Difference between revisions of "Manual:Interface/Wireless"

From MikroTik Wiki
m (add property divs)
m (Reverted edits by Eep (Talk); changed back to last version by Normis)
Line 1: Line 1:
<div class=manual>
__TOC__
<h2>Wireless interface configuration</h2>
__NOEDITSECTION__
<div class=properties>
{{DEFAULTSORT:wireless}}
<h4>Basic settings</h4>
{{ManFooter|Reference}}
 
<div class="properties">
   
<h3>Basic settings</h3>


<h5><var>master-interface</var></h5>
<h5><var>master-interface</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
interface name</p>
interface name
<p><strong>Description: </strong>
<br><strong>Description: </strong>
Name of wireless interface that has <i>virtual-ap</i> capability.
Name of wireless interface that has <i>virtual-ap</i> capability.
<br>Virtual AP interface will only work if master interface is in <i>ap-bridge</i>, <i>bridge</i> or <i>wds-slave</i> mode.
<br>Virtual AP interface will only work if master interface is in <i>ap-bridge</i>, <i>bridge</i> or <i>wds-slave</i> mode.
<br>This property is only for virtual AP interfaces.</p>
<br>This property is only for virtual AP interfaces.


<h5><var>mode</var></h5>
<h5><var>mode</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
One of <i>station</i>, <i>station-wds</i>, <i>ap-bridge</i>, <i>bridge</i>, <i>alignment-only</i>, <i>nstreme-dual-slave,</i> <i>wds-slave</i>, <i>station-pseudobridge</i> or <i>station-pseudobridge-clone</i></p>
One of <i>station</i>, <i>station-wds</i>, <i>ap-bridge</i>, <i>bridge</i>, <i>alignment-only</i>, <i>nstreme-dual-slave,</i> <i>wds-slave</i>, <i>station-pseudobridge</i> or <i>station-pseudobridge-clone</i>
<p><strong>Default value: </strong>
<br><strong>Default value: </strong>
station</p>
station
<p><strong>Description: </strong>
<br><strong>Description: </strong>
<br>Station modes:<ul>
<br>Station modes:<ul>
     <li><i>station</i> - Basic station mode. Find and connect to acceptable AP.
     <li><i>station</i> - Basic station mode. Find and connect to acceptable AP.
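Review bot: the `<p>`-wrapped side of this hunk nests a block list inside a paragraph: `<p><strong>Description: </strong>` for the mode property runs straight into `<br>Station modes:<ul>`, and HTML parsers close the `<p>` at the `<ul>`, so the `</p>` that ends the block later becomes a stray tag. If the `<p>` style is the one kept, close the paragraph before each list. Minor: the page head mixes `<div class=properties>` and `<div class="properties">`; quote the attribute the same way in both places.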
Line 34: Line 38:
</ul>
</ul>
<br>MAC address translation in pseudobridge modes works by inspecting packets and building table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is single entry in address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols.
<br>MAC address translation in pseudobridge modes works by inspecting packets and building table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is single entry in address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols.
<br>Virtual AP interfaces do not have this property, they follow the <var>mode</var> of their master interface.</p>
<br>Virtual AP interfaces do not have this property, they follow the <var>mode</var> of their master interface.


<h5><var>ssid</var></h5>
<h5><var>ssid</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
text, up to 32 characters long</p>
text, up to 32 characters long
<p><strong>Default value: </strong>
<br><strong>Default value: </strong>
value of [[system/identity]]</p>
value of [[system/identity]]
<p><strong>Description: </strong>
<br><strong>Description: </strong>
SSID (service set identifier) is a name that identifies wireless network.</p>
SSID (service set identifier) is a name that identifies wireless network.


<h5><var>frequency</var></h5>
<h5><var>frequency</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Frequency value in MHz.</p>
Frequency value in MHz.
<p><strong>Description: </strong>
<br><strong>Description: </strong>
Channel frequency on which AP will operate.
Channel frequency on which AP will operate.
<br>Allowed values depend on selected band, and are restricted by <var>country</var> setting and wireless card capabilities.
<br>Allowed values depend on selected band, and are restricted by <var>country</var> setting and wireless card capabilities.
This setting has no effect if interface is in any of station modes, or in 'wds-slave' mode, or if DFS is active.</p>
This setting has no effect if interface is in any of station modes, or in 'wds-slave' mode, or if DFS is active.


<h5><var>band</var></h5>
<h5><var>band</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
one of <i>2.4ghz-b</i>, <i>5ghz</i>, <i>5ghz-turbo</i>, <i>2.4ghz-b/g</i>, <i>2.4ghz-g-turbo</i>, <i>5ghz-10mhz</i>, <i>5ghz-5mhz</i>, <i>2ghz-10mhz</i>, <i>2ghz-5mhz</i>, <i>5ghz-11n</i>, <i>2ghz-11n</i>, <i>2.4ghz-onlyg</i></p>
one of <i>2.4ghz-b</i>, <i>5ghz</i>, <i>5ghz-turbo</i>, <i>2.4ghz-b/g</i>, <i>2.4ghz-g-turbo</i>, <i>5ghz-10mhz</i>, <i>5ghz-5mhz</i>, <i>2ghz-10mhz</i>, <i>2ghz-5mhz</i>, <i>5ghz-11n</i>, <i>2ghz-11n</i>, <i>2.4ghz-onlyg</i>


<h5><var>scan-list</var></h5>
<h5><var>scan-list</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
comma separated list of frequencies and frequency ranges, or <i>default</i></p>
comma separated list of frequencies and frequency ranges, or <i>default</i>
<p><strong>Description: </strong>
<br><strong>Description: </strong>
The <i>default</i> value is all channels from selected band that are supported by card and allowed by the <var>country</var> and <var>frequency-mode</var> settings (this list can be seen in [[info]]). For default scan list in <i>5ghz</i> band channels are taken with 20MHz step, in <i>5ghz-turbo</i> band - with 40MHz step, for all other bands - with 5MHz step. If <var>scan-list</var> is specified manually, then all matching channels are taken.
The <i>default</i> value is all channels from selected band that are supported by card and allowed by the <var>country</var> and <var>frequency-mode</var> settings (this list can be seen in [[info]]). For default scan list in <i>5ghz</i> band channels are taken with 20MHz step, in <i>5ghz-turbo</i> band - with 40MHz step, for all other bands - with 5MHz step. If <var>scan-list</var> is specified manually, then all matching channels are taken.
<br><em>Example: </em>
<br><em>Example: </em>
<code>scan-list=default,5200-5245,2412-2427</code>
<code>scan-list=default,5200-5245,2412-2427</code>
This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.</p>
This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.


<h5><var>antenna-mode</var></h5>
<h5><var>antenna-mode</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
one of these values:<ul>
one of these values:<ul>
     <li><i>ant-a</i> - use only 'a' antenna
     <li><i>ant-a</i> - use only 'a' antenna
Line 72: Line 76:
     <li><i>txa-rxb</i> - use antenna 'a' for transmitting, antenna 'b' for receiving
     <li><i>txa-rxb</i> - use antenna 'a' for transmitting, antenna 'b' for receiving
     <li><i>rxa-txb</i> - use antenna 'b' for transmitting, antenna 'a' for receiving
     <li><i>rxa-txb</i> - use antenna 'b' for transmitting, antenna 'a' for receiving
</ul></p>
</ul>


<h5><var>wds-mode</var></h5>
<h5><var>wds-mode</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
one of <i>disabled</i>, <i>static</i>, <i>dynamic</i>, <i>static-mesh</i> or <i>dynamic-mesh</i></p>
one of <i>disabled</i>, <i>static</i>, <i>dynamic</i>, <i>static-mesh</i> or <i>dynamic-mesh</i>
<p><strong>Description: </strong>
<br><strong>Description: </strong>
Controls how WDS links with other devices (APs and clients in <i>station-wds</i> mode) are established.<ul>
Controls how WDS links with other devices (APs and clients in <i>station-wds</i> mode) are established.<ul>
     <li><i>disabled</i> does not allow WDS links.
     <li><i>disabled</i> does not allow WDS links.
Line 85: Line 89:
<br>"<i>-mesh</i>" modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.
<br>"<i>-mesh</i>" modes use different (better) method for establishing link between AP, that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such links cannot pass any data.
<br>When AP or station is establishing WDS connection with another AP, it uses [[connect-list]] to check whether this connection is allowed. If station in <i>station-wds</i> mode is establishing connection with AP, AP uses [[access-list]] to check whether this connection is allowed.
<br>When AP or station is establishing WDS connection with another AP, it uses [[connect-list]] to check whether this connection is allowed. If station in <i>station-wds</i> mode is establishing connection with AP, AP uses [[access-list]] to check whether this connection is allowed.
<br>If <var>mode</var> is <i>station-wds</i>, then this property has no effect.</p>
<br>If <var>mode</var> is <i>station-wds</i>, then this property has no effect.


<h5><var>wds-default-bridge</var></h5>
<h5><var>wds-default-bridge</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
<i>none</i>, or name of bridge interface</p>
<i>none</i>, or name of bridge interface
<p><strong>Description: </strong>
<br><strong>Description: </strong>
When WDS link is established and status of the wds interface becomes 'running', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge.
When WDS link is established and status of the wds interface becomes 'running', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge.
<br>If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will {{...}}</p>
<br>If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will  


<h5><var>wds-ignore-ssid</var></h5>
<h5><var>wds-ignore-ssid</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
<i>yes</i> or <i>no</i></p>
<i>yes</i> or <i>no</i>
<p><strong>Default value: </strong>
<br><strong>Default value: </strong>
<i>no</i></p>
<i>no</i>
<p><strong>Description: </strong>
<br><strong>Description: </strong>
By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to <i>yes</i>, then SSID of the remote AP will not be checked. This property has no effect on connections from clients in <i>station-wds</i> mode. It also does not work if <var>wds-mode</var> is <i>static-mesh</i> or <i>dynamic-mesh</i>.</p>
By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to <i>yes</i>, then SSID of the remote AP will not be checked. This property has no effect on connections from clients in <i>station-wds</i> mode. It also does not work if <var>wds-mode</var> is <i>static-mesh</i> or <i>dynamic-mesh</i>.


<h5><var>default-authentication</var></h5>
<h5><var>default-authentication</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
<i>yes</i> or <i>no</i></p>
<i>yes</i> or <i>no</i>
<p><strong>Default value: </strong>
<br><strong>Default value: </strong>
<i>yes</i></p>
<i>yes</i>
<p><strong>Description: </strong>
<br><strong>Description: </strong>
For AP mode, this is the value of <var>authentication</var> for clients that do not match any entry in the [[access-list]]. For station mode, this is the value of <var>connect</var> for APs that do not match any entry in the [[connect-list]].</p>
For AP mode, this is the value of <var>authentication</var> for clients that do not match any entry in the [[access-list]]. For station mode, this is the value of <var>connect</var> for APs that do not match any entry in the [[connect-list]].


<h5><var>default-forwarding</var></h5>
<h5><var>default-forwarding</var></h5>
<p><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
<i>yes</i> or <i>no</i></p>
<i>yes</i> or <i>no</i>
<p><strong>Default value: </strong>
<br><strong>Default value: </strong>
<i>yes</i></p>
<i>yes</i>
<p><strong>Description: </strong>
<br><strong>Description: </strong>
This is the value of <var>forwarding</var> for clients that do not match any entry in the [[access-list]].</p>
This is the value of <var>forwarding</var> for clients that do not match any entry in the [[access-list]].


<h5><var>default-ap-tx-limit</var></h5>
<h5><var>default-ap-tx-limit</var></h5>
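Review bot: the wds-default-bridge description is cut off on both sides: `it will not be added to bridge specified by , and will` loses the property name after "specified by" and the rest of the sentence, and one side ends in a `{{...}}` placeholder; the sentence needs completing before this is merged. While here, wds-ignore-ssid=yes deserves a pointer to the connect-list check described under wds-mode, because once the SSID check is disabled that check is what still decides which AP a dynamic WDS link may be formed with. Likewise default-authentication's default of `yes` means every client not matched by an access-list entry is put through the interface's authentication, so a deployment that wants an allow-list sets it to `no` and admits clients through access-list rules; a sentence saying so would help.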
Line 156: Line 160:
This specifies type of wireless interface. Some properties have meaning only for certain types of interfaces.
This specifies type of wireless interface. Some properties have meaning only for certain types of interfaces.


<h4>Advanced settings</h4>
<h3>Advanced settings</h3>


<h5><var>frequency-mode</var></h5>
<h5><var>frequency-mode</var></h5>
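Review bot: heading levels diverge here (`<h4>Advanced settings</h4>` vs `<h3>Advanced settings</h3>`), as they did for "Basic settings" at the top of the diff. "Proprietary extensions", "Atheros specific" and "Prism specific" further down are `<h4>` on both sides, so on the `<h3>` side they read as subsections of Advanced settings while on the `<h4>` side they become its siblings; decide which nesting is intended and apply the same level to both section headings.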
Line 205: Line 209:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
<br>Similar to the above property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.
<br>Similar to the above property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.
<h5>basic-rates-b</h5>
<h5>basic-rates-b</h5>
<br><strong>Description: </strong>
<br><strong>Description: </strong>
Line 212: Line 215:
AP will establish WDS link only if it supports all basic rates of the other AP.
AP will establish WDS link only if it supports all basic rates of the other AP.
This property has effect only in AP modes, and when value of <var>rate-set</var> is 'configured'.
This property has effect only in AP modes, and when value of <var>rate-set</var> is 'configured'.
<h5>basic-rates-a/g</h5>
<h5>basic-rates-a/g</h5>
<br><strong>Description: </strong>
<br><strong>Description: </strong>
<br>Similar to the above property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.
<br>Similar to the above property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.
<h5>max-station-count</h5>
<h5>max-station-count</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 224: Line 225:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
Maximum number of associated clients. WDS links also count toward this limit.
Maximum number of associated clients. WDS links also count toward this limit.
<h5>ack-timeout</h5>
<h5>ack-timeout</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 231: Line 231:
<br>How long to wait for confirmation of unicast frames before considering transmission unsuccessful. Value 'dynamic' causes AP to detect and use smallest timeout that works with all connected clients.
<br>How long to wait for confirmation of unicast frames before considering transmission unsuccessful. Value 'dynamic' causes AP to detect and use smallest timeout that works with all connected clients.
Acknowledgements are not used in Nstreme protocol.
Acknowledgements are not used in Nstreme protocol.
<h5>tx-power</h5>
<h5>tx-power</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
value in the -30..30 range</p>
value in the -30..30 range</p></div>
 
<h5>tx-power-mode</h5>
<h5>tx-power-mode</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
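Review bot: `value in the -30..30 range</p></div>` on one side closes the properties `<div>` immediately after tx-power, which drops tx-power-mode and every later Advanced-settings property out of that div; the other side's `</p>` without `</div>` is the one to keep. Both sides also carry a `</p>` here with no matching `<p>` (the field opens with `<br><strong>Syntax: </strong>`), so that `</p>` can go as well.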
Line 244: Line 242:
     <li>manual-table -
     <li>manual-table -
</ul>
</ul>
<h5>dfs-mode</h5>
<h5>dfs-mode</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
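Review bot: the `manual-table -` item in the tx-power-mode list has no description on either side; either document what the value does or drop the item until it can be described.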
Line 257: Line 254:
</ul>
</ul>
<br>This property has effect only in AP mode.
<br>This property has effect only in AP mode.
<h5>wds-default-cost</h5>
<h5>wds-default-cost</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 265: Line 261:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
Initial bridge port cost of the WDS links.
Initial bridge port cost of the WDS links.
<h5>wds-cost-range</h5>
<h5>wds-cost-range</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 275: Line 270:
Setting this property to '0' disables  automatic cost adjustment.
Setting this property to '0' disables  automatic cost adjustment.
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.
<h5>wmm-support</h5>
<h5>wmm-support</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
'disabled', 'enabled' or 'required'
'disabled', 'enabled' or 'required'
<h5>disconnect-timeout</h5>
<h5>disconnect-timeout</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
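Review bot: double space in `disables  automatic cost adjustment` under wds-cost-range, present on both sides.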
Line 288: Line 281:
<br>This interval is measured from third sending failure on the lowest data rate. At this point 3 * (<var>hw-retries</var> + 1) frame transmits on the lowest data rate had failed.
<br>This interval is measured from third sending failure on the lowest data rate. At this point 3 * (<var>hw-retries</var> + 1) frame transmits on the lowest data rate had failed.
During <var>disconnect-timeout</var> packet transmission will be retried with <var>on-fail-retry-time</var> interval. If no frame can be transmitted successfully during <var>diconnect-timeout</var>, connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.
During <var>disconnect-timeout</var> packet transmission will be retried with <var>on-fail-retry-time</var> interval. If no frame can be transmitted successfully during <var>diconnect-timeout</var>, connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.
<h5>on-fail-retry-time</h5>
<h5>on-fail-retry-time</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
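Review bot: `<var>diconnect-timeout</var>` in the disconnect-timeout description is misspelled on both sides and should read `<var>disconnect-timeout</var>`; as written it names a property that does not exist. The quoted log text `extensive data loss` is what operators will search the log for when diagnosing drops, so keep it verbatim.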
Line 296: Line 288:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
After third sending failure on the lowest data rate, wait for this long before retrying.
After third sending failure on the lowest data rate, wait for this long before retrying.
<h5>frame-lifetime</h5>
<h5>frame-lifetime</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 304: Line 295:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
<br>Discard frames that have been queued for sending longer than <var>frame-lifetime</var>. By default, when value of this property is 0, frames are discarded only after connection is closed.
<br>Discard frames that have been queued for sending longer than <var>frame-lifetime</var>. By default, when value of this property is 0, frames are discarded only after connection is closed.
<h5>preamble-mode</h5>
<h5>preamble-mode</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 322: Line 312:
     <li>both - Use short preamble if AP supports it.
     <li>both - Use short preamble if AP supports it.
</ul>
</ul>
<h5>allow-sharedkey</h5>
<h5>allow-sharedkey</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 330: Line 319:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
Allow WEP Shared Key cilents to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that).
Allow WEP Shared Key cilents to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that).
<h5>station-bridge-clone-mac</h5>
<h5>station-bridge-clone-mac</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
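Review bot: typo `cilents` for `clients` in the allow-sharedkey description (both sides). The sentence after it, `no authentication is done for these clients (WEP Shared keys are not compared to anything)`, is the important part: enabling this admits any shared-key client the access list does not reject, so the description should also state the property's default value and say plainly that it should stay off unless such clients are required.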
Line 338: Line 326:
<br>Use this MAC address when connection to AP. If this value is 00:00:00:00:00:00, station will initially use MAC address of the wireless interface.
<br>Use this MAC address when connection to AP. If this value is 00:00:00:00:00:00, station will initially use MAC address of the wireless interface.
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.
<h5>hw-retries</h5>
<h5>hw-retries</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
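Review bot: `Use this MAC address when connection to AP` should read `when connecting to AP`. A cross-reference would also help: the second sentence says the station reconnects under the MAC of whichever device's frame it needs to send, so on the AP side an access-list `mac-address` rule that lists only the station's own wireless MAC will not match the reconnected client.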
Line 347: Line 334:
<br>Number of times sending frame is retried without considering it a transmission failure.
<br>Number of times sending frame is retried without considering it a transmission failure.
Data rate is decreased upon failure and frame is sent again. Three sequential failures on lowest supported rate suspend transmission to this destination for the duration of <var>on-fail-retry-time</var>. After that, frame is sent again. The frame is being retransmitted until transmission success, or until client is disconnected after <var>disconnect-timeout</var>. Frame can be discarded during this time if <var>frame-lifetime</var> is exceeded.
Data rate is decreased upon failure and frame is sent again. Three sequential failures on lowest supported rate suspend transmission to this destination for the duration of <var>on-fail-retry-time</var>. After that, frame is sent again. The frame is being retransmitted until transmission success, or until client is disconnected after <var>disconnect-timeout</var>. Frame can be discarded during this time if <var>frame-lifetime</var> is exceeded.
<h4>Proprietary extensions</h4>
<h4>Proprietary extensions</h4>
<h5>radio-name</h5>
<h5>radio-name</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 356: Line 341:
Descriptive name of the device, that is shown in registration table entries on the remote devices.
Descriptive name of the device, that is shown in registration table entries on the remote devices.
<br>This is a proprietary extension.
<br>This is a proprietary extension.
<h5>area</h5>
<h5>area</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 365: Line 349:
Identifies group of wireless networks. This value is announced by AP, and can be matched in [[connect-list]] by <var>area-prefix</var>.  
Identifies group of wireless networks. This value is announced by AP, and can be matched in [[connect-list]] by <var>area-prefix</var>.  
This is a proprietary extension.
This is a proprietary extension.
<h5>update-stats-interval</h5>
<h5>update-stats-interval</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 375: Line 358:
Access to [[registration-table]] also triggers update of these values.
Access to [[registration-table]] also triggers update of these values.
This is proprietary extension.
This is proprietary extension.
<h5>proprietary-extensions</h5>
<h5>proprietary-extensions</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
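Review bot: `This is proprietary extension.` under update-stats-interval is missing the article; the same sentence under radio-name and area reads `This is a proprietary extension.`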
Line 386: Line 368:
     <li>post-2.9.25 - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.
     <li>post-2.9.25 - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.
</ul>
</ul>
<h4>Atheros specific</h4>
<h4>Atheros specific</h4>
<h5>noise-floor-threshold</h5>
<h5>noise-floor-threshold</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 394: Line 374:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
This property is only effective for cards based on AR5211 chipset.
This property is only effective for cards based on AR5211 chipset.
<h5>adaptive-noise-immunity</h5>
<h5>adaptive-noise-immunity</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 402: Line 381:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
This property is only effective for cards based on Atheros chipset.
This property is only effective for cards based on Atheros chipset.
<h5>periodic-calibration</h5>
<h5>periodic-calibration</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Line 409: Line 387:
Setting 'default' enables periodic calibration if [[info]] <var>default-periodic-calibration</var> property is 'enabled'. Value of that property depends on the type of wireless card.
Setting 'default' enables periodic calibration if [[info]] <var>default-periodic-calibration</var> property is 'enabled'. Value of that property depends on the type of wireless card.
This property is only effective for cards based on Atheros chipset.
This property is only effective for cards based on Atheros chipset.
 
<h5>periodic-calibration-interval</h5>
<h5><var>periodic-calibration-interval</var></h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
value in range 1..10000
value in range 1..10000
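Review bot: `<h5>periodic-calibration-interval</h5>` vs `<h5><var>periodic-calibration-interval</var></h5>`: the property headings in Basic settings wrap the name in `<var>` while most Advanced and Atheros headings do not (frequency-mode is the exception), so whichever side wins, apply one convention to all `<h5>` property headings rather than changing only this one.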
Line 417: Line 394:
<br><strong>Description: </strong>
<br><strong>Description: </strong>
This property is only effective for cards based on Atheros chipset.
This property is only effective for cards based on Atheros chipset.
<h4>Prism specific</h4>
<h4>Prism specific</h4>
 
<h5>prism-cardtype</h5>
<h5><var>prism-cardtype</var></h5>
<p><strong>Syntax: </strong>
'30mW', '100mW', '200mW'</p>
<p><strong>Description: </strong>
Specify type of the installed wireless card.</p>
</div>
 
<h2>Access lists</h2>
 
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.
 
<h3>Operation</h3><ul>
    <li>Access list rules are checked sequentially.
    <li>Disabled rules are always ignored.
    <li>Only the first matching rule is applied.
    <li>If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.
    <li>If remote device is matched by rule that has <code>authentication=no</code> value, the connection from that remote device is rejected.
</ul>
 
 
<h3>Properties</h3>
<p>Access list configuration is located in <code>/interface wireless access-list</code> console path, and "Access List" tab in the WinBox "Wireless" window.</p>
 
<div class=properties>
<h4>Match properties</h4>
 
<h5>mac-address</h5>
<br><strong>Default value: </strong>
00:00:00:00:00:00
<br><strong>Description: </strong>
Rule matches client with the specified MAC address.
Value 00:00:00:00:00:00 matches always.
 
<h5>interface</h5>
<br><strong>Syntax: </strong>
<br><strong>Syntax: </strong>
Name of wireless interface, or 'all'.
'30mW', '100mW', '200mW'
<br><strong>Default value: </strong>
all
<br><strong>Description: </strong>
<br><strong>Description: </strong>
Rules with <code>interface=all</code> are used for all wireless interfaces. To make rule that applies only to one wireless interface, specify that interface as a value of this property.
Specify type of the installed wireless card.
 
<h4>Match properties that also set connection parameters</h4>
 
<h5>signal-range</h5>
<br><strong>Syntax: </strong>
number..number (both numbers are in the range -120..120)
<br><strong>Default value: </strong>
-120..120
<br><strong>Description: </strong>
Rule matches if signal strength of the station is within the range.
If signal strength of the station will go out of the range that is specified in the rule, access point will disconnect that station.
 
<h5>time</h5>
<br><strong>Syntax: </strong>
TIME-TIME,sun,mon,tue,wed,thu,fri,sat (TIME is time interval 0..86400 seconds; all day names are optional)
<br>Value can be unset.
<br><strong>Default value: </strong>
not set
<br><strong>Description: </strong>
Rule will match only during specified time.
Station will be disconnected after specified time ends.
Both start and end time is expressed as time since midnight, 00:00.
Rule will match only during specified days of the week.
 
<h4>Connection properties</h4>
 
<h5>authentication</h5>
<br><strong>Syntax: </strong>
'yes' or 'no'.
<br><strong>Description: </strong><ul>
    <li>no - Client association will always fail.
    <li>yes - Use authentication procedure that is specified in the <code>security-profile</code> of the interface.
</ul>
 
<h5>forwarding</h5>
<br><strong>Syntax: </strong>
'yes' or 'no'.
<br><strong>Description: </strong><ul>
    <li>no - Client cannot send frames to other station that are connected to same access point.
    <li>yes - Client can send frames to other stations on the same access point.
</ul>
 
<h5>ap-tx-limit</h5>
<br><strong>Syntax: </strong>
Number, in bits per second.
<br><strong>Default value: </strong>
0
<br><strong>Description: </strong>
Limit rate of data transmission to this client.
Value 0 means no limit.
 
<h5>client-tx-limit</h5>
<br><strong>Syntax: </strong>
Number, in bits per second.
<br><strong>Default value: </strong>
0
<br><strong>Description: </strong>
Ask client to limit rate of data transmission.
This is a proprietary extension that is supported by RouterOS clients.
Value 0 means no limit.
 
<h4>Security related connection properties</h4>
 
<h5>private-algo</h5>
<br><strong>Syntax: </strong>
'none', '40bit-wep', '104bit-wep', 'aes-ccm' or 'tkip'
<br><strong>Description: </strong>
Only for WEP modes.
 
<h5>private-key</h5>
<br><strong>Description: </strong>
Only for WEP modes.
 
<h5>private-pre-shared-key</h5>
<br><strong>Description: </strong>
Used in WPA PSK mode.
</div>
 
<h2>Connect lists</h2>
 
<p>connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections.</p>
<p>connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the <code>interface</code> property of that rule <small>(this is unlike [[access-list]], where rules can apply to all interfaces).</small>
Rule can match MAC address of remote access point, it's signal strength and many other parameters.</p>
 
 
<h3>Operation</h3><ul>
 
    <li>connect-list rules are always checked sequentially, starting from the first.
    <li>disabled rules are always ignored.
    <li>Only the first matching rule is applied.
    <li>If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.
    <li>If access point is matched by rule that has <code>connect=no</code> value, connection with this access point will not be attempted.
    <li>If access point is matched by rule that has <code>connect=yes</code> value, connection with this access point will be attempted.<ul>
<li>In station mode, if several remote access points are matched by connect list rules with <code>connect=yes</code> value, connection will be attempted with access point that is matched by rule higher in the connect-list.
<li>If no remote access points are matched by connect-list rules with <code>connect=yes</code> value, then value of <code>default-authentication</code> interface property determines whether station will attempt to connect to any access point. If <code>default-authentication=yes</code>, station will choose access point with best signal and compatible security.
    </ul>
    <li>In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of <code>default-authentication</code> determines whether WDS link will be established.
</ul>
 
 
<h3>Usage</h3>
 
<h4>Restrict station connections only to specific access points</h4><ul>
    <li>Set value of <code>default-authentication</code> interface property to 'no'.
    <nowiki><tt>
<span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span>
    </tt></nowiki>
    <li>Create rules that match allowed access points. These rules must have <code>connect=yes</code> and <code>interface</code> equal to the name of station wireless interface.
    <nowiki><tt>
<span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:01
<span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:00:02
    </tt></nowiki>
</ul>
 
<h4>Disallow connections to specific access points</h4><ul>
    <li>Set value of <code>default-authentication</code> interface property to 'yes'.
    <nowiki><tt>
<span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #9B009B;'>set</span> station-wlan <span style='color: #009B00;'>default-authentication</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>yes</span>
    </tt></nowiki>
    <li>Create <code>connect=no</code> rules that match those access points that station should not connect to. These rules must have <code>connect=no</code> and <code>interface</code> equal to the name of station wireless interface.
    <nowiki><tt>
<span style='color: #009B9B;'>/interface</span> <span style='color: #009B9B;'>wireless</span> <span style='color: #009B9B;'>connect-list</span> <span style='color: #9B009B;'>add</span> <span style='color: #55FF55;'>interface</span><span style='color: #9B9B00;'>=</span>station-wlan <span style='color: #009B00;'>connect</span><span style='color: #9B9B00;'>=</span><span style='color: #009B00;'>no</span> <span style='color: #009B00;'>mac-address</span><span style='color: #9B9B00;'>=</span>00:11:22:33:44:55
    </tt></nowiki>
</ul>
 
<h4>Select preferred access points</h4><ul>
    <li>Create rules that match preferred access points. These rules must have <code>connect=yes</code> and <code>interface</code> equal to the name of station wireless interface.
    <li>Put rules that match preferred access points higher in the connect-list, in the order of preference.
</ul>
 
<h4>Restrict WDS link establishment</h4><ul>
    <li>Place rules that match allowed access points at the top.
    <li>Add deny-all rule at the end of connect list.
</ul>
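<p>The following is an added simulation of the connect-list evaluation described in the Operation and Usage sections above; it is example code written for this page, not RouterOS code. It models the sequential first-match rule order, the all-zero <code>mac-address</code> wildcard, the empty <code>ssid</code> wildcard, <code>signal-range</code> matching and the <code>default-authentication</code> fallback, and runs the three Usage scenarios plus the deny-all tail rule. All rule values, MAC addresses, SSIDs and signal levels are constructed for the example; security-profile compatibility is not modelled here.</p>

```python
"""Connect-list evaluation as a station sees it (added simulation, not RouterOS code).

Models the rule order, the all-zero MAC wildcard, the empty-SSID wildcard,
signal-range matching and the default-authentication fallback described on
this page. Rule and access point values in demo() are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WILDCARD_MAC = "00:00:00:00:00:00"   # mac-address default value: matches always


@dataclass
class Rule:
    interface: str                        # each rule applies to one interface only
    connect: bool                         # connect=yes / connect=no
    mac_address: str = WILDCARD_MAC
    ssid: str = ""                        # empty value matches any SSID
    signal_range: Tuple[int, int] = (-120, 120)
    disabled: bool = False


@dataclass
class AccessPoint:
    mac: str
    ssid: str
    signal: int                           # signal strength in dBm (constructed values)


def rule_matches(rule: Rule, ap: AccessPoint) -> bool:
    """Match properties of one rule against one remote access point."""
    if rule.mac_address != WILDCARD_MAC and rule.mac_address.lower() != ap.mac.lower():
        return False
    if rule.ssid and rule.ssid != ap.ssid:
        return False
    low, high = rule.signal_range
    return low <= ap.signal <= high


def first_matching_rule(rules: List[Rule], interface: str, ap: AccessPoint) -> Optional[int]:
    """Rules are checked sequentially; disabled rules and rules bound to other
    interfaces are skipped; only the first match counts."""
    for index, rule in enumerate(rules):
        if rule.disabled or rule.interface != interface:
            continue
        if rule_matches(rule, ap):
            return index
    return None


def choose_ap(rules: List[Rule], interface: str, aps: List[AccessPoint],
              default_authentication: bool) -> Optional[AccessPoint]:
    """Return the access point a station on `interface` would try first, or None."""
    allowed = []      # (rule index, ap) for APs matched by a connect=yes rule
    unmatched = []    # APs no rule matched: interface defaults apply
    for ap in aps:
        index = first_matching_rule(rules, interface, ap)
        if index is None:
            unmatched.append(ap)
        elif rules[index].connect:
            allowed.append((index, ap))
        # APs matched by a connect=no rule are never attempted
    if allowed:
        # the AP matched by the rule higher in the list wins, not the strongest signal
        allowed.sort(key=lambda pair: pair[0])
        return allowed[0][1]
    if default_authentication and unmatched:
        # page: choose access point with best signal (security compatibility not modelled)
        return max(unmatched, key=lambda ap: ap.signal)
    return None


def demo() -> dict:
    """The Usage scenarios above, with constructed values."""
    ap1 = AccessPoint("00:11:22:33:00:01", "office", -70)
    ap2 = AccessPoint("00:11:22:33:00:02", "office", -50)
    rogue = AccessPoint("00:11:22:33:44:55", "office", -30)
    other = AccessPoint("00:11:22:33:00:03", "guest", -60)

    # 1. Restrict to specific APs: default-authentication=no plus connect=yes rules
    allow_only = [Rule("station-wlan", True, ap1.mac), Rule("station-wlan", True, ap2.mac)]
    # 2. Disallow specific APs: default-authentication=yes plus a connect=no rule
    deny_some = [Rule("station-wlan", False, rogue.mac)]
    # 3. Preferred AP first, then an all-zero-MAC deny-all rule at the end of the list
    allow_then_deny = [Rule("station-wlan", True, ap2.mac), Rule("station-wlan", False)]

    return {
        "allow_only": choose_ap(allow_only, "station-wlan", [rogue, ap2, ap1], False),
        "allow_only_none_present": choose_ap(allow_only, "station-wlan", [rogue, other], False),
        "deny_some": choose_ap(deny_some, "station-wlan", [rogue, other, ap1], True),
        "deny_all_tail": choose_ap(allow_then_deny, "station-wlan", [rogue, ap1, other], True),
        "deny_all_tail_with_ap2": choose_ap(allow_then_deny, "station-wlan", [rogue, ap2], True),
    }
```

<p>Note in <code>demo()</code> that with the allow-list, ap1 is chosen over ap2 even though ap2 has the stronger signal, because its rule is higher in the list; and that the trailing all-zero-MAC <code>connect=no</code> rule blocks every access point that no earlier rule allowed, regardless of <code>default-authentication</code>.</p>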
 
 
<h3>Configuration Reference</h3>
<p>Connect lists are configured under the <code>/interface wireless connect-list</code> path in the console, or in the "Connect List" tab of the "Wireless" window in the WinBox.</p>
 
<div class=properties>
<h4>Match properties</h4>
 
<h5>interface</h5>
<br><strong>Syntax: </strong>
Name of wireless interface.
Required.
<br><strong>Description: </strong>
Each rule in connect list applies only to one wireless interface that is specified by this setting.
 
<h5>area-prefix</h5>
<br><strong>Syntax: </strong>
Text.
<br><strong>Description: </strong>
Rule matches if the <code>area</code> value advertised by the AP (a proprietary RouterOS extension) begins with the value of <code>area-prefix</code>.
 
<h5>mac-address</h5>
<br><strong>Default value: </strong>
00:00:00:00:00:00
<br><strong>Description: </strong>
Rule matches only AP with the specified MAC address.
Value 00:00:00:00:00:00 matches always.
 
<h5>ssid</h5>
<br><strong>Syntax: </strong>
String
<br><strong>Description: </strong>
Rule matches access points that have this SSID. Empty value matches any SSID.
<br>This property has effect only when station mode interface <code>ssid</code> is empty, or when access point mode interface has <code>wds-ignore-ssid=yes</code>.
 
<h4>Match properties that also set connection parameters</h4>
 
<h5>signal-range</h5>
<br><strong>Syntax: </strong>
number..number (both numbers are in the range -120..120)
<br><strong>Description: </strong>
Rule matches if signal strength of the access point is within the range.
If station establishes connection to access point that is matched by this rule, it will disconnect from that access point when signal strength goes out of the specified range.
 
<h5>security-profile</h5>
<br><strong>Syntax: </strong>
name of [[security-profile]], or 'none'
<br><strong>Description: </strong>
Name of security profile that is used when connecting to matching access points. If value of this property is 'none', then security profile specified in the interface configuration will be used.
<br>In station mode, rule will match only access points that can support specified security profile. Value 'none' will match access points that support security profile that is specified in the interface configuration. In access point mode value of this property is not used to match remote devices.
 
<h4>Connection properties</h4>
 
<h5>connect</h5>
<br><strong>Syntax: </strong>
'yes' or 'no'
<br><strong>Description: </strong><ul>
    <li>yes - Connect to access point that matches this rule.
    <li>no - Do not connect to any access point that matches this rule.
</ul>
</div>
 
<h2>Security profiles</h2>
 
 
<h3>Configuration Reference</h3>
<p>Security profiles are configured under the <code>/interface wireless security-profiles</code> path in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced only by the wireless interface [[#security-profile|security-profile]] parameter.</p>
 
<div class=properties>
<h4>Basic properties</h4>
 
<h5><var>mode</var></h5>
<br><strong>Syntax: </strong>
One of <i>none</i>, <i>static-keys-optional</i>, <i>static-keys-required</i> or <i>dynamic-keys</i>
<br><strong>Default value: </strong>
none
<br><strong>Description: </strong><ul>
    <li><i>none</i> - Encryption is not used. Encrypted frames are not accepted.
    <li><i>static-keys-required</i> - WEP mode. Do not accept and do not send unencrypted frames.
    <br>Station in <i>static-keys-required</i> mode will not connect to an access point in <i>static-keys-optional</i> mode.
    <li><i>static-keys-optional</i> - WEP mode. Support encryption and decryption, but allow also to receive and send unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as <i>none</i>.
    <br>Station in <i>static-keys-optional</i> mode will not connect to an access point in <i>static-keys-required</i> mode.
    <br><strong>See also: </strong><var>static-sta-private-algo</var>, <var>static-transmit-key</var>.
    <li><i>dynamic-keys</i> - WPA mode.
</ul>
 
<h5><var>name</var></h5>
<br><strong>See: </strong>[[generic properties]]
 
 
<h4>WPA properties</h4>
 
<br>These properties have effect only when <var>mode</var>=<i>dynamic-keys</i>.
 
<h5><var>authentication-types</var></h5>
<br><strong>Syntax: </strong>
Multiple choice of <i>wpa-psk</i>, <i>wpa2-psk</i>, <i>wpa-eap</i> and <i>wpa2-eap</i>.
<br><strong>Default value: </strong>
empty
<br><strong>Description: </strong>
Set of supported authentication types. Access point will advertise supported authentication types, and client will connect to access point only if it supports any of the advertised authentication types.
 
<h5><var>unicast-ciphers</var></h5>
<br><strong>Syntax: </strong>
Multiple choice of <i>tkip</i>, <i>aes-ccm</i>.
<br><strong>Default value: </strong>
empty
<br><strong>Description: </strong>
Access point advertises that it supports specified ciphers. Client attempts connection only to access points that support at least one of the specified ciphers.
<br>One of the ciphers will be used to encrypt unicast frames that are sent between access point and station.
 
<h5><var>group-ciphers</var></h5>
<br><strong>Syntax: </strong>
Multiple choice of <i>tkip</i>, <i>aes-ccm</i>.
<br><strong>Default value: </strong>
empty
<br><strong>Description: </strong>
Access point advertises one of these ciphers, and uses it to encrypt all broadcast and multicast frames. Client attempts connection only to access points that use one of the specified group ciphers.
 
<h5><var>group-key-update</var></h5>
<br><strong>Syntax: </strong>
Time interval in the 30s..1h range.
<br><strong>Default value: </strong>
5m
<br><strong>Description: </strong>
Controls how often access point updates group key. This key is used to encrypt all broadcast and multicast frames.
<br>This property has no effect in station mode.
 
<br><h5 style="display:inline;"><var>wpa-pre-shared-key</var></h5>, <h5 style="display:inline;"><var>wpa2-pre-shared-key</var></h5>
<br><strong>Syntax: </strong>
Text
<br><strong>Description: </strong>
<br>WPA and WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. Value of this key can be an arbitrary text.
<br>RouterOS also allows overriding the pre-shared key value for specific clients, using either <var>private-pre-shared-key</var> property in the [[access-list]], or the Mikrotik-Wireless-Psk attribute in the RADIUS MAC authentication response. This is an extension.
<br>These properties have effect only when <var>authentication-types</var> contains either <i>wpa-psk</i> or <i>wpa2-psk</i>.
<br><var>wpa-pre-shared-key</var> is used for <i>wpa-psk</i> authentication type. <var>wpa2-pre-shared-key</var> is used for <i>wpa2-psk</i>.
 
 
<h4>WPA EAP properties</h4>
 
<br>These properties have effect only when <var>authentication-types</var> contains <i>wpa-eap</i> or <i>wpa2-eap</i>, and <var>mode</var>=<i>dynamic-keys</i>.
 
<h5><var>eap-methods</var></h5>
<br><strong>Syntax: </strong>
Array of <i>eap-tls</i>, <i>passthrough</i>
<br><strong>Description: </strong><ul>
    <li><i>eap-tls</i> - Use built-in EAP TLS authentication. Both client and server certificates are supported. See description of <var>tls-mode</var> and <var>tls-certificate</var> properties.
    <li><i>passthrough</i> - Access point will relay authentication process to the RADIUS server. This value is ignored in station mode.
</ul>
<br>Order of values is significant for access point configuration: it is the order in which the access point offers the specified methods to clients.
<br><strong>Example: </strong>Access point uses security-profile where <var>eap-methods</var>=<i>eap-tls</i>,<i>passthrough</i><ul>
    <li>Access point offers EAP-TLS method to the client.
    <li>Client refuses.
    <li>Access point starts relaying EAP communication to the RADIUS server.
</ul>
 
<h5><var>supplicant-identity</var></h5>
<br><strong>Syntax: </strong>
Text
<br><strong>Default value: </strong>
Same as [[system/identity]] of router at the moment of profile creation.
<br><strong>Description: </strong>
EAP identity that is sent by client at the beginning of EAP authentication. This value is used as a value for User-Name attribute in RADIUS messages sent by RADIUS EAP accounting and RADIUS EAP pass-through authentication.
 
<h5><var>tls-mode</var></h5>
<br><strong>Syntax: </strong>
One of <i>verify-certificate</i>, <i>dont-verify-certificate</i>, <i>no-certificates</i>.
<br><strong>Default value: </strong>
<i>no-certificates</i>
<br><strong>Description: </strong><ul>
    <li><i>verify-certificate</i> - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done.
    <br><strong>Note: </strong> Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period.
    <br><strong>See also: </strong>[[certificate]] configuration.
    <li><i>dont-verify-certificate</i> - Do not check certificate of the remote device. Access point will not require client to provide certificate.
    <li><i>no-certificates</i> - Do not use certificates. TLS session is established using 2048 bit anonymous Diffie-Hellman key exchange.
</ul>
<br>When using first two modes, remote device has to support one of the "RC4-MD5", "RC4-SHA" or "DES-CBC3-SHA" TLS cipher suites. In the last mode remote device must support "ADH-DES-CBC3-SHA" cipher suite.
<br>This property has effect only when <var>eap-methods</var> contains <i>eap-tls</i>.
 
<h5><var>tls-certificate</var></h5>
<br><strong>Syntax: </strong>
<i>none</i> or name of certificate.
<br><strong>Default value: </strong>
<i>none</i>
<br><strong>Description: </strong>
<br>Access point always needs certificate when configured with <var>tls-mode</var>=<i>verify-certificate</i>, or <var>tls-mode</var>=<i>dont-verify-certificate</i>. Client needs certificate only if <em>access point</em> is configured with <var>tls-mode</var>=<i>verify-certificate</i>. In this case client needs valid certificate that is signed by CA known to the access point.
<br>This property has effect only if <var>tls-mode</var>&ne;<i>no-certificates</i>.
<br>This property has effect only when <var>eap-methods</var> contains <i>eap-tls</i>.
 
 
<h4>RADIUS properties</h4>
 
<h5><var>radius-mac-authentication</var></h5>
<br><strong>Syntax: </strong>
<i>yes</i> or <i>no</i>.
<br><strong>Default value: </strong>
<i>no</i>
<br><strong>Description: </strong>
This property affects the way how access point processes clients that are not found in the [[access-list]].<ul>
    <li><i>no</i> - allow or reject client authentication based on the value of <var>default-authentication</var> property of the wireless interface.
    <li><i>yes</i> - Query RADIUS server using MAC address of client as user name. With this setting the value of <var>default-authentication</var> has no effect.
</ul>
 
<h5><var>radius-mac-accounting</var></h5>
<br><strong>Syntax: </strong>
<i>yes</i> or <i>no</i>
<br><strong>Default value: </strong>
<i>no</i>
<br><strong>Description: </strong>
When set to <i>yes</i>, access point sends RADIUS accounting messages for clients that were authenticated by RADIUS MAC authentication; see the Acct-Session-Id attribute and <var>interim-update</var> in the RADIUS MAC authentication section below.
 
<h5><var>radius-eap-accounting</var></h5>
<br><strong>Syntax: </strong>
<i>yes</i> or <i>no</i>
<br><strong>Default value: </strong>
<i>no</i>
<br><strong>Description: </strong>
 
<h5><var>interim-update</var></h5>
<br><strong>Syntax: </strong>
Time interval
<br><strong>Default value: </strong>
0
<br><strong>Description: </strong>
When RADIUS accounting is used, access point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using Acct-Interim-Interval attribute.
 
<h5><var>radius-mac-format</var></h5>
<br><strong>Syntax: </strong>
One of <i>XX:XX:XX:XX:XX:XX</i>, <i>XXXX:XXXX:XXXX</i>, <i>XXXXXX:XXXXXX</i>, <i>XX-XX-XX-XX-XX-XX</i>, <i>XXXXXX-XXXXXX</i>, <i>XXXXXXXXXXXX</i>, <i>XX XX XX XX XX XX</i>.
<br><strong>Default value: </strong>
<i>XX:XX:XX:XX:XX:XX</i>
<br><strong>Description: </strong>
Controls how MAC address of the client is encoded by access point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.
 
<h5><var>radius-mac-mode</var></h5>
<br><strong>Syntax: </strong>
One of <i>as-username</i>, <i>as-username-and-password</i>.
<br><strong>Default value: </strong>
<i>as-username</i>
<br><strong>Description: </strong>
By default access point uses empty password, when sending Access-Request during MAC authentication. When this property is set to <i>as-username-and-password</i>, access point will use the same value for User-Password attribute as for the User-Name attribute.
 
 
<h5><var>radius-mac-caching</var></h5>
<br><strong>Syntax: </strong>
Either <i>disabled</i> or time interval.
<br><strong>Default value: </strong>
<i>disabled</i>
<br><strong>Description: </strong>
If this value is set to time interval, the access point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value <i>disabled</i> will disable cache, access point will always contact RADIUS server.
 
 
<h4>WEP properties</h4>
<br>These properties have effect only when <var>mode</var> is <i>static-keys-required</i> or <i>static-keys-optional</i>. See section "[[Statically configured WEP keys]]".
<br><h5 style="display:inline;"><var>static-key-0</var></h5>, <h5 style="display:inline;"><var>static-key-1</var></h5>, <h5 style="display:inline;"><var>static-key-2</var></h5>, <h5 style="display:inline;"><var>static-key-3</var></h5>
<br><strong>Syntax: </strong>
Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See section "[[Statically configured WEP keys]]".
<br><strong>Default value: </strong>
empty
<br><strong>Description: </strong>
 
<br><h5 style="display:inline;"><var>static-algo-0</var></h5>, <h5 style="display:inline;"><var>static-algo-1</var></h5>, <h5 style="display:inline;"><var>static-algo-2</var></h5>, <h5 style="display:inline;"><var>static-algo-3</var></h5>
<br><strong>Syntax: </strong>
One of <i>none</i>, <i>40bit-wep</i>, <i>104bit-wep</i>, <i>tkip</i> or <i>aes-ccm</i>.
<br><strong>Default value: </strong>
<i>none</i>
<br><strong>Description: </strong>
Encryption algorithm to use with the corresponding key.
 
<h5><var>static-transmit-key</var></h5>
<br><strong>Syntax: </strong>
One of <i>key-0</i>, <i>key-1</i>, <i>key-2</i> or <i>key-3</i>.
<br><strong>Default value: </strong>
<i>key-0</i>
<br><strong>Description: </strong>
Access point will use the specified key to encrypt frames for clients that do not use private key. Access point will also use this key to encrypt broadcast and multicast frames.
<br>Client will use the specified key to encrypt frames if <var>static-sta-private-algo</var>=<i>none</i>.
<br>If corresponding <var>static-algo-</var> property has value <i>none</i>, frame will be sent unencrypted (when <var>mode</var>=<i>static-keys-optional</i>) or will not be sent at all (when <var>mode</var>=<i>static-keys-required</i>).
 
<h5><var>static-sta-private-key</var></h5>
<br><strong>Syntax: </strong>
Hexadecimal representation of the key. Length of key must be appropriate for selected algorithm. See section "[[Statically configured WEP keys]]".
<br><strong>Description: </strong>
<br>This property is used only in station mode. Access point uses corresponding key either from <var>private-key</var> property of [[access-list]], or from Mikrotik-Wireless-Enc-Key attribute in RADIUS Access-Accept MAC authentication response.
 
<h5><var>static-sta-private-algo</var></h5>
<br><strong>Syntax: </strong>
One of <i>none</i>, <i>40bit-wep</i>, <i>104bit-wep</i>, <i>tkip</i> or <i>aes-ccm</i>.
<br><strong>Description: </strong>
Encryption algorithm to use with station private key. Value <i>none</i> disables use of the private key.
<br>This property is used only in station mode. Access point has to get corresponding value either from <var>private-algo</var> property of [[access-list]], or from Mikrotik-Wireless-Enc-Algo attribute in RADIUS Access-Accept MAC authentication response.
<br>Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast frames.
</div>
 
<h3>Operation details</h3>
 
 
<h4>RADIUS MAC authentication</h4>
<br><strong>Note: </strong>RADIUS MAC authentication is used by access point for clients that are not found in the [[access-list]], similarly to the <var>default-authentication</var> property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.
 
<br>When <var>radius-mac-authentication</var>=<i>yes</i>, access point queries RADIUS server by sending Access-Request with the following attributes:<ul>
    <li>User-Name - Client MAC address. This is encoded as specified by the <var>radius-mac-format</var> setting. Default encoding is "XX:XX:XX:XX:XX:XX".
    <li>Nas-Port-Id - <var>name</var> of wireless interface.
    <li>User-Password - When <var>radius-mac-mode</var>=<i>as-username-and-password</i> this is set to the same value as User-Name. Otherwise this attribute is empty.
    <li>Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".
    <li>Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).
    <li>Acct-Session-Id - Added when <var>radius-mac-accounting</var>=<i>yes</i>.
</ul>
<br>When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:<ul>
    <li>Ascend-Data-Rate
    <li>Ascend-Xmit-Rate
    <li>Mikrotik-Wireless-Forward - Same as [[access-list]] <var>forwarding</var>.
    <li>Mikrotik-Wireless-Enc-Algo - Same as [[access-list]] <var>private-algo</var>.
    <li>Mikrotik-Wireless-Enc-Key - Same as [[access-list]] <var>private-key</var>.
    <li>Mikrotik-Wireless-Psk - Same as [[access-list]] <var>private-pre-shared-key</var>.
    <li>Session-Timeout - Time, after which client will be disconnected.
    <li>Acct-Interim-Interval - Overrides value of <var>interim-update</var>.
    <li>Class - If present, value of this attribute is saved and included in Accounting-Request messages.
</ul>
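<p>The following is an added example, written for this page and not RouterOS code, that builds the Access-Request attribute set listed above for a given <var>radius-mac-format</var> and <var>radius-mac-mode</var>, and models the <var>radius-mac-caching</var> behaviour. Hexadecimal digits are rendered in upper case, which is an assumption (the page does not state the case), and the Acct-Session-Id format is not given on the page, so the caller supplies that value. All MAC addresses, SSIDs and interface names used are constructed.</p>

```python
"""RADIUS MAC authentication Access-Request attributes (added example, not RouterOS code).

Builds the attributes listed on this page for a client association and
models radius-mac-caching. Upper-case hex digits are an assumption.
"""
from typing import Dict, Optional

HEX = set("0123456789ABCDEF")


def normalize_mac(mac: str) -> str:
    """Strip separators and return the 12 hex digits in upper case."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _group(digits: str, size: int, sep: str) -> str:
    return sep.join(digits[i:i + size] for i in range(0, 12, size))


# The seven radius-mac-format values from the reference above.
MAC_FORMATS = {
    "XX:XX:XX:XX:XX:XX": lambda d: _group(d, 2, ":"),
    "XXXX:XXXX:XXXX":    lambda d: _group(d, 4, ":"),
    "XXXXXX:XXXXXX":     lambda d: _group(d, 6, ":"),
    "XX-XX-XX-XX-XX-XX": lambda d: _group(d, 2, "-"),
    "XXXXXX-XXXXXX":     lambda d: _group(d, 6, "-"),
    "XXXXXXXXXXXX":      lambda d: d,
    "XX XX XX XX XX XX": lambda d: _group(d, 2, " "),
}


def format_mac(mac: str, fmt: str) -> str:
    """Encode a MAC address in one of the radius-mac-format styles."""
    return MAC_FORMATS[fmt](normalize_mac(mac))


def mac_auth_request(client_mac: str, ap_mac: str, ssid: str, interface_name: str,
                     radius_mac_format: str = "XX:XX:XX:XX:XX:XX",
                     radius_mac_mode: str = "as-username",
                     acct_session_id: Optional[str] = None) -> Dict[str, str]:
    """Attributes the access point places in the Access-Request.

    acct_session_id is included only when radius-mac-accounting=yes; its
    format is not described on the page, so the caller provides it.
    """
    user_name = format_mac(client_mac, radius_mac_format)
    attrs = {
        "User-Name": user_name,
        "Nas-Port-Id": interface_name,
        # empty by default; equal to User-Name in as-username-and-password mode
        "User-Password": user_name if radius_mac_mode == "as-username-and-password" else "",
        # Calling/Called-Station-Id always use minus-separated pairs
        "Calling-Station-Id": format_mac(client_mac, "XX-XX-XX-XX-XX-XX"),
        "Called-Station-Id": format_mac(ap_mac, "XX-XX-XX-XX-XX-XX") + ":" + ssid,
    }
    if acct_session_id is not None:
        attrs["Acct-Session-Id"] = acct_session_id
    return attrs


class MacAuthCache:
    """radius-mac-caching: remember an Access-Accept/Access-Reject for `ttl`
    seconds so a repeated association from the same client is answered
    without another RADIUS round trip. ttl=None models the 'disabled' value."""

    def __init__(self, ttl: Optional[float]):
        self.ttl = ttl
        self._entries: Dict[str, tuple] = {}   # client digits -> (accepted, expires_at)

    def lookup(self, client_mac: str, now: float) -> Optional[bool]:
        """Cached verdict, or None when the AP must contact the RADIUS server."""
        if self.ttl is None:
            return None
        entry = self._entries.get(normalize_mac(client_mac))
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def store(self, client_mac: str, accepted: bool, now: float) -> None:
        if self.ttl is not None:
            self._entries[normalize_mac(client_mac)] = (accepted, now + self.ttl)
```

<p>With the cache enabled, a rejected client is also served from cache until the entry expires, so a change on the RADIUS server is not seen by the access point for up to the configured interval; this is worth remembering when an entry is revoked.</p>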
 
<h5>Caching</h5>
<br>Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response from the access point to the association request. Such clients time out before response from RADIUS server is received. Access point caches authentication response for some time and can immediately reply to the repeated association request from the same client.
 
<h4>RADIUS EAP pass-through authentication</h4>
<br>When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message: <ul>
    <li>User-Name - EAP supplicant identity. This value is configured in the <var>supplicant-identity</var> property of the client security profile.
    <li>Nas-Port-Id - <var>name</var> of wireless interface.
    <li>Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".
    <li>Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).
    <li>Acct-Session-Id - Added when <var>radius-eap-accounting</var>=<i>yes</i>.
    <li>Acct-Multi-Session-Id - MAC address of access point and client, and a unique 8-byte value that is shared by all accounting sessions belonging to a single EAP authentication. Encoded as <i>AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX</i>.
    <br>Added when <var>radius-eap-accounting</var>=<i>yes</i>.
</ul>
<br>Access point uses following RADIUS attributes from the Access-Accept server response:<ul>
    <li>Class - If present, value of this attribute is saved and included in Accounting-Request messages.
    <li>Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.
    <li>Acct-Interim-Interval - Overrides value of <var>interim-update</var>.
</ul>
 
 
<h4>Statically configured WEP keys</h4>
Different algorithms require different length of keys:<ul>
    <li><i>40bit-wep</i> - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.
    <li><i>104bit-wep</i> - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.
    <li><i>tkip</i> - At least 64 hexadecimal digits (256 bits).
    <li><i>aes-ccm</i> - At least 32 hexadecimal digits (128 bits).
</ul>
Key must contain even number of hexadecimal digits.
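<p>The following is an added example, not RouterOS code, that applies the key length rules above: <code>static_key_material()</code> returns the key bytes a slot would actually use (for <i>40bit-wep</i> and <i>104bit-wep</i> only the leading 40 or 104 bits of a longer key), <code>key_error()</code> reports why a key is unusable, and <code>transmit_behaviour()</code> applies the <var>static-transmit-key</var> rule for a slot whose algorithm is <i>none</i>. The keys used in the checks are constructed test values.</p>

```python
"""Static key length rules for static-algo-N / static-key-N (added example, not RouterOS code)."""
from typing import Dict, Optional

# algorithm -> (minimum hex digits, hex digits actually used; None means all of them)
KEY_RULES = {
    "40bit-wep": (10, 10),
    "104bit-wep": (26, 26),
    "tkip": (64, None),
    "aes-ccm": (32, None),
}


def static_key_material(algo: str, hex_key: str) -> bytes:
    """Key bytes the slot would use, or ValueError when the key is unusable."""
    if algo == "none":
        return b""                       # slot carries no key
    if algo not in KEY_RULES:
        raise ValueError(f"unknown static-algo {algo!r}")
    hex_key = hex_key.strip()
    if len(hex_key) % 2:
        raise ValueError("key must contain an even number of hexadecimal digits")
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        raise ValueError("key is not hexadecimal") from None
    minimum, used = KEY_RULES[algo]
    if len(hex_key) < minimum:
        raise ValueError(f"{algo} needs at least {minimum} hex digits, got {len(hex_key)}")
    # WEP keeps only the leading 40/104 bits of a longer key; tkip/aes-ccm use the whole key
    return raw if used is None else raw[: used // 2]


def key_error(algo: str, hex_key: str) -> Optional[str]:
    """Error message for an unusable key, or None when it is acceptable."""
    try:
        static_key_material(algo, hex_key)
    except ValueError as exc:
        return str(exc)
    return None


def transmit_behaviour(mode: str, transmit_algo: str) -> str:
    """Fate of a frame when the static-transmit-key slot's algorithm is none."""
    if transmit_algo != "none":
        return "encrypted"
    if mode == "static-keys-optional":
        return "unencrypted"
    if mode == "static-keys-required":
        return "not sent"
    raise ValueError("static keys only apply to static-keys-* modes")


def check_profile(mode: str, algos: Dict[str, str], keys: Dict[str, str],
                  transmit_key: str) -> dict:
    """Validate every slot of a security profile and report the transmit slot."""
    material = {slot: static_key_material(algos[slot], keys.get(slot, "")) for slot in algos}
    return {
        "key_bits": {slot: len(m) * 8 for slot, m in material.items()},
        "transmit": transmit_behaviour(mode, algos[transmit_key]),
    }
```

<p>The <code>transmit</code> result is the point to check when auditing a WEP profile: with <var>mode</var>=<i>static-keys-optional</i> and <var>static-transmit-key</var> pointing at a slot whose algorithm is <i>none</i>, frames leave the radio unencrypted rather than being dropped.</p>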
 
 
<h4>WDS security configuration</h4>
<br>WDS links can use all available security features. However, they require careful configuration of security parameters.
<br>It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified in [[connect-list]]. Access point always checks connect list before establishing WDS link with another access point, and uses security settings from matching connect list entry. WDS link will work when each access point has connect list entry that matches the other device, has <var>connect</var>=<i>yes</i> and specifies compatible <var>security-profile</var>.
 
<h5>WDS and WPA/WPA2</h5>
<br>If access point uses security profile with <var>mode</var>=<i>dynamic-keys</i>, then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to how <i>static-mesh</i> and <i>dynamic-mesh</i> WDS modes work. Some problems, like single sided WDS link between two incorrectly configured access points that use non<i>-mesh</i> mode, are not possible if WPA encryption is enabled. However, non<i>-mesh</i> modes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the <i>-mesh</i> WDS modes.
<br>In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties are <var>authentication-types</var>, <var>unicast-ciphers</var>, <var>group-ciphers</var>. For non<i>-mesh</i> WDS mode these properties need to have the same values on both devices. In <i>mesh</i> WDS mode each access point has to support the other one as a client.
<br>Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.
<br>Implementation of <i>eap-tls</i> EAP method in RouterOS is particularly well suited for WDS link encryption. <var>tls-mode</var>=<i>no-certificates</i> requires no additional configuration, and provides very strong encryption.
 
<h5>WDS and WEP</h5>
 
<br><var>mode</var>, <var>static-sta-private-key</var> and <var>static-sta-private-algo</var> parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WEP encryption.
 
<h4>Security profile and access point matching in the connect list</h4>
 
Client uses value of [[connect-list]] <var>security-profile</var> property to match only those access points that support necessary security.<ul>
    <li><var>mode</var>=<i>static-keys-required</i> and <var>mode</var>=<i>static-keys-optional</i> match only access points with the same <var>mode</var> in interface <var>security-profile</var>.
    <li>If <var>mode</var>=<i>dynamic-keys</i>, then connect list entry matches if all of the <var>authentication-types</var>, <var>unicast-ciphers</var> and <var>group-ciphers</var> contain at least one value that is advertised by access point.
</ul>
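<p>The following is an added example, not RouterOS code, encoding the two matching rules listed above: <i>static-keys-*</i> modes must be identical on both sides (the same asymmetry noted under the security profile <var>mode</var> property), and <i>dynamic-keys</i> needs at least one common value in each of <var>authentication-types</var>, <var>unicast-ciphers</var> and <var>group-ciphers</var>. It also resolves the connect-list <var>security-profile</var> value 'none' to the interface profile. How <var>mode</var>=<i>none</i> matches is not described on the page; treating it as matching only access points that use no encryption is an assumption. All profile values are constructed.</p>

```python
"""Security profile compatibility check for connect-list matching (added example, not RouterOS code).

Rules on this page: static-keys-* modes must be identical on both sides;
dynamic-keys needs an overlap in each WPA set. mode=none handling is an assumption.
"""
from typing import Dict, List

WPA_SETS = ("authentication-types", "unicast-ciphers", "group-ciphers")


def profile_matches_ap(station_profile: Dict, ap_profile: Dict) -> bool:
    """Would a station using station_profile match an AP advertising ap_profile?"""
    mode = station_profile["mode"]
    ap_mode = ap_profile["mode"]
    if mode in ("static-keys-required", "static-keys-optional"):
        # static modes match only the same mode: required vs optional never connect
        return ap_mode == mode
    if mode == "dynamic-keys":
        if ap_mode != "dynamic-keys":
            return False
        # every one of the three sets must share at least one advertised value
        return all(set(station_profile[k]) & set(ap_profile[k]) for k in WPA_SETS)
    if mode == "none":
        return ap_mode == "none"          # assumption: open profile matches open AP only
    raise ValueError(f"unknown mode {mode!r}")


def negotiated_wpa(station_profile: Dict, ap_profile: Dict) -> Dict[str, List[str]]:
    """Values both sides support, per set; any empty list means no match."""
    return {k: sorted(set(station_profile[k]) & set(ap_profile[k])) for k in WPA_SETS}


def select_profile(rule_value: str, profiles: Dict[str, Dict], interface_profile: str) -> Dict:
    """connect-list security-profile='none' falls back to the interface profile."""
    name = interface_profile if rule_value == "none" else rule_value
    return profiles[name]


def compatible_aps(rule_value: str, profiles: Dict[str, Dict], interface_profile: str,
                   aps: Dict[str, Dict]) -> List[str]:
    """Names of the APs (name -> advertised profile) a connect-list entry can match."""
    profile = select_profile(rule_value, profiles, interface_profile)
    return [name for name, adv in aps.items() if profile_matches_ap(profile, adv)]
```

<p>The <code>negotiated_wpa()</code> output is the part to look at when tightening a station profile: a profile that lists both <i>tkip</i> and <i>aes-ccm</i> will match, and may end up using TKIP with, an access point that offers only TKIP, whereas a profile listing <i>aes-ccm</i> alone will not match that access point at all.</p>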
</div>
[[Category:Manual]]

Revision as of 12:43, 17 September 2008



Basic settings

master-interface


Syntax: interface name
Description: Name of wireless interface that has virtual-ap capability.
Virtual AP interface will only work if master interface is in ap-bridge, bridge or wds-slave mode.
This property is only for virtual AP interfaces.

mode


Syntax: One of station, station-wds, ap-bridge, bridge, alignment-only, nstreme-dual-slave, wds-slave, station-pseudobridge or station-pseudobridge-clone
Default value: station
Description:


Station modes:
  • station - Basic station mode. Find and connect to acceptable AP.
  • station-wds - Same as station, but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in wds.
  • station-pseudobridge - Same as station, but additionally perform MAC address translation of all traffic. Allows interface to be bridged.
  • station-pseudobridge-clone - Same as station-pseudobridge, but use station-bridge-clone-mac address to connect to AP.

AP modes:
  • ap-bridge - Basic access point mode.
  • bridge - Same as ap-bridge, but limited to one associated client.
  • wds-slave - Same as ap-bridge, but scan for AP with the same ssid and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If dfs-mode is radar-detect, then APs with enabled hide-ssid will not be found during scanning.

Special modes:
  • alignment-only - Put interface in a continuous transmit mode that is used for aiming remote antenna.
  • nstreme-dual-slave - allow this interface to be used in nstreme-dual setup.


MAC address translation in pseudobridge modes works by inspecting packets and building table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is single entry in address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols.
Virtual AP interfaces do not have this property, they follow the mode of their master interface.

ssid


Syntax: text, up to 32 characters long
Default value: value of system/identity
Description: SSID (service set identifier) is a name that identifies wireless network.

frequency


Syntax: Frequency value in MHz.
Description: Channel frequency on which AP will operate.
Allowed values depend on selected band, and are restricted by country setting and wireless card capabilities. This setting has no effect if interface is in any of station modes, or in 'wds-slave' mode, or if DFS is active.

band


Syntax: one of 2.4ghz-b, 5ghz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-g-turbo, 5ghz-10mhz, 5ghz-5mhz, 2ghz-10mhz, 2ghz-5mhz, 5ghz-11n, 2ghz-11n, 2.4ghz-onlyg

scan-list


Syntax: comma separated list of frequencies and frequency ranges, or default
Description: The default value is all channels from selected band that are supported by card and allowed by the country and frequency-mode settings (this list can be seen in info). For default scan list in 5ghz band channels are taken with 20MHz step, in 5ghz-turbo band - with 40MHz step, for all other bands - with 5MHz step. If scan-list is specified manually, then all matching channels are taken.
Example: scan-list=default,5200-5245,2412-2427 This will use the default value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.

antenna-mode


Syntax:

one of these values:
  • ant-a - use only 'a' antenna
  • ant-b - use only 'b' antenna
  • txa-rxb - use antenna 'a' for transmitting, antenna 'b' for receiving
  • rxa-txb - use antenna 'b' for transmitting, antenna 'a' for receiving

wds-mode


Syntax: one of disabled, static, dynamic, static-mesh or dynamic-mesh
Description:

Controls how WDS links with other devices (APs and clients in station-wds mode) are established.
  • disabled does not allow WDS links.
  • static only allows WDS links that are manually configured in wds.
  • dynamic also allows WDS links with devices that are not configured in wds, by creating required entries dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is lost.


The "-mesh" modes use a different (better) method for establishing links between APs that is not compatible with APs in non-mesh mode. This method avoids one-sided WDS links that are created by only one of the two APs. Such links cannot pass any data.
When AP or station is establishing WDS connection with another AP, it uses connect-list to check whether this connection is allowed. If station in station-wds mode is establishing connection with AP, AP uses access-list to check whether this connection is allowed.
If mode is station-wds, then this property has no effect.

wds-default-bridge


Syntax: none, or name of bridge interface
Description: When WDS link is established and status of the wds interface becomes 'running', it will be added as a bridge port to the bridge interface specified by this property. When WDS link is lost, wds interface is removed from the bridge.
If wds interface is already included in a bridge setup when WDS link becomes active, it will not be added to bridge specified by , and will

wds-ignore-ssid


Syntax: yes or no
Default value: no
Description: By default, WDS link between two APs can be created only when they work on the same frequency and have the same SSID value. If this property is set to yes, then SSID of the remote AP will not be checked. This property has no effect on connections from clients in station-wds mode. It also does not work if wds-mode is static-mesh or dynamic-mesh.

default-authentication


Syntax: yes or no
Default value: yes
Description: For AP mode, this is the value of authentication for clients that do not match any entry in the access-list. For station mode, this is the value of connect for APs that do not match any entry in the connect-list.

default-forwarding


Syntax: yes or no
Default value: yes
Description: This is the value of forwarding for clients that do not match any entry in the access-list.

default-ap-tx-limit


Description: This is the value of ap-tx-limit for clients that do not match any entry in the access-list.

default-client-tx-limit


Description: This is the value of client-tx-limit for clients that do not match any entry in the access-list.

hide-ssid


Syntax: yes or no
Default value: no


Description:
  • yes - AP does not include SSID in the beacon frames, and does not reply to probe requests that have broadcast SSID.
  • no - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.


This property has effect only in AP mode. Setting it to yes can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve security of the wireless network, because SSID is included in other frames sent by the AP.

security-profile


Syntax: name of profile from security-profiles

compression


Syntax: yes or no
Default value: no
Description: Setting this property to yes will allow use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work.

interface-type


Syntax: virtual-AP, Prism, or Atheros model_name
Read-only property
Description: This specifies type of wireless interface. Some properties have meaning only for certain types of interfaces.

Advanced settings

frequency-mode


Syntax:

one of these values:
  • regulatory-domain - Limit available channels and maximum transmit power for each channel according to the value of country
  • manual-txpower - Same as above, but do not limit maximum transmit power.
  • superchannel - Allow all channels supported by the card.


Description: List of available channels for each band can be seen in info.

country


Syntax: either no_country_set, or name of regulatory domain
Description: Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of scan-list. Value no_country_set is an FCC compliant set of channels.

antenna-gain


Default value: 0
Description:
Antenna gain in dBi, used to calculate maximum transmit power according to country limitations.

Default basic and supported rates, depending on selected band

band            basic rates   supported rates
2.4ghz-b        1             1 .. 11
5ghz            6             6 .. 54
2.4ghz-onlyg    6             1 .. 11 and 6 .. 54
2.4ghz-b/g      1 .. 11       1 .. 11 and 6 .. 54
2.4ghz-g-turbo  6             6 .. 54

rate-set


Syntax: default or configured


Description:
  • default - default basic and supported rate sets are used. Values from basic-rates and supported-rates parameters have no effect.
  • configured - use values from basic-rates and supported-rates parameters. Note that g mode bands use rates from both "rates-b" and "rates-a/g" properties.

supported-rates-b


Description:
List of supported rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands. Two devices will communicate only using rates that are supported by both devices. This property has effect only when value of rate-set is configured.

supported-rates-a/g


Description:
Similar to the above property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.

basic-rates-b


Description:
List of basic rates, used for 2.4ghz-b, 2.4ghz-b/g and 2.4ghz-onlyg bands.
Client will connect to AP only if it supports all basic rates announced by the AP. AP will establish WDS link only if it supports all basic rates of the other AP. This property has effect only in AP modes, and when value of rate-set is 'configured'.

basic-rates-a/g


Description:
Similar to the above property, but used for 5ghz, 5ghz-10mhz, 5ghz-5mhz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-onlyg, 2ghz-10mhz, 2ghz-5mhz and 2.4ghz-g-turbo bands.

max-station-count


Syntax: 1..2007
Default value: 2007
Description: Maximum number of associated clients. WDS links also count toward this limit.

ack-timeout


Syntax: 'indoors', 'dynamic', or value in microseconds
Description:
How long to wait for confirmation of unicast frames before considering transmission unsuccessful. Value 'dynamic' causes AP to detect and use smallest timeout that works with all connected clients. Acknowledgements are not used in Nstreme protocol.

tx-power


Syntax: value in the -30..30 range

tx-power-mode


Syntax:

one of these values:

  • default -
  • all-rates-fixed -
  • card-rates -
  • manual-table -

dfs-mode


Syntax: one of 'none', 'no-radar-detect' and 'radar-detect'
Default value: none
Description:


Controls DFS (Dynamic Frequency Selection).

  • none - disables DFS.
  • no-radar-detect - Select channel from scan-list with the lowest number of detected networks. In 'wds-slave' mode this setting has no effect.
  • radar-detect - Select channel with the lowest number of detected networks and use it if no radar is detected on it for 60 seconds. Otherwise, select different channel. This setting may be required by the country regulations.


This property has effect only in AP mode.

wds-default-cost


Syntax: Number
Default value: 100
Description: Initial bridge port cost of the WDS links.

wds-cost-range


Syntax: Numeric range
Default value: 50-150
Description:
Bridge port cost of WDS links is automatically adjusted, depending on measured link throughput. Port cost is recalculated and adjusted every 5 seconds if it has changed by more than 10%, or if more than 20 seconds have passed since the last adjustment. Setting this property to '0' disables automatic cost adjustment. Automatic adjustment does not work for WDS links that are manually configured as a bridge port.

wmm-support


Syntax: 'disabled', 'enabled' or 'required'

disconnect-timeout


Syntax: time interval in the 0..15s range, in units of 10ms
Default value: 3s
Description:
This interval is measured from the third sending failure on the lowest data rate. At this point 3 * (hw-retries + 1) frame transmits on the lowest data rate have failed. During disconnect-timeout packet transmission will be retried with on-fail-retry-time interval. If no frame can be transmitted successfully during disconnect-timeout, the connection is closed, and this event is logged as "extensive data loss". Successful frame transmission resets this timer.

on-fail-retry-time


Syntax: time interval in the 10ms..1s range, in 10ms units
Default value: 100ms
Description: After third sending failure on the lowest data rate, wait for this long before retrying.

frame-lifetime


Syntax: time in hundredths of a second
Default value: 0
Description:
Discard frames that have been queued for sending longer than frame-lifetime. By default, when value of this property is 0, frames are discarded only after connection is closed.

preamble-mode


Syntax: one of 'long', 'short' or 'both'
Default value: both
Description: Short preamble mode is an option of 802.11b standard that reduces per-frame overhead.

On AP:

  • long - Do not use short preamble.
  • short - Announce short preamble capability. Do not accept connections from clients that do not have this capability.
  • both - Announce short preamble capability.


On station:

  • long - do not use short preamble.
  • short - do not connect to AP if it does not support short preamble.
  • both - Use short preamble if AP supports it.

allow-sharedkey


Syntax: 'yes' or 'no'
Default value: no
Description: Allow WEP Shared Key clients to connect. Note that no authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted at once (if access list allows that).

station-bridge-clone-mac


Syntax: MAC address
Description: This property has effect only in the 'station-pseudobridge-clone' mode.
Use this MAC address when connecting to the AP. If this value is 00:00:00:00:00:00, the station will initially use the MAC address of the wireless interface. As soon as a packet with the MAC address of another device needs to be transmitted, the station will reconnect to the AP using that address.

hw-retries


Syntax: number 0..15
Default value: 15
Description:
Number of times sending a frame is retried without considering it a transmission failure. Data rate is decreased upon failure and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to this destination for the duration of on-fail-retry-time. After that, the frame is sent again. The frame is retransmitted until transmission succeeds, or until the client is disconnected after disconnect-timeout. The frame can be discarded during this time if frame-lifetime is exceeded.
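The following added model (not RouterOS code) replays one queued frame through the retry ladder that hw-retries, on-fail-retry-time, disconnect-timeout and frame-lifetime describe above. Times are in milliseconds, the rate ladder 54/24/6/1 Mbit/s is constructed, and a burst of (hw-retries + 1) transmits is assumed to take negligible time compared with on-fail-retry-time.

```python
from typing import Iterable


def run_link(burst_results: Iterable[bool], hw_retries: int = 15,
             on_fail_retry_ms: int = 100, disconnect_timeout_ms: int = 3000,
             frame_lifetime_ms: int = 0, rates=(54, 24, 6, 1)) -> dict:
    """Replay one frame. Each element of burst_results is the outcome of one
    burst of (hw_retries + 1) transmit attempts; False is a 'sending failure'.
    frame_lifetime_ms=0 keeps the manual's default: discard only on disconnect."""
    rate_idx = 0              # start at the highest rate, drop one per failure
    lowest_failures = 0       # sequential failures at the lowest rate
    lowest_failed_tx = 0      # transmits that failed at the lowest rate
    now_ms = 0                # time since the frame was queued
    timer_start = None        # disconnect-timeout starts at 3rd lowest-rate failure

    def result(outcome: str) -> dict:
        return {"outcome": outcome, "elapsed_ms": now_ms,
                "rate": rates[rate_idx], "lowest_failed_tx": lowest_failed_tx}

    for ok in burst_results:
        if ok:
            return result("sent")            # success also resets the timer
        if rate_idx < len(rates) - 1:
            rate_idx += 1                    # rate decreased, frame sent again
            continue
        lowest_failures += 1
        lowest_failed_tx += hw_retries + 1
        if lowest_failures < 3:
            continue                         # still within normal retries
        if timer_start is None:
            timer_start = now_ms             # 3 * (hw_retries + 1) failed here
        now_ms += on_fail_retry_ms           # transmission suspended, then retried
        if frame_lifetime_ms and now_ms > frame_lifetime_ms:
            return result("frame discarded")  # frame dropped, link stays up
        if now_ms - timer_start >= disconnect_timeout_ms:
            return result("extensive data loss")  # client disconnected, as logged
    return result("still retrying")
```

With the defaults (hw-retries 15, on-fail-retry-time 100ms, disconnect-timeout 3s) the timer starts after 48 failed transmits at the lowest rate and the client is dropped after 30 further retry intervals.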

Proprietary extensions

radio-name


Syntax: Text
Description: Descriptive name of the device, that is shown in registration table entries on the remote devices.
This is a proprietary extension.

area


Syntax: Text
Default value: empty
Description: Identifies group of wireless networks. This value is announced by AP, and can be matched in connect-list by area-prefix. This is a proprietary extension.

update-stats-interval


Syntax: 'disabled' or time interval in the 10s..5h range
Default value: disabled
Description: How often to request update of signal strength and ccq values from clients. Access to registration-table also triggers update of these values. This is a proprietary extension.

proprietary-extensions


Syntax: 'pre-2.9.25' or 'post-2.9.25'
Default value: post-2.9.25
Description:

RouterOS includes proprietary information in an information element of management frames. This parameter controls how this information is included.

  • pre-2.9.25 - This is older method. It can interoperate with newer versions of RouterOS. This method is incompatible with some clients, for example, Centrino based ones.
  • post-2.9.25 - This uses standardized way of including vendor specific information, that is compatible with newer wireless clients.

Atheros specific

noise-floor-threshold


Syntax: 'default' or value in the -128..127 range
Description: This property is only effective for cards based on AR5211 chipset.

adaptive-noise-immunity


Syntax: 'yes' or 'no'
Default value: yes
Description: This property is only effective for cards based on Atheros chipset.

periodic-calibration


Syntax: one of 'default', 'enabled' or 'disabled'
Description: Setting 'default' enables periodic calibration if info default-periodic-calibration property is 'enabled'. Value of that property depends on the type of wireless card. This property is only effective for cards based on Atheros chipset.

periodic-calibration-interval


Syntax: value in range 1..10000
Default value: 60
Description: This property is only effective for cards based on Atheros chipset.

Prism specific

prism-cardtype


Syntax: '30mW', '100mW', '200mW'
Description: Specify type of the installed wireless card.