Monday, March 20, 2006

Mikrotik RouterOS 2.9.14 P2P Wireless Link

This is going to get technical, as it's a reference article for the masses of RouterOS users out there.

To establish a Point to Point wireless link using RouterOS 2.9.14 and the following hardware:
2 x PC Engines WRAP 1-1 (w/64MB CF card)
2 x Senao NL-2511MP PLUS 200mW miniPCI wireless adaptor
2 x Hills 15dBi Grid Directional Antenna

Plus various bits of hardware for mounting and connecting the aforementioned items together. I used thin RG58 coaxial cable since I had power to spare and the distances weren't large.

Since the Prism chipset doesn't support hidden SSID or WEP correctly while in AP mode, I had to make up the security using other methods. So I included MAC filtering, a limited subnet and IPsec. I'll also include a tightened firewall to keep out the randoms, but that can wait.

I'm in the process of having our supplier of these bits and pieces source Ubiquiti Networks SR5 wireless adapters. The specs are 400mW 802.11a (5.8GHz), with 100mW@54Mbps and very reasonable receive sensitivities. These cards would be a much better solution for this point to point link; however, the added costs of 5.8GHz antennas, cable, connectors and the adapters themselves would put this link in the red. It does offer an upgrade path, though.

All electronic items were purchased from Yawarra Information Appliances (http://www.yawarra.com.au). I highly recommend them: excellent service, prompt delivery and more than happy to assist.

Antennas and associated mounting equipment were sourced from Hills Australia - DJC Wholesale Pty Ltd (http://www.djcoulter.com.au)

Connectors and coaxial cable were sourced from RF Industries Pty Ltd (http://www.rfindustries.com.au).

Budget came to about $1,500.00 AUD.

The RouterOS configuration particulars are as follows:

Office End:

Wireless Interface (P2P):
name="P2P" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled disable-running-check=no interface-type=Prism prism-cardtype=200mW radio-name="office" mode=bridge ssid="xxxxx" area="" frequency-mode=regulatory-domain country=australia antenna-gain=0 frequency=2462 band=2.4ghz-b scan-list=default rate-set=default supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps basic-rates-b=1Mbps max-station-count=2007 tx-power=23 tx-power-mode=all-rates-fixed periodic-calibration=default periodic-calibration-interval=60 dfs-mode=none antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none wds-default-cost=100 wds-cost-range=50-150 wds-ignore-ssid=no update-stats-interval=disabled default-authentication=no default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=default disconnect-timeout=3s on-fail-retry-time=100ms compression=no allow-sharedkey=no

Home End:

Wireless Interface (P2P):
name="P2P" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled disable-running-check=no interface-type=Prism prism-cardtype=200mW radio-name="home" mode=station ssid="xxxxx" area="" frequency-mode=regulatory-domain country=australia antenna-gain=0 frequency=2462 band=2.4ghz-b scan-list=default rate-set=default supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps basic-rates-b=1Mbps max-station-count=2007 tx-power=23 tx-power-mode=all-rates-fixed periodic-calibration=default periodic-calibration-interval=60 dfs-mode=none antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none wds-default-cost=100 wds-cost-range=50-150 wds-ignore-ssid=no update-stats-interval=disabled default-authentication=no default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=default disconnect-timeout=3s on-fail-retry-time=100ms compression=no allow-sharedkey=no

IPSec (both ends, substitute the 'x' placeholders with the appropriate addresses). Note that the peer (phase 1) uses md5/3des while the proposal (phase 2) uses sha1/3des; these are the weakest choices on offer, so prefer sha1 and AES wherever the RouterOS build on both ends supports them:

IPSec Peer:

address=192.168.254.xxx/32:500 /
secret="xxxxxxxxxxxxxxx" /
generate-policy=no exchange-mode=main /
send-initial-contact=yes proposal-check=obey /
hash-algorithm=md5 enc-algorithm=3des /
dh-group=modp1024 lifetime=12h lifebytes=0

IPSec Policy:
src-address=192.168.x.0/24:any /
dst-address=192.168.x.0/24:any protocol=all /
action=encrypt level=require ipsec-protocols=esp /
tunnel=yes sa-src-address=192.168.254.xxx /
sa-dst-address=192.168.254.xxx proposal=default /
manual-sa=none dont-fragment=clear

IPSec Proposal:
name="default" auth-algorithms=sha1 /
enc-algorithms=3des lifetime=30m /
lifebytes=0 pfs-group=modp1024

Since the network only consists of three subnets I made do with static routing. Dynamic routing is possible but adds complexity in an otherwise static network.
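The MAC filtering, limited link subnet and firewall mentioned at the start, plus the static routes just described, are not spelled out above, so here is an added example of what they look like at the RouterOS CLI. This is not the original post's configuration: the addressing (office LAN 192.168.1.0/24, home LAN 192.168.2.0/24, link subnet 192.168.254.0/24 with the office router at .1 and the home router at .2), the two card MAC addresses, and the comments are assumptions chosen for illustration. The access-list and connect-list syntax follows the 2.9 manual; check it against your build. It relies on one detail of the interface config above: default-authentication=no on both ends, which on the AP refuses stations not in the access-list and on the station joins only APs listed in the connect-list.

```routeros
# Added example, not from the original post. Assumed addressing and MACs:
#   office LAN 192.168.1.0/24, home LAN 192.168.2.0/24, link 192.168.254.0/24
#   office router link address 192.168.254.1, home router 192.168.254.2
#   home (station) card MAC 00:11:22:33:44:55, office (AP) card MAC 00:AA:BB:CC:DD:EE

# ---------- Office end (mode=bridge, acts as the AP) ----------
# MAC filtering: with default-authentication=no on P2P, only stations in this
# list are allowed to associate.
/interface wireless access-list add interface=P2P mac-address=00:11:22:33:44:55 authentication=yes forwarding=yes comment="home end only"

# Link addressing and a static route to the far LAN via the peer's link address.
/ip address add address=192.168.254.1/24 interface=P2P
/ip route add dst-address=192.168.2.0/24 gateway=192.168.254.2

# Firewall on the link. The router itself accepts only IKE (udp/500) and ESP
# from the peer plus replies to its own traffic; everything else is dropped.
/ip firewall filter add chain=input in-interface=P2P connection-state=established action=accept
/ip firewall filter add chain=input in-interface=P2P src-address=192.168.254.2 protocol=udp dst-port=500 action=accept comment="IKE from peer"
/ip firewall filter add chain=input in-interface=P2P src-address=192.168.254.2 protocol=ipsec-esp action=accept comment="ESP from peer"
/ip firewall filter add chain=input in-interface=P2P action=drop comment="nothing else from the link"
# Forwarding: only LAN-to-LAN traffic crosses the link. That traffic is the
# decrypted ESP payload, which is run through the forward chain again with
# in-interface=P2P, so anything else arriving on P2P is not ours.
/ip firewall filter add chain=forward in-interface=P2P src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept comment="home LAN to office LAN"
/ip firewall filter add chain=forward in-interface=P2P action=drop

# ---------- Home end (mode=station) ----------
# With default-authentication=no in station mode the card joins only an AP in
# the connect-list, so a rogue AP advertising the same SSID is ignored.
/interface wireless connect-list add interface=P2P mac-address=00:AA:BB:CC:DD:EE ssid="xxxxx" connect=yes comment="office AP only"
/ip address add address=192.168.254.2/24 interface=P2P
/ip route add dst-address=192.168.1.0/24 gateway=192.168.254.1
# Same firewall with the addresses and subnets swapped.
/ip firewall filter add chain=input in-interface=P2P connection-state=established action=accept
/ip firewall filter add chain=input in-interface=P2P src-address=192.168.254.1 protocol=udp dst-port=500 action=accept comment="IKE from peer"
/ip firewall filter add chain=input in-interface=P2P src-address=192.168.254.1 protocol=ipsec-esp action=accept comment="ESP from peer"
/ip firewall filter add chain=input in-interface=P2P action=drop comment="nothing else from the link"
/ip firewall filter add chain=forward in-interface=P2P src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept comment="office LAN to home LAN"
/ip firewall filter add chain=forward in-interface=P2P action=drop

# ---------- Checks, either end ----------
# Exactly one entry with the expected MAC and a sane signal level:
/interface wireless registration-table print
# One ESP SA per direction once the first LAN-to-LAN packet has triggered IKE:
/ip ipsec installed-sa print
```

One caveat that follows directly from the policy above: its src-address and dst-address are the two LAN /24s, so only LAN-to-LAN traffic is encrypted. Anything addressed to the routers' own 192.168.254.x link addresses (including any management session to the far router over the link) crosses the air in the clear, which is why the input chain above admits nothing but IKE and ESP from the link.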

I may include 'watch' scripts that keep an eye on the link and make appropriate configuration changes or interface restarts as necessary.
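As an added example of such a watch script (not the post's own, since none is given), the following probes the far end from the office router and restarts the radio when it stops answering. It assumes the far end's link address is 192.168.254.2 and the interface is named P2P as in the config above; the script and scheduler names are made up, and the scripting syntax follows the 2.9 scripting reference, so verify it on your build.

```routeros
# Added example, not from the original post. Assumes the far end answers at
# 192.168.254.2 and the wireless interface is named P2P.
/system script add name=p2p-watch source={
    # /ping returns the number of replies received. Five probes with none
    # answered is treated as a dead link rather than a single dropped packet,
    # so an occasional lost ping does not bounce the radio.
    :if ([/ping 192.168.254.2 count=5] = 0) do={
        :log warning "P2P: no reply from far end, restarting interface"
        /interface disable P2P
        :delay 3
        /interface enable P2P
        # Give the station time to re-associate, then confirm the fix worked.
        :delay 15
        :if ([/ping 192.168.254.2 count=5] = 0) do={
            :log error "P2P: still down after interface restart"
        } else={
            :log info "P2P: link restored"
        }
    }
}
# Probe once a minute; the interval also bounds how often a flapping link
# can be restarted.
/system scheduler add name=p2p-watch interval=1m on-event=p2p-watch
```

Only run this on one end of the link, or stagger the two schedulers: if both routers restart their radios at the same moment, each sees the other's restart as a failure and the link can oscillate.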

But otherwise, that's all there is to it.
