Create Certificate on Mikrotik – WinBox

Posted on February 25, 2020 by admin

Create Certificates

Open up the Certificates window by going to /System -> Certificates. Hit the + to add a new certificate

Create Certificate Authority Certificate

First we are going to create a Certificate Authority template

Specify the key usage to “crl sign” and “key cert. sign” and apply

Setup Server Certificate

Now we are going to create a server template

We need to specify “Digital signature, key encipherment, and tls server” You may need to enable/disable more depending on your use case scenario. In this case we are setting it up for OpenVPN.

Sign Templates

First we need to sign the ca-template by opening up the the Certificate and hitting Sign on the right hand side. Should get the little Sign window pop up.

Progress will show done when it is finished signing.

Next we need to sign the server-template. When Signing the server template, specify the ca-template in the CA: field. See below

Move multiple VLANs between two interfaces – Mikrotik

Posted on February 6, 2020 by admin

Move VLANs with foreach

Move all the VLANs under ether7 to ether6. Instead of an “=” sign, you can use a “~” to do a partial match.

foreach i in=[/interface vlan find where interface="ether7"] do={interface vlan set interface=ether6-master-local  $i }

Move IP address to new port programmatically

Move ip address from ether6 to ether7. Change 192.168.88.1/24 to the address and the find command will find it regardless of the port and assign it to ether6 or whichever port is specified.

ip address set interface=ether6-master-local [find address="192.168.88.1/24"]

Using Delay

You can add a delay before a command runs by specifying delay and then the time to wait.

delay 60

Use the ; to separate commands. Example below, wait 5 seconds then print the ip addresses.

delay 5 ; ip address print

Putting it all together

The following command/s will wait 60 seconds then move all the VLANs on ether7 to ether6 and then move the 192.168.88.1/24 address to ether6.

delay 60 ; foreach i in=[/interface vlan find where interface="ether7"] do={interface vlan set interface=ether6-master-local  $i } ; ip address set interface=ether6-master-local [find address="192.168.88.1/24"]

Mikrotik – bridge port received packet with own address as source address (), probably loop

Posted on February 5, 2020 by admin

Sometime the following warning can show up in the log.

10:48:45 interface,warning ether2: bridge port received packet with own address as source address (74:4d:28:69:89:9d), probably loop

Check and verify that your interface MAC addresses are unique. VLANs look to be the exception as they should share the MAC address of the interface the VLAN is on.

More information in this thread.
https://forum.mikrotik.com/viewtopic.php?p=583064#p703228

Mikrotik RouterOS – VLAN notes

Posted on January 22, 2020 by admin

https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

VLAN successfully passes through regular Ethernet bridges

https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching

https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration

DHCP offering lease without success issue with Mikrotik on the far side of Ubiquiti device.

Make sure that radio does not have the VLAN configured on just the WAN interface. Easiest way would be to put it in bridge mode and use the management VLAN.

Mikrotik RouterOS – “drop all from WAN not DSTNATed”

Posted on January 10, 2020 by admin

The default DSTNATed firewall rule keeps traffic from the WAN accessing LAN side IP addresses.

More info here

Printing the rules on a router with the default config should show the following.

;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-nat-state=!dstnat in-interface=ether1

If you are wanting to add the rule to a router, you can copy and past the following command. Replace in-interface=ether with your in interface.

/ip firewall add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface=ether1

Check if Mikrotik is an Open DNS Resolver

Posted on December 23, 2019 by admin

https://www.openresolver.com

You can test if a router is acting as an open DNS resolver by running the following command from a Linux terminal. If you need to install dig, refer to here for Debian/Ubuntu and here for RPM/CentOS/Fedora Distros.

Replace 192.168.88.1 with the host you want to test against.

dig +short test.openresolver.com TXT @192.168.88.1

If you receive the following

"open-resolver-detected"

The router is acting as an open resolver.

If you get

;; connection timed out; no servers could be reached

Then you are unable to use that router to resolve DNS.

Example running the command against a Mikrotik router with Remote DNS turned on Then adding a firewall rule to block unwanted request.

bob@localhost:~$ dig +short test.openresolver.com TXT @192.168.88.1
"open-resolver-detected"
bob@localhost:~$ 
<<-- Put firewall rule on router -->>
bob@localhost:~$ dig +short test.openresolver.com TXT @192.168.88.1
;; connection timed out; no servers could be reached  
bob@localhost:~$

Extra notes

If you have firewall rules allowing your IP address to use the router for DNS, then the above command to test will show it as an Open Resolver. Ideally you would want a connection from the outside to test. Or you can use this link and test it from the website. https://www.openresolver.com

SNMPv3 snmpwalk Mikrotik

Posted on July 16, 2019 by admin

Change AuthPass and CryptoPass to their respective passwords.
If needed, change MD5 to SHA1 and DES to AES.

 snmpwalk -v3 -a MD5 -A AuthPass -x DES -X CryptoPass -l authPriv -u privUser localhost

RouterOS upgrade firmware and version over SSH

Posted on June 27, 2019 by admin

Connect to Router over SSH

ssh admin@192.168.88.1

Check and install latest version of RouterOS. Will reboot the router. Need to hit Y to confirm upgrade.

system package update install

Upgrade routerboard firmware. Need to hit Y to confirm.

system routerboard upgrade
system reboot

Mikrotik Safe Mode

Posted on May 4, 2019 by admin

Safe Mode is a configuration fail safe for Mikrotik routers. If enabled and you make a change that disconnects your session to the router, whatever changes were made will be rolled back, which should let you get back in the router.

If your in WinBox you can hit the Safe Mode button at the top left

If your in a telnet or ssh session just hit

ctrl + x

You should see the following to let you know that safe mode is active

[Safe Mode taken]

Hit ctrl + x again to release Safe Mode

Mikrotik RouterOS view and set Simple Queue speeds

Posted on April 23, 2019 by admin

list all simple queues

queue simple print

Print queue that matches part of name

queue simple print where name~"John"

Example results

Flags: X - disabled, I - invalid, D - dynamic 
  0    name="John Smith" target=192.168.1.3/32 parent=none packet-marks="" priority=8/8 queue=sfq-up/sfq-down limit-at=0/0 
       max-limit=1M/10M burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1 total-queue=default

Change max speed on queue for client name. The Upload is specified first.

queue simple set max-limit=10M/100M "John Smith"

Incredigeek

Tag Archives: routeros