Sometimes it is nice to have a list of just the IP addresses and the hostname or MAC address. It can be especially helpful when you are trying to get a list of devices to do a bulk update in LibreNMS. Helpful LibreNMS links for renaming and showing down devices
We are going to run a command on the router to pull the DHCP lease information and then use Unix utilities to parse the data out.
Replace dhcp8 with the name of the DHCP server on your MikroTik.
First, SSH into your Mikrotik router.
ssh user@mikrotik
Next we’ll want to go into the ip dhcp-server lease menu:
/ip dhcp-server lease
Now we can run the following command to loop through the leases and pull out the info we need. You can swap a field like “mac-address” for something like “status”. Use Tab to see what fields are available: delete mac-address and hit Tab twice.
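As an added example (not from the original post), here is the parsing step done on the Unix side: run the lease listing over SSH with print terse, which gives one lease per line as key=value pairs, and turn each record into address,mac,host-name CSV with awk. The sample lease records are constructed to match the terse format; the server name dhcp8 follows the post and the ssh target is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: turn "/ip dhcp-server lease
# print terse" output into address,mac,host-name CSV with awk.
# Real use (target and server name are assumptions):
#   ssh user@mikrotik '/ip dhcp-server lease print terse where server=dhcp8' | lease_csv
#
# Constructed sample of terse output (one record per line, key=value pairs;
# quoted values such as host-name have their quotes stripped below).
SAMPLE_LEASES='Flags: X - disabled, R - radius, D - dynamic, B - blocked
 0 D address=192.168.88.10 mac-address=AA:BB:CC:DD:EE:01 client-id="1:aa:bb:cc:dd:ee:1" server=dhcp8 status=bound expires-after=9m23s last-seen=36s active-address=192.168.88.10 active-mac-address=AA:BB:CC:DD:EE:01 host-name="laptop1"
 1 D address=192.168.88.11 mac-address=AA:BB:CC:DD:EE:02 server=dhcp8 status=bound active-address=192.168.88.11 active-mac-address=AA:BB:CC:DD:EE:02
 2   address=192.168.88.50 mac-address=AA:BB:CC:DD:EE:03 server=dhcp8 status=waiting host-name="printer"'

# Read terse lease output on stdin, print address,mac,<third field> per lease.
# FIELD picks the third column (default host-name); FIELD=status works the
# same way the post describes swapping mac-address for status.
lease_csv() {
  awk -v third="${FIELD:-host-name}" '
    # Record lines start with the lease index; the Flags header does not.
    $1 ~ /^[0-9]+$/ {
      addr = ""; mac = ""; extra = ""
      for (i = 2; i <= NF; i++) {
        eq = index($i, "="); if (eq == 0) continue     # flag letters such as D
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1); gsub(/"/, "", v)
        # exact key match, so active-address does not clobber address
        if (k == "address") addr = v
        else if (k == "mac-address") mac = v
        else if (k == third) extra = v
      }
      printf "%s,%s,%s\n", addr, mac, extra
    }'
}

printf '%s\n' "$SAMPLE_LEASES" | lease_csv
```

A lease without the requested field (the second record has no host-name) still produces a row with an empty third column, so the line count matches the lease count and nothing silently disappears when you feed the CSV into a bulk update.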
Problem: lots of CPU utilization. /tool profile shows a good bit of it is DNS related.
DNS eating CPU on Router
The router is set up to let DNS traffic through to the web servers so that rDNS and other records can be looked up and resolved. The servers sit in a specific IP block that gets its addresses from the router, say 192.168.88.0/24; the firewall rules explicitly allow DNS to that range and block everything else. This works for the web servers, but why is DNS still burning a bunch of router CPU?
As it turns out, the rule that allows the server address range also covers the router’s own address (192.168.88.1 sits inside 192.168.88.0/24), so DNS access to the router itself from the WAN side was unintentionally whitelisted.
To resolve the issue, add firewall rules that explicitly drop DNS traffic addressed to the router’s own IP coming in from the WAN. Two rules are needed, one for TCP (protocol 6) and one for UDP (protocol 17):
ip firewall filter add chain=input dst-address=192.168.88.1 protocol=6 dst-port=53 in-interface-list=WAN action=drop
ip firewall filter add chain=input dst-address=192.168.88.1 protocol=17 dst-port=53 in-interface-list=WAN action=drop
Rules 6 & 7 are the two new rules we just applied. Rules 14 & 15 already dropped input to the router, but rules 8 & 9 sit above them and accepted DNS to the whole range, router included, before the drops were ever reached. A rule added from the console is appended to the end of the chain, so the new drop rules have to be moved above rules 8 & 9 (or added with place-before=) for them to have any effect.
Firewall Rules for Router
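The overlap above is easy to miss by eye, so here is an added check (not from the original post) that reads /ip firewall filter print terse output and lists input-chain accept rules for port 53 whose dst-address contains the router’s own address without a drop for that address earlier in the chain. The rule numbers and ranges are constructed to mirror the post’s before and after states; the ssh target is an assumption, and dst-address ranges and address lists (as opposed to a single address or CIDR) are not handled.

```shell
#!/bin/sh
# Added example, not from the original post: given "/ip firewall filter
# print terse" output, list input-chain accept rules for DNS (port 53) whose
# dst-address covers the router's own address with no drop for that address
# placed earlier in the chain. Rule numbers/ranges below are constructed to
# mirror the post; dst-address ranges and address lists are not handled.
# Real use (target is an assumption):
#   ssh user@mikrotik '/ip firewall filter print terse' | dns_input_gaps 192.168.88.1

BEFORE_RULES='Flags: X - disabled, I - invalid, D - dynamic
 8   chain=input action=accept protocol=tcp dst-address=192.168.88.0/24 dst-port=53 in-interface-list=WAN
 9   chain=input action=accept protocol=udp dst-address=192.168.88.0/24 dst-port=53 in-interface-list=WAN
14   chain=input action=drop in-interface-list=WAN
15   chain=input action=drop connection-state=invalid'

# Same chain with the two fix-up rules from the post placed above 8 and 9.
AFTER_RULES='Flags: X - disabled, I - invalid, D - dynamic
 6   chain=input action=drop protocol=6 dst-address=192.168.88.1 dst-port=53 in-interface-list=WAN
 7   chain=input action=drop protocol=17 dst-address=192.168.88.1 dst-port=53 in-interface-list=WAN
 8   chain=input action=accept protocol=tcp dst-address=192.168.88.0/24 dst-port=53 in-interface-list=WAN
 9   chain=input action=accept protocol=udp dst-address=192.168.88.0/24 dst-port=53 in-interface-list=WAN
14   chain=input action=drop in-interface-list=WAN
15   chain=input action=drop connection-state=invalid'

# $1 = the router's own address; terse rule dump on stdin.
dns_input_gaps() {
  awk -v ip="$1" '
    function ip2int(a,   p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    # True when cidr (a single address, a.b.c.d/n, or "" meaning any) contains ipn
    function contains(cidr,   q, n, plen, size, base) {
      if (cidr == "") return 1
      n = split(cidr, q, "/"); plen = (n == 2) ? q[2] : 32
      size = 2 ^ (32 - plen)
      base = int(ip2int(q[1]) / size) * size
      return (ipn >= base && ipn < base + size)
    }
    function proto_name(p) { return (p == "6") ? "tcp" : (p == "17") ? "udp" : p }
    BEGIN { ipn = ip2int(ip) }
    $1 ~ /^[0-9]+$/ {
      chain = ""; action = ""; dst = ""; port = ""; proto = ""
      for (i = 2; i <= NF; i++) {
        eq = index($i, "="); if (eq == 0) continue
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
        if (k == "chain") chain = v
        else if (k == "action") action = v
        else if (k == "dst-address") dst = v
        else if (k == "dst-port") port = v
        else if (k == "protocol") proto = proto_name(v)
      }
      if (chain != "input" || !contains(dst)) next
      # a rule reaches DNS if it has no dst-port at all or its list includes 53
      hit = (port == "")
      np = split(port, ports, ","); for (j = 1; j <= np; j++) if (ports[j] == "53") hit = 1
      if (!hit) next
      # rules are evaluated top-down, so a drop only protects the rules after it
      if (action == "drop" || action == "reject") {
        if (proto == "") { dropped["tcp"] = 1; dropped["udp"] = 1 } else dropped[proto] = 1
      } else if (action == "accept") {
        if (proto == "" && !(dropped["tcp"] && dropped["udp"])) print $1
        else if (proto != "" && !dropped[proto]) print $1
      }
    }'
}

printf '%s\n' "$BEFORE_RULES" | dns_input_gaps 192.168.88.1   # prints 8 and 9
printf '%s\n' "$AFTER_RULES"  | dns_input_gaps 192.168.88.1   # prints nothing
```

The check is deliberately order-aware: the same two drop rules appended at the bottom of the chain would still leave 8 and 9 reported, which is exactly the mistake a fresh add from the console makes.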
The Result? Our CPU usage dropped!
CPU Usage dropped after adding DNS firewall rules.
Quite dramatically too as the following LibreNMS screenshot shows.
LibreNMS CPU graph showing the overall CPU utilization improvement
For more information about DNS amplification attacks (which is what a router answering DNS for the whole internet exposes you to, beyond the CPU cost), refer to the following links.
You can look here to set up a certificate in Winbox, or here to configure it from the command line.
Enable OpenVPN server
To set up an OpenVPN server on a router there are a few things that need to be done:
Create certificates (See top of post)
Create IP pool for clients to use
Configure default-encryption profile
Create User
Configure OpenVPN server
Create IP Pool
Create an IP pool that clients can pull an address from when they connect.
Setup VPN IP pool
Modify Profiles
Modify the default-encryption profile and specify the VPN IP pool.
Specify IP pool in profile
Create User
Create a new user and specify the default-encryption profile.
Create VPN user
Turn OVPN Server on
Enable the OVPN server. Set “Default Profile:” to default-encryption and the certificate to server-template, or whatever name you gave the certificate you created.
Open up the Certificates window by going to /System -> Certificates. Hit the + to add a new certificate
Create Certificate Authority Certificate
First we are going to create a Certificate Authority template
Setup Certificate Authority template
Set the key usage to “crl sign” and “key cert. sign” and apply.
Set Certificate Authority Key Usage
Setup Server Certificate
Now we are going to create a server template
Setup Server Template
We need to specify “digital signature”, “key encipherment” and “tls server”. You may need to enable or disable more depending on your use case; here it is being set up for OpenVPN.
Configure Server Key Usage
Sign Templates
First, sign the ca-template by opening the certificate and hitting Sign on the right-hand side. The small Sign window should pop up.
Sign Certificate Authority
Progress will show done when it is finished signing.
Next, sign the server-template. When signing it, specify ca-template in the CA: field. See below.
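The OpenVPN server steps and the certificate steps above, as one added example that is not from the original post: a shell function that writes the equivalent RouterOS console commands into a .rsc script you can copy to the router and run with /import. The names ca-template, server-template, vpn-pool and default-encryption follow the post; the address range, user name, password and validity period are assumptions, and the command syntax is from my own RouterOS use, so check it against your version with the console’s ? help before importing.

```shell
#!/bin/sh
# Added example, not from the original post: emit the RouterOS commands for
# the certificate + OpenVPN server procedure as an importable .rsc script.
# Object names follow the post; range/user/password/validity are assumptions.
# Command syntax is from RouterOS as I know it; verify against your version.

# usage: ovpn_setup_script CN POOL_RANGE LOCAL_ADDR USER PASSWORD
ovpn_setup_script() {
  cn="$1"; range="$2"; local_addr="$3"; user="$4"; pass="$5"
  cat <<EOF
# --- certificates (System -> Certificates in Winbox) ---
/certificate add name=ca-template common-name=$cn-ca key-usage=crl-sign,key-cert-sign days-valid=3650
/certificate sign ca-template
/certificate add name=server-template common-name=$cn key-usage=digital-signature,key-encipherment,tls-server days-valid=3650
/certificate sign server-template ca=ca-template
# --- OpenVPN server (pool, profile, user, enable) ---
/ip pool add name=vpn-pool ranges=$range
/ppp profile set default-encryption local-address=$local_addr remote-address=vpn-pool
/ppp secret add name=$user password=$pass profile=default-encryption service=ovpn
/interface ovpn-server server set enabled=yes certificate=server-template default-profile=default-encryption
EOF
}

# Example values are assumptions. Redirect to a file, then:
#   scp ovpn-setup.rsc admin@mikrotik:
#   ssh admin@mikrotik '/import file-name=ovpn-setup.rsc'
# The password ends up in the script file and the router's file store, so
# use a throwaway one here and change it afterwards, or pass VPN_PASS.
ovpn_setup_script gw.example.net 10.10.10.2-10.10.10.254 10.10.10.1 vpnuser "${VPN_PASS:-CHANGE-ME}"
```

Signing takes a few seconds on small boards; if the final ovpn-server line complains that the certificate is not usable yet, wait for the sign progress to show done and re-run just that line.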
Move all the VLANs under ether7 to ether6. Instead of an “=” sign you can use a “~” to do a partial (regex) match on the interface name.
foreach i in=[/interface vlan find where interface="ether7"] do={interface vlan set interface=ether6-master-local $i }
Move IP address to new port programmatically
Move the IP address to ether6. Change 192.168.88.1/24 to your address; the find command matches it regardless of which port it is currently on and assigns it to ether6-master-local, or whichever port is specified.
ip address set interface=ether6-master-local [find address="192.168.88.1/24"]
Using Delay
You can add a delay before a command runs by specifying delay and then the number of seconds to wait.
delay 60
Use ; to separate commands. The example below waits 5 seconds and then prints the IP addresses.
delay 5 ; ip address print
Putting it all together
The following command will wait 60 seconds, then move all the VLANs on ether7 to ether6, then move the 192.168.88.1/24 address to ether6. If your own SSH session comes in through that address, expect the last command to cut it off.
delay 60 ; foreach i in=[/interface vlan find where interface="ether7"] do={interface vlan set interface=ether6-master-local $i } ; ip address set interface=ether6-master-local [find address="192.168.88.1/24"]
Sometimes the following warning can show up in the log:
10:48:45 interface,warning ether2: bridge port received packet with own address as source address (74:4d:28:69:89:9d), probably loop
Check that your interface MAC addresses are unique. VLAN interfaces are the expected exception: a VLAN inherits the MAC address of the interface it sits on, so a VLAN sharing a MAC with its parent is normal.
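As an added example (not from the original post) of the check above, here is a script that reads /interface print terse output and reports MAC addresses shared by more than one non-VLAN interface. The interface list is constructed and the ssh target is an assumption. Note that a RouterOS bridge normally borrows the MAC of one of its member ports, so a bridge/port pair in the report is expected; in the sample only the ether2/ether3 pair is a real problem.

```shell
#!/bin/sh
# Added example, not from the original post: report MAC addresses shared by
# more than one interface in "/interface print terse" output, skipping VLANs
# (they inherit their parent's MAC by design).
# Real use (target is an assumption):
#   ssh user@mikrotik '/interface print terse' | duplicate_macs

# Constructed sample: ether2 and ether3 wrongly share a MAC (differing only in
# case); vlan10 and bridge1 reusing ether1's MAC is normal (VLAN inheritance,
# bridge auto-mac), so vlan10 is skipped and bridge1 is reported for review.
SAMPLE_IFACES='Flags: D - dynamic, X - disabled, R - running, S - slave
 0  R name=ether1 type=ether mtu=1500 mac-address=74:4D:28:69:89:9A
 1  R name=ether2 type=ether mtu=1500 mac-address=74:4D:28:69:89:9D
 2  R name=ether3 type=ether mtu=1500 mac-address=74:4d:28:69:89:9d
 3  R name=vlan10 type=vlan mtu=1500 mac-address=74:4D:28:69:89:9A
 4  R name=bridge1 type=bridge mtu=1500 mac-address=74:4D:28:69:89:9A'

# Terse interface dump on stdin; prints "MAC name1 name2 ..." per shared MAC.
duplicate_macs() {
  awk '
    $1 ~ /^[0-9]+$/ {
      name = ""; type = ""; mac = ""
      for (i = 2; i <= NF; i++) {
        eq = index($i, "="); if (eq == 0) continue   # flag letters such as R
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
        if (k == "name") name = v
        else if (k == "type") type = v
        else if (k == "mac-address") mac = toupper(v)   # compare case-insensitively
      }
      if (mac == "" || type == "vlan") next
      if (!(mac in names)) order[++n] = mac           # keep first-seen order
      names[mac] = names[mac] " " name
      count[mac]++
    }
    END { for (j = 1; j <= n; j++) { m = order[j]; if (count[m] > 1) print m names[m] } }'
}

printf '%s\n' "$SAMPLE_IFACES" | duplicate_macs
```

Run it once when the loop warning appears and once after you fix or re-cable anything; a MAC listed against two physical ether ports is the case the warning in the log is pointing at.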