Quick and simple way to check the details on a fiber SFP on a Mikrotik router. Replace sfp1_name with the SFP name or leave out the name and select a number.
Note that there are a couple of limitations of using the Cloud Hosted Router (CHR). The main issue is that the default license doesn’t allow for more than 1Mbps on each interface.
We’ll create a tunnel between two Mikrotik RouterOS routers. Once we have the tunnel connected, we can then route traffic between them.
Note: You can add Preshared keys, but we don’t cover that in this post, just to keep things simple. Check out the following post if you want to add Preshared keys.
Here is how we will want our routers set up. The WireGuard PtP IP is the IP addresses used on both ends of the tunnel. The WAN IP is the IP of each Router. Local IP on Host B is setup to distribute DHCP.
Host A
WAN IP: 172.16.0.1 WireGuard PtP IP: 10.1.1.1/30
Host B
WAN IP: 10.0.0.2 WireGuard PtP IP: 10.1.1.2/30 Local IP: 192.168.0.1/24
We need Host A to be able to access Private IP’s (192.168.0.0/24) behind Host B.
We’ll pretend that the 172.16.0.1 address is a public IP, and Host B, is behind some sort of NAT network.
To create the Point-to-point, or PtP, we will create a WireGuard VPN tunnel, and then add routes from Host A to Host B.
For each Mikrotik we need to create a WireGuard interface, and then a peer. One of the peers needs a keep alive if we are behind a NAT.
Wireguard Setup Overview
Here is an overview screenshot of what our WireGuard settings will look like. Host A is on top, and Host B on the bottom. On the left are the WireGuard interfaces, and the right contains the Peers.
We copy the Public Key from the remote WireGuard interface, to the Public Key on the local Peer. I.e. The Host_B Peer contains Host_A’s Interface Public Key and vice verse
Host A
If you want to, you can use the WinBox GUI to setup and configure the router.
In the Allowed Addresses, put 10.1.1.0/30 and 192.168.0.0/24*.
Finally, put in the Public Key from Host B. Note that we can’t do this until we create the WireGuard Interface on Host B, so you’ll need to come back for this step.
*The Allowed Address sets which addresses work on the other side of the tunnel. If we don’t specify 192.168.0.0/24, then we won’t be able to route to those addresses. If we don’t add 10.1.1.0/30, then our tunnel won’t work at all. Since we only need to route to the 192.168.0.0/24 network from the Host A side, we don’t need this IP range on Host B.
That should be it. Verify that there is a connection. From Host A, ping 192.168.0.1 or any other remote device.
Troubleshooting
Unfortunately, there appear to be some wonky bugs with WireGuard on RouterOS. It does appear to be getting better, but here are a couple things to check if the tunnel is not connecting.
Verify that the Firewall is not blocking WireGuard. You can allow the WireGuard port in the Firewall.
Try disabling and re-enabling the Interfaces and/or Peers
Verify that all the routes for the PtP are in /ip/routes. If not, try manually adding the route (10.1.1.0/30) on the WireGuard interface on both routers.
Add a keep alive if a router is behind a firewall/NAT.
Reboot and or Upgrade the RouterOS version and firmware.
Cisco’s can be rebooted with the reload command. The reload command allows you to specify how many minutes like
reload 5
to reload in 5 minutes. We can also reload at a specific time. For instance
reload 13:30
will reload the router at 1:30PM.
For a Cisco config to remain permanent, we have to “write” i.e. save the config. By default, making changes, for instance an IP address on an interface, will get wiped on a reboot or reload.
We can take advantage of this behavior to “test” changes on a Cisco router.
Example:
Run the command “reload 10” to reboot the router in 10 minutes. The plan is to cancel the reload after making sure our changes work
Make the needed changes to the Router.
After verifying that everything is working, run the “reload cancel” command to cancel the reload
Now we can run “write” to save our new config
To recap reload 10 will reload a router in 10 minutes If we loose access to the router while making changes, once 10 minutes has expired, the router will reload, returning it to the last know working state. The reload cancel command will cancel the reload. write will make our config persistent across reboots/reloads
Setting up OSPF between Mikrotik routers is not too difficult. The following commands should work with RouterOS version 7+. Run these commands on each Mikrotik changing out the router-id.
Create a Loop-back interface
First it would be a good idea to create an loopback interface that will stay up. We’ll use this address as the router-id. This should be unique per router.
First we’ll create the instance. Use the address from the above loopback address. Technically you can use whatever id you want as long as it is a 32 bit “address” and is unique.
IMPORTANT NOTE: If this router is also the default gateway, you’ll need to specify the “originate-default=always” option to share the default gateway over OSPF to the other routers. You don’t have to do this if you don’t want to share the default route.
Create OSPF Area
Now we can create an OSPF area. For a simple OSPF setup, we’ll just use the default 0.0.0.0 area.
Now we can add an instance. This is responsible for what networks get shared with OSPF. If you want to do all the addresses on the router, then use 0.0.0.0/0. If you only want to do specific networks, run an entry for every network, changing 0.0.0.0/0 to the network of interest.
After that we can check to make sure things worked.
/routing/ospf/neighbor/print
You should see at a neighbor. It can take a little bit for the neighbors to show up.
You can also check the routes on the router.
/ip/route/print
OSPF has a default distance of 110, so checking the routes is a quick way to verify the routes are getting updated. Do note that if you have a static route in with a lower distance, that will take precedence over OSPF.