Tag Archives: routeros

Simple OSPF between Mikrotik Routers

Posted on by
Reply

https://help.mikrotik.com/docs/display/ROS/OSPF

Setting up OSPF between Mikrotik routers is not too difficult. The following commands should work with RouterOS version 7+. Run these commands on each Mikrotik changing out the router-id.

Create a Loop-back interface

First it would be a good idea to create an loopback interface that will stay up. We’ll use this address as the router-id. This should be unique per router.

/interface/bridge/add name=loopback
/ip/address/add address=1.2.3.4 interface=loopback

Now lets setup OSPF.

Create OSPF Instance

First we’ll create the instance. Use the address from the above loopback address. Technically you can use whatever id you want as long as it is a 32 bit “address” and is unique.

/routing/ospf/instance/add name=default router-id=1.2.3.4

IMPORTANT NOTE: If this router is also the default gateway, you’ll need to specify the “originate-default=always” option to share the default gateway over OSPF to the other routers. You don’t have to do this if you don’t want to share the default route.

Create OSPF Area

Now we can create an OSPF area. For a simple OSPF setup, we’ll just use the default 0.0.0.0 area.

routing/ospf/area/ add name=default area-id=0.0.0.0 instance=default

Create Instance

Now we can add an instance. This is responsible for what networks get shared with OSPF. If you want to do all the addresses on the router, then use 0.0.0.0/0. If you only want to do specific networks, run an entry for every network, changing 0.0.0.0/0 to the network of interest.

/routing/ospf/interface-template/add networks=0.0.0.0/0 area=default

Wrapping Up

After that we can check to make sure things worked.

/routing/ospf/neighbor/print

You should see at a neighbor. It can take a little bit for the neighbors to show up.

You can also check the routes on the router.

/ip/route/print

OSPF has a default distance of 110, so checking the routes is a quick way to verify the routes are getting updated. Do note that if you have a static route in with a lower distance, that will take precedence over OSPF.

Mikrotik Script – Send Webhook when Power Fails on PSU

Posted on by
Reply

The goal for this script is to alert us if a remote site looses power. We can do this using a Mikrotik that has two PSUs. One is plugged into battery backup and the other in the non battery plug.

In this example, we are using PSU2 “number 8” We can find the number using 

/system/health/print

We can now create a new scheduler entry with the following. Change out the number 8 to your PSU number, and change the webhook to your Teams webhook.

:local curState [system/health/get value-name=value  number=8]
:local name [/system/identity/get value-name=name]
:local webhook "https://teams.webhook.microsoft.com/webhook/more"

if ($curState != $lastState) do={
if ($curState = "ok") do={
/tool fetch http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"$name : Power is on.\"}" url="$webhook"
}
if ($curState != "ok") do={
/tool fetch http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"$name : Power is off.  On battery backup\"}" url="$webhook"
}
:global lastState $curState
}

Set to the appropriate interval (i.e. 5 minutes). The script will only alert once when the power state changes. This minimizes receiving an alert every 5 minutes while the power is off.

Mikrotik DHCP Scripts

Posted on by
Reply

The purpose of these scripts is to update the local DHCP lease table with a remote IP Address Management (IPAM) system.

Scheduler Script

This little script is added to the scheduler and goes through the entire DHCP lease table and uploads each MAC address and IP address pair to a website.

Change out the top three variables. May also need to change out the URL depending on how the website receives data.

:local url "upload.incredigeek.com"
:local username "myapiuser"
:local password "passwordforapiuserwebsite"

/ip/dhcp-server/lease/
:foreach i in=[find] do={ :put ([get $i address]." ".[get $i mac-address])
:local ipaddress ([get $i address])
:local macaddress ([get $i mac-address])
/tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$ipaddress&mac_address=$macaddress&expired=0" mode=https keep-result=no user=$username password=$password
:delay 1s;
}

DHCP Script

This script is to be used on the DHCP server script. Can add it by going to DHCP Server -> DHCP -> Double Click Server -> Script

Any time a new DHCP lease is obtained, this script is fired. Note that some of the variables like $leaseBound are specific to the script being used by the “DHCP server”

Also helpful to note that the script only runs if a new lease is obtained, or a lease expires and it disappears from the leases page. A DHCP renew does not trigger the script. 

:local username "myapiuser"
:global password "myapipassword"
:global url "upload.incredigeek.com"

# The maximum retries
:local max 60
:local attempts 0
:local success 0
:do {
  :set attempts ($attempts+1);
  :if ($leaseBound = 0) do {
    :do {
      /tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$leaseActIP&mac_address=$leaseActMAC&expired=1" mode=https keep-result=no user=$username password=$password
      :set success 1;
    } on-error={
      :log error "DHCP FAILED to send unassignment to $url on attempt $attempts out of $max for $leaseActMAC / $leaseActIP";
      :delay 10s;
    }
  } else {
    :delay 1s;
    # see note below
    :local remoteID [/ip dhcp-server lease get [find where address=$leaseActIP] agent-remote-id];
    :do {
      /tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$leaseActIP&mac_address=$leaseActMAC&expired=0" mode=https keep-result=no user=$username password=$password
      :set success 1;
    } on-error={
      :log error "DHCP FAILED to send assignment to $url on attempt $attempts out of $max for $leaseActMAC / $leaseActIP";
      :delay 10s;
    }
  }
  :if ($success) do {
    :log info "DHCP lease message successfully sent $leaseActMAC / $leaseActIP to $url";
    :set attempts $max;  # break out of the do..while loop
  }
} while ( $attempts < $max )
}

Send Post Webhook Message to Teams from Mikrotik RouterOS

Posted on by
Reply

The following is the correct syntax needed to send a message to Microsoft Teams from a Mikrotik router. You will need a valid Teams webhook to send to.

Change “Test Message” out for your message. You should receive a “status: finished” response.

/tool fetch http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"Test Message\"}" url=https://domain.webhook.office.com/webhook/long/string

https://help.mikrotik.com/docs/display/ROS/Fetch

Hardening SSH on Mikrotik Routers

Posted on by
Reply

Here are the commands you’ll need to harden SSH on your Mikrotik Routers. It looks like it still can use SSH-RSA, but it does get rid of most of the weaker crytpo algorithms.

/ip/ssh/set strong-crypto=yes allow-none-crypto=no always-allow-password-login=no host-key-size=4096

We’ll want to regenerate the Host Key now that the settings have been changed.

/ip/ssh/regenerate-host-key

It will prompt to enter [y/N] to confirm that you actually want to regenerate the host key. Hit y

After your done, you can use something like ssh-audit to check your equipment.
https://www.ssh-audit.com/

Further hardening information is available at the following link.
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

Configure MikroTik Router as WireGuard VPN Appliance

Posted on by
Reply

You may need to upgrade your MikroTik if the WireGuard options are not available.

Quick overview of setting up a MikroTik Router as a VPN appliance.

  1. Configure WireGuard Interface on MikroTik Router
    1. Copy interface public key
    2. Add IP address on WireGuard interface
  2. Create WireGuard client config
    1. Use above interface public key
    2. Copy the client Public Key
  3. Create a WireGuard Peer on the MikroTik Router
    1. Use client Public Key
    2. Assign proper IP address

Configure WireGuard on Router

First we need to create a WireGuard interface to use.

/interface/wireguard add listen-port=51820 mtu=1420 name=wireguard1

We’ll need to copy the public key, shown in the following command, for use in the client config.

/interfaces/wireguard print

Next we’ll configure an IP address/range for the new WireGuard interface. 

/ip/address add address=192.168.1.1/24 network=192.168.1.0 interface=wireguard1

Configure WireGuard Client

Download and install the WireGuard application on your computer or phone.

Create an empty config (Ctrl +N), click edit, add the following. 

Address = 192.168.1.2/24
DNS = 9.9.9.9

[Peer]
PublicKey = ReplaceWithInterfacePublicKeyFromMikrotik
AllowedIPs = 0.0.0.0/0
Endpoint = endpointip:51820

Here is a screenshot as an example. We need to copy the public key. We’ll use that when we create the peer.

Configure WireGuard Client

Create WireGuard Peer

Now lets create a peer. Back on the MikroTik, run the following command. Change the allowed address and public key.

/interface/wireguard/peers add allowed-address=192.128.1.2/32 interface=wireguard1 public-key="PublicKeyFromClientCreatedInNextStep"

Note that the 192.168.1.2/32 is important. If you have multiple clients connected and one of them is setup with a /24 instead of a /32, it will cause issues. I think this is because WireGuard tries to route the whole /24 over that peer.

Also note that you can not use DHCP with WireGuard. Each client will have a static IP address assigned in the config. In this example, 192.168.1.2.

You should now be all set up and able to connect from your device.

Troubleshooting

Some issues you may run into.

Unable to have two devices connected at the same time.

First, you’ll need to have one Peer per Client connection. Either that, or do not connect at the same time.

Second, check and verify that each peer has the ClientIP/32 in the Allowed Address.

For example, if the WireGuard interface is using 192.168.1.0/24, and one of the peers has 192.168.1.4/24 in the Allowed Address option, then only one client will work. It appears that the MikroTik will attempt to route all 192.168.1.0/24 request to 192.168.1.4.

Get list of IP DHCP Leases from Mikrotik RouterOS Command Line

Posted on by
Reply

Sometimes it is nice to have a list of just the IP addresses and the hostname or mac address. Can be especially helpful when you are trying to get a list of devices to do a bulk update in LibreNMS. Helpful LibreNMS links for renaming and showing down devices

we are going to run the command to pull the DHCP information and then use Unix utilities to parse the data out.

Replace dhcp8 with the correct dhcp server in the mikrotik.

First, SSH into your Mikrotik router.

ssh user@mikrotik

Next we’ll want to go to the ip dhcp-server lease directory

/ip dhcp-server lease

Now we can run the following command to loop through and pull out all the info we need.
You can change the info like “mac-address” for something like “status”. You can use Tab to see what options are available. Just delete mac-address and hit tab twice.

:foreach i in=[find] do={ :put ([get $i address].",".[get $i mac-address].",".[get $i server].",".[get $i host-name ])}

Found the above helpful info from the following pdf file.

https://mum.mikrotik.com/presentations/PH18/presentation_5113_1516612695.pdf

Troubleshooting DNS CPU Usage on Mikrotik Router

Posted on by
Reply

Problem : Lots of CPU utilization. Profile shows a good bit of it is DNS related.

DNS eating CPU on Router

The router is setup to allow DNS to pass through to web servers so rDNS and other records can be looked up and resolved. This is a specific IP block that gets it’s addresses from the router. The firewall rules explicitly allow this address range. We’ll say 192.168.88.0/24, and blocks everything else. This works for the web servers. But why are we still getting a bunch of CPU utilization with DNS?

As it turns out, the firewall rule that allows the server address range also includes routers own address! So we have unintentionally whitelisted DNS access to our router.

To resolve the issue we can add another firewall rule that explicitly blocks DNS traffic to the routers IP address. We are using two rules, one to block TCP and the other UDP.

ip firewall filter add chain=input dst-address=192.168.88.1 protocol=6 dst-port=53 in-interface-list=WAN action=drop
ip firewall filter add chain=input dst-address=192.168.88.1 protocol=17 dst-port=53 in-interface-list=WAN action=drop

Rules 6 & 7 are the two new rules we just applied. 14 & 15 block input to the router, however rules 8 & 9 inadvertently allowed access to the router’s public IP.

Firewall Rules for Router

The Result? Our CPU usage dropped!

CPU Usage dropped after adding DNS firewall rules.

Quite dramatically too as the following LibreNMS screenshot shows.

LibreNMS CPU graph showing the overall CPU utilization improvement

For more information about DNS Amplification attacks, refer to the following links.

https://ask.wireshark.org/question/6865/dns-amplification-attack/
https://security.stackexchange.com/questions/237127/why-would-hackers-attack-a-dns-server-with-a-dos

How To setup a L2TP vpn in Mikrotik

Posted on by
Reply

Open up PPP and select L2TP Server. Set it to Enabled, set IPsec to yes, and set the IPsec secret.

Add L2TP Server

Next go to PPP -> Profiles and modify the default-encryption one. You can setup an IP Pool to use for the VPN clients when they connect.

Setup Profiles

Next go to the PPP -> Secrets and configure the user to connect.

Setup User

Setup your VPN client and connect.