Client Node Configuration

BE SURE YOU ALWAYS HAVE AN ANTENNA OR DUMMY LOAD PLUGGED IN WHEN THE MODEM IS POWERED ON

RouterOS Versions

As of this writing, most equipment you purchase will be running some version of RouterOS 6 (e.g. 6.48.1). Some time ago, Mikrotik released RouterOS 7 (ROS7), which HamWAN initially avoided. Over the past year, ROS7 has improved significantly: it has many useful features and tracks a much newer underlying Linux kernel and software stack. We are now steadily upgrading the HamWAN core infrastructure to ROS7, and we can recommend that clients do the same at their convenience. There is no critical need to do so, but long-term support should be better and some newer features are much better supported there (e.g. WireGuard tunnels and IPsec support). If you are setting up from scratch, you may want to upgrade your device to ROS7 first. See the section Upgrading RouterOS to Version 7.x below.

Instructions

These instructions are meant to be entered from the command line interface of the router. You can open a command line in Winbox by clicking on "New Terminal". To paste commands in Winbox, it's necessary to right-click and select Paste rather than trying to use Ctrl-V.

  1. Upgrade your modem to the latest RouterOS version (either v6 or v7). Note that you also need to upgrade the RouterOS firmware, which is an extra step.
    • If you have connected the modem to your LAN in a way that provides Internet access, the following command can be used:

      /system package update install

      (system reboots)

      /system routerboard upgrade

      (answer queries, system reboots)

    • Otherwise, use the standalone upgrade method: http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS (also works on older ROS 5.xx that does not support the upgrade command)

  2. Reset the router to a blank configuration.

    /system reset-configuration no-defaults=yes
  3. Give your modem a name that tells us where it's located and which site it's linking to. For example, AE7SJ's modem linked to the Paine Field cell site:

    /system identity
    set name=AE7SJ-Paine
  4. Set a password for the admin user.
    • Using Winbox:
      • Click System -> Users -> Users tab -> double click admin -> Password...
    • Or using terminal:

      /user set admin password=
      /console clear-history

      This is an example password generated in your browser. You may choose any password you like.

  5. To support shared administration, add the following HamWAN Network Administration accounts into the "full" group. Usernames are case sensitive.

    /user
    add group=full name=KD7DK password=
    add group=full name=NQ1E password=
    add group=full name=dylan password=
    add group=full name=eo password=
    add group=full name=kc7aad password=
    add group=full name=kennyr password=
    add group=full name=nigel password=
    add group=full name=nr3o password=
    add group=full name=osburn password=
    add group=full name=tom password=
    add group=full name=va7dbi password=
    add group=full name=ve7alb password=
    add group=read name=monitoring password=
    /console clear-history

    The passwords above are randomly generated in your browser, not stored anywhere, and will never be used. Any HamWAN access to your modem will be done with crypto keys.

  6. To support shared administration, add SSH keys for the HamWAN Network Administration accounts. There is an online and offline option.
    1. If you are going to configure while you are connected to the internet, fetch the files directly from the HamWAN server.

      /tool fetch url="https://monitoring.hamwan.net/keys/KD7DK.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/NQ1E.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/dylan.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/eo.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/kc7aad.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/kennyr.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/monitoring.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/nigel.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/nr3o.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/osburn.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/tom.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/va7dbi.key"
      /tool fetch url="https://monitoring.hamwan.net/keys/ve7alb.key"
    2. If you are NOT going to be configuring while you have internet access, download the key files ahead of time from the HamWAN monitoring server to your computer. Download all the files ending in .key you see above from https://monitoring.hamwan.net/keys/. When configuring the modem, drag and drop the files into the Winbox Files window on your modem.
    3. In either case, import SSH keys and associate them with the right accounts.

      /user ssh-keys
      import public-key-file=KD7DK.key user=KD7DK
      import public-key-file=NQ1E.key user=NQ1E
      import public-key-file=dylan.key user=dylan
      import public-key-file=eo.key user=eo
      import public-key-file=kc7aad.key user=kc7aad
      import public-key-file=kennyr.key user=kennyr
      import public-key-file=monitoring.key user=monitoring
      import public-key-file=nigel.key user=nigel
      import public-key-file=nr3o.key user=nr3o
      import public-key-file=osburn.key user=osburn
      import public-key-file=tom.key user=tom
      import public-key-file=va7dbi.key user=va7dbi
      import public-key-file=ve7alb.key user=ve7alb
  7. Enable Ethernet boot in case you ever need to reinstall the router with NetInstall. Also set auto-upgrade on the Routerboard firmware. This will help keep RouterOS and the firmware in sync. Running firmware that is out of sync with RouterOS has been known to cause problematic operation in rare cases.

    /system routerboard settings set boot-device=try-ethernet-once-then-nand
    /system routerboard settings set auto-upgrade=yes
  8. Remote Logging

    /system logging action set 3 bsd-syslog=no name=remote remote=44.25.0.8 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto target=remote
    /system logging add action=remote disabled=no prefix="" topics=info
    /system logging add action=remote disabled=no prefix="" topics=warning
    /system logging add action=remote disabled=no prefix="" topics=error
  9. SNMP Monitoring

    /snmp set contact="IRC #hamwan-support on libera.chat" enabled=yes
    /snmp community set name=hamwan addresses=44.24.240.0/20,44.25.0.0/16 read-access=yes write-access=no numbers=0
  10. Use HamWAN's Anycast NTP Servers

    /system ntp client set enabled=yes primary-ntp=44.25.0.4 secondary-ntp=44.25.1.4
  11. Clear firewall filter rules

    /ip firewall filter remove [find dynamic=no]
  12. Set the HamWAN Maximum Transmission Unit (MTU) policy

    /ip firewall mangle
    add action=change-mss chain=output new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
    add action=change-mss chain=forward new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
  13. Remove local DHCP server

    /ip dhcp-server
    remove [find]
    /ip dhcp-server network
    remove [find]
  14. Remove IP address from wireless interface

    /ip address remove [find interface~"^wlan1"]
  15. Disable DNS service

    /ip dns
    set allow-remote-requests=no
  16. OPTIONAL: Disable unused services

    These have been used as attack vectors in the past, so it's best practice to disable anything you aren't using. The following will leave only SSH, Winbox, and mac-winbox enabled for administration. Winbox is blocked at the HamWAN edge routers, so only SSH will be available from the internet. You will be able to use SSH, Winbox, and mac-winbox from your LAN.

    /ip service disable telnet,ftp,www,api,api-ssl
  17. OPTIONAL: Move SSH to port 222

    This doesn't really improve security, but it significantly decreases the cracking attempts that clutter the logs and burn CPU time.

    /ip service set ssh port=222

    From now on, you must specify the non-standard port when using SSH, like this:

    ssh -p 222 YOUR-MODEM.hamwan.net

    As a shortcut, you can change the default in your ~/.ssh/config file:

    Host *.hamwan.net
      Port 222
  18. Add HamWAN sector channels

    /interface wireless channels
    add band=5ghz-onlyn comment="Cell sites radiate this at 0 degrees (north)" frequency=5920 list=HamWAN name=Sector1-5 width=5
    add band=5ghz-onlyn comment="Cell sites radiate this at 120 degrees (south-east)" frequency=5900 list=HamWAN name=Sector2-5 width=5
    add band=5ghz-onlyn comment="Cell sites radiate this at 240 degrees (south-west)" frequency=5880 list=HamWAN name=Sector3-5 width=5
    add band=5ghz-onlyn comment="Cell sites radiate this at 0 degrees (north)" frequency=5920 list=HamWAN name=Sector1-10 width=10
    add band=5ghz-onlyn comment="Cell sites radiate this at 120 degrees (south-east)" frequency=5900 list=HamWAN name=Sector2-10 width=10
    add band=5ghz-onlyn comment="Cell sites radiate this at 240 degrees (south-west)" frequency=5880 list=HamWAN name=Sector3-10 width=10
  19. Configure the modem to announce your callsign and location

    /interface wireless
    # For example: set 0 radio-name="AE7SJ/Monroe-Paine"
    set 0 radio-name="CALLSIGN/YourLocation-DestinationCell"
  20. Configure dual chain operation

    If you have a modern, dual chain radio (horizontal and vertical polarized antennas), enable both chains.

    /interface wireless
    set 0 rx-chains=0,1 tx-chains=0,1
  21. Set your location, so that your station shows up on the HamWAN map. Supply your latitude and longitude in decimal degrees separated by a comma, like location=47.1234,-121.1234.

    /snmp set location=LAT,LON
  22. Configure the wireless card to use HamWAN

    /interface wireless
    set 0 disabled=no country=no_country_set frequency-mode=superchannel band=5ghz-onlyn mode=station scan-list="HamWAN" ssid=HamWAN wireless-protocol=nv2

    If you get an error of "input does not match any value of name", re-run the set command WITHOUT the scan-list=HamWAN parameter, and use Winbox to set the scan-list to HamWAN instead. This is a suspected bug. If the command results in a "failure: incompatible band and channel-width" message, add "channel-width=5mhz" to the command.

  23. Tell your modem to pull DHCP, including default gateway, from HamWAN

    /ip dhcp-client
    add add-default-route=yes dhcp-options=hostname,clientid disabled=no interface=wlan1

    If you have a bridge configured that contains wlan1 (/interface bridge port print), then you will need to either remove wlan1 from the bridge or specify bridge=wlan1 above. The error you would see would be: "failure: can not run on slave interface".

  24. OPTIONAL: Tell your modem to pull DHCP without default gateway or DNS from your LAN as well

    /ip dhcp-client
    add add-default-route=no use-peer-dns=no dhcp-options=hostname,clientid disabled=no interface=ether1
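
A pre-import check for the key files from step 6, as an added example that is not part of the original HamWAN instructions: it rejects any downloaded .key file that is not a well-formed public key (for instance a saved error page) and computes each key's SHA256 fingerprint so it can be compared with a value obtained from the administrator out of band. It assumes the files are in OpenSSH one-line public-key format; the sample key material and the `expected` mapping are constructed for illustration.

```python
import base64, hashlib

def parse_pubkey(line):
    """Return (key_type, blob) for one OpenSSH public-key line, or raise ValueError."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a 'type base64 [comment]' public-key line")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    # The blob begins with a 4-byte length followed by the algorithm name.
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or blob[4:4 + n] != key_type.encode():
        raise ValueError("algorithm name inside key blob does not match declared type")
    return key_type, blob

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_key_files(files, expected=None):
    """files: {filename: file text}; expected: optional {user: fingerprint}
    obtained out of band. Returns {user: (status, fingerprint_or_reason)}."""
    results = {}
    for name, text in files.items():
        user = name[:-4] if name.endswith(".key") else name
        try:
            _, blob = parse_pubkey(text)
        except ValueError as exc:
            results[user] = ("REJECT", str(exc))
            continue
        fp = fingerprint(blob)
        mismatch = expected is not None and expected.get(user) != fp
        results[user] = ("MISMATCH" if mismatch else "OK", fp)
    return results

def sample_rsa_line():
    # Constructed toy key material, not a real HamWAN key.
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc0\xff\xee"]
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"

# Constructed input: one well-formed key and one saved error page.
SAMPLE_FILES = {"KD7DK.key": sample_rsa_line(),
                "NQ1E.key": "<html><body>404 Not Found</body></html>"}

if __name__ == "__main__":
    for user, (status, detail) in check_key_files(SAMPLE_FILES).items():
        print(user, status, detail)
```

Only files reported as OK, with fingerprints you have confirmed, should go on to the `/user ssh-keys import` commands in step 6.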

Connect

  1. Point your dish at any cell sites and look for beacons. Optimize for best signal.

    /interface wireless scan 0
  2. When signal is optimized, stop scanning and verify you have an association with the cell site

    /interface wireless monitor 0
  3. Verify you can reach the Internet using HamWAN

    /tool traceroute 8.8.8.8
  4. Verify you can resolve DNS

    /ping google.com
  5. Verify NTP synchronization

    /system ntp client print
    # Should see "status: reached", "status: synchronized", or a recent number like "last-update-before: 4s490ms" if you're connected to the network.
    
    /system clock print
    # Should display the correct date + time if you're connected to the network, or have internet available through other means.

Next Steps

Integrating HamWAN into your LAN

Check out the LAN Integration article for ideas on how you might structure your network to include HamWAN. The simplest option is to not integrate your LAN at all, but to create a new isolated LAN. This is a great way to initially test your HamWAN connection.

Create an isolated LAN for use with HamWAN

  1. Assign an IP address to your modem's LAN port

    /ip address
    add address=192.168.88.1/24 interface=ether1
  2. Configure DHCP server

    /ip pool
    add name=dhcp-pool ranges=192.168.88.100-192.168.88.199
    /ip dhcp-server network
    add address=192.168.88.0/24 dns-server=44.25.0.1,44.25.1.1 gateway=192.168.88.1
    /ip dhcp-server
    add address-pool=dhcp-pool interface=ether1 name=dhcp disabled=no
  3. Configure NAT (Network Address Translation)

    /ip firewall nat add chain=srcnat action=masquerade out-interface=wlan1
  4. Connect one end of an Ethernet cable to your modem and the other to the PoE injector (the injector included with the Metal feeds power to the socket side of the adapter). Plug the injector directly into your PC, or into a switch for use with multiple PCs. The modem will assign IP addresses to connected PCs and route their packets to HamWAN.

Upgrading RouterOS to Version 7.x

Please note that there was a package refactoring starting with ROS version 7.13 that breaks out the wireless support into a separate package for devices that have wireless functionality. If you upgrade manually beyond version 7.12, be sure you install/upgrade the necessary wireless support. See this discussion of packages in the upgrading documentation.

Please note the description of feature compatibility in ROS7 relative to ROS6.

Mikrotik's upgrading instructions describe the Winbox GUI based update process. If you want to upgrade from the command line, you would first upgrade to the latest version of ROS6, and then upgrade to ROS7 as follows:

  1. /system package update install, system reboots
  2. /system routerboard upgrade, answer queries, system reboots
  3. /system package update set channel=upgrade
  4. /system package update install, system reboots
  5. /system routerboard upgrade, answer queries, system reboots

Attachments

Filename Size Modified
Configure Radio Modem_1080 dlr .mp4 59MiB 2016-08-06 14:46:40