September 21, 2021

mikrotik

Mikrotik makes (among other things) lowish-cost routers, and RouterOS, which comes loaded on their router hardware. They also make wireless WiFi equipment for home users, WISPs, etc.

RouterOS works like many other routing OS implementations (Cisco, Juniper, Linux), but does it in a, um, Mikrotik way. That’s not bad, just different. Here are some basics:

Mikrotik setup

You can either use the GUI or ssh, but many of the howtos you’ll find on the Internet use the command line. The command line interface has a weird Linux-ish ssh interface that checks your command as you type it and changes colors depending on whether your command/syntax is correct or wrong. The ‘print’ command tells you about current settings, and Tab will help you auto-complete commands. Everything starts by typing ‘/’, which *sorta* puts you at / where all the commands are implemented. Sort of. Anyway, if you go to / and then start typing your command, it will do stuff.

what it is: what it does
default IP: 192.168.88.1
default username: admin
default password: none, just hit “enter”
reset to factory defaults: power off the unit FOR 30 SECONDS, then hold a paper clip in the hole on the back panel (depressing the switch) while plugging in the power cord. Keep it held in for around 5 seconds while it boots and the USER LED starts flashing. Now release the button to clear the configuration. Note: if you wait until the LED stops flashing and only then release the button, this will instead launch Netinstall mode, to reinstall RouterOS.

interfaces

to figure out what interfaces are doing what, do:

[admin@MikroTik] > /interface print                                            
  Flags: D - dynamic, X - disabled, R - running, S - slave 
   #     NAME                                                                     TYPE               MTU L2MTU  MAX-L2MTU
   0     ether1-gateway                                                           ether             1500  1598       4074
   1  R  ether2-master-local                                                      ether             1500  1598       4074
   2     ether3-slave-local                                                       ether             1500  1598       4074
   3     ether4-slave-local                                                       ether             1500  1598       4074
   4     ether5                                                                   ether             1500  1598       4074
   5     wlan1                                                                    wlan              1500  2290
   6  R  bridge-local                                                             bridge            1500  1598
   7  R  whateverbridgename                                                       bridge            1500 65535

bridges

to create a new bridge, you have to make sure your interfaces aren’t slaves to another bridge first, which you can do like:

/interface ethernet set ether4,ether5 master-port=none

now look at your bridges and then add your interface(s) to them

/interface bridge port print
/interface bridge port remove numbers=(the number it just showed you, not interface name)
/interface bridge port add bridge=whateveryoucalledit interface=ether5

Now you probably have to assign an IP/subnet to the bridge, which you do by creating a new IP > Address and selecting the bridge as the interface.

backup your config:

/export file=whateverbacknameyouwant

now you can either ftp it off, or just go to the GUI > Files > Download the file you just created with the command line export. This file has all your rules, settings and stuff in case you screw something up later.

routing

to make all the traffic from all interfaces go to the upstream router via ether1 (default, er, WAN), log in and do:

/ip route add dst-address=0.0.0.0/0 gateway=upstream.routers.i.p

rate limit an IP/subnet

this can be used either to limit a whole subnet, like all the people on 192.168.1.0/24 (all 255 of them), or a single address like 192.168.1.5/32 (that slash 32 means a single one). In this example, we limit 192.168.1.5 to 256K upload and 2M download speeds, and the user has to be plugged into ether2. Obviously, change these to suit your needs, because they will be different in your environment.

/interface bridge settings set use-ip-firewall=yes
/queue simple add name=something target-addresses=192.168.1.5/32 max-limit=256K/2M interface=all

or if you have a different version you might have to use this line instead:

/queue simple add name=whatever target=192.168.1.5/32 max-limit=256K/2M

manage Mikrotik from ether1/WAN via http

Depending on where your Mikrotik sits in your network, you may want the ability to manage it from a more untrusted network like ether1. Keep in mind this opens the plain-http web interface to whatever can reach ether1, so if you can, also fill in Src. Address with the network you manage from. If so, here are the steps (original reference):

    Click on IP, then Firewall, then Filter Rules.
    Click the Add button to add a new rule.
    Change Chain to input.
    Change Protocol to tcp.
    Change Dst. Port to 80.
    Click on the Action tab and make sure Action is set to accept.
    Click Comment and name it something like “remote management”.
    Click OK.
    MOST IMPORTANT RULE
    Your new Filter Rule will be at the bottom of the list.  Drag it up above the last “drop” rule from the default configuration.
    Filter Rules are matched in order. They start at the top and work through each one.  If your new rule is AFTER the “drop” rule, it will not work.

find cable problems

This command will tell you which cable has problems, which wires in that cable have problems, and how far away from your router the fault is, cool huh 🙂 In this example, the pairs are open 4 meters from your Mikrotik.

interface ethernet cable-test ether1
         name: ether1
       status: no-link
  cable-pairs: open:4,open:4,open:4,open:4

firewall rules

You probably should use the GUI if you’re new to this, but if you choose to add them via the command line, keep in mind you can totally lock yourself out of your box…everyone does that at least once 🙂 If you still want to try, here’s what you do. Keep in mind, if you’re not sure of each part of this command, after you type a word and then a space, hit the Tab key and it will give you all the options available. This is a lifesaver in the Mikrotik world 🙂

/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22

this command would allow you to talk to your box on port 22 from some remote place via ssh, for example. Use that specific port with caution, you have been warned… (adding src-address=your.admin.net to the rule limits who can reach it, and the rule still has to sit above the drop rule, as with the http rule above).
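Since both the GUI steps for the http rule and the ssh rule above depend on where the accept lands relative to the default drop rule, here is an added example (my own Python, not code from the original post or from Mikrotik) that models the input chain as a top-to-bottom first-match list. It shows the new rule being ignored when it is left at the bottom, working once it is moved above the drop, and narrowed with src-address= (a real filter parameter the page does not use) so only an admin network reaches the management port. The rule list, the packets and all addresses are constructed for illustration; the model accepts a packet that matches no rule, which is RouterOS behaviour for a chain that falls through.

```python
# Added example: a first-match model of the RouterOS "input" filter chain.
# Rules and packets below are constructed for illustration; field names follow
# the CLI keywords used on the page (chain, action, protocol, dst-port) plus
# src-address, a real filter parameter the page does not use.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    chain: str
    action: str                        # "accept" or "drop"
    protocol: Optional[str] = None     # e.g. "tcp"; None matches any protocol
    dst_port: Optional[int] = None     # None matches any port
    src_address: Optional[str] = None  # CIDR; None matches any source
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        if pkt["chain"] != self.chain:
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.dst_port is not None and pkt["dst_port"] != self.dst_port:
            return False
        if self.src_address is not None and ip_address(pkt["src"]) not in ip_network(self.src_address):
            return False
        return True

    def as_cli(self) -> str:
        """Render the rule the way the page adds it from the command line."""
        parts = [f"chain={self.chain}", f"action={self.action}"]
        if self.protocol is not None:
            parts.append(f"protocol={self.protocol}")
        if self.dst_port is not None:
            parts.append(f"dst-port={self.dst_port}")
        if self.src_address is not None:
            parts.append(f"src-address={self.src_address}")
        if self.comment:
            parts.append(f'comment="{self.comment}"')
        return "/ip firewall filter add " + " ".join(parts)


def evaluate(rules: List[Rule], pkt: dict) -> str:
    """Walk the chain top to bottom and return the action of the first match.
    A packet that matches nothing is accepted (the RouterOS default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


# Constructed stand-in for the default config: the LAN may talk to the router,
# everything else hitting "input" is dropped.
LAN_ACCEPT = Rule("input", "accept", src_address="192.168.88.0/24", comment="LAN to router")
DROP_REST = Rule("input", "drop", comment="default: drop everything else")
# The rule the GUI steps on the page create.
MGMT_HTTP = Rule("input", "accept", protocol="tcp", dst_port=80, comment="remote management")
# Same rule, limited to the network you actually manage from (constructed address).
MGMT_HTTP_SCOPED = Rule("input", "accept", protocol="tcp", dst_port=80,
                        src_address="203.0.113.0/24", comment="remote management, admin net only")

# A management connection arriving on ether1 from an arbitrary Internet host (constructed).
WAN_HTTP = {"chain": "input", "protocol": "tcp", "dst_port": 80, "src": "198.51.100.7"}


def new_rule_left_at_bottom() -> str:
    """Rule added but not dragged above the drop: the drop matches first."""
    return evaluate([LAN_ACCEPT, DROP_REST, MGMT_HTTP], WAN_HTTP)


def new_rule_moved_above_drop() -> str:
    """Rule dragged above the last drop, as the page says to do."""
    return evaluate([LAN_ACCEPT, MGMT_HTTP, DROP_REST], WAN_HTTP)


def scoped_rule_results() -> tuple:
    """With src-address set, only the admin network gets through; everyone else still hits the drop."""
    rules = [LAN_ACCEPT, MGMT_HTTP_SCOPED, DROP_REST]
    from_admin_net = evaluate(rules, dict(WAN_HTTP, src="203.0.113.9"))
    from_elsewhere = evaluate(rules, WAN_HTTP)
    return from_admin_net, from_elsewhere


if __name__ == "__main__":
    print(MGMT_HTTP.as_cli())
    print("left at bottom:", new_rule_left_at_bottom())
    print("moved above drop:", new_rule_moved_above_drop())
    print("scoped (admin net, elsewhere):", scoped_rule_results())
```

Running it prints the rule in the page's CLI form, then drop, accept, and ('accept', 'drop'): the same rule text produces opposite results depending only on its position, which is the "MOST IMPORTANT RULE" above in runnable form.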

port forwarding

This would be if you had a camera on your LAN that you wanted to view over the Internet. Obviously, change your ports to what you need:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=97.90.101.37 dst-port=560-564 protocol=tcp to-addresses=192.168.1.200
 
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=w.a.n.ip dst-port=6080 protocol=tcp to-addresses=lan.camer.a.ip
add action=dst-nat chain=dstnat dst-address=w.a.n.ip dst-port=6001 protocol=tcp to-addresses=lan.camer.a.ip
add action=dst-nat chain=dstnat dst-address=w.a.n.ip dst-port=6002 protocol=tcp to-addresses=lan.camer.a.ip

enable PoE

Sometimes it’s hard to find the settings in the web menu, so here is how to do it if you log in via ssh (I show default settings; change them to suit your environment if you need to). In the example I set interface #2 (which is really port 3/ether3, because they count from zero) to auto-PoE, which means it will detect whether there’s a PoE doo-dad attached and power it up, or just treat it like a regular port if you plug your laptop into it.

ssh admin@192.168.88.1
[admin@MikroTik] > /interface ethernet print           
Flags: X - disabled, R - running, S - slave 
 #    NAME                           MTU MAC-ADDRESS       ARP        MASTER-PORT                        SWITCH                       
 0    ether1-gateway                1500 00:0C:42:E9:AB:B7 enabled   
 1 R  ether2-master-local           1500 00:0C:42:E9:AB:B8 enabled    none                               switch1                      
 2  S ether3-slave-local            1500 00:0C:42:E9:AB:B9 enabled    ether2-master-local                switch1                      
 3 RS ether4-slave-local            1500 00:0C:42:E9:AB:BA enabled    ether2-master-local                switch1                      
 4  S ether5-slave-local            1500 00:0C:42:E9:AB:BB enabled    ether2-master-local                switch1 
[admin@MikroTik] > /interface ethernet set poe-out=auto
numbers: 2

set up a DHCP server

There is a default one set up, but there is a tasty wizard in case you want to do another/different one:

[admin@MikroTik] ip dhcp-server> setup
Select interface to run DHCP server on
 
dhcp server interface: ether1
Select network for DHCP addresses
 
dhcp address space: 192.168.0.0/24
Select gateway for given network
 
gateway for dhcp network: 192.168.0.1
Select pool of ip addresses given out by DHCP server
 
addresses to give out: 192.168.0.2-192.168.0.254
Select DNS servers
 
dns servers: 8.8.8.8
Select lease time
 
lease time: 3d
[admin@MikroTik] ip dhcp-server>

If the DNS server defaults to something strange, do:

ip dhcp-server network print
(note the first number, that’s the one you’d use next; mine is zero, meaning the first entry)
ip dhcp-server network set 0 dns-server=8.8.8.8
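As an added example (my own Python, not from the original post or from Mikrotik), here is a sanity check for the answers you would type into the wizard above, since a typo like 192.168.0254 or a pool that swallows the gateway is easy to make at a prompt. It validates the network, gateway, pool and DNS answers against each other and then renders the by-hand equivalent of what the wizard asks for: the /ip pool, /ip dhcp-server network and /ip dhcp-server commands. The three command templates are assumed to be the standard RouterOS way to do this by hand (verify against your version); the interface and address values are constructed.

```python
# Added example: validate a planned DHCP scope and render the non-wizard commands.
# Validation logic is my own; the three RouterOS commands are assumed standard
# (check them on your version). All sample values are constructed.
from ipaddress import ip_address, ip_network
from typing import List


def dhcp_plan_errors(network: str, gateway: str, pool: str, dns: List[str]) -> List[str]:
    """Return a list of problems with a planned scope; empty means it is consistent."""
    try:
        net = ip_network(network, strict=True)  # strict: "192.168.0.1/24" is rejected
    except ValueError as exc:
        return [f"bad network {network!r}: {exc}"]
    try:
        gw = ip_address(gateway)
    except ValueError:
        return [f"bad gateway address {gateway!r}"]
    try:
        lo_s, hi_s = pool.split("-")
        lo, hi = ip_address(lo_s.strip()), ip_address(hi_s.strip())
    except ValueError:
        # catches a typo like 192.168.0254 (octets run together) or a missing dash
        return [f"bad pool {pool!r}: expected first-last, e.g. 192.168.0.2-192.168.0.254"]

    errors = []
    if gw not in net:
        errors.append(f"gateway {gw} is not inside {net}")
    if lo not in net or hi not in net:
        errors.append(f"pool {lo}-{hi} is not inside {net}")
    if lo > hi:
        errors.append(f"pool start {lo} is after pool end {hi}")
    elif lo <= gw <= hi:
        errors.append(f"pool {lo}-{hi} includes the gateway {gw}")
    if lo == net.network_address or hi == net.broadcast_address:
        errors.append("pool includes the network or broadcast address")
    for server in dns:
        try:
            ip_address(server)
        except ValueError:
            errors.append(f"bad DNS server {server!r}")
    return errors


def render_dhcp_commands(interface: str, network: str, gateway: str, pool: str,
                         dns: List[str], lease: str = "3d", name: str = "dhcp1") -> List[str]:
    """By-hand equivalent of the wizard's questions (assumed standard commands)."""
    problems = dhcp_plan_errors(network, gateway, pool, dns)
    if problems:
        raise ValueError("; ".join(problems))
    pool_name = f"{name}_pool"
    return [
        f"/ip pool add name={pool_name} ranges={pool}",
        f"/ip dhcp-server network add address={network} gateway={gateway} dns-server={','.join(dns)}",
        f"/ip dhcp-server add name={name} interface={interface} address-pool={pool_name} lease-time={lease}",
    ]


if __name__ == "__main__":
    # The same answers the wizard session on the page uses.
    for line in render_dhcp_commands("ether1", "192.168.0.0/24", "192.168.0.1",
                                     "192.168.0.2-192.168.0.254", ["8.8.8.8"]):
        print(line)
    # The typo case is reported instead of silently producing a broken pool.
    print(dhcp_plan_errors("192.168.0.0/24", "192.168.0.1", "192.168.0.2-192.168.0254", ["8.8.8.8"]))
```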

SNMP / MRTG / RRD

SNMP can monitor Mikrotik health, interface speed, temperature, stuff like that. Turning that into a pretty graph you can use and trend with is an entirely different matter. First you have to find out what you want to monitor. Also, you have to set up a “Community” in IP -> SNMP (change the name to something besides “public”; with SNMP v1 that string is the only thing protecting read access, so treat it like a password) and check the box that says “Enable”. Then log in via ssh and do:

/system health print oid
  active-fan: .1.3.6.1.4.1.14988.1.1.3.9.0
     voltage: .1.3.6.1.4.1.14988.1.1.3.8.0
 temperature: .1.3.6.1.4.1.14988.1.1.3.10.0
 processor-temperature: .1.3.6.1.4.1.14988.1.1.3.11.0
/system health print
  voltage: 25.7V
  temperature: 47C

Now you at least know that if you want to graph voltage, you have to point mrtg/snmp at .1.3.6.1.4.1.14988.1.1.3.8.0 and it should tell you the voltage is 25.7VDC. If you want to check from your remote Linux box, do:

snmpget -v 1 -c whatevernameyousetup i.p.of.mikrotik .1.3.6.1.4.1.14988.1.1.3.8.0
  iso.3.6.1.4.1.14988.1.1.3.8.0 = INTEGER: 257

That means it’s reading the info from your Mikrotik box (the INTEGER 257 is the 25.7V that /system health print showed, reported in tenths of a volt). If you don’t get anything, stop here; the rest of your system won’t work until you fix your community string setup.
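To show what a poller does with that snmpget output before handing it to mrtg/rrd, here is an added example (my own Python, not from the original post or from Mikrotik). It maps the health OIDs printed above back to their names, scales the raw integers, raises simple threshold alerts, and treats an empty result the way the page does: as a community string or SNMP-enable problem to fix first. The sample lines are constructed (the voltage line is the one on the page); the voltage scale of tenths is taken from the page’s 257 vs 25.7V, and the same scale is assumed for the temperature OIDs, which you should confirm against /system health print on your own unit. The host and community string are placeholders.

```python
# Added example: parse snmpget output for the Mikrotik health OIDs on the page,
# scale the raw integers, and check them against thresholds. Sample output,
# host, community and limits are constructed.
import re
from typing import Dict, Iterable, List, Optional, Tuple

# OIDs exactly as "/system health print oid" lists them on the page.
HEALTH_OIDS = {
    "active-fan":            "1.3.6.1.4.1.14988.1.1.3.9.0",
    "voltage":               "1.3.6.1.4.1.14988.1.1.3.8.0",
    "temperature":           "1.3.6.1.4.1.14988.1.1.3.10.0",
    "processor-temperature": "1.3.6.1.4.1.14988.1.1.3.11.0",
}
OID_TO_NAME = {oid: name for name, oid in HEALTH_OIDS.items()}

# Scale factors. The page shows INTEGER 257 for 25.7 V, so voltage is tenths of
# a volt; the temperature OIDs are ASSUMED to use tenths of a degree as well
# (confirm against "/system health print" on your unit).
SCALE = {"voltage": 0.1, "temperature": 0.1, "processor-temperature": 0.1, "active-fan": 1.0}

# Matches both "iso.3.6.1..." (as on the page) and numeric ".1.3.6.1..." output.
LINE_RE = re.compile(r"^(?:iso|\.?1)\.(\d+(?:\.\d+)*) = INTEGER: (-?\d+)\s*$")


def snmpget_command(community: str, host: str, name: str) -> str:
    """The snmpget invocation from the page, for a named health value."""
    return f"snmpget -v 1 -c {community} {host} .{HEALTH_OIDS[name]}"


def parse_snmpget_line(line: str) -> Optional[Tuple[str, float]]:
    """Return (name, scaled value) for a health OID line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = OID_TO_NAME.get("1." + m.group(1))
    if name is None:
        return None
    return name, round(int(m.group(2)) * SCALE[name], 1)


def parse_health(lines: Iterable[str]) -> Dict[str, float]:
    """Collect every recognised health reading from a batch of snmpget output."""
    readings: Dict[str, float] = {}
    for line in lines:
        parsed = parse_snmpget_line(line)
        if parsed is not None:
            readings[parsed[0]] = parsed[1]
    return readings


def check_health(readings: Dict[str, float], limits: Dict[str, float]) -> List[str]:
    """Alert strings for readings above their limit. No readings at all means
    snmpget got nothing back, which the page says to fix before anything else."""
    if not readings:
        return ["no SNMP readings came back: fix the community string / enable SNMP first"]
    return [f"{name} {value} exceeds {limits[name]}"
            for name, value in readings.items()
            if name in limits and value > limits[name]]


# Constructed snmpget output: the voltage line is the page's, the rest are made up.
SAMPLE_OUTPUT = [
    "iso.3.6.1.4.1.14988.1.1.3.8.0 = INTEGER: 257",
    "iso.3.6.1.4.1.14988.1.1.3.10.0 = INTEGER: 470",
    "iso.3.6.1.2.1.1.3.0 = Timeticks: (12345) 0:02:03.45",  # sysUpTime, not a health OID: ignored
]
LIMITS = {"temperature": 60.0, "processor-temperature": 70.0}  # constructed thresholds

if __name__ == "__main__":
    print(snmpget_command("whatevernameyousetup", "192.0.2.1", "voltage"))
    readings = parse_health(SAMPLE_OUTPUT)
    print(readings)                           # {'voltage': 25.7, 'temperature': 47.0}
    print(check_health(readings, LIMITS))     # []
    print(check_health({}, LIMITS))           # the "fix your community string" case
```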
The Mikrotik forums are here, and the folks there are usually pretty helpful.