The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘MikroTik’ Category

Script job killer – MikroTik RouterOS

Posted by jpluimers on 2017/10/09

After reading Script job killer – MikroTik RouterOS [WayBack], I put lines like these into a few of my frequently running scripts:

# Look up the function in the script environment; it is defined by the function script below
/system script environment get systemScriptJobCountTypeIsCommand
:global systemScriptJobCountTypeIsCommand

# Count the script jobs of type "command" that are currently running
:local scriptsOfTypeCommandCount [$systemScriptJobCountTypeIsCommand];

# $scriptName and $outputError are defined elsewhere in the calling script (not shown here)
:if ($scriptsOfTypeCommandCount > 4) do={
  $outputError value=("$scriptName; too many running commands ($scriptsOfTypeCommandCount); bailing out early");
  :return -1;
}

They in turn use this underlying function:

# Name of this function script
:local scriptName "Function.systemScriptJobCountTypeIsCommand.rsc"
# Remove any previous definition so that re-importing this file replaces it cleanly
/system script environment remove [ find where name="systemScriptJobCountTypeIsCommand" ];

# Returns the number of script jobs of type "command" that are currently running
:global systemScriptJobCountTypeIsCommand do={
  :local result [:len [/system script job find where type=command]];
#  :put "result=$result"
  :return $result;
}

## Example:
## /import scripts/Function.systemScriptJobCountTypeIsCommand.rsc
## :put [$systemScriptJobCountTypeIsCommand];

–jeroen

Posted in Internet, MikroTik, Power User, routers

Mikrotik – viewing when users logged in/out (on/off) when logging is high-volume

Posted by jpluimers on 2017/09/27

When logging on a Mikrotik is high-volume, you need either:

  • separate logging actions (each ends up in a logging buffer with the same name as the action) combined with logging rules for the specific information you want to retain, or
  • logging to file instead of to memory

Since my devices have plenty of memory, I made a separate accountAction with a rule that sends the topic account to accountAction, which I can then query with either of these:

/log print detail where message~"logged"

/log print detail where message~"logged" && buffer=accountAction

Here is the condensed result of /system logging export:

/system logging action add name=accountAction target=memory
/system logging add action=accountAction topics=account
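As an added example (not from the original post), here are both options the post mentions side by side: the dedicated memory buffer with a larger line count, and a disk-backed buffer that survives a reboot, together with the queries that read them. The action names, line counts and file count are assumptions chosen for this example.

```routeros
# Added example, not from the original post. Names, line counts and file count are assumptions.

# Option 1: a dedicated memory buffer for the "account" topic, larger than the default buffer
/system logging action add name=accountAction target=memory memory-lines=5000
/system logging add action=accountAction topics=account

# Option 2: a dedicated disk-backed buffer that survives reboots, rotating over 10 files of 5000 lines
/system logging action add name=accountDisk target=disk disk-file-name=account disk-lines-per-file=5000 disk-file-count=10
/system logging add action=accountDisk topics=account

# Query only the dedicated memory buffer for login and logout events
/log print detail where buffer=accountAction && message~"logged"

# The disk buffer is not queried through /log; it is read from the files named after disk-file-name
/file print where name~"^account"
```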

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development

Mikrotik functions -> hopefully I can translate this to the new syntax

Posted by jpluimers on 2017/09/21

Reminder to self as it would be useful to have these Mikrotik functions in the new function syntax:

–jeroen

Posted in Internet, MikroTik, Power User, routers

Blacklist Filters on MikroTik RouterOS

Posted by jpluimers on 2017/09/08

Some blacklist filters you can use on Mikrotik RouterOS devices:

You might consider to use these instead of action=drop:

–jeroen


Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development

some notes on L2TP IPSEC on Mikrotik

Posted by jpluimers on 2017/09/01

For debugging purposes:

/log print where buffer=memory && (message~"l2tp" || message~"L2TP")

This produces output like this:

13:43:59 l2tp,info first L2TP UDP packet received from 93.184.216.34
13:43:59 l2tp,ppp,info,account l2tp-jeroenp logged in, 192.168.73.239
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: authenticated
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: connected

Some links for when you cannot get connections to work:

Before digging deeper, enable ipsec logging and check the output of commands like these:

/system logging add topics=ipsec

/ip ipsec policy group print
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec proposal print
/ip ipsec installed-sa print

They will give you output like the following (note that Mac OS X 10.9.5 will not connect when Camellia encryption algorithms are offered, and does not do better hashing than sha1):

> /ip ipsec policy group print
Flags: * - default
# NAME
0 * default
1 pfs-modp1024


> /ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="someLoooooooongPasssssword" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5


> /ip ipsec remote-peers print
0 local-address=37.153.243.243 port=4500 remote-address=93.184.216.34 port=15390 state=established side=responder established=22m16s

> /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024

> /ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x965F243 src-address=93.184.216.34:15390 dst-address=37.153.243.243:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="7f15b06179d0365cd8b7d8f046201703b2ba93f1" enc-key="ffc56f51397f60002d4bc3d7b95f14ede7eaa542" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=24928 replay=128

1 E spi=0xE0A95C3 src-address=37.153.243.243:4500 dst-address=93.184.216.34:15390 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="bd936b323131dea53d26791829640471c03154bc" enc-key="cb1a3e3b21d033c39390aa48b7efe64e835fc404" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=3120 replay=128

To switch away from default as the policy template group, you have to:

  1. add a new IPsec policy group (in /ip ipsec policy group)
  2. add a new IPsec proposal (in /ip ipsec proposal) with the same PFS group name as the policy group
  3. add a new IPsec policy (in /ip ipsec policy) with (under General) the same group name as the policy group *and* (under Action) the same proposal name as the proposal
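The three steps above as terminal commands, as an added example that is not part of the original post. The names (pfs-modp2048, l2tp-modp2048) and the choice of modp2048 are assumptions for this example; as the post notes, an old Mac OS X 10.9.5 client only negotiates sha1 and modp1024, so such clients need a group like the pfs-modp1024 one shown above instead.

```routeros
# Added example, not from the original post. Names and the modp2048 group are assumptions.

# 1. a new policy group, named after the PFS group it will carry
/ip ipsec policy group add name=pfs-modp2048

# 2. a new proposal whose pfs-group matches the name of the policy group
/ip ipsec proposal add name=l2tp-modp2048 auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=modp2048 lifetime=30m

# 3. a new template policy in that group (General: group) using that proposal (Action: proposal)
/ip ipsec policy add template=yes group=pfs-modp2048 proposal=l2tp-modp2048 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all

# Point the L2TP peer at the new group so its generated policies come from this template,
# and negotiate phase 1 with the matching DH group
/ip ipsec peer set [find exchange-mode=main-l2tp] policy-template-group=pfs-modp2048 dh-group=modp2048

# Verify: the template policy should be listed, and new connections should show modp2048-derived SAs
/ip ipsec policy print where group=pfs-modp2048
/ip ipsec installed-sa print
```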

Some links on hardening IPsec with the DH algorithm:

Miscellaneous links:

–jeroen

Posted in Internet, MikroTik, Power User, routers

Mikrotik date and time calculations

Posted by jpluimers on 2017/08/29

Some ideas for date and time calculation:

It should get better (and verifiable) implementations instead of these Julian (not Gregorian!) date conversions:

Notes:

–jeroen

Posted in Algorithms, Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development

exporting firewall config – MikroTik RouterOS

Posted by jpluimers on 2017/08/28

Example:

/ip firewall filter export file=ip-firewall-filter.rsc

This exports the filter part of the IP firewall into a file named ip-firewall-filter.rsc in the root of the user file space on the MikroTik router, which you can reach through the Files menu entry in WinBox or externally through FTP or SFTP (SSH File Transfer Protocol).

–jeroen

via: exporting firewall config – MikroTik RouterOS

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development

Manual:CRS examples – MikroTik Wiki

Posted by jpluimers on 2017/08/22

The Cloud Router Switches support three types of mirroring. Port based mirroring can be applied to any of the switch-chip ports, VLAN based mirroring works for all specified VLANs regardless of switch-chip ports, and MAC based mirroring copies traffic sent to or received from a specific device reachable from the port configured in the Unicast Forwarding Database.

Port Based Mirroring

The first configuration sets the ether5 port as the mirror0 analyzer port for both ingress and egress mirroring; mirrored traffic will be sent to this port. Port based ingress and egress mirroring is enabled on the ether6 port.

/interface ethernet switch
set ingress-mirror0=ether5 egress-mirror0=ether5

/interface ethernet switch port
set ether6 ingress-mirror-to=mirror0 egress-mirror-to=mirror0

Source: Manual:CRS examples – MikroTik Wiki [WayBack]

This allows you to torch traffic from a specific port even when that port is grouped under a master-port.

Via: Torch not working with CRS226-24G-2S+ – MikroTik RouterOS [WayBack]

But, when using Bridge, all ports share a single 1 Gbps link to the CPU, so your layer 2 performance will suffer horribly.

If you need to see all the traffic from a single port when using Master/slave port configuration, use port mirroring.

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development

MAC-Telnet: Open source MAC Telnet client and server for connecting to Microtik RouterOS routers and Posix machines via MAC address.

Posted by jpluimers on 2017/08/22

Found out about this a while ago:

MAC-Telnet – Open source MAC Telnet client and server for connecting to Microtik RouterOS routers and Posix machines via MAC address.

Source: haakonnessjoen/MAC-Telnet: Open source MAC Telnet client and server for connecting to Microtik RouterOS routers and Posix machines via MAC address. [Fork]

Background:

Earlier, I wrote about a Wireshark plugin for dissecting Mac-Telnet packets. Now I have created an open source application for connecting to a RouterOS router.

Source: RouterOS Mac-Telnet application for Linux users | Håkon Nessjøen [WayBack]

My previous post was about RouterOS Mac-Telnet application for Linux users where I talked about the MAC-Telnet client I created for Linux users.

Source: MAC-address based Telnet server in Linux | Håkon Nessjøen [WayBack]

–jeroen

Posted in C, Development, Internet, MikroTik, Power User, routers, Software Development

Mikrotik UDP port 5678 usage is for MikroTik Neighbor Discovery Protocol (MNDP)

Posted by jpluimers on 2017/08/14

Just in case you see UDP port 5678 in the firewall log of your MikroTik device: it is the MikroTik Neighbor Discovery Protocol (MNDP) [WayBack].

You can either block Neighbour Discovery [WayBack] in the firewall or turn it off under the MikroTik Services [WayBack]; the table below lists that port alongside the other protocols and ports a MikroTik device may use, so you can recognise them in the same way:

Proto/Port (port/transport, or /IP-protocol number)   Description
20/tcp              FTP data connection
21/tcp              FTP control connection
22/tcp              Secure Shell (SSH) remote login protocol
23/tcp              Telnet protocol
53/tcp, 53/udp      DNS
67/udp              Bootstrap protocol or DHCP server
68/udp              Bootstrap protocol or DHCP client
80/tcp              World Wide Web HTTP
123/udp             Network Time Protocol (NTP)
161/udp             Simple Network Management Protocol (SNMP)
179/tcp             Border Gateway Protocol (BGP)
443/tcp             Secure Socket Layer (SSL) encrypted HTTP
500/udp             Internet Key Exchange (IKE) protocol
520/udp, 521/udp    RIP routing protocol
646/tcp             LDP transport session
646/udp             LDP hello protocol
1080/tcp            SOCKS proxy protocol
1698/udp, 1699/udp  RSVP TE tunnels
1701/udp            Layer 2 Tunnel Protocol (L2TP)
1723/tcp            Point-To-Point Tunneling Protocol (PPTP)
1900/udp, 2828/tcp  Universal Plug and Play (UPnP)
1966/udp            MME originator message traffic
1966/tcp            MME gateway protocol
2000/tcp            Bandwidth test server
5246/udp, 5247/udp  CAPsMAN
5678/udp            MikroTik Neighbor Discovery Protocol (MNDP)
6343/tcp            Default OpenFlow port
8080/tcp            HTTP web proxy
8291/tcp            Winbox
8728/tcp            API
8729/tcp            API-SSL
20561/udp           MAC Winbox
/1                  ICMP
/2                  Multicast | IGMP
/4                  IPIP encapsulation
/41                 IPv6 (encapsulation)
/46                 RSVP TE tunnels
/47                 Generic Routing Encapsulation (GRE), used for PPTP and EoIP tunnels
/50                 Encapsulating Security Payload for IPv4 (ESP)
/51                 Authentication Header for IPv4 (AH)
/89                 OSPF routing protocol
/103                Multicast | PIM
/112                VRRP
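As an added example (not from the original post), both ways of containing MNDP that the post mentions: switching discovery off on the WAN port, and a firewall rule pair that logs and then drops MNDP arriving there, plus the commands to check the result. The interface name ether1 (as the WAN port) and the log prefix are assumptions for this example.

```routeros
# Added example, not from the original post. ether1 as the WAN port and the log prefix are assumptions.

# Option 1 (services): stop neighbor discovery on the WAN port.
# This per-interface form is the pre-6.41 syntax; newer RouterOS uses
# /ip neighbor discovery-settings with an interface list instead.
/ip neighbor discovery set ether1 discover=no

# Option 2 (firewall): log, then drop, MNDP (UDP 5678) arriving on the WAN port,
# placed at the top of the input chain so the generic input rules do not see it first
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=5678 action=log log-prefix="mndp-wan" place-before=0
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=5678 action=drop place-before=1

# Check what the router still discovers on the remaining interfaces,
# and what the WAN rule has caught so far
/ip neighbor print
/log print where message~"mndp-wan"
```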

–jeroen

Posted in Internet, MikroTik, Power User, routers