MikroTik Router OS V3.0 User Manual

[admin@MikroTik] ip socks connections>

Application Examples

FTP service through SOCKS server

[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade src-address=192.168.0.0/24
[admin@MikroTik] ip firewall nat>

[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=drop src-address=192.168.0.0/24 dst-port=21 protocol=tcp
[admin@MikroTik] ip firewall filter>

[admin@MikroTik] ip socks> set enabled=yes
[admin@MikroTik] ip socks> print
                    enabled: yes
                       port: 1080
    connection-idle-timeout: 2m
            max-connections: 200
[admin@MikroTik] ip socks>

[admin@MikroTik] ip socks access> add dst-port=1024-65535 action=allow
[admin@MikroTik] ip socks access> add action=deny
[admin@MikroTik] ip socks access> print
Flags: X - disabled
 0   src-address=192.168.0.2 dst-port=21 action=allow
 1   dst-port=1024-65535 action=allow
 2   action=deny
[admin@MikroTik] ip socks access>

[admin@MikroTik] ip socks connections> print
 # SRC-ADDRESS        DST-ADDRESS     TX    RX
 0 192.168.0.2:1238   10.5.8.8:21     1163  4625
 1 192.168.0.2:1258   10.5.8.8:3423   0     3231744
[admin@MikroTik] ip socks connections>

Page 410 of 480
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
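The access list printed above can be checked against the two proxied connections shown by `ip socks connections print`. The following Python sketch is an added example, not part of the MikroTik manual; it assumes the rules are evaluated top to bottom with the first match deciding, and `decide` and `unscoped_allows` are hypothetical helper names.

```python
import ipaddress

# Rules copied from the `ip socks access print` output above.
ACCESS = [
    {"src-address": "192.168.0.2", "dst-port": "21", "action": "allow"},
    {"dst-port": "1024-65535", "action": "allow"},
    {"action": "deny"},
]

def _port_in(spec, port):
    """True if port falls in 'N' or 'LOW-HIGH'."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _addr_in(spec, addr):
    """True if addr falls in a host address or CIDR prefix."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def decide(rules, src, dst_port):
    """Return (index, action) of the first matching rule (assumed first-match order)."""
    for index, rule in enumerate(rules):
        if "src-address" in rule and not _addr_in(rule["src-address"], src):
            continue
        if "dst-port" in rule and not _port_in(rule["dst-port"], dst_port):
            continue
        return index, rule["action"]
    return None, None  # no rule matched; the fall-through behaviour is not modelled

def unscoped_allows(rules):
    """Indexes of allow rules that do not restrict the client source address."""
    return [i for i, r in enumerate(rules)
            if r["action"] == "allow" and "src-address" not in r]

if __name__ == "__main__":
    # The two connections from `ip socks connections print`, then a constructed
    # client (192.168.0.77) that is not named in any rule.
    for src, port in [("192.168.0.2", 21), ("192.168.0.2", 3423),
                      ("192.168.0.77", 21), ("192.168.0.77", 3423)]:
        print(src, port, decide(ACCESS, src, port))
    print("allow rules without src-address:", unscoped_allows(ACCESS))
```

Rule 1 carries no `src-address`, so the high-port allowance used for the FTP data connection applies to every client that can reach the proxy, while rule 0 is limited to 192.168.0.2.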


UPnP

Document revision 2.3 (January 14, 2008, 11:56 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents
• Summary
• Specifications
• Description
• Additional Documents
• Enabling Universal Plug-n-Play: Property Description, Notes, Example
• UPnP Interfaces: Property Description, Notes, Example

General Information

Summary

Specifications

Packages required: system
License required: level1
Home menu level: /ip upnp
Standards and Technologies: TCP/IP, HTTP, XML, IGD
Hardware usage: Not significant

Description

Additional Documents

Enabling Universal Plug-n-Play

Home menu level: /ip upnp

Property Description

allow-disable-external-interface (yes | no; default: yes) - whether users are allowed to disable the router's external interface. The standard requires this functionality (users being able to turn the router's external interface off without any authentication procedure), but it is sometimes unexpected or unwanted in UPnP deployments the standard was not designed for (it was designed mostly for home users establishing their own local networks), so you can disable this behavior
enabled (yes | no; default: no) - whether the UPnP feature is enabled
show-dummy-rule (yes | no; default: yes) - enables a workaround for some broken implementations that handle the absence of UPnP rules incorrectly (for example, by popping up error messages). This option instructs the server to install a dummy (meaningless) UPnP rule that can be observed by clients that refuse to work correctly otherwise

Notes

Example

[admin@MikroTik] ip upnp> set enable=yes
[admin@MikroTik] ip upnp> print
                             enabled: yes
    allow-disable-external-interface: yes
                     show-dummy-rule: yes
[admin@MikroTik] ip upnp>

UPnP Interfaces

Home menu level: /ip upnp interfaces

Property Description

interface (name) - name of the interface UPnP will run on
type (external | internal) - interface type, one of:
• external - the interface a global IP address is assigned to
• internal - the router's local interface the clients are connected to

Notes

Example

[admin@MikroTik] ip upnp interfaces> /ip firewall src-nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether1
[admin@MikroTik] ip upnp interfaces>

[admin@MikroTik] ip upnp interfaces> add interface=ether1 type=external
[admin@MikroTik] ip upnp interfaces> add interface=ether2 type=internal

[admin@MikroTik] ip upnp interfaces> print
Flags: X - disabled
 #   INTERFACE  TYPE
 0 X ether1     external
 1 X ether2     internal

[admin@MikroTik] ip upnp interfaces> enable 0,1
[admin@MikroTik] ip upnp interfaces> .. set enabled=yes
[admin@MikroTik] ip upnp interfaces>

Certificate Management

Document revision 2.4 (January 23, 2008, 14:31 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents
• Summary
• Specifications
• Description
• Certificates: Description, Property Description, Command Description, Notes, Example

General Information

Summary

Specifications

Packages required: system
License required: level1
Home menu level: /certificate
Standards and Technologies: SSLv2, SSLv3, TLS
Hardware usage: high CPU usage

Description

Certificates

Home menu level: /certificate

Description

Property Description

alias (read-only: text) - alias (comment) used for generating the certificate
ca (yes | no; default: yes) - whether the certificate is used for building or verifying certificate chains (as Certificate Authority)
email (read-only: text) - e-mail address of the holder
invalid-after (read-only: date) - date the certificate is valid until
invalid-before (read-only: date) - date the certificate is valid from
issuer (read-only: text) - issuer of the certificate
name (name) - reference name
serial-number (read-only: text) - serial number of the certificate
subject (read-only: text) - holder (subject) of the certificate

Command Description

create-certificate-request - creates an RSA certificate request to be signed by a Certificate Authority. After this, download both the private key and the certificate request files from the router. When you receive your signed certificate from the CA, upload it and the private key (that is made by this command) to a router and use the /certificate import command to install it
• certificate request file name - name for the certificate request file (if it already exists, it will be overwritten). This is the original certificate that will be signed by the Certificate Authority
• file name - name of the private key file. If such a file does not exist, it will be created during the next step. Private key is used to encrypt the certificate
• passphrase - the passphrase that will be used to encrypt the generated private key file. You must enter it twice to be sure you have not made any typing errors
• rsa key bits - number of bits for the RSA (encryption) key. Longer keys take more time to generate. A 4096-bit key takes about 30 seconds to generate on a Celeron 800 system
• country name - (C) ISO two-character country code (e.g., LV for Latvia)
• state or province name - (ST) full name of the state or province
• locality name - (L) locality (e.g. city) name
• organization name - (O) name of the organization or company
• organization unit name - (OU) organization unit name
• common name - (CN) the server's common name. For SSL web servers this must be the fully qualified domain name (FQDN) of the server that will use this certificate (like www.example.com). This is checked by web browsers
• email address - (Email) e-mail address of the person responsible for the certificate
• challenge password - the challenge password. Its use depends on your CA. It may be used to revoke this certificate
• unstructured address - unstructured address (like street address). Enter only if your CA accepts or requires it

decrypt - decrypt and cache public keys
• passphrase - passphrase for the found encrypted private key
• keys-decrypted - how many keys were successfully decrypted and cached

import - install new certificates
• file-name - import only this file (all files are searched for certificates by default)
• passphrase - passphrase for the found encrypted private key
• certificates-imported - how many new certificates were successfully imported
• private-keys-imported - how many private keys for existing certificates were successfully imported
• files-imported - how many files contained at least one item that was successfully imported
• decryption-failures - how many files could not be decrypted
• keys-with-no-certificate - how many public keys were successfully decrypted, but did not have a matching certificate already installed

reset-certificate-cache - delete all cached decrypted public keys and rebuild the certificate cache

Notes

Example

[admin@MikroTik] certificate> import
passphrase: xxxx
     certificates-imported: 1
     private-keys-imported: 1
            files-imported: 2
       decryption-failures: 0
  keys-with-no-certificate: 1
[admin@MikroTik] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0 QR name=cert1 subject=C=LV,ST=.,O=.,CN=cert.example.com
      issuer=C=LV,ST=.,O=.,CN=third serial-number=01
      invalid-before=sep/17/2003 11:56:19 invalid-after=sep/16/2004 11:56:19
      ca=yes
[admin@MikroTik] certificate> decrypt
passphrase: xxxx
keys-decrypted: 1
[admin@MikroTik] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0 KR name=cert1 subject=C=LV,ST=.,O=.,CN=cert.example.com
      issuer=C=LV,ST=.,O=.,CN=third serial-number=01
      invalid-before=sep/17/2003 11:56:19 invalid-after=sep/16/2004 11:56:19
      ca=yes
[admin@MikroTik] certificate>

[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
 #   NAME         PORT  ADDRESS    CERTIFICATE
 0   telnet       23    0.0.0.0/0
 1   ftp          21    0.0.0.0/0
 2   www          8081  0.0.0.0/0
 3   hotspot      80    0.0.0.0/0
 4   ssh          22    0.0.0.0/0
 5   hotspot-ssl  443   0.0.0.0/0  none
[admin@MikroTik] ip service> set hotspot-ssl certificate=
cert1 none
[admin@MikroTik] ip service> set hotspot-ssl certificate=cert1
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
 #   NAME         PORT  ADDRESS    CERTIFICATE
 0   telnet       23    0.0.0.0/0
 1   ftp          21    0.0.0.0/0
 2   www          8081  0.0.0.0/0
 3   hotspot      80    0.0.0.0/0
 4   ssh          22    0.0.0.0/0
 5   hotspot-ssl  443   0.0.0.0/0  cert1
[admin@MikroTik] ip service>
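The import, decrypt and service-assignment steps above leave three things to verify on a router: the service has a certificate, the certificate's private key carries the K flag, and the current date lies inside the invalid-before/invalid-after window. This Python check is an added example, not part of the MikroTik manual; the function names are hypothetical, the inputs are re-typed from the `print` outputs above, and treating `-ssl` services as needing a certificate with a decrypted key is an assumption.

```python
import re
from datetime import datetime

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
# Constructed input: rows re-typed from the two `print` outputs above.
CERTS = """\
 0 KR name=cert1 subject=C=LV,ST=.,O=.,CN=cert.example.com
      issuer=C=LV,ST=.,O=.,CN=third serial-number=01
      invalid-before=sep/17/2003 11:56:19 invalid-after=sep/16/2004 11:56:19
      ca=yes
"""
SERVICES = " 4 ssh 22 0.0.0.0/0\n 5 hotspot-ssl 443 0.0.0.0/0 cert1\n"

def ros_date(text):
    """Parse a RouterOS timestamp such as 'sep/16/2004 11:56:19'."""
    mon, day, year, hh, mm, ss = re.split(r"[/ :]", text)
    return datetime(int(year), MONTHS.index(mon) + 1, int(day), int(hh), int(mm), int(ss))

def parse_certs(text):
    """Return {name: properties plus 'flags'} from `certificate print` output."""
    certs = {}
    entry = r"^\s*\d+\s+([KQRD]*)\s*(.*?)(?=^\s*\d+\s|\Z)"
    for flags, body in re.findall(entry, text, re.S | re.M):
        props = dict(re.findall(r"([a-z-]+)=(.*?)(?=\s+[a-z-]+=|\s*\Z)", body, re.S))
        certs[props["name"]] = dict(props, flags=flags)
    return certs

def parse_services(text):
    """Return {service: certificate name or None} from `ip service print` rows."""
    rows = ([t for t in line.split() if t not in ("X", "I")]  # drop row flags
            for line in text.strip().splitlines())
    return {f[1]: (f[4] if len(f) > 4 and f[4] != "none" else None) for f in rows}

def audit(certs, services, now):
    """Return (service, finding) pairs for services that should present a certificate."""
    findings = []
    for svc, name in services.items():
        cert = certs.get(name)
        if name is None:
            if svc.endswith("-ssl"):  # assumption: '-ssl' services need a certificate
                findings.append((svc, "no certificate assigned"))
        elif cert is None:
            findings.append((svc, "certificate not installed"))
        else:
            if "K" not in cert["flags"]:
                findings.append((svc, "private key not decrypted"))
            if not ros_date(cert["invalid-before"]) <= now <= ros_date(cert["invalid-after"]):
                findings.append((svc, "outside validity window"))
    return findings
```

Run against the sample rows with the manual's revision date (January 23, 2008) as `now`, `audit` reports `hotspot-ssl` as outside its validity window, since cert1 expired on sep/16/2004.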