Archive for the ‘Network-and-equipment’ Category
Posted by jpluimers on 2017/10/19

minimum schedule and script policies: read/write/policy/test
A year later, Mikrotik still needs to update their documentation, so here is a summary of my question at [WayBack] [Mikrotik follow-up needed] Router OS 6.37.1 – scheduled script cannot execute script – MikroTik RouterOS.
TL;DR:
- use the same policies for scripts and schedules
- use these policies as a minimum for scripts and schedules: read, write, policy, test
Forum post:
I found out two things:
- the testFunctionScript needs at least these policies to call a function: read, write, policy, test
- a schedule needs at least the same permissions as a script in order to run the script at all
This is how the various permissions affect the testFunctionScript script:
- no policies only allow :log info "testFunctionScript";
- read allows the above and :local testFunctionJobs [/system script job print as-value detail]; which is then logged with :log info "testFunctionJobs=$testFunctionJobs";
- only write seems equivalent to no policies as it will only allow :log info "testFunctionScript";
- read and write is equivalent to read
- a lone policy or test policy (talk about confusion!) does not add functionality, so any combination of just policy or test with read and/or write gets the same functionality as above
- policy and test without any other seem equivalent to no policies as they result in only :log info "testFunctionScript"; to execute
- the combined policies read, write, policy, test allow full script functionality including the function call and using the function call result
The above findings show that more logging is needed: the scheduler should log when (and why!) it does not have enough permissions to run a script. Right now you’re in the dark on when (and why!) a script isn’t run by the scheduler.
The above findings show that these parts of the documentation need updating:
– http://wiki.mikrotik.com/wiki/Manual:Sc … repository (update with info about the above policy combinations)
– http://wiki.mikrotik.com/wiki/Manual:Ro … Properties (update with info about the above policy combinations)
– http://wiki.mikrotik.com/wiki/Manual:System/Scheduler (does not document anything about policies at all)
The various scripts (apply the mix of policies that you need):
## logon as user jeroenp
/system script environment remove [ /system script environment find where name="testFunction" ];
:global testFunction do={
:local result [/system resource get uptime];
:return $result;
}
/system script environment print detail where name=testFunction
# 0 name="testFunction" value=";(eval /system scheduler (eval /localname=$result;value=(eval (eval /system resource getvalue-name=uptime))) (eval /returnvalue=$result))"
:log info "direct execution of testFunction"
{
:global testFunction;
:local testFunctionType [:typeof testFunction];
:local testFunctionResult [$testFunction];
:log info "testFunctionScript";
:log info "testFunctionType=$testFunctionType";
:log info "testFunctionResult=$testFunctionResult";
:log info "testFunction=$testFunction";
}
/log print where buffer=memory && (message~"testFunction" || topics~"info")
/system script remove [ /system script find where name="testFunctionScript" ];
/system script add name=testFunctionScript owner=jeroenp policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global testFunction;\r\
\n:log info \"testFunctionScript\";\r\
\n:local testFunctionType [:typeof testFunction];\r\
\n:local testFunctionResult [\$testFunction];\r\
\n:log info \"testFunctionType=\$testFunctionType\";\r\
\n:log info \"testFunctionResult=\$testFunctionResult\";\r\
\n:log info \"testFunction=\$testFunction\";\r\
\n"
:log info "execution of testFunction via testFunctionScript"
/system script run testFunctionScript
/log print where buffer=memory && (message~"testFunction" || topics~"info")
/system scheduler remove [ /system scheduler find where name="testFunctionScriptSchedule" ];
/system scheduler add interval=10s name=testFunctionScriptSchedule on-event=testFunctionScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/22/2015 start-time=12:02:37
:log info "execution of testFunction via testFunctionScriptSchedule calling testFunctionScript"
:delay 20s
/system scheduler disable testFunctionScriptSchedule
/log print where buffer=memory && (message~"testFunction" || topics~"info")
/system scheduler print detail where name="testFunctionScriptSchedule"
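Added example, not from the original post or from MikroTik: the same test script and scheduler created with only the four policies the experiment found necessary, followed by a check that walks every scheduler and logs each policy its script has but the scheduler lacks (the case the post says fails silently). It assumes the global testFunction from the script above is already defined, that on-event holds a bare script name, and that get ... policy returns an array of policy names (how RouterOS 6.x reports it). Keep in mind that policy is the permission to manage users and their policies, so even this minimum set is not harmless in a scheduled script.

```routeros
## Added example, not the post's own code: minimum-policy script and scheduler.
## Assumes :global testFunction is already defined (see the scripts above).
/system script remove [ /system script find where name="testFunctionScript" ];
/system script add name=testFunctionScript policy=read,write,policy,test source=":global testFunction; :local r [\$testFunction]; :log info \"testFunctionResult=\$r\""
/system scheduler remove [ /system scheduler find where name="testFunctionScriptSchedule" ];
/system scheduler add name=testFunctionScriptSchedule interval=10s on-event=testFunctionScript policy=read,write,policy,test

## Check: for every scheduler that runs a script by name, log each policy the
## script has but the scheduler lacks (the scheduler would then run with less
## than the script needs, without any error in the log).
## Assumption: "get ... policy" returns an array of policy names, so :find
## returns nil when a name is missing from it.
:foreach s in=[/system scheduler find] do={
  :local schedName [/system scheduler get $s name]
  :local event [/system scheduler get $s on-event]
  :local schedPolicy [/system scheduler get $s policy]
  :local scriptIds [/system script find where name=$event]
  :if ([:len $scriptIds] = 1) do={
    :local scriptPolicy [/system script get ($scriptIds->0) policy]
    :foreach p in=$scriptPolicy do={
      :if ([:typeof [:find $schedPolicy $p]] = "nil") do={
        :log warning ("scheduler $schedName lacks policy $p that script $event has")
      }
    }
  }
}
/log print where buffer=memory && topics~"warning" && message~"lacks policy"
```

Run the check once after changing any scheduler or script policy; with the two objects above it logs nothing, and if you drop, say, test from the scheduler it logs one warning naming that policy.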
–jeroen
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2017/10/09
After reading [WayBack] Script job killer – MikroTik RouterOS I put lines like these into a few of my frequently running scripts:
/system script environment get systemScriptJobCountTypeIsCommand
:global systemScriptJobCountTypeIsCommand
:local scriptsOfTypeCommandCount [$systemScriptJobCountTypeIsCommand];
:if ($scriptsOfTypeCommandCount > 4) do={
$outputError value=("$scriptName; too many running commands ($scriptsOfTypeCommandCount); bailing out early");
:return -1;
}
They in turn use this underlying function:
:local scriptName "Function.systemScriptJobCountTypeIsCommand.rsc"
/system script environment remove [ find where name="systemScriptJobCountTypeIsCommand" ];
:global systemScriptJobCountTypeIsCommand do={
:local result [:len [/system script job find where type=command]];
# :put "result=$result"
:return $result;
}
## Example:
## /import scripts/Function.systemScriptJobCountTypeIsCommand.rsc
## :put [$systemScriptJobCountTypeIsCommand];
–jeroen
Posted in Internet, MikroTik, Power User, routers | Leave a Comment »
Posted by jpluimers on 2017/09/29
I have some Fritz!Box devices at various locations that each provide VoIP access and either ISDN or PSTN lines.
Wouldn’t it be cool to be able to join them together into a virtual PBX?
I’m not sure how it’s possible and what you need for it, so here are some links that should make my future research on this easier:
–jeroen
Posted in Fritz!, Gigaset, Internet, ISDN, LifeHacker, Power User, PSTN, Telephony, VoIP | Leave a Comment »
Posted by jpluimers on 2017/09/27
How I use Linux to write software for multiple target platforms – Kris Kamil Jacewicz – Google+
WINE has come a long way. Many things do not have a native look and feel, but neither do many Delphi FMX or Lazarus LCL applications.
In fact I use quite a few tools (including Mikrotik WinBox) through Wine on Mac OS and they run a lot more stably than quite a few of the FMX applications I’ve tried and ditched.
So for business applications not requiring a platform-specific look and feel, this is indeed quite an acceptable direction to follow.
More at [Wayback/Archive] How I use Linux to write software for multiple target platforms.
--jeroen
Posted in Apple, Apple Silicon, ARM Mac, Delphi, Development, Hardware, Mac, Mac OS X / OS X / MacOS, MacBook, MikroTik, Network-and-equipment, Power User, routers, Software Development, WinBox | 2 Comments »
Posted by jpluimers on 2017/09/27
When logging on a Mikrotik is high-volume, you need either:
- separate logging actions (they end up in logging buffers, each having the same name as the action) plus logging rules for the specific information that you want to retain
- logging to file instead of memory
Since my devices have plenty of memory, I made a separate accountAction with a rule sending the topic account to accountAction, which I can then query with either of these:
/log print detail where message~"logged"
/log print detail where message~"logged" && buffer=accountAction
Here is the /system logging export condensed result:
/system logging action add name=accountAction target=memory
/system logging add action=accountAction topics=account
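Added example, not from the original post: the other alternative the post mentions (a file on disk instead of a memory buffer) for the same account topic, so logon records survive a reboot, plus a copy to a remote syslog collector so the router cannot quietly lose its own logon history; the collector address, file name and sizes are assumptions to adapt.

```routeros
## Added example, not the post's own configuration.
## Account topic to a disk file (assumed name and sizes) instead of memory.
/system logging action add name=accountDisk target=disk disk-file-name=account disk-lines-per-file=2000 disk-file-count=10
/system logging add action=accountDisk topics=account
## The same events to a remote syslog collector; 192.0.2.10 is an assumed address.
/system logging action add name=accountRemote target=remote remote=192.0.2.10 remote-port=514 bsd-syslog=yes syslog-facility=auth
/system logging add action=accountRemote topics=account
## Disk targets write files, not buffers, so check for them here rather than with /log print:
/file print where name~"^account"
```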
–jeroen
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2017/09/21
Interesting piece: Don’t Use Regular Expressions To Parse IP Addresses! [WayBack]
TL;DR:
When neither of those is available, then for quad-dotted decimal IPv4 addresses (ignoring, for instance, octal and grouped quads) this regex from regex – Regular expression to match DNS hostname or IP Address? – Stack Overflow [WayBack] is suitable:
ValidIpAddressRegex = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$";
Which explained looks like this:
https://regex101.com/r/Wyr2Zd/1
Regular expression:
/ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ / g
Explanation (all matching is case sensitive):
- ^ asserts position at start of the string
- 1st capturing group (([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}
  - {3} quantifier: matches exactly 3 times
  - A repeated capturing group will only capture the last iteration. Put a capturing group around the repeated group to capture all iterations or use a non-capturing group instead if you’re not interested in the data
  - 2nd capturing group ([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]), one of five alternatives:
    - 1st alternative [0-9]: a single character in the range between 0 (ASCII 48) and 9 (ASCII 57)
    - 2nd alternative [1-9][0-9]: a single character in the range between 1 (ASCII 49) and 9 (ASCII 57), followed by a single character in the range between 0 (ASCII 48) and 9 (ASCII 57)
    - 3rd alternative 1[0-9]{2}: the character 1 literally, followed by exactly 2 characters in the range between 0 (ASCII 48) and 9 (ASCII 57)
    - 4th alternative 2[0-4][0-9]: the character 2 literally, followed by a single character in the range between 0 (ASCII 48) and 4 (ASCII 52), followed by a single character in the range between 0 (ASCII 48) and 9 (ASCII 57)
    - 5th alternative 25[0-5]: the characters 25 literally, followed by a single character in the range between 0 (ASCII 48) and 5 (ASCII 53)
  - \. matches the character . literally
- 3rd capturing group ([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]): the same five alternatives as the 2nd capturing group
- $ asserts position at the end of the string, or before the line terminator right at the end of the string (if any)
- Global pattern flags: g modifier: global. All matches (don’t return after first match)
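Added example (not from the post or the linked article): the regex quoted above compared, in Python, with the standard library parser and with what a C consumer built on inet_aton() actually accepts. It shows the two gaps a practitioner cares about: $ alone also accepts a trailing newline unless you anchor with fullmatch, and the octal, hex and grouped forms the post explicitly ignores are still resolved by inet_aton, so an allow-list check that only uses the regex can disagree with the code that later connects. The sample inputs are constructed; inet_aton behaviour is that of glibc and BSD libc.

```python
import ipaddress
import re
import socket
from typing import List, Optional

# The regex from the post, reproduced here: four decimal octets 0..255 separated
# by dots, no leading zeros.
VALID_IPV4_PATTERN = (
    r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
)
VALID_IPV4_REGEX = re.compile(VALID_IPV4_PATTERN)


def regex_accepts(text: str) -> bool:
    """Whole-string match; fullmatch refuses the trailing newline that '$' tolerates."""
    return VALID_IPV4_REGEX.fullmatch(text) is not None


def regex_match_accepts(text: str) -> bool:
    """The naive form most people write; kept to show the trailing-newline gap:
    in Python, '$' also matches just before a final '\\n'."""
    return VALID_IPV4_REGEX.match(text) is not None


def library_accepts(text: str) -> bool:
    """Strict parse with the standard library; agrees with the regex on dotted quads."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def consumer_canonical(text: str) -> Optional[str]:
    """What a C consumer built on inet_aton() makes of the text, or None if it rejects it.
    inet_aton accepts octal ("017"), hex ("0x7f") and fewer than four parts
    ("127.1", "2130706433"): exactly the forms the post says the regex ignores."""
    try:
        packed = socket.inet_aton(text)
    except OSError:
        return None
    return socket.inet_ntoa(packed)


def allowlist_gap(candidates: List[str]) -> List[str]:
    """Inputs the regex rejects while the consumer still resolves them: the inputs a
    filter must canonicalise (e.g. via inet_aton/inet_ntoa) before comparing."""
    return [c for c in candidates if not regex_accepts(c) and consumer_canonical(c) is not None]


# Constructed sample inputs, not data from the post.
SAMPLES = ["127.0.0.1", "256.1.1.1", "1.2.3", "127.1", "0x7f.0.0.1", "017.0.0.1", "2130706433", "1.2.3.4\n"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), regex_accepts(s), library_accepts(s), consumer_canonical(s))
    print("gap:", allowlist_gap(SAMPLES))
```

The practical rule this demonstrates: validate with the regex if you must, but compare and log the canonical form the consumer will use, never the raw text.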
–jeroen
Posted in *nix, Communications Development, Development, Internet protocol suite, Network-and-equipment, Power User, Software Development, TCP | Leave a Comment »
Posted by jpluimers on 2017/09/21
Reminder to self as it would be useful to have these Mikrotik functions in the new function syntax:
–jeroen
Posted in Internet, MikroTik, Power User, routers | Leave a Comment »
Posted by jpluimers on 2017/09/08
Some blacklist filters you can use on Mikrotik RouterOS devices:
You might consider using these instead of action=drop:
–jeroen
Read the rest of this entry »
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | 2 Comments »
Posted by jpluimers on 2017/09/01
For debugging purposes:
/log print where buffer=memory && (message~"l2tp" || message~"L2TP")
This will result in output like this:
13:43:59 l2tp,info first L2TP UDP packet received from 93.184.216.34
13:43:59 l2tp,ppp,info,account l2tp-jeroenp logged in, 192.168.73.239
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: authenticated
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: connected
Some links for when you cannot get connections to work:
Before digging deeper, check the output of settings like these:
/system logging add topics=ipsec
/ip ipsec policy group print
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec proposal print
/ip ipsec installed-sa print
It will give you output like this (note that Mac OS X 10.9.5 won’t connect with the Camellia encryption algorithms and does not do better hashing than sha1). Be aware that peer print shows the pre-shared secret and installed-sa print shows the live auth-key and enc-key of each SA, so redact those before sharing such output:
> /ip ipsec policy group print
Flags: * - default
# NAME
0 * default
1 pfs-modp1024
> /ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="someLoooooooongPasssssword" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
> /ip ipsec remote-peers print
0 local-address=37.153.243.243 port=4500 remote-address=93.184.216.34 port=15390 state=established side=responder established=22m16s
> /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024
> /ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x965F243 src-address=93.184.216.34:15390 dst-address=37.153.243.243:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="7f15b06179d0365cd8b7d8f046201703b2ba93f1" enc-key="ffc56f51397f60002d4bc3d7b95f14ede7eaa542" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=24928 replay=128
1 E spi=0xE0A95C3 src-address=37.153.243.243:4500 dst-address=93.184.216.34:15390 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="bd936b323131dea53d26791829640471c03154bc" enc-key="cb1a3e3b21d033c39390aa48b7efe64e835fc404" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=3120 replay=128
In order to switch away from default as Policy Template Group, you will have to:
- add a new IPSec policy group (in /ip ipsec policy group)
- add a new IPSec proposal (in /ip ipsec proposal); I name it after the PFS group it uses, which is a naming convention only, as the proposal name and its pfs-group are separate settings
- add a new IPSec policy template (in /ip ipsec policy) with (under General) the same group name as the policy group *and* (under Action) the same proposal name as the proposal
- point the peer’s policy-template-group (in /ip ipsec peer) at the new group, otherwise it keeps generating policies from default
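The procedure above carried out end to end, as an added example that is not the post’s own configuration: a second template group with a stronger proposal (modp2048, sha256, aes-256-cbc) next to the default one, and the L2TP peer from the output above switched to it. Group, proposal and policy names and the algorithm choices are assumptions; verify that your clients support them first (the post notes Mac OS X 10.9.5 does not do better than sha1), and note that from RouterOS 6.44 onwards the phase-1 settings shown on the peer (hash-algorithm, enc-algorithm, dh-group) live in /ip ipsec profile instead.

```routeros
## Added example, not the post's own configuration (RouterOS 6.3x syntax).
## 1. the policy template group
/ip ipsec policy group add name=pfs-modp2048
## 2. the proposal, named after its PFS group by convention only
/ip ipsec proposal add name=pfs-modp2048 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m
## 3. the policy template tying group and proposal together
/ip ipsec policy add template=yes group=pfs-modp2048 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=pfs-modp2048
## 4. the L2TP peer from the output above, now generating policies from the new
##    group, with phase-1 parameters that match the proposal's strength
/ip ipsec peer set [ find where exchange-mode=main-l2tp ] policy-template-group=pfs-modp2048 dh-group=modp2048 hash-algorithm=sha256 enc-algorithm=aes-256,aes-192,aes-128
## verify: the template, then a fresh client connection should show the new algorithms
/ip ipsec policy print where template=yes
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

If older clients still need the weak default group, keep the old peer and add a second peer on a distinct address or port for the strong group rather than downgrading the strong one; the installed-sa output tells you which proposal each client actually negotiated.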
Some links on hardening IPSEC with DH algorithms:
Miscellaneous links:
–jeroen
Posted in Internet, MikroTik, Power User, routers | Leave a Comment »