bridge host print <br />
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external <br />
# MAC-ADDRESS VID ON-INTERFACE BRIDGE AGE<br />
0 D E D4:CA:6D:E1:B5:7E ether2 bridge1<br />
1 DL E4:8D:8C:73:70:37 bridge1 bridge1<br />
2 D D4:CA:6D:E1:B5:7F ether3 bridge2 27s<br />
3 DL E4:8D:8C:73:70:38 bridge2 bridge2<br />
</pre><br />
<br />
==Static entries==<br />
<br />
Since RouterOS v6.42 it is possible to add a static MAC address entry into the hosts table. This can be used to forward a certain type of traffic through a specific port. Another use case for static host entries is protecting the device resources by disabling dynamic learning and relying only on configured static host entries. Below is a table of possible parameters that can be set when adding a static MAC address entry into the hosts table.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface to which the MAC address is going to be assigned.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disables/enables static MAC address entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=MAC address that will be added to the hosts table statically.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vid<br />
|type=integer: 1..4094<br />
|default=<br />
|desc=VLAN ID for the statically added MAC address entry.<br />
}}<br />
<br />
For example, if it was required that all traffic destined to '''4C:5E:0C:4D:12:43''' is forwarded only through '''ether2''', then the following commands can be used:<br />
<pre><br />
/interface bridge host<br />
add bridge=bridge interface=ether2 mac-address=4C:5E:0C:4D:12:43<br />
</pre><br />
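<br />
How static host entries interact with the <var>learn</var>, <var>unknown-unicast-flood</var> and <var>broadcast-flood</var> port settings described earlier can be seen in a small forwarding model. This is an added example, not RouterOS code: it is a simplified software model that ignores VLANs, ageing and hardware offloading, assumes static entries take precedence over learned ones, and uses constructed sender addresses.<br />

```python
from dataclasses import dataclass, field

BROADCAST = "FF:FF:FF:FF:FF:FF"

@dataclass
class Port:
    name: str
    learn: bool = True                   # models learn=yes|no
    unknown_unicast_flood: bool = True   # models unknown-unicast-flood=yes|no
    broadcast_flood: bool = True         # models broadcast-flood=yes|no

@dataclass
class Bridge:
    ports: dict = field(default_factory=dict)    # port name -> Port
    static: dict = field(default_factory=dict)   # MAC -> port name (static hosts)
    dynamic: dict = field(default_factory=dict)  # MAC -> port name (learned hosts)

    def add_port(self, name, **settings):
        self.ports[name] = Port(name, **settings)

    def add_static(self, mac, interface):
        self.static[mac.upper()] = interface

    def receive(self, in_port, src, dst):
        """Process one frame and return the sorted list of egress port names."""
        src, dst = src.upper(), dst.upper()
        # Learning: the source MAC is recorded on the ingress port as soon as a
        # frame is received there, unless learning is disabled on that port.
        if self.ports[in_port].learn:
            self.dynamic[src] = in_port
        others = [p for p in self.ports.values() if p.name != in_port]
        if dst == BROADCAST:
            return sorted(p.name for p in others if p.broadcast_flood)
        # Model assumption: a static entry wins over a learned one.
        known = self.static.get(dst) or self.dynamic.get(dst)
        if known is not None:
            return [] if known == in_port else [known]
        # Unknown unicast: flooded only to egress ports that allow it.
        return sorted(p.name for p in others if p.unknown_unicast_flood)

def demo():
    target = "4C:5E:0C:4D:12:43"    # MAC from the static entry example above
    sender = "02:00:00:00:00:01"    # constructed, locally administered address
    out = {}

    # Default settings: a frame to a host that has not spoken yet is flooded.
    default = Bridge()
    for name in ("ether1", "ether2", "ether3"):
        default.add_port(name)
    out["default_unknown"] = default.receive("ether1", sender, target)

    # Restricted settings: no unknown unicast flooding, no learning on ether3.
    hard = Bridge()
    hard.add_port("ether1", unknown_unicast_flood=False)
    hard.add_port("ether2", unknown_unicast_flood=False)
    hard.add_port("ether3", learn=False, unknown_unicast_flood=False)
    # Without a static entry the frame is dropped until the target is learned.
    out["hardened_unknown"] = hard.receive("ether1", sender, target)
    hard.add_static(target, "ether2")
    out["hardened_static"] = hard.receive("ether1", sender, target)

    # Constructed burst of 1000 distinct source MACs arriving on ether3:
    # with learn=no the dynamic table does not grow.
    for i in range(1000):
        mac = "02:00:00:00:%02X:%02X" % (i >> 8, i & 0xFF)
        hard.receive("ether3", mac, BROADCAST)
    out["dynamic_entries"] = len(hard.dynamic)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```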
<br />
=Bridge Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge monitor</code></p><br />
<br /><br />
<p>Used to monitor the current status of a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="35%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>current-mac-address</b></var> (<em>MAC address</em>)</td><br />
<td>Current MAC address of the bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>designated-port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of designated bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of the bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge</b></var> (<em>yes | no</em>)</td><br />
<td>Shows whether bridge is the root bridge of the spanning tree</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge-id</b></var> (<em>text</em>)</td><br />
<td>The root bridge ID, which is in form of bridge-priority.bridge-MAC-address</td><br />
</tr><br />
<tr><br />
<td><var><b>root-path-cost</b></var> (<em>integer</em>)</td><br />
<td>The total cost of the path to the root-bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>root-port</b></var> (<em>name</em>)</td><br />
<td>Port to which the root bridge is connected</td><br />
</tr><br />
<tr><br />
<td><var><b>state</b></var> (<em>enabled | disabled</em>)</td><br />
<td>State of the bridge</td><br />
</tr><br />
</table><br />
<br />
<h3>Example</h3><br />
<br />
<p>To monitor a bridge:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> monitor bridge1 <br />
state: enabled<br />
current-mac-address: 00:0C:42:52:2E:CE<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
<br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Bridge Port Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port monitor</code></p><br />
<br /><br />
<p>Statistics of an interface that belongs to a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>edge-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is an edge port or not.</td><br />
</tr><br />
<tr><br />
<td><var><b>edge-port-discovery</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is set to automatically detect edge ports.</td><br />
</tr><br />
<tr><br />
<td><var><b>external-fdb</b></var> (<em>yes | no</em>)</td><br />
<td>Whether registration table is used instead of forwarding data base.</td><br />
</tr><br />
<tr><br />
<td><var><b>forwarding</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is not blocked by (R/M)STP.</td><br />
</tr><br />
<tr><br />
<td><var><b>hw-offload-group</b></var> (<em>switchX</em>)</td><br />
<td>Switch chip used by the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>learning</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is currently listening for BPDUs.</td><br />
</tr><br />
<tr><br />
<td><var><b>multicast-router</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if a multicast router is detected on the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>port-number</b></var> (<em>integer 1..4095</em>)</td><br />
<td>port-number will be assigned in the order that ports got added to the bridge, but this is only true until reboot. After reboot internal numbering will be used - for example, sfp ports will have first port-numbers, followed by Ethernet ports in order, ether1, ether2, etc.</td><br />
</tr><br />
<tr><br />
<td><var><b>point-to-point-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is connected to a bridge port using full-duplex (yes) or half-duplex (no).</td><br />
</tr><br />
<tr><br />
<td><var><b>role</b></var> (<em>designated | root port | alternate | backup | disabled</em>)</td><br />
<td><br />
(R/M)STP algorithm assigned role of the port:<br />
* <code>Disabled port</code> - not strictly part of STP, a network administrator can manually disable a port<br />
* <code>Root port</code> - a forwarding port that is the best port from Nonroot-bridge to Rootbridge<br />
* <code>Alternative port</code> - an alternate path to the root bridge. This path is different than using the root port<br />
* <code>Designated port</code> - a forwarding port for every LAN segment<br />
* <code>Backup port</code> - a backup/redundant path to a segment where another bridge port already connects.<br />
</td><br />
</tr><br />
<tr><br />
<td><var><b>sending-rstp</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is sending BPDU messages</td><br />
</tr><br />
<tr><br />
<td><var><b>status</b></var> (<em>in-bridge | inactive</em>)</td><br />
<td>Port status:<br />
* <code>in-bridge</code> - port is enabled.<br />
* <code>inactive</code> - port is disabled.<br />
</td><br />
</tr><br />
</table><br />
<br />
==Example==<br />
<br />
<p>To monitor a bridge port:</p><br />
<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor 0 <br />
status: in-bridge<br />
port-number: 1<br />
role: designated-port<br />
edge-port: no<br />
edge-port-discovery: yes<br />
point-to-point-port: no<br />
external-fdb: no<br />
sending-rstp: no<br />
learning: yes<br />
forwarding: yes<br />
<br />
[admin@MikroTik] /interface bridge port><br />
</pre><br />
<br />
=Bridge Hardware Offloading=<br />
<br />
Since RouterOS v6.41 it is possible to switch multiple ports together if a device has a built-in switch chip. While a bridge is a software feature that will consume CPU resources, the bridge hardware offloading feature allows you to use the built-in switch chip to forward packets, which lets you achieve higher throughput if configured correctly. In previous versions (prior to RouterOS v6.41) you had to use the <var>master-port</var> property to switch multiple ports together, but in RouterOS v6.41 this property is replaced with the bridge hardware offloading feature, which allows you to switch ports and use some of the bridge features, for example, [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol]]. More details about the outdated <var>master-port</var> property can be found in the [[Manual:Master-port | Master-port]] page.<br />
<br />
{{ Note | When upgrading from previous versions (before RouterOS v6.41), the old <var>master-port</var> configuration is automatically converted to the new '''Bridge Hardware Offloading''' configuration. When downgrading from newer versions (RouterOS v6.41 and newer) to older versions (before RouterOS v6.41) the configuration is not converted back, a bridge without hardware offloading will exist instead, in such a case you need to reconfigure your device to use the old <var>master-port</var> configuration. }}<br />
<br />
Below is a list of devices and features that support hardware offloading (+) or disable hardware offloading (-):<br />
<br />
{| border="1" class="wikitable collapsible sortable" style="text-align: center"<br />
| nowrap style="background-color: #CCC;* " | <b><u>RouterBoard/[Switch Chip] Model</u></b><br />
| nowrap style="background-color: #CCC;* " | <b>Features in Switch menu</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge STP/RSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge MSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge IGMP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge DHCP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge VLAN Filtering</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bonding</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS3xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS1xx/CRS2xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>+ <small style="font-size:60%;">1</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [QCA8337]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8327]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|-<br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8227]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8316]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros7240]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [MT7621]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [RTL8367]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [ICPlus175D]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
|}<br />
<br />
<b>NOTES:</b><br />
# Feature will not work properly in VLAN switching setups. It is possible to correctly snoop DHCP packets only for a single VLAN, but this requires that these DHCP messages get tagged with the correct VLAN tag using an ACL rule, for example, <code>/interface ethernet switch acl add dst-l3-port=67-68 ip-protocol=udp mac-protocol=ip new-customer-vid=10 src-ports=switch1-cpu</code>. DHCP Option 82 will not contain any information regarding VLAN-ID. <br />
# Feature will not work properly in VLAN switching setups.<br />
<br />
{{ Note | When upgrading from older versions (before RouterOS v6.41), only the <var>master-port</var> configuration is converted. For each <var>master-port</var> a bridge will be created. VLAN configuration is not converted and should not be changed, check the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide to be sure how VLAN switching should be configured for your device. }}<br />
<br />
Bridge Hardware Offloading should be considered as port switching, but with more possible features. By enabling hardware offloading you are allowing a built-in switch chip to process packets using its switching logic. The diagram below illustrates that switching occurs before any software related action:<br />
<br />
[[File:switch-png.png|center]]<br />
<br />
A packet that is received by one of the ports always passes through the switch logic first. Switch logic decides which ports the packet should go to (most commonly this decision is made based on the destination MAC address of a packet, but other criteria might be involved based on the packet and the configuration). In most cases the packet will not be visible to RouterOS (only statistics will show that a packet has passed through), because the packet was already processed by the switch chip and never reached the CPU, though it is possible in certain situations to allow a packet to be processed by the CPU. To allow the CPU to process a packet you need to forward the packet to the CPU and not allow the switch chip to forward the packet through a switch port directly, this is usually called passing a packet to the switch CPU port (or the bridge CPU port in a bridge VLAN filtering scenario).<br />
<br />
By passing a packet to the switch CPU port you are prohibiting the switch chip from forwarding the packet directly, this allows the CPU to process the packet and lets the CPU forward the packet. Passing the packet to the CPU port will give you the opportunity to route packets to different networks, perform traffic control and other software related packet processing actions. To allow a packet to be processed by the CPU, you need to make certain configuration changes depending on your needs and on the device you are using (most commonly, passing packets to the CPU is required for VLAN filtering setups). Check the manual page for your specific device:<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches_examples | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | non-CRS series switches]]<br />
<br />
{{ Warning | Certain bridge and Ethernet port properties are directly related to switch chip settings. Changing such properties can trigger a '''switch chip reset''' that will temporarily disable all Ethernet ports that are on the switch chip for the settings to take effect, this must be taken into account whenever changing properties on production environments. Such properties are DHCP Snooping, IGMP Snooping, VLAN filtering, L2MTU, Flow Control and others (the exact settings that can trigger a switch chip reset depend on the device's model). }}<br />
<br />
==Example==<br />
<br />
Port switching with bridge configuration and enabled hardware offloading since RouterOS v6.41:<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2 hw=yes<br />
add bridge=bridge1 interface=ether3 hw=yes<br />
add bridge=bridge1 interface=ether4 hw=yes<br />
add bridge=bridge1 interface=ether5 hw=yes<br />
</pre><br />
<br />
Make sure that hardware offloading is enabled by checking the "H" flag:<br />
<pre><br />
[admin@MikroTik] > interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
 #     INTERFACE   BRIDGE    HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON<br />
 0   H ether2      bridge1   yes     1      0x80         10                  10  none<br />
 1   H ether3      bridge1   yes     1      0x80         10                  10  none<br />
 2   H ether4      bridge1   yes     1      0x80         10                  10  none<br />
 3   H ether5      bridge1   yes     1      0x80         10                  10  none<br />
</pre><br />
<br />
{{ Note | Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior to RouterOS v6.41 port switching was done using the <var>master-port</var> property, for more details check the [[Manual:Master-port | Master-port]] page. }}<br />
<br />
=Bridge VLAN Filtering=<br />
<br />
{{ Note | Currently only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide. If an improper configuration method is used, your device can cause throughput issues in your network. }}<br />
<br />
<p>Bridge VLAN Filtering since RouterOS v6.41 provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge.<br />
This set of features makes bridge operation more like a traditional Ethernet switch and makes it possible to overcome Spanning Tree compatibility issues compared to a configuration where tunnel-like VLAN interfaces are bridged.<br />
Bridge VLAN Filtering configuration is highly recommended to comply with STP (IEEE 802.1D), RSTP (IEEE 802.1W) standards and is mandatory to enable MSTP (IEEE 802.1s) support in RouterOS.</p><br />
<br />
<p>The main VLAN setting is <code>vlan-filtering</code> which globally controls vlan-awareness and VLAN tag processing in the bridge.<br />
If <code>vlan-filtering=no</code>, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets.<br />
Turning on <code>vlan-filtering</code> enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode.<br />
Besides joining the ports for Layer2 forwarding, bridge itself is also an interface therefore it has Port VLAN ID (pvid).</p><br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge vlan</code></p><br />
<br />
<p>Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action.<br />
<code>tagged</code> ports send out frames with a learned VLAN ID tag.<br />
<code>untagged</code> ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port <code>pvid</code>.<br />
</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface which the respective VLAN entry is intended for.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables Bridge VLAN entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. <code>tagged=ether1,ether2</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=untagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. <code>untagged=ether3,ether4</code><br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-ids<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID range as well as comma separated values. E.g. <code>vlan-ids=100-115,120,122,128-130</code>.<br />
}}<br />
<br /><br />
{{ Warning | The <var>vlan-ids</var> parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are trunk ports. In case multiple VLANs are specified for access ports, then tagged packets might get sent out as untagged packets through the wrong access port, regardless of the <var>PVID</var> value. }}<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br />
<p>Bridge Host table allows monitoring learned MAC addresses and when <code>vlan-filtering</code> is enabled shows learned VLAN ID as well.</p><br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge host print where !local<br />
Flags: L - local, E - external-fdb <br />
  BRIDGE    VID  MAC-ADDRESS        ON-INTERFACE  AGE<br />
  bridge1   200  D4:CA:6D:77:2E:F0  ether3        7s<br />
  bridge1   200  E4:8D:8C:1B:05:F0  ether2        2s<br />
  bridge1   300  D4:CA:6D:74:65:9D  ether4        3s<br />
  bridge1   300  E4:8D:8C:1B:05:F0  ether2        2s<br />
  bridge1   400  4C:5E:0C:4B:89:5C  ether5        0s<br />
  bridge1   400  E4:8D:8C:1B:05:F0  ether2        0s<br />
[admin@MikroTik] > <br />
</pre><br />
<br />
{{ Note | Make sure you have added all needed interfaces to the bridge VLAN table when using bridge VLAN filtering. For routing functions to work properly on the same device through ports that use bridge VLAN filtering, you will need to allow access to the CPU from those ports, this can be done by adding the bridge interface itself to the VLAN table, for tagged traffic you will need to add the bridge interface as a tagged port and create a VLAN interface on the bridge interface. Examples can be found at the [[Manual:Interface/Bridge#Management_port| Management port]] section.}}<br />
<br />
{{ Warning | When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, this is not always desirable. Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port, use firewall filter rules to allow access to only certain services.}}<br />
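<br />
The two warnings above (several VLAN IDs in one entry that also has untagged ports, and CPU access through the bridge interface) can be checked offline against a saved configuration. The script below is an added example, not MikroTik code: the sample export is constructed, the finding names are hypothetical, and it assumes the configuration is given as <code>add</code> lines under menu headers, as in the examples on this page.<br />

```python
import re
import shlex

# Constructed sample in RouterOS export syntax (not taken from the page).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether6,ether7 vlan-ids=200,300-301
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=99
"""


def parse_export(text):
    """Return {menu: [{key: value}, ...]} for every 'add' line under a menu."""
    menus, menu = {}, None
    # A trailing backslash continues a command on the next line.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus


def expand_vlan_ids(spec):
    """Expand a vlan-ids value such as '100-115,120' into a set of integers."""
    ids = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ids.update(range(int(low), int(high or low) + 1))
    return ids


def port_list(value):
    """Split a comma separated interface list, tolerating a missing value."""
    return [p for p in (value or "").split(",") if p]


def audit(text):
    """Return a list of (code, message) findings for the bridge VLAN table."""
    menus = parse_export(text)
    filtering = {b["name"]: b.get("vlan-filtering", "no")
                 for b in menus.get("/interface bridge", []) if "name" in b}
    findings, reported_off = [], set()
    for entry in menus.get("/interface bridge vlan", []):
        bridge = entry.get("bridge", "")
        spec = entry.get("vlan-ids", "1")          # documented default is 1
        tagged = port_list(entry.get("tagged"))
        untagged = port_list(entry.get("untagged"))
        label = f"{bridge} vlan-ids={spec}"
        if filtering.get(bridge, "no") != "yes" and bridge not in reported_off:
            reported_off.add(bridge)
            findings.append(("FILTERING_OFF",
                             f"{bridge}: VLAN table present but vlan-filtering "
                             "is not yes, so VLAN tags are ignored"))
        if len(expand_vlan_ids(spec)) > 1 and untagged:
            findings.append(("MULTI_VLAN_UNTAGGED",
                             f"{label}: untagged={','.join(untagged)} shares an "
                             "entry with several VLAN IDs; use one entry per "
                             "VLAN for access ports"))
        if bridge in tagged + untagged:
            findings.append(("CPU_ACCESS",
                             f"{label}: bridge interface is a member, so this "
                             "VLAN reaches the CPU; confirm firewall filter "
                             "rules limit it to the intended services"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_EXPORT):
        print(f"{code}: {message}")
```

A <code>CPU_ACCESS</code> finding is expected for a management VLAN; it marks where the firewall filter rules mentioned in the warning need to exist.<br />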
<br />
==VLAN Example #1 (Trunk and Access Ports)==<br />
<br />
{{ Note | Improperly configured bridge VLAN filtering can cause security issues, make sure you fully understand how [[ Manual:Bridge_VLAN_Table | Bridge VLAN table]] works before deploying your device into production environments. }}<br />
<br />
[[File:portbased-vlan1.png|center|frame|alt=Alt text|Trunk and Access Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the device before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==VLAN Example #2 (Trunk and Hybrid Ports)==<br />
<br />
[[File:portbased-vlan2.png|center|frame|alt=Alt text|Trunk and Hybrid Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> on hybrid VLAN ports to assign untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example egress VLAN tagging is done on ether6,ether7,ether8 ports too, making them into hybrid ports.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | You don't have to add access ports as untagged ports, they will be added dynamically as untagged ports with the VLAN ID that is specified in <code>PVID</code>, you can specify just the trunk port as a tagged port. All ports that have the same <code>PVID</code> set will be added as untagged ports in a single entry. You must take into account that the bridge itself is a port and it also has a <code>PVID</code> value, this means that the bridge port will also be added as an untagged port for the ports that have the same <code>PVID</code>. You can circumvent this behaviour either by setting a different <code>PVID</code> on all ports (even the trunk port and the bridge itself), or by setting <code>frame-type</code> to <code>accept-only-vlan-tagged</code>. }}<br />
<br />
==VLAN Example #3 (InterVLAN Routing by Bridge)==<br />
<br />
[[File:bridge-vlan-routing.png|center|frame|alt=Alt text|InterVLAN Routing by Bridge]]<br />
<br />
Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured:<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN:<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example '''bridge1''' interface is the VLAN trunk that will send traffic further to do InterVLAN routing:<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
Configure VLAN interfaces on the '''bridge1''' to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned:<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=VLAN200 vlan-id=200<br />
add interface=bridge1 name=VLAN300 vlan-id=300<br />
add interface=bridge1 name=VLAN400 vlan-id=400<br />
<br />
/ip address<br />
add address=20.0.0.1/24 interface=VLAN200<br />
add address=30.0.0.1/24 interface=VLAN300<br />
add address=40.0.0.1/24 interface=VLAN400<br />
</pre><br />
<br />
In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==Management access configuration==<br />
<br />
There are multiple ways to setup management access on a device that uses bridge VLAN filtering. Below are some of the most popular approaches to properly enable access to a router/switch. Start by creating a bridge without VLAN filtering enabled:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* In case VLAN filtering will not be used and access with untagged traffic is desired<br />
<br />
The only requirement is to create an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.99.1/24 interface=bridge1<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with tagged traffic is desired<br />
<br />
In this example VLAN99 will be used to access the device, a VLAN interface on the bridge must be created and an IP address must be assigned to it.<br />
<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=MGMT vlan-id=99<br />
/ip address<br />
add address=192.168.99.1/24 interface=MGMT<br />
</pre><br />
<br />
For example, if you want to allow access to the router/switch from access ports '''ether3''', '''ether4''' and from trunk port '''sfp-sfpplus1''', then you must add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired<br />
<br />
To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.88.1/24 interface=bridge1<br />
</pre><br />
<br />
It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports '''ether3''', '''ether4''' add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1<br />
</pre><br />
<br />
Make sure that PVID on the bridge interface matches the PVID value on these ports:<br />
<pre><br />
/interface bridge set bridge1 pvid=1<br />
/interface bridge port set ether3,ether4 pvid=1<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Note | If connection to the router/switch through an IP address is not required, then steps adding this IP address can be skipped since connection to the router/switch through Layer2 protocols (e.g. MAC-telnet) will be working either way. }}<br />
<br />
==VLAN Tunneling (Q-in-Q)==<br />
Since RouterOS v6.43 the RouterOS bridge is IEEE 802.1ad compliant and it is possible to filter VLAN IDs based on Service VLAN ID (0x88A8) rather than Customer VLAN ID (0x8100). The same principles can be applied as with IEEE 802.1Q VLAN filtering (the same setup examples can be used). Below is a topology for a common '''Provider bridge''':<br />
<br />
[[File:provider_bridge.png|700px|thumb|center|alt=Alt text|Provider bridge topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic by 802.1Q (CVID), but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with an SVID and only allow these VLANs on certain ports. Start by enabling <code>802.1ad</code> VLAN protocol on the bridge, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x88a8<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' are going to be access ports (untagged), use the <code>pvid</code> parameter to tag all ingress traffic on each port, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200<br />
add interface=ether2 bridge=bridge1 pvid=300<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. The difference between using different EtherTypes is that you must use a Service VLAN interface. Service VLAN interfaces can be created as regular VLAN interface, but the <var>use-service-tag</var> parameter toggles if the interface will use Service VLAN tag. }}<br />
<br />
{{ Note | Currently only CRS3xx series switches are capable of hardware offloading VLAN filtering based on SVID (Service VLAN ID) tag when <var>ether-type</var> is set to 0x88a8. }}<br />
<br />
{{ Warning | When <code>ether-type&#61;0x8100</code>, then the bridge checks the outer VLAN tag if it is using EtherType <code>0x8100</code>. If the bridge receives a packet with an outer tag that has a different EtherType, it will mark the packet as <code>untagged</code>. Since RouterOS only checks the outer tag of a packet, it is not possible to filter 802.1Q packets when 802.1ad protocol is used. }}<br />
<br />
===Tag stacking===<br />
<br />
Since RouterOS v6.43 it is possible to forcefully add a new VLAN tag over any existing VLAN tags, this feature can be used to achieve a CVID stacking setup, where a CVID (0x8100) tag is added before an existing CVID tag. This type of setup is very similar to [[ Manual:Interface/Bridge#VLAN_Tunneling_.28Q-in-Q.29 | Provider bridge]] setup, to achieve the same setup but with multiple CVID tags (CVID stacking) we can use the same topology:<br />
<br />
[[File:tag_stacking.png|700px|thumb|center|alt=Alt text|Tag stacking topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic, it can be 802.1ad, 802.1Q or any other type of traffic, but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with a new CVID tag and only allow these VLANs on certain ports. Start by selecting the proper EtherType, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x8100<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' will ignore any VLAN tags that are present and add a new VLAN tag, use the <code>pvid</code> parameter to tag all ingress traffic on each port and allow <code>tag-stacking</code> on these ports, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200 tag-stacking=yes<br />
add interface=ether2 bridge=bridge1 pvid=300 tag-stacking=yes<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, you only need to specify the VLAN ID of the outer tag, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, which is required in order for the <code>PVID</code> parameter to have any effect, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. }}<br />
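<br />
The outer-tag EtherType check from the Q-in-Q warning and the <code>tag-stacking</code> behaviour described above can be followed on real frame bytes. The model below is an added example built only from the statements on this page; it is not RouterOS code, the function names are hypothetical, and the frames are constructed test data.<br />

```python
import struct

TPID_CVLAN = 0x8100  # IEEE 802.1Q customer tag (CVID)
TPID_SVLAN = 0x88A8  # IEEE 802.1ad service tag (SVID)
KNOWN_TPIDS = (TPID_CVLAN, TPID_SVLAN)


def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame; tags is a list of (tpid, vid), outermost first."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    body = b"".join(struct.pack("!HH", tpid, vid & 0x0FFF) for tpid, vid in tags)
    return dst + src + body + struct.pack("!H", ethertype) + payload


def tag_stack(frame):
    """Return every VLAN tag in the frame as (tpid, vid), outermost first."""
    tags, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in KNOWN_TPIDS:
            break
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
    return tags


def classify_ingress(frame, bridge_ether_type, pvid, tag_stacking=False):
    """Ingress decision on a port of a vlan-filtering=yes bridge.

    Returns (vid, "tagged" | "untagged"). Only the outer tag is inspected.
    """
    tags = tag_stack(frame)
    if not tag_stacking and tags and tags[0][0] == bridge_ether_type:
        return tags[0][1], "tagged"
    # No tag, an outer tag with a different EtherType, or tag-stacking=yes:
    # the frame is handled as untagged and assigned the port's pvid.
    return pvid, "untagged"


def egress_tagged_port(frame, bridge_ether_type, vid, treated_as):
    """Frame as it leaves a port listed under tagged= for this VLAN."""
    if treated_as == "tagged":
        return frame  # outer tag already has the bridge EtherType and VID
    new_tag = struct.pack("!HH", bridge_ether_type, vid)
    return frame[:12] + new_tag + frame[12:]


def trunk_tags(frame, bridge_ether_type, pvid, tag_stacking=False):
    """Return (vid, treated_as, tags seen on the trunk) for one ingress frame."""
    vid, how = classify_ingress(frame, bridge_ether_type, pvid, tag_stacking)
    out = egress_tagged_port(frame, bridge_ether_type, vid, how)
    return vid, how, tag_stack(out)


if __name__ == "__main__":
    customer = build_frame([(TPID_CVLAN, 10)])   # router sends CVID 10
    service = build_frame([(TPID_SVLAN, 300)])   # frame arrives with SVID 300
    cases = [
        ("provider bridge, ether-type=0x88a8", customer, TPID_SVLAN, False),
        ("ether-type=0x8100, no tag-stacking", customer, TPID_CVLAN, False),
        ("ether-type=0x8100, tag-stacking=yes", customer, TPID_CVLAN, True),
        ("ether-type=0x8100, S-tagged ingress", service, TPID_CVLAN, False),
    ]
    for name, frame, ether_type, stacking in cases:
        vid, how, tags = trunk_tags(frame, ether_type, 200, stacking)
        shown = ", ".join(f"0x{t:04x}/{v}" for t, v in tags)
        print(f"{name}: {how}, VLAN {vid}, trunk tags [{shown}]")
```

In the last case the frame's own VID 300 never reaches the VLAN table: it is handled as untagged and placed in the port's <code>pvid</code> VLAN, which is why the page says 802.1Q and 802.1ad tags cannot be filtered by the same bridge.<br />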
<br />
=Fast Forward=<br />
<br />
Fast Forward allows packets to be forwarded faster under special conditions. When Fast Forward is enabled, the bridge can process packets even faster since it can skip multiple bridge related checks, including MAC learning. Below you can find a list of conditions that '''MUST''' be met in order for Fast Forward to be active:<br />
* Bridge has <var>fast-forward</var> set to <code>yes</code><br />
* Bridge has only 2 running ports<br />
* Both bridge ports support [[ Manual:Fast_Path | Fast Path]], Fast Path is active on ports and globally on the bridge<br />
* [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] is disabled<br />
* <var>protocol-mode</var> is set to <code>none</code><br />
* [[ Manual:Interface/Bridge#Bridge_VLAN_Filtering | Bridge VLAN Filtering]] is disabled<br />
* [[Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82 | bridge DHCP snooping]] is disabled<br />
* <var>unknown-multicast-flood</var> is set to <code>yes</code><br />
* <var>unknown-unicast-flood</var> is set to <code>yes</code><br />
* <var>broadcast-flood</var> is set to <code>yes</code><br />
* MAC address for the bridge matches with a MAC address from one of the bridge slaves<br />
* <var>horizon</var> for both ports is set to <code>none</code><br />
<br />
{{ Note | Fast Forward disables MAC learning, this is by design to achieve faster packet forwarding. MAC learning prevents traffic from flooding multiple interfaces, but MAC learning is not needed when a packet can only be sent out through just one interface. }}<br />
<br />
{{ Warning | Fast Forward is disabled when hardware offloading is enabled. Hardware offloading can achieve full wire-speed performance when it is active since it will use the built-in switch chip (if one exists on your device), while Fast Forward uses the CPU to forward packets. When comparing throughput, you would get these results: Hardware offloading > Fast Forward > Fast Path > Slow Path. }}<br />
<br />
It is possible to check how many packets were processed by Fast Forward:<br />
<pre><br />
[admin@MikroTik] > /interface bridge settings print <br />
use-ip-firewall: no<br />
use-ip-firewall-for-vlan: no<br />
use-ip-firewall-for-pppoe: no<br />
allow-fast-path: yes<br />
bridge-fast-path-active: yes<br />
bridge-fast-path-packets: 0<br />
bridge-fast-path-bytes: 0<br />
bridge-fast-forward-packets: 1279812<br />
bridge-fast-forward-bytes: 655263744<br />
</pre><br />
<br />
{{ Note | If packets are processed by Fast Path, then Fast Forward is not active. Packet count can be used as an indicator whether Fast Forward is active or not. }}<br />
<br />
Since RouterOS 6.44beta28 it is possible to monitor Fast Forward status, for example:<br />
<pre><br />
[admin@MikroTik] > /interface bridge monitor bridge1 <br />
state: enabled<br />
current-mac-address: D4:CA:6D:E1:B5:82<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
fast-forward: yes<br />
<br />
</pre><br />
<br />
{{ Warning | Disabling or enabling <var>fast-forward</var> will temporarily disable all bridge ports for settings to take effect. This must be taken into account whenever changing this property on production environments since it can cause all packets to be temporarily dropped. }}<br />
<br />
=IGMP Snooping=<br />
<br />
<p>IGMP Snooping which controls multicast streams and prevents multicast flooding is implemented in RouterOS starting from version 6.41.<br /><br />
Its settings are placed in the bridge menu and it works independently in every bridge interface.<br /><br />
Software driven implementation works on all devices with RouterOS but CRS1xx/2xx/3xx series switches also support IGMP Snooping with hardware offloading.</p><br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge mdb</code></p><br />
<br />
* Enabling IGMP Snooping on Bridge.<br />
<br />
<pre><br />
/interface bridge set bridge1 igmp-snooping=yes<br />
</pre><br />
<br />
* Monitoring multicast groups in the Bridge Multicast Database<br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge mdb print <br />
BRIDGE VID GROUP PORTS <br />
bridge1 200 229.1.1.2 ether3 <br />
ether2 <br />
ether1 <br />
bridge1 300 231.1.3.3 ether4 <br />
ether3 <br />
ether2 <br />
bridge1 400 229.10.10.4 ether4 <br />
ether3 <br />
bridge1 500 234.5.1.5 ether5 <br />
ether1 <br />
</pre><br />
<br />
* Monitoring ports that are connected to a multicast router<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor [f]<br />
interface: ether1 ether2<br />
status: in-bridge in-bridge<br />
port-number: 1 2<br />
role: designated-port designated-port<br />
edge-port: yes yes<br />
edge-port-discovery: yes yes<br />
point-to-point-port: yes yes<br />
external-fdb: no no<br />
sending-rstp: yes yes<br />
learning: yes yes<br />
forwarding: yes yes<br />
multicast-router: yes no<br />
</pre><br />
<br />
{{ Note | IGMP membership reports are only forwarded to ports that are connected to a multicast router or to another IGMP Snooping enabled bridge. If no port is marked as a <var>multicast-router</var> then IGMP membership reports will not be forwarded to any port. }}<br />
<br />
=DHCP Snooping and DHCP Option 82=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge port</code></p><br />
<br /><br />
Starting from RouterOS version 6.43, bridge supports DHCP Snooping and DHCP Option 82. DHCP Snooping is a Layer2 security feature that limits unauthorized DHCP servers from providing malicious information to users. In RouterOS you can specify which bridge ports are trusted (where a known DHCP server resides and DHCP messages should be forwarded) and which are untrusted (usually used for access ports; received DHCP server messages will be dropped). DHCP Option 82 is additional information (Agent Circuit ID and Agent Remote ID) provided by DHCP Snooping enabled devices that allows identifying the device itself and DHCP clients.<br />
<br />
[[File:dhcp_snooping.png|700px|thumb|center|alt=Alt text|DHCP Snooping and Option 82 setup]]<br />
<br />
In this example, SW1 and SW2 are DHCP Snooping and Option 82 enabled devices. First, we need to create a bridge, assign interfaces and mark trusted ports. Use these commands on <b>SW1</b>:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1<br />
add bridge=bridge interface=ether2 trusted=yes<br />
</pre><br />
<br />
The SW2 configuration is similar, but we also need to mark ether1 as trusted, because this interface is going to receive DHCP messages with Option 82 already added. You need to mark all ports as trusted if they are going to receive DHCP messages with added Option 82, otherwise these messages will be dropped. We also add ether3 to the same bridge and leave this port untrusted; assume an unauthorized (rogue) DHCP server is connected there. Use these commands on <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1 trusted=yes<br />
add bridge=bridge interface=ether2 trusted=yes<br />
add bridge=bridge interface=ether3<br />
</pre><br />
<br />
Then we need to enable DHCP Snooping and Option 82. In case your DHCP server does not support DHCP Option 82 or you do not implement any Option 82 related policies, this option can be disabled. Use these commands on <b>SW1</b> and <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes<br />
</pre><br />
<br />
Now both devices will analyze which DHCP messages are received on bridge ports. <b>SW1</b> is responsible for adding and removing the DHCP Option 82. <b>SW2</b> will limit the rogue DHCP server from receiving any discovery messages and drop malicious DHCP server messages from ether3.<br />
<br />
{{ Note | Currently only CRS3xx devices fully support hardware DHCP Snooping and Option 82. For CRS1xx and CRS2xx series switches it is possible to use DHCP Snooping along with VLAN switching, but then you must make sure that DHCP packets are sent out with the correct VLAN tag using egress ACL rules. Other devices are capable of using DHCP Snooping and Option 82 features along with hardware offloading, but you must make sure that there is no VLAN related configuration applied on the device, otherwise DHCP Snooping and Option 82 might not work properly. See [[ Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features.}}<br />
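<br />
The trusted/untrusted rules described above can be modelled offline to check a port plan before it is deployed. The following is an added example, not RouterOS or MikroTik code: the function names, the sample messages, the Circuit ID/Remote ID values and the choice to drop unparsable messages are assumptions of this model.<br />

```python
# Added example: a model of the trusted/untrusted port rules described above.
# Not RouterOS code; port names follow the SW1/SW2 example on this page.
MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie at offset 236
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}   # RFC 3046 sub-options


def parse_tlv(buf, stop_at_end=False):
    """Parse code/length/value triples; raise ValueError on truncation."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)
        out[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out


def parse_dhcp(msg):
    """Return (bootp_op, options) for a raw DHCP payload (the UDP data)."""
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    return msg[0], parse_tlv(msg[240:], stop_at_end=True)


def relay_info(options):
    """Decode Option 82 into {'circuit-id': ..., 'remote-id': ...}."""
    subs = parse_tlv(options.get(OPT_RELAY_INFO, b""))
    return {SUBOPT_NAMES.get(k, k): v for k, v in subs.items()}


def snoop(port, trusted_ports, msg):
    """Return (verdict, reason) for a DHCP message received on a bridge port."""
    try:
        op, options = parse_dhcp(msg)
        relay_info(options)
    except ValueError as exc:
        # Model assumption: a message that cannot be parsed is dropped.
        return "drop", "malformed: %s" % exc
    if port in trusted_ports:
        return "forward", "trusted port"
    mtype = (options.get(OPT_MSG_TYPE) or b"\x00")[0]
    if op == 2 or mtype in SERVER_TYPES:      # op 2 is BOOTREPLY
        return "drop", "DHCP server message on untrusted port"
    if OPT_RELAY_INFO in options:
        return "drop", "Option 82 present on untrusted port"
    return "forward", "client message"


def build(op, mtype, relay=None):
    """Construct a minimal DHCP payload (sample data for this example)."""
    fixed = bytes([op, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(228)
    opts = bytes([OPT_MSG_TYPE, 1, mtype])
    if relay is not None:
        cid, rid = relay
        sub = bytes([1, len(cid)]) + cid + bytes([2, len(rid)]) + rid
        opts += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    return fixed + MAGIC + opts + bytes([OPT_END])


SW1_TRUSTED = {"ether2"}                      # as configured on SW1 above
SW2_TRUSTED = {"ether1", "ether2"}            # as configured on SW2 above
DISCOVER = build(1, 1)                        # client DISCOVER, constructed
DISCOVER_OPT82 = build(1, 1, relay=(b"ether1", b"SW1"))   # constructed IDs
ROGUE_OFFER = build(2, 2)                     # server OFFER, constructed

if __name__ == "__main__":
    cases = [("SW1", SW1_TRUSTED, "ether1", DISCOVER),
             ("SW2", SW2_TRUSTED, "ether1", DISCOVER_OPT82),
             ("SW2", SW2_TRUSTED, "ether3", ROGUE_OFFER),
             ("SW2 with ether1 left untrusted", {"ether2"}, "ether1", DISCOVER_OPT82)]
    for name, trusted, port, msg in cases:
        print(name, port, *snoop(port, trusted, msg))
```

The last case shows the misconfiguration the text warns about: if the SW2 uplink towards SW1 is left untrusted, legitimate client requests that already carry Option 82 are dropped.<br />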
<br />
=Bridge Firewall=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter, /interface bridge nat</code></p><br />
<br /><br />
<p>The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through bridge.</p><br />
<br />
<p>[[Packet Flow | Packet flow diagram]] shows how packets are processed through router. It is possible to force bridge traffic to go through <code>/ip firewall filter</code> rules (see: [[#Bridge Settings | Bridge Settings]])</p><br />
<br />
<p><br />
There are two bridge firewall tables:<br />
<br />
*'''filter''' - bridge firewall with three predefined chains:<br />
**'''input''' - filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)<br />
**'''output''' - filters packets, which come from the bridge (including those packets that have been routed normally)<br />
**'''forward''' - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)<br />
*'''nat''' - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:<br />
**'''srcnat''' - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface<br />
**'''dstnat''' - used for redirecting some packets to other destinations<br />
</p><br />
<br />
<p><br />
You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by <code>'/ip firewall mangle'</code>. In this way, packet marks put by bridge firewall can be used in 'IP firewall', and vice versa.<br />
</p><br />
<br />
<p><br />
General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.<br />
</p><br />
<br />
==Properties==<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-sap<br />
|type=integer<br />
|default=<br />
|desc=DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match a SAP byte.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-type<br />
|type=integer<br />
|default=<br />
|desc=Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=<br />
|desc= Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. Packet is not passed to next firewall rule<br />
* <var>drop</var> - silently drop the packet<br />
* <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter <br />
* <var>log</var> - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as <code>passthrough</code><br />
* <var>mark-packet</var> - place a mark specified by the new-packet-mark parameter on a packet that matches the rule<br />
* <var>passthrough</var> - if packet is matched by the rule, increase counter and go to next rule (useful for statistics)<br />
* <var>return</var> - passes control back to the chain from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP destination IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP destination MAC address<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-gratuitous<br />
|type=yes {{!}} no<br />
|default=<br />
|desc=Matches ARP gratuitous packets.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-hardware-type<br />
|type=integer<br />
|default=1<br />
|desc=ARP hardware type. This is normally Ethernet (Type 1).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-opcode<br />
|type=arp-nak {{!}} drarp-error {{!}} drarp-reply {{!}} drarp-request {{!}} inarp-reply {{!}} inarp-request {{!}} reply {{!}} reply-reverse {{!}} request {{!}} request-reverse<br />
|default=<br />
|desc=ARP opcode (packet type)<br />
* <var>arp-nak</var> - negative ARP reply (rarely used, mostly in ATM networks) <br />
* <var>drarp-error</var> - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated <br />
* <var>drarp-reply</var> - Dynamic RARP reply, with a temporary IP address assignment for a host <br />
* <var>drarp-request</var> - Dynamic RARP request to assign a temporary IP address for the given MAC address <br />
* <var>inarp-reply</var> - InverseARP Reply<br />
* <var>inarp-request</var> - InverseARP Request<br />
* <var>reply</var> - standard ARP reply with a MAC address <br />
* <var>reply-reverse</var> - reverse ARP (RARP) reply with an IP address assigned <br />
* <var>request</var> - standard ARP request to a known IP address to find out unknown MAC address <br />
* <var>request-reverse</var> - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-packet-type<br />
|type=integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=ARP Packet Type.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP source IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=chain<br />
|type=text<br />
|default=<br />
|desc=Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user-defined one).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-address<br />
|type=IP address<br />
|default=<br />
|desc=Destination IP address (only if MAC protocol is set to IP).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Destination port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-bridge<br />
|type=name<br />
|default=<br />
|desc=Bridge interface through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface<br />
|type=name<br />
|default=<br />
|desc=Physical interface (i.e., bridge port) through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>in-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-priority<br />
|type=integer 0..63<br />
|default=<br />
|desc=Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit. [[WMM | read more&#187;]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ip-protocol<br />
|type=dccp {{!}} ddp {{!}} egp {{!}} encap {{!}} etherip {{!}} ggp {{!}} gre {{!}} hmp {{!}} icmp {{!}} icmpv6 {{!}} idpr-cmtp {{!}} igmp {{!}} ipencap {{!}} ipip {{!}} ipsec-ah {{!}} ipsec-esp {{!}} ipv6 {{!}} ipv6-frag {{!}} ipv6-nonxt {{!}} ipv6-opts {{!}} ipv6-route {{!}} iso-tp4 {{!}} l2tp {{!}} ospf {{!}} pim {{!}} pup {{!}} rdp {{!}} rspf {{!}} rsvp {{!}} sctp {{!}} st {{!}} tcp {{!}} udp {{!}} udp-lite {{!}} vmtp {{!}} vrrp {{!}} xns-idp {{!}} xtp<br />
|default=<br />
|desc=IP protocol (only if MAC protocol is set to IPv4)<br />
* <var>dccp</var> - Datagram Congestion Control Protocol<br />
* <var>ddp</var> - Datagram Delivery Protocol<br />
* <var>egp</var> - Exterior Gateway Protocol<br />
* <var>encap</var> - Encapsulation Header<br />
* <var>etherip</var> - Ethernet-within-IP Encapsulation<br />
* <var>ggp</var> - Gateway-to-Gateway Protocol<br />
* <var>gre</var> - Generic Routing Encapsulation<br />
* <var>hmp</var> - Host Monitoring Protocol<br />
* <var>icmp</var> - IPv4 Internet Control Message Protocol<br />
* <var>icmpv6</var> - IPv6 Internet Control Message Protocol<br />
* <var>idpr-cmtp</var> - Inter-Domain Policy Routing Control Message Transport Protocol <br />
* <var>igmp</var> - Internet Group Management Protocol<br />
* <var>ipencap</var> - IP in IP (encapsulation)<br />
* <var>ipip</var> - IP-within-IP Encapsulation Protocol<br />
* <var>ipsec-ah</var> - IPsec Authentication Header<br />
* <var>ipsec-esp</var> - IPsec Encapsulating Security Payload<br />
* <var>ipv6</var> - Internet Protocol version 6<br />
* <var>ipv6-frag</var> - Fragment Header for IPv6<br />
* <var>ipv6-nonxt</var> - No Next Header for IPv6<br />
* <var>ipv6-opts</var> - Destination Options for IPv6<br />
* <var>ipv6-route</var> - Routing Header for IPv6<br />
* <var>iso-tp4</var> - ISO Transport Protocol Class 4<br />
* <var>l2tp</var> - Layer Two Tunneling Protocol<br />
* <var>ospf</var> - Open Shortest Path First<br />
* <var>pim</var> - Protocol Independent Multicast<br />
* <var>pup</var> - PARC Universal Packet<br />
* <var>rdp</var> - Reliable Data Protocol<br />
* <var>rspf</var> - Radio Shortest Path First<br />
* <var>rsvp</var> - Reservation Protocol<br />
* <var>sctp</var> - Stream Control Transmission Protocol<br />
* <var>st</var> - Internet Stream Protocol<br />
* <var>tcp</var> - Transmission Control Protocol<br />
* <var>udp</var> - User Datagram Protocol<br />
* <var>udp-lite</var> - Lightweight User Datagram Protocol<br />
* <var>vmtp</var> - Versatile Message Transaction Protocol<br />
* <var>vrrp</var> - Virtual Router Redundancy Protocol<br />
* <var>xns-idp</var> - Xerox Network Systems Internet Datagram Protocol<br />
* <var>xtp</var> - Xpress Transport Protocol<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=jump-target<br />
|type=name<br />
|default=<br />
|desc=If <code>action=jump</code> specified, then specifies the user-defined firewall chain to process the packet.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit<br />
|type=integer/time,integer<br />
|default=<br />
|desc=Restricts packet match rate to a given limit.<br />
* <var>count</var> - maximum average packet rate, measured in packets per second (pps), unless followed by Time option <br />
* <var>time</var> - specifies the time interval over which the packet rate is measured <br />
* <var>burst</var> - number of packets to match in a burst<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=log-prefix<br />
|type=text<br />
|default=<br />
|desc=Defines the prefix to be printed before the logging information.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-protocol<br />
|type=802.2 {{!}} arp {{!}} homeplug-av {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} lldp {{!}} loop-protect {{!}} mpls-multicast {{!}} mpls-unicast {{!}} packing-compr {{!}} packing-simple {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} service-vlan {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Ethernet payload type (MAC-level protocol). To match protocol type for VLAN encapsulated frames (0x8100 or 0x88a8), a <var>vlan-encap</var> property should be used.<br />
* <var>802.2</var> - 802.2 Frames (0x0004)<br />
* <var>arp</var> - Address Resolution Protocol (0x0806)<br />
* <var>homeplug-av</var> - HomePlug AV MME (0x88E1)<br />
* <var>ip</var> - Internet Protocol version 4 (0x0800)<br />
* <var>ipv6</var> - Internet Protocol Version 6 (0x86DD)<br />
* <var>ipx</var> - Internetwork Packet Exchange (0x8137)<br />
* <var>length</var> - Packets with length field (0x0000-0x05DC)<br />
* <var>lldp</var> - Link Layer Discovery Protocol (0x88CC)<br />
* <var>loop-protect</var> - Loop Protect Protocol (0x9003)<br />
* <var>mpls-multicast</var> - MPLS multicast (0x8848)<br />
* <var>mpls-unicast</var> - MPLS unicast (0x8847)<br />
* <var>packing-compr</var> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001)<br />
* <var>packing-simple</var> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000)<br />
* <var>pppoe</var> - PPPoE Session Stage (0x8864)<br />
* <var>pppoe-discovery</var> - PPPoE Discovery Stage (0x8863)<br />
* <var>rarp</var> - Reverse Address Resolution Protocol (0x8035)<br />
* <var>service-vlan</var> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8) <br />
* <var>vlan</var> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-bridge<br />
|type=name<br />
|default=<br />
|desc=Outgoing bridge interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface<br />
|type=name<br />
|default=<br />
|desc=Interface that the packet is leaving the bridge through.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>out-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-mark<br />
|type=name<br />
|default=<br />
|desc=Match packets with certain packet mark.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-type<br />
|type=broadcast {{!}} host {{!}} multicast {{!}} other-host<br />
|default=<br />
|desc=MAC frame type:<br />
* <var>broadcast</var> - broadcast MAC packet <br />
* <var>host</var> - packet is destined to the bridge itself <br />
* <var>multicast</var> - multicast MAC packet <br />
* <var>other-host</var> - packet is destined to some other unicast address, not to the bridge itself<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-address<br />
|type=IP address<br />
|default=<br />
|desc=Source IP address (only if MAC protocol is set to IPv4).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Source port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-flags<br />
|type=topology-change {{!}} topology-change-ack<br />
|default=<br />
|desc=The BPDU (Bridge Protocol Data Unit) flags. Bridges periodically exchange configuration messages named BPDUs to prevent loops<br />
* <var>topology-change</var> - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology <br />
* <var>topology-change-ack</var> - topology change acknowledgement flag is sent in replies to the notification packets <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-forward-delay<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Forward delay timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-hello-time<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP hello packets time.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-max-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Maximal STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-msg-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP port identifier.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-address<br />
|type=MAC address<br />
|default=<br />
|desc=Root bridge MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-cost<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge cost.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-address<br />
|type=MAC address<br />
|default=<br />
|desc=STP message sender MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP sender priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-type<br />
|type=config {{!}} tcn<br />
|default=<br />
|desc=The BPDU type:<br />
* <var>config</var> - configuration BPDU <br />
* <var>tcn</var> - topology change notification<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-host<br />
|type=string<br />
|default=<br />
|desc=Allows matching HTTPS traffic based on the TLS SNI hostname. Accepts [https://en.wikipedia.org/wiki/Glob_(programming) GLOB syntax] for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-encap<br />
|type=802.2 {{!}} arp {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} mpls-multicast {{!}} mpls-unicast {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Matches the MAC protocol type encapsulated in the VLAN frame.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-id<br />
|type=integer 0..4095<br />
|default=<br />
|desc=Matches the VLAN identifier field.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-priority<br />
|type=integer 0..7<br />
|default=<br />
|desc=Matches the VLAN priority<br />
}}<br />
<br />
<br />
<h3>Notes</h3><br />
<br />
*STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also <code>stp</code> should be enabled.<br />
<br />
*ARP matchers are only valid if <var>mac-protocol</var> is <code>arp</code> or <code>rarp</code><br />
<br />
*VLAN matchers are only valid for <code>0x8100</code> or <code>0x88a8</code> ethernet protocols<br />
<br />
*IP or IPv6 related matchers are only valid if <var>mac-protocol</var> is either set to <code>ip</code> or <code>ipv6</code><br />
<br />
*802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards ('''note''': it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.<br />
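<br />
A rule that combines matchers in a way these notes rule out does not match the traffic its author intended, so it is worth checking exported rules against the notes. The following is an added example, not a MikroTik tool: the function names, finding labels and sample rules are assumptions, and it covers only the constraints stated on this page.<br />

```python
# Added example: lint bridge filter rules against the matcher notes above.
import shlex

# EtherType values as listed for mac-protocol on this page.
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035,
              "vlan": 0x8100, "ipv6": 0x86DD, "service-vlan": 0x88A8}
ARP_KEYS = {"arp-dst-address", "arp-dst-mac-address", "arp-gratuitous",
            "arp-hardware-type", "arp-opcode", "arp-packet-type",
            "arp-src-address", "arp-src-mac-address"}
IP_KEYS = {"src-address", "dst-address", "ip-protocol", "src-port", "dst-port"}
VLAN_KEYS = {"vlan-encap", "vlan-id", "vlan-priority"}
STP_GROUP_MAC = "01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff"


def parse_rule(line):
    """Split 'add key=value ...' into a dict; words without '=' are skipped."""
    return dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)


def to_int(value, base=0):
    """Parse decimal or 0x-prefixed numbers; None if not numeric."""
    try:
        return int(value, base)
    except (TypeError, ValueError):
        return None


def ethertype(rule):
    """Numeric EtherType of mac-protocol, or None if unset or another name."""
    value = rule.get("mac-protocol", "").lower()
    return ETHERTYPES.get(value, to_int(value))


def lint(line):
    """Return labels for matchers that the notes above say are not valid."""
    rule = parse_rule(line)
    keys, proto, findings = set(rule), ethertype(rule), []
    if keys & ARP_KEYS and proto not in (0x0806, 0x8035):
        findings.append("arp-needs-mac-protocol")
    if keys & IP_KEYS and proto not in (0x0800, 0x86DD):
        findings.append("ip-needs-mac-protocol")
    if keys & VLAN_KEYS and proto not in (0x8100, 0x88A8):
        findings.append("vlan-needs-mac-protocol")
    # Whether STP is enabled on the bridge cannot be seen from the rule itself.
    if any(k.startswith("stp-") for k in keys) and \
            rule.get("dst-mac-address", "").lower() != STP_GROUP_MAC:
        findings.append("stp-needs-bridge-group-mac")
    if keys & {"src-port", "dst-port"} and \
            rule.get("ip-protocol") not in ("tcp", "udp"):
        findings.append("port-needs-tcp-or-udp")
    if "802.3-type" in keys and to_int(rule.get("802.3-sap"), 16) != 0xAA:
        findings.append("802.3-type-needs-sap-0xaa")
    if "jump-target" in keys and rule.get("action") != "jump":
        findings.append("jump-target-needs-action-jump")
    return findings


# Constructed sample rules (not taken from a real device export).
SAMPLE_RULES = [
    "add chain=forward mac-protocol=ip ip-protocol=udp src-port=67 "
    "in-interface=ether3 action=drop",
    "add chain=forward src-port=67 action=drop",
    "add chain=forward mac-protocol=ip arp-opcode=request action=drop",
    "add chain=input stp-type=config action=drop",
    "add chain=forward mac-protocol=0x8100 vlan-id=200 action=accept",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(lint(rule) or "ok", "<-", rule)
```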
<br />
==Bridge Packet Filter==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter</code></p><br />
<br /><br />
<p>This section describes filtering options that are specific to <code>'/interface bridge filter'</code>.</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - add a message to the system log containing following data: in-interface, out-interface, src-mac, dst-mac, eth-proto, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as passthrough<br />
* <var>mark</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
==Bridge NAT==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge nat</code></p><br />
<br /><br />
<p>This section describes bridge NAT options that are specific to <code>'/interface bridge nat'</code>.</p><br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} mark-packet {{!}} redirect {{!}} set-priority {{!}} arp-reply {{!}} dst-nat {{!}} log {{!}} passthrough {{!}} return {{!}} src-nat<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule:<br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>arp-reply</var> - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain) <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>dst-nat</var> - change destination MAC address of a packet (only valid in dstnat chain) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - log the packet <br />
* <var>mark</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>redirect</var> - redirect the packet to the bridge itself (only valid in dstnat chain) <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
* <var>src-nat</var> - change source MAC address of a packet (only valid in srcnat chain) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-arp-reply-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frame and ARP payload, when <code>action=arp-reply</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address to put in Ethernet frames, when <code>action=dst-nat</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=to-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frames, when <code>action=src-nat</code> is selected<br />
}}<br />
<br />
=See also=<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | Switch chip features]]<br />
* [[M:Maximum_Transmission_Unit_on_RouterBoards | MTU on RouterBOARD]]<br />
* [[Manual:Layer2_misconfiguration | Layer2 misconfiguration]]<br />
* [[Manual:Bridge_VLAN_Table | Bridge VLAN Table]]<br />
* [[Manual:Wireless VLAN Trunk | Wireless VLAN Trunk]]<br />
* [[Manual:VLANs_on_Wireless | VLANs on Wireless]]<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|B]]<br />
[[Category:Interface|B]]<br />
[[Category:Bridging and switching]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Bridge&diff=34173Manual:Interface/Bridge2020-08-17T06:44:48Z<p>Guntis: /* Bridge Interface Setup */ auto-mac</p>
<hr />
<div>{{Versions| v3, v4+}}<br />
<br />
=Summary=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code><br />
<br /><br />
<b>Standards:</b> <code>[https://en.wikipedia.org/wiki/IEEE_802.1D IEEE 802.1D] , [https://en.wikipedia.org/wiki/IEEE_802.1Q IEEE 802.1Q]</code><br />
</p><br />
<br /><br />
<br />
<p><br />
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE 802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).<br />
</p><br />
<br />
<p><br />
Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allow bridges to communicate with each other, so they can negotiate a loop-free topology. All other alternative connections that would otherwise form loops are put on standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.<br />
</p><br />
<br />
=Bridge Interface Setup=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code></p><br />
<br /><br />
<p>To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the MAC address of first bridge port which comes up will be chosen automatically).</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=add-dhcp-option82<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to add DHCP Option-82 information (Agent Remote ID and Agent Circuit ID) to DHCP packets. Can be used together with Option-82 capable DHCP server to assign IP addresses and implement policies. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=admin-mac<br />
|type=MAC address<br />
|default=none<br />
|desc=Static MAC address of the bridge. This property only has effect when <var>auto-mac</var> is set to <code>no</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ageing-time<br />
|type=time<br />
|default=00:05:00<br />
|desc=How long a host's information will be kept in the bridge database.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=Address Resolution Protocol setting<br />
* <code>disabled</code> - the interface will not use ARP<br />
* <code>enabled</code> - the interface will use ARP<br />
* <code>proxy-arp</code> - the interface will use the ARP proxy feature<br />
* <code>reply-only</code> - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the [[Manual:IP/ARP | IP/ARP]] table. No dynamic entries will be automatically stored in the [[Manual:IP/ARP | IP/ARP]] table. Therefore for communications to be successful, a valid static entry must already exist.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=ARP timeout is how long an ARP record is kept in the ARP table after no packets are received from the IP address. Value <code>auto</code> equals the value of <var>arp-timeout</var> in [[Manual:IP/Settings | IP/Settings]], default is 30s.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-mac<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Automatically select one MAC address of bridge ports as a bridge MAC address, bridge MAC will be chosen from the first added bridge port. After a device reboot, the bridge MAC can change depending on the port-number.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dhcp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables DHCP Snooping on the bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Changes whether the bridge is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ether-type<br />
|type=0x9100 {{!}} 0x8100 {{!}} 0x88a8<br />
|default=0x8100<br />
|desc=Changes the EtherType, which will be used to determine if a packet has a VLAN tag. Packets that have a matching EtherType are considered as tagged packets. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-forward<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Special and faster case of [[Manual:Fast_Path | FastPath]] which works only on bridges with 2 interfaces (enabled by default only for new bridges). More details can be found in the [[ Manual:Interface/Bridge#Fast_Forward | Fast Forward]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forward-delay<br />
|type=time<br />
|default=00:00:15<br />
|desc=Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables multicast group and port learning to prevent multicast traffic from flooding all interfaces in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-version<br />
|type=2 {{!}} 3<br />
|default=2<br />
|desc=Selects the IGMP version in which IGMP general membership queries will be generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. By default, VLANs that don't exist in the bridge VLAN table are dropped before they are sent out (egress), but this property allows you to drop the packets when they are received (ingress). Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=read-only<br />
|default=<br />
|desc=L2MTU indicates the maximum size of the frame without MAC header that can be sent by this interface. The L2MTU value will be automatically set by the bridge and it will use the lowest L2MTU value of any associated bridge port. This value cannot be manually changed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-interval<br />
|type=time<br />
|default=1s<br />
|desc=If a port has <var>fast-leave</var> set to <code>no</code> and a bridge port receives an IGMP Leave message, then an IGMP Snooping enabled bridge will send an IGMP query to make sure that no devices are subscribed to a certain multicast stream on a bridge port. If an IGMP Snooping enabled bridge does not receive an IGMP membership report within <var>last-member-interval</var>, then the bridge considers that no one is subscribed to a certain multicast stream and can stop forwarding it. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=How many times <var>last-member-interval</var> should pass until an IGMP Snooping bridge stops forwarding a certain multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-hops<br />
|type=integer: 6..40<br />
|default=20<br />
|desc=Number of bridges a BPDU can pass through in an MSTP enabled network in the same region before the BPDU is ignored. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-message-age<br />
|type=time<br />
|default=00:00:20<br />
|desc=How long to remember Hello messages received from other STP/RSTP enabled bridges. This property only has effect when <var>protocol-mode</var> is set to <code>stp</code> or <code>rstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=membership-interval<br />
|type=time<br />
|default=4m20s<br />
|desc=Amount of time after which an entry in the Multicast Database (MDB) is removed if an IGMP membership report is not received on a certain port. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mld-version<br />
|type=1 {{!}} 2<br />
|default=1<br />
|desc=Selects the MLD version. Version 2 adds support for source-specific multicast. This property only has effect when RouterOS IPv6 package is enabled and <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer<br />
|default=auto<br />
|desc= Maximum transmission unit, by default, the bridge will set MTU automatically and it will use the lowest MTU value of any associated bridge port. The default bridge MTU value without any bridge ports added is 1500. The MTU value can be set manually, but it cannot exceed the bridge L2MTU or the lowest bridge port L2MTU. If a new bridge port is added with L2MTU which is smaller than the actual-mtu of the bridge (set by the <var>mtu</var> property), then manually set value will be ignored and the bridge will act as if <code>mtu=auto</code> is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-querier<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Multicast querier generates IGMP general membership queries to which all IGMP capable devices respond with an IGMP membership report; usually a PIM (multicast) router generates these queries. By using this property you can make an IGMP Snooping enabled bridge generate IGMP general membership queries. This property should be used whenever there is no PIM (multicast) router in a Layer2 network or IGMP packets must be sent through multiple IGMP Snooping enabled bridges to reach a PIM (multicast) router. Without a multicast querier in a Layer2 network the Multicast Database (MDB) is not updated and IGMP Snooping will not function properly. Only untagged IGMP general membership queries are generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>. Additionally, <var>igmp-snooping</var> should be disabled/enabled after changing the <var>multicast-querier</var> property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes the state of a bridge itself if IGMP membership reports are going to be forwarded to it. This property can be used to forward IGMP membership reports to the bridge for statistics or to analyse them.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded to the bridge itself regardless what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded to the bridge itself regardless what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=text<br />
|default=bridgeN<br />
|desc=Name of the bridge interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..65535 decimal format or 0x0000-0xffff hex format<br />
|default=32768 / 0x8000<br />
|desc=Bridge priority, used by STP to determine root bridge, used by MSTP to determine CIST and IST regional root bridge. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=protocol-mode<br />
|type=none {{!}} rstp {{!}} stp {{!}} mstp<br />
|default=rstp<br />
|desc=Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a topology change. Select MSTP to ensure loop-free topology across multiple VLANs. Since RouterOS v6.43 it is possible to forward Reserved MAC addresses that are in '''01:80:C2:00:00:0X''' range, this can be done by setting the <var>protocol-mode</var> to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer: 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=querier-interval<br />
|type=time<br />
|default=4m15s<br />
|desc=Used to change the interval at which a bridge checks if it is the active multicast querier. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-interval<br />
|type=time<br />
|default=2m5s<br />
|desc=Used to change the interval at which IGMP general membership queries are sent out. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-response-interval<br />
|type=time<br />
|default=10s<br />
|desc=Interval in which an IGMP capable device must reply to an IGMP query with an IGMP membership report. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-name<br />
|type=text<br />
|default=<br />
|desc=MSTP region name. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-revision<br />
|type=integer: 0..65535<br />
|default=0<br />
|desc=MSTP configuration revision number. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=Specifies how many times <var>startup-query-interval</var> must pass until the bridge starts sending out IGMP general membership queries periodically. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-interval<br />
|type=time<br />
|default=31s250ms<br />
|desc=Used to change the amount of time after a bridge starts sending out IGMP general membership queries after the bridge is enabled. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=transmit-hold-count<br />
|type=integer: 1..10<br />
|default=6<br />
|desc=The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Globally enables or disables VLAN functionality for bridge.<br />
}}<br />
<br /><br />
<br />
{{ Warning | Changing certain properties can cause the bridge to temporarily disable all ports. This must be taken into account whenever changing such properties on production environments since it can cause all packets to be temporarily dropped. Such properties include <var>vlan-filtering</var>, <var>protocol-mode</var>, <var>igmp-snooping</var>, <var>fast-forward</var> and others. }}<br />
<br />
<br />
==Example==<br />
<br />
<p>To add and enable a bridge interface that will forward all the protocols:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> add <br />
[admin@MikroTik] /interface bridge> print <br />
Flags: X - disabled, R - running <br />
0 R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled <br />
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 <br />
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s <br />
forward-delay=15s transmit-hold-count=6 ageing-time=5m <br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Spanning Tree Protocol=<br />
<br />
RouterOS bridge interfaces are capable of running Spanning Tree Protocol to ensure a loop-free and redundant topology. For small networks with just 2 bridges STP does not bring much benefit, but for larger networks properly configured STP is crucial; leaving STP related values at their defaults may result in a completely unreachable network in case of even a single bridge failure. To achieve a proper loop-free and redundant topology, it is necessary to properly set bridge priorities, port path costs and port priorities. <br />
<br />
{{ Warning | In RouterOS it is possible to set any value for bridge priority between 0 and 65535, but the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can cause incompatibility issues with devices that do not support such values. To avoid compatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 }}<br />
<br />
STP has multiple variants; currently RouterOS supports STP, RSTP and MSTP. Depending on needs, any one of them can be used. Some devices are able to run some of these protocols using hardware offloading; detailed information about which devices support it can be found in the [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Hardware Offloading ]] section. STP is considered to be outdated and slow, and it has been almost entirely replaced in all network topologies by RSTP, which is backwards compatible with STP. For network topologies that depend on VLANs, it is recommended to use MSTP since it is a VLAN aware protocol and gives the ability to do load balancing per VLAN groups. There are a lot of considerations that should be made when designing an STP enabled network; more detailed case studies can be found in the [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol ]] section. In RouterOS the <var>protocol-mode</var> property controls the used STP variant.<br />
<br />
{{ Note | By the IEEE 802.1ad standard the BPDUs from bridges that comply with IEEE 802.1Q are not compatible with IEEE 802.1ad bridges, this means that the same bridge VLAN protocol should be used across all bridges in a single Layer2 domain, otherwise (R/M)STP will not function properly. }}<br />
<br />
== Per port STP ==<br />
There might be certain situations where you want to limit STP functionality on a single or multiple ports. Below you can find some examples for different use cases.<br />
<br />
{{ Warning | Be careful when changing the default (R/M)STP functionality, make sure you understand the working principles of STP and BPDUs. Misconfigured (R/M)STP can cause unexpected behaviour. }}<br />
<br />
* Don't send out BPDUs from a certain port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
/interface bridge filter<br />
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether1<br />
</pre><br />
<br />
In this example BPDUs will not be sent out through '''ether1'''. In case the bridge is the root bridge, loop detection will not work on this port. If another bridge is connected to '''ether1''', then the other bridge will not receive any BPDUs and therefore might become a second root bridge. You might want to consider blocking received BPDUs as well.<br />
<br />
{{ Note | You can use [[ Manual:Interface/List | Interface Lists]] to specify multiple interfaces. }}<br />
<br />
* Dropping received BPDUs on a certain port can be done on some switch chips using ACL rules, but the Bridge Filter Input rules cannot do it if bridge has STP/RSTP/MSTP enabled because then received BPDUs have special processing in the bridge.<br />
<br />
On CRS3xx:<br />
<pre><br />
/interface ethernet switch rule<br />
add dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether1 switch=switch1<br />
</pre><br />
<br />
Or on CRS1xx/CRS2xx with [[Manual:CRS1xx/2xx_series_switches#Cloud_Router_Switch_models | Access Control List (ACL) support]]:<br />
<pre><br />
/interface ethernet switch acl<br />
add action=drop mac-dst-address=01:80:C2:00:00:00 src-ports=ether1<br />
</pre><br />
<br />
In this example all received BPDUs on '''ether1''' are dropped. This will prevent other bridges on that port from becoming a root bridge.<br />
<br />
{{ Warning | If you intend to drop received BPDUs on a port, then make sure to prevent BPDUs from being sent out from the interface that this port is connected to. A root bridge always sends out BPDUs and under normal conditions is waiting for a more superior BPDU (from a bridge with a lower bridge ID), but the bridge must temporarily disable the new root-port when transitioning from a root bridge to a designated bridge. If you have blocked BPDUs only on one side, then a port will flap continuously. }}<br />
<br />
* Don't allow BPDUs on a port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1 bpdu-guard=yes<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
</pre><br />
<br />
In this example if '''ether1''' receives a BPDU, it will block the port and will require you to manually re-enable it.<br />
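
The per-port options above and the bridge priority warning can be checked offline against a configuration export. The following is an added example, not part of the original manual or of RouterOS: a small Python audit that parses export-style text and reports priorities that are not a multiple of 4096, <code>bpdu-guard</code> set on a bridge with <code>protocol-mode=none</code>, edge ports without <code>bpdu-guard</code>, and bridge filter rules that drop outgoing BPDUs. The sample export, the finding names and the policy that edge ports should have BPDU Guard are assumptions of this example.

```python
import shlex

# Defaults taken from the property tables on this page.
DEFAULT_PRIORITY = 0x8000
DEFAULT_PROTOCOL_MODE = "rstp"
BPDU_MAC = "01:80:C2:00:00:00"

# Constructed sample in RouterOS export style (not from a real device).
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge1 priority=0x7000 protocol-mode=rstp
add name=bridge2 priority=1000
add name=bridge3 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1 edge=yes
add bridge=bridge1 interface=ether2 edge=yes bpdu-guard=yes
add bridge=bridge2 interface=ether3 \
    comment="uplink to core"
add bridge=bridge3 interface=ether4 bpdu-guard=yes
/interface bridge filter
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether1
"""


def parse_export(text):
    """Return {menu: [{key: value}, ...]} for every 'add' line of an export."""
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # long lines are wrapped with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):     # menu path, e.g. /interface bridge port
            menu = line
            menus.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            tokens = shlex.split(line)[1:]   # shlex keeps quoted values whole
            menus[menu].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def audit(text):
    """Return a sorted list of (subject, finding) tuples."""
    menus = parse_export(text)
    findings, modes = [], {}

    for br in menus.get("/interface bridge", []):
        name = br.get("name", "?")
        modes[name] = br.get("protocol-mode", DEFAULT_PROTOCOL_MODE)
        prio = int(br.get("priority", hex(DEFAULT_PRIORITY)), 0)  # decimal or 0x hex
        # Priority is unused with protocol-mode=none, so only check STP bridges.
        if modes[name] != "none" and prio % 4096:
            findings.append((name, "priority-not-multiple-of-4096"))

    for port in menus.get("/interface bridge port", []):
        iface = port.get("interface", "?")
        mode = modes.get(port.get("bridge"), DEFAULT_PROTOCOL_MODE)
        guard = port.get("bpdu-guard", "no") == "yes"
        if guard and mode == "none":
            findings.append((iface, "bpdu-guard-ineffective"))
        # Policy assumed by this example: declared edge ports carry BPDU Guard.
        if not guard and mode != "none" and port.get("edge") in ("yes", "yes-discover"):
            findings.append((iface, "edge-port-without-bpdu-guard"))

    for rule in menus.get("/interface bridge filter", []):
        if (rule.get("action") == "drop" and rule.get("chain") == "output"
                and rule.get("dst-mac-address", "").upper().startswith(BPDU_MAC)):
            # Outgoing BPDUs suppressed: loop detection is lost on this port.
            findings.append((rule.get("out-interface", "all"), "bpdu-output-dropped"))

    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_EXPORT):
        print(f"{subject}: {finding}")
```

Only <code>add</code> lines are parsed; properties left at their defaults are filled in from the defaults listed on this page.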
<br />
=Bridge Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge settings</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing ([[Manual:Packet_Flow_v6 | Packet Flow]]). This does not apply to routed traffic. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to traffic in a bridge. Property <var>use-ip-firewall-for-vlan</var> is required in case bridge <var>vlan-filtering</var> is used.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-pppoe<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged un-encrypted PPPoE traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to PPPoE traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-vlan<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged VLAN traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to VLAN traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-fast-path<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to enable a bridge [[Manual:Fast_Path | FastPath]] globally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-active<br />
|type=yes {{!}} no<br />
|default=''<br />
|desc=Shows whether a bridge FastPath is active globally, FastPath status per bridge interface is not displayed. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge FastPath.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Path.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-forward-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=bridge-fast-forward-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{ Note | In case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] (Simple QoS) or global [[ Manual:Queue#Queue_Tree | Queue Trees]] to traffic that is being forwarded by a bridge, then you need to enable the <var>use-ip-firewall</var> property. Without using this property the bridge traffic will never reach the postrouting chain, [[Manual:Queue#Simple_Queues | Simple Queues]] and global [[ Manual:Queue#Queue_Tree | Queue Trees]] are working in the postrouting chain. To assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Trees]] for VLAN or PPPoE traffic in a bridge you should enable appropriate properties as well. }}<br />
<br />
=Port Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port</code></p><br />
<br /><br />
<p>Port submenu is used to enslave interfaces in a particular bridge interface.</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-isolate<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, prevents a port moving from discarding into forwarding state if no BPDUs are received from the neighboring bridge. The port will change into a forwarding state only when a BPDU is received. This property only has an effect when <var>protocol-mode</var> is set to <code>rstp</code> or <code>mstp</code> and <var>edge</var> is set to <code>no</code>. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bpdu-guard<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables the BPDU Guard feature on a port. This feature puts the port in a disabled role if it receives a BPDU, and the port must then be manually disabled and enabled again. Should be used to protect a bridge from BPDU related attacks. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface the respective interface is grouped in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=broadcast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods broadcast traffic to all bridge egress ports. When disabled, drops broadcast traffic on egress ports. Can be used to filter all broadcast traffic on an egress port. Broadcast traffic is considered as traffic that uses '''FF:FF:FF:FF:FF:FF''' as destination MAC address, such traffic is crucial for many protocols such as DHCP, ARP, NDP, BOOTP (Netinstall) and others. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=edge<br />
|type=auto {{!}} no {{!}} no-discover {{!}} yes {{!}} yes-discover<br />
|default=auto<br />
|desc=Set port as edge port or non-edge port, or enable edge discovery. Edge ports are connected to a LAN that has no other bridges attached. An edge port will skip the learning and the listening states in STP and will transition directly to the forwarding state, this reduces the STP initialization time. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
* <code>no</code> - non-edge port, will participate in learning and listening states in STP.<br />
* <code>no-discover</code> - non-edge port with enabled discovery, will participate in learning and listening states in STP, a port can become edge port if no BPDU is received.<br />
* <code>yes</code> - edge port without discovery, will transit directly to forwarding state.<br />
* <code>yes-discover</code> - edge port with enabled discovery, will transit directly to forwarding state.<br />
* <code>auto</code> - same as <code>no-discover</code>, but will additionally detect if bridge port is a Wireless interface with disabled bridge-mode, such interface will be automatically set as an edge port without discovery.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=external-fdb<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Whether to use wireless registration table to speed up bridge host learning. If there are no Wireless interfaces in a bridge, then setting <var>external-fdb</var> to <code>yes</code> will disable MAC learning and the bridge will act as a hub (disables hardware offloading). Replaced with <var>learn</var> parameter in RouterOS v6.42<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-leave<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables the IGMP Fast leave feature on the port. The bridge will stop forwarding traffic to a bridge port whenever an IGMP Leave message is received for the appropriate multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed ingress frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=learn<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Changes MAC learning behaviour on a bridge port<br />
* <code>yes</code> - enables MAC learning<br />
* <code>no</code> - disables MAC learning<br />
* <code>auto</code> - detects if bridge port is a Wireless interface and uses Wireless registration table instead of MAC learning, will use Wireless registration table if the [[Manual:Interface/Wireless | Wireless interface]] is set to one of <var>ap-bridge,bridge,wds-slave</var> mode and bridge mode for the [[Manual:Interface/Wireless | Wireless interface]] is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes the state of a bridge port, controlling whether IGMP membership reports are going to be forwarded to this port. By default IGMP membership reports (most importantly IGMP Join messages) are only forwarded to ports that have a multicast router or an IGMP Snooping enabled bridge connected to them. Without at least one port marked as a <code>multicast-router</code> IPTV might not work properly; it can be either detected automatically or forced manually.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded through this port regardless what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded through this port regardless what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges.<br />
You can improve security by forcing ports that have IPTV boxes connected to never become ports marked as <code>multicast-router</code>. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=horizon<br />
|type=integer 0..429496729<br />
|default=none<br />
|desc=Use split horizon bridging to prevent bridging loops. Set the same value for group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading. Read more about [[MPLSVPLS#Split_horizon_bridging | Bridge split horizon]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=internal-path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface for MSTI0 inside a region. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface, used by STP to determine the "best" path, used by MSTP to determine "best" path between regions. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=point-to-point<br />
|type=auto {{!}} yes {{!}} no<br />
|default=auto<br />
|desc=Specifies if a bridge port is connected to a bridge using a point-to-point link for faster convergence in case of failure. Setting this property to <code>yes</code> forces the link to be treated as a point-to-point link and skips the checking mechanism, which detects and waits for BPDUs from other devices on this single link; this significantly improves (R/M)STP convergence time. Setting this property to <code>no</code> means that you expect the link to receive BPDUs from multiple devices. In general, you should only set this property to <code>no</code> if it is possible that another device can be connected between a link, this is mostly relevant to Wireless mediums and Ethernet hubs. If the Ethernet link is full-duplex, <code>auto</code> enables point-to-point functionality. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..240<br />
|default=128<br />
|desc=The priority of the interface, used by STP to determine the root port, used by MSTP to determine root port between regions.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-role<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enable the restricted role on a port, used by STP to forbid a port becoming a root port. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-tcn<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable topology change notification (TCN) sending on a port, used by STP to forbid network topology changes to propagate. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tag-stacking<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Forces all packets to be treated as untagged packets. Packets on ingress port will be tagged with another VLAN tag regardless if a VLAN tag already exists, packets will be tagged with a VLAN ID that matches the <var>pvid</var> value and will use EtherType that is specified in <var>ether-type</var>. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trusted<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, allows DHCP packets to be forwarded towards the DHCP server through this port. Mainly used to prevent unauthorized servers from providing malicious information to users. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unknown-multicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown multicast traffic to all bridge egress ports. When disabled, drops unknown multicast traffic on egress ports. Multicast addresses that are in <code>/interface bridge mdb</code> are considered as learned multicasts and therefore will not be flooded to all ports. Without IGMP Snooping all multicast traffic will be dropped on egress ports. Has effect only on an egress port. This option does not limit traffic flood to the CPU. Note that local multicast addresses (224.0.0.0/24) are not flooded when <var>unknown-multicast-flood</var> is disabled; as a result, some protocols that rely on local multicast addresses might not work properly, such as RIPv2, OSPF, mDNS, VRRP and others. Some protocols do send an IGMP join request and therefore are compatible with IGMP Snooping, some OSPF implementations are compatible with RFC1584, RouterOS OSPF implementation is not compatible with IGMP Snooping. This property should only be used when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=unknown-unicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown unicast traffic to all bridge egress ports. When disabled, drops unknown unicast traffic on egress ports. If a MAC address is not learned in <code>/interface bridge host</code>, then the traffic is considered as unknown unicast traffic and will be flooded to all ports. MAC address is learnt as soon as a packet on a bridge port is received, then the source MAC address is added to the bridge host table. Since it is required for the bridge to receive at least one packet on the bridge port to learn the MAC address, it is recommended to use static bridge host entries to avoid packets being dropped until the MAC address has been learnt. Has effect only on an egress port. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
==Example==<br />
<br />
<p>To group <b>ether1</b> and <b>ether2</b> in the already created <b>bridge1</b> bridge</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1<br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2<br />
[admin@MikroTik] /interface bridge port> print <br />
Flags: X - disabled, I - inactive, D - dynamic <br />
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON <br />
0 ether1 bridge1 0x80 10 none <br />
1 ether2 bridge1 0x80 10 none <br />
[admin@MikroTik] /interface bridge port> <br />
</pre><br />
<br />
=Interface lists=<br />
Starting with RouterOS v6.41 it is possible to add interface lists as a bridge port and sort them. Interface lists are useful for creating simpler firewall rules, you can read more about interface lists at the [[Manual:Interface/List | Interface List ]] section. Below is an example of how to add an interface list to a bridge:<br />
<pre><br />
/interface list member<br />
add interface=ether1 list=LAN1<br />
add interface=ether2 list=LAN1<br />
add interface=ether3 list=LAN2<br />
add interface=ether4 list=LAN2<br />
/interface bridge port<br />
add bridge=bridge1 interface=LAN1<br />
add bridge=bridge1 interface=LAN2<br />
</pre><br />
<br />
Ports from an interface list added to a bridge will show up as dynamic ports:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN1 bridge1<br />
1 D ether1 bridge1<br />
2 D ether2 bridge1<br />
3 LAN2 bridge1<br />
4 D ether3 bridge1<br />
5 D ether4 bridge1 <br />
</pre><br />
<br />
It is also possible to change the order in which lists appear in the <code>/interface bridge port</code> menu. This can be done using the <code>move</code> command. Below is an example of how to sort interface lists:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port move 3 0<br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN2 bridge1<br />
1 D ether3 bridge1<br />
2 D ether4 bridge1<br />
3 LAN1 bridge1<br />
4 D ether1 bridge1<br />
5 D ether2 bridge1<br />
</pre><br />
<br />
{{ Note | The second parameter when moving interface lists is treated as "before id": it specifies the interface list before which the selected interface list is placed. Moving the first interface list in place of the second interface list has no effect, since the first list would be moved before the second list, which is already the current state.}}<br />
<br />
=Hosts Table=<br />
<br />
MAC addresses that have been learned on a bridge interface can be viewed in the <code>/interface bridge host</code> menu. Below is a table of parameters and flags that can be viewed.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>age</b></var> (<em>read-only: time</em>)</td><br />
<td>The time since the last packet was received from the host. Appears only for dynamic, non-external and non-local host entries</td><br />
</tr><br />
<tr><br />
<td><var><b>bridge</b></var> (<em>read-only: name</em>)</td><br />
<td>The bridge the entry belongs to</td><br />
</tr><br />
<tr><br />
<td><var><b>disabled</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the static host entry is disabled</td><br />
</tr><br />
<tr><br />
<td><var><b>dynamic</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been dynamically created</td><br />
</tr><br />
<tr><br />
<td><var><b>external</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been learned using an external table, for example, from a switch chip or Wireless registration table. Adding a static host entry on a hardware-offloaded bridge port will also display an active external flag</td><br />
</tr><br />
<tr><br />
<td><var><b>invalid</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is invalid, can appear for statically configured hosts on already removed interface</td><br />
</tr><br />
<tr><br />
<td><var><b>local</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is created from the bridge itself (that way all local interfaces are shown)</td><br />
</tr><br />
<tr><br />
<td><var><b>mac-address</b></var> (<em>read-only: MAC address</em>)</td><br />
<td>Host's MAC address</td><br />
</tr><br />
<tr><br />
<td><var><b>on-interface</b></var> (<em>read-only: name</em>)</td><br />
<td>Which of the bridged interfaces the host is connected to</td><br />
</tr><br />
</table><br />
<br />
==Monitoring==<br />
<p>To get the active hosts table:</p><br />
<pre><br />
[admin@MikroTik] > interface bridge host print <br />
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external <br />
# MAC-ADDRESS VID ON-INTERFACE BRIDGE AGE<br />
0 D E D4:CA:6D:E1:B5:7E ether2 bridge1<br />
1 DL E4:8D:8C:73:70:37 bridge1 bridge1<br />
2 D D4:CA:6D:E1:B5:7F ether3 bridge2 27s<br />
3 DL E4:8D:8C:73:70:38 bridge2 bridge2<br />
</pre><br />
<br />
==Static entries==<br />
<br />
Since RouterOS v6.42 it is possible to add a static MAC address entry into the hosts table. This can be used to forward a certain type of traffic through a specific port. Another use case for static host entries is protecting the device resources by disabling dynamic learning and relying only on configured static host entries. Below is a table of possible parameters that can be set when adding a static MAC address entry into the hosts table.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface to which the MAC address is going to be assigned to.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disables/enables static MAC address entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=MAC address that will be added to the hosts table statically.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vid<br />
|type=integer: 1..4094<br />
|default=<br />
|desc=VLAN ID for the statically added MAC address entry.<br />
}}<br />
<br />
For example, if it was required that all traffic destined to '''4C:5E:0C:4D:12:43''' is forwarded only through '''ether2''', then the following commands can be used:<br />
<pre><br />
/interface bridge host<br />
add bridge=bridge interface=ether2 mac-address=4C:5E:0C:4D:12:43<br />
</pre><br />
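A static-only port can be checked for drift from the hosts table output. The following Python code is an added example, not part of the MikroTik manual: it parses <code>/interface bridge host print</code> output in the column layout shown in the Monitoring section and reports dynamic or unexpected entries on ports that are meant to carry only static hosts. The sample output, the set of locked ports and the expected entries are constructed assumptions.

```python
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# Constructed sample output (layout as in the Monitoring section, not from a real device).
SAMPLE_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external
 #       MAC-ADDRESS        VID ON-INTERFACE  BRIDGE   AGE
 0       4C:5E:0C:4D:12:43      ether2        bridge1
 1   D   D4:CA:6D:E1:B5:7E      ether2        bridge1  12s
 2   DL  E4:8D:8C:73:70:37      bridge1       bridge1
 3   D   D4:CA:6D:E1:B5:7F      ether3        bridge1  27s
 4       02:00:00:00:00:99      ether2        bridge1
"""


def parse_host_table(text):
    """Return one dict per host row; header and flag-legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        mac_pos = next(
            (i for i, tok in enumerate(tokens) if MAC_RE.fullmatch(tok)), None
        )
        # A host row starts with a numeric index and has a MAC after the flags.
        if mac_pos is None or mac_pos == 0 or not tokens[0].isdigit():
            continue
        rest = tokens[mac_pos + 1:]
        # The VID column is empty unless VLAN filtering is in use.
        vid = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        if len(rest) < 2:
            continue
        entries.append({
            "flags": "".join(tokens[1:mac_pos]),  # "D E" becomes "DE"
            "mac": tokens[mac_pos].upper(),
            "vid": vid,
            "interface": rest[0],
            "bridge": rest[1],
            "age": rest[2] if len(rest) > 2 else None,
        })
    return entries


def audit_locked_ports(entries, locked_ports, expected_static):
    """Compare the hosts table with the intended static-only configuration.

    locked_ports: interfaces meant to have dynamic learning disabled (assumption).
    expected_static: {mac: interface} of the static entries that should exist.
    """
    expected = {mac.upper(): port for mac, port in expected_static.items()}
    findings = []
    active_static = set()
    for entry in entries:
        if entry["interface"] not in locked_ports or "L" in entry["flags"]:
            continue
        if "D" in entry["flags"]:
            # Learning is still happening on a port that should be static-only.
            findings.append(
                ("dynamic-on-locked-port", entry["mac"], entry["interface"])
            )
        elif expected.get(entry["mac"]) != entry["interface"]:
            findings.append(("unexpected-static", entry["mac"], entry["interface"]))
        elif "X" not in entry["flags"] and "I" not in entry["flags"]:
            active_static.add(entry["mac"])
    for mac, port in sorted(expected.items()):
        if mac not in active_static:
            findings.append(("missing-static", mac, port))
    return findings


if __name__ == "__main__":
    hosts = parse_host_table(SAMPLE_PRINT)
    for finding in audit_locked_ports(
        hosts, {"ether2"}, {"4C:5E:0C:4D:12:43": "ether2"}
    ):
        print(finding)
```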
<br />
=Bridge Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge monitor</code></p><br />
<br /><br />
<p>Used to monitor the current status of a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="35%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>current-mac-address</b></var> (<em>MAC address</em>)</td><br />
<td>Current MAC address of the bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>designated-port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of designated bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of the bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge</b></var> (<em>yes | no</em>)</td><br />
<td>Shows whether bridge is the root bridge of the spanning tree</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge-id</b></var> (<em>text</em>)</td><br />
<td>The root bridge ID, which is in form of bridge-priority.bridge-MAC-address</td><br />
</tr><br />
<tr><br />
<td><var><b>root-path-cost</b></var> (<em>integer</em>)</td><br />
<td>The total cost of the path to the root-bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>root-port</b></var> (<em>name</em>)</td><br />
<td>Port to which the root bridge is connected to</td><br />
</tr><br />
<tr><br />
<td><var><b>state</b></var> (<em>enabled | disabled</em>)</td><br />
<td>State of the bridge</td><br />
</tr><br />
</table><br />
<br />
<h3>Example</h3><br />
<br />
<p>To monitor a bridge:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> monitor bridge1 <br />
state: enabled<br />
current-mac-address: 00:0C:42:52:2E:CE<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
<br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Bridge Port Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port monitor</code></p><br />
<br /><br />
<p>Statistics of an interface that belongs to a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>edge-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is an edge port or not.</td><br />
</tr><br />
<tr><br />
<td><var><b>edge-port-discovery</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is set to automatically detect edge ports.</td><br />
</tr><br />
<tr><br />
<td><var><b>external-fdb</b></var> (<em>yes | no</em>)</td><br />
<td>Whether registration table is used instead of forwarding data base.</td><br />
</tr><br />
<tr><br />
<td><var><b>forwarding</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is not blocked by (R/M)STP.</td><br />
</tr><br />
<tr><br />
<td><var><b>hw-offload-group</b></var> (<em>switchX</em>)</td><br />
<td>Switch chip used by the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>learning</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is currently listening for BPDUs.</td><br />
</tr><br />
<tr><br />
<td><var><b>multicast-router</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if a multicast router is detected on the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>port-number</b></var> (<em>integer 1..4095</em>)</td><br />
<td>port-number will be assigned in the order that ports got added to the bridge, but this is only true until reboot. After reboot internal numbering will be used - for example, sfp ports will have first port-numbers, followed by Ethernet ports in order, ether1, ether2, etc.</td><br />
</tr><br />
<tr><br />
<td><var><b>point-to-point-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is connected to a bridge port using full-duplex (yes) or half-duplex (no).</td><br />
</tr><br />
<tr><br />
<td><var><b>role</b></var> (<em>designated | root port | alternate | backup | disabled</em>)</td><br />
<td><br />
(R/M)STP algorithm assigned role of the port:<br />
* <code>Disabled port</code> - not strictly part of STP, a network administrator can manually disable a port<br />
* <code>Root port</code> - a forwarding port that is the best port from a non-root bridge to the root bridge<br />
* <code>Alternative port</code> - an alternate path to the root bridge. This path is different than using the root port<br />
* <code>Designated port</code> - a forwarding port for every LAN segment<br />
* <code>Backup port</code> - a backup/redundant path to a segment where another bridge port already connects.<br />
</td><br />
</tr><br />
<tr><br />
<td><var><b>sending-rstp</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is sending BPDU messages</td><br />
</tr><br />
<tr><br />
<td><var><b>status</b></var> (<em>in-bridge | inactive</em>)</td><br />
<td>Port status:<br />
* <code>in-bridge</code> - port is enabled.<br />
* <code>inactive</code> - port is disabled.<br />
</td><br />
</tr><br />
</table><br />
<br />
==Example==<br />
<br />
<p>To monitor a bridge port:</p><br />
<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor 0 <br />
status: in-bridge<br />
port-number: 1<br />
role: designated-port<br />
edge-port: no<br />
edge-port-discovery: yes<br />
point-to-point-port: no<br />
external-fdb: no<br />
sending-rstp: no<br />
learning: yes<br />
forwarding: yes<br />
<br />
[admin@MikroTik] /interface bridge port><br />
</pre><br />
<br />
=Bridge Hardware Offloading=<br />
<br />
Since RouterOS v6.41 it is possible to switch multiple ports together if a device has a built-in switch chip. While a bridge is a software feature that consumes CPU resources, the bridge hardware offloading feature allows you to use the built-in switch chip to forward packets, which lets you achieve higher throughput if configured correctly. In previous versions (prior to RouterOS v6.41) you had to use the <var>master-port</var> property to switch multiple ports together, but in RouterOS v6.41 this property is replaced with the bridge hardware offloading feature, which allows you to switch ports and use some of the bridge features, for example, [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol]]. More details about the outdated <var>master-port</var> property can be found in the [[Manual:Master-port | Master-port]] page.<br />
<br />
{{ Note | When upgrading from previous versions (before RouterOS v6.41), the old <var>master-port</var> configuration is automatically converted to the new '''Bridge Hardware Offloading''' configuration. When downgrading from newer versions (RouterOS v6.41 and newer) to older versions (before RouterOS v6.41) the configuration is not converted back, a bridge without hardware offloading will exist instead, in such a case you need to reconfigure your device to use the old <var>master-port</var> configuration. }}<br />
<br />
Below is a list of devices and features that support hardware offloading (+) or disable hardware offloading (-):<br />
<br />
{| border="1" class="wikitable collapsible sortable" style="text-align: center"<br />
| nowrap style="background-color: #CCC;* " | <b><u>RouterBoard/[Switch Chip] Model</u></b><br />
| nowrap style="background-color: #CCC;* " | <b>Features in Switch menu</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge STP/RSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge MSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge IGMP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge DHCP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge VLAN Filtering</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bonding</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS3xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS1xx/CRS2xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>+ <small style="font-size:60%;">1</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [QCA8337]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8327]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|-<br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8227]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8316]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros7240]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [MT7621]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [RTL8367]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [ICPlus175D]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
|}<br />
<br />
<b>NOTES:</b><br />
# Feature will not work properly in VLAN switching setups. It is possible to correctly snoop DHCP packets only for a single VLAN, but this requires that these DHCP messages get tagged with the correct VLAN tag using an ACL rule, for example, <code>/interface ethernet switch acl add dst-l3-port=67-68 ip-protocol=udp mac-protocol=ip new-customer-vid=10 src-ports=switch1-cpu</code>. DHCP Option 82 will not contain any information regarding VLAN-ID. <br />
# Feature will not work properly in VLAN switching setups.<br />
<br />
{{ Note | When upgrading from older versions (before RouterOS v6.41), only the <var>master-port</var> configuration is converted. For each <var>master-port</var> a bridge will be created. VLAN configuration is not converted and should not be changed, check the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide to be sure how VLAN switching should be configured for your device. }}<br />
<br />
Bridge Hardware Offloading should be considered as port switching, but with more possible features. By enabling hardware offloading you are allowing a built-in switch chip to process packets using its switching logic. The diagram below illustrates that switching occurs before any software related action:<br />
<br />
[[File:switch-png.png|center]]<br />
<br />
A packet that is received by one of the ports always passes through the switch logic first. Switch logic decides which ports the packet should go to (most commonly this decision is made based on the destination MAC address of a packet, but other criteria might be involved based on the packet and the configuration). In most cases the packet will not be visible to RouterOS (only statistics will show that a packet has passed through), this is because the packet was already processed by the switch chip and never reached the CPU, though it is possible in certain situations to allow a packet to be processed by the CPU. To allow the CPU to process a packet you need to forward the packet to the CPU and not allow the switch chip to forward the packet through a switch port directly, this is usually called passing a packet to the switch CPU port (or the bridge CPU port in bridge VLAN filtering scenario).<br />
<br />
By passing a packet to the switch CPU port you are prohibiting the switch chip from forwarding the packet directly, this allows the CPU to process the packet and lets the CPU forward the packet. Passing the packet to the CPU port will give you the opportunity to route packets to different networks, perform traffic control and other software related packet processing actions. To allow a packet to be processed by the CPU, you need to make certain configuration changes depending on your needs and on the device you are using (most commonly passing packets to the CPU is required for VLAN filtering setups). Check the manual page for your specific device:<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches_examples | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | non-CRS series switches]]<br />
<br />
{{ Warning | Certain bridge and Ethernet port properties are directly related to switch chip settings, changing such properties can trigger a '''switch chip reset''' that will temporarily disable all Ethernet ports that are on the switch chip for the settings to take effect, this must be taken into account whenever changing properties in production environments. Such properties are DHCP Snooping, IGMP Snooping, VLAN filtering, L2MTU, Flow Control and others (the exact settings that can trigger a switch chip reset depend on the device's model). }}<br />
<br />
==Example==<br />
<br />
Port switching with bridge configuration and enabled hardware offloading since RouterOS v6.41:<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2 hw=yes<br />
add bridge=bridge1 interface=ether3 hw=yes<br />
add bridge=bridge1 interface=ether4 hw=yes<br />
add bridge=bridge1 interface=ether5 hw=yes<br />
</pre><br />
<br />
Make sure that hardware offloading is enabled by checking the "H" flag:<br />
<pre><br />
[admin@MikroTik] > interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON<br />
0 H ether2 bridge1 yes 1 0x80 10 10 none<br />
1 H ether3 bridge1 yes 1 0x80 10 10 none<br />
2 H ether4 bridge1 yes 1 0x80 10 10 none<br />
3 H ether5 bridge1 yes 1 0x80 10 10 none<br />
</pre><br />
<br />
{{ Note | Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior to RouterOS v6.41 port switching was done using the <var>master-port</var> property, for more details check the [[Manual:Master-port | Master-port]] page. }}<br />
<br />
=Bridge VLAN Filtering=<br />
<br />
{{ Note | Currently only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide. If an improper configuration method is used, your device can cause throughput issues in your network. }}<br />
<br />
<p>Bridge VLAN Filtering since RouterOS v6.41 provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge.<br />
This set of features makes bridge operation more like a traditional Ethernet switch and allows overcoming Spanning Tree compatibility issues compared to a configuration where tunnel-like VLAN interfaces are bridged.<br />
Bridge VLAN Filtering configuration is highly recommended to comply with STP (IEEE 802.1D), RSTP (IEEE 802.1W) standards and is mandatory to enable MSTP (IEEE 802.1s) support in RouterOS.</p><br />
<br />
<p>The main VLAN setting is <code>vlan-filtering</code> which globally controls vlan-awareness and VLAN tag processing in the bridge.<br />
If <code>vlan-filtering=no</code>, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets.<br />
Turning on <code>vlan-filtering</code> enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode.<br />
Besides joining the ports for Layer2 forwarding, bridge itself is also an interface therefore it has Port VLAN ID (pvid).</p><br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge vlan</code></p><br />
<br />
<p>Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action.<br />
<code>tagged</code> ports send out frames with a learned VLAN ID tag.<br />
<code>untagged</code> ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port <code>pvid</code>.<br />
</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface which the respective VLAN entry is intended for.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables Bridge VLAN entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. <code>tagged=ether1,ether2</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=untagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. <code>untagged=ether3,ether4</code><br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-ids<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID range as well as comma separated values. E.g. <code>vlan-ids=100-115,120,122,128-130</code>.<br />
}}<br />
<br /><br />
{{ Warning | The <var>vlan-ids</var> parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are trunk ports. In case multiple VLANs are specified for access ports, then tagged packets might get sent out as untagged packets through the wrong access port, regardless of the <var>PVID</var> value. }}<br />
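The condition in the warning above can be checked mechanically. The following Python code is an added example, not part of the MikroTik manual: it reads <code>/interface bridge vlan</code> entries from an exported configuration, expands <code>vlan-ids</code> ranges, and flags enabled entries that combine several VLAN IDs with untagged (access) ports. The export text is constructed, and one <code>add</code> entry per line is assumed.

```python
import re

# Constructed sample in the style of a RouterOS export (not from a real device).
SAMPLE_EXPORT = """\
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7,ether8 vlan-ids=300,400
add bridge=bridge1 tagged=ether2,ether3 vlan-ids=100-115,120,122,128-130
add bridge=bridge1 disabled=yes tagged=ether2 untagged=ether9 vlan-ids=500-501
/interface bridge port
add bridge=bridge1 interface=ether6 pvid=200
"""


def expand_vlan_ids(spec):
    """Expand a vlan-ids value such as '100-115,120' into a sorted list."""
    ids = set()
    for part in spec.split(","):
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not match:
            raise ValueError(f"bad vlan-ids element: {part!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"vlan-ids outside 1..4094: {part!r}")
        ids.update(range(low, high + 1))
    return sorted(ids)


def split_list(value):
    """Split a comma separated interface list, dropping empty items."""
    return [item for item in value.split(",") if item]


def parse_vlan_entries(export_text):
    """Collect the 'add' lines that belong to the /interface bridge vlan menu."""
    entries = []
    in_vlan_menu = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            in_vlan_menu = line == "/interface bridge vlan"
            continue
        if not in_vlan_menu or not line.startswith("add "):
            continue
        props = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        entries.append({
            "bridge": props.get("bridge", ""),
            "disabled": props.get("disabled", "no") == "yes",
            "tagged": split_list(props.get("tagged", "")),
            "untagged": split_list(props.get("untagged", "")),
            # Default taken from the property table above: vlan-ids=1.
            "vlan_ids": expand_vlan_ids(props.get("vlan-ids", "1")),
        })
    return entries


def find_multi_vlan_access_entries(entries):
    """Enabled entries that list more than one VLAN ID and have untagged ports."""
    return [
        entry for entry in entries
        if not entry["disabled"]
        and len(entry["vlan_ids"]) > 1
        and entry["untagged"]
    ]


if __name__ == "__main__":
    for entry in find_multi_vlan_access_entries(parse_vlan_entries(SAMPLE_EXPORT)):
        print(
            f"{entry['bridge']}: untagged ports {entry['untagged']} "
            f"share VLANs {entry['vlan_ids']}; split into one entry per VLAN"
        )
```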
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br />
<p>Bridge Host table allows monitoring learned MAC addresses and when <code>vlan-filtering</code> is enabled shows learned VLAN ID as well.</p><br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge host print where !local<br />
Flags: L - local, E - external-fdb <br />
BRIDGE VID MAC-ADDRESS ON-INTERFACE AGE <br />
bridge1 200 D4:CA:6D:77:2E:F0 ether3 7s <br />
bridge1 200 E4:8D:8C:1B:05:F0 ether2 2s <br />
bridge1 300 D4:CA:6D:74:65:9D ether4 3s <br />
bridge1 300 E4:8D:8C:1B:05:F0 ether2 2s <br />
bridge1 400 4C:5E:0C:4B:89:5C ether5 0s <br />
bridge1 400 E4:8D:8C:1B:05:F0 ether2 0s <br />
[admin@MikroTik] > <br />
</pre><br />
<br />
{{ Note | Make sure you have added all needed interfaces to the bridge VLAN table when using bridge VLAN filtering. For routing functions to work properly on the same device through ports that use bridge VLAN filtering, you will need to allow access to the CPU from those ports. This can be done by adding the bridge interface itself to the VLAN table. For tagged traffic you will need to add the bridge interface as a tagged port and create a VLAN interface on the bridge interface. Examples can be found at the [[Manual:Interface/Bridge#Management_port| Management port]] section.}}<br />
<br />
{{ Warning | When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, which is not always desirable. When access to the CPU is allowed from a certain VLAN ID and port, make sure you implement proper firewall filter rules to secure your device, and use those rules to allow access to only certain services.}}<br />
<br />
==VLAN Example #1 (Trunk and Access Ports)==<br />
<br />
{{ Note | Improperly configured bridge VLAN filtering can cause security issues. Make sure you fully understand how the [[ Manual:Bridge_VLAN_Table | Bridge VLAN table]] works before deploying your device into production environments. }}<br />
<br />
[[File:portbased-vlan1.png|center|frame|alt=Alt text|Trunk and Access Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the device before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==VLAN Example #2 (Trunk and Hybrid Ports)==<br />
<br />
[[File:portbased-vlan2.png|center|frame|alt=Alt text|Trunk and Hybrid Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> on hybrid VLAN ports to assign untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example egress VLAN tagging is done on ether6,ether7,ether8 ports too, making them into hybrid ports.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | You don't have to add access ports as untagged ports: they will be added dynamically as untagged ports with the VLAN ID that is specified in <code>PVID</code>, so you can specify just the trunk port as a tagged port. All ports that have the same <code>PVID</code> set will be added as untagged ports in a single entry. You must take into account that the bridge itself is a port and it also has a <code>PVID</code> value. This means that the bridge port will also be added as an untagged port for the ports that have the same <code>PVID</code>. You can circumvent this behaviour by either setting a different <code>PVID</code> on all ports (even the trunk port and bridge itself), or by using <code>frame-type</code> set to <code>accept-only-vlan-tagged</code>. }}<br />
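The warnings above (several VLAN IDs in one entry that also has untagged ports, the bridge interface as a VLAN member giving CPU access, and ports that share the bridge <code>PVID</code>) can be checked mechanically before <code>vlan-filtering</code> is enabled. The following is an added example, not MikroTik code: a small Python audit over a constructed configuration export. The finding names and the simplified parser are assumptions of this example.

```python
"""Audit a RouterOS bridge VLAN export for the pitfalls described in the warnings."""


def expand_vlan_ids(spec):
    """Expand a vlan-ids value such as '100-115,120' into a set of integers."""
    ids = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad vlan-ids range: {part!r}")
        ids.update(range(first, last + 1))
    return ids


def parse_export(text):
    """Collect 'add' lines per menu as dicts (quoted values with spaces are not handled)."""
    menu, items = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (word.split("=", 1) for word in line.split()[1:] if "=" in word)
            items.setdefault(menu, []).append(dict(pairs))
    return items


def port_list(value):
    """Split a comma separated interface list; a missing value gives an empty list."""
    return [p for p in (value or "").split(",") if p]


def audit(text):
    """Return a list of (finding, vlan, ports) tuples in configuration order."""
    cfg = parse_export(text)
    # RouterOS default PVID is 1 for the bridge and for every bridge port.
    bridge_pvid = {b.get("name"): int(b.get("pvid", 1))
                   for b in cfg.get("/interface bridge", [])}
    findings = []
    for entry in cfg.get("/interface bridge vlan", []):
        label = entry.get("vlan-ids", "1")
        untagged = port_list(entry.get("untagged"))
        members = untagged + port_list(entry.get("tagged"))
        # Several VLAN IDs in one entry are only safe for trunk (tagged) ports.
        if len(expand_vlan_ids(label)) > 1 and untagged:
            findings.append(("multi-vlan-untagged", label, untagged))
        # The bridge as a member means this VLAN can reach the CPU: review firewall rules.
        if entry.get("bridge") in members:
            findings.append(("cpu-access", label, [entry["bridge"]]))
    for port in cfg.get("/interface bridge port", []):
        bridge = port.get("bridge")
        # Same PVID as the bridge: the bridge is dynamically added as untagged with this port.
        if bridge in bridge_pvid and int(port.get("pvid", 1)) == bridge_pvid[bridge]:
            findings.append(("shares-bridge-pvid", str(bridge_pvid[bridge]),
                             [port["interface"]]))
    return findings


# Constructed sample: two access ports placed in one multi-VLAN entry.
RISKY = """
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6,ether7 vlan-ids=200,300
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=99
"""

# The configuration from VLAN Example #1 on this page.
EXAMPLE_1 = """
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400
"""

if __name__ == "__main__":
    for finding in audit(RISKY):
        print(finding)
```

For Example #1 the only finding is the trunk port ether2, which keeps the default PVID and therefore shares VLAN 1 with the bridge interface.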
<br />
==VLAN Example #3 (InterVLAN Routing by Bridge)==<br />
<br />
[[File:bridge-vlan-routing.png|center|frame|alt=Alt text|InterVLAN Routing by Bridge]]<br />
<br />
Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured:<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN:<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example '''bridge1''' interface is the VLAN trunk that will send traffic further to do InterVLAN routing:<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
Configure VLAN interfaces on the '''bridge1''' to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned:<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=VLAN200 vlan-id=200<br />
add interface=bridge1 name=VLAN300 vlan-id=300<br />
add interface=bridge1 name=VLAN400 vlan-id=400<br />
<br />
/ip address<br />
add address=20.0.0.1/24 interface=VLAN200<br />
add address=30.0.0.1/24 interface=VLAN300<br />
add address=40.0.0.1/24 interface=VLAN400<br />
</pre><br />
<br />
In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==Management access configuration==<br />
<br />
There are multiple ways to set up management access on a device that uses bridge VLAN filtering. Below are some of the most popular approaches to properly enable access to a router/switch. Start by creating a bridge without VLAN filtering enabled:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* In case VLAN filtering will not be used and access with untagged traffic is desired<br />
<br />
The only requirement is to create an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.99.1/24 interface=bridge1<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with tagged traffic is desired<br />
<br />
In this example VLAN99 will be used to access the device, a VLAN interface on the bridge must be created and an IP address must be assigned to it.<br />
<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=MGMT vlan-id=99<br />
/ip address<br />
add address=192.168.99.1/24 interface=MGMT<br />
</pre><br />
<br />
For example, if you want to allow access to the router/switch from access ports '''ether3''', '''ether4''' and from trunk port '''sfp-sfpplus1''', then you must add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired<br />
<br />
To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.88.1/24 interface=bridge1<br />
</pre><br />
<br />
It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports '''ether3''', '''ether4''' add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1<br />
</pre><br />
<br />
Make sure that PVID on the bridge interface matches the PVID value on these ports:<br />
<pre><br />
/interface bridge set bridge1 pvid=1<br />
/interface bridge port set ether3,ether4 pvid=1<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Note | If connection to the router/switch through an IP address is not required, then steps adding this IP address can be skipped since connection to the router/switch through Layer2 protocols (e.g. MAC-telnet) will be working either way. }}<br />
<br />
==VLAN Tunneling (Q-in-Q)==<br />
Since RouterOS v6.43 the RouterOS bridge is IEEE 802.1ad compliant and it is possible to filter VLAN IDs based on Service VLAN ID (0x88A8) rather than Customer VLAN ID (0x8100). The same principles can be applied as with IEEE 802.1Q VLAN filtering (the same setup examples can be used). Below is a topology for a common '''Provider bridge''':<br />
<br />
[[File:provider_bridge.png|700px|thumb|center|alt=Alt text|Provider bridge topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic by 802.1Q (CVID), but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with an SVID and only allow these VLANs on certain ports. Start by enabling the <code>802.1ad</code> VLAN protocol on the bridge. Use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x88a8<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' are going to be access ports (untagged), use the <code>pvid</code> parameter to tag all ingress traffic on each port, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200<br />
add interface=ether2 bridge=bridge1 pvid=300<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering. Use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. The difference between using different EtherTypes is that you must use a Service VLAN interface. Service VLAN interfaces can be created as a regular VLAN interface, but the <var>use-service-tag</var> parameter toggles whether the interface will use the Service VLAN tag. }}<br />
<br />
{{ Note | Currently only CRS3xx series switches are capable of hardware offloading VLAN filtering based on SVID (Service VLAN ID) tag when <var>ether-type</var> is set to 0x88a8. }}<br />
<br />
{{ Warning | When <code>ether-type&#61;0x8100</code>, the bridge checks whether the outer VLAN tag is using EtherType <code>0x8100</code>. If the bridge receives a packet with an outer tag that has a different EtherType, it will mark the packet as <code>untagged</code>. Since RouterOS only checks the outer tag of a packet, it is not possible to filter 802.1Q packets when the 802.1ad protocol is used. }}<br />
<br />
===Tag stacking===<br />
<br />
Since RouterOS v6.43 it is possible to forcefully add a new VLAN tag over any existing VLAN tags. This feature can be used to achieve a CVID stacking setup, where a CVID (0x8100) tag is added before an existing CVID tag. This type of setup is very similar to the [[ Manual:Interface/Bridge#VLAN_Tunneling_.28Q-in-Q.29 | Provider bridge]] setup. To achieve the same setup but with multiple CVID tags (CVID stacking) we can use the same topology:<br />
<br />
[[File:tag_stacking.png|700px|thumb|center|alt=Alt text|Tag stacking topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic. It can be 802.1ad, 802.1Q or any other type of traffic, but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with a new CVID tag and only allow these VLANs on certain ports. Start by selecting the proper EtherType. Use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x8100<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' will ignore any VLAN tags that are present and add a new VLAN tag, use the <code>pvid</code> parameter to tag all ingress traffic on each port and allow <code>tag-stacking</code> on these ports, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200 tag-stacking=yes<br />
add interface=ether2 bridge=bridge1 pvid=300 tag-stacking=yes<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, you only need to specify the VLAN ID of the outer tag, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, which is required in order for the <code>PVID</code> parameter to have any effect. Use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. }}<br />
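The outer-tag rule from the Q-in-Q warning and the effect of <code>tag-stacking</code> can be followed on raw frames. The following is an added example, not RouterOS code: a simplified Python model of how an ingress frame gets its VLAN ID on ports with <code>pvid=200</code>. The function names and the sample frame are constructed for this example, and priority-tagged frames (VID 0) are not modelled.

```python
import struct

C_TAG, S_TAG = 0x8100, 0x88A8   # 802.1Q customer tag and 802.1ad service tag EtherTypes


def vlan_tag(tpid, vid, pcp=0):
    """Build a 4-byte VLAN tag: EtherType followed by the TCI (priority + VLAN ID)."""
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def classify(frame, bridge_ether_type, pvid, tag_stacking=False):
    """Return (vid, frame as it would leave a tagged port) for one ingress frame.

    Only the outer tag is inspected. If its EtherType differs from the bridge
    ether-type, or tag-stacking is enabled on the port, the frame is handled as
    untagged: it is assigned the port PVID and a new outer tag is pushed.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    outer_type = struct.unpack("!H", frame[12:14])[0]
    if outer_type == bridge_ether_type and not tag_stacking:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame                      # VID is taken from the sender's own tag
    pushed = frame[:12] + vlan_tag(bridge_ether_type, pvid) + frame[12:]
    return pvid, pushed


def tag_stack(frame):
    """List the (EtherType, VID) tags of a frame from the outside in."""
    tags, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid not in (C_TAG, S_TAG):
            break
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
    return tags


# Constructed sample: a broadcast frame that R1 sends with its own 802.1Q tag, VID 10.
CUSTOMER_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("d4ca6d000001")
                  + vlan_tag(C_TAG, 10) + struct.pack("!H", 0x0800) + bytes(46))

if __name__ == "__main__":
    for label, args in [("802.1ad bridge", (S_TAG, 200, False)),
                        ("802.1Q bridge", (C_TAG, 200, False)),
                        ("802.1Q bridge + tag-stacking", (C_TAG, 200, True))]:
        vid, out = classify(CUSTOMER_FRAME, *args)
        print(label, vid, [(hex(t), v) for t, v in tag_stack(out)])
```

On the plain 802.1Q bridge the frame keeps the sender's VID 10, so isolation then depends on the bridge VLAN table not listing that VLAN for the port; in the other two cases the port PVID decides the outer VLAN and the inner tag is carried through unchanged.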
<br />
=Fast Forward=<br />
<br />
Fast Forward allows packets to be forwarded faster under special conditions. When Fast Forward is enabled, the bridge can process packets even faster since it can skip multiple bridge related checks, including MAC learning. Below you can find a list of conditions that '''MUST''' be met in order for Fast Forward to be active:<br />
* Bridge has <var>fast-forward</var> set to <code>yes</code><br />
* Bridge has only 2 running ports<br />
* Both bridge ports support [[ Manual:Fast_Path | Fast Path]], Fast Path is active on ports and globally on the bridge<br />
* [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] is disabled<br />
* <var>protocol-mode</var> is set to <code>none</code><br />
* [[ Manual:Interface/Bridge#Bridge_VLAN_Filtering | Bridge VLAN Filtering]] is disabled<br />
* [[Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82 | bridge DHCP snooping]] is disabled<br />
* <var>unknown-multicast-flood</var> is set to <code>yes</code><br />
* <var>unknown-unicast-flood</var> is set to <code>yes</code><br />
* <var>broadcast-flood</var> is set to <code>yes</code><br />
* MAC address for the bridge matches with a MAC address from one of the bridge slaves<br />
* <var>horizon</var> for both ports is set to <code>none</code><br />
<br />
{{ Note | Fast Forward disables MAC learning. This is by design to achieve faster packet forwarding. MAC learning prevents traffic from flooding multiple interfaces, but MAC learning is not needed when a packet can only be sent out through just one interface. }}<br />
<br />
{{ Warning | Fast Forward is disabled when hardware offloading is enabled. Hardware offloading can achieve full wire-speed performance when it is active since it will use the built-in switch chip (if such exists on your device), while Fast Forward uses the CPU to forward packets. When comparing throughput, you would get these results: Hardware offloading > Fast Forward > Fast Path > Slow Path. }}<br />
<br />
It is possible to check how many packets were processed by Fast Forward:<br />
<pre><br />
[admin@MikroTik] > /interface bridge settings print <br />
use-ip-firewall: no<br />
use-ip-firewall-for-vlan: no<br />
use-ip-firewall-for-pppoe: no<br />
allow-fast-path: yes<br />
bridge-fast-path-active: yes<br />
bridge-fast-path-packets: 0<br />
bridge-fast-path-bytes: 0<br />
bridge-fast-forward-packets: 1279812<br />
bridge-fast-forward-bytes: 655263744<br />
</pre><br />
<br />
{{ Note | If packets are processed by Fast Path, then Fast Forward is not active. Packet count can be used as an indicator whether Fast Forward is active or not. }}<br />
<br />
Since RouterOS 6.44beta28 it is possible to monitor Fast Forward status, for example:<br />
<pre><br />
[admin@MikroTik] > /interface bridge monitor bridge1 <br />
state: enabled<br />
current-mac-address: D4:CA:6D:E1:B5:82<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
fast-forward: yes<br />
<br />
</pre><br />
<br />
{{ Warning | Disabling or enabling <var>fast-forward</var> will temporarily disable all bridge ports for settings to take effect. This must be taken into account whenever changing this property on production environments since it can cause all packets to be temporarily dropped. }}<br />
<br />
=IGMP Snooping=<br />
<br />
<p>IGMP Snooping, which controls multicast streams and prevents multicast flooding, is implemented in RouterOS starting from version 6.41.<br /><br />
Its settings are placed in the bridge menu and it works independently in every bridge interface.<br /><br />
Software driven implementation works on all devices with RouterOS but CRS1xx/2xx/3xx series switches also support IGMP Snooping with hardware offloading.</p><br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge mdb</code></p><br />
<br />
* Enabling IGMP Snooping on Bridge.<br />
<br />
<pre><br />
/interface bridge set bridge1 igmp-snooping=yes<br />
</pre><br />
<br />
* Monitoring multicast groups in the Bridge Multicast Database<br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge mdb print <br />
BRIDGE VID GROUP PORTS <br />
bridge1 200 229.1.1.2 ether3 <br />
ether2 <br />
ether1 <br />
bridge1 300 231.1.3.3 ether4 <br />
ether3 <br />
ether2 <br />
bridge1 400 229.10.10.4 ether4 <br />
ether3 <br />
bridge1 500 234.5.1.5 ether5 <br />
ether1 <br />
</pre><br />
<br />
* Monitoring ports that are connected to a multicast router<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor [f]<br />
interface: ether1 ether2<br />
status: in-bridge in-bridge<br />
port-number: 1 2<br />
role: designated-port designated-port<br />
edge-port: yes yes<br />
edge-port-discovery: yes yes<br />
point-to-point-port: yes yes<br />
external-fdb: no no<br />
sending-rstp: yes yes<br />
learning: yes yes<br />
forwarding: yes yes<br />
multicast-router: yes no<br />
</pre><br />
<br />
{{ Note | IGMP membership reports are only forwarded to ports that are connected to a multicast router or to another IGMP Snooping enabled bridge. If no port is marked as a <var>multicast-router</var> then IGMP membership reports will not be forwarded to any port. }}<br />
<br />
=DHCP Snooping and DHCP Option 82=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge port</code></p><br />
<br /><br />
Starting from RouterOS version 6.43, the bridge supports DHCP Snooping and DHCP Option 82. DHCP Snooping is a Layer2 security feature that limits unauthorized DHCP servers from providing malicious information to users. In RouterOS you can specify which bridge ports are trusted (where the known DHCP server resides and DHCP messages should be forwarded) and which are untrusted (usually used for access ports; received DHCP server messages will be dropped). DHCP Option 82 is additional information (Agent Circuit ID and Agent Remote ID) provided by DHCP Snooping enabled devices that allows identifying the device itself and DHCP clients.<br />
<br />
[[File:dhcp_snooping.png|700px|thumb|center|alt=Alt text|DHCP Snooping and Option 82 setup]]<br />
<br />
In this example, SW1 and SW2 are DHCP Snooping and Option 82 enabled devices. First, we need to create a bridge, assign interfaces and mark trusted ports. Use these commands on <b>SW1</b>:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1<br />
add bridge=bridge interface=ether2 trusted=yes<br />
</pre><br />
<br />
For SW2 the configuration will be similar, but we also need to mark ether1 as trusted, because this interface is going to receive DHCP messages with Option 82 already added. You need to mark all ports as trusted if they are going to receive DHCP messages with added Option 82, otherwise these messages will be dropped. Also, we add ether3 to the same bridge and leave this port untrusted; imagine there is an unauthorized (rogue) DHCP server behind it. Use these commands on <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1 trusted=yes<br />
add bridge=bridge interface=ether2 trusted=yes<br />
add bridge=bridge interface=ether3<br />
</pre><br />
<br />
Then we need to enable DHCP Snooping and Option 82. In case your DHCP server does not support DHCP Option 82 or you do not implement any Option 82 related policies, this option can be disabled. Use these commands on <b>SW1</b> and <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes<br />
</pre><br />
<br />
Now both devices will analyze what DHCP messages are received on bridge ports. <b>SW1</b> is responsible for adding and removing the DHCP Option 82. <b>SW2</b> will limit the rogue DHCP server from receiving any discovery messages and drop malicious DHCP server messages from ether3.<br />
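The trusted/untrusted decisions described above can be traced message by message. The following is an added example, not RouterOS code: a simplified Python model that parses the DHCP options of a message, applies the snooping rules as this section states them, and inserts Option 82 the way SW1 is described to. The port maps come from the SW1 and SW2 configuration above; the verdict names, helper functions, sample messages and the Circuit ID / Remote ID values are constructed for this example.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"      # magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2, 5, 6}              # DHCPOFFER, DHCPACK, DHCPNAK
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255

SW1_PORTS = {"ether1": False, "ether2": True}                 # name -> trusted
SW2_PORTS = {"ether1": True, "ether2": True, "ether3": False}


def walk_options(payload):
    """Yield (offset, code, value) for each DHCP option; END is yielded last."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            yield i, code, b""
            return
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        yield i, code, payload[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("missing END option")


def build_dhcp(msg_type, relay_info=None):
    """Constructed test message: zeroed BOOTP header plus the options modelled here."""
    op = 2 if msg_type in SERVER_TYPES else 1          # BOOTREPLY or BOOTREQUEST
    header = bytes([op, 1, 6, 0]) + bytes(232)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if relay_info is not None:
        options += bytes([OPT_RELAY_INFO, len(relay_info)]) + relay_info
    return header + DHCP_MAGIC + options + bytes([OPT_END])


def add_option82(payload, circuit_id, remote_id):
    """Insert Option 82 (sub-option 1 = Circuit ID, 2 = Remote ID) before END."""
    relay = (bytes([1, len(circuit_id)]) + circuit_id
             + bytes([2, len(remote_id)]) + remote_id)
    end = [off for off, code, _ in walk_options(payload) if code == OPT_END][0]
    return payload[:end] + bytes([OPT_RELAY_INFO, len(relay)]) + relay + payload[end:]


def snoop(ports, in_port, payload):
    """Return (verdict, egress ports) for a DHCP message received on in_port."""
    opts = {code: value for _, code, value in walk_options(payload)}
    if not opts.get(OPT_MSG_TYPE):
        raise ValueError("no DHCP message type")
    from_server = opts[OPT_MSG_TYPE][0] in SERVER_TYPES
    if not ports[in_port]:
        if from_server:
            return "drop-server-message", []   # rogue server on an untrusted port
        if OPT_RELAY_INFO in opts:
            return "drop-option82", []         # Option 82 is only accepted on trusted ports
    others = [p for p in ports if p != in_port]
    if from_server:
        return "forward", others               # modelled as normal bridge forwarding
    return "forward", [p for p in others if ports[p]]   # client messages go to trusted ports


if __name__ == "__main__":
    discover = build_dhcp(1)
    print("SW1 ether1 DISCOVER:", snoop(SW1_PORTS, "ether1", discover))
    relayed = add_option82(discover, b"ether1", bytes.fromhex("d4ca6d000001"))
    print("SW2 ether1 DISCOVER+82:", snoop(SW2_PORTS, "ether1", relayed))
    print("SW2 ether3 OFFER:", snoop(SW2_PORTS, "ether3", build_dhcp(2)))
```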
<br />
{{ Note | Currently only CRS3xx devices fully support hardware DHCP Snooping and Option 82. For CRS1xx and CRS2xx series switches it is possible to use DHCP Snooping along with VLAN switching, but then you must make sure that DHCP packets are sent out with the correct VLAN tag using egress ACL rules. Other devices are capable of using DHCP Snooping and Option 82 features along with hardware offloading, but you must make sure that there is no VLAN related configuration applied on the device, otherwise DHCP Snooping and Option 82 might not work properly. See [[ Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features.}}<br />
<br />
=Bridge Firewall=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter, /interface bridge nat</code></p><br />
<br /><br />
<p>The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge.</p><br />
<br />
<p>The [[Packet Flow | Packet flow diagram]] shows how packets are processed through the router. It is possible to force bridge traffic to go through <code>/ip firewall filter</code> rules (see: [[#Bridge Settings | Bridge Settings]])</p><br />
<br />
<p><br />
There are two bridge firewall tables:<br />
<br />
*'''filter''' - bridge firewall with three predefined chains:<br />
**'''input''' - filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)<br />
**'''output''' - filters packets, which come from the bridge (including those packets that have been routed normally)<br />
**'''forward''' - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)<br />
*'''nat''' - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:<br />
**'''srcnat''' - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface<br />
**'''dstnat''' - used for redirecting some packets to other destinations<br />
</p><br />
<br />
<p><br />
You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by <code>'/ip firewall mangle'</code>. In this way, packet marks put by bridge firewall can be used in 'IP firewall', and vice versa.<br />
</p><br />
<br />
<p><br />
General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.<br />
</p><br />
<br />
==Properties==<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-sap<br />
|type=integer<br />
|default=<br />
|desc=DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match a SAP byte.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-type<br />
|type=integer<br />
|default=<br />
|desc=Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=<br />
|desc= Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. Packet is not passed to next firewall rule<br />
* <var>drop</var> - silently drop the packet<br />
* <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter <br />
* <var>log</var> - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to <code>passthrough</code><br />
* <var>mark-packet</var> - place a mark specified by the new-packet-mark parameter on a packet that matches the rule<br />
* <var>passthrough</var> - if packet is matched by the rule, increase counter and go to next rule (useful for statistics)<br />
* <var>return</var> - passes control back to the chain from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP destination IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP destination MAC address<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-gratuitous<br />
|type=yes {{!}} no<br />
|default=<br />
|desc=Matches ARP gratuitous packets.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-hardware-type<br />
|type=integer<br />
|default=1<br />
|desc=ARP hardware type. This is normally Ethernet (Type 1).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-opcode<br />
|type=arp-nak {{!}} drarp-error {{!}} drarp-reply {{!}} drarp-request {{!}} inarp-reply {{!}} inarp-request {{!}} reply {{!}} reply-reverse {{!}} request {{!}} request-reverse<br />
|default=<br />
|desc=ARP opcode (packet type)<br />
* <var>arp-nak</var> - negative ARP reply (rarely used, mostly in ATM networks) <br />
* <var>drarp-error</var> - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated <br />
* <var>drarp-reply</var> - Dynamic RARP reply, with a temporary IP address assignment for a host <br />
* <var>drarp-request</var> - Dynamic RARP request to assign a temporary IP address for the given MAC address <br />
* <var>inarp-reply</var> - InverseARP Reply<br />
* <var>inarp-request</var> - InverseARP Request<br />
* <var>reply</var> - standard ARP reply with a MAC address <br />
* <var>reply-reverse</var> - reverse ARP (RARP) reply with an IP address assigned <br />
* <var>request</var> - standard ARP request to a known IP address to find out unknown MAC address <br />
* <var>request-reverse</var> - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-packet-type<br />
|type=integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=ARP Packet Type.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP source IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=chain<br />
|type=text<br />
|default=<br />
|desc=Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user-defined one).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-address<br />
|type=IP address<br />
|default=<br />
|desc=Destination IP address (only if MAC protocol is set to IP).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Destination port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-bridge<br />
|type=name<br />
|default=<br />
|desc=Bridge interface through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface<br />
|type=name<br />
|default=<br />
|desc=Physical interface (i.e., bridge port) through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>in-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-priority<br />
|type=integer 0..63<br />
|default=<br />
|desc=Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit. [[WMM | read more&#187;]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ip-protocol<br />
|type=dccp {{!}} ddp {{!}} egp {{!}} encap {{!}} etherip {{!}} ggp {{!}} gre {{!}} hmp {{!}} icmp {{!}} icmpv6 {{!}} idpr-cmtp {{!}} igmp {{!}} ipencap {{!}} ipip {{!}} ipsec-ah {{!}} ipsec-esp {{!}} ipv6 {{!}} ipv6-frag {{!}} ipv6-nonxt {{!}} ipv6-opts {{!}} ipv6-route {{!}} iso-tp4 {{!}} l2tp {{!}} ospf {{!}} pim {{!}} pup {{!}} rdp {{!}} rspf {{!}} rsvp {{!}} sctp {{!}} st {{!}} tcp {{!}} udp {{!}} udp-lite {{!}} vmtp {{!}} vrrp {{!}} xns-idp {{!}} xtp<br />
|default=<br />
|desc=IP protocol (only if MAC protocol is set to IPv4)<br />
* <var>dccp</var> - Datagram Congestion Control Protocol<br />
* <var>ddp</var> - Datagram Delivery Protocol<br />
* <var>egp</var> - Exterior Gateway Protocol<br />
* <var>encap</var> - Encapsulation Header<br />
* <var>etherip</var> - Ethernet-within-IP Encapsulation<br />
* <var>ggp</var> - Gateway-to-Gateway Protocol<br />
* <var>gre</var> - Generic Routing Encapsulation<br />
* <var>hmp</var> - Host Monitoring Protocol<br />
* <var>icmp</var> - IPv4 Internet Control Message Protocol<br />
* <var>icmpv6</var> - IPv6 Internet Control Message Protocol<br />
* <var>idpr-cmtp</var> - Inter-Domain Policy Routing Control Message Transport Protocol <br />
* <var>igmp</var> - Internet Group Management Protocol<br />
* <var>ipencap</var> - IP in IP (encapsulation)<br />
* <var>ipip</var> - IP-within-IP Encapsulation Protocol<br />
* <var>ipsec-ah</var> - IPsec Authentication Header<br />
* <var>ipsec-esp</var> - IPsec Encapsulating Security Payload<br />
* <var>ipv6</var> - Internet Protocol version 6<br />
* <var>ipv6-frag</var> - Fragment Header for IPv6<br />
* <var>ipv6-nonxt</var> - No Next Header for IPv6<br />
* <var>ipv6-opts</var> - Destination Options for IPv6<br />
* <var>ipv6-route</var> - Routing Header for IPv6<br />
* <var>iso-tp4</var> - ISO Transport Protocol Class 4<br />
* <var>l2tp</var> - Layer Two Tunneling Protocol<br />
* <var>ospf</var> - Open Shortest Path First<br />
* <var>pim</var> - Protocol Independent Multicast<br />
* <var>pup</var> - PARC Universal Packet<br />
* <var>rdp</var> - Reliable Data Protocol<br />
* <var>rspf</var> - Radio Shortest Path First<br />
* <var>rsvp</var> - Reservation Protocol<br />
* <var>sctp</var> - Stream Control Transmission Protocol<br />
* <var>st</var> - Internet Stream Protocol<br />
* <var>tcp</var> - Transmission Control Protocol<br />
* <var>udp</var> - User Datagram Protocol<br />
* <var>udp-lite</var> - Lightweight User Datagram Protocol<br />
* <var>vmtp</var> - Versatile Message Transaction Protocol<br />
* <var>vrrp</var> - Virtual Router Redundancy Protocol<br />
* <var>xns-idp</var> - Xerox Network Systems Internet Datagram Protocol<br />
* <var>xtp</var> - Xpress Transport Protocol<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=jump-target<br />
|type=name<br />
|default=<br />
|desc=If <code>action=jump</code> specified, then specifies the user-defined firewall chain to process the packet.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit<br />
|type=integer/time,integer<br />
|default=<br />
|desc=Restricts packet match rate to a given limit.<br />
* <var>count</var> - maximum average packet rate, measured in packets per second (pps), unless followed by Time option <br />
* <var>time</var> - specifies the time interval over which the packet rate is measured <br />
* <var>burst</var> - number of packets to match in a burst<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=log-prefix<br />
|type=text<br />
|default=<br />
|desc=Defines the prefix to be printed before the logging information.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-protocol<br />
|type=802.2 {{!}} arp {{!}} homeplug-av {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} lldp {{!}} loop-protect {{!}} mpls-multicast {{!}} mpls-unicast {{!}} packing-compr {{!}} packing-simple {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} service-vlan {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Ethernet payload type (MAC-level protocol). To match protocol type for VLAN encapsulated frames (0x8100 or 0x88a8), a <var>vlan-encap</var> property should be used.<br />
* <var>802.2</var> - 802.2 Frames (0x0004)<br />
* <var>arp</var> - Address Resolution Protocol (0x0806)<br />
* <var>homeplug-av</var> - HomePlug AV MME (0x88E1)<br />
* <var>ip</var> - Internet Protocol version 4 (0x0800)<br />
* <var>ipv6</var> - Internet Protocol Version 6 (0x86DD)<br />
* <var>ipx</var> - Internetwork Packet Exchange (0x8137)<br />
* <var>length</var> - Packets with length field (0x0000-0x05DC)<br />
* <var>lldp</var> - Link Layer Discovery Protocol (0x88CC)<br />
* <var>loop-protect</var> - Loop Protect Protocol (0x9003)<br />
* <var>mpls-multicast</var> - MPLS multicast (0x8848)<br />
* <var>mpls-unicast</var> - MPLS unicast (0x8847)<br />
* <var>packing-compr</var> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001)<br />
* <var>packing-simple</var> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000)<br />
* <var>pppoe</var> - PPPoE Session Stage (0x8864)<br />
* <var>pppoe-discovery</var> - PPPoE Discovery Stage (0x8863)<br />
* <var>rarp</var> - Reverse Address Resolution Protocol (0x8035)<br />
* <var>service-vlan</var> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8) <br />
* <var>vlan</var> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-bridge<br />
|type=name<br />
|default=<br />
|desc=Outgoing bridge interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface<br />
|type=name<br />
|default=<br />
|desc=Interface that the packet is leaving the bridge through.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>out-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-mark<br />
|type=name<br />
|default=<br />
|desc=Match packets with certain packet mark.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-type<br />
|type=broadcast {{!}} host {{!}} multicast {{!}} other-host<br />
|default=<br />
|desc=MAC frame type:<br />
* <var>broadcast</var> - broadcast MAC packet <br />
* <var>host</var> - packet is destined to the bridge itself <br />
* <var>multicast</var> - multicast MAC packet <br />
* <var>other-host</var> - packet is destined to some other unicast address, not to the bridge itself<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-address<br />
|type=IP address<br />
|default=<br />
|desc=Source IP address (only if MAC protocol is set to IPv4).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Source port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-flags<br />
|type=topology-change {{!}} topology-change-ack<br />
|default=<br />
|desc=The BPDU (Bridge Protocol Data Unit) flags. Bridges periodically exchange configuration messages, named BPDUs, to prevent loops<br />
* <var>topology-change</var> - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology <br />
* <var>topology-change-ack</var> - topology change acknowledgement flag is sent in replies to the notification packets <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-forward-delay<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Forward delay timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-hello-time<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP hello packets time.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-max-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Maximal STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-msg-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP port identifier.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-address<br />
|type=MAC address<br />
|default=<br />
|desc=Root bridge MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-cost<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge cost.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-address<br />
|type=MAC address<br />
|default=<br />
|desc=STP message sender MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP sender priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-type<br />
|type=config {{!}} tcn<br />
|default=<br />
|desc=The BPDU type:<br />
* <var>config</var> - configuration BPDU <br />
* <var>tcn</var> - topology change notification<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-host<br />
|type=string<br />
|default=<br />
|desc=Allows matching HTTPS traffic based on the TLS SNI hostname. Accepts [https://en.wikipedia.org/wiki/Glob_(programming) GLOB syntax] for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-encap<br />
|type=802.2 {{!}} arp {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} mpls-multicast {{!}} mpls-unicast {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Matches the MAC protocol type encapsulated in the VLAN frame.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-id<br />
|type=integer 0..4095<br />
|default=<br />
|desc=Matches the VLAN identifier field.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-priority<br />
|type=integer 0..7<br />
|default=<br />
|desc=Matches the VLAN priority<br />
}}<br />
<br />
<br />
<h3>Notes</h3><br />
<br />
*STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also <code>stp</code> should be enabled.<br />
<br />
*ARP matchers are only valid if <var>mac-protocol</var> is <code>arp</code> or <code>rarp</code><br />
<br />
*VLAN matchers are only valid for <code>0x8100</code> or <code>0x88a8</code> ethernet protocols<br />
<br />
*IP or IPv6 related matchers are only valid if <var>mac-protocol</var> is either set to <code>ip</code> or <code>ipv6</code><br />
<br />
*802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards ('''note''': it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.<br />
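The preconditions in these notes can be checked mechanically when auditing a bridge firewall export. The Python sketch below is an added example, not MikroTik code: it flags rules whose matchers fall outside the contexts the notes call valid, and it assumes one <code>add ...</code> rule per line in <code>key=value</code> form; the finding codes and the sample rules are constructed for illustration.

```python
import shlex

# EtherType values taken from the mac-protocol table on this page.
ETHERTYPES = {"arp": 0x0806, "rarp": 0x8035, "ip": 0x0800, "ipv6": 0x86DD,
              "vlan": 0x8100, "service-vlan": 0x88A8}
STP_GROUP_ADDRESS = "01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff"
IP_MATCHERS = {"src-address", "dst-address", "ip-protocol", "src-port", "dst-port"}
VLAN_MATCHERS = {"vlan-id", "vlan-priority", "vlan-encap"}


def parse_rule(line):
    """Turn 'add chain=forward mac-protocol=arp ...' into a dict of properties."""
    props = {}
    for token in shlex.split(line):          # shlex keeps quoted comments together
        key, sep, value = token.partition("=")
        if sep:
            props[key] = value
    return props


def ethertype(value):
    """Resolve a mac-protocol value (name, decimal or hex) to an int, else None."""
    if value is None or value.startswith("!"):
        return None                          # absent or negated: not a positive match
    if value in ETHERTYPES:
        return ETHERTYPES[value]
    try:
        return int(value, 0)
    except ValueError:
        return None


def lint_rule(props):
    """Return (finding-code, matchers) pairs for matchers used outside the
    contexts listed in the Notes. Whether STP is enabled on the bridge is not
    visible in a filter rule, so that condition is not checked here."""
    findings = []
    used = set(props)
    proto = ethertype(props.get("mac-protocol"))

    arp = sorted(k for k in used if k.startswith("arp-"))
    if arp and proto not in (ETHERTYPES["arp"], ETHERTYPES["rarp"]):
        findings.append(("arp-needs-arp-or-rarp", arp))

    stp = sorted(k for k in used if k.startswith("stp-"))
    if stp and props.get("dst-mac-address", "").lower() != STP_GROUP_ADDRESS:
        findings.append(("stp-needs-bridge-group-address", stp))

    vlan = sorted(VLAN_MATCHERS & used)
    if vlan and proto not in (ETHERTYPES["vlan"], ETHERTYPES["service-vlan"]):
        findings.append(("vlan-needs-0x8100-or-0x88a8", vlan))

    ip = sorted(IP_MATCHERS & used)
    if ip and proto not in (ETHERTYPES["ip"], ETHERTYPES["ipv6"]):
        findings.append(("ip-needs-ip-or-ipv6", ip))

    # Port matchers are documented as "only for TCP or UDP protocols".
    ports = sorted({"src-port", "dst-port"} & used)
    if ports and props.get("ip-protocol") not in ("tcp", "udp"):
        findings.append(("port-needs-tcp-or-udp", ports))
    return findings


def lint_config(text):
    """Map 1-based line number -> findings, for every rule that has findings."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("add "):
            findings = lint_rule(parse_rule(line))
            if findings:
                report[number] = findings
    return report


# Constructed sample export (not taken from a real device).
SAMPLE_EXPORT = """\
/interface bridge filter
add action=drop chain=forward mac-protocol=ip arp-src-address=192.0.2.1
add action=drop chain=forward mac-protocol=arp arp-src-address=192.0.2.1
add action=drop chain=input stp-type=tcn
add action=drop chain=input dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF stp-type=tcn
add action=drop chain=forward mac-protocol=ip vlan-id=10
add action=drop chain=forward mac-protocol=0x8100 vlan-id=10 vlan-encap=ip
add action=drop chain=forward mac-protocol=ip dst-port=23
add action=accept chain=forward mac-protocol=ip ip-protocol=tcp dst-port=22 comment="mgmt ssh"
"""

if __name__ == "__main__":
    for number, findings in lint_config(SAMPLE_EXPORT).items():
        for code, matchers in findings:
            print(f"line {number}: {code}: {', '.join(matchers)}")
```
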
<br />
==Bridge Packet Filter==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter</code></p><br />
<br /><br />
<p>This section describes filtering options that are specific to <code>'/interface bridge filter'</code>.</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - add a message to the system log containing the following data: in-interface, out-interface, src-mac, dst-mac, eth-proto, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched, it is passed to the next rule in the list, similar to passthrough<br />
* <var>mark-packet</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
==Bridge NAT==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge nat</code></p><br />
<br /><br />
<p>This section describes bridge NAT options that are specific to <code>'/interface bridge nat'</code>.</p><br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} mark-packet {{!}} redirect {{!}} set-priority {{!}} arp-reply {{!}} dst-nat {{!}} log {{!}} passthrough {{!}} return {{!}} src-nat<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule:<br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>arp-reply</var> - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain) <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>dst-nat</var> - change destination MAC address of a packet (only valid in dstnat chain) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - log the packet <br />
* <var>mark-packet</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>redirect</var> - redirect the packet to the bridge itself (only valid in dstnat chain) <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
* <var>src-nat</var> - change source MAC address of a packet (only valid in srcnat chain) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-arp-reply-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frame and ARP payload, when <code>action=arp-reply</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address to put in Ethernet frames, when <code>action=dst-nat</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=to-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frames, when <code>action=src-nat</code> is selected<br />
}}<br />
<br />
=See also=<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | Switch chip features]]<br />
* [[M:Maximum_Transmission_Unit_on_RouterBoards | MTU on RouterBOARD]]<br />
* [[Manual:Layer2_misconfiguration | Layer2 misconfiguration]]<br />
* [[Manual:Bridge_VLAN_Table | Bridge VLAN Table]]<br />
* [[Manual:Wireless VLAN Trunk | Wireless VLAN Trunk]]<br />
* [[Manual:VLANs_on_Wireless | VLANs on Wireless]]<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|B]]<br />
[[Category:Interface|B]]<br />
[[Category:Bridging and switching]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Interface/Bridge&diff=34172Manual:Interface/Bridge2020-08-17T06:42:39Z<p>Guntis: /* Bridge Port Monitoring */ port-number</p>
<hr />
<div>{{Versions| v3, v4+}}<br />
<br />
=Summary=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code><br />
<br /><br />
<b>Standards:</b> <code>[https://en.wikipedia.org/wiki/IEEE_802.1D IEEE 802.1D] , [https://en.wikipedia.org/wiki/IEEE_802.1Q IEEE 802.1Q]</code><br />
</p><br />
<br /><br />
<br />
<p><br />
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE 802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).<br />
</p><br />
<br />
<p><br />
Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allow bridges to communicate with each other, so they can negotiate a loop-free topology. All other alternative connections that would otherwise form loops are put on standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID.<br />
</p><br />
<br />
=Bridge Interface Setup=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code></p><br />
<br /><br />
<p>To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the MAC address of first bridge port which comes up will be chosen automatically).</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=add-dhcp-option82<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether to add DHCP Option-82 information (Agent Remote ID and Agent Circuit ID) to DHCP packets. Can be used together with Option-82 capable DHCP server to assign IP addresses and implement policies. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=admin-mac<br />
|type=MAC address<br />
|default=none<br />
|desc=Static MAC address of the bridge. This property only has effect when <var>auto-mac</var> is set to <code>no</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ageing-time<br />
|type=time<br />
|default=00:05:00<br />
|desc=How long a host's information will be kept in the bridge database.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp<br />
|type=disabled {{!}} enabled {{!}} proxy-arp {{!}} reply-only<br />
|default=enabled<br />
|desc=Address Resolution Protocol setting<br />
* <code>disabled</code> - the interface will not use ARP<br />
* <code>enabled</code> - the interface will use ARP<br />
* <code>proxy-arp</code> - the interface will use the ARP proxy feature<br />
* <code>reply-only</code> - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the [[Manual:IP/ARP | IP/ARP]] table. No dynamic entries will be automatically stored in the [[Manual:IP/ARP | IP/ARP]] table. Therefore for communications to be successful, a valid static entry must already exist.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-timeout<br />
|type= auto {{!}} integer<br />
|default=auto<br />
|desc=How long an ARP record is kept in the ARP table after no packets are received from the IP. Value <code>auto</code> equals the value of <var>arp-timeout</var> in [[Manual:IP/Settings | IP/Settings]], default is 30s.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-mac<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Automatically select one MAC address of bridge ports as a bridge MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dhcp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables DHCP Snooping on the bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type= yes {{!}} no<br />
|default=no<br />
|desc=Changes whether the bridge is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ether-type<br />
|type=0x9100 {{!}} 0x8100 {{!}} 0x88a8<br />
|default=0x8100<br />
|desc=Changes the EtherType, which will be used to determine if a packet has a VLAN tag. Packets that have a matching EtherType are considered as tagged packets. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-forward<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Special and faster case of [[Manual:Fast_Path | FastPath]] which works only on bridges with 2 interfaces (enabled by default only for new bridges). More details can be found in the [[ Manual:Interface/Bridge#Fast_Forward | Fast Forward]] section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=forward-delay<br />
|type=time<br />
|default=00:00:15<br />
|desc=Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-snooping<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables multicast group and port learning to prevent multicast traffic from flooding all interfaces in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=igmp-version<br />
|type=2 {{!}} 3<br />
|default=2<br />
|desc=Selects the IGMP version in which IGMP general membership queries will be generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. By default, VLANs that don't exist in the bridge VLAN table are dropped before they are sent out (egress), but this property allows you to drop the packets when they are received (ingress). Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=l2mtu<br />
|type=read-only<br />
|default=<br />
|desc=L2MTU indicates the maximum size of the frame without MAC header that can be sent by this interface. The L2MTU value will be automatically set by the bridge and it will use the lowest L2MTU value of any associated bridge port. This value cannot be manually changed.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-interval<br />
|type=time<br />
|default=1s<br />
|desc=If a port has <var>fast-leave</var> set to <code>no</code> and a bridge port receives an IGMP Leave message, then an IGMP Snooping enabled bridge will send an IGMP query to make sure that no devices have subscribed to a certain multicast stream on a bridge port. If an IGMP Snooping enabled bridge does not receive an IGMP membership report within <var>last-member-interval</var>, then the bridge considers that no one has subscribed to a certain multicast stream and can stop forwarding it. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=last-member-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=How many times <var>last-member-interval</var> should pass until an IGMP Snooping bridge stops forwarding a certain multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-hops<br />
|type=integer: 6..40<br />
|default=20<br />
|desc=Number of bridges a BPDU can pass through in an MSTP enabled network in the same region before the BPDU is ignored. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-message-age<br />
|type=time<br />
|default=00:00:20<br />
|desc=How long to remember Hello messages received from other STP/RSTP enabled bridges. This property only has effect when <var>protocol-mode</var> is set to <code>stp</code> or <code>rstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=membership-interval<br />
|type=time<br />
|default=4m20s<br />
|desc=Amount of time after which an entry in the Multicast Database (MDB) is removed if an IGMP membership report is not received on a certain port. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mld-version<br />
|type=1 {{!}} 2<br />
|default=1<br />
|desc=Selects the MLD version. Version 2 adds support for source-specific multicast. This property only has effect when RouterOS IPv6 package is enabled and <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mtu<br />
|type=integer<br />
|default=auto<br />
|desc=Maximum transmission unit. By default, the bridge will set the MTU automatically and it will use the lowest MTU value of any associated bridge port. The default bridge MTU value without any bridge ports added is 1500. The MTU value can be set manually, but it cannot exceed the bridge L2MTU or the lowest bridge port L2MTU. If a new bridge port is added with an L2MTU which is smaller than the actual-mtu of the bridge (set by the <var>mtu</var> property), then the manually set value will be ignored and the bridge will act as if <code>mtu=auto</code> is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-querier<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=A multicast querier generates IGMP general membership queries to which all IGMP capable devices respond with an IGMP membership report; usually a PIM (multicast) router generates these queries. By using this property you can make an IGMP Snooping enabled bridge generate IGMP general membership queries. This property should be used whenever there is no PIM (multicast) router in a Layer2 network or IGMP packets must be sent through multiple IGMP Snooping enabled bridges to reach a PIM (multicast) router. Without a multicast querier in a Layer2 network the Multicast Database (MDB) is not updated and IGMP Snooping will not function properly. Only untagged IGMP general membership queries are generated. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>. Additionally, <var>igmp-snooping</var> should be disabled/enabled after changing the <var>multicast-querier</var> property.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes whether IGMP membership reports are forwarded to the bridge itself. This property can be used to forward IGMP membership reports to the bridge for statistics or to analyse them.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded to the bridge itself regardless of what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded through the bridge itself regardless of what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=text<br />
|default=bridgeN<br />
|desc=Name of the bridge interface<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..65535 decimal format or 0x0000-0xffff hex format<br />
|default=32768 / 0x8000<br />
|desc=Bridge priority, used by STP to determine root bridge, used by MSTP to determine CIST and IST regional root bridge. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=protocol-mode<br />
|type=none {{!}} rstp {{!}} stp {{!}} mstp<br />
|default=rstp<br />
|desc=Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a topology change. Select MSTP to ensure loop-free topology across multiple VLANs. Since RouterOS v6.43 it is possible to forward Reserved MAC addresses that are in '''01:80:C2:00:00:0X''' range, this can be done by setting the <var>protocol-mode</var> to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer: 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. It applies e.g. to frames sent from bridge IP and destined to a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=querier-interval<br />
|type=time<br />
|default=4m15s<br />
|desc=Used to change the interval how often a bridge checks if it is the active multicast querier. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-interval<br />
|type=time<br />
|default=2m5s<br />
|desc=Used to change the interval how often IGMP general membership queries are sent out. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-response-interval<br />
|type=time<br />
|default=10s<br />
|desc=Interval in which an IGMP capable device must reply to an IGMP query with an IGMP membership report. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-name<br />
|type=text<br />
|default=<br />
|desc=MSTP region name. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=region-revision<br />
|type=integer: 0..65535<br />
|default=0<br />
|desc=MSTP configuration revision number. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-count<br />
|type=integer: 0..4294967295<br />
|default=2<br />
|desc=Specifies how many times must <var>startup-query-interval</var> pass until the bridge starts sending out IGMP general membership queries periodically. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=startup-query-interval<br />
|type=time<br />
|default=31s250ms<br />
|desc=Used to change the amount of time after which a bridge starts sending out IGMP general membership queries once the bridge is enabled. This property only has effect when <var>igmp-snooping</var> and <var>multicast-querier</var> are set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=transmit-hold-count<br />
|type=integer: 1..10<br />
|default=6<br />
|desc=The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Globally enables or disables VLAN functionality for bridge.<br />
}}<br />
<br /><br />
<br />
{{ Warning | Changing certain properties can cause the bridge to temporarily disable all ports. This must be taken into account whenever changing such properties on production environments since it can cause all packets to be temporarily dropped. Such properties include <var>vlan-filtering</var>, <var>protocol-mode</var>, <var>igmp-snooping</var>, <var>fast-forward</var> and others. }}<br />
<br />
<br />
==Example==<br />
<br />
<p>To add and enable a bridge interface that will forward all the protocols:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> add <br />
[admin@MikroTik] /interface bridge> print <br />
Flags: X - disabled, R - running <br />
0 R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled <br />
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 <br />
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s <br />
forward-delay=15s transmit-hold-count=6 ageing-time=5m <br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Spanning Tree Protocol=<br />
<br />
RouterOS bridge interfaces are capable of running Spanning Tree Protocol to ensure a loop-free and redundant topology. For small networks with just 2 bridges STP does not bring much benefit, but for larger networks a properly configured STP is crucial. Leaving STP related values at their defaults may result in a completely unreachable network in case of even a single bridge failure. To achieve a proper loop-free and redundant topology, it is necessary to properly set bridge priorities, port path costs and port priorities. <br />
<br />
{{ Warning | In RouterOS it is possible to set any value for bridge priority between 0 and 65535, but the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can cause incompatibility issues with devices that do not support such values. To avoid compatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 }}<br />
<br />
STP has multiple variants; currently RouterOS supports STP, RSTP and MSTP. Depending on needs, any one of them can be used. Some devices are able to run some of these protocols using hardware offloading; detailed information about which devices support it can be found in the [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Hardware Offloading ]] section. STP is considered to be outdated and slow; it has been almost entirely replaced in all network topologies by RSTP, which is backwards compatible with STP. For network topologies that depend on VLANs, it is recommended to use MSTP since it is a VLAN aware protocol and gives the ability to do load balancing per VLAN group. There are a lot of considerations that should be made when designing an STP enabled network; more detailed case studies can be found in the [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol ]] section. In RouterOS the <var>protocol-mode</var> property controls which STP variant is used.<br />
<br />
{{ Note | By the IEEE 802.1ad standard the BPDUs from bridges that comply with IEEE 802.1Q are not compatible with IEEE 802.1ad bridges, this means that the same bridge VLAN protocol should be used across all bridges in a single Layer2 domain, otherwise (R/M)STP will not function properly. }}<br />
<br />
== Per port STP ==<br />
There might be certain situations where you want to limit STP functionality on a single or multiple ports. Below you can find some examples for different use cases.<br />
<br />
{{ Warning | Be careful when changing the default (R/M)STP functionality, make sure you understand the working principles of STP and BPDUs. Misconfigured (R/M)STP can cause unexpected behaviour. }}<br />
<br />
* Don't send out BPDUs from a certain port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
/interface bridge filter<br />
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether1<br />
</pre><br />
<br />
In this example BPDUs will not be sent out through '''ether1'''. If the bridge is the root bridge, then loop detection will not work on this port. If another bridge is connected to '''ether1''', then the other bridge will not receive any BPDUs and therefore might become a second root bridge. You might want to consider blocking received BPDUs as well.<br />
<br />
{{ Note | You can use [[ Manual:Interface/List | Interface Lists]] to specify multiple interfaces. }}<br />
<br />
* Dropping received BPDUs on a certain port can be done on some switch chips using ACL rules, but the Bridge Filter Input rules cannot do it if the bridge has STP/RSTP/MSTP enabled, because then received BPDUs get special processing in the bridge.<br />
<br />
On CRS3xx:<br />
<pre><br />
/interface ethernet switch rule<br />
add dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether1 switch=switch1<br />
</pre><br />
<br />
Or on CRS1xx/CRS2xx with [[Manual:CRS1xx/2xx_series_switches#Cloud_Router_Switch_models | Access Control List (ACL) support]]:<br />
<pre><br />
/interface ethernet switch acl<br />
add action=drop mac-dst-address=01:80:C2:00:00:00 src-ports=ether1<br />
</pre><br />
<br />
In this example all received BPDUs on '''ether1''' are dropped. This will prevent other bridges on that port from becoming a root bridge.<br />
<br />
{{ Warning | If you intend to drop received BPDUs on a port, then make sure to prevent BPDUs from being sent out from the interface that this port is connected to. A root bridge always sends out BPDUs and under normal conditions is waiting for a more superior BPDU (from a bridge with a lower bridge ID), but the bridge must temporarily disable the new root-port when transitioning from a root bridge to designated bridge. If you have blocked BPDUs only on one side, then a port will flap continuously. }}<br />
<br />
* Don't allow BPDUs on a port<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether1 bpdu-guard=yes<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether3<br />
</pre><br />
<br />
In this example if '''ether1''' receives a BPDU, it will block the port and will require you to manually re-enable it.<br />
<br />
=Bridge Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge settings</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing ([[Manual:Packet_Flow_v6 | Packet Flow]]). This does not apply to routed traffic. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to traffic in a bridge. Property <var>use-ip-firewall-for-vlan</var> is required in case bridge <var>vlan-filtering</var> is used.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-pppoe<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged un-encrypted PPPoE traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to PPPoE traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ip-firewall-for-vlan<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Send bridged VLAN traffic to also be processed by [[Manual:IP/Firewall | IP/Firewall]]. This property only has effect when <var>use-ip-firewall</var> is set to <code>yes</code>. This property is required in case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Tree]] to VLAN traffic in a bridge.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-fast-path<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Whether to enable a bridge [[Manual:Fast_Path | FastPath]] globally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-active<br />
|type=yes {{!}} no<br />
|default=''<br />
|desc=Shows whether a bridge FastPath is active globally, FastPath status per bridge interface is not displayed. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge FastPath.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-path-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Path.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge-fast-forward-packets<br />
|type=integer<br />
|default=''<br />
|desc=Shows packet count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=bridge-fast-forward-bytes<br />
|type=integer<br />
|default=''<br />
|desc=Shows byte count forwarded by Bridge Fast Forward.<br />
}}<br />
<br />
{{ Note | In case you want to assign [[Manual:Queue#Simple_Queues | Simple Queues]] (Simple QoS) or global [[ Manual:Queue#Queue_Tree | Queue Trees]] to traffic that is being forwarded by a bridge, then you need to enable the <var>use-ip-firewall</var> property. Without using this property the bridge traffic will never reach the postrouting chain, [[Manual:Queue#Simple_Queues | Simple Queues]] and global [[ Manual:Queue#Queue_Tree | Queue Trees]] are working in the postrouting chain. To assign [[Manual:Queue#Simple_Queues | Simple Queues]] or global [[ Manual:Queue#Queue_Tree | Queue Trees]] for VLAN or PPPoE traffic in a bridge you should enable appropriate properties as well. }}<br />
<br />
=Port Settings=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port</code></p><br />
<br /><br />
<p>Port submenu is used to enslave interfaces in a particular bridge interface.</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=auto-isolate<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, prevents a port moving from discarding into forwarding state if no BPDUs are received from the neighboring bridge. The port will change into a forwarding state only when a BPDU is received. This property only has an effect when <var>protocol-mode</var> is set to <code>rstp</code> or <code>mstp</code> and <var>edge</var> is set to <code>no</code>. <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bpdu-guard<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables BPDU Guard feature on a port. This feature puts the port in a disabled role if it receives a BPDU and requires the port to be manually disabled and enabled if a BPDU was received. Should be used to prevent a bridge from BPDU related attacks. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface the respective interface is grouped in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=broadcast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods broadcast traffic to all bridge egress ports. When disabled, drops broadcast traffic on egress ports. Can be used to filter all broadcast traffic on an egress port. Broadcast traffic is considered as traffic that uses '''FF:FF:FF:FF:FF:FF''' as destination MAC address, such traffic is crucial for many protocols such as DHCP, ARP, NDP, BOOTP (Netinstall) and others. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=edge<br />
|type=auto {{!}} no {{!}} no-discover {{!}} yes {{!}} yes-discover<br />
|default=auto<br />
|desc=Set port as edge port or non-edge port, or enable edge discovery. Edge ports are connected to a LAN that has no other bridges attached. An edge port will skip the learning and the listening states in STP and will transition directly to the forwarding state, this reduces the STP initialization time. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
* <code>no</code> - non-edge port, will participate in learning and listening states in STP.<br />
* <code>no-discover</code> - non-edge port with enabled discovery, will participate in learning and listening states in STP, a port can become edge port if no BPDU is received.<br />
* <code>yes</code> - edge port without discovery, will transit directly to forwarding state.<br />
* <code>yes-discover</code> - edge port with enabled discovery, will transit directly to forwarding state.<br />
* <code>auto</code> - same as <code>no-discover</code>, but will additionally detect if bridge port is a Wireless interface with disabled bridge-mode, such interface will be automatically set as an edge port without discovery.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=external-fdb<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Whether to use wireless registration table to speed up bridge host learning. If there are no Wireless interfaces in a bridge, then setting <var>external-fdb</var> to <code>yes</code> will disable MAC learning and the bridge will act as a hub (disables hardware offloading). Replaced with <var>learn</var> parameter in RouterOS v6.42<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=fast-leave<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables IGMP Fast leave feature on the port. Bridge will stop forwarding traffic to a bridge port whenever an IGMP Leave message is received for the appropriate multicast stream. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=frame-types<br />
|type=admit-all {{!}} admit-only-untagged-and-priority-tagged {{!}} admit-only-vlan-tagged<br />
|default=admit-all<br />
|desc=Specifies allowed ingress frame types on a bridge port. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-filtering<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables VLAN ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the bridge VLAN table. Should be used with <var>frame-types</var> to specify if the ingress traffic should be tagged or untagged. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=learn<br />
|type=auto {{!}} no {{!}} yes<br />
|default=auto<br />
|desc=Changes MAC learning behaviour on a bridge port<br />
* <code>yes</code> - enables MAC learning<br />
* <code>no</code> - disables MAC learning<br />
* <code>auto</code> - detects if bridge port is a Wireless interface and uses Wireless registration table instead of MAC learning, will use Wireless registration table if the [[Manual:Interface/Wireless | Wireless interface]] is set to one of <var>ap-bridge,bridge,wds-slave</var> mode and bridge mode for the [[Manual:Interface/Wireless | Wireless interface]] is disabled.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=multicast-router<br />
|type=disabled {{!}} permanent {{!}} temporary-query<br />
|default=temporary-query<br />
|desc=Changes the state of a bridge port whether IGMP membership reports are going to be forwarded to this port. By default IGMP membership reports (most importantly IGMP Join messages) are only forwarded to ports that have a multicast router or an IGMP Snooping enabled bridge connected to them. Without at least one port marked as a <code>multicast-router</code> IPTV might not work properly, it can be either detected automatically or forced manually.<br />
* <code>disabled</code> - IGMP membership reports are not forwarded through this port regardless of what is connected to it.<br />
* <code>permanent</code> - IGMP membership reports are forwarded through this port regardless of what is connected to it.<br />
* <code>temporary-query</code> - automatically detect multicast routers and IGMP Snooping enabled bridges.<br />
You can improve security by forcing ports that have IPTV boxes connected to never become ports marked as <code>multicast-router</code>. This property only has effect when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=horizon<br />
|type=integer 0..429496729<br />
|default=none<br />
|desc=Use split horizon bridging to prevent bridging loops. Set the same value for group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading. Read more about [[MPLSVPLS#Split_horizon_bridging | Bridge split horizon]].<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=internal-path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface for MSTI0 inside a region. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=path-cost<br />
|type=integer: 0..4294967295<br />
|default=10<br />
|desc=Path cost to the interface, used by STP to determine the "best" path, used by MSTP to determine "best" path between regions. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=point-to-point<br />
|type=auto {{!}} yes {{!}} no<br />
|default=auto<br />
|desc=Specifies if a bridge port is connected to a bridge using a point-to-point link for faster convergence in case of failure. By setting this property to <code>yes</code>, you are forcing the link to be a point-to-point link, which will skip the checking mechanism that detects and waits for BPDUs from other devices on this single link. By setting this property to <code>no</code>, you are expecting that a link can receive BPDUs from multiple devices. By setting the property to <code>yes</code>, you are significantly improving (R/M)STP convergence time. In general, you should only set this property to <code>no</code> if it is possible that another device can be connected between a link, this is mostly relevant to Wireless mediums and Ethernet hubs. If the Ethernet link is full-duplex, <code>auto</code> enables point-to-point functionality. This property has no effect when <var>protocol-mode</var> is set to <code>none</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=priority<br />
|type=integer: 0..240<br />
|default=128<br />
|desc=The priority of the interface, used by STP to determine the root port, used by MSTP to determine root port between regions.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=pvid<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-role<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enable the restricted role on a port, used by STP to forbid a port becoming a root port. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=restricted-tcn<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disable topology change notification (TCN) sending on a port, used by STP to forbid network topology changes to propagate. This property only has effect when <var>protocol-mode</var> is set to <code>mstp</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tag-stacking<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Forces all packets to be treated as untagged packets. Packets on ingress port will be tagged with another VLAN tag regardless if a VLAN tag already exists, packets will be tagged with a VLAN ID that matches the <var>pvid</var> value and will use EtherType that is specified in <var>ether-type</var>. This property only has effect when <var>vlan-filtering</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=trusted<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=When enabled, allows DHCP packets to be forwarded towards the DHCP server through this port. Mainly used to prevent unauthorized servers from providing malicious information to users. This property only has effect when <var>dhcp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=unknown-multicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown multicast traffic to all bridge egress ports. When disabled, drops unknown multicast traffic on egress ports. Multicast addresses that are in <code>/interface bridge mdb</code> are considered as learned multicasts and therefore will not be flooded to all ports. Without IGMP Snooping all multicast traffic will be dropped on egress ports. Has effect only on an egress port. This option does not limit traffic flood to the CPU. Note that local multicast addresses (224.0.0.0/24) are not flooded when <var>unknown-multicast-flood</var> is disabled, as a result some protocols that rely on local multicast addresses might not work properly, such protocols are RIPv2, OSPF, mDNS, VRRP and others. Some protocols do send an IGMP join request and therefore are compatible with IGMP Snooping, some OSPF implementations are compatible with RFC1584, RouterOS OSPF implementation is not compatible with IGMP Snooping. This property should only be used when <var>igmp-snooping</var> is set to <code>yes</code>.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=unknown-unicast-flood<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=When enabled, bridge floods unknown unicast traffic to all bridge egress ports. When disabled, drops unknown unicast traffic on egress ports. If a MAC address is not learned in <code>/interface bridge host</code>, then the traffic is considered as unknown unicast traffic and will be flooded to all ports. MAC address is learnt as soon as a packet on a bridge port is received, then the source MAC address is added to the bridge host table. Since it is required for the bridge to receive at least one packet on the bridge port to learn the MAC address, it is recommended to use static bridge host entries to avoid packets being dropped until the MAC address has been learnt. Has effect only on an egress port. This option does not limit traffic flood to the CPU.<br />
}}<br />
<br />
==Example==<br />
<br />
<p>To group <b>ether1</b> and <b>ether2</b> in the already created <b>bridge1</b> bridge</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1<br />
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2<br />
[admin@MikroTik] /interface bridge port> print <br />
Flags: X - disabled, I - inactive, D - dynamic <br />
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON <br />
0 ether1 bridge1 0x80 10 none <br />
1 ether2 bridge1 0x80 10 none <br />
[admin@MikroTik] /interface bridge port> <br />
</pre><br />
<br />
=Interface lists=<br />
Starting with RouterOS v6.41 it is possible to add interface lists as a bridge port and sort them. Interface lists are useful for creating simpler firewall rules, you can read more about interface lists at the [[Manual:Interface/List | Interface List ]] section. Below is an example of how to add an interface list to a bridge:<br />
<pre><br />
/interface list member<br />
add interface=ether1 list=LAN1<br />
add interface=ether2 list=LAN1<br />
add interface=ether3 list=LAN2<br />
add interface=ether4 list=LAN2<br />
/interface bridge port<br />
add bridge=bridge1 interface=LAN1<br />
add bridge=bridge1 interface=LAN2<br />
</pre><br />
<br />
Ports from an interface list added to a bridge will show up as dynamic ports:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN1 bridge1<br />
1 D ether1 bridge1<br />
2 D ether2 bridge1<br />
3 LAN2 bridge1<br />
4 D ether3 bridge1<br />
5 D ether4 bridge1 <br />
</pre><br />
<br />
It is also possible to sort the order in which lists appear in the <code>/interface bridge port</code> menu. This can be done using the <code>move</code> command. Below is an example of how to sort interface lists:<br />
<pre><br />
[admin@MikroTik] > /interface bridge port move 3 0<br />
[admin@MikroTik] > /interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE<br />
0 LAN2 bridge1<br />
1 D ether3 bridge1<br />
2 D ether4 bridge1<br />
3 LAN1 bridge1<br />
4 D ether1 bridge1<br />
5 D ether2 bridge1<br />
</pre><br />
<br />
{{ Note | The second parameter when moving interface lists is considered as "before id": it specifies the interface list before which the selected interface list should be moved. Moving the first interface list in place of the second interface list has no effect, since the first list will be moved before the second list, which is the current state either way.}}<br />
<br />
=Hosts Table=<br />
<br />
MAC addresses that have been learned on a bridge interface can be viewed in the <code>/interface bridge host</code> menu. Below is a table of parameters and flags that can be viewed.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>age</b></var> (<em>read-only: time</em>)</td><br />
<td>The time since the last packet was received from the host. Appears only for dynamic, non-external and non-local host entries</td><br />
</tr><br />
<tr><br />
<td><var><b>bridge</b></var> (<em>read-only: name</em>)</td><br />
<td>The bridge the entry belongs to</td><br />
</tr><br />
<tr><br />
<td><var><b>disabled</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the static host entry is disabled</td><br />
</tr><br />
<tr><br />
<td><var><b>dynamic</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been dynamically created</td><br />
</tr><br />
<tr><br />
<td><var><b>external</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host has been learned using an external table, for example, from a switch chip or Wireless registration table. Adding a static host entry on a hardware-offloaded bridge port will also display an active external flag</td><br />
</tr><br />
<tr><br />
<td><var><b>invalid</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is invalid, can appear for statically configured hosts on already removed interface</td><br />
</tr><br />
<tr><br />
<td><var><b>local</b></var> (<em>read-only: flag</em>)</td><br />
<td>Whether the host entry is created from the bridge itself (that way all local interfaces are shown)</td><br />
</tr><br />
<tr><br />
<td><var><b>mac-address</b></var> (<em>read-only: MAC address</em>)</td><br />
<td>Host's MAC address</td><br />
</tr><br />
<tr><br />
<td><var><b>on-interface</b></var> (<em>read-only: name</em>)</td><br />
<td>Which of the bridged interfaces the host is connected to</td><br />
</tr><br />
</table><br />
<br />
==Monitoring==<br />
<p>To get the active hosts table:</p><br />
<pre><br />
[admin@MikroTik] > interface bridge host print <br />
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external <br />
# MAC-ADDRESS VID ON-INTERFACE BRIDGE AGE<br />
0 D E D4:CA:6D:E1:B5:7E ether2 bridge1<br />
1 DL E4:8D:8C:73:70:37 bridge1 bridge1<br />
2 D D4:CA:6D:E1:B5:7F ether3 bridge2 27s<br />
3 DL E4:8D:8C:73:70:38 bridge2 bridge2<br />
</pre><br />
<br />
==Static entries==<br />
<br />
Since RouterOS v6.42 it is possible to add a static MAC address entry into the hosts table. This can be used to forward a certain type of traffic through a specific port. Another use case for static host entries is protecting the device resources by disabling dynamic learning and relying only on configured static host entries. Below is a table of possible parameters that can be set when adding a static MAC address entry into the hosts table.<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br /><br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface to which the MAC address is going to be assigned.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Disables/enables static MAC address entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=name<br />
|default=none<br />
|desc=Name of the interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=MAC address that will be added to the hosts table statically.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vid<br />
|type=integer: 1..4094<br />
|default=<br />
|desc=VLAN ID for the statically added MAC address entry.<br />
}}<br />
<br />
For example, if it was required that all traffic destined to '''4C:5E:0C:4D:12:43''' is forwarded only through '''ether2''', then the following commands can be used:<br />
<pre><br />
/interface bridge host<br />
add bridge=bridge interface=ether2 mac-address=4C:5E:0C:4D:12:43<br />
</pre><br />
<br />
=Bridge Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge monitor</code></p><br />
<br /><br />
<p>Used to monitor the current status of a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="35%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>current-mac-address</b></var> (<em>MAC address</em>)</td><br />
<td>Current MAC address of the bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>designated-port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of designated bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>port-count</b></var> (<em>integer</em>)</td><br />
<td>Number of the bridge ports</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge</b></var> (<em>yes | no</em>)</td><br />
<td>Shows whether bridge is the root bridge of the spanning tree</td><br />
</tr><br />
<tr><br />
<td><var><b>root-bridge-id</b></var> (<em>text</em>)</td><br />
<td>The root bridge ID, which is in form of bridge-priority.bridge-MAC-address</td><br />
</tr><br />
<tr><br />
<td><var><b>root-path-cost</b></var> (<em>integer</em>)</td><br />
<td>The total cost of the path to the root-bridge</td><br />
</tr><br />
<tr><br />
<td><var><b>root-port</b></var> (<em>name</em>)</td><br />
<td>Port to which the root bridge is connected</td><br />
</tr><br />
<tr><br />
<td><var><b>state</b></var> (<em>enabled | disabled</em>)</td><br />
<td>State of the bridge</td><br />
</tr><br />
</table><br />
<br />
<h3>Example</h3><br />
<br />
<p>To monitor a bridge:</p><br />
<br />
<pre><br />
[admin@MikroTik] /interface bridge> monitor bridge1 <br />
state: enabled<br />
current-mac-address: 00:0C:42:52:2E:CE<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
<br />
[admin@MikroTik] /interface bridge><br />
</pre><br />
<br />
=Bridge Port Monitoring=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge port monitor</code></p><br />
<br /><br />
<p>Statistics of an interface that belongs to a bridge.</p><br />
<br />
<table class="styled_table"><br />
<tr><br />
<th width="40%">Property</th><br />
<th >Description</th><br />
</tr><br />
<tr><br />
<td><var><b>edge-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is an edge port or not.</td><br />
</tr><br />
<tr><br />
<td><var><b>edge-port-discovery</b></var> (<em>yes | no</em>)</td><br />
<td>Whether port is set to automatically detect edge ports.</td><br />
</tr><br />
<tr><br />
<td><var><b>external-fdb</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the registration table is used instead of the forwarding database.</td><br />
</tr><br />
<tr><br />
<td><var><b>forwarding</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is not blocked by (R/M)STP.</td><br />
</tr><br />
<tr><br />
<td><var><b>hw-offload-group</b></var> (<em>switchX</em>)</td><br />
<td>Switch chip used by the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>learning</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if the port is currently listening for BPDUs.</td><br />
</tr><br />
<tr><br />
<td><var><b>multicast-router</b></var> (<em>yes | no</em>)</td><br />
<td>Shows if a multicast router is detected on the port.</td><br />
</tr><br />
<tr><br />
<td><var><b>port-number</b></var> (<em>integer 1..4095</em>)</td><br />
<td>port-number will be assigned in the order that ports got added to the bridge, but this is only true until reboot. After reboot internal numbering will be used - for example, sfp ports will have first port-numbers, followed by Ethernet ports in order, ether1, ether2, etc.</td><br />
</tr><br />
<tr><br />
<td><var><b>point-to-point-port</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is connected to a bridge port using full-duplex (yes) or half-duplex (no).</td><br />
</tr><br />
<tr><br />
<td><var><b>role</b></var> (<em>designated | root port | alternate | backup | disabled</em>)</td><br />
<td><br />
(R/M)STP algorithm assigned role of the port:<br />
* <code>Disabled port</code> - not strictly part of STP, a network administrator can manually disable a port<br />
* <code>Root port</code> - a forwarding port that is the best port from Nonroot-bridge to Rootbridge<br />
* <code>Alternative port</code> - an alternate path to the root bridge. This path is different than using the root port<br />
* <code>Designated port</code> - a forwarding port for every LAN segment<br />
* <code>Backup port</code> - a backup/redundant path to a segment where another bridge port already connects.<br />
</td><br />
</tr><br />
<tr><br />
<td><var><b>sending-rstp</b></var> (<em>yes | no</em>)</td><br />
<td>Whether the port is sending BPDU messages</td><br />
</tr><br />
<tr><br />
<td><var><b>status</b></var> (<em>in-bridge | inactive</em>)</td><br />
<td>Port status:<br />
* <code>in-bridge</code> - port is enabled.<br />
* <code>inactive</code> - port is disabled.<br />
</td><br />
</tr><br />
</table><br />
<br />
==Example==<br />
<br />
<p>To monitor a bridge port:</p><br />
<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor 0 <br />
status: in-bridge<br />
port-number: 1<br />
role: designated-port<br />
edge-port: no<br />
edge-port-discovery: yes<br />
point-to-point-port: no<br />
external-fdb: no<br />
sending-rstp: no<br />
learning: yes<br />
forwarding: yes<br />
<br />
[admin@MikroTik] /interface bridge port><br />
</pre><br />
<br />
=Bridge Hardware Offloading=<br />
<br />
Since RouterOS v6.41 it is possible to switch multiple ports together if a device has a built-in switch chip. While a bridge is a software feature that will consume CPU's resources, the bridge hardware offloading feature will allow you to use the built-in switch chip to forward packets; this allows you to achieve higher throughput, if configured correctly. In previous versions (prior to RouterOS v6.41) you had to use the <var>master-port</var> property to switch multiple ports together, but in RouterOS v6.41 this property is replaced with the bridge hardware offloading feature, which allows you to switch ports and use some of the bridge features, for example, [[ Manual:Spanning_Tree_Protocol | Spanning Tree Protocol]]. More details about the outdated <var>master-port</var> property can be found in the [[Manual:Master-port | Master-port]] page.<br />
<br />
{{ Note | When upgrading from previous versions (before RouterOS v6.41), the old <var>master-port</var> configuration is automatically converted to the new '''Bridge Hardware Offloading''' configuration. When downgrading from newer versions (RouterOS v6.41 and newer) to older versions (before RouterOS v6.41) the configuration is not converted back, a bridge without hardware offloading will exist instead, in such a case you need to reconfigure your device to use the old <var>master-port</var> configuration. }}<br />
<br />
Below is a list of devices and features that support hardware offloading (+) or disable hardware offloading (-):<br />
<br />
{| border="1" class="wikitable collapsible sortable" style="text-align: center"<br />
| nowrap style="background-color: #CCC;* " | <b><u>RouterBoard/[Switch Chip] Model</u></b><br />
| nowrap style="background-color: #CCC;* " | <b>Features in Switch menu</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge STP/RSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge MSTP</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge IGMP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge DHCP Snooping</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bridge VLAN Filtering</b><br />
| nowrap style="background-color: #CCC;* " | <b>Bonding</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS3xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
| <b>+</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | CRS1xx/CRS2xx series<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>+ <small style="font-size:60%;">1</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [QCA8337]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8327]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|-<br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8227]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros8316]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>+ <small style="font-size:60%;">2</small></b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [Atheros7240]<br />
| <b>+</b><br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [MT7621]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [RTL8367]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
| style="background-color: #CCC;font-weight: bold;" | [ICPlus175D]<br />
| <b>+</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
| <b>-</b><br />
|- <br />
|}<br />
<br />
<b>NOTES:</b><br />
# Feature will not work properly in VLAN switching setups. It is possible to correctly snoop DHCP packets only for a single VLAN, but this requires that these DHCP messages get tagged with the correct VLAN tag using an ACL rule, for example, <code>/interface ethernet switch acl add dst-l3-port=67-68 ip-protocol=udp mac-protocol=ip new-customer-vid=10 src-ports=switch1-cpu</code>. DHCP Option 82 will not contain any information regarding VLAN-ID. <br />
# Feature will not work properly in VLAN switching setups.<br />
<br />
{{ Note | When upgrading from older versions (before RouterOS v6.41), only the <var>master-port</var> configuration is converted. For each <var>master-port</var> a bridge will be created. VLAN configuration is not converted and should not be changed, check the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide to be sure how VLAN switching should be configured for your device. }}<br />
<br />
Bridge Hardware Offloading should be considered as port switching, but with more possible features. By enabling hardware offloading you are allowing a built-in switch chip to process packets using its switching logic. The diagram below illustrates that switching occurs before any software related action:<br />
<br />
[[File:switch-png.png|center]]<br />
<br />
A packet that is received by one of the ports always passes through the switch logic first. Switch logic decides to which ports the packet should be going (most commonly this decision is made based on the destination MAC address of a packet, but there might be other criteria involved based on the packet and the configuration). In most cases the packet will not be visible to RouterOS (only statistics will show that a packet has passed through); this is because the packet was already processed by the switch chip and never reached the CPU, though it is possible in certain situations to allow a packet to be processed by the CPU. To allow the CPU to process a packet you need to forward the packet to the CPU and not allow the switch chip to forward the packet through a switch port directly; this is usually called passing a packet to the switch CPU port (or the bridge CPU port in a bridge VLAN filtering scenario).<br />
<br />
By passing a packet to the switch CPU port you are prohibiting the switch chip from forwarding the packet directly; this allows the CPU to process the packet and lets the CPU forward the packet. Passing the packet to the CPU port will give you the opportunity to route packets to different networks, perform traffic control and other software related packet processing actions. To allow a packet to be processed by the CPU, you need to make certain configuration changes depending on your needs and on the device you are using (most commonly passing packets to the CPU is required for VLAN filtering setups). Check the manual page for your specific device:<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches_examples | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | non-CRS series switches]]<br />
<br />
{{ Warning | Certain bridge and Ethernet port properties are directly related to switch chip settings. Changing such properties can trigger a '''switch chip reset''' that will temporarily disable all Ethernet ports that are on the switch chip for the settings to have an effect; this must be taken into account whenever changing properties on production environments. Such properties are DHCP Snooping, IGMP Snooping, VLAN filtering, L2MTU, Flow Control and others (exact settings that can trigger a switch chip reset depend on the device's model). }}<br />
<br />
==Example==<br />
<br />
Port switching with bridge configuration and enabled hardware offloading since RouterOS v6.41:<br />
<pre><br />
/interface bridge<br />
add name=bridge1<br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2 hw=yes<br />
add bridge=bridge1 interface=ether3 hw=yes<br />
add bridge=bridge1 interface=ether4 hw=yes<br />
add bridge=bridge1 interface=ether5 hw=yes<br />
</pre><br />
<br />
Make sure that hardware offloading is enabled by checking the "H" flag:<br />
<pre><br />
[admin@MikroTik] > interface bridge port print <br />
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload <br />
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON<br />
0 H ether2 bridge1 yes 1 0x80 10 10 none<br />
1 H ether3 bridge1 yes 1 0x80 10 10 none<br />
2 H ether4 bridge1 yes 1 0x80 10 10 none<br />
3 H ether5 bridge1 yes 1 0x80 10 10 none<br />
</pre><br />
<br />
{{ Note | Port switching in RouterOS v6.41 and newer is done using the bridge configuration. Prior to RouterOS v6.41 port switching was done using the <var>master-port</var> property, for more details check the [[Manual:Master-port | Master-port]] page. }}<br />
<br />
=Bridge VLAN Filtering=<br />
<br />
{{ Note | Currently only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the [[ Manual:Basic_VLAN_switching | Basic VLAN switching]] guide. If an improper configuration method is used, your device can cause throughput issues in your network. }}<br />
<br />
<p>Bridge VLAN Filtering since RouterOS v6.41 provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge.<br />
This set of features makes bridge operation more like a traditional Ethernet switch and allows overcoming Spanning Tree compatibility issues compared to a configuration where tunnel-like VLAN interfaces are bridged.<br />
Bridge VLAN Filtering configuration is highly recommended to comply with STP (IEEE 802.1D), RSTP (IEEE 802.1W) standards and is mandatory to enable MSTP (IEEE 802.1s) support in RouterOS.</p><br />
<br />
<p>The main VLAN setting is <code>vlan-filtering</code> which globally controls vlan-awareness and VLAN tag processing in the bridge.<br />
If <code>vlan-filtering=no</code>, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets.<br />
Turning on <code>vlan-filtering</code> enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode.<br />
Besides joining the ports for Layer2 forwarding, bridge itself is also an interface therefore it has Port VLAN ID (pvid).</p><br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge vlan</code></p><br />
<br />
<p>Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action.<br />
<code>tagged</code> ports send out frames with a learned VLAN ID tag.<br />
<code>untagged</code> ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port <code>pvid</code>.<br />
</p><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=name<br />
|default=none<br />
|desc=The bridge interface which the respective VLAN entry is intended for.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enables or disables Bridge VLAN entry.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag adding action in egress. This setting accepts comma separated values. E.g. <code>tagged=ether1,ether2</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=untagged<br />
|type=interfaces<br />
|default=none<br />
|desc=Interface list with a VLAN tag removing action in egress. This setting accepts comma separated values. E.g. <code>untagged=ether3,ether4</code><br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-ids<br />
|type=integer 1..4094<br />
|default=1<br />
|desc=The list of VLAN IDs for certain port configuration. This setting accepts VLAN ID range as well as comma separated values. E.g. <code>vlan-ids=100-115,120,122,128-130</code>.<br />
}}<br />
<br /><br />
{{ Warning | The <var>vlan-ids</var> parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are trunk ports. In case multiple VLANs are specified for access ports, then tagged packets might get sent out as untagged packets through the wrong access port, regardless of the <var>PVID</var> value. }}<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge host</code></p><br />
<br />
<p>Bridge Host table allows monitoring learned MAC addresses and when <code>vlan-filtering</code> is enabled shows learned VLAN ID as well.</p><br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge host print where !local<br />
Flags: L - local, E - external-fdb <br />
BRIDGE VID MAC-ADDRESS ON-INTERFACE AGE <br />
bridge1 200 D4:CA:6D:77:2E:F0 ether3 7s <br />
bridge1 200 E4:8D:8C:1B:05:F0 ether2 2s <br />
bridge1 300 D4:CA:6D:74:65:9D ether4 3s <br />
bridge1 300 E4:8D:8C:1B:05:F0 ether2 2s <br />
bridge1 400 4C:5E:0C:4B:89:5C ether5 0s <br />
bridge1 400 E4:8D:8C:1B:05:F0 ether2 0s <br />
[admin@MikroTik] > <br />
</pre><br />
<br />
{{ Note | Make sure you have added all needed interfaces to the bridge VLAN table when using bridge VLAN filtering. For routing functions to work properly on the same device through ports that use bridge VLAN filtering, you will need to allow access to the CPU from those ports, this can be done by adding the bridge interface itself to the VLAN table, for tagged traffic you will need to add the bridge interface as a tagged port and create a VLAN interface on the bridge interface. Examples can be found at the [[Manual:Interface/Bridge#Management_port| Management port]] section.}}<br />
<br />
{{ Warning | When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, this is not always desirable. Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port, use firewall filter rules to allow access to only certain services.}}<br />
<br />
==VLAN Example #1 (Trunk and Access Ports)==<br />
<br />
{{ Note | Improperly configured bridge VLAN filtering can cause security issues, make sure you fully understand how [[ Manual:Bridge_VLAN_Table | Bridge VLAN table]] works before deploying your device into production environments. }}<br />
<br />
[[File:portbased-vlan1.png|center|frame|alt=Alt text|Trunk and Access Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the device before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==VLAN Example #2 (Trunk and Hybrid Ports)==<br />
<br />
[[File:portbased-vlan2.png|center|frame|alt=Alt text|Trunk and Hybrid Ports]]<br />
<br />
* Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured.<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* Add bridge ports and specify <code>pvid</code> on hybrid VLAN ports to assign untagged traffic to the intended VLAN.<br />
<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether2<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
* Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example egress VLAN tagging is done on ether6,ether7,ether8 ports too, making them into hybrid ports.<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
* In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.<br />
<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | You don't have to add access ports as untagged ports, they will be added dynamically as untagged ports with the VLAN ID that is specified in <code>PVID</code>; you can specify just the trunk port as a tagged port. All ports that have the same <code>PVID</code> set will be added as untagged ports in a single entry. You must take into account that the bridge itself is a port and it also has a <code>PVID</code> value, this means that the bridge port also will be added as an untagged port for the ports that have the same <code>PVID</code>. You can circumvent this behaviour either by setting a different <code>PVID</code> on all ports (even the trunk port and bridge itself), or by using <code>frame-type</code> set to <code>accept-only-vlan-tagged</code>. }}<br />
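The two warnings in this section (a <code>vlan-ids</code> set or range combined with untagged access ports, and ports that dynamically share the bridge's own PVID) can be checked mechanically against an exported configuration. The script below is an added example, not MikroTik code: the sample export is constructed from VLAN Example #1 plus a hypothetical port ether9, and the default PVID of 1 and the <code>frame-types</code> spelling are assumptions noted in the comments.

```python
import re
from collections import defaultdict

# Constructed sample: "VLAN Example #1" from this page with filtering enabled, plus a
# hypothetical access port ether9 whose VLAN table entry covers a range of VLAN IDs.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
add bridge=bridge1 interface=ether9 pvid=500
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400
add bridge=bridge1 tagged=ether2 untagged=ether9 vlan-ids=500-502
"""


def parse_export(text):
    """Group 'add key=value ...' lines by the RouterOS menu path above them."""
    sections, menu = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            sections[menu].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections


def expand_vlan_ids(spec):
    """Expand a vlan-ids value such as '100-115,120' into a sorted list."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ids)


def split_list(value):
    return [v for v in (value or "").split(",") if v and v != "none"]


def tagged_only(item):
    # The page names this setting frame-type=accept-only-vlan-tagged; RouterOS
    # exports spell it frame-types=admit-only-vlan-tagged. Both are matched here.
    value = item.get("frame-types", item.get("frame-type", ""))
    return value.endswith("only-vlan-tagged")


def audit(text):
    """Return (findings, untagged) for an exported bridge configuration.

    untagged maps (bridge, vid) to the set of ports that are untagged members,
    including the dynamic PVID-based membership the warning describes.
    """
    s = parse_export(text)
    findings = []
    untagged = defaultdict(set)

    for b in s["/interface bridge"]:
        if not tagged_only(b):
            # The bridge itself is a port; assumed default PVID is 1.
            untagged[(b["name"], int(b.get("pvid", 1)))].add(b["name"])

    for p in s["/interface bridge port"]:
        if tagged_only(p):
            continue
        br, pvid = p["bridge"], int(p.get("pvid", 1))
        untagged[(br, pvid)].add(p["interface"])
        if br in untagged[(br, pvid)]:
            # Untagged traffic on this port lands in the same VLAN as the CPU port.
            findings.append(("shares-bridge-pvid", p["interface"], pvid))

    for v in s["/interface bridge vlan"]:
        ids = expand_vlan_ids(v.get("vlan-ids", "1"))
        ports = split_list(v.get("untagged"))
        for vid in ids:
            untagged[(v["bridge"], vid)].update(ports)
        if len(ids) > 1 and ports:
            # Several VLANs egress untagged on the same access port(s).
            findings.append(("multi-vlan-untagged", ",".join(ports), ids))
    return findings, untagged


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT)[0]:
        print(finding)
```

On the sample, the trunk port ether2 is reported because it keeps the default PVID that the bridge also uses, and ether9 is reported because VLANs 500 to 502 would all leave it untagged.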
<br />
==VLAN Example #3 (InterVLAN Routing by Bridge)==<br />
<br />
[[File:bridge-vlan-routing.png|center|frame|alt=Alt text|InterVLAN Routing by Bridge]]<br />
<br />
Create a bridge with disabled <code>vlan-filtering</code> to avoid losing access to the router before VLANs are completely configured:<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
Add bridge ports and specify <code>pvid</code> for VLAN access ports to assign their untagged traffic to the intended VLAN:<br />
<pre><br />
/interface bridge port<br />
add bridge=bridge1 interface=ether6 pvid=200<br />
add bridge=bridge1 interface=ether7 pvid=300<br />
add bridge=bridge1 interface=ether8 pvid=400<br />
</pre><br />
<br />
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example '''bridge1''' interface is the VLAN trunk that will send traffic further to do InterVLAN routing:<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200<br />
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300<br />
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400<br />
</pre><br />
<br />
Configure VLAN interfaces on the '''bridge1''' to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned:<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=VLAN200 vlan-id=200<br />
add interface=bridge1 name=VLAN300 vlan-id=300<br />
add interface=bridge1 name=VLAN400 vlan-id=400<br />
<br />
/ip address<br />
add address=20.0.0.1/24 interface=VLAN200<br />
add address=30.0.0.1/24 interface=VLAN300<br />
add address=40.0.0.1/24 interface=VLAN400<br />
</pre><br />
<br />
In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
==Management access configuration==<br />
<br />
There are multiple ways to setup management access on a device that uses bridge VLAN filtering. Below are some of the most popular approaches to properly enable access to a router/switch. Start by creating a bridge without VLAN filtering enabled:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no<br />
</pre><br />
<br />
* In case VLAN filtering will not be used and access with untagged traffic is desired<br />
<br />
The only requirement is to create an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.99.1/24 interface=bridge1<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with tagged traffic is desired<br />
<br />
In this example VLAN99 will be used to access the device, a VLAN interface on the bridge must be created and an IP address must be assigned to it.<br />
<br />
<pre><br />
/interface vlan<br />
add interface=bridge1 name=MGMT vlan-id=99<br />
/ip address<br />
add address=192.168.99.1/24 interface=MGMT<br />
</pre><br />
<br />
For example, if you want to allow access to the router/switch from access ports '''ether3''', '''ether4''' and from trunk port '''sfp-sfpplus1''', then you must add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
* In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired<br />
<br />
To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.<br />
<br />
<pre><br />
/ip address<br />
add address=192.168.88.1/24 interface=bridge1<br />
</pre><br />
<br />
It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports '''ether3''', '''ether4''' add this entry to the VLAN table:<br />
<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1<br />
</pre><br />
<br />
Make sure that PVID on the bridge interface matches the PVID value on these ports:<br />
<pre><br />
/interface bridge set bridge1 pvid=1<br />
/interface bridge port set ether3,ether4 pvid=1<br />
</pre><br />
<br />
After that you can enable VLAN filtering:<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Note | If connection to the router/switch through an IP address is not required, then steps adding this IP address can be skipped since connection to the router/switch through Layer2 protocols (e.g. MAC-telnet) will be working either way. }}<br />
<br />
==VLAN Tunneling (Q-in-Q)==<br />
Since RouterOS v6.43 the RouterOS bridge is IEEE 802.1ad compliant and it is possible to filter VLAN IDs based on Service VLAN ID (0x88A8) rather than Customer VLAN ID (0x8100). The same principles can be applied as with IEEE 802.1Q VLAN filtering (the same setup examples can be used). Below is a topology for a common '''Provider bridge''':<br />
<br />
[[File:provider_bridge.png|700px|thumb|center|alt=Alt text|Provider bridge topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic by 802.1Q (CVID), but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with an SVID and only allow these VLANs on certain ports. Start by enabling <code>802.1ad</code> VLAN protocol on the bridge, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x88a8<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' are going to be access ports (untagged), use the <code>pvid</code> parameter to tag all ingress traffic on each port, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200<br />
add interface=ether2 bridge=bridge1 pvid=300<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. The difference between using different EtherTypes is that you must use a Service VLAN interface. Service VLAN interfaces can be created as a regular VLAN interface, but the <var>use-service-tag</var> parameter toggles whether the interface will use the Service VLAN tag. }}<br />
<br />
{{ Note | Currently only CRS3xx series switches are capable of hardware offloading VLAN filtering based on SVID (Service VLAN ID) tag when <var>ether-type</var> is set to 0x88a8. }}<br />
<br />
{{ Warning | When <code>ether-type&#61;0x8100</code>, the bridge checks whether the outer VLAN tag is using EtherType <code>0x8100</code>. If the bridge receives a packet with an outer tag that has a different EtherType, it will mark the packet as <code>untagged</code>. Since RouterOS only checks the outer tag of a packet, it is not possible to filter 802.1Q packets when 802.1ad protocol is used. }}<br />
<br />
===Tag stacking===<br />
<br />
Since RouterOS v6.43 it is possible to forcefully add a new VLAN tag over any existing VLAN tags. This feature can be used to achieve a CVID stacking setup, where a CVID (0x8100) tag is added before an existing CVID tag. This type of setup is very similar to the [[ Manual:Interface/Bridge#VLAN_Tunneling_.28Q-in-Q.29 | Provider bridge]] setup. To achieve the same setup but with multiple CVID tags (CVID stacking) we can use the same topology:<br />
<br />
[[File:tag_stacking.png|700px|thumb|center|alt=Alt text|Tag stacking topology]]<br />
<br />
In this example '''R1''', '''R2''', '''R3''' and '''R4''' might be sending any VLAN tagged traffic; it can be 802.1ad, 802.1Q or any other type of traffic, but '''SW1''' and '''SW2''' need to isolate traffic between routers in a way that '''R1''' is able to communicate only with '''R3''' and '''R2''' is only able to communicate with '''R4'''. To do so, you can tag all ingress traffic with a new CVID tag and only allow these VLANs on certain ports. Start by selecting the proper EtherType. Use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge<br />
add name=bridge1 vlan-filtering=no ether-type=0x8100<br />
</pre><br />
<br />
In this setup '''ether1''' and '''ether2''' will ignore any VLAN tags that are present and add a new VLAN tag. Use the <code>pvid</code> parameter to tag all ingress traffic on each port and allow <code>tag-stacking</code> on these ports. Use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge port<br />
add interface=ether1 bridge=bridge1 pvid=200 tag-stacking=yes<br />
add interface=ether2 bridge=bridge1 pvid=300 tag-stacking=yes<br />
add interface=ether3 bridge=bridge1<br />
</pre><br />
<br />
Specify tagged and untagged ports in the bridge VLAN table. You only need to specify the VLAN ID of the outer tag. Use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge vlan<br />
add bridge=bridge1 tagged=ether3 untagged=ether1 vlan-ids=200<br />
add bridge=bridge1 tagged=ether3 untagged=ether2 vlan-ids=300<br />
</pre><br />
<br />
When the bridge VLAN table is configured, you can enable bridge VLAN filtering, which is required in order for the <code>PVID</code> parameter to have any effect. Use these commands on '''SW1''' and '''SW2''':<br />
<pre><br />
/interface bridge set bridge1 vlan-filtering=yes<br />
</pre><br />
<br />
{{ Warning | By enabling <var>vlan-filtering</var> you will be filtering out traffic destined to the CPU. Before enabling VLAN filtering you should make sure that you set up a [[Manual:Interface/Bridge#Management_port| Management port]]. }}<br />
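<br />
The following Python model is an added illustration, not RouterOS code: it applies the outer-tag rule from the Q-in-Q warning and the <code>tag-stacking</code> behaviour described above to constructed frames, using the <code>pvid</code> values and bridge VLAN table from the examples. The function names and the simplified egress lookup are assumptions made for this sketch.<br />

```python
import struct

CVLAN = 0x8100  # IEEE 802.1Q customer tag (CVID)
SVLAN = 0x88A8  # IEEE 802.1ad service tag (SVID)

# Bridge VLAN table from the examples on this page (same on SW1 and SW2).
VLAN_TABLE = {
    200: {"tagged": ["ether3"], "untagged": ["ether1"]},
    300: {"tagged": ["ether3"], "untagged": ["ether2"]},
}


def build_frame(tags, payload_type=0x0800):
    """Constructed sample frame: broadcast destination, made-up source MAC,
    the given (tpid, vid) tags outermost first, then a dummy payload."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", payload_type) + b"\x00" * 46


def parse_tags(frame):
    """Return the VLAN tags found after the MAC addresses, outermost first."""
    tags, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (CVLAN, SVLAN):
            break
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
    return tags


def classify_ingress(frame, bridge_ether_type, pvid, tag_stacking=False):
    """Model of the ingress decision described on this page.

    Only the outer tag is examined. If its EtherType equals the bridge
    ether-type (and tag-stacking is off) the frame is treated as tagged and
    keeps that VLAN ID. Otherwise it is treated as untagged and a new tag
    with the port's pvid is pushed in front of whatever tags it carried.
    Returns (vlan_id, tag stack after ingress).
    """
    tags = parse_tags(frame)
    outer_matches = bool(tags) and tags[0][0] == bridge_ether_type
    if outer_matches and not tag_stacking:
        return tags[0][1], tags
    return pvid, [(bridge_ether_type, pvid)] + tags


def egress_ports(vlan_id, in_port, vlan_table=VLAN_TABLE):
    """Simplified egress lookup: members of the VLAN except the ingress port."""
    entry = vlan_table.get(vlan_id)
    if entry is None:
        return []
    members = set(entry["tagged"]) | set(entry["untagged"])
    return sorted(members - {in_port})


if __name__ == "__main__":
    # R1 on ether1 (pvid=200) sends a frame that already carries CVID 300.
    frame = build_frame([(CVLAN, 300)])
    for label, ether_type, stacking in (
        ("802.1ad bridge", SVLAN, False),
        ("802.1Q bridge, tag-stacking=yes", CVLAN, True),
        ("802.1Q bridge, tag-stacking=no", CVLAN, False),
    ):
        vid, stack = classify_ingress(frame, ether_type, 200, stacking)
        print(label, "-> VLAN", vid, "egress", egress_ports(vid, "ether1"),
              [(hex(t), v) for t, v in stack])
```

In the first two cases the customer's own tag never decides the VLAN, so traffic entering '''ether1''' stays in VLAN 200; in the third case the customer tag is the one the bridge evaluates.<br />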
<br />
=Fast Forward=<br />
<br />
Fast Forward allows packets to be forwarded faster under special conditions. When Fast Forward is enabled, the bridge can process packets even faster since it can skip multiple bridge related checks, including MAC learning. Below you can find a list of conditions that '''MUST''' be met in order for Fast Forward to be active:<br />
* Bridge has <var>fast-forward</var> set to <code>yes</code><br />
* Bridge has only 2 running ports<br />
* Both bridge ports support [[ Manual:Fast_Path | Fast Path]], Fast Path is active on ports and globally on the bridge<br />
* [[ Manual:Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] is disabled<br />
* <var>protocol-mode</var> is set to <code>none</code><br />
* [[ Manual:Interface/Bridge#Bridge_VLAN_Filtering | Bridge VLAN Filtering]] is disabled<br />
* [[Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82 | bridge DHCP snooping]] is disabled<br />
* <var>unknown-multicast-flood</var> is set to <code>yes</code><br />
* <var>unknown-unicast-flood</var> is set to <code>yes</code><br />
* <var>broadcast-flood</var> is set to <code>yes</code><br />
* MAC address for the bridge matches with a MAC address from one of the bridge slaves<br />
* <var>horizon</var> for both ports is set to <code>none</code><br />
<br />
{{ Note | Fast Forward disables MAC learning, this is by design to achieve faster packet forwarding. MAC learning prevents traffic from flooding multiple interfaces, but MAC learning is not needed when a packet can only be sent out through just one interface. }}<br />
<br />
{{ Warning | Fast Forward is disabled when hardware offloading is enabled. Hardware offloading can achieve full wire-speed performance when it is active since it will use the built-in switch chip (if such exists on your device), while Fast Forward uses the CPU to forward packets. When comparing throughput results, you would get such results: Hardware offloading > Fast Forward > Fast Path > Slow Path. }}<br />
<br />
It is possible to check how many packets were processed by Fast Forward:<br />
<pre><br />
[admin@MikroTik] > /interface bridge settings print <br />
use-ip-firewall: no<br />
use-ip-firewall-for-vlan: no<br />
use-ip-firewall-for-pppoe: no<br />
allow-fast-path: yes<br />
bridge-fast-path-active: yes<br />
bridge-fast-path-packets: 0<br />
bridge-fast-path-bytes: 0<br />
bridge-fast-forward-packets: 1279812<br />
bridge-fast-forward-bytes: 655263744<br />
</pre><br />
<br />
{{ Note | If packets are processed by Fast Path, then Fast Forward is not active. Packet count can be used as an indicator whether Fast Forward is active or not. }}<br />
<br />
Since RouterOS 6.44beta28 it is possible to monitor Fast Forward status, for example:<br />
<pre><br />
[admin@MikroTik] > /interface bridge monitor bridge1 <br />
state: enabled<br />
current-mac-address: D4:CA:6D:E1:B5:82<br />
root-bridge: yes<br />
root-bridge-id: 0x8000.00:00:00:00:00:00<br />
root-path-cost: 0<br />
root-port: none<br />
port-count: 2<br />
designated-port-count: 0<br />
fast-forward: yes<br />
<br />
</pre><br />
<br />
{{ Warning | Disabling or enabling <var>fast-forward</var> will temporarily disable all bridge ports for settings to take effect. This must be taken into account whenever changing this property on production environments since it can cause all packets to be temporarily dropped. }}<br />
<br />
=IGMP Snooping=<br />
<br />
<p>IGMP Snooping which controls multicast streams and prevents multicast flooding is implemented in RouterOS starting from version 6.41.<br /><br />
Its settings are placed in the bridge menu and it works independently in every bridge interface.<br /><br />
Software driven implementation works on all devices with RouterOS but CRS1xx/2xx/3xx series switches also support IGMP Snooping with hardware offloading.</p><br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge mdb</code></p><br />
<br />
* Enabling IGMP Snooping on Bridge.<br />
<br />
<pre><br />
/interface bridge set bridge1 igmp-snooping=yes<br />
</pre><br />
<br />
* Monitoring multicast groups in the Bridge Multicast Database<br />
<br />
<pre><br />
[admin@MikroTik] > interface bridge mdb print <br />
BRIDGE VID GROUP PORTS <br />
bridge1 200 229.1.1.2 ether3 <br />
ether2 <br />
ether1 <br />
bridge1 300 231.1.3.3 ether4 <br />
ether3 <br />
ether2 <br />
bridge1 400 229.10.10.4 ether4 <br />
ether3 <br />
bridge1 500 234.5.1.5 ether5 <br />
ether1 <br />
</pre><br />
<br />
* Monitoring ports that are connected to a multicast router<br />
<pre><br />
[admin@MikroTik] > /interface bridge port monitor [f]<br />
interface: ether1 ether2<br />
status: in-bridge in-bridge<br />
port-number: 1 2<br />
role: designated-port designated-port<br />
edge-port: yes yes<br />
edge-port-discovery: yes yes<br />
point-to-point-port: yes yes<br />
external-fdb: no no<br />
sending-rstp: yes yes<br />
learning: yes yes<br />
forwarding: yes yes<br />
multicast-router: yes no<br />
</pre><br />
<br />
{{ Note | IGMP membership reports are only forwarded to ports that are connected to a multicast router or to another IGMP Snooping enabled bridge. If no port is marked as a <var>multicast-router</var> then IGMP membership reports will not be forwarded to any port. }}<br />
<br />
=DHCP Snooping and DHCP Option 82=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code> <code>/interface bridge port</code></p><br />
<br /><br />
Starting from RouterOS version 6.43, the bridge supports DHCP Snooping and DHCP Option 82. DHCP Snooping is a Layer2 security feature that limits unauthorized DHCP servers from providing malicious information to users. In RouterOS you can specify which bridge ports are trusted (where a known DHCP server resides and DHCP messages should be forwarded) and which are untrusted (usually used for access ports, received DHCP server messages will be dropped). DHCP Option 82 is additional information (Agent Circuit ID and Agent Remote ID) provided by DHCP Snooping enabled devices that allows identifying the device itself and DHCP clients.<br />
<br />
[[File:dhcp_snooping.png|700px|thumb|center|alt=Alt text|DHCP Snooping and Option 82 setup]]<br />
<br />
In this example, SW1 and SW2 are DHCP Snooping and Option 82 enabled devices. First, we need to create a bridge, assign interfaces and mark trusted ports. Use these commands on <b>SW1</b>:<br />
<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1<br />
add bridge=bridge interface=ether2 trusted=yes<br />
</pre><br />
<br />
For SW2 the configuration will be similar, but we also need to mark ether1 as trusted, because this interface is going to receive DHCP messages with Option 82 already added. You need to mark all ports as trusted if they are going to receive DHCP messages with added Option 82, otherwise these messages will be dropped. Also, we add ether3 to the same bridge and leave this port untrusted; imagine there is an unauthorized (rogue) DHCP server connected to it. Use these commands on <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
add name=bridge<br />
/interface bridge port<br />
add bridge=bridge interface=ether1 trusted=yes<br />
add bridge=bridge interface=ether2 trusted=yes<br />
add bridge=bridge interface=ether3<br />
</pre><br />
<br />
Then we need to enable DHCP Snooping and Option 82. In case your DHCP server does not support DHCP Option 82 or you do not implement any Option 82 related policies, this option can be disabled. Use these commands on <b>SW1</b> and <b>SW2</b>:<br />
<pre><br />
/interface bridge<br />
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes<br />
</pre><br />
<br />
Now both devices will analyze what DHCP messages are received on bridge ports. <b>SW1</b> is responsible for adding and removing the DHCP Option 82. <b>SW2</b> will limit the rogue DHCP server from receiving any discovery messages and drop malicious DHCP server messages from ether3.<br />
<br />
{{ Note | Currently only CRS3xx devices fully support hardware DHCP Snooping and Option 82. For CRS1xx and CRS2xx series switches it is possible to use DHCP Snooping along with VLAN switching, but then you must make sure that DHCP packets are sent out with the correct VLAN tag using egress ACL rules. Other devices are capable of using DHCP Snooping and Option 82 features along with hardware offloading, but you must make sure that there is no VLAN related configuration applied on the device, otherwise DHCP Snooping and Option 82 might not work properly. See [[ Switch_Chip_Features#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features.}}<br />
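<br />
The trusted/untrusted rules described in this section can be expressed as a small ingress check. The Python sketch below is an added illustration, not RouterOS code: it parses constructed DHCP payloads, extracts the message type and the Option 82 sub-options (Agent Circuit ID and Agent Remote ID), and applies the '''SW2''' port trust settings from the example. The function names and the sample Option 82 values are assumptions.<br />

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SERVER_MESSAGES = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}

# Port trust on SW2 as configured in the example on this page.
SW2_PORTS = {"ether1": True, "ether2": True, "ether3": False}


def build_dhcp(msg_type, option82=None):
    """Constructed sample DHCP payload; the fixed BOOTP header is zero-filled."""
    op = 2 if msg_type in SERVER_MESSAGES else 1
    header = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 232
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82 is not None:
        options += bytes([OPT_RELAY_INFO, len(option82)]) + option82
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_tlvs(data, is_options=True):
    """Parse code/length/value triplets. Pad and End codes only exist at the
    top level of the options field, not inside Option 82."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if is_options and code == OPT_END:
            break
        if is_options and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_dhcp(payload):
    """Return the message type and the decoded Option 82, if present."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options = parse_tlvs(payload[240:])
    raw_type = options.get(OPT_MSG_TYPE, b"")
    info = {"msg_type": raw_type[0] if raw_type else None, "option82": None}
    if OPT_RELAY_INFO in options:
        sub = parse_tlvs(options[OPT_RELAY_INFO], is_options=False)
        # Sub-option 1 is Agent Circuit ID, sub-option 2 is Agent Remote ID.
        info["option82"] = {"circuit_id": sub.get(1), "remote_id": sub.get(2)}
    return info


def snoop_ingress(payload, port_trusted):
    """Apply the rules from this section to a DHCP message received on a port."""
    info = parse_dhcp(payload)
    if port_trusted:
        return "forward", "trusted port"
    if info["msg_type"] in SERVER_MESSAGES:
        name = SERVER_MESSAGES[info["msg_type"]]
        return "drop", "%s received on untrusted port" % name
    if info["option82"] is not None:
        return "drop", "Option 82 already present on untrusted port"
    return "forward", "client message"


def sw2_ingress(port, payload):
    """Decision for a message arriving on one of SW2's bridge ports."""
    return snoop_ingress(payload, SW2_PORTS[port])


if __name__ == "__main__":
    # Constructed Option 82 content: circuit ID "ether1", remote ID "SW1".
    opt82 = bytes([1, 6]) + b"ether1" + bytes([2, 3]) + b"SW1"
    print(sw2_ingress("ether3", build_dhcp(2)))         # offer from rogue server
    print(sw2_ingress("ether1", build_dhcp(1, opt82)))  # discover relayed by SW1
    print(sw2_ingress("ether2", build_dhcp(5)))         # ack from known server
```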
<br />
=Bridge Firewall=<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter, /interface bridge nat</code></p><br />
<br /><br />
<p>The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through bridge.</p><br />
<br />
<p>[[Packet Flow | Packet flow diagram]] shows how packets are processed through router. It is possible to force bridge traffic to go through <code>/ip firewall filter</code> rules (see: [[#Bridge Settings | Bridge Settings]])</p><br />
<br />
<p><br />
There are two bridge firewall tables:<br />
<br />
*'''filter''' - bridge firewall with three predefined chains:<br />
**'''input''' - filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)<br />
**'''output''' - filters packets, which come from the bridge (including those packets that have been routed normally)<br />
**'''forward''' - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)<br />
*'''nat''' - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:<br />
**'''srcnat''' - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface<br />
**'''dstnat''' - used for redirecting some packets to other destinations<br />
</p><br />
<br />
<p><br />
You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by <code>'/ip firewall mangle'</code>. In this way, packet marks put by bridge firewall can be used in 'IP firewall', and vice versa.<br />
</p><br />
<br />
<p><br />
General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.<br />
</p><br />
<br />
==Properties==<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-sap<br />
|type=integer<br />
|default=<br />
|desc=DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match a SAP byte.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=802.3-type<br />
|type=integer<br />
|default=<br />
|desc=Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=<br />
|desc= Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. Packet is not passed to next firewall rule<br />
* <var>drop</var> - silently drop the packet<br />
* <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter <br />
* <var>log</var> - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to <code>passthrough</code><br />
* <var>mark-packet</var> - place a mark specified by the new-packet-mark parameter on a packet that matches the rule<br />
* <var>passthrough</var> - if packet is matched by the rule, increase counter and go to next rule (useful for statistics)<br />
* <var>return</var> - passes control back to the chain from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP destination IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP destination MAC address<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-gratuitous<br />
|type=yes {{!}} no<br />
|default=<br />
|desc=Matches ARP gratuitous packets.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-hardware-type<br />
|type=integer<br />
|default=1<br />
|desc=ARP hardware type. This is normally Ethernet (Type 1).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-opcode<br />
|type=arp-nak {{!}} drarp-error {{!}} drarp-reply {{!}} drarp-request {{!}} inarp-reply {{!}} inarp-request {{!}} reply {{!}} reply-reverse {{!}} request {{!}} request-reverse<br />
|default=<br />
|desc=ARP opcode (packet type)<br />
* <var>arp-nak</var> - negative ARP reply (rarely used, mostly in ATM networks) <br />
* <var>drarp-error</var> - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated <br />
* <var>drarp-reply</var> - Dynamic RARP reply, with a temporary IP address assignment for a host <br />
* <var>drarp-request</var> - Dynamic RARP request to assign a temporary IP address for the given MAC address <br />
* <var>inarp-reply</var> - InverseARP Reply<br />
* <var>inarp-request</var> - InverseARP Request<br />
* <var>reply</var> - standard ARP reply with a MAC address <br />
* <var>reply-reverse</var> - reverse ARP (RARP) reply with an IP address assigned <br />
* <var>request</var> - standard ARP request to a known IP address to find out unknown MAC address <br />
* <var>request-reverse</var> - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-packet-type<br />
|type=integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=ARP Packet Type.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-address<br />
|type=IP address<br />
|default=<br />
|desc=ARP source IP address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=arp-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=ARP source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=chain<br />
|type=text<br />
|default=<br />
|desc=Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user-defined one).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-address<br />
|type=IP address<br />
|default=<br />
|desc=Destination IP address (only if MAC protocol is set to IP).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dst-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Destination port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-bridge<br />
|type=name<br />
|default=<br />
|desc=Bridge interface through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface<br />
|type=name<br />
|default=<br />
|desc=Physical interface (i.e., bridge port) through which the packet is coming in.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=in-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>in-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ingress-priority<br />
|type=integer 0..63<br />
|default=<br />
|desc=Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit. [[WMM | read more&#187;]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=ip-protocol<br />
|type=dccp {{!}} ddp {{!}} egp {{!}} encap {{!}} etherip {{!}} ggp {{!}} gre {{!}} hmp {{!}} icmp {{!}} icmpv6 {{!}} idpr-cmtp {{!}} igmp {{!}} ipencap {{!}} ipip {{!}} ipsec-ah {{!}} ipsec-esp {{!}} ipv6 {{!}} ipv6-frag {{!}} ipv6-nonxt {{!}} ipv6-opts {{!}} ipv6-route {{!}} iso-tp4 {{!}} l2tp {{!}} ospf {{!}} pim {{!}} pup {{!}} rdp {{!}} rspf {{!}} rsvp {{!}} sctp {{!}} st {{!}} tcp {{!}} udp {{!}} udp-lite {{!}} vmtp {{!}} vrrp {{!}} xns-idp {{!}} xtp<br />
|default=<br />
|desc=IP protocol (only if MAC protocol is set to IPv4)<br />
* <var>dccp</var> - Datagram Congestion Control Protocol<br />
* <var>ddp</var> - Datagram Delivery Protocol<br />
* <var>egp</var> - Exterior Gateway Protocol<br />
* <var>encap</var> - Encapsulation Header<br />
* <var>etherip</var> - Ethernet-within-IP Encapsulation<br />
* <var>ggp</var> - Gateway-to-Gateway Protocol<br />
* <var>gre</var> - Generic Routing Encapsulation<br />
* <var>hmp</var> - Host Monitoring Protocol<br />
* <var>icmp</var> - IPv4 Internet Control Message Protocol<br />
* <var>icmpv6</var> - IPv6 Internet Control Message Protocol<br />
* <var>idpr-cmtp</var> - Inter-Domain Policy Routing Control Message Transport Protocol <br />
* <var>igmp</var> - Internet Group Management Protocol<br />
* <var>ipencap</var> - IP in IP (encapsulation)<br />
* <var>ipip</var> - IP-within-IP Encapsulation Protocol<br />
* <var>ipsec-ah</var> - IPsec Authentication Header<br />
* <var>ipsec-esp</var> - IPsec Encapsulating Security Payload<br />
* <var>ipv6</var> - Internet Protocol version 6<br />
* <var>ipv6-frag</var> - Fragment Header for IPv6<br />
* <var>ipv6-nonxt</var> - No Next Header for IPv6<br />
* <var>ipv6-opts</var> - Destination Options for IPv6<br />
* <var>ipv6-route</var> - Routing Header for IPv6<br />
* <var>iso-tp4</var> - ISO Transport Protocol Class 4<br />
* <var>l2tp</var> - Layer Two Tunneling Protocol<br />
* <var>ospf</var> - Open Shortest Path First<br />
* <var>pim</var> - Protocol Independent Multicast<br />
* <var>pup</var> - PARC Universal Packet<br />
* <var>rdp</var> - Reliable Data Protocol<br />
* <var>rspf</var> - Radio Shortest Path First<br />
* <var>rsvp</var> - Reservation Protocol<br />
* <var>sctp</var> - Stream Control Transmission Protocol<br />
* <var>st</var> - Internet Stream Protocol<br />
* <var>tcp</var> - Transmission Control Protocol<br />
* <var>udp</var> - User Datagram Protocol<br />
* <var>udp-lite</var> - Lightweight User Datagram Protocol<br />
* <var>vmtp</var> - Versatile Message Transaction Protocol<br />
* <var>vrrp</var> - Virtual Router Redundancy Protocol<br />
* <var>xns-idp</var> - Xerox Network Systems Internet Datagram Protocol<br />
* <var>xtp</var> - Xpress Transport Protocol<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=jump-target<br />
|type=name<br />
|default=<br />
|desc=If <code>action=jump</code> specified, then specifies the user-defined firewall chain to process the packet.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit<br />
|type=integer/time,integer<br />
|default=<br />
|desc=Restricts packet match rate to a given limit.<br />
* <var>count</var> - maximum average packet rate, measured in packets per second (pps), unless followed by Time option <br />
* <var>time</var> - specifies the time interval over which the packet rate is measured <br />
* <var>burst</var> - number of packets to match in a burst<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=log-prefix<br />
|type=text<br />
|default=<br />
|desc=Defines the prefix to be printed before the logging information.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=mac-protocol<br />
|type=802.2 {{!}} arp {{!}} homeplug-av {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} lldp {{!}} loop-protect {{!}} mpls-multicast {{!}} mpls-unicast {{!}} packing-compr {{!}} packing-simple {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} service-vlan {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Ethernet payload type (MAC-level protocol). To match protocol type for VLAN encapsulated frames (0x8100 or 0x88a8), a <var>vlan-encap</var> property should be used.<br />
* <var>802.2</var> - 802.2 Frames (0x0004)<br />
* <var>arp</var> - Address Resolution Protocol (0x0806)<br />
* <var>homeplug-av</var> - HomePlug AV MME (0x88E1)<br />
* <var>ip</var> - Internet Protocol version 4 (0x0800)<br />
* <var>ipv6</var> - Internet Protocol Version 6 (0x86DD)<br />
* <var>ipx</var> - Internetwork Packet Exchange (0x8137)<br />
* <var>length</var> - Packets with length field (0x0000-0x05DC)<br />
* <var>lldp</var> - Link Layer Discovery Protocol (0x88CC)<br />
* <var>loop-protect</var> - Loop Protect Protocol (0x9003)<br />
* <var>mpls-multicast</var> - MPLS multicast (0x8848)<br />
* <var>mpls-unicast</var> - MPLS unicast (0x8847)<br />
* <var>packing-compr</var> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001)<br />
* <var>packing-simple</var> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000)<br />
* <var>pppoe</var> - PPPoE Session Stage (0x8864)<br />
* <var>pppoe-discovery</var> - PPPoE Discovery Stage (0x8863)<br />
* <var>rarp</var> - Reverse Address Resolution Protocol (0x8035)<br />
* <var>service-vlan</var> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8) <br />
* <var>vlan</var> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-bridge<br />
|type=name<br />
|default=<br />
|desc=Outgoing bridge interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface<br />
|type=name<br />
|default=<br />
|desc=Interface that the packet is leaving the bridge through.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=out-interface-list<br />
|type=name<br />
|default=<br />
|desc=Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <code>out-interface</code>.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-mark<br />
|type=name<br />
|default=<br />
|desc=Match packets with certain packet mark.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=packet-type<br />
|type=broadcast {{!}} host {{!}} multicast {{!}} other-host<br />
|default=<br />
|desc=MAC frame type:<br />
* <var>broadcast</var> - broadcast MAC packet <br />
* <var>host</var> - packet is destined to the bridge itself <br />
* <var>multicast</var> - multicast MAC packet <br />
* <var>other-host</var> - packet is destined to some other unicast address, not to the bridge itself<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-address<br />
|type=IP address<br />
|default=<br />
|desc=Source IP address (only if MAC protocol is set to IPv4).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=src-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Source port number or range (only for TCP or UDP protocols).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-flags<br />
|type=topology-change {{!}} topology-change-ack<br />
|default=<br />
|desc=The BPDU (Bridge Protocol Data Unit) flags. Bridges periodically exchange configuration messages named BPDUs to prevent loops<br />
* <var>topology-change</var> - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology <br />
* <var>topology-change-ack</var> - topology change acknowledgement flag is sent in replies to the notification packets <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-forward-delay<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Forward delay timer.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-hello-time<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP hello packets time.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-max-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Maximal STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-msg-age<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP message age.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-port<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP port identifier.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-address<br />
|type=MAC address<br />
|default=<br />
|desc=Root bridge MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-cost<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge cost.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-root-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=Root bridge priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-address<br />
|type=MAC address<br />
|default=<br />
|desc=STP message sender MAC address.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-sender-priority<br />
|type=integer 0..65535<br />
|default=<br />
|desc=STP sender priority.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=stp-type<br />
|type=config {{!}} tcn<br />
|default=<br />
|desc=The BPDU type:<br />
* <var>config</var> - configuration BPDU <br />
* <var>tcn</var> - topology change notification<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=tls-host<br />
|type=string<br />
|default=<br />
|desc=Allows matching HTTPS traffic based on the TLS SNI hostname. Accepts [https://en.wikipedia.org/wiki/Glob_(programming) GLOB syntax] for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-encap<br />
|type=802.2 {{!}} arp {{!}} ip {{!}} ipv6 {{!}} ipx {{!}} length {{!}} mpls-multicast {{!}} mpls-unicast {{!}} pppoe {{!}} pppoe-discovery {{!}} rarp {{!}} vlan {{!}} integer 0..65535 {{!}} hex 0x0000-0xffff<br />
|default=<br />
|desc=Matches the MAC protocol type encapsulated in the VLAN frame.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=vlan-id<br />
|type=integer 0..4095<br />
|default=<br />
|desc=Matches the VLAN identifier field.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=vlan-priority<br />
|type=integer 0..7<br />
|default=<br />
|desc=Matches the VLAN priority<br />
}}<br />
<br />
<br />
<h3>Notes</h3><br />
<br />
*STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also <code>stp</code> should be enabled.<br />
<br />
*ARP matchers are only valid if <var>mac-protocol</var> is <code>arp</code> or <code>rarp</code><br />
<br />
*VLAN matchers are only valid for <code>0x8100</code> or <code>0x88a8</code> ethernet protocols<br />
<br />
*IP or IPv6 related matchers are only valid if <var>mac-protocol</var> is either set to <code>ip</code> or <code>ipv6</code><br />
<br />
*802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards ('''note''': it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.<br />
<br />
==Bridge Packet Filter==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter</code></p><br />
<br /><br />
<p>This section describes the bridge packet filter options that are specific to <code>'/interface bridge filter'</code>.</p><br />
<br />
<h3>Properties</h3><br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} log {{!}} mark-packet {{!}} passthrough {{!}} return {{!}} set-priority<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule: <br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - add a message to the system log containing the following data: in-interface, out-interface, src-mac, dst-mac, eth-proto, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched, it is passed to the next rule in the list, similar to passthrough<br />
* <var>mark-packet</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
}}<br />
<br />
==Bridge NAT==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge nat</code></p><br />
<br /><br />
<p>This section describes the bridge NAT options that are specific to <code>'/interface bridge nat'</code>.</p><br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=action<br />
|type=accept {{!}} drop {{!}} jump {{!}} mark-packet {{!}} redirect {{!}} set-priority {{!}} arp-reply {{!}} dst-nat {{!}} log {{!}} passthrough {{!}} return {{!}} src-nat<br />
|default=accept<br />
|desc=Action to take if packet is matched by the rule:<br />
* <var>accept</var> - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain <br />
* <var>arp-reply</var> - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain) <br />
* <var>drop</var> - silently drop the packet (without sending the ICMP reject message) <br />
* <var>dst-nat</var> - change destination MAC address of a packet (only valid in dstnat chain) <br />
* <var>jump</var> - jump to the chain specified by the value of the jump-target argument <br />
* <var>log</var> - log the packet <br />
* <var>mark-packet</var> - mark the packet to use the mark later <br />
* <var>passthrough</var> - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets <br />
* <var>redirect</var> - redirect the packet to the bridge itself (only valid in dstnat chain) <br />
* <var>return</var> - return to the previous chain, from where the jump took place<br />
* <var>set-priority</var> - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]]<br />
* <var>src-nat</var> - change source MAC address of a packet (only valid in srcnat chain) <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-arp-reply-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frame and ARP payload, when <code>action=arp-reply</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=to-dst-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Destination MAC address to put in Ethernet frames, when <code>action=dst-nat</code> is selected<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=to-src-mac-address<br />
|type=MAC address<br />
|default=<br />
|desc=Source MAC address to put in Ethernet frames, when <code>action=src-nat</code> is selected<br />
}}<br />
<br />
=See also=<br />
<br />
* [[Manual:CRS1xx/2xx_series_switches | CRS1xx/2xx series switches]]<br />
* [[Manual:CRS3xx_series_switches | CRS3xx series switches]]<br />
* [[Manual:Switch_Chip_Features | Switch chip features]]<br />
* [[M:Maximum_Transmission_Unit_on_RouterBoards | MTU on RouterBOARD]]<br />
* [[Manual:Layer2_misconfiguration | Layer2 misconfiguration]]<br />
* [[Manual:Bridge_VLAN_Table | Bridge VLAN Table]]<br />
* [[Manual:Wireless VLAN Trunk | Wireless VLAN Trunk]]<br />
* [[Manual:VLANs_on_Wireless | VLANs on Wireless]]<br />
<br />
{{Cont}}<br />
<br />
[[Category:Manual|B]]<br />
[[Category:Interface|B]]<br />
[[Category:Bridging and switching]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:PPP_AAA&diff=34132Manual:PPP AAA2020-07-29T06:58:10Z<p>Guntis: </p>
<hr />
<div>{{Versions|2.9, v3, v4, v5}}<br />
<br />
==Summary==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ppp</code></p><br />
<br />
<br />
The MikroTik RouterOS provides scalable Authentication, Authorization and Accounting (AAA) functionality.<br />
<br />
Local authentication is performed using the User Database and the Profile Database. The actual configuration for a given user is composed from the respective user record in the User Database, the associated item in the Profile Database, and the item in the Profile Database that is set as default for the service the user is authenticating to. Default profile settings from the Profile Database have the lowest priority, while the user access record settings from the User Database have the highest priority. The only exception is that particular IP addresses take precedence over IP pools in the local-address and remote-address settings, which is described later on.<br />
<br />
Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a [[M:RADIUS_Client | RADIUS client]] which can authenticate for PPP, [[M:Interface/PPPoE | PPPoE]], [[M:Interface/PPTP | PPTP]], [[M:Interface/L2TP | L2TP]] and ISDN connections. The attributes received from RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.<br />
<br />
<br />
<br />
==User Profiles==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ppp profile</code></p><br />
<br />
PPP profiles are used to define default values for user access records stored under <code>/ppp secret</code> submenu. Settings in <code>/ppp secret</code> User Database override corresponding <code>/ppp profile</code> settings except that single IP addresses always take precedence over IP pools when specified as local-address or remote-address parameters.<br />
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=address-list<br />
|type=string<br />
|default=<br />
|desc=[[M:IP/Firewall/Address_list | Address list]] name to which ppp assigned address will be added.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=bridge<br />
|type=string<br />
|default=<br />
|desc=Name of the [[M:Interface/Bridge | bridge]] interface to which the ppp interface will be added as a slave port. Both tunnel endpoints (server and client) must be in a bridge in order to make this work.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=change-tcp-mss<br />
|type=yes {{!}} no {{!}} default<br />
|default=default<br />
|desc=Modifies connection MSS settings (applies only for IPv4):<br />
* <var>yes</var> - adjust connection MSS value <br />
* <var>no</var> - do not adjust connection MSS value <br />
* <var>default</var> - derive this value from the interface default profile; same as no if this is the interface default profile <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=dhcpv6-pd-pool<br />
|type=string<br />
|default=<br />
|desc=Name of the [[M:IPv6/Pool | IPv6 pool]] which will be used by dynamically created [[Manual:IPv6/DHCP_Server | DHCPv6-PD server]] when client connects. [[Manual:IPv6_PD_over_PPP | <code>Read more >></code>]]<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=dns-server<br />
|type=IP<br />
|default=<br />
|desc=IP address of the DNS server that is supplied to ppp clients<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=idle-timeout<br />
|type=time<br />
|default=<br />
|desc=Specifies the amount of time after which the link will be terminated if there is no activity. Timeout is not set by default<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=incoming-filter<br />
|type=string<br />
|default=<br />
|desc=Firewall chain name for incoming packets. Specified chain gets control for each packet coming from the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the [[#Examples | examples]] section<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=local-address<br />
|type=IP address {{!}} pool<br />
|default=<br />
|desc=Tunnel address or name of the [[M:IP/Pools | pool]] from which address is assigned to ppp interface locally.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=PPP profile name<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=only-one<br />
|type=yes {{!}} no {{!}} default<br />
|default=default<br />
|desc=Defines whether a user is allowed to have more than one ppp session at a time<br />
* <var>yes</var> - a user is not allowed to have more than one ppp session at a time <br />
* <var>no</var> - the user is allowed to have more than one ppp session at a time <br />
* <var>default</var> - derive this value from the interface default profile; same as no if this is the interface default profile <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=outgoing-filter<br />
|type=string<br />
|default=<br />
|desc=Firewall chain name for outgoing packets. Specified chain gets control for each packet going to the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the Examples section.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=rate-limit<br />
|type=string<br />
|default=<br />
|desc=Rate limitation in form of '''rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]''' from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates are measured in bits per second, unless followed by optional 'k' suffix (kilobits per second) or 'M' suffix (megabits per second). If tx-rate is not specified, rx-rate serves as tx-rate too. The same applies for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 implies the highest priority, but 8 - the lowest. If rx-rate-min and tx-rate-min are not specified rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values can not exceed rx-rate and tx-rate values.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-address<br />
|type=IP<br />
|default=<br />
|desc=Tunnel address or name of the [[M:IP/Pools | pool]] from which address is assigned to remote ppp interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-ipv6-prefix-pool<br />
|type=string {{!}} none<br />
|default=none<br />
|desc=Assign prefix from IPv6 pool to the client and install corresponding IPv6 route.<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=session-timeout<br />
|type=time<br />
|default=<br />
|desc=Maximum time the connection can stay up. By default no time limit is set.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-compression<br />
|type=yes {{!}} no {{!}} default<br />
|default=default<br />
|desc=Specifies whether to use data compression or not.<br />
* <var>yes</var> - enable data compression <br />
* <var>no</var> - disable data compression<br />
* <var>default</var> - derive this value from the interface default profile; same as no if this is the interface default profile <br />
<br />
This setting does not affect OVPN tunnels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-encryption<br />
|type=yes {{!}} no {{!}} default {{!}} require<br />
|default=default<br />
|desc=Specifies whether to use data encryption or not.<br />
* <var>yes</var> - enable data encryption <br />
* <var>no</var> - disable data encryption<br />
* <var>default</var> - derive this value from the interface default profile; same as no if this is the interface default profile <br />
* <var>require</var> - explicitly requires encryption<br />
<br />
This setting does not work on OVPN and SSTP tunnels.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-ipv6<br />
|type=yes {{!}} no {{!}} default {{!}} require<br />
|default=default<br />
|desc=Specifies whether to allow IPv6. Enabled by default if the IPv6 package is installed.<br />
* <var>yes</var> - enable IPv6 support<br />
* <var>no</var> - disable IPv6 support<br />
* <var>default</var> - derive this value from the interface default profile; same as <b>no</b> if this is the interface default profile <br />
* <var>require</var> - explicitly requires IPv6 support<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-mpls<br />
|type=yes {{!}} no {{!}} default {{!}} require<br />
|default=default<br />
|desc=Specifies whether to allow MPLS over PPP.<br />
* <var>yes</var> - enable MPLS support<br />
* <var>no</var> - disable MPLS support<br />
* <var>default</var> - derive this value from the interface default profile; same as <b>no</b> if this is the interface default profile <br />
* <var>require</var> - explicitly requires MPLS support<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=use-vj-compression<br />
|type=yes {{!}} no {{!}} default <br />
|default=default<br />
|desc=Specifies whether to use Van Jacobson header compression algorithm.<br />
* <var>yes</var> - enable Van Jacobson header compression<br />
* <var>no</var> - disable Van Jacobson header compression <br />
* <var>default</var> - derive this value from the interface default profile; same as no if this is the interface default profile <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-up<br />
|type=script<br />
|default=<br />
|desc=Execute script on user login-event. These are available variables that are accessible for the event script:<br />
* <var>user</var><br />
* <var>local-address</var><br />
* <var>remote-address</var><br />
* <var>caller-id</var><br />
* <var>called-id</var><br />
* <var>interface</var><br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=on-down<br />
|type=script<br />
|default=<br />
|desc=Execute script on user logging off. See <var>on-up</var> for more details<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=wins-server<br />
|type=IP address<br />
|default=<br />
|desc=IP address of the WINS server to supply to Windows clients<br />
}}<br />
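
The defaulting rules of the <var>rate-limit</var> string described above, as an added Python example that is not RouterOS code and not part of the original manual. It assumes that 'k' and 'M' are decimal multipliers and that burst times are written as whole seconds with an optional 's'. The key names in the returned dictionary are chosen here for illustration.

```python
import re

# Assumption: 'k' and 'M' are decimal multipliers (1 000 and 1 000 000).
UNITS = {"": 1, "k": 1_000, "M": 1_000_000}


def parse_rate(token):
    """Convert '9600', '64k' or '2M' to bits per second."""
    m = re.fullmatch(r"(\d+)([kM]?)", token)
    if m is None:
        raise ValueError(f"invalid rate: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_seconds(token):
    """Convert a burst time such as '10' or '10s' to seconds (assumed notation)."""
    m = re.fullmatch(r"(\d+)s?", token)
    if m is None:
        raise ValueError(f"invalid time: {token!r}")
    return int(m.group(1))


def rx_tx(token, convert):
    """Split 'rx[/tx]'; when the tx half is missing, the rx value serves as tx too."""
    rx, _, tx = token.partition("/")
    rx_value = convert(rx)
    return (rx_value, convert(tx) if tx else rx_value)


def parse_rate_limit(value):
    """Expand a rate-limit string into (rx, tx) pairs, applying the documented defaults."""
    fields = value.split()
    if not 1 <= len(fields) <= 6:
        raise ValueError("expected 1 to 6 space-separated fields")
    rate = rx_tx(fields[0], parse_rate)
    result = {
        "rate": rate,
        "burst_rate": None,
        "burst_threshold": None,
        "burst_time": None,
        "priority": None,          # the page states no default, so it stays unset
        "rate_min": rate,          # defaults to rx-rate/tx-rate
    }
    if len(fields) >= 2:
        result["burst_rate"] = rx_tx(fields[1], parse_rate)
        # Thresholds default to the plain rates, burst time defaults to 1s.
        result["burst_threshold"] = (
            rx_tx(fields[2], parse_rate) if len(fields) >= 3 else rate
        )
        result["burst_time"] = (
            rx_tx(fields[3], parse_seconds) if len(fields) >= 4 else (1, 1)
        )
    if len(fields) >= 5:
        priority = int(fields[4])
        if not 1 <= priority <= 8:
            raise ValueError("priority must be in 1..8")
        result["priority"] = priority
    if len(fields) == 6:
        result["rate_min"] = rx_tx(fields[5], parse_rate)
    if any(low > high for low, high in zip(result["rate_min"], rate)):
        raise ValueError("rate-min cannot exceed rate")
    return result


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("1M", "512k 1M", "64k/128k 256k/512k 128k/256k 10/20 8 32k/64k"):
        print(sample, "->", parse_rate_limit(sample))
```

Remember that the values are from the router's point of view, so the first element of each pair (rx) is client upload and the second (tx) is client download.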
<br />
===Notes===<br />
<br />
There are two default profiles that cannot be removed:<br />
<pre><br />
[admin@rb13] ppp profile> print<br />
Flags: * - default<br />
0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no<br />
change-tcp-mss=yes<br />
1 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes<br />
only-one=default change-tcp-mss=default<br />
[admin@rb13] ppp profile><br />
</pre><br />
Use Van Jacobson compression only if you have to because it may slow down the communications on bad or congested channels.<br />
<br />
incoming-filter and outgoing-filter arguments add dynamic jump rules to chain ppp, where the jump-target argument will be equal to incoming-filter or outgoing-filter argument in /ppp profile. Therefore, chain ppp should be manually added before changing these arguments.<br />
<br />
<var>only-one</var> parameter is ignored if RADIUS authentication is used.<br />
<br />
If there are more than 10 simultaneous PPP connections planned, it is recommended to turn the <var>change-tcp-mss</var> property off, and use one general MSS changing rule in mangle table instead, to reduce CPU utilization.<br />
<br />
==User Database==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ppp secret</code></p><br />
<br />
<br />
PPP User Database stores PPP user access records with PPP user profile assigned to each user.<br />
<br />
<br />
===Properties===<br />
<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=caller-id<br />
|type=string<br />
|default=<br />
|desc=For [[M:Interface/PPTP | PPTP]] and [[M:Interface/L2TP | L2TP]] it is the IP address a client must connect from. For [[PPPoE]] it is the MAC address (written in CAPITAL letters) a client must connect from. For ISDN it is the caller's number (that may or may not be provided by the operator) the client may dial-in from<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Short description of the user.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Whether secret will be used.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit-bytes-in<br />
|type=integer<br />
|default=0<br />
|desc=Maximal amount of bytes for a session that client can upload.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=limit-bytes-out<br />
|type=integer<br />
|default=0<br />
|desc=Maximal amount of bytes for a session that client can download.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=local-address<br />
|type=IP address<br />
|default=<br />
|desc=IP address that will be set locally on ppp interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=name<br />
|type=string<br />
|default=<br />
|desc=Name used for authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=password<br />
|type=string<br />
|default=<br />
|desc=Password used for authentication<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=profile<br />
|type=string<br />
|default=default<br />
|desc=Which [[#User profiles | user profile]] to use.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-address<br />
|type=IP<br />
|default=<br />
|desc=IP address that will be assigned to remote ppp interface.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=remote-ipv6-prefix<br />
|type=IPv6 prefix<br />
|default=<br />
|desc=IPv6 prefix assigned to ppp client. Prefix is added to [[M:IPv6/ND | ND prefix list]] enabling [[Manual:IPv6/ND#Stateless_address_autoconfiguration | stateless]] address auto-configuration on ppp interface. Available starting from v5.0.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=routes<br />
|type=string<br />
|default=<br />
|desc=Routes that appear on the server when the client is connected. The route format is: dst-address gateway metric (for example, 10.1.0.0/24 10.0.0.1 1). Other syntax is not acceptable since it may be represented incorrectly. Several routes may be specified, separated with commas. This parameter will be ignored for [[OpenVPN]].<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=service<br />
|type=any {{!}} async {{!}} isdn {{!}} l2tp {{!}} pppoe {{!}} pptp {{!}} ovpn {{!}} sstp<br />
|default=any<br />
|desc=Specifies the services that particular user will be able to use.<br />
}}<br />
<br />
==Active Users==<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ppp active</code></p><br />
<br />
This submenu allows monitoring of active (connected) users.<br />
<br />
<code>/ppp active print</code> command will show all currently connected users. <br />
<br />
<code>/ppp active print stats</code> command will show received/sent bytes and packets<br />
<br />
<br />
<br />
===Properties===<br />
<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=address<br />
|type=IP address<br />
|desc=IP address the client got from the server<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=bytes<br />
|type=integer<br />
|desc=Amount of bytes transferred through this connection. First figure represents amount of transmitted traffic from the router's point of view, while the second one shows amount of received traffic.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=caller-id<br />
|type=string<br />
|desc=For [[M:Interface/PPTP | PPTP]] and [[M:Interface/L2TP | L2TP]] it is the IP address the client connected from. For [[M:Interface/PPPoE | PPPoE]] it is the MAC address the client connected from.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=encoding<br />
|type=string<br />
|desc=Shows encryption and encoding (separated with '/' if asymmetric) being used in this connection<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=limit-bytes-in<br />
|type=integer<br />
|desc=Maximal amount of bytes the user is allowed to send to the router.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=limit-bytes-out<br />
|type=integer<br />
|desc=Maximal amount of bytes the user is allowed to send to the client.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=name<br />
|type=string<br />
|desc=User name supplied at authentication stage<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=packets<br />
|type=integer/integer<br />
|desc=Amount of packets transferred through this connection. First figure represents amount of transmitted traffic from the router's point of view, while the second one shows amount of received traffic<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=service<br />
|type=async {{!}} isdn {{!}} l2tp {{!}} pppoe {{!}} pptp {{!}} ovpn {{!}} sstp<br />
|desc=Type of service the user is using.<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=session-id<br />
|type=string<br />
|desc=Shows unique client identifier.<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=uptime<br />
|type=time<br />
|desc=User's uptime<br />
}}<br />
<br />
==Remote AAA==<br />
<p><b>Sub-menu:</b> <code>/ppp aaa</code></p><br />
<br />
Settings in this submenu configure RADIUS accounting and authentication.<br />
Note that the RADIUS user database is consulted only if the required username is not found in the local user database.<br />
<br />
<br />
<br />
===Properties===<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=accounting<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Enable RADIUS accounting<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interim-update<br />
|type=time<br />
|default=0s<br />
|desc=Interim-Update time interval<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=use-radius<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Enable user authentication via RADIUS. If entry in local secret database is not found, then client will be authenticated via RADIUS.<br />
}}<br />
<br />
==Examples==<br />
<br />
===Add new profile===<br />
<br />
To add the profile ex that assigns the router itself the 10.0.0.1 address, and the addresses from the ex pool to the clients, filtering traffic coming from clients through mypppclients chain:<br />
<pre><br />
[admin@rb13] ppp profile> add name=ex local-address=10.0.0.1 remote-address=ex incoming-filter=mypppclients<br />
[admin@rb13] ppp profile> print<br />
Flags: * - default<br />
0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no<br />
change-tcp-mss=yes<br />
1 name="ex" local-address=10.0.0.1 remote-address=ex use-compression=default<br />
use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=default<br />
incoming-filter=mypppclients<br />
2 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes<br />
only-one=default change-tcp-mss=default<br />
[admin@rb13] ppp profile><br />
</pre><br />
<br />
===Add new user===<br />
<br />
To add the user ex with password lkjrht and profile ex available for PPTP service only, enter the following command:<br />
<pre><br />
[admin@rb13] ppp secret> add name=ex password=lkjrht service=pptp profile=ex<br />
[admin@rb13] ppp secret> print<br />
Flags: X - disabled<br />
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS<br />
0 ex pptp lkjrht ex 0.0.0.0<br />
[admin@rb13] ppp secret><br />
</pre><br />
<br />
<br />
<br />
[[Category:Manual|PPP AAA]]<br />
[[Category:AAA|PPP AAA]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Etherboot&diff=34113Manual:Etherboot2020-07-08T09:41:55Z<p>Guntis: /* Reset button */</p>
<hr />
<div>__TOC__<br />
<br />
=Introduction=<br />
<br />
Etherboot mode is a special state for a MikroTik device that allows you to reinstall your device using [[Manual:Netinstall | Netinstall]]. There are several ways to put your device into Etherboot mode, depending on the device you are using.<br />
<br />
=Reset button=<br />
<br />
The '''Reset''' button can be found on all MikroTik devices and can be used to put the device into Etherboot mode. You can read about all possible modes that the '''Reset''' button can put your device into on the [[Manual:Reset_button | Reset button]] manual page. An easy way to put a device into Etherboot mode using the '''Reset''' button is to power off the device, hold the '''Reset''' button, power on the device while holding the '''Reset''' button, and keep holding it until the device shows up in your '''Netinstall''' window.<br />
<br />
{{ Note | Some devices (for example, RB1100 series) don't have the reset button easily accessible; on these devices the reset button is located inside the device's enclosure and requires you to remove the device's cover. }}<br />
<br />
[[File:262 hi res.png]]<br />
<br /><br />
<br />
{{ Warning | If you have set up [[Manual:RouterBOARD_settings#Protected_bootloader | Protected bootloader]], then the reset button's behaviour is changed. Make sure you remember the settings you used to set up the Protected bootloader, otherwise you will not be able to use Etherboot mode and will not be able to reset your device. }}<br />
<br />
=RouterOS=<br />
<br />
If your device is able to boot up and you are able to login, then you can easily put the device into Etherboot mode. To do so, just connect to your device and execute the following command:<br />
<pre><br />
/system routerboard settings set boot-device=try-ethernet-once-then-nand<br />
</pre><br />
After that, either reboot the device or power cycle it. The next time the device boots up, it will first try to go into Etherboot mode. Note that after that first boot, the device will no longer try to go into Etherboot mode and will boot directly off NAND or whichever storage type the device is using.<br />
<br />
=Serial console=<br />
<br />
Some devices come with a serial console that can be used to put the device into Etherboot mode. To do so, make sure you configure your computer's serial console. The required parameters for all MikroTik devices (except for RouterBOARD 230 series) are as follows:<br />
<pre><br />
115200bit/s, 8 data bits, 1 stop bit, no parity, flow control=none by default.<br />
</pre><br />
<br />
For RouterBOARD 230 series devices the parameters are as follows:<br />
<pre><br />
9600bit/s, 8 data bits, 1 stop bit, no parity, hardware (RTS/CTS) flow control by default.<br />
</pre><br />
<br />
Make sure you are using a proper null modem cable; you can find the proper pinout [[Manual:System/Serial_Console#Serial_Console_Configuration | here]]. When the device is booting up, keep pressing '''CTRL+E''' on your keyboard until the device shows that it is '''trying bootp protocol''':<br />
<pre><br />
RouterBOOT booter 6.42.3<br />
<br />
CRS125-24G-1S<br />
<br />
CPU frequency: 600 MHz<br />
Memory speed: 175 MHz<br />
Memory size: 128 MiB<br />
NAND size: 128 MiB<br />
<br />
Press any key within 2 seconds to enter setup<br />
Ethernet link absent...<br />
trying bootp protocol.....................<br />
</pre><br />
At this point your device is in Etherboot mode and should show up in your Netinstall window.<br />
<br />
=Jumper pin/hole reset=<br />
<br />
Some devices have a special jumper pin/hole reset function. You can read more about [[Manual:Reset#Jumper_hole_reset | Jumper hole]] and [[Manual:Reset#Jumper_reset_for_older_models | Jumper pin]], though not all devices have such a feature.<br />
<br />
[[Category:Manual]]<br />
[[Category:Basic]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:Tools/Graphing&diff=34110Manual:Tools/Graphing2020-07-03T10:10:33Z<p>Guntis: </p>
<hr />
<div>{{Versions|v3, v4, v5 +}}<br />
<br />
__TOC__<br />
<br />
==Summary==<br />
<br />
Graphing is a tool to monitor various RouterOS parameters over time and put collected data in nice graphs.<br />
<br />
<br />
The Graphing tool can display graphics for:<br />
* Resource usage (CPU, Memory and Disk usage)<br />
* Traffic which is passed through interfaces<br />
* Traffic which is passed through simple queues<br />
<br />
Graphing consists of two parts: the first part collects information and the other part displays the data in a Web page. To access the graphics, type '''http://[Router_IP_address]/graphs/''' and choose a graphic to display in your Web browser.<br />
<br />
Example of memory graphs:<br />
[[file: graphing-mem.png | 650px]]<br />
<br />
==General==<br />
<p id="shbox"><b>Sub-menu</b> <code>/tool graphing</code></p><br />
<br />
<br />
Common graphing configuration can be set in this submenu.<br />
<br />
<br />
'''Properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=store-every<br />
|type=24hours {{!}} 5min {{!}} hour<br />
|default=5min<br />
|desc=How often to write collected data to the system drive.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=page-refresh<br />
|type=integer {{!}} never<br />
|default=300<br />
|desc=How often the graph page is refreshed<br />
}}<br />
<br />
<br />
==Interface graphing==<br />
<p id="shbox"><b>Sub-menu</b> <code>/tool graphing interface</code></p><br />
<br />
<br />
This sub-menu configures the interfaces on which graphing will collect bandwidth usage data.<br />
<br />
<br />
'''Properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-address<br />
|type=IP/IPv6 prefix<br />
|default=0.0.0.0/0<br />
|desc=IP address range from which access to graphing information is allowed<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Description of current entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Defines whether item is used<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=interface<br />
|type=all {{!}} interface name<br />
|default=all<br />
|desc=Defines which interface will be monitored. '''all''' means that all interfaces on router will be monitored.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=store-on-disk<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Defines whether to store collected information on system drive.<br />
}}<br />
<br />
<br />
==Queue graphing==<br />
<p id="shbox"><b>Sub-menu</b> <code>/tool graphing queue</code></p><br />
<br />
<br />
This sub-menu configures the simple queues for which graphing collects bandwidth usage data.<br />
<br />
<br />
'''Properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-address<br />
|type=IP/IPv6 prefix<br />
|default=0.0.0.0/0<br />
|desc=IP address range from which access to graphing information is allowed<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-target<br />
|type=yes {{!}} no<br />
|default=yes <br />
|desc=Whether to allow access to graphs from queue's target-address <br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Description of current entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Defines whether item is used<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=simple-queue<br />
|type=all {{!}} queue name<br />
|default=all<br />
|desc=Defines which queues will be monitored. '''all''' means that all queues on router will be monitored.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=store-on-disk<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Defines whether to store collected information on system drive.<br />
}}<br />
<br />
<br />
<br />
{{Note | If a simple queue has target-address set to 0.0.0.0/0, everyone will be able to access the queue graphs even if allow-address is set to a specific address. This happens because, by default (''allow-target=yes''), queue graphs are also accessible from the target address.}}<br />
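<br />
The access rule described in the note, as an added example that is not part of the original manual or of RouterOS itself: a small Python model plus an audit over queue graphing entries. The dictionary layout, the function names and the sample entries are assumptions constructed for illustration.<br />

```python
import ipaddress

def can_view_queue_graph(src, allow_address, target_address, allow_target=True):
    """Model of the rule in the note above: a client may view a queue graph
    when it is inside allow-address, or when allow-target=yes and it is
    inside the queue's target-address."""
    ip = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(allow_address, strict=False)]
    if allow_target:
        nets += [ipaddress.ip_network(t, strict=False) for t in target_address]
    return any(ip.version == n.version and ip in n for n in nets)

def audit(entries):
    """Return names of queue graphing entries whose allow-address restriction
    is bypassed because the queue targets a zero-length prefix (everyone)."""
    findings = []
    for e in entries:
        allow = ipaddress.ip_network(e["allow-address"], strict=False)
        if allow.prefixlen == 0 or not e["allow-target"]:
            continue  # nothing to bypass, or target access already disabled
        if any(ipaddress.ip_network(t, strict=False).prefixlen == 0
               for t in e["target-address"]):
            findings.append(e["simple-queue"])
    return findings

# Constructed sample entries (not taken from a real router).
SAMPLE = [
    {"simple-queue": "office", "allow-address": "192.168.88.10/32",
     "target-address": ["0.0.0.0/0"], "allow-target": True},
    {"simple-queue": "office-locked", "allow-address": "192.168.88.10/32",
     "target-address": ["0.0.0.0/0"], "allow-target": False},
    {"simple-queue": "lab", "allow-address": "192.168.88.10/32",
     "target-address": ["10.10.0.0/24"], "allow-target": True},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(can_view_queue_graph("203.0.113.7", "192.168.88.10/32", ["0.0.0.0/0"]))
```

Only the first sample entry is reported: its single-host allow-address has no effect while the queue target covers every address and allow-target is left at its default.<br />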
<br />
==Resource graphing==<br />
<p id="shbox"><b>Sub-menu</b> <code>/tool graphing resource</code></p><br />
<br />
<br />
This sub-menu enables graphing of system resources. Graphing collects data on:<br />
* CPU usage<br />
* Memory usage<br />
* Disk usage<br />
<br />
<br />
<br />
'''Properties'''<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-address<br />
|type=IP/IPv6 prefix<br />
|default=0.0.0.0/0<br />
|desc=IP address range from which access to graphing information is allowed<br />
}}<br />
<br />
<br />
{{Mr-arg-table<br />
|arg=comment<br />
|type=string<br />
|default=<br />
|desc=Description of current entry<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=disabled<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Defines whether item is used<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=store-on-disk<br />
|type=yes {{!}} no<br />
|default=yes<br />
|desc=Defines whether to store collected information on system drive.<br />
}}<br />
<br />
<br />
==Graphing graphics in WinBox==<br />
<br />
WinBox lets you view the same collected information as the web page.<br />
Open the '''Tools->Graphing''' window and double-click the entry whose graphs you want to see. <br />
<br />
The image below shows WinBox graphs of memory usage:<br />
[[file: graphing-mem-winbox.png | center]]<br />
<br />
<br />
{{cont}}<br />
<br />
<br />
[[Category:Manual|G]]<br />
[[Category:Tools|G]]</div>Guntishttps://wiki.mikrotik.com/index.php?title=Manual:IP/DNS&diff=34108Manual:IP/DNS2020-07-01T07:02:01Z<p>Guntis: </p>
<hr />
<div>{{Versions|v4.6}}<br />
<br />
DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time. This is a simple DNS cache with local items.<br />
<br />
==Specifications==<br />
<br />
*Packages required: system<br />
*License required: Level1<br />
*Submenu level: /ip dns<br />
*Standards and Technologies: DNS<br />
*Hardware usage: Not significant<br />
<br />
==Description==<br />
<br />
A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-compliant client. Moreover, MikroTik router can be specified as a primary DNS server under its dhcp-server settings. When the remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53.<br />
<br />
==DNS Cache Setup==<br />
<br />
<p id="shbox"><b>Sub-menu:</b> <code>/ip dns</code></p><br />
<br />
DNS facility is used to provide domain name resolution for router itself as well as for the clients connected to it.<br />
<br />
====Properties====<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=allow-remote-requests<br />
|type=yes {{!}} no<br />
|default=no<br />
|desc=Specifies whether to allow network requests<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=cache-max-ttl<br />
|type=time<br />
|default=1w<br />
|desc=Maximum time-to-live for cache records. In other words, cache records will expire unconditionally after cache-max-ttl time. Shorter TTL received from DNS servers are respected.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=cache-size<br />
|type=integer[64..4294967295]<br />
|default=2048<br />
|desc=Specifies the size of DNS cache in KiB<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-concurrent-queries<br />
|type=integer<br />
|default=100<br />
|desc=Specifies how many concurrent queries are allowed<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-concurrent-tcp-sessions<br />
|type=integer<br />
|default=20<br />
|desc=Specifies how many concurrent TCP sessions are allowed<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=max-udp-packet-size<br />
|type=integer [50..65507]<br />
|default=4096<br />
|desc=Maximum size of allowed UDP packet.<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-server-timeout<br />
|type=time<br />
|default=2s<br />
|desc=Specifies how long to wait for query response from one server<br />
}}<br />
<br />
{{Mr-arg-table<br />
|arg=query-total-timeout<br />
|type=time<br />
|default=10s<br />
|desc=Specifies how long to wait for a query response in total. Note that this setting must be configured taking into account <var>query-server-timeout</var> and the number of DNS servers used.<br />
}}<br />
<br />
{{Mr-arg-table-end<br />
|arg=servers<br />
|type=list of IPv4/IPv6 addresses<br />
|default=<br />
|desc=List of DNS server IPv4/IPv6 addresses <br />
}}<br />
<br />
Read-only Properties<br />
<br />
{{Mr-arg-table-h<br />
|prop=Property<br />
|desc=Description<br />
}}<br />
<br />
{{Mr-arg-ro-table<br />
|arg=cache-used<br />
|type=integer<br />
|desc=Shows the currently used cache size in KiB<br />
}}<br />
<br />
{{Mr-arg-ro-table-end<br />
|arg=dynamic-server<br />
|type=IPv4/IPv6 list<br />
|desc=List of dynamically added DNS servers from different services, for example, DHCP.<br />
}}<br />
<br />
<br />
<br><br />
<br />
When both static and dynamic servers are set, static server entries are preferred; however, this does not mean that a static server will always be used (for example, if a response was previously received from a dynamic server and a static server was added later, the dynamic entry will be preferred).<br />
<br />
{{Note| If '''''allow-remote-requests''''' is used, make sure that you limit access to your server over the TCP and UDP protocols (port 53).}}<br />
<br />
====Example====<br />
<br />
To set 159.148.60.2 as the primary DNS server and allow the router to be used as a DNS server, do the following:<br />
<pre><br />
[admin@MikroTik] ip dns> set servers=159.148.60.2 \<br />
\... allow-remote-requests=yes<br />
[admin@MikroTik] ip dns> print<br />
servers: 159.148.60.2<br />
allow-remote-requests: yes<br />
cache-size: 2048KiB<br />
cache-max-ttl: 1w<br />
cache-used: 7KiB<br />
[admin@MikroTik] ip dns><br />
</pre><br />
<br />
==Cache Monitoring==<br />
<br />
* Submenu level: '''/ip dns cache'''<br />
<br />
====Description====<br />
<br />
This menu provides a list with all address (DNS type "A") records stored on the server<br />
<br />
====Property Description====<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''address''' (read-only: IP address)<br />
|style="border-bottom:1px solid gray;" valign="top"|IP address of the host<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''name''' (read-only: name)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS name of the host<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''ttl''' (read-only: time)<br />
|style="border-bottom:1px solid gray;" valign="top"|remaining time-to-live for the record<br />
|}<br />
<br />
==All DNS Entries==<br />
<br />
* Submenu level: '''/ip dns cache all'''<br />
<br />
===Description===<br />
<br />
This menu provides a complete list with all DNS records stored on the server<br />
<br />
===Property Description===<br />
<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''data''' (read-only: text)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS data field. IP address for type "A" records. Other record types may have different contents of the data field (like hostname or arbitrary text)<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''name''' (read-only: name)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS name of the host<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''ttl''' (read-only: time)<br />
|style="border-bottom:1px solid gray;" valign="top"|remaining time-to-live for the record<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''type''' (read-only: text)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS record type<br />
|}<br />
<br />
== Static DNS Entries == <br />
<br />
* Submenu level: '''/ip dns static'''<br />
<br />
===Description===<br />
<br />
MikroTik RouterOS has an embedded DNS server feature in the DNS cache. It allows you to link particular domain names with their respective IP addresses and advertise these links to the DNS clients using the router as their DNS server. This feature can also be used to provide fake DNS information to your network clients. For example, resolving any DNS request for a certain set of domains (or for the whole Internet) to your own page.<br />
<br />
The server is capable of resolving DNS requests based on POSIX basic regular expressions, so that multiple requests can be matched with the same entry. If an entry does not conform to DNS naming standards, it is considered a regular expression and marked with the ‘R’ flag. The list is ordered and is checked from top to bottom. Regular expressions are checked first, then the plain records.<br />
<br />
===Property Description===<br />
<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''address''' (IP address)<br />
|style="border-bottom:1px solid gray;" valign="top"|IP address to resolve domain name with<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''name''' (text)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS name to be resolved to a given IP address.<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''regexp''' (text)<br />
|style="border-bottom:1px solid gray;" valign="top"|DNS regex<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''ttl''' (time)<br />
|style="border-bottom:1px solid gray;" valign="top"|time-to-live of the DNS record<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''type''' (time)<br />
|style="border-bottom:1px solid gray;" valign="top"|type of the DNS record. Available values are: A, AAAA, CNAME, FWD, MX, NS, NXDOMAIN, SRV, TXT<br />
|}<br />
<br />
===Notes===<br />
<br />
Reverse DNS lookup (address to name) of regular expression entries is not possible. You can, however, add an additional plain record with the same IP address and specify some name for it.<br />
<br />
Remember that a dot (.) in a regular expression matches any character, so the expression should be escaped properly. For example, if you need to match anything within the example.com domain but not all the domains that just end with ''example.com'', like ''www.another-example.com'', use ''regexp=".*\\.example\\.com"''<br />
<br />
Regular expression matching is significantly slower than matching of plain entries, so it is advised to minimize the number of regular expression rules and optimize the expressions themselves.<br />
<br />
===Example===<br />
<br />
To add a static DNS entry for www.example.com to be resolved to 10.0.0.1 IP address:<br />
<br />
<pre><br />
[admin@MikroTik] ip dns static> add name=www.example.com address=10.0.0.1<br />
[admin@MikroTik] ip dns static> print<br />
Flags: D - dynamic, X - disabled, R - regexp<br />
# NAME ADDRESS TTL<br />
0 www.example.com 10.0.0.1 1d<br />
[admin@MikroTik] ip dns static><br />
<br />
</pre><br />
<br />
It is also possible to forward specific DNS requests to a different server using the <var>FWD</var> type. This will forward all subdomains of "example.com" to server 10.0.0.1:<br />
<br />
<pre><br />
[admin@MikroTik] ip dns static> add regexp=".*\\.example\\.com" forward-to=10.0.0.1<br />
</pre><br />
<br />
{{Note| '''''regexp''''' entries are case sensitive, but DNS requests are not, so RouterOS converts DNS names to lowercase. You should therefore write regexp entries using only lowercase letters.}}<br />
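<br />
The escaping, lowercase and ordering rules from this section, as an added example that is not part of the original manual or of RouterOS: a Python model that lints regexp values as typed on the console and resolves names with regular expressions checked before plain records. It assumes simplified console unescaping, that a pattern is applied to the whole name, and that Python's ''re'' stands in for POSIX basic regular expressions (equivalent for patterns using only ''.'', ''*'' and ''\.''); all entries are constructed.<br />

```python
import re

def console_unescape(text):
    # Simplified: a backslash in a quoted console string escapes the next
    # character, so the typed \\. reaches the resolver as \.
    return re.sub(r"\\(.)", r"\1", text)

def lint_regexp(typed):
    """Return warnings for one regexp value as typed on the console."""
    pattern, warnings, i = console_unescape(typed), [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2                      # escaped character, e.g. \. is a literal dot
            continue
        if pattern[i] == "." and pattern[i + 1:i + 2] != "*":
            warnings.append(f"unescaped '.' at offset {i} matches any character")
        i += 1
    if pattern != pattern.lower():
        warnings.append("uppercase letters never match: names are lowercased")
    return warnings

def resolve(name, entries):
    """Regexp entries first (top to bottom), then plain records."""
    name = name.lower()                 # DNS names are converted to lowercase
    for e in entries:
        # Assumption: the pattern must match the whole name.
        if "regexp" in e and re.fullmatch(console_unescape(e["regexp"]), name):
            return e["address"]
    for e in entries:
        if e.get("name") == name:
            return e["address"]
    return None

# Constructed static entries; regexp values are written as typed on the console.
PLAIN = {"name": "www.another-example.com", "address": "10.0.0.9"}
LOOSE = [PLAIN, {"regexp": ".*.example.com", "address": "10.0.0.1"}]
STRICT = [PLAIN, {"regexp": r".*\\.example\\.com", "address": "10.0.0.1"}]
UPPER = [{"regexp": r".*\\.Example\\.com", "address": "10.0.0.1"}]

if __name__ == "__main__":
    for entries in (LOOSE, STRICT):
        print(resolve("www.another-example.com", entries))
    print(lint_regexp(".*.example.com"))
```

With the unescaped pattern the regexp entry answers for ''www.another-example.com'' and shadows its plain record; with the escaped pattern the plain record is used.<br />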
<br />
==Flushing DNS cache==<br />
<br />
* Command name: '''/ip dns cache flush'''<br />
<br />
===Command Description===<br />
<br />
{| cellpadding="2" <br />
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Command<br />
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Description<br />
|-<br />
|style="border-bottom:1px solid gray;" valign="top"|'''flush'''<br />
|style="border-bottom:1px solid gray;" valign="top"|clears internal DNS cache<br />
|}<br />
<br />
===Example===<br />
<br />
<pre><br />
[admin@MikroTik] ip dns> cache flush<br />
[admin@MikroTik] ip dns> print<br />
servers: 159.148.60.2<br />
allow-remote-requests: yes<br />
cache-size: 2048 KiB<br />
cache-max-ttl: 1w<br />
cache-used: 10 KiB<br />
[admin@MikroTik] ip dns><br />
</pre><br />
<br />
<br />
==DNS over HTTPS==<br />
<br />
Starting from RouterOS v6.47, it is possible to use DNS over HTTPS (DoH). DoH uses the HTTPS protocol to send and receive DNS requests for better data integrity. Its main goal is to provide privacy by eliminating man-in-the-middle (MITM) attacks. Currently DoH is not compatible with FWD type static entries; in order to utilize FWD entries, DoH must not be configured.<br />
<br />
===Example===<br />
<br />
It is advised to import the root CA certificate of the DoH server you have chosen to use for increased security.<br />
<br />
{{Warning | We strongly suggest not using third-party download links for certificate fetching. Use the Certificate Authority's own website.}}<br />
<br />
There are various ways to find out which root CA certificate is necessary. The easiest way is to use your web browser: navigate to the DoH site and check the website's security. Using Firefox we can see that DigiCert Global Root CA is used by the CloudFlare DoH server. You can download the certificate straight from the browser or navigate to the DigiCert website and fetch the certificate from a trusted source.<br />
<br />
[[file:Rootca.PNG]]<br />
<br />
Download the certificate and import it:<br />
<br />
<pre><br />
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"<br />
/certificate import file-name=DigiCertGlobalRootCA.crt.pem<br />
</pre><br />
<br />
Configure the DoH server:<br />
<br />
<pre><br />
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes<br />
</pre><br />
<br />
Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamic or static DNS server configured, configure it like this:<br />
<br />
<pre><br />
/ip dns set servers=1.1.1.1<br />
</pre><br />
<br />
==See Also==<br />
<br />
* https://en.wikibooks.org/wiki/Regular_Expressions/POSIX_Basic_Regular_Expressions<br />
* http://www.freesoft.org/CIE/Course/Section2/3.htm<br />
* http://www.networksorcery.com/enp/protocol/dns.htm<br />
* [http://www.ietf.org/rfc/rfc1035.txt?number=1035 RFC1035]<br />
<br />
[[Category:Manual|D]]<br />
[[Category:IP|D]]</div>Guntis