How to Install Mikrotik RouterOS on VirtualBox


Note that there are a couple of limitations of using the Cloud Hosted Router (CHR). The main issue is that the default license doesn’t allow for more than 1Mbps on each interface.

https://help.mikrotik.com/docs/display/ROS/Cloud+Hosted+Router%2C+CHR#CloudHostedRouter,CHR-CHRLicensing

Download the VDI version of CHR from the Mikrotik downloads page.

https://mikrotik.com/download

Mikrotik has instructions for installing CHR in VirtualBox, so this post is more of just a summary.

https://wiki.mikrotik.com/wiki/Manual:CHR_VirtualBox_installation

  1. Create a VM with Type Linux, Version Other Linux (64-bit)
  2. While setting up the VM, select the VDI downloaded from Mikrotik as the virtual disk.
  3. Start the VM and login with admin for the username and nothing for the password.

The easiest way to spin up more vm’s to right click on the VM and Clone.

How to Create WireGuard Point-to-point Between Mikrotik Routers

We’ll create a tunnel between two Mikrotik RouterOS routers. Once we have the tunnel connected, we can then route traffic between them.

Note: You can add Preshared keys, but we don’t cover that in this post, just to keep things simple. Check out the following post if you want to add Preshared keys.

How to Create a Preshared Key for Wireguard

Here is how we will want our routers set up. The WireGuard PtP IP is the IP addresses used on both ends of the tunnel. The WAN IP is the IP of each Router. Local IP on Host B is setup to distribute DHCP.

Host A

WAN IP: 172.16.0.1
WireGuard PtP IP: 10.1.1.1/30

Host B

WAN IP: 10.0.0.2
WireGuard PtP IP: 10.1.1.2/30
Local IP: 192.168.0.1/24

We need Host A to be able to access Private IP’s (192.168.0.0/24) behind Host B.

We’ll pretend that the 172.16.0.1 address is a public IP, and Host B, is behind some sort of NAT network.

To create the Point-to-point, or PtP, we will create a WireGuard VPN tunnel, and then add routes from Host A to Host B.

For each Mikrotik we need to create a WireGuard interface, and then a peer. One of the peers needs a keep alive if we are behind a NAT.

Wireguard Setup Overview

Here is an overview screenshot of what our WireGuard settings will look like. Host A is on top, and Host B on the bottom. On the left are the WireGuard interfaces, and the right contains the Peers.

We copy the Public Key from the remote WireGuard interface, to the Public Key on the local Peer. I.e. The Host_B Peer contains Host_A’s Interface Public Key and vice verse

Host A

If you want to, you can use the WinBox GUI to setup and configure the router.

Create the WireGuard interface

 /interface/wireguard/add name=wireguard-Host_A disabled=no

Add IP address 10.1.1.1/30 to the newly created WireGuard Interface in /IP/Address

/ip/address/add address=10.1.1.1/30 interface=wireguard-Host_A disabled=no

Create WireGuard Peer, WireGuard -> Peers

  • Select the WireGuard interface,
  • In the Allowed Addresses, put 10.1.1.0/30 and 192.168.0.0/24*.
  • Finally, put in the Public Key from Host B.
    Note that we can’t do this until we create the WireGuard Interface on Host B, so you’ll need to come back for this step.
interface/wireguard/peers/add interface=wireguard-Host_A public-key=HOST_B_WG_PUBLIC_KEY allowed-address=10.1.1.0/30,192.168.0.0/24

Add route for 192.168.0.0/24 to point to 10.1.1.2

/ip/route/add dst-address=192.168.0.0/24 gateway=10.1.1.2

*The Allowed Address sets which addresses work on the other side of the tunnel. If we don’t specify 192.168.0.0/24, then we won’t be able to route to those addresses. If we don’t add 10.1.1.0/30, then our tunnel won’t work at all. Since we only need to route to the 192.168.0.0/24 network from the Host A side, we don’t need this IP range on Host B.

Host B

Create the WireGuard interface, WireGuard -> Add

 /interface/wireguard/add name=wireguard-Host_B disabled=no

Add IP address 10.1.1.2/30 to the newly created WireGuard Interface in /IP/Address

/ip/address/add address=10.1.1.2/30 interface=wireguard-Host_B disabled=no

Create a WireGuard Peer, WireGuard -> Peers

  • Select the WireGuard interface,
  • In the Allowed Addresses, put 10.1.1.0/30
  • Finally, put in the Public Key from Host A.
/interface/wireguard/peers/add interface=wireguard-Host_A public-key=HOST_A_WG_PUBLIC_KEY endpoint-address=172.16.0.1 endpoint-port=13231 allowed-address=10.1.1.0/30 persistent-keepalive=00:00:30

Conclusion

That should be it. Verify that there is a connection. From Host A, ping 192.168.0.1 or any other remote device.

Troubleshooting

Unfortunately, there appear to be some wonky bugs with WireGuard on RouterOS. It does appear to be getting better, but here are a couple things to check if the tunnel is not connecting.

  1. Verify that the Firewall is not blocking WireGuard. You can allow the WireGuard port in the Firewall.
  2. Try disabling and re-enabling the Interfaces and/or Peers
  3. Verify that all the routes for the PtP are in /ip/routes. If not, try manually adding the route (10.1.1.0/30) on the WireGuard interface on both routers.
  4. Add a keep alive if a router is behind a firewall/NAT.
  5. Reboot and or Upgrade the RouterOS version and firmware.

Configure SNMPv3 on Cisco Router

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-16/snmp-xe-16-book/nm-snmp-cfg-snmp-support.html

How to configure SNMP v3 on Cisco Switch, Router, ASA, Nexus (bestmonitoringtools.com)

Enter configuration mode

enable
conf t

Everything in bold you should look at changing.

snmp-server view ViewDefault iso include
snmp-server group GroupName v3 priv read ViewDefault
snmp-server location address
snmp-server user MyUsername GroupName v3 auth sha AuthPass1 priv aes 128 PrivPass

Exit and save changes

exit
write

Now we can verify the snmp details with

show snmp

Setup Remote Syslog on Cisco

Configure Logging

First we need to drop into configuration mode

conf t

Now we run the following command. Change ip-address to the address of you remote syslog server.

logging host ip-address

You will want to make sure that your time/timezone is correct.

https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-logging-in-cisco-ios/ta-p/3132434

Set timezone

Change UTC and 0 to your your timezone and how many hours off UTC you are. For example for EST you would do EST -5

clock timezone UTC 0

Cisco, Reload in X Minutes and Canceling

Cisco’s can be rebooted with the reload command. The reload command allows you to specify how many minutes like

reload 5

to reload in 5 minutes. We can also reload at a specific time. For instance

reload 13:30

will reload the router at 1:30PM.

For a Cisco config to remain permanent, we have to “write” i.e. save the config. By default, making changes, for instance an IP address on an interface, will get wiped on a reboot or reload.

We can take advantage of this behavior to “test” changes on a Cisco router.

Example:

  1. Run the command “reload 10” to reboot the router in 10 minutes. The plan is to cancel the reload after making sure our changes work
  2. Make the needed changes to the Router.
  3. After verifying that everything is working, run the “reload cancel” command to cancel the reload
  4. Now we can run “write” to save our new config

To recap reload 10 will reload a router in 10 minutes
If we loose access to the router while making changes, once 10 minutes has expired, the router will reload, returning it to the last know working state.
The reload cancel command will cancel the reload.
write will make our config persistent across reboots/reloads

https://superuser.com/questions/1080513/cisco-router-auto-restart-in-x-seconds

Simple OSPF between Mikrotik Routers

https://help.mikrotik.com/docs/display/ROS/OSPF

Setting up OSPF between Mikrotik routers is not too difficult. The following commands should work with RouterOS version 7+. Run these commands on each Mikrotik changing out the router-id.

Create a Loop-back interface

First it would be a good idea to create an loopback interface that will stay up. We’ll use this address as the router-id. This should be unique per router.

/interface/bridge/add name=loopback
/ip/address/add address=1.2.3.4 interface=loopback

Now lets setup OSPF.

Create OSPF Instance

First we’ll create the instance. Use the address from the above loopback address. Technically you can use whatever id you want as long as it is a 32 bit “address” and is unique.

/routing/ospf/instance/add name=default router-id=1.2.3.4

IMPORTANT NOTE: If this router is also the default gateway, you’ll need to specify the “originate-default=always” option to share the default gateway over OSPF to the other routers. You don’t have to do this if you don’t want to share the default route.

Create OSPF Area

Now we can create an OSPF area. For a simple OSPF setup, we’ll just use the default 0.0.0.0 area.

routing/ospf/area/ add name=default area-id=0.0.0.0 instance=default

Create Instance

Now we can add an instance. This is responsible for what networks get shared with OSPF. If you want to do all the addresses on the router, then use 0.0.0.0/0. If you only want to do specific networks, run an entry for every network, changing 0.0.0.0/0 to the network of interest.

/routing/ospf/interface-template/add networks=0.0.0.0/0 area=default

Wrapping Up

After that we can check to make sure things worked.

/routing/ospf/neighbor/print

You should see at a neighbor. It can take a little bit for the neighbors to show up.

You can also check the routes on the router.

/ip/route/print

OSPF has a default distance of 110, so checking the routes is a quick way to verify the routes are getting updated. Do note that if you have a static route in with a lower distance, that will take precedence over OSPF.

RSTP Alternative Port vs Backup Port

The following is some basic info on STP and RSTP. This list is not comprehensive. Refer to the link at the bottom of the page for more in depth details.

RSTP Priority

Default Priority is 32768 + VLAN ID

For example, if we are using vlan 10, then our default priority is 32768 + 10 = 32778

RSTP Priority can be set from 0 – 61440 in increments of 4096.

RSTP Port Roles

Ports can fill 1 of 4 roles.

Port RoleDescription
Root PortPort closest to the Root Bridge (Switches going to the Root switch)
Designated PortPorts going away from the Root Bridge (To clients)
Alternate PortA “backup” port for the Root port. If the Root Port fails, this port takes over
Backup PortEssentially a backup port for the designated port
RSTP Port Roles

RSTP Port States

A port can be in one of 3 states. Well technically 4 states if you include down/unplugged.

Port StateDescription
DiscardingPort discards packets (Alternate and Backup Ports)
LearningPort learns MACs and doesn’t forward data
ForwardingPort forwards data and learns MACs
RSTP Port States

RSTP Port Types

There are 3 port Types. Not to be confused with port States or Roles.

Port TypeDescription
Point to PointSwitch to Switch
Point to Point EdgeEdge of Network. Connected to a PC, Printer etc.
SharedHalf Duplex, Port connected to a Hub
STP/RSTP Port Types

RSTP Timers

There are three RSTP timers. STP has the same timers, but the MaxAge is 10 seconds, and the Forward Delay is used for both Learning and Listening states which takes a total of 30 seconds to complete.

Timer NameDefault ValueDescription
Hello Timer2 SecondsTime between Hellos created by Root
MaxAge6 Seconds (Hello Timer * 3)How long a Switch should wait before trying to readjust the network
Forward Delay15 SecondsDelay used for Learning/Listening in STP. Shouldn’t be necessary if legacy bridges are not used.
RSTP/STP Timers

Port Cost

There are technically two types of cost. The newer cost values were introduced so we could use faster ethernet speeds.

By default Cisco switches use the old cost values, but they can be changed to use the new ones.

spanning-tree pathcost method long
Ethernet SpeedOld CostNew Cost
10 Mbps1002,000,000
100 Mbps19200,000
1 Gbps420,000
10 Gbps22000
100 GbpsN/A200
1 TbpsN/A20
STP/RSTP Path Cost

More information can be found at the following link.

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24062-146.html

How to Stop a Continuous Ping on Cambium Radio

The Cambium equipment comes with a nice little ping utility when you SSH to it. Very simple to use. Maybe we should say too simple.

usage: ping <host>
       ping -n <count> <host>
                count = 0 for continuous ping

So if I want to continuously ping a website, say incredigeek.com, I can put in the following

ping -n 0 incredigeek.com

Hit return and we are off to the races. But wait. I can’t get it to stop. Ctrl + C, doesn’t do anything, Ctrl + D or Ctrl +Z don’t help either.

Okay well fine. We’ll launch another terminal and ssh into it again and see what we can do. Excellent, now we are in aaand… wait… why are the ping results showing up here too? Help!!!

Buried in the heart of the helpful help command are these lines.

       ping -- Send ICMP ECHO_REQUEST packets to network hosts
    pingend -- End ICMP ECHO_REQUEST packets to network hosts

You don’t say. Well lets try typing in pingend with all the commotion going on in the terminal.

SSH+> pingend
Ping statistics for 142.250.191.206:
        Packets: Sent = 3, Received = 3, Lost = 0 (0% loss)

Well good to know. Saves having to reboot the device.