Manual:Winbox

Contents
[hide]

1 Summary

2 Starting the Winbox

2.1 IPv6 connectivity

3 Interface Overview

4 Work Area and child windows

4.1 Child window menu bar

4.2 Sorting out displayed items

4.3 Customizing list of displayed columns

4.3.1 Detail mode

4.3.2 Category view

4.4 Drag & Drop

4.5 Traffic monitoring

4.6 Item copy

5 Transferring Settings

6 Troubleshooting

Summary
Winbox is a small utility that allows administration of Mikrotik RouterOS using a fast and
simple GUI. It is a native Win32 binary, but can be run on Linux and Mac OSX using
Wine.
All Winbox interface functions are as close as possible to Console functions, that is why
there are no Winbox sections in the manual.
Some of advanced and system critical configurations are not possible from winbox, like
MAC address change on an interface.

Starting the Winbox

Winbox loader can be downloaded directly from the router.

Open your browser and enter router's IP address, RouterOS welcome page will be
displayed. Click on the link to downloadwinbox.exe

When winbox.exe is downloaded, double click on it and winbox loader window will pop up:

To connect to the router enter IP or MAC address of the router, specify username and
password (if any) and click onConnect button. You can also enter the port number after
the IP address, separating them with a colon, like this 192.168.88.1:9999. The port can be
changed in RouterOS services menu.

Note: It is recommended to use IP address whenever possible. MAC session uses network
broadcasts and is not 100% reliable.

You can also use neighbor discovery, to list available routers by clicking on [...] button:

From list of discovered routers you can click on IP or MAC address column to connect to
that router. If you click on IP address then IP will be used to connect, but if you click on
MAC Address then MAC address will be used to connect to the router.
Note: Neighbor discovery will show also devices which are not compatible with Winbox, like
Cisco routers or any other device that uses CDP (Cisco Discovery Protocol)

Description of buttons and fields of loader screen

[...] - discovers and shows MNDP (MikroTik Neighbor Discovery Protocol) or CDP
(Cisco Discovery Protocol) devices.

Connect - Connect to the router

Save - Save address, login, password and note. Saved entries are listed at the
bottom of loader window.

Remove - Remove selected entry from saved list

Tools... - Allows to run various tools: removes all items from the list, clears cache
on the local disk, imports addresses from wbx file or exports them to wbx file.

Connect To: - destination IP or MAC address of the router

Login - username used for authentication

Password - password used for authentication

Keep Password - if unchecked, password is not saved to the list

Secure Mode - if checked, winbox will use TLS encryption to secure session

Load Previous Session - if checked, winbox will try to restore all previously
opened windows.

Note - description of the router that will be saved to the list.

Warning: Passwords are saved in plain text. Anyone with access to your file system will be
able to retrieve passwords.

It is possible to use command line to pass connect to user and password parameters
automatically:

winbox.exe[<connectto>[<login>[<password>]]]

For example (with no password):

winbox.exe10.5.101.1admin""

Will connect to router 10.5.101.1 with username "admin"without password.

IPv6 connectivity
Starting from v5RC6 Winbox supports IPv6 connectivity. To connect to the routers IPv6
address, it must be placed in square braces the same as in web browsers when connecting
to IPv6 server. Example:

Winbox neighbor discovery is now capable of discovering IPv6 enabled routers. As you can
see from the image below, there are two entries for each IPv6 enabled router, one entry is

with IPv4 address and another one with IPv6 link-local address. You can easily choose to
which one you want to connect:

Interface Overview
Winbox interface has been designed to be intuitive for most of the users. Interface consists
of:

Main toolbar at the top where users ca add various info fields, like CPU and
memory usage.

Menu bar on the left - list of all available menus and sub-menus. This list changes
depending on what packages are installed. For example if IPv6 package is disabled,
then IPv6 menu and all it's sub-menus will not be displayed.

Work area - area where all menu windows are opened.

Title bar shows information to identify with which router Winbox session is opened.
Information is displayed in following format:

[username]@[Router'sIPorMAC]([RouterID])Winbox[ROS
version]on[RBmodel]([platform])

From screenshot above we can see that user admin is logged into router with IP
address 10.1.101.18. Router's ID isMikroTik, currently installed RouterOS version
is v5.0beta1, RouterBoard is RB800 and platform is PowerPC.
On the Main toolbar's left side is located undo and redo buttons to quickly undo any
changes made to configuration. On the right side is located:

winbox traffic indicator displayed as a green bar,

indicator that shows whether winbox session uses TLS encryption

checkbox Hide password. This checkbox replaces all sensitive information (for
example, ppp secret passwords) with '*' asterisk symbols.

Work Area and child windows

Winbox has MDI interface meaning that all menu configuration (child) widows are attached
to main (parent) Winbox window and are showed in work area.

Child windows can not be dragged out of working area. Notice in screenshot above
that Interface window is dragged out of visible working area and horizontal scroll bar
appeared at the bottom. If any window is outside visible work area boundaries the vertical
or/and horizontal scrollbars will appear.

Child window menu bar

Each child window has its own toolbar. Most of the windows have the same set of toolbar
buttons:

Add - add new item to the list

Remove - remove selected item from the list

Enable - enable selected item (the same as enable command from console)

Disable - disable selected item (the same as disable command from

console)

Comment - add or edit comment

Sort - allows to sort out items depending on various parameters. Read

more>>

Almost all windows have quick search input field at the right side of the toolbar. Any text
entered in this field is searched through all the items and highlighted as illustrated in
screenshot below

Notice that at the right side next to quick find input filed there is a dropdown box. For
currently opened (IP Route) window this dropdown box allows to quickly sort out items by
routing tables. For example if main is selected, then only routes from main routing table
will be listed.
Similar dropdown box is also in all firewall windows to quickly sort out rules by chains.

Sorting out displayed items

Almost every window has a Sort button. When clicking on this button several options
appear as illustrated in screenshot below

Example shows how to quickly filter out routes that are in 10.0.0.0/8 range
1.Press Sort button
2.Chose Dst.Address from the first dropdown box.
3.Chose in form the second dropdown box. "in" means that filter will check if dst
address value is in range of specified network.
4.Enter network against which values will be compared (in our example enter
"10.0.0.0/8")
5.These buttons are to add or remove another filter to the stack.
6.Press Filter button to apply our filter.
As you can see from screenshot winbox sorted out only routes that are within 10.0.0.0/8
range.
Comparison operators (Number 3 in screenshot) may be different for each window. For
example "Ip Route" window has only two is and in. Other windows may have operators
such as "is not", "contains", "contains not".
Winbox allows to build stack of filters. For example if there is a need to filter by destination
address and gateway, then

set first filter as described in example above,

press [+] button to add another filter bar in stack.

set up seconf filter to filter by gateway

press Filter button to apply filters.

You can also remove unnecessary filter from the stack by pressing [-] button.

Customizing list of displayed columns

By default winbox shows most commonly used parameters. However sometimes it is
needed to see another parameters, for example "BGP AS Path" or other BGP attributes to
monitor if routes are selected properly.
Winbox allows to customize displayed columns for each individual window. For example to
add BGP AS path column:

Click on little arrow button (1) on the right side of the column titles or right mouse
click on the route list.

From popped up menu move to Show Columns (2) and from the sub-menu pick
desired column, in our case click on BGP AS Path (3)

Changes made to window layout are saved and next time when winbox is opened the same
column order and size is applied.

Detail mode
It is also possible to enable Detail mode. In this mode all parameters are displayed in
columns, first column is parameter name, second column is parameter's value.
To enable detail mode right mouse click on the item list and from the popupmenu
pick Detail mode

Category view
It is possible to list items by categories. In tis mode all items will be grouped alphabetically
or by other category. For example items may be categorized alphabetically if sorted by
name, items can also be categorized by type like in screenshot below.
To enable Category view, right mouse click on the item list and from the popupmenu
pick Show Categories

Drag & Drop

It is possible to upload and download files to/from router using winbox drag & drop
functionality.

Note: Drag & Drop does not work if winbox is running on Linux using wine. This is not a
winbox problem, wine does not support drag & drop.

Traffic monitoring
Winbox can be used as a tool to monitor traffic of every interface, queue or firewall rule in
real-time. Screenshot below shows ethernet traffic monitoring graphs.

Item copy
This shows how easy it is to copy an item in Winbox. In this example, we will use the COPY
button to make a Dynamic WDS interface into a Static interface.
This image shows us the initial state, as you see DRA indicates "D" which means Dynamic:

Double-Click on the interface and click on COPY:

A new interface window will appear, a new name will be created automatically (in this case
WDS2)

You can see that the new interface status has changed:

Transferring Settings
On Windows Vista/7 Winbox settings are stored in: %USERPROFILE
%\AppData\Roaming\Mikrotik\Winbox\winbox.cfg
Simply copy this file to the same location on the new host.

Troubleshooting
Winbox cannot connect to router's IP address
Make sure that Windows firewall is set to allow Winbox connections or disable
windows firewall.
I get an error '(port 20561) timed out' when connecting to routers mac
address
Windows (7/8) does not allow mac connection if file and print sharing is disabled.

Pengertian mikrotik
Rabu, Juli 15, 2009

Mikrotik routerOS adalah sistem operasi dan perangkat lunak yang dapat digunakan untuk
menjadikan komputer biasa menjadi router network yang handal,mencakup berbagai fitur
yang dibuat untuk ip network dan jaringan wireless.

Fitur-fitur tersebut diantaranya : Firewall & Nat, Routing, Hotspot, Point to Point Tunneling
Protocol, DNS server, DHCP server, Hotspot, dan masih banyak lagi fitur lainnya.
Mikrotik dapat digunakan dalam 2 tipe, yaitu dalam bentuk perangkat keras dan perangkat
lunak. Dalam bentuk perangkat keras, Mikrotik biasanya sudah diinstalasi pada suatu
board tertentu, sedangkan dalam bentuk perangkat lunak, Mikrotik merupakan satu distro
Linux yang memang dikhususkan untuk fungsi router.
Mikrotik 2
MikroTik RouterOS, merupakan sistem operasi Linux base yang diperuntukkan sebagai
network router. Didesain untuk memberikan kemudahan bagi penggunanya.
Administrasinya bisa dilakukan melalui Windows Application (WinBox). Selain itu instalasi
dapat dilakukan pada Standard komputer PC (Personal
Computer). PC yang akan dijadikan router mikrotik pun tidak memerlukan resource yang
cukup besar untuk penggunaan standard, misalnya hanya sebagai gateway. Untuk
keperluan beban yang besar (network yang kompleks, routing yang rumit) disarankan
untuk mempertimbangkan pemilihan resource PC yang memadai.

1.4.1 Sejarah MikroTik RouterOS

MikroTik adalah sebuah perusahaan kecil berkantor pusat di Latvia, bersebelahan dengan
Rusia. Pembentukannya diprakarsai oleh John Trully dan Arnis Riekstins. John Trully adalah
seorang berkewarganegaraan Amerika yang berimigrasi ke Latvia. Di Latvia ia bejumpa
dengan Arnis, Seorang darjana Fisika dan Mekanik sekitar tahun 1995. John dan Arnis
mulai me-routing dunia pada tahun 1996 (misi MikroTik adalah merouting seluruh dunia).
Mulai dengan sistem Linux dan MS-DOS yang dikombinasikan dengan teknologi WirelessLAN (WLAN) Aeronet berkecepatan 2 Mbps di Moldova, negara tetangga Latvia, baru
kemudian melayani lima pelanggannya di Latvia. Prinsip dasar mereka bukan membuat
Wireless ISP (W-ISP), tetapi membuat program router yang handal dan dapat dijalankan
diseluruh dunia. Latvia hanya merupakan tempat eksperimen John dan Arnis, karena saat
ini mereka sudah membantu negara-negara lain termasuk Srilanka yang melayani sekitar
400 pengguna.
Linux yang pertama kali digunakan adalah Kernel 2.2 yang dikembangkan secara bersamasama denag bantuan 5-15 orang staff Research and Development (R&D) MikroTik yang
sekarang menguasai dunia routing di negara-negara berkembang. Menurut Arnis, selain
staf di lingkungan MikroTik, mereka juga merekrut tenega-tenaga lepas dan pihak ketiga
yang dengan intensif mengembangkan MikroTik secara marathon.

2.3.2 JENIS-JENIS MIKROTIK

1. MikroTik RouterOS yang berbentuk software yang dapat di-download di

www.mikrotik.com. Dapat diinstal pada kompuetr rumahan (PC).
2. BUILT-IN Hardware MikroTik dalam bentuk perangkat keras yang khusus dikemas dalam
board router yang didalamnya sudah terinstal MikroTik RouterOS.

2.3.4 FITUR-FITUR MIKROTIK

1. Address List : Pengelompokan IP Address berdasarkan nama
2. Asynchronous : Mendukung serial PPP dial-in / dial-out, dengan otentikasi CHAP,
PAP, MSCHAPv1 dan MSCHAPv2, Radius, dial on demand, modem pool hingga 128 ports.

3. Bonding : Mendukung dalam pengkombinasian beberapa antarmuka ethernet ke dalam

1 pipa pada koneksi cepat.
4. Bridge : Mendukung fungsi bridge spinning tree, multiple bridge interface, bridging
firewalling.
5. Data Rate Management : QoS berbasis HTB dengan penggunaan burst, PCQ, RED, SFQ,
FIFO queue, CIR, MIR, limit antar peer to peer
6. DHCP : Mendukung DHCP tiap antarmuka; DHCP Relay; DHCP Client, multiple network
DHCP; static and dynamic DHCP leases.
7. Firewall dan NAT : Mendukung pemfilteran koneksi peer to peer, source NAT dan
destination NAT. Mampu memfilter berdasarkan MAC, IP address, range port, protokol IP,
pemilihan opsi protokol seperti ICMP, TCP Flags dan MSS.
8. Hotspot : Hotspot gateway dengan otentikasi RADIUS. Mendukung limit data rate,
SSL ,HTTPS.
9. IPSec : Protokol AH dan ESP untuk IPSec; MODP Diffie-Hellmann groups 1, 2, 5; MD5
dan algoritma SHA1 hashing; algoritma enkirpsi menggunakan DES, 3DES, AES-128, AES192, AES-256; Perfect Forwarding Secresy (PFS) MODP groups 1, 2,5
10. ISDN : mendukung ISDN dial-in/dial-out. Dengan otentikasi PAP, CHAP, MSCHAPv1
dan MSCHAPv2, Radius. Mendukung 128K bundle, Cisco HDLC, x751, x75ui, x75bui line
protokol.
11. M3P : MikroTik Protokol Paket Packer untuk wireless links dan ethernet.
12. MNDP : MikroTik Discovery Neighbour Protokol, juga mendukung Cisco Discovery
Protokol (CDP).
13. Monitoring / Accounting : Laporan Traffic IP, log, statistik graph yang dapat diakses
melalui HTTP.
14. NTP : Network Time Protokol untuk server dan clients; sinkronisasi menggunakan
system GPS.
15. Poin to Point Tunneling Protocol : PPTP, PPPoE dan L2TP Access Consentrator; protokol
otentikasi menggunakan PAP, CHAP, MSCHAPv1, MSCHAPv2; otentikasi dan laporan
Radius; enkripsi MPPE; kompresi untuk PPoE; limit data rate.
16. Proxy : Cache untuk FTP dan HTTP proxy server, HTTPS proxy; transparent proxy
untuk DNS dan HTTP; mendukung protokol SOCKS; mendukung parent proxy; static DNS.
17. Routing : Routing statik dan dinamik; RIP v1/v2, OSPF v2, BGP v4.
18. SDSL : Mendukung Single Line DSL; mode pemutusan jalur koneksi dan jaringan.
19. Simple Tunnel : Tunnel IPIP dan EoIP (Ethernet over IP).
20. SNMP : Simple Network Monitoring Protocol mode akses read-only.
21. Synchronous : V.35, V.24, E1/T1, X21, DS3 (T3) media ttypes; sync-PPP, Cisco HDLC;
Frame Relay line protokol; ANSI-617d (ANDI atau annex D) dan Q933a (CCITT atau annex
A); Frame Relay jenis LMI.
22. Tool : Ping, Traceroute; bandwidth test; ping flood; telnet; SSH; packet sniffer;
Dinamik DNS update.
23. UPnP : Mendukung antarmuka Universal Plug and Play.
24. VLAN : Mendukung Virtual LAN IEEE 802.1q untuk jaringan ethernet dan wireless;
multiple VLAN; VLAN bridging.
25. VoIP : Mendukung aplikasi voice over IP.
26. VRRP : Mendukung Virtual Router Redudant Protocol.
27. WinBox : Aplikasi mode GUI untuk meremote dan mengkonfigurasi MikroTik
RouterOS.

Memblokir Suatu Situs Pada Jam Tertentu

Minggu, Desember 12, 2010

Berikut ini adalah suatu trik untuk memblok situs yang di atur sesuai jam. Salah satu
contoh adalah situs facebook yang beberapa kantor ingin di blok pada jam kerja.

Pertama, supaya waktu yang berjalan di router sesuai dengan waktu lokasi
setempat, maka kita perlu mengatur agar clock di MikroTik mengacu pada NTP
Server. Jika kita memiliki NTP Server sendiri, maka kita tinggal mengarahkan
MikroTik ke NTP Server tersebut, namun jika kita tidak memiliki NTP Server,
maka tidak perlu khawatir karena banyak NTP Server di luar yang bisa kita
gunakan sebagai acuan. Beberapa diantaranya adalah NTP Server milik LIPI
(Lembaga Ilmu Pengetahuan Indonesia) dengan URL: ntp.kim.lipi.go.id
(203.160.128.6) dan NTP Pool Project dengan salah satu URLnya:
0.id.pool.ntp.org (202.169.224.16). Untuk mensettingnya di MikroTik, ketikkan
perintah berikut :

/system ntp client set primary-ntp=203.160.128.6

secondary-ntp=202.169.224.16 \ mode=unicast enabled=yes
Kedua, membuat rule di firewall filter. Dalam hal ini saya ingin memblokir situs
Facebook yang menggunakan port HTTP (80), sehingga selain port tersebut
masih diijinkan. Tujuannya agar pengguna masih dapat menerima update status
facebook melalui email. Untuk mensettingnya ketikkan perintah berikut :

/ip firewall filter add chain=forward srcaddress=0.0.0.0/0 protocol=tcp \ dst-port=80

content="facebook" action=drop comment="Blokir Akses
Facebook";
Via Winbox :

Ketiga, membuat script untuk mengaktifkan firewall tersebut selama jam kerja
dan mematikannya pada jam istirahat dan diluar jam kerja. Disini saya
membuat 3 script, yaitu script untuk mengaktifkan (enable) firewall, script

untuk mematikan (disable) firewall serta script untuk dieksekusi pada hari libur
(Sabtu-Minggu) dan hari kerja. Berikut ini scriptnya :
Script untuk mematikan (disable) firewall :

/system script add name="fb-allow"

policy=write,read,policy,test,sniff source={/ip firewall
filter set [/ip firewall filter find content="facebook"]
disabled=yes
Via Winbox :

Script untuk mengaktifkan (enable) firewall :

/system script add name="fb-deny"

policy=write,read,policy,test,sniff source={/ip firewall
filter set [/ip firewall filter find content="facebook"]
disabled=no}
Via Winbox :

Script untuk disable firewall di hari libur dan enable di hari kerja :

/system script add name="fb-holiday"

policy=write,read,policy,test,sniff source={:if ([/system
scheduler get [/system scheduler find on-event="fb-deny"]
disabled] = true) do [/system scheduler set [/system
scheduler find on-event="fb-deny"] disabled=no] else
[/system scheduler set [/system scheduler find onevent="fb-deny"] disabled=yes]}
Keempat, membuat schedule untuk menentukan kapan firewall tersebut akan
diaktifkan atau dinon-aktifkan. Disini saya membuat 6 scheduler berdasarkan
jam kerja dan hari kerja, yaitu jam 08:00, jam 12:00, jam 13:00, jam 17:00,
hari sabtu-minggu, dan hari senin. Berikut ini scriptnya :
Schedule untuk mengaktifkan (enable) firewall pada jam kerja (08:00) :

/system scheduler add name="fb-08:00" startdate=jan/01/2010 start-time=08:00:00 interval=1d onevent="fb-deny"

Via Winbox :

Schedule untuk mematikan (disable) firewall pada jam istirahat (12:00) :

/system scheduler add name="fb-12:00" startdate=jan/01/2010 start-time=11:30:00 interval=1d onevent="fb-allow"

Via Winbox :

Schedule untuk mengaktifkan kembali (enable) firewall pada jam kerja

(13:00) :

/system scheduler add name="fb-13:00" startdate=jan/01/2010 start-time=13:00:00 interval=1d onevent="fb-deny"

Via Winbox :

Schedule untuk mematikan (disable) firewall di luar jam kerja ke atas ( > 17:00)
:

/system scheduler add name="fb-16:00" startdate=jan/01/2010 start-time=16:00:00 interval=1d onevent="fb-allow"

Via Winbox :

Schedule untuk mematikan (disable) firewall di hari libur (Sabtu-Minggu) :

/system scheduler add name="fb-sabtu-minggu" startdate=aug/01/2009 start-time=00:00:00 interval=7d onevent="fb-holiday"

Pastikan bahwa tanggal yang didefinisikan pada parameter "start-date"
scheduler adalah Hari Sabtu. Dan parameter "interval" diberi nilai 7d.
Schedule untuk mengaktifkan kembali (enable) firewall di hari kerja (Senin) :

/system scheduler add name="fb-senin" startdate=aug/03/2009 start-time=00:00:00 interval=7d onevent="fb-holiday"

Pastikan bahwa tanggal yang didefinisikan pada parameter "start-date"
scheduler adalah Hari Senin. Dan parameter "interval" diberi nilai 7d.