Some links for MikroTik tips and scripts
Posted by jpluimers on 2017/04/25
MikroTik has great hardware, but getting things to work can be a bit ehm intimidating.
So here are some links that were useful getting my CCR1009 and CRS226 configurations to do what I wanted.
- Saving your configuration (two possibilities: binary backup file which only works on the same physical model device, or text based configuration export script that you can import back to any model).
- When you import a configuration, those settings are added to your current configuration.
- If your configuration gets more complex, it pays to split the textual exports into logical blocks so you can import each of them individually.
- You can even put the downloaded exports into a version control system like Git or SVN.
- The exported configurations are stored in the file system. You cannot manually rename these files, but there is a scripting trick to perform the rename.
- You can download the exported configurations from the UIs in webfig, winbox or through sftp after configuring certificate logon.
- Choosing ports for WAN and LAN
- On the CCR1009, the first 4 ports can be used for switching (see also other ref), so it makes sense using those for LAN and others for WAN as it can increase speed: CCR 1009 switch chip menu – MikroTik RouterOS
- Just look at the block diagrams of the various CCR1009-8G-1S models (currently CCR1009-8G-1S-PC, CCR1009-8G-1S-1S+, CCR1009-8G-1S-1S+PC) as they all have the first four ports connected to an Atheros 8327 Gigabit Switch chip.
- All ports of the CRS226 models (CRS226-24G-2S+RM and CRS226-24G-2S+IN) are connected through the combined QCA8519-AC2C switching and CPU chip.
- Note that the switching chips won’t allow for Torch. But you can find the MAC addresses per physical switch ports in the unicast FDBs: Switch -> Unicast FDB shows you every mac and the physical port it is connected to.
- Never ever use the domain named .local for your local domain if you have Apple devices in your network:
- Many people like Winbox because they prefer visual configuration. Others like the web or terminal interface better (the terminal is especially useful for scripts)
- Windows Winbox: MikroTik Routers and Wireless: Downloads
- Mac OS X Winbox: “Winbox” by MikroTik with Wine in order to make it usable on Mac – Joshaven.com
- Manual:First time startup – MikroTik Wiki (default password for admin is empty; WinBox and web-interface are available on WAN *and* LAN interfaces!)
- One of the first things I did was binding some ports to use LAN and others to use WAN. The LAN ports are in a bridge: Configure one port for WAN and others for LAN – MikroTik RouterOS
- Manual:IP/DHCP Server – MikroTik Wiki and Manual:IP/Pools – MikroTik Wiki
- I had a lot of DHCP entries on my LAN before switching to the MikroTik for which some I wanted to add statically. Couldn’t find out how to do that in the IP pool, but it appeared there is a different way to do it:
- Assign fixed / static IP address via Mikrotik DHCP server
- Notes:
- the MAC address can be either colon (:) separated or minus (-) separated. And yes: there is a RegEx for that.
- usually you don’t pass the client-id (it’s here just as an example that you could use it, but most DHCP clients do NOT use a client-ID, as they only use the MAC address)
/ip dhcp-server lease add address=192.168.100.10 mac-address=70:F1:A1:D1:49:49 client-id="client10"
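As an added example (my own code, not from the post or from MikroTik), a small Python helper that takes a host list like the one the post describes, validates each MAC with a regex that accepts both colon- and dash-separated forms, normalizes it, refuses duplicate addresses or MACs, and emits the `/ip dhcp-server lease add` lines, leaving client-id out unless one is given. The sample host list is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Accept colon- or dash-separated MACs (the two forms the post mentions).
# The backreference \1 forces one separator style per address.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

@dataclass
class StaticLease:
    address: str        # IPv4 address to hand out
    mac: str            # colon- or dash-separated
    client_id: str = "" # usually empty: most clients identify by MAC only

def normalize_mac(mac: str) -> str:
    """Validate a MAC and return it upper-case and colon-separated."""
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.upper().replace("-", ":")

def lease_command(lease: StaticLease) -> str:
    """Build one '/ip dhcp-server lease add' line for RouterOS."""
    addr = ipaddress.IPv4Address(lease.address)  # raises on bad input
    parts = [
        "/ip dhcp-server lease add",
        f"address={addr}",
        f"mac-address={normalize_mac(lease.mac)}",
    ]
    if lease.client_id:
        parts.append(f'client-id="{lease.client_id}"')
    return " ".join(parts)

def lease_script(leases) -> str:
    """Emit an importable script fragment, refusing duplicate IPs or MACs."""
    seen_addr, seen_mac, lines = set(), set(), []
    for lease in leases:
        mac = normalize_mac(lease.mac)
        if lease.address in seen_addr or mac in seen_mac:
            raise ValueError(f"duplicate lease: {lease.address} / {mac}")
        seen_addr.add(lease.address)
        seen_mac.add(mac)
        lines.append(lease_command(lease))
    return "\n".join(lines) + "\n"

# Constructed sample input (not real hosts): the first entry mirrors the
# post's own example, the second shows the dash-separated form.
SAMPLE = [
    StaticLease("192.168.100.10", "70:F1:A1:D1:49:49", "client10"),
    StaticLease("192.168.100.11", "70-f1-a1-d1-49-4a"),
]
```

The output of `lease_script(SAMPLE)` can be pasted into the terminal or saved as an .rsc file and imported like any other export.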
- Manual:IP/DNS – MikroTik Wiki
- If you use the MikroTik as a caching DNS server, then you need to enable “/ip dns set allow-remote-requests=yes”, but also immediately disable DNS TCP and UDP on all your WAN ports. See:
- Client DNS issue (reddit)
- Firewall filter rules for DNS – MikroTik RouterOS
/ip firewall filter
add chain=input protocol=tcp dst-port=53 action=drop in-interface=!bridge_lan
add chain=input protocol=udp dst-port=53 action=drop in-interface=!bridge_lan
- If you run your internal DNS servers for the outside world, modify the rules to forward non-LAN ports; see https://www.youtube.com/watch?v=X-wkLYKYaj8: How to redirect DNS to own DNS server using mikrotik routerboard
- You can add static DNS entries to your caching server; see https://www.youtube.com/watch?v=zDEx7TxCm1s: Mikrotik Training- Static DNS Entries (With Closed Captioning)
- nslookup on the MikroTik itself is called put [:resolve ...]; syntax: nslookup on Mikrotik – MikroTik RouterOS
- Examples (the first uses the internal DNS, the second one uses one of the Google DNS servers):
put [:resolve shell.xs4all.nl]
put [:resolve shell.xs4all.nl 8.8.8.8]
put [:resolve 194.109.21.9]
- tolaris.com · Synchronising DHCP and DNS on Mikrotik routers (script available on Github: Tolaris/mikrotik-dns-dhcp).
- Hardening (since my Guest WiFi is outside of the MikroTik LAN and WAN realm, I’ve left some things open, for instance MAC service is available, but on a limited set of interfaces):
- Router Hardening — Manito Networks
- Not sure if disabling Neighbour discovery is a good thing, as it will disable this from the console as well
/ip neighbor print
- Blacklist Filter update script – MikroTik RouterOS
- As the above is much better maintained it is preferred over Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Availalable GRATIS! – MikroTik RouterOS
- Manual:Upgrading RouterOS – MikroTik Wiki
- Manual:IP/Route – MikroTik Wiki (if you think routing is a massive topic, read about firewall rules).
- Not sure this is a good idea, but you can get a DDNS address in the sn.mynetname.net domain and VPN to it (for instance using PPTP): Quick Set Home AP — How to use vpn provided? – MikroTik RouterOS
- You need to set up both the clock (date/time) and SNTP in one step:
- Setup SNTP (Winbox) aka NTP (shell):
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
After a few seconds Winbox will update the SNTP Client dialog, and a few seconds later the Clock dialog will also update itself.
- Manual:IP/Firewall/NAT – MikroTik Wiki
- dstnat: Forwarding a port to an internal IP – MikroTik Wiki and https://www.youtube.com/watch?v=8sGL58AhQCQ: Mikrotik Training- Port Forwarding (With Closed Captioning)
- srcnat: getting NAT to work
- Hairpin NAT – MikroTik Wiki
- netmap vs srcnat/dstnat: IP Firewall rules, need help with optimization – MikroTik RouterOS
- I like these ones as they use Winbox:
- Sharing Ideas … Mikrotik with Kannel/playSMS
- Connect CCR1009 with CSR226 over a longer distance than 3 meter – MikroTik RouterOS
- Graphing: ensure you only limit this to IP-addresses that you want graphs to be visible on (0.0.0.0/0 makes it visible to ALL): Manual:Tools/Graphing – MikroTik Wiki
- DNS – MikroTik RouterOS: I would like to have my router to stop all the DNS coming from my clients and not reaching my ISP provider.
- Email sending can now also use the DNS-name of the SMTP server: Why does the email server configuration only allow IP-addresses? – MikroTik RouterOS
- Dynamic DNS Update Script for No-IP DNS for Router OS V.6.7 – MikroTik RouterOS
- Script for Ransomware Tracker by abuse.ch. Tracking Ransomware Infrastructure around the globe. Source: How I fight ransomware (crypto viruses) with Mikrotik – MikroTik RouterOS
- Very simple solution for a traceroute to hide IP address – MikroTik RouterOS:
/ip firewall mangle add chain=prerouting action=change-ttl new-ttl=increment:1
- Using staged address list to perform Bruteforce login prevention – MikroTik Wiki
Very advanced stuff:
- VPN
- VPN with Android Mobile to MikroTik RouterOS version 6.13 – MikroTik RouterOS
- PPTP (not secure)
- OpenVPN
- IPSec
- Mikrotik as VPN client – MikroTik RouterOS
- VLAN
- DNS Conditional forwarders with Mikrotik RouterOS | Dale Macartney
- Pointing Mikrotik RouterOS hardware logging to a remote Syslog server | Dale Macartney
- trying to setup CRS226-24G-2S+IN, could use some help : mikrotik
- Video: VLANs using the switching chips do not take the bridge penalty when you can do switching
- Be careful with CRS226 and SFP+ link aggregation
- Vlans on Mikrotik environment – MikroTik Wiki
- Block traffic like WhatsApp.
- API Links – MikroTik RouterOS (in various languages, of which I’m most interested in C#, Delphi, Perl and Python).
- Routing from mikrotik two IP addresses to same gateway – Server Fault
- RouterOS – public subnet routed and NAT-ed to internal clients – MikroTik RouterOS
- Known issues and bugs – a list – MikroTik RouterOS
- Tutorials blogs and other helpful RouterOS resources – MikroTik RouterOS
- ethernet ports overrunning – default interface queue (only-hardware-queue) not working well – MikroTik RouterOS
- MAC-Ping is described in Manual:Tools/Ping – MikroTik Wiki but *only* works for MikroTik devices having MAC-Ping Server enabled.
- How to auto-reboot if remote IP down for 5 minutes – MikroTik RouterOS
- ping, traceroute, log files, torch, sniffer, bandwidth tester, profile: Manual:Troubleshooting tools – MikroTik Wiki
- majbthrd/miksms: controlling external devices with Mikrotik RouterOS
- Howto Recover Mikrotik ADMIN account Forgotten Password | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik script to change PUBLIC ip from available pool | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik Firewall / Short Notes + Scripts | Syed Jahanzaib Personal Blog to Share Knowledge !
- SIP Poblem with Mikrotik | Syed Jahanzaib Personal Blog to Share Knowledge !
- VPN/PPTP Static Routes Loose gateway when client reconnects | Syed Jahanzaib Personal Blog to Share Knowledge !
Packet flow (maybe the toughest part to wrap your head around):
- Manual:Packet Flow – MikroTik Wiki (with diagrams of how packets flow on RouterOS 6.x and 3.x).
- Manual:Packet Flow v6 – MikroTik Wiki (with updated RouterOS 6.x diagram).
- New Packet flow diagram – Page 2 – MikroTik RouterOS (Visio / PDF version of an even newer diagram)
Scripts:
- Running scripts at certain intervals: Manual:System/Scheduler – MikroTik Wiki
- Sending Email on Router Reboot with Logs and LASTSEEN time ! | Syed Jahanzaib Personal Blog to Share Knowledge ! [WayBack]
- Useful scripts – MikroTik RouterOS like save export to variable – MikroTik RouterOS
- Scripts – MikroTik Wiki
- Manual:Scripting – MikroTik Wiki
- The Report Script
- Reboot Boards due to low Memory with notification – MikroTik Wiki
- Generate bogons firewall chain based on routing-marks – MikroTik Wiki
- Wake on Lan before connection to Remote Desktop – MikroTik Wiki
- Use Mikrotik as Fail2ban firewall – MikroTik Wiki
- Useful Bash Scripts – MikroTik Wiki
- Routing via a DHCP allocated gateway – MikroTik Wiki
- Backup graphing data – MikroTik Wiki
- Calculate with decimal numbers – MikroTik Wiki
- Use host names in firewall rules – MikroTik Wiki
- Sending your self an e-mail with DSL interface IP address – MikroTik Wiki
- Mikrotik Related | Syed Jahanzaib Personal Blog to Share Knowledge !
- Automated RouterOS Backup to FTP – Harry’s TechBlog
- Filter traffic from and to Tor IP addresses automatically with Mikrotik RouterOS | Robert Penz Blog
- Block Ransomware botnet C&C traffic with a Mikrotik router | Robert Penz Blog
Load balancing:
- Band-width based load balancing – presentation by Tomas Kirnak
- PCC based: mikrotik howto combine multiple wan links | Syed Jahanzaib Personal Blog to Share Knowledge ! based on Manual:PCC – MikroTik Wiki
- Mikrotik DUAL WAN Load Balancing using PCC method. Complete Script ! by zaiB | Syed Jahanzaib Personal Blog to Share Knowledge !
- Monitoring multiple WAN links in PCC using BLACK-HOLE route approach ! | Syed Jahanzaib Personal Blog to Share Knowledge !
- Multiple IF statement matching with Mikrotik Script | Syed Jahanzaib Personal Blog to Share Knowledge !
- Routing & Natting with Failover ! Brothers in Arms | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik: Using Firewall Filters to Acquire Wan Data Usage via Email | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik with Multiple WAN IP’s and Port Forwarding / HAIRPIN NAT | Syed Jahanzaib Personal Blog to Share Knowledge !
- Playing with the Mikrotik’s PCC | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik WAN monitoring script with multiple host check | Syed Jahanzaib Personal Blog to Share Knowledge !
- Tiktube – MUM PL 2010: Load balancing
- https://aacable.wordpress.com/category/mikrotik-related/feed/
Syntax highlighting:
- Syntax highlighting and completions for Sublime Text – MikroTik RouterOS
- external editor syntax highlighting – MikroTik RouterOS (Notepad++, Textpad, VIM, EditPlus – look for the word Download and the .zip, .rar and .gz extensions)
- Atom: language-routeros-script and ofstudio/atom-language-routeros-script: MikroTik RouterOS script language support in Atom
- TextMate2: tiktuk / RouterOS.tmbundle — Bitbucket
- GEdit: webpagetech/gedit-routeros: Mikrotik RouterOS code syntax highlighting for .rsc Files
- Notepad++: jtroybailey/RouterOS-Notepad—Syntax-Highlighting: Syntax highlighting for routeros exports in notepad++
Very well written blog:
Manito Network’s Mikrotik solutions blog. In-depth articles on Mikrotik routing, security, best practices, VPN, and more.
Source: Mikrotik — Manito Networks
Solutions for RouterOS-based Mikrotik networks. Includes security and best practices, VPN, routing, switching, and more.
Source: Mikrotik-1 — Manito Networks
- 20160303 – Wireless optimization on SOHO Mikrotik routers: SOHO Wireless Optimization — Manito Networks [WayBack]
- 20160304 – Port forwarding using NAT on Mikrotik routers: NAT Port Forwarding — Manito Networks [WayBack]
- 20160304 – Filtering P2P (peer-to-peer) connections using Mikrotik routers: P2P Filtering — Manito Networks [WayBack]
- 20160304 – Setting up GRE tunnels between Mikrotik routers: GRE Tunnel — Manito Networks [WayBack]
- 20160305 – VLAN trunking on Mikrotik routers. Configuring router-on-a-stick and routing between VLANs: VLAN Trunking — Manito Networks [WayBack]
- 20160305 – Setting up site-to-site IPSEC tunnels using Mikrotik routers: IPSEC Tunnels — Manito Networks [WayBack]
- 20160305 – Setting up a GRE over IPSEC VPN tunnel architectures using Mikrotik routers: GRE over IPSEC Tunnels — Manito Networks [WayBack]
- 20160309 – Setting up site-to-site PPTP tunnels using Mikrotik routers: Site to Site PPTP — Manito Networks [WayBack]
- 20160309 – Setting up site-to-site EoIP tunnels using Mikrotik routers: EoIP Tunnel — Manito Networks [WayBack]
- 20160309 – Using UPnP to forward ports for XBox and Playstation consoles on Mikrotik routers: XBox and Playstation UPnP — Manito Networks [WayBack]
- 20160309 – Configuring Syslog logging on Mikrotik devices using The Dude: Syslog Logging — Manito Networks [WayBack]
- 20160309 – Throttling download speeds on Mikrotik routers, using PCQ Queues: Throttling Download Speeds — Manito Networks [WayBack]
- 20160414 – Configuring NTP on Mikrotik routers, so devices will synchronize their clocks to a reliable external time source. This tutorial uses the pool.ntp.org project to synchronize clocks on Mikrotik routers. Source: Mikrotik NTP Synchronization — Manito Networks [WayBack]
- 20160522 – Configuring the Master Port on Mikrotik devices, to switch multiple ports together. Source: Master Port Configuration — Manito Networks [WayBack]
- 20160522 – Configuring VRRP on Mikrotik routers for robust failover. Source: Mikrotik VRRP — Manito Networks [WayBack]
- 20160522 – Configuring FastTrack firewall rules on Mikrotik routers. Source: Mikrotik FastTrack Firewall Rules — Manito Networks [WayBack]
- 20160524 – Configuring VPLS tunnels using MPLS on Mikrotik routers. Source: Mikrotik MPLS with VPLS — Manito Networks [WayBack]
- 20160524 – Hardening steps for Mikrotik routers, implementing security best practices and robust firewalling. This includes some best practices for securing Mikrotik routers for PCI and HIPAA compliance. Source: Mikrotik Router Hardening — Manito Networks [WayBack]
- 20160527 – Enabling Client Isolation on Mikrotik Access Points. Source: Mikrotik Wireless Client Isolation — Manito Networks [WayBack]
- 20160527 – Mikrotik firewall fundamentals and best practices. Including RouterOS firewall chains, actions, rules, and tips on optimizing your firewall. Source: Mikrotik Firewall — Manito Networks [WayBack]
- 20160816 – Firewalling zones using interface lists on Mikrotik routers. Source: Firewalling Zones with Interface Lists — Manito Networks [WayBack]
–jeroen