<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>MikroTik | vaheeD khoshnouD</title>
	<atom:link href="/category/mikrotik/feed/" rel="self" type="application/rss+xml" />
	<link>/</link>
	<description>linux, mikrotik, macosx</description>
	<lastBuildDate>Mon, 24 Aug 2015 06:38:51 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.7.2</generator>
	<item>
		<title>Tunnel between two mikroTik</title>
		<link>/tunnel-between-two-mikrotik/</link>
					<comments>/tunnel-between-two-mikrotik/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Mon, 24 Aug 2015 06:23:00 +0000</pubDate>
				<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=712</guid>

					<description><![CDATA[<p>You need two MikroTik routers for this example, and many, many clients :D In this case you need &#8230; 1) two MikroTik routers connected to the internet 2) just one interface 3) just an IP address for connecting to the internet and a default gateway 4) copy and paste :D Now start with MT-01: open a terminal and paste&#8230; #... </p>
<p><a class="small button secondary" href="/tunnel-between-two-mikrotik/">Continue Reading</a></p>
The post <a href="/tunnel-between-two-mikrotik/">Tunnel between two mikroTik</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-712"></span></p>
<p>You need two MikroTik routers for this example, and many, many clients :D</p>
<p>In this case you need &#8230;<br />
1) two MikroTik routers connected to the internet<br />
2) just one interface<br />
3) just an IP address for connecting to the internet and a default gateway<br />
4) copy and paste :D</p>
<p>Now start with MT-01</p>
<p>Open a terminal and paste&#8230;</p>
<p><code><br />
# aug/01/2015 12:00:00 by RouterOS 6.31<br />
# vaheeD MT-S<br />
#Please pay attention to all comments<br />
#Secure VPN Server with<br />
#OVPN SERVER ON PORT 10022 ** You can change this port to XXXXX<br />
#SSTP SERVER ON PORT 1025  ** You can change this port to XXXXX<br />
#WINBOX PORT 6600   ###   SSH PORT  2221<br />
#<br />
/certificate<br />
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign<br />
sign ca-template name=myCa<br />
/ip ipsec proposal<br />
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc<br />
/ip pool<br />
add name=pool ranges=192.168.88.100-192.168.88.200<br />
/ppp profile<br />
set 0 dns-server=8.8.8.8,4.2.2.1 local-address=192.168.88.1 remote-address=\<br />
    pool<br />
set 1 dns-server=8.8.8.8,4.2.2.1 local-address=192.168.88.1 \<br />
    remote-address=pool<br />
/interface ovpn-server server<br />
set enabled=yes \<br />
    port=10022<br />
/interface sstp-server server<br />
set enabled=yes port=1025<br />
/ip address<br />
###CHANGE PUBLIC_IP ADDRESS TO xxx.xxx.xxx.xxx<br />
#add address=PUBLIC_IP interface=ether1<br />
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0<br />
/ip dns<br />
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,4.2.2.1<br />
/ip firewall mangle<br />
/ip firewall nat<br />
add action=masquerade chain=srcnat<br />
###CHANGE PUBLIC_IP ADDRESS TO xxx.xxx.xxx.xxx<br />
#add action=src-nat chain=srcnat to-addresses=PUBLIC_IP<br />
###CHANGE DefaultGateway ADDRESS TO zzz.zzz.zzz.zzz<br />
#/ip route<br />
#add distance=1 gateway=DefaultGateway<br />
/ip service<br />
set telnet disabled=yes<br />
set ftp disabled=yes<br />
set www disabled=yes<br />
set ssh disabled=yes port=2221<br />
set winbox port=6600<br />
set api disabled=yes<br />
set api-ssl disabled=yes<br />
/ppp secret<br />
###CHANGE the ppp/ppp user name and password; MT-02 must use the same values<br />
add name=ppp password=ppp<br />
###EXPORT CA For Client ###OPTIONAL<br />
#/certificate export-certificate myCa<br />
#/certificate export-certificate client1 export-passphrase=xxxxxxxx<br />
#/certificate export-certificate client2 export-passphrase=xxxxxxxx<br />
###FINISH SCRIPT.<br />
</code></p>
<p>Now paste</p>
<p><code><br />
/interface ovpn-server server<br />
set certificate=myCa<br />
</code></p>
<p>
Move to MT-02</p>
<p>****<br />
Now change xxx.xxx.xxx.xxx to the public IP address of MT-01<br />
****</p>
<p>Open a terminal and paste&#8230;</p>
<p><code><br />
# aug/01/2015 12:00:00 by RouterOS 6.31<br />
# vaheeD MT-CS<br />
#Please pay attention to all comments<br />
#Secure VPN Server with<br />
#PPTP SERVER With PAP Configuration<br />
#L2TP SERVER With PresharedKEY : 123456789 ** Change this key (secret= under /ip ipsec peer)<br />
#WEB_PROXY SERVER ON PORT 9090<br />
#SOCKS_PROXY SERVER ON PORT 10520<br />
#WINBOX PORT 6600   ###   SSH PORT  2221<br />
#<br />
### CHANGE xxx.xxx.xxx.xxx TO IP MT-S<br />
:global vpnserverOUT xxx.xxx.xxx.xxx<br />
/interface ovpn-client<br />
add auth=md5 connect-to="$vpnserverOUT" name=\<br />
    ovpn-out1 password=ppp port=10022 user=ppp<br />
add auth=md5 cipher=aes192 connect-to="$vpnserverOUT" name=\<br />
    ovpn-out2 password=ppp port=10022 user=ppp<br />
add auth=md5 cipher=aes192 connect-to="$vpnserverOUT" name=\<br />
    ovpn-out3 password=ppp port=10022 user=ppp<br />
add auth=md5 cipher=aes128 connect-to="$vpnserverOUT" name=\<br />
  ovpn-out4 password=ppp port=10022 user=ppp<br />
add cipher=aes256 connect-to="$vpnserverOUT" name=\<br />
    ovpn-out5 password=ppp port=10022 user=ppp<br />
add auth=md5 connect-to="$vpnserverOUT" name=\<br />
    ovpn-out6 password=ppp port=10022 user=ppp<br />
add cipher=aes128 connect-to="$vpnserverOUT" name=\<br />
    ovpn-out7 password=ppp port=10022 user=ppp<br />
add auth=md5 cipher=aes128 connect-to="$vpnserverOUT" name=\<br />
    ovpn-out8 password=ppp port=10022 user=ppp<br />
/ip ipsec proposal<br />
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-256-cbc \<br />
    pfs-group=none<br />
/ip pool<br />
add name=vpn ranges=192.168.89.100-192.168.89.200<br />
/ppp profile<br />
add change-tcp-mss=yes dns-server=192.168.89.1,8.8.8.8 \<br />
    local-address=192.168.89.1 name=VPN remote-address=vpn<br />
/interface sstp-client<br />
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\<br />
    sstp-out1 password=ppp pfs=yes profile=default-encryption user=ppp<br />
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\<br />
    sstp-out2 password=ppp pfs=yes profile=default-encryption user=ppp<br />
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\<br />
    sstp-out3 password=ppp pfs=yes profile=default-encryption user=ppp<br />
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\<br />
    sstp-out4 password=ppp pfs=yes profile=default-encryption user=ppp<br />
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\<br />
    sstp-out5 password=ppp pfs=yes profile=default-encryption user=ppp<br />
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\<br />
    sstp-out6 password=ppp pfs=yes profile=default-encryption user=ppp<br />
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\<br />
    sstp-out7 password=ppp pfs=yes profile=default-encryption user=ppp<br />
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\<br />
    sstp-out8 password=ppp pfs=yes profile=default-encryption user=ppp<br />
/interface l2tp-server server<br />
set default-profile=VPN enabled=yes max-mru=1460 max-mtu=1460<br />
/interface pptp-server server<br />
set authentication=pap default-profile=VPN enabled=yes max-mru=1460 max-mtu=\<br />
    1460<br />
/ip address<br />
###CHANGE PUBLIC_IP ADDRESS TO xxx.xxx.xxx.xxx<br />
#add address=PUBLIC_IP interface=ether1<br />
add address=192.168.89.1/24 interface=ether1 network=192.168.89.0<br />
/ip dns<br />
set allow-remote-requests=yes cache-max-ttl=1h cache-size=8192KiB \<br />
    max-udp-packet-size=8192 servers=4.2.2.4,8.8.8.8<br />
/ip firewall address-list<br />
add address=192.168.0.0/16 list=local<br />
add address=172.16.0.0/12 list=local<br />
add address=10.0.0.0/8 list=local<br />
/ip firewall mangle<br />
add chain=prerouting comment=accept-internal-network dst-address-list=local<br />
add chain=output comment=accept-internal-network dst-address-list=local<br />
add action=mark-routing chain=prerouting new-routing-mark=VPN src-address=\<br />
    192.168.89.0/24<br />
add action=mark-routing chain=output dst-port=80 new-routing-mark=VPN \<br />
    protocol=tcp<br />
add action=mark-routing chain=output dst-port=443 new-routing-mark=VPN \<br />
    protocol=tcp<br />
add action=mark-routing chain=output dst-port=53 new-routing-mark=VPN \<br />
    protocol=udp<br />
/ip firewall nat<br />
add action=masquerade chain=srcnat<br />
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53<br />
/ip ipsec peer<br />
add address=0.0.0.0/0 enc-algorithm=3des exchange-mode=main-l2tp \<br />
    generate-policy=port-override local-address=0.0.0.0 secret=123456789<br />
/ip proxy<br />
set always-from-cache=yes anonymous=yes cache-administrator=noway! \<br />
    cache-on-disk=yes cache-path=disk1/web-proxy1 enabled=yes parent-proxy=\<br />
    0.0.0.0 port=9090 serialize-connections=yes<br />
/ip proxy direct<br />
add dst-address=192.168.0.0/16<br />
add dst-address=172.16.0.0/16<br />
add dst-address=10.10.0.0/16<br />
add dst-host=*.ir<br />
/ip route<br />
add comment=OUTPUT distance=1 gateway="ovpn-out1,ovpn-out2,ovpn-out3,ovpn-out4,\<br />
    ovpn-out5,ovpn-out6,ovpn-out7,ovpn-out8,sstp-out1,sstp-out2,sstp-out3,sstp\<br />
    -out4,sstp-out5,sstp-out6,sstp-out7,sstp-out8" routing-mark=VPN<br />
/ip service<br />
set telnet disabled=yes<br />
set ftp disabled=yes<br />
set www disabled=yes<br />
set ssh port=2221<br />
set api disabled=yes<br />
set winbox port=6600<br />
/ip socks<br />
set connection-idle-timeout=5m enabled=yes max-connections=500 port=10520<br />
/ppp secret<br />
###CHANGE the ppp/ppp user name and password used by clients connecting to this router<br />
add name=ppp password=ppp profile=VPN<br />
###FINISH SCRIPT<br />
</code></p>
<p>Clients connect to MT-02 using its public IP address.</p>
<p>Have a GOOD Day!</p>
The post <a href="/tunnel-between-two-mikrotik/">Tunnel between two mikroTik</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/tunnel-between-two-mikrotik/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mikrotik DUAL WAN Load Balancing using PCC</title>
		<link>/mikrotik-dual-wan-load-balancing-using-pcc/</link>
					<comments>/mikrotik-dual-wan-load-balancing-using-pcc/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Thu, 24 Jan 2013 17:17:25 +0000</pubDate>
				<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=621</guid>

					<description><![CDATA[<p>2 ports were connected to two different DSL routers, and the 3rd port was connected to the user LAN. Both DSL links are the same speed, i.e. 10Mb each. DSL MODEM IPs: DSL MODEM 1 = 192.168.1.1 DSL MODEM 2 = 192.168.2.1 If somehow you are not satisfied with the src-address approach, play with the PCC classifier, then try... </p>
<p><a class="small button secondary" href="/mikrotik-dual-wan-load-balancing-using-pcc/">Continue Reading</a></p>
The post <a href="/mikrotik-dual-wan-load-balancing-using-pcc/">Mikrotik DUAL WAN Load Balancing using PCC</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-621"></span></p>
<p><strong>2</strong> ports were connected to two different DSL routers,<br />
and the <strong>3rd</strong> port was connected to the user LAN.<br />
Both DSL links are the same speed, i.e. 10Mb each.</p>
<p><strong>DSL MODEM IPs</strong><br />
DSL MODEM 1 = 192.168.1.1<br />
DSL MODEM 2 = 192.168.2.1</p>
<p>If somehow you are not satisfied with the src-address approach, play with the PCC classifier and try <strong>both addresses and ports</strong> as the classifier. This will randomize things the most and, in theory, give you the fairest allocation of bandwidth, but there is also a good chance that it will break certain things like banking web sites and some forums. This is because an HTTP request will often generate several connections, so there is a chance that some requests may go out a different route than the initial one, and that will break secure web sites. For that reason I usually stick with <strong>src-address</strong> for <strong>PCC</strong> load balancing.</p>
<pre> 

/ip address
add address=192.168.0.1/24 network=192.168.0.0 \
broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 \
broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 \
broadcast=192.168.2.255 interface=WAN2

/ip dns set allow-remote-requests=yes cache-max-ttl=1w \
cache-size=5000KiB max-udp-packet-size=512 servers=4.2.2.4,8.8.8.8

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection \
new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection \
new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing \
new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing \
new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local \
per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection \
new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local \
per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection \
new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=Local \
action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local \
action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 \
check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 \
check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
</pre>
<h2>PCC WITH UN-EQUAL WAN LINKS</h2>
<p>If you have unequal WAN links, for example WAN1 is 4MB and WAN2 is 8 Mb, and you want to force MT to use the WAN2 link more than the other because of its capacity, then you have to add more PCC rules assigning the same two marks to a specific link, i.e. WAN2, something like</p>
<p>Code:</p>
<pre># Three classifier buckets (denominator 3): remainder 0 goes to WAN1,
# remainders 1 and 2 go to WAN2. With a denominator of 2 the remainder 2 never matches.
add chain=prerouting dst-address-type=!local in-interface=Local \
per-connection-classifier=both-addresses-and-ports:3/0 action=mark-connection \
new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local \
per-connection-classifier=both-addresses-and-ports:3/1 action=mark-connection \
new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local \
per-connection-classifier=both-addresses-and-ports:3/2 action=mark-connection \
new-connection-mark=WAN2_conn passthrough=yes</pre>
<h2>PCC WITH HOTSPOT (Reference)</h2>
<pre>
/ip firewall nat add action=accept chain=pre-hotspot \
disabled=no dst-address-type=!local hotspot=auth
</pre>
The post <a href="/mikrotik-dual-wan-load-balancing-using-pcc/">Mikrotik DUAL WAN Load Balancing using PCC</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/mikrotik-dual-wan-load-balancing-using-pcc/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>MikroTik Monitoring With Munin</title>
		<link>/mikrotik-monitoring-with-munin/</link>
					<comments>/mikrotik-monitoring-with-munin/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Mon, 21 Jan 2013 13:46:53 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=344</guid>

					<description><![CDATA[<p>Introduction Munin is a very powerful, feature rich monitoring server based on Tobias Oetiker&#8217;s RRDTool. The monitoring server runs every 5 minutes via cron and connects to various configured nodes. Each node runs a daemon listening for connections from the server, and executes a wide range of completely customisable scripts to return data to the munin server... </p>
<p><a class="small button secondary" href="/mikrotik-monitoring-with-munin/">Continue Reading</a></p>
The post <a href="/mikrotik-monitoring-with-munin/">MikroTik Monitoring With Munin</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-344"></span></p>
<h1>Introduction</h1>
<p>Munin is a very powerful, feature rich monitoring server based on Tobias Oetiker&#8217;s RRDTool. The monitoring server runs every 5 minutes via cron and connects to various configured nodes. Each node runs a daemon listening for connections from the server, and executes a wide range of completely customisable scripts to return data to the munin server to generate graphs from.</p>
<p>As the backend graphing engine is based on RRDTool, any feature available in RRDTool is also available as an option in Munin. The really nice thing about Munin and RRDTool is that negative numbers can be graphed.</p>
<p>In this article I will explain how to install Munin as well as Munin-Node on a single server, and how to get Munin to probe your Mikrotik devices via SNMP as well as Telnet (depending on the type of graph). I would strongly advise spending time reading the Munin and RRDTool documentation available at their web sites, so that you gain a clear understanding of how Munin operates and generates graphs.</p>
<h1>Munin Server Installation and Configuration</h1>
<p>Munin-Server is only available in Linux format. As I use Ubuntu and FreeBSD only, I will base this installation guide on an Ubuntu Linux server. Once the general packages have been installed, the configuration should however be pretty much the same for any Munin installation, regardless of the flavour of Linux preferred.</p>
<h2>Installing Munin</h2>
<p>In our case, we are going to run both munin as well as munin-node on the same machine. Until such time that (fingers crossed) we can get a munin-node integrated into Mikrotik, the node will be required to run on the same server as Munin itself for best results.</p>
<p>As such, and being on Ubuntu, we simply install the two packages, and make sure that we meet all the requirements in terms of dependencies. Additionally, for the Mikrotik scripts below to work, we also need to install the Net::SNMP and Net::Telnet::Cisco Perl packages.</p>
<pre>$ sudo apt-get install munin munin-node libnet-telnet-cisco-perl libnet-snmp-perl</pre>
<p>Now that we have all that we need installed (I am presuming you have Apache / tinyHTTP Web server already installed), it&#8217;s time to head off and do some basic configurations.</p>
<h2>Configuring the Master</h2>
<p>First things first, we need to edit the Master&#8217;s configuration file, by default <b>/etc/munin/munin.conf</b>. This is the file where you configure every munin-node that the master needs to poll. As we are using a simple model here, we are only going to be polling localhost, which is accessible via 127.0.0.1 (if it isn&#8217;t, you have bigger problems than monitoring ;-) ).</p>
<p>Your Munin configuration should thus look something similar to below (Paths may vary on different distributions):</p>
<pre>dbdir       /var/lib/munin/
htmldir     /var/www/munin/
logdir      /var/log/munin
rundir      /var/run/munin/

[localhost]
        address 127.0.0.1</pre>
<p><b>dbdir</b> will be the directory where munin stores its internal state files, as well as the RRD database files<br />
<b>htmldir</b> will be the directory where munin will create the appropriate html files as well as png images<br />
<b>logdir</b> keeps various log files of what munin is doing &#8211; useful when things don&#8217;t go as you intended<br />
<b>rundir</b> munin pid files, lock files, etc. Nothing fancy here really</p>
<p>Additionally, we have configured one active node which munin needs to poll. Munin will connect to 127.0.0.1 on 4949/TCP (the default port that munin-node runs on) and poll this node for any nodes and/or scripts configured to be graphed.</p>
<h2>Configuring the Node</h2>
<p>Whilst Munin-Node is pretty secure out of the box, there are some basic things we need to change. Even though the node authorizes only localhost to gather data from it, by default it listens on all IP addresses. As a security measure, we are going to alter the munin-node configuration file and ensure that we are only listening on localhost for connections from the Munin Server. As such, we need to open up <b>/etc/munin/munin-node.conf</b> in your favourite editor.</p>
<p>We need to alter the <b>Host</b> value in order to bind munin-node to the 127.0.0.1 address. Your config should now look like this:</p>
<pre>#host *
host 127.0.0.1</pre>
<p>This is about all that you need to do to get Munin working. As we have modified the configurations, we need to restart the munin-node service, in Ubuntu I issue:</p>
<pre>$ /etc/init.d/munin-node restart</pre>
<h2>Configuring Apache</h2>
<p>Apache needs access to Munin&#8217;s htmldir in order for you to see the pretty graphs and generated html in the browser of your choice. As such we need to configure some Alias and Directory settings in Apache&#8217;s configuration. This can be done either inside a Virtual Host of your choice, or in Apache&#8217;s main configuration. As an example, I have elected to configure a new Apache Virtual Host which will only serve up the munin pages. The Virtual Host&#8217;s configuration will be something similar to</p>
<pre>&lt;VirtualHost *:80&gt;
        ServerAdmin webmaster@localhost
        ServerName monitor.example.com
        DocumentRoot /var/www/munin
        &lt;Directory /&gt;
                Options FollowSymLinks
                AllowOverride None
        &lt;/Directory&gt;
        CustomLog /var/log/apache2/monitor.example.com.access.log combined
        ErrorLog /var/log/apache2/monitor.example.com.error.log
        ServerSignature On
&lt;/VirtualHost&gt;</pre>
<p>Verify that the syntax of the Apache configuration file is correct (apache2ctl -t), and then restart your Apache web server to enable the newly configured Virtual Host.</p>
<pre>$ sudo apache2ctl -t
Syntax OK
$ sudo apache2ctl graceful
$</pre>
<p>Open up your favourite web browser, browse to <a href="http://monitor.example.com/" rel="nofollow">http://monitor.example.com/</a>, and you should have pretty graphs for the server on which you are running munin.</p>
<h1>Munin Node for Mikrotik</h1>
<p>Configuring Munin to monitor a Mikrotik device is really a two-step process. In a conventional configuration where Munin-Node is available on the target being monitored, we normally would only need to configure Munin to monitor the node in question. However, due to the lack of Munin on Mikrotik, we need to <i>alias</i> the Mikrotik node to our configured Munin-Node server in order to execute scripts against our Mikrotik device. The downside of this is that all scripts will need to be executed twice, and as such scripts which use Telnet to obtain data will log in two times to each router that is being monitored.</p>
<h2>Configuring additional Nodes in Munin</h2>
<p>The first step in monitoring Mikrotik devices is to configure the nodes as aliases of our locally running Munin-Node. This is done by editing the Munin configuration file, by default located at <b>/etc/munin/munin.conf</b>. We edit this file using our favourite editor, and define the two new nodes as listed below.</p>
<p>The part in the brackets defines the node&#8217;s name, and for sanity purposes I recommend that the FQDN always be used to make your life a lot easier in the following sections. The address will always point to 127.0.0.1, as Munin needs to connect to the only <i>real</i> munin-node we have running on localhost.</p>
<pre>[node1.somewhere.com]
    address 127.0.0.1

[node2.somewhere.com]
    address 127.0.0.1</pre>
<h2>Monitoring CPU Usage</h2>
<p>Now that we have our Munin node configured, we need to configure the scripts inside Munin-Node to poll our Mikrotik devices. This is where things get complicated, and as an example I will configure a script to monitor and graph both our routers&#8217; CPU usage. The scripts are by default located in <b>/etc/munin/plugins/</b>. The naming of these scripts is very important, and attention needs to be given to the location as well as the names.</p>
<p>Our CPU Monitoring script utilises SNMP, therefore, make sure that SNMP is enabled on your routers, and that the Server running munin has access to query your router via SNMP. A simple test can be performed to ensure that this is the case:</p>
<pre>$ snmpget -v 1 -c public node1.somewhere.com .1.3.6.1.2.1.25.3.3.1.2.1
HOST-RESOURCES-MIB::hrProcessorLoad.1 = INTEGER: 5
$</pre>
<p>Congratulations, we have just obtained the CPU usage of our router via a simple SNMP query. Should this query not be successful, it means that Munin will be unable to query your router via SNMP, and you need to correct this before proceeding.</p>
<p>Now that we know SNMP queries are working like they should, we need to get a simple script operational to pull this data into Munin for monitoring&#8230; Copy the script below to query the nodes via SNMP for CPU usage, and save it in the <b>/etc/munin/plugins</b> directory having the specific file name of mikrotikcpu_node1.somewhere.com (where node1.somewhere.com is the same as the node name you configured earlier in <b>/etc/munin/munin.conf</b>). These names MUST be the same, otherwise, the scripts <b>WILL</b> fail.</p>
<p>Mikrotik CPU Usage via SNMP:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::SNMP;
use strict;
use warnings;
###############################################################################
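## hrProcessorLoad.1 from HOST-RESOURCES-MIB (same OID as the snmpget test)
my $CPUOID = ".1.3.6.1.2.1.25.3.3.1.2.1";
## SNMP v1 read community; change "public" to the community set on your routers
my $SNMPCommunity = "public";
my $SNMPPort = "161";

###############################################################################
## Determine Hostname from the plugin file name (mikrotikcpu_NODENAME)
my $Host = undef;
$0 =~ /mikrotikcpu_(.+)$/;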
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate SNMP Session
my ($Session, $Error) = Net::SNMP-&gt;session (-hostname  =&gt; $Host,
                                            -community =&gt; $SNMPCommunity,
                                            -port      =&gt; $SNMPPort,
                                            -timeout   =&gt; 60,
                                            -retries   =&gt; 5,
                                            -version   =&gt; 1);
if (!defined($Session)) {
  die "Croaking: $Error";
}

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  print "host_name " . $Host . "\n";
  print "graph_args -l 0 -r --vertical-label percent --lower-limit 0 --upper-limit 100\n";
  print "graph_title CPU usage\n";
  print "graph_category system\n";
  print "graph_info This graph shows the router's CPU usage.\n";
  print "graph_order Total\n";
  print "graph_vlabel %\n";
  print "graph_scale no\n";
  print "Total.label CPU Usage\n";
  print "Total.draw AREA\n";
  print "Total.warning 60\n";
  print "Total.critical 90\n";
  $Session-&gt;close;
  exit;
}

###############################################################################
## Execution
if (my $Result = $Session-&gt;get_request(-varbindlist =&gt; [$CPUOID])) {
  print "Total.value " . $Result-&gt;{$CPUOID} . "\n";
  $Session-&gt;close;
  exit;
}</pre>
<p>Next, we need to make sure that Munin can execute the file, and that the script is operating successfully</p>
<pre>$ chmod u+x /etc/munin/plugins/mikrotikcpu_node1.somewhere.com
$ chown munin:munin /etc/munin/plugins/mikrotikcpu_node1.somewhere.com
$ /etc/munin/plugins/mikrotikcpu_node1.somewhere.com config
host_name node1.somewhere.com
graph_args -l 0 -r --vertical-label percent --lower-limit 0 --upper-limit 100
graph_title CPU usage
graph_category system
graph_info This graph shows the router's CPU usage.
graph_order Total
graph_vlabel %
graph_scale no
Total.label CPU Usage
Total.draw AREA
Total.warning 60
Total.critical 90</pre>
<p>Our script seems to be working fine. <b>Very</b> important: when the script is executed with the config parameter, make 100% sure that the value of the host_name configuration variable is returned correctly, and that it is identical to the name of the node configured in <b>/etc/munin/munin.conf</b>.</p>
<p>The last step is to restart our munin-node, as we have made changes to it (we added more scripts). We simply execute the restart command:</p>
<pre>$ /etc/init.d/munin-node restart</pre>
<p>Now that we have restarted munin-node, we can also test the configuration and see what Munin will see when querying the nodes that we have configured. To do this, we telnet to munin-node, which listens on 127.0.0.1 port 4949 (if you didn&#8217;t change any configuration other than what is mentioned in this document), and obtain the graph data ourselves. We then send the &#8216;<b>nodes</b>&#8217; command, which gives us a list of the nodes running under the munin-node that we have configured.</p>
<pre>$ telnet localhost 4949
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
# munin node at localhost.somewhere.com
nodes
localhost
node1.somewhere.com
node2.somewhere.com
.</pre>
<p>It seems to be perfect. We have localhost, node1.somewhere.com, as well as node2.somewhere.com. Let&#8217;s see what plugins are available under each node. Again, we telnet into the munin-node daemon, but this time we execute two commands, &#8216;<b>list node1.somewhere.com</b>&#8217; and &#8216;<b>list node2.somewhere.com</b>&#8217;. This lists all the plugins currently configured for these two nodes.</p>
<pre>$ telnet 127.0.0.1 4949
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
# munin node at localhost.somewhere.com
list node1.somewhere.com
mikrotikcpu_node1.somewhere.com
list node2.somewhere.com
mikrotikcpu_node2.somewhere.com</pre>
<p>We can see that in both instances the mikrotikcpu_ script has been configured and is activated for both our MikroTik nodes. We can also attempt to fetch the data by executing a &#8216;<b>fetch mikrotikcpu_node1.somewhere.com</b>&#8217; command in munin-node, at which time munin-node will query the MikroTik router and return the data back through Munin.</p>
<p>If all went well, you should by now have two additional nodes listed in Munin&#8217;s web interface, and both should have graphs showing the CPU usage as a percentage between 0 and 100.</p>
<h1>Available Scripts</h1>
<p>From here on out, the installation of the scripts is pretty much the same, regardless of what you monitor or how. Each script that I have so far is covered in the remaining sections, including details on what is required, the naming of the scripts, limitations, and installation instructions. As mentioned previously, if there is any monitoring not covered that you would like to see, please let me know and I will see about writing scripts to do what is required.</p>
<h2>mikrotikcpu_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Quick &amp; Easy</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>SNMP</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Mikrotikcpu_.png"><img loading="lazy" alt="Mikrotikcpu .png" src="http://wiki.mikrotik.com/images/a/af/Mikrotikcpu_.png" width="495" height="264" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::SNMP;
use strict;
use warnings;
###############################################################################
my $CPUOID = ".1.3.6.1.2.1.25.3.3.1.2.1";
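## SNMPv1 sends the community string in clear text; set this to the read-only
## community configured on the router rather than relying on "public".
my $SNMPCommunity = "public";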
my $SNMPPort = "161";

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikcpu_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate SNMP Session
my ($Session, $Error) = Net::SNMP-&gt;session (-hostname  =&gt; $Host,
                                            -community =&gt; $SNMPCommunity,
                                            -port      =&gt; $SNMPPort,
                                            -timeout   =&gt; 60,
                                            -retries   =&gt; 5,
                                            -version   =&gt; 1);
if (!defined($Session)) {
  die "Croaking: $Error";
}

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  print "host_name " . $Host . "\n";
  print "graph_args -l 0 -r --vertical-label percent --lower-limit 0 --upper-limit 100\n";
  print "graph_title CPU usage\n";
  print "graph_category system\n";
  print "graph_info This graph shows the router's CPU usage.\n";
  print "graph_order Total\n";
  print "graph_vlabel %\n";
  print "graph_scale no\n";
  print "Total.label CPU Usage\n";
  print "Total.draw AREA\n";
  print "Total.warning 60\n";
  print "Total.critical 90\n";
  $Session-&gt;close;
  exit;
}

###############################################################################
## Execution
if (my $Result = $Session-&gt;get_request(-varbindlist =&gt; [$CPUOID])) {
  print "Total.value " . $Result-&gt;{$CPUOID} . "\n";
  $Session-&gt;close;
  exit;
}</pre>
<h2>mikrotikdiskspace_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Quick &amp; Easy</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>SNMP</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Mikrotikdiskspace_.png"><img loading="lazy" alt="Mikrotikdiskspace .png" src="http://wiki.mikrotik.com/images/f/f0/Mikrotikdiskspace_.png" width="495" height="276" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::SNMP;
use strict;
use warnings;
###############################################################################
my $DiskTotalOID = ".1.3.6.1.2.1.25.2.3.1.5.1";
my $DiskUsedOID = ".1.3.6.1.2.1.25.2.3.1.6.1";
my $SNMPCommunity = "public";
my $SNMPPort = "161";

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikdiskspace_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate SNMP Session
my ($Session, $Error) = Net::SNMP-&gt;session (-hostname  =&gt; $Host,
                                            -community =&gt; $SNMPCommunity,
                                            -port      =&gt; $SNMPPort,
                                            -timeout   =&gt; 60,
                                            -retries   =&gt; 5,
                                            -version   =&gt; 1);
if (!defined($Session)) {
  die "Croaking: $Error";
}

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  my $Result = $Session-&gt;get_request(-varbindlist =&gt; [$DiskTotalOID]);
  print "host_name " . $Host . "\n";
  print "graph_args --base 1024 -l 0 --vertical-label Bytes --upper-limit " . ($Result-&gt;{$DiskTotalOID} * 1024) . "\n";
  print "graph_title Disk Space usage\n";
  print "graph_category system\n";
  print "graph_info This graph shows the router's Disk Space usage.\n";
  print "graph_order Total Used\n";
  print "graph_vlabel bytes\n";
  print "Total.label Total Disk Space\n";
  print "Total.draw AREA\n";
  print "Used.label Used Disk Space\n";
  print "Used.draw AREA\n";
  $Session-&gt;close;
  exit;
}

###############################################################################
## Execution
if (my $Result = $Session-&gt;get_request(-varbindlist =&gt; [$DiskTotalOID, $DiskUsedOID])) {
  print "Total.value " . ($Result-&gt;{$DiskTotalOID} * 1024) . "\n";
  print "Used.value " . ($Result-&gt;{$DiskUsedOID} * 1024) . "\n";
  $Session-&gt;close;
  exit;
}</pre>
<h2>mikrotikmemory_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Quick &amp; Easy</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>SNMP</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Mikrotikmemory_.png"><img loading="lazy" alt="Mikrotikmemory .png" src="http://wiki.mikrotik.com/images/a/ab/Mikrotikmemory_.png" width="495" height="276" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::SNMP;
use strict;
use warnings;
###############################################################################
my $MemTotalOID = ".1.3.6.1.2.1.25.2.3.1.5.2";
my $MemUsedOID = ".1.3.6.1.2.1.25.2.3.1.6.2";
my $SNMPCommunity = "public";
my $SNMPPort = "161";

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikmemory_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate SNMP Session
my ($Session, $Error) = Net::SNMP-&gt;session (-hostname  =&gt; $Host,
                                            -community =&gt; $SNMPCommunity,
                                            -port      =&gt; $SNMPPort,
                                            -timeout   =&gt; 60,
                                            -retries   =&gt; 5,
                                            -version   =&gt; 1);
if (!defined($Session)) {
  die "Croaking: $Error";
}

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  my $Result = $Session-&gt;get_request(-varbindlist =&gt; [$MemTotalOID]);
  print "host_name " . $Host . "\n";
  print "graph_args --base 1024 -l 0 --vertical-label Bytes --upper-limit " . ($Result-&gt;{$MemTotalOID} * 1024) . "\n";
  print "graph_title Memory usage\n";
  print "graph_category system\n";
  print "graph_info This graph shows the router's memory usage.\n";
  print "graph_order Total Used\n";
  print "graph_vlabel bytes\n";
  print "Total.label Total Memory\n";
  print "Total.draw AREA\n";
  print "Used.label Used Memory\n";
  print "Used.draw AREA\n";
  $Session-&gt;close;
  exit;
}

###############################################################################
## Execution
if (my $Result = $Session-&gt;get_request(-varbindlist =&gt; [$MemTotalOID, $MemUsedOID])) {
  print "Total.value " . ($Result-&gt;{$MemTotalOID} * 1024) . "\n";
  print "Used.value " . ($Result-&gt;{$MemUsedOID} * 1024) . "\n";
  $Session-&gt;close;
  exit;
}</pre>
<h2>mikrotikppp_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Easy to Intermediate</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>Telnet (RO Access, Single Login)</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Mikrotikppp-day.png"><img loading="lazy" alt="Mikrotikppp-day.png" src="http://wiki.mikrotik.com/images/7/71/Mikrotikppp-day.png" width="501" height="319" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
#
# Beware - some perl Net::Telnet::Cisco packages are broken and you may need
# to manually hack a 'g' out of a file if you get an error message!
# Nick Barnes 20090610
#
###############################################################################
use diagnostics;
use Net::Telnet::Cisco;
use strict;
use warnings;
##############################################################################
my $TelnetPort = "23";
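## These credentials are stored in clear text and Telnet sends them unencrypted:
## use a read-only RouterOS account and keep this file readable by munin only.
my $TelnetUser = "username";
my $TelnetPass = "password";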

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikppp_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate Telnet Session
my $MT = Net::Telnet::Cisco-&gt;new(Host    =&gt; $Host,
                                 Port    =&gt; $TelnetPort,
                                 Prompt  =&gt; '/[\&gt;\#] $/',
                                 Timeout =&gt; 30);

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  print "host_name " . $Host . "\n";
  print "graph_args --base 1000 -l 0 -r --lower-limit 0\n";
  print "graph_title Active PPP Client Connections\n";
  print "graph_vlabel number\n";
  print "graph_category network\n";
  print "graph_info This graph shows the active amount of ppp connections\n";
  print "graph_order async isdn l2tp ovpn pppoe pptp\n";
  print "async.label async\n";
  print "async.info ASync Connections\n";
  print "isdn.label isdn\n";
  print "isdn.info ISDN Connections\n";
  print "l2tp.label l2tp\n";
  print "l2tp.info L2TP Connections\n";
  print "ovpn.label ovpn\n";
  print "ovpn.info OVPN Connections\n";
  print "pppoe.label pppoe\n";
  print "pppoe.info PPPoE Connections\n";
  print "pptp.label pptp\n";
  print "pptp.info PPTP Connections\n";
  exit;
}

###############################################################################
## Execution
if (!defined($MT-&gt;login($TelnetUser . "+ct", $TelnetPass))) {
  die "Croaking: " . $MT-&gt;errmsg;
} else {
  my $async = 0;
  my $isdn = 0;
  my $ltp = 0;
  my $ovpn = 0;
  my $pppoe = 0;
  my $pptp = 0;
  my @Output = $MT-&gt;cmd("/ppp active print without-paging terse");
  foreach my $Line (@Output) {
    my ($tmp, $rest) = split(/ name/, $Line, 2);
    if ($rest &amp;&amp; $rest =~ /async/ ) { $async++; };
    if ($rest &amp;&amp; $rest =~ /isdn/ ) { $isdn++; };
    if ($rest &amp;&amp; $rest =~ /l2tp/ ) { $ltp++; };
    if ($rest &amp;&amp; $rest =~ /ovpn/ ) { $ovpn++; };
    if ($rest &amp;&amp; $rest =~ /pppoe/ ) { $pppoe++; };
    if ($rest &amp;&amp; $rest =~ /pptp/ ) { $pptp++; };
  }
  print "async.value " . $async . "\n";
  print "isdn.value " . $isdn . "\n";
  print "l2tp.value " . $ltp . "\n";
  print "ovpn.value " . $ovpn . "\n";
  print "pppoe.value " . $pppoe . "\n";
  print "pptp.value " . $pptp . "\n";
  exit;
}</pre>
<h2>mikrotikradius_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Easy to Intermediate</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>Telnet (RO Access, Single Login)</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Mikrotikradius_.png"><img loading="lazy" alt="Mikrotikradius .png" src="http://wiki.mikrotik.com/images/4/46/Mikrotikradius_.png" width="495" height="336" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::Telnet::Cisco;
use strict;
use warnings;
###############################################################################
my $RadiusHost = "192.168.1.251";       ## This is the address of the Radius
                                        ## Server we monitor as configured in
                                        ## /radius on Mikrotik
my $TelnetPort = "23";
my $TelnetUser = "username";
my $TelnetPass = "password";

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikradius_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate Telnet Session
my $MT = Net::Telnet::Cisco-&gt;new(Host    =&gt; $Host,
                                 Port    =&gt; $TelnetPort,
                                 Prompt  =&gt; '/[\&gt;\#] $/',
                                 Timeout =&gt; 30);
if (!defined($MT-&gt;login($TelnetUser . "+ct", $TelnetPass))) {
  die "Croaking: " . $MT-&gt;errmsg;
}

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  print "host_name " . $Host . "\n";
  print "graph_args --base 1000 -l 0 -r --lower-limit 0\n";
  print "graph_title Radius Statistics\n";
  print "graph_vlabel requests/s\n";
  print "graph_category system\n";
  print "graph_info This graph shows Radius usage.\n";
  print "graph_period second\n";
  print "graph_order pending requests accepts rejects resends timeouts badreplies\n";
  print "pending.label pending\n";
  print "pending.info Requests Pending\n";
  print "requests.label requests\n";
  print "requests.info Requests Completed\n";
  print "requests.type COUNTER\n";
  print "accepts.label accepts\n";
  print "accepts.info Authentication Accepted\n";
  print "accepts.type COUNTER\n";
  print "rejects.label rejects\n";
  print "rejects.info Authentication Rejected\n";
  print "rejects.type COUNTER\n";
  print "resends.label resends\n";
  print "resends.info Request Resends\n";
  print "resends.type COUNTER\n";
  print "timeouts.label timeouts\n";
  print "timeouts.info Request Timeouts\n";
  print "timeouts.type COUNTER\n";
  print "badreplies.label badreplies\n";
  print "badreplies.info Bad Replies\n";
  print "badreplies.type COUNTER\n";
  exit;
}

###############################################################################
## Execution
my ($tmp, $pending, $requests, $accepts, $rejects, $resends, $timeouts, $badreplies, $rtt) = undef;
my @Output = $MT-&gt;cmd("/radius monitor [find address=" . $RadiusHost . "] once");
foreach my $Line (@Output) {
  if ($Line =~ /pending/) {
    ($tmp, $pending) = split(/: /, $Line, 2);
  } elsif ($Line =~ /requests/) {
    ($tmp, $requests) = split(/: /, $Line, 2);
  } elsif ($Line =~ /accepts/) {
    ($tmp, $accepts) = split(/: /, $Line, 2);
  } elsif ($Line =~ /rejects/) {
    ($tmp, $rejects) = split(/: /, $Line, 2);
  } elsif ($Line =~ /resends/) {
    ($tmp, $resends) = split(/: /, $Line, 2);
  } elsif ($Line =~ /timeouts/) {
    ($tmp, $timeouts) = split(/: /, $Line, 2);
  } elsif ($Line =~ /bad-replies/) {
    ($tmp, $badreplies) = split(/: /, $Line, 2);
  }
}
print "pending.value " . $pending;
print "requests.value " . $requests;
print "accepts.value " . $accepts;
print "rejects.value " . $rejects;
print "resends.value " . $resends;
print "timeouts.value " . $timeouts;
print "badreplies.value " . $badreplies;</pre>
<h2>mikrotikroutes_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Easy to Intermediate</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>Telnet (RO Access, Single Login)</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Mikrotikroutes_.png"><img loading="lazy" alt="Mikrotikroutes .png" src="http://wiki.mikrotik.com/images/c/c1/Mikrotikroutes_.png" width="481" height="408" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::Telnet::Cisco;
use strict;
use warnings;
##############################################################################
my ($total, $disabled, $active, $dynamic, $connected, $static, $rip, $bgp, $ospf, $mme, $blackhole, $unreachable, $prohibit) = undef;
my $TelnetPort = "23";
my $TelnetUser = "username";
my $TelnetPass = "password";

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikroutes_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate Telnet Session
my $MT = Net::Telnet::Cisco-&gt;new(Host    =&gt; $Host,
                                 Port    =&gt; $TelnetPort,
                                 Prompt  =&gt; '/[\&gt;\#] $/',
                                 Timeout =&gt; 30);

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  print "host_name " . $Host . "\n";
  print "graph_args --base 1000 -l 0 -r --lower-limit 0\n";
  print "graph_title Routing Tables\n";
  print "graph_vlabel number\n";
  print "graph_category network\n";
  print "graph_info This graph shows the routing table size\n";
  print "graph_order total disabled active dynamic connected static rip bgp ospf mme blackhole unreachable prohibit\n";
  print "total.label total\n";
  print "total.info Total Routes\n";
  print "disabled.label disabled\n";
  print "disabled.info Total Disabled Routes\n";
  print "active.label active\n";
  print "active.info Total Active Routes\n";
  print "dynamic.label dynamic\n";
  print "dynamic.info Total Dynamic Routes\n";
  print "connected.label connected\n";
  print "connected.info Total Connected Routes\n";
  print "static.label static\n";
  print "static.info Total Static Routes\n";
  print "rip.label rip\n";
  print "rip.info Routes obtained via RIP\n";
  print "bgp.label bgp\n";
  print "bgp.info Routes obtained via BGP\n";
  print "ospf.label ospf\n";
  print "ospf.info Routes obtained via OSPF\n";
  print "mme.label mme\n";
  print "mme.info Routes obtained via MME\n";
  print "blackhole.label blackhole\n";
  print "blackhole.info Blackhole Routes\n";
  print "unreachable.label unreachable\n";
  print "unreachable.info Routes currently unreachable\n";
  print "prohibit.label prohibit\n";
  print "prohibit.info Prohibited routes\n";
  exit;
}

###############################################################################
## Execution
if (!defined($MT-&gt;login($TelnetUser . "+ct", $TelnetPass))) {
  die "Croaking: " . $MT-&gt;errmsg;
} else {
  my @Output = $MT-&gt;cmd("/ip route print without-paging terse");
  $total = 0;
  $disabled = 0;
  $active = 0;
  $dynamic = 0;
  $connected = 0;
  $static = 0;
  $rip = 0;
  $bgp = 0;
  $ospf = 0;
  $mme = 0;
  $blackhole = 0;
  $unreachable = 0;
  $prohibit = 0;

  foreach my $Line (@Output) {
    $total = $total + 1;
    my ($tmp, $rest) = split(/  /, $Line, 2);
    if ($tmp &amp;&amp; $tmp =~ /X/) {$disabled = $disabled + 1;}
    if ($tmp &amp;&amp; $tmp =~ /A/) {$active = $active + 1;}
    if ($tmp &amp;&amp; $tmp =~ /D/) {$dynamic = $dynamic + 1;}
    if ($tmp &amp;&amp; $tmp =~ /C/) {$connected = $connected + 1;}
    if ($tmp &amp;&amp; $tmp =~ /S/) {$static = $static + 1;}
    if ($tmp &amp;&amp; $tmp =~ /r/) {$rip = $rip + 1;}
    if ($tmp &amp;&amp; $tmp =~ /b/) {$bgp = $bgp + 1;}
    if ($tmp &amp;&amp; $tmp =~ /o/) {$ospf = $ospf + 1;}
    if ($tmp &amp;&amp; $tmp =~ /m/) {$mme = $mme + 1;}
    if ($tmp &amp;&amp; $tmp =~ /B/) {$blackhole = $blackhole + 1;}
    if ($tmp &amp;&amp; $tmp =~ /U/) {$unreachable = $unreachable + 1;}
    if ($tmp &amp;&amp; $tmp =~ /P/) {$prohibit = $prohibit + 1;}
  }
  print "total.value " . $total . "\n";
  print "disabled.value " . $disabled . "\n";
  print "active.value " . $active . "\n";
  print "dynamic.value " . $dynamic . "\n";
  print "connected.value " . $connected . "\n";
  print "static.value " . $static . "\n";
  print "rip.value " . $rip . "\n";
  print "bgp.value " . $bgp . "\n";
  print "ospf.value " . $ospf . "\n";
  print "mme.value " . $mme . "\n";
  print "blackhole.value " . $blackhole . "\n";
  print "unreachable.value " . $unreachable . "\n";
  print "prohibit.value " . $prohibit . "\n";
  exit;
}</pre>
<h2>mikrotikwirelessinterface_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Easy to Intermediate</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>Telnet (RO Access, Single Login)</td>
</tr>
<tr>
<td>Notes:</td>
<td>Monitors the wireless interface (CCQ, signals, etc.) on the CPE side only. The interface MUST BE in station mode to operate. Only monitors the first interface found (interface number 0 in /interface wireless print).</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Mikrotikwirelessinterface_.png"><img loading="lazy" alt="Mikrotikwirelessinterface .png" src="http://wiki.mikrotik.com/images/c/c7/Mikrotikwirelessinterface_.png" width="495" height="348" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::Telnet::Cisco;
use strict;
use warnings;
##############################################################################
my $TelnetPort = "23";
my $TelnetUser = "username";
my $TelnetPass = "password";

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikwirelessinterface_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate Telnet Session
my $MT = Net::Telnet::Cisco-&gt;new(Host    =&gt; $Host,
                                 Port    =&gt; $TelnetPort,
                                 Prompt  =&gt; '/[\&gt;\#] $/',
                                 Timeout =&gt; 30);

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  print "host_name " . $Host . "\n";
  print "graph_args -l 0 --lower-limit -100 --upper-limit 100\n";
  print "graph_title Wireless Interface Quality (MACAddress)\n";
  print "graph_vlabel Comms Quality\n";
  print "graph_category network\n";
  print "graph_info This graph shows the wireless interface statistics\n";
  print "graph_order txccq rxccq txsignal txrate rxrate acttimeout noisefloor\n";
  print "graph_scale no\n";
  print "txccq.label TX CCQ (%)\n";
  print "rxccq.label RX CCQ (%)\n";
  print "txsignal.label TX Signal Strength (dBm)\n";
  print "acttimeout.label ACT Timeout (us)\n";
  print "noisefloor.label Noise Floor (dBm)\n";
  print "txrate.label TX Rate (Mbps)\n";
  print "rxrate.label RX Rate (Mbps)\n";
  exit;
}

###############################################################################
## Execution
if (!defined($MT-&gt;login($TelnetUser . "+ct", $TelnetPass))) {
  die "Croaking: " . $MT-&gt;errmsg;
} else {
  my @Output = $MT-&gt;cmd("/interface wireless monitor 0 once\nD\n");
  my ($rest, $tmp, $txccq, $rxccq, $txsignal, $stn, $otxccq, $acttimeout, $noisefloor, $txrate, $rxrate) = undef;
  foreach my $Line (@Output) {
    if (($Line =~ /tx-ccq/ &amp;&amp; $Line !~ /overall-tx-ccq/) &amp;&amp; $Line =~ m/(\d+)/) {
      $txccq = $1;
    }
    if ($Line =~ /rx-ccq/ &amp;&amp; $Line =~ m/(\d+)/) {
      $rxccq = $1;
    }
    if ($Line =~ /tx-signal-strength/ &amp;&amp; $Line =~ m/(.\d+)/) {
      $txsignal = $1;
    }
    if ($Line =~ /current-ack-timeout/ &amp;&amp; $Line =~ m/(.\d+)/) {
      $acttimeout = $1;
    }
    if ($Line =~ /noise-floor/ &amp;&amp; $Line =~ m/(.\d+)/) {
      $noisefloor = $1;
    }
    if ($Line =~ /tx-rate/ &amp;&amp; $Line =~ m/(\d+)/) {
      $txrate = $1;
    }
    if ($Line =~ /rx-rate/ &amp;&amp; $Line =~ m/(\d+)/) {
      $rxrate = $1;
    }
  }
  print "txccq.value " . $txccq . "\n";
  print "rxccq.value " . $rxccq . "\n";
  print "txsignal.value " . $txsignal . "\n";
  print "acttimeout.value " . $acttimeout . "\n";
  print "noisefloor.value " . $noisefloor . "\n";
  print "txrate.value " . $txrate . "\n";
  print "rxrate.value " . $rxrate . "\n";
  exit;
}</pre>
<h2>mikrotikwirelessregistration_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Advanced</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>Telnet (RO Access, Double Login)</td>
</tr>
<tr>
<td>Notes:</td>
<td>Script is NOT YET 100%. The registration table is not parsed properly. This script will need editing. Patches and/or updates are welcome!</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Mikrotikwirelessregistration_.png"><img loading="lazy" alt="Mikrotikwirelessregistration .png" src="http://wiki.mikrotik.com/images/c/ca/Mikrotikwirelessregistration_.png" width="495" height="408" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::Telnet::Cisco;
use strict;
use warnings;
##############################################################################
my @Output = undef;
my $TelnetPort = "23";
my $TelnetUser = "username";
my $TelnetPass = "password";

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikwirelessregistration_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate Telnet Session
my $MT = Net::Telnet::Cisco-&gt;new(Host    =&gt; $Host,
                                 Port    =&gt; $TelnetPort,
                                 Prompt  =&gt; '/[\&gt;\#] $/',
                                 Timeout =&gt; 30);
if (!defined($MT-&gt;login($TelnetUser . "+ct", $TelnetPass))) {
  die "Croaking: " . $MT-&gt;errmsg;
}

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  print "host_name " . $Host . "\n";
  print "graph_args -l 0 --lower-limit -100 --upper-limit 0\n";
  print "graph_title Wireless Interface Registrations (Signal Strength)\n";
  print "graph_vlabel dBm Signal\n";
  print "graph_category network\n";
  print "graph_info This graph shows the wireless registration signal strength\n";
  print "graph_scale no\n";
  @Output = $MT-&gt;cmd("/interface wireless registration-table print without-paging");
  foreach my $Line (@Output) {
    my ($tmp, $number, $interface, $radio, $mac, $ap, $signal, $txrate, $uptime) = split(/\s+/, $Line, 9);
    if ($interface &amp;&amp; $interface ne "INTERFACE") {
      print $interface . ".label " . $interface . "\n";
    }
  }
  exit;
}

###############################################################################
## Execution
@Output = $MT-&gt;cmd("/interface wireless registration-table print without-paging");
foreach my $Line (@Output) {
  my ($tmp, $number, $interface, $radio, $mac, $ap, $signal, $txrate, $uptime) = split(/\s+/, $Line, 9);
  if ($interface &amp;&amp; $interface ne "INTERFACE") {
    if ($signal =~ m/(.\d+)/) {
      print $interface . ".value " . $1 . "\n";
    }
  }
}
exit;</pre>
<p>&#8212;<a title="User:Savage (page does not exist)" href="http://wiki.mikrotik.com/index.php?title=User:Savage&amp;action=edit&amp;redlink=1">Savage</a> 14:02, 14 January 2009 (EET)</p>
<h2>mikrotikdhcpleases_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Advanced</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>API (PHP)</td>
</tr>
<tr>
<td>Notes:</td>
<td>Produces a graph which shows the number of active leases for each DHCP server. Assumes that the DHCP servers are sensibly named! &#8220;server 1&#8221; and &#8220;server1&#8221; are treated as the same server!</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Dhcpleases.png"><img loading="lazy" alt="Dhcpleases.png" src="http://wiki.mikrotik.com/images/e/e6/Dhcpleases.png" width="501" height="307" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/php
&lt;?php

// Change the following path as appropriate
require('/var/www/html/ros/routeros_api.class.php');

$API = new routeros_api();

// debug
$API-&gt;debug = false;

// Work out which hostname we're connecting to.
$hostname = explode("_",$argv[0],2);

if (isset($hostname[1])) {
  $hostname = $hostname[1];
} else {
  die("No hostname available");
}

// First things first, get the information we want to look at
// change username/password as appropriate
if ($API-&gt;connect($hostname, 'munin', 'munin')) {

   $API-&gt;write('/ip/dhcp-server/getall');
   $dhcp_servers = $API-&gt;read();

// Not very optimal - we get the leases even if we don't need them, but it'll do for the moment.
   $API-&gt;write('/ip/dhcp-server/lease/getall');
   $dhcp_leases = $API-&gt;read();

   $API-&gt;disconnect();

   $connect = 'yes';
} else {
   $connect = 'no (could not connect)';
}

if ($argc &gt; 1 &amp;&amp; $argv[1] == 'autoconf') {
  print $connect . "\n";
  exit;
}

//Output configuration information
if ($argc &gt; 1 &amp;&amp; $argv[1] == 'config') {
  print "host_name $hostname\n";
  print "graph_args --base 1000 -l 0 -r --lower-limit 0\n";
  print "graph_title DHCP leases\n";
  print "graph_vlabel number\n";
  print "graph_category network\n";
  print "graph_info This graph shows the number of active leases for each DHCP server\n";
  print "graph_scale no\n";
  if (!empty($dhcp_servers)) {
    foreach ($dhcp_servers as $value) {
      // ereg_replace() was removed in PHP 7; preg_replace() does the same job
      $nicename=preg_replace("/[^A-Za-z0-9]/", "",$value["name"]);
      print $nicename . ".label " . $value["name"] . "\n";
    }
  }
  exit;
}

// Exit if we don't have any servers to report on.
if (empty($dhcp_servers)) {
  exit;
}

// Set count for each server to zero.
foreach ($dhcp_servers as $value) {
  $dhcp_server_leases[$value["name"]]=0 ;
}

// Then calculate the count for each server.
if (!empty($dhcp_leases)) {
  foreach ($dhcp_leases as $value) {
    if (array_key_exists("active-server",$value)) {
      $dhcp_server_leases[$value["active-server"]]+=1;
    }
  }
}

// Finally, print it all out.
foreach ($dhcp_server_leases as $key =&gt; $value) {
  print preg_replace("/[^A-Za-z0-9]/", "",$key) . ".value " . $value . "\n";
}

exit;

?&gt;</pre>
<h2>mikrotikfirewallrules_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Advanced</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>API (PHP)</td>
</tr>
<tr>
<td>Notes:</td>
<td>Produces a graph which shows the number of active firewall rules for each chain.</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Firewallrules.png"><img loading="lazy" alt="Firewallrules.png" src="http://wiki.mikrotik.com/images/c/c0/Firewallrules.png" width="501" height="319" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/php
&lt;?php

require('/var/www/html/ros/routeros_api.class.php');

$API = new routeros_api();

// debug
$API-&gt;debug = false;

// Work out which hostname we're connecting to.
$hostname = explode("_",$argv[0],2);

if (isset($hostname[1])) {
  $hostname = $hostname[1];
} else {
  die("No hostname available");
}

// First things first, get the information we want to look at
if ($API-&gt;connect($hostname, 'munin', 'munin')) {

   $API-&gt;write('/ip/firewall/filter/getall');
   $firewall_rules = $API-&gt;read();

   $API-&gt;disconnect();

   $rulecount=array();

   foreach ($firewall_rules as $value) {

// Some versions of ROS use disabled=true, others use invalid=true
     if ((array_key_exists("disabled",$value) &amp;&amp; $value["disabled"] == 'false') ||
     (array_key_exists("invalid",$value) &amp;&amp; $value["invalid"] == 'false')) {
       if (array_key_exists($value["chain"],$rulecount)) {
         $rulecount[$value["chain"]] += 1;
       } else {
         $rulecount[$value["chain"]] = 1;
       }
     }
   }

   $connect = 'yes';
} else {
   $connect = 'no (could not connect)';
}

if ($argc &gt; 1 &amp;&amp; $argv[1] == 'autoconf') {
  print $connect . "\n";
  exit;
}

if ($argc &gt; 1 &amp;&amp; $argv[1] == 'config') {
  print "host_name $hostname\n";
  print "graph_args --base 1000 -l 0 -r --lower-limit 0\n";
  print "graph_title Firewall rules\n";
  print "graph_vlabel number\n";
  print "graph_category network\n";
  print "graph_info This graph shows the number of active firewall rules in each chain\n";
  print "graph_scale no\n";

  if (!empty($rulecount)) {
    foreach ($rulecount as $key =&gt; $value) {
      print $key . ".label " . $key . "\n";
    }
  }
  exit;
}

if (empty($rulecount)) {
  exit;
}

foreach ($rulecount as $key =&gt; $value) {
  print $key . ".value " . $value . "\n";
}

exit;

?&gt;</pre>
<h2>mikrotikfirewallcount_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Advanced</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>API (PHP)</td>
</tr>
<tr>
<td>Notes:</td>
<td>Produces a graph which shows the number of packets for specified firewall rules. Packets matching a firewall rule are graphed when the comment field for the rule starts with &#8220;GRAPH - &#8221;. The rest of the comment is used to label the points (e.g. for &#8220;GRAPH - Dropped packets&#8221;, &#8220;Dropped packets&#8221; is the label). Note that this does not work on ROS 3.25 as for some bizarre reason, rule comments are no longer accessible from the API.</td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Firewallcount.png"><img loading="lazy" alt="Firewallcount.png" src="http://wiki.mikrotik.com/images/5/53/Firewallcount.png" width="501" height="295" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/php
&lt;?php

require('/var/www/html/ros/routeros_api.class.php');

$API = new routeros_api();

// debug
$API-&gt;debug = false;

// Work out which hostname we're connecting to.
$hostname = explode("_",$argv[0],2);

if (isset($hostname[1])) {
  $hostname = $hostname[1];
} else {
  die("No hostname available");
}

// First things first, get the information we want to look at
if ($API-&gt;connect($hostname, 'munin', 'munin')) {

   $API-&gt;write('/ip/firewall/filter/getall');
   $firewall_rules = $API-&gt;read();

   $API-&gt;disconnect();

   $graphme=array();

   foreach ($firewall_rules as $value) {
     if (array_key_exists("comment",$value)) {
       $comment = explode(" - ",$value["comment"]);
       if ($comment[0] == "GRAPH" &amp;&amp; isset($comment[1])) {
         // ereg_replace() was removed in PHP 7; preg_replace() does the same job
         $id=preg_replace("/[^A-Za-z0-9]/", "",$value[".id"]);
         $graphme[$id]["name"]=$comment[1];
         $graphme[$id]["packets"]=$value["packets"];
       }
     }
   }

   $connect = 'yes';
} else {
   $connect = 'no (could not connect)';
}

if ($argc &gt; 1 &amp;&amp; $argv[1] == 'autoconf') {
  print $connect . "\n";
  exit;
}

if ($argc &gt; 1 &amp;&amp; $argv[1] == 'config') {
  print "host_name $hostname\n";
  print "graph_args --base 1000 -l 0 -r --lower-limit 0\n";
  print "graph_title Logged packets \n";
  print "graph_vlabel number\n";
  print "graph_category firewall\n";
  print "graph_info This graph shows the number of packets for logged firewall rules\n";
  print "graph_scale no\n";

  if (!empty($graphme)) {
    foreach ($graphme as $key =&gt; $value) {
      $id=preg_replace("/[^A-Za-z0-9]/", "",$key);
      print $id . ".label " . $value["name"] . "\n";
      print $id . ".type COUNTER\n";
    }
  }
  exit;
}

// If there's nothing to graph, don't bother.
if (empty($graphme)) {
  exit;
}

foreach ($graphme as $key =&gt; $value) {
  print $key . ".value " . $value["packets"] . "\n";
}

exit;

?&gt;</pre>
<h2>mikrotikifrate_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Advanced</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>API (PHP)</td>
</tr>
<tr>
<td>Notes:</td>
<td>This graph shows the incoming and outgoing transfer rate of a specified interface. Uses PHP API. Tested on v3.30, v4.6, v5.0beta2.</td>
</tr>
<tr>
<td>Usage:</td>
<td>As above, except you also need to specify the name of the monitored interface in the filename.</td>
</tr>
<tr>
<td>Filename syntax:</td>
<td><b>mikrotikifrate_hostname_interfacename</b></td>
</tr>
<tr>
<td>Filename example:</td>
<td><i>mikrotikifrate_example.changeip.net_ether1</i></td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Ifrate.png"><img loading="lazy" alt="Ifrate.png" src="http://wiki.mikrotik.com/images/5/56/Ifrate.png" width="503" height="292" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/php
&lt;?php

// Change the following path as appropriate
require('/var/www/html/ros/routeros_api.class.php');

$API = new routeros_api();

// debug
$API-&gt;debug = false;

// Work out hostname and interface name
$param = explode("_",$argv[0],3);

if (isset($param[1])) {
  $hostname = $param[1];
} else {
  die("No hostname available. Filename should be like: mikrotikifrate_example.changeip.net_ether1");
}

if (isset($param[2])) {
  $ifname = $param[2];
} else {
  die("No interface name available. Filename should be like: mikrotikifrate_example.changeip.net_ether1");
}

// change username/password as appropriate
if ($API-&gt;connect($hostname, 'munin', 'munin')) {

   $API-&gt;write('/interface/print',false);
   $API-&gt;write('=stats=');

   $READ = $API-&gt;read(false);
   $interfaces = $API-&gt;parse_response($READ);

   $API-&gt;disconnect();

   $connect = 'yes';
} else {
   $connect = 'no (could not connect)';
}

if ($argc &gt; 1 &amp;&amp; $argv[1] == 'autoconf') {
  print $connect . "\n";
  exit;
}

// Output configuration information
if ($argc &gt; 1 &amp;&amp; $argv[1] == 'config') {
  print "host_name $hostname\n";
  print "graph_args --base 1000\n";
  print "graph_title $ifname traffic\n";
  print "graph_vlabel bits per second\n";
  print "graph_category network\n";
  print "graph_info This graph shows the incoming and outgoing traffic rate of an interface\n";
  print "in.label received\n";
  print "in.type DERIVE\n";
  print "in.draw AREA\n";
  print "in.min 0\n";
  print "in.cdef in,8,*\n";
  print "out.label sent\n";
  print "out.type DERIVE\n";
  print "out.draw LINE1\n";
  print "out.min 0\n";
  print "out.cdef out,8,*\n";

  exit;
}

// Exit if we don't have any interfaces to report on.
if (empty($interfaces)) {
  exit;
}

// Finally, print it all out.
foreach ($interfaces as $interface) {
  if ($interface['name'] == $ifname) {
    // 'bytes' holds two counters separated by "/": the first is graphed
    // as received, the second as sent.
    $bytes = explode("/", $interface['bytes']);
    print "in.value " . $bytes[0] . "\n";
    print "out.value " . $bytes[1] . "\n";
  }
}

exit;

?&gt;</pre>
<h2>mikrotikwirelessconnected_</h2>
<table>
<tbody>
<tr>
<td>Installation:</td>
<td>Easy to Intermediate</td>
</tr>
<tr>
<td>Technology Used:</td>
<td>Telnet (RO Access, Single Login)</td>
</tr>
<tr>
<td>Notes:</td>
<td>This chart shows the number of clients connected to each wireless interface. Tested on v3.30, v4.9.</td>
</tr>
<tr>
<td>Usage:</td>
<td>As above, except you also need to specify more than 9 interfaces.</td>
</tr>
<tr>
<td>Filename syntax:</td>
<td><b>mikrotikwirelessconnected_hostname</b></td>
</tr>
<tr>
<td>Filename example:</td>
<td><i>mikrotikwirelessconnected_ap1.domain.ext</i></td>
</tr>
<tr>
<td>Sample Graph:</td>
<td><a href="http://wiki.mikrotik.com/wiki/File:Graph-mkwireless_host-day.png"><img loading="lazy" alt="Graph-mkwireless host-day.png" src="http://wiki.mikrotik.com/images/9/92/Graph-mkwireless_host-day.png" width="495" height="307" /></a></td>
</tr>
</tbody>
</table>
<p>Script:</p>
<pre>#!/usr/bin/perl
###############################################################################
use diagnostics;
use Net::Telnet::Cisco;
use strict;
use warnings;
##############################################################################
my $TelnetPort = "23";
my $TelnetUser = "munin";
my $TelnetPass = "password";

###############################################################################
## Determine Hostname
my $Host = undef;
$0 =~ /mikrotikwirelessconnected_(.+)*$/;
unless ($Host = $1) {
  exit 2;
}

###############################################################################
## Initiate Telnet Session
my $MT = Net::Telnet::Cisco-&gt;new(Host    =&gt; $Host,
                                 Port    =&gt; $TelnetPort,
                                 Prompt  =&gt; '/[\&gt;\#] $/',
                                 Timeout =&gt; 30);

###############################################################################
## Configuration
if ($ARGV[0] &amp;&amp; $ARGV[0] eq "config") {
  print "host_name " . $Host . "\n";
  print "graph_args -l 0 --lower-limit 0 --upper-limit 40\n";
  print "graph_title Wireless clients in " . $Host . " \n";
  print "graph_vlabel Number of clients\n";
  print "graph_category network\n";
  print "graph_info This graph shows the number of clients connected at the interfaces Wireless\n";
  # Get the number of interfaces for the graph
  if (!defined($MT-&gt;login($TelnetUser . "+ct", $TelnetPass))) {
    # A method call does not interpolate inside a string; use errmsg explicitly
    die "Croaking: " . $MT-&gt;errmsg;
    } else {
      # Gets the number of interfaces in AP
      my @interfaces = $MT-&gt;cmd("/interface wireless print count-only\nD\n");
      my ($count,$int,$cli_online,$inter_number) = undef;

      $count = 0;
      foreach my $Line (@interfaces) {
        if ( $Line =~ m/([0-9]\n)/ &amp;&amp; $count&lt;1 ){
          $int = $1;
          $count = $count+1;
        }
      }

      print "graph_order";
      $inter_number = 1;
      for ($count=1;$count&lt;=$int;$count++){
          print " cl_on_wlan" . $inter_number ."";
          $inter_number = $count +1;
      }
      print "\n";

      for ($count=1;$count&lt;=$int;$count++){
        $inter_number = $count ;
        print "cl_on_wlan" . $inter_number . ".warning 25\n";
        print "cl_on_wlan" . $inter_number . ".critical 30\n";
        print "cl_on_wlan" . $inter_number . ".label WLAN". $inter_number . "\n";
        print "cl_on_wlan" . $inter_number . ".info WIRELESS LAN " . $inter_number . "\n";
      }

    }
  exit;
}

###############################################################################
## Execution
if (!defined($MT-&gt;login($TelnetUser . "+ct", $TelnetPass))) {
  die "Croaking: " . $MT-&gt;errmsg;
  } else {

  # Gets the number of interfaces in AP
  my @interfaces = $MT-&gt;cmd("/interface wireless print count-only\nD\n");
  my ($count,$int) = undef;

  $count = 0;
  foreach my $Line (@interfaces) {
  if ( $Line =~ m/([0-9]\n)/ &amp;&amp; $count&lt;1 ){
        $int = $1;
        $count = $count+1;
    }
  }

# Gets the number of clients for each interface
for ($count = 0; $count &lt; $int; $count++) {
  my @Output = $MT-&gt;cmd("/interface wireless monitor " . $count . " once\nD\n");
  my $cli_online = undef;
  my $inter_number = $count+1;
  foreach my $Line (@Output) {
  # Get registered clients
    if ($Line =~ /registered-clients/ &amp;&amp; $Line =~ m/(\d+)/) {
        $cli_online = $1;
    }
  }
  # Print each value once, and only if the monitor output contained it
  print "cl_on_wlan" . $inter_number . ".value " . $cli_online . "\n" if defined $cli_online;
  }
  exit;
}
</pre>
<p>Reference: MikroTik wiki</p>
The post <a href="/mikrotik-monitoring-with-munin/">MikroTik Monitoring With Munin</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/mikrotik-monitoring-with-munin/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Force Disconnect Wireless Stations with Low CCQ in MikroTik</title>
		<link>/force-disconnect-wireless-stations-with-low-ccq-in-mikrotik/</link>
					<comments>/force-disconnect-wireless-stations-with-low-ccq-in-mikrotik/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Sat, 19 Jan 2013 20:02:36 +0000</pubDate>
				<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=580</guid>

					<description><![CDATA[<p>This script checks all registered stations and forces a disconnect for any station(s) which has a CCQ level less than that specified below (in this example it&#8217;s set to 70% for TX and for RX). The idea is that once they are forced to disconnect, the stations will attempt to reassociate with the best available... </p>
<p><a class="small button secondary" href="/force-disconnect-wireless-stations-with-low-ccq-in-mikrotik/">Continue Reading</a></p>
The post <a href="/force-disconnect-wireless-stations-with-low-ccq-in-mikrotik/">Force Disconnect Wireless Stations with Low CCQ in MikroTik</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-580"></span></p>
<p>This script checks all registered stations and forces a disconnect for any station that has a CCQ level lower than the one specified below (in this example it&#8217;s set to 70% for TX and for RX).</p>
<p>The idea is that once they are forced to disconnect, the stations will attempt to reassociate with the best available AP, eliminating the &#8216;sticky node&#8217; problem.</p>
<p>The only modification you need to make is to set your minimum allowed CCQ level.</p>
<p>On your APs:</p>
<pre>/system script 
add name="station-check" source="/interface \
   wireless registration-table\r\n:foreach i in=[ /interface wireless registration-table find ap=no] \
   do={\r\n   :if ([get \$i tx-ccq] &lt; \"70\" &amp;&amp; [get \$i rx-ccq] &lt; \"70\") do={\r\n           :log warning \
   ([get \$i radio-name] . \" was disconnected due to low CCQ - Tx: \" . [get \$i tx-ccq] . \"% / Rx: \" . \
   [get \$i rx-ccq] . \"%\")\r\n           /interface wireless registration-table remove \$i\r\n           \
   :delay 5s\r\n           }\r\n}"</pre>
<p><b>Important: Remember that non-MikroTik stations will not report back their received CCQ, so the TX-CCQ will always be 0%.</b><br />
Once you have configured the script, set up a scheduler to run it every time you want it to check for low signals. In the example below, the script will run every day at 1 second after midnight!</p>
<p>On your APs:</p>
<pre>/system scheduler 
add disabled=no interval=1d name="station-check-schedule" on-event="/system script run \
   station-check ;" start-time=00:00:01</pre>
<p>Done!</p>
The post <a href="/force-disconnect-wireless-stations-with-low-ccq-in-mikrotik/">Force Disconnect Wireless Stations with Low CCQ in MikroTik</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/force-disconnect-wireless-stations-with-low-ccq-in-mikrotik/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>MikroTik RouterOS Port Knocking</title>
		<link>/mikrotik-routeros-port-knocking/</link>
					<comments>/mikrotik-routeros-port-knocking/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Sat, 19 Jan 2013 18:52:49 +0000</pubDate>
				<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=573</guid>

					<description><![CDATA[<p>Port knocking is a method of establishing a connection to a networked device that has no open ports. Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate... </p>
<p><a class="small button secondary" href="/mikrotik-routeros-port-knocking/">Continue Reading</a></p>
The post <a href="/mikrotik-routeros-port-knocking/">MikroTik RouterOS Port Knocking</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-573"></span></p>
<p>Port knocking is a method of establishing a connection to a networked device that has no open ports.</p>
<p>Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports.</p>
<p>A remote host generates and sends an authentic knock sequence in order to manipulate device firewall rules to open one or more specific ports.</p>
<p>Once the desired ports are opened, the remote host can establish a connection and begin a session (in this example, SSH will be available after issuing the correct Knocking Sequence to a RouterOS Based Router).</p>
<p>Optionally, another knock sequence may be used to trigger the closing of the previously enabled port.</p>
<pre>
/ip firewall filter

# Stage 1: log the knock and list the source for 15s
add action=log chain=input log-prefix="KNOCK STAGE 01" disabled=no\
    protocol=tcp dst-port=1010
add action=add-src-to-address-list address-list="KNOCK STAGE 01"\
    address-list-timeout=15s chain=input disabled=no\
    dst-port=1010 protocol=tcp

# Stage 2: only sources already in "KNOCK STAGE 01" may advance
add action=log chain=input log-prefix="KNOCK STAGE 02" disabled=no\
    protocol=tcp dst-port=2020 src-address-list="KNOCK STAGE 01"
add action=add-src-to-address-list address-list="KNOCK STAGE 02"\
    address-list-timeout=15s chain=input disabled=no\
    dst-port=2020 protocol=tcp src-address-list="KNOCK STAGE 01"

# Stage 3: only sources already in "KNOCK STAGE 02" may advance
add action=log chain=input log-prefix="KNOCK STAGE 03" disabled=no\
    protocol=tcp dst-port=3030 src-address-list="KNOCK STAGE 02"
add action=add-src-to-address-list address-list="KNOCK STAGE 03"\
    address-list-timeout=15s chain=input disabled=no\
    dst-port=3030 protocol=tcp src-address-list="KNOCK STAGE 02"

# SSH is accepted only for sources that completed all three stages
add action=accept chain=input disabled=no\
    dst-port=22 protocol=tcp src-address-list="KNOCK STAGE 03"
</pre>
<p>In this example Address-Lists are created with a validity of 15s, so the knocking sequence needs to be issued quite fast.</p>
<p>Better security is achieved by using a sequence with decreasing port numbers and different protocols (so that a basic port scan does not complete the sequence).<br />
Example: 30001/TCP -> 2001/UDP -> 101/TCP => Open 22/TCP.</p>
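<p>An added example, not part of the original post and not RouterOS code: a small Python model of the staged address lists, used to check that a stage only advances sources already on the previous list, that the 15s timeout is enforced, and whether one ascending port sweep would complete a given sequence. The class and function names are made up for this model, the source addresses are documentation-range placeholders, and every knock is modelled as TCP.</p>

```python
"""Toy model of staged port-knock address lists (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

TIMEOUT = 15.0                   # address-list-timeout=15s from the rules
FINAL_LIST = "KNOCK STAGE 03"    # list the SSH accept rule matches on
SSH_PORT = 22
PAGE_PORTS = (1010, 2020, 3030)          # sequence used in the rules
DECREASING_PORTS = (30001, 2001, 101)    # suggested order, modelled as TCP only


@dataclass(frozen=True)
class Stage:
    port: int                 # dst-port of the add-src-to-address-list rule
    adds_to: str              # address-list the source is added to
    requires: Optional[str]   # src-address-list condition, None if absent


def stages(ports, chained=True):
    """Build three stage rules; chained=False drops the src-address-list match."""
    names = ["KNOCK STAGE 01", "KNOCK STAGE 02", FINAL_LIST]
    return [Stage(p, names[i], names[i - 1] if (chained and i > 0) else None)
            for i, p in enumerate(ports)]


@dataclass
class Router:
    rules: list
    lists: dict = field(default_factory=dict)   # (list, source) -> expiry time

    def member(self, name, src, now):
        return self.lists.get((name, src), float("-inf")) > now

    def packet(self, src, dst_port, now):
        """Process one connection attempt; True if the SSH accept rule matches."""
        for rule in self.rules:
            if dst_port == rule.port and (
                    rule.requires is None
                    or self.member(rule.requires, src, now)):
                self.lists[(rule.adds_to, src)] = now + TIMEOUT
        return dst_port == SSH_PORT and self.member(FINAL_LIST, src, now)


def ssh_accepted(rules, knocks, ssh_at, knock_src="198.51.100.7", ssh_src=None):
    """Replay (time, port) knocks from knock_src, then try SSH at ssh_at."""
    router = Router(rules)
    for when, port in knocks:
        router.packet(knock_src, port, when)
    return router.packet(ssh_src or knock_src, SSH_PORT, ssh_at)


def sweep_completes_knock(rules, ports_per_second, src="203.0.113.9"):
    """True if one ascending sweep of ports 1..65535 lands src on the final list."""
    router = Router(rules)
    for port in range(1, 65536):
        now = port / ports_per_second
        router.packet(src, port, now)
        if router.member(FINAL_LIST, src, now):
            return True
    return False


if __name__ == "__main__":
    full = [(0, 1010), (1, 2020), (2, 3030)]
    chained = stages(PAGE_PORTS)
    print("full knock, chained rules   :", ssh_accepted(chained, full, 3))
    print("last port only, chained     :", ssh_accepted(chained, [(0, 3030)], 1))
    print("last port only, unchained   :",
          ssh_accepted(stages(PAGE_PORTS, chained=False), [(0, 3030)], 1))
    print("knock slower than 15s       :",
          ssh_accepted(chained, [(0, 1010), (20, 2020), (21, 3030)], 22))
    print("sweep vs increasing sequence:", sweep_completes_knock(chained, 1000))
    print("sweep vs decreasing sequence:",
          sweep_completes_knock(stages(DECREASING_PORTS), 1000))
```

<p>Use it as a review aid when choosing ports and timeouts; it does not model UDP knocks, connection tracking or any rule outside the knock chain.</p>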
The post <a href="/mikrotik-routeros-port-knocking/">MikroTik RouterOS Port Knocking</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/mikrotik-routeros-port-knocking/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>MikroTik RouterOS &#8220;Safe Mode&#8221;</title>
		<link>/mikrotik-routeros-safe-mode/</link>
					<comments>/mikrotik-routeros-safe-mode/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Sat, 19 Jan 2013 18:40:48 +0000</pubDate>
				<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=562</guid>

					<description><![CDATA[<p>Safe Mode It is sometimes possible to change router configuration in a way that will make the router inaccessible (except from local console). Usually this is done by accident, but there is no way to undo last change when connection to router is already cut. Safe mode can be used to minimize such risk. Safe... </p>
<p><a class="small button secondary" href="/mikrotik-routeros-safe-mode/">Continue Reading</a></p>
The post <a href="/mikrotik-routeros-safe-mode/">MikroTik RouterOS “Safe Mode”</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-562"></span></p>
<h3>Safe Mode</h3>
<p>It is sometimes possible to change the router configuration in a way that makes the router inaccessible (except from the local console). Usually this is done by accident, but there is no way to undo the last change once the connection to the router is already cut. Safe mode can be used to minimize this risk.</p>
<p>Safe mode is entered by pressing <b>[CTRL]+[X]</b>. To save changes and quit safe mode, press <b>[CTRL]+[X]</b> again. To exit without saving the changes made, press <b>[CTRL]+[D]</b>.</p>
<pre>[admin@MikroTik] ip route&gt;[CTRL]+[X]
[Safe Mode taken]

[admin@MikroTik] ip route&lt;SAFE&gt;</pre>
<p>The message <b>Safe Mode taken</b> is displayed and the prompt changes to show that the session is now in safe mode. All configuration changes made while the router is in safe mode (including changes from other login sessions) are automatically undone if the safe mode session terminates abnormally. The changes that will be automatically undone are tagged with an <b>F</b> flag in the system history:</p>
<pre>[admin@MikroTik] ip route&gt;
[Safe Mode taken]

[admin@MikroTik] ip route&lt;SAFE&gt; add
[admin@MikroTik] ip route&lt;SAFE&gt; /system history print
Flags: U - undoable, R - redoable, F - floating-undo
  ACTION                                   BY                 POLICY
F route added                              admin              write</pre>
<p>Now, if the telnet connection (or WinBox terminal) is cut, then after a while (TCP timeout is <b>9</b> minutes) all changes that were made while in safe mode will be undone. Exiting the session with <b>[Ctrl]+[D]</b> also undoes all safe mode changes, while <b>/quit</b> does not.</p>
<p>If another user tries to enter safe mode, they are given the following message:</p>
<pre>[admin@MikroTik] &gt;
Hijacking Safe Mode from someone - unroll/release/don't take it [u/r/d]:</pre>
<ul>
<li>[u] &#8211; undoes all safe mode changes, and puts the current session in safe mode.</li>
<li>[r] &#8211; keeps all current safe mode changes, and puts the current session in safe mode. The previous owner of safe mode is notified about this:</li>
</ul>
<pre> 
     [admin@MikroTik] ip firewall rule input
     [Safe mode released by another user]</pre>
<ul>
<li>[d] &#8211; leaves everything as-is.</li>
</ul>
<p>If too many changes are made while in safe mode, and there&#8217;s no room in the history to hold them all (currently the history keeps up to 100 most recent actions), then the session is automatically taken out of safe mode and no changes are automatically undone. Thus, it is best to change configuration in small steps while in safe mode. Pressing [Ctrl]+[X] twice is an easy way to empty the safe mode action list.</p>
<h3>HotLock Mode</h3>
<p>When HotLock mode is enabled commands will be auto completed.</p>
<p>To enter/exit HotLock mode press <b>[CTRL]+[V]</b>.</p>
<pre>[admin@MikroTik] /ip address&gt; [CTRL]+[V]
[admin@MikroTik] /ip address&gt;&gt;</pre>
<p>A double <code>&gt;&gt;</code> is an indication that HotLock mode is enabled. For example, if you type <code>/in e</code>, it will be auto completed to</p>
<pre>[admin@MikroTik] /ip address&gt;&gt; /interface ethernet</pre>
The post <a href="/mikrotik-routeros-safe-mode/">MikroTik RouterOS “Safe Mode”</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/mikrotik-routeros-safe-mode/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>NTH load balancing with masquerade</title>
		<link>/nth-load-balancing-with-masquerade/</link>
					<comments>/nth-load-balancing-with-masquerade/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Sat, 12 Jan 2013 07:39:51 +0000</pubDate>
				<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=496</guid>

					<description><![CDATA[<p>NTH ? example: nth=Every,Counter,Packet nth=2,3,0. 2,3,1 2,3,2 divide all packets into groups of three (2+1). The packets will be numbered from 0 to 2. So, a sequence of packets the rule matches looks like: (0 1 2)(0 1 2)(0 1 2)(0 1 2)(0 1 2)&#8230; the first rule will match the first packet in each... </p>
<p><a class="small button secondary" href="/nth-load-balancing-with-masquerade/">Continue Reading</a></p>
The post <a href="/nth-load-balancing-with-masquerade/">NTH load balancing with masquerade</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-496"></span></p>
<h2>NTH ?</h2>
<p>Example: nth=Every,Counter,Packet, here with three rules using nth=2,3,0, nth=2,3,1 and nth=2,3,2.</p>
<p>These rules divide all packets into groups of three (2+1). The packets will be numbered from 0 to 2. So, a sequence of packets the rules match looks like: (0 1 2)(0 1 2)(0 1 2)(0 1 2)(0 1 2)&#8230;</p>
<p>The first rule will match the first packet in each group (&#8220;Packet&#8221;=0). The second rule will match the second packet in each group (&#8220;Packet&#8221;=1) and so on. Each successful match increments the counter. When a value of &#8220;Every&#8221; is reached, the counter is reset to 0. For this to work, the &#8220;Counter&#8221; should be the same for all rules (you can pick any value from 0 to 15, IIRC).</p>
<h2>Introduction</h2>
<p>This example is an improved (different) version of the round-robin load balancing example. It adds persistent user sessions, i.e. a particular user would use the same source IP address for all outgoing connections.</p>
<h2>Quick Start for Impatient</h2>
<p>Configuration export from the gateway router:</p>
<pre>/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local 
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1

/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
  new-connection-mark=odd passthrough=yes 
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
  new-routing-mark=odd passthrough=no
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
  new-connection-mark=even passthrough=yes 
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
  new-routing-mark=even passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=2,1 \
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
  address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=2,2 \
    action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
  address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no

/ ip firewall nat 
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade

/ ip route 
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even 
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10</pre>
<h2>Explanation</h2>
<p>First we give a code snippet and then explain what it actually does.</p>
<h3>IP Addresses</h3>
<pre>/ ip address 
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1</pre>
<p>The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name &#8220;Local&#8221; and IP address of 192.168.0.1/24.</p>
<h3>Mangle</h3>
<pre>/ ip firewall mangle 
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
  new-connection-mark=odd passthrough=yes 
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
  new-routing-mark=odd passthrough=no</pre>
<p>All traffic from customers whose IP address was previously placed in the address list &#8220;odd&#8221; is instantly marked with the connection and routing marks &#8220;odd&#8221;. Afterwards the traffic is excluded from processing against successive mangle rules in the prerouting chain (passthrough=no).</p>
<pre>/ ip firewall mangle 
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
  new-connection-mark=even passthrough=yes 
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
  new-routing-mark=even passthrough=no</pre>
<p>Same as above, only for customers whose IP address was previously placed in the address list &#8220;even&#8221;.</p>
<pre>/ ip firewall mangle 
add chain=prerouting in-interface=Local connection-state=new nth=2,1 \
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
  address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no</pre>
<p>First we take every second packet that establishes a new session (note connection-state=new), and mark it with the connection mark &#8220;odd&#8221;. Consequently all successive packets belonging to the same session will carry the connection mark &#8220;odd&#8221;. Note that we are passing these packets to the second and third rules (passthrough=yes). The second rule adds the IP address of the client to the address list so that all successive sessions go through the same gateway. The third rule places the routing mark &#8220;odd&#8221; on all packets that belong to the &#8220;odd&#8221; connection and stops processing all other mangle rules for these packets in the prerouting chain.</p>
<pre>/ ip firewall mangle 
add chain=prerouting in-interface=Local connection-state=new nth=2,2 \
    action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
  address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no</pre>
<p>These rules do the same for the remaining half of the traffic as the first three rules for the first half of the traffic.</p>
<p>The code above effectively means that each new connection initiated through the router from the local network will be marked as either &#8220;odd&#8221; or &#8220;even&#8221; with both routing and connection marks.</p>
<p>The above works fine. There are however some situations where you might find that the same IP address is listed under both the ODD and EVEN src-address-lists. This behavior causes issues with apps that require persistent connections. A simple remedy for this situation is to add the following statement to your mangle rules:</p>
<pre>add chain=prerouting in-interface=Local connection-state=new nth=2,2 \
    src-address-list=!odd action=mark-connection new-connection-mark=even \
    passthrough=yes</pre>
<p>This will ensure that the source of the new connection is not already part of the ODD src-address-list. You will have to do the same for the ODD mangle rule, thus excluding IPs that are already part of the EVEN src-address-list.</p>
<h3>NAT</h3>
<pre>/ ip firewall nat 
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade</pre>
<p>Fix the source address according to the outgoing interface.</p>
<h3>Routing</h3>
<pre>/ ip route 
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd 
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even</pre>
<p>For all traffic marked &#8220;odd&#8221; (and consequently having the translated source address 10.111.0.2) we use the 10.111.0.1 gateway. In the same manner all traffic marked &#8220;even&#8221; is routed through the 10.112.0.1 gateway.</p>
<pre>/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10</pre>
<p>Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) should go to the 10.112.0.1 gateway.</p>
The post <a href="/nth-load-balancing-with-masquerade/">NTH load balancing with masquerade</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/nth-load-balancing-with-masquerade/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ECMP load balancing with masquerade</title>
		<link>/ecmp-load-balancing-with-masquerade/</link>
					<comments>/ecmp-load-balancing-with-masquerade/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Sat, 12 Jan 2013 07:32:53 +0000</pubDate>
				<category><![CDATA[MikroTik]]></category>
		<category><![CDATA[Network]]></category>
		<guid isPermaLink="false">/?p=493</guid>

					<description><![CDATA[<p>Introduction This example is improved (different) version of round-robin load balancing example. It adds persistent user sessions, i.e. a particular user would use the same source IP address for all outgoing connections. Quick Start for Impatient Configuration export from the gateway router: / ip address add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2... </p>
<p><a class="small button secondary" href="/ecmp-load-balancing-with-masquerade/">Continue Reading</a></p>
The post <a href="/ecmp-load-balancing-with-masquerade/">ECMP load balancing with masquerade</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-493"></span></p>
<h2>Introduction</h2>
<p>This example is an improved (different) version of the round-robin load balancing example. It adds persistent user sessions, i.e. a particular user would use the same source IP address for all outgoing connections.</p>
<h2>Quick Start for Impatient</h2>
<p>Configuration export from the gateway router:</p>
<pre>/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local 
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping 

/ ip firewall nat 
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade

/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2

/ ip route
# wlan1 holds 10.112.0.2/24 and wlan2 holds 10.111.0.2/24, so each mark uses that subnet's gateway
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan1
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan2</pre>
<h2>Explanation</h2>
<p>First we give a code snippet and then explain what it actually does.</p>
<h3>IP Addresses</h3>
<pre>/ ip address 
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1</pre>
<p>The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name &#8220;Local&#8221; and IP address of 192.168.0.1/24.</p>
<h3>NAT</h3>
<pre>/ ip firewall nat 
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade</pre>
<p>As the routing decision is already made, we just need rules that fix the source addresses of all outgoing packets. If a packet leaves via wlan1 it will be NATed to 10.112.0.2/24; if it leaves via wlan2 it will be NATed to 10.111.0.2/24.</p>
<h3>Routing</h3>
<pre>/ ip route 
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping</pre>
<p>This is a typical ECMP (Equal Cost Multi-Path) gateway with check-gateway. ECMP is &#8220;persistent per-connection load balancing&#8221; or &#8220;per-src-dst-address combination load balancing&#8221;. As soon as one of the gateways becomes unreachable, check-gateway removes it from the gateway list, which gives you a &#8220;failover&#8221; effect.<br />
You can also use links with asymmetric bandwidth &#8211; for example, one link is 2Mbps and the other 10Mbps. Just use this command to make the load balancing 1:5:</p>
<pre>/ ip route 
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1,10.112.0.1,10.112.0.1,10.112.0.1,10.112.0.1 check-gateway=ping</pre>
<h3>Connections to the router itself</h3>
<pre>/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2</pre>
<pre>/ ip route
# wlan1 holds 10.112.0.2/24 and wlan2 holds 10.111.0.2/24, so each mark uses that subnet's gateway
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan1
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan2</pre>
<p>In all multi-gateway situations there is a common problem with reaching the router from the public network via one, the other or both gateways. The explanation is very simple &#8211; outgoing packets use the same routing decision as packets that are going through the router. So a reply to a packet that was received via wlan1 might be sent out and masqueraded via wlan2.</p>
<p>To avoid that we need to policy-route those connections.</p>
<h2>Known Issues</h2>
<h3>DNS issues</h3>
<p>ISP-specific DNS servers might have a custom configuration that treats specific requests from the ISP&#8217;s network differently than requests from other networks. So if a connection is made via the other gateway, those sites will not be accessible.</p>
<p>To avoid that we suggest using 3rd-party (public) DNS servers, and in case you need an ISP-specific resource, create a static DNS entry and policy-route that traffic to the specific gateway.</p>
<h3>Routing table flushing</h3>
<p>Every time something triggers a flush of the routing table, the ECMP cache is flushed as well. Connections will be assigned to gateways once again and may or may not end up on the same gateway (in case of 2 gateways there is a 50% chance that traffic will start to flow via the other gateway).<br />
If you have a fully routed network (client addresses can be routed via all available gateways), a change of gateway will have no ill effect, but if you use masquerade, a change of gateway will result in a change of the packet&#8217;s source address and the connection will be dropped.<br />
A routing table flush can be caused by 2 things:</p>
<p>1) routing table change (dynamic routing protocol update, user manual changes)</p>
<p>2) every 10 minutes routing table is flushed for security reasons (to avoid possible DoS attacks)</p>
<p><b>So even if you do not have any changes of routing table, connections may jump to other gateway every 10 minutes</b></p>
The post <a href="/ecmp-load-balancing-with-masquerade/">ECMP load balancing with masquerade</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/ecmp-load-balancing-with-masquerade/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Interface Bonding 802.3ad (LACP) with Mikrotik</title>
		<link>/interface-bonding-802-3ad-lacp-with-mikrotik/</link>
					<comments>/interface-bonding-802-3ad-lacp-with-mikrotik/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Fri, 11 Jan 2013 20:20:06 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=486</guid>

					<description><![CDATA[<p>Bonding (also called port trunking or link aggregation) can be configured quite easily on RouterOS-Based devices. Having 2 NICs (ether1 and ether2) in each router (Router1 and Router2), it is possible to get maximum data rate between 2 routers, by aggregating port bandwidth. To add a bonding interface on Router1 and Router2: /interface bonding add slaves=ether1,ether2 (bonding interface needs... </p>
<p><a class="small button secondary" href="/interface-bonding-802-3ad-lacp-with-mikrotik/">Continue Reading</a></p>
The post <a href="/interface-bonding-802-3ad-lacp-with-mikrotik/">Interface Bonding 802.3ad (LACP) with Mikrotik</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-486"></span></p>
<p>Bonding (also called port trunking or link aggregation) can be configured quite easily on RouterOS-Based devices.</p>
<p>Having 2 NICs (<em>ether1</em> and <em>ether2</em>) in each router (<em>Router1</em> and <em>Router2</em>), it is possible to get maximum data rate between 2 routers, by aggregating port bandwidth.</p>
<p>To add a bonding interface on Router1 and Router2:</p>
<div>
<pre>/interface bonding add slaves=ether1,ether2</pre>
</div>
<p>(bonding interface needs a couple of seconds to get connectivity with its peer)</p>
<p><strong>Link Monitoring:</strong><br />
Currently bonding in RouterOS supports two schemes for monitoring a link state of slave devices: MII and ARP monitoring. It is not possible to use both methods at a time due to restrictions in the bonding driver.</p>
<p><strong>ARP Monitoring:</strong><br />
ARP monitoring sends ARP queries and uses the response as an indication that the link is operational. This also gives assurance that traffic is actually flowing over the links. If balance-rr and balance-xor modes are set, then the switch should be configured to evenly distribute packets across all links. Otherwise all replies from the ARP targets will be received on the same link, which could cause other links to fail. ARP monitoring is enabled by setting three properties: <var>link-monitoring</var>, <var>arp-ip-targets</var> and <var>arp-interval</var>. The meaning of each option is described later in this article. It is possible to specify multiple ARP targets, which can be useful in High Availability setups. If only one target is set, the target itself may go down. Having additional targets increases the reliability of the ARP monitoring.</p>
<p><strong>MII Monitoring:</strong><br />
MII monitoring monitors only the state of the local interface. In RouterOS it is possible to configure MII monitoring in two ways:</p>
<p><em>MII Type 1:</em> the device driver determines whether the link is up or down. If the device driver does not support this option then the link will always appear as up.<br />
<em>MII Type 2:</em> deprecated calling sequences within the kernel are used to determine if the link is up. This method is less efficient but can be used on all devices. This mode should be set only if MII type 1 is not supported.</p>
<p>The main disadvantage is that MII monitoring can’t tell whether the link can actually pass packets, even if the link is detected as up.</p>
<p>MII monitoring is configured by setting the desired <var>link-monitoring</var> mode and <var>mii-interval</var>.</p>
The post <a href="/interface-bonding-802-3ad-lacp-with-mikrotik/">Interface Bonding 802.3ad (LACP) with Mikrotik</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/interface-bonding-802-3ad-lacp-with-mikrotik/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ECMP Failover Script with MikroTik</title>
		<link>/ecmp-failover-script-with-mikrotik/</link>
					<comments>/ecmp-failover-script-with-mikrotik/#respond</comments>
		
		<dc:creator><![CDATA[vaheeD]]></dc:creator>
		<pubDate>Thu, 10 Jan 2013 20:37:06 +0000</pubDate>
				<category><![CDATA[MikroTik]]></category>
		<guid isPermaLink="false">/?p=483</guid>

					<description><![CDATA[<p>How to do automatic ECMP failover This script demonstrates one method of doing automatic failover using the Netwatch function and using scripting to enable or disable gateways. This is probably not the most efficient way, but it works. I would welcome any input on how it can be improved. The situation: You have 2 lines... </p>
<p><a class="small button secondary" href="/ecmp-failover-script-with-mikrotik/">Continue Reading</a></p>
The post <a href="/ecmp-failover-script-with-mikrotik/">ECMP Failover Script with MikroTik</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></description>
										<content:encoded><![CDATA[<p><span id="more-483"></span></p>
<h2>How to do automatic ECMP failover</h2>
<p>This script demonstrates one method of doing automatic failover using the Netwatch function and using scripting to enable or disable gateways. This is probably not the most efficient way, but it works. I would welcome any input on how it can be improved.</p>
<p>The situation:</p>
<p>You have 2 lines going out to the internet &#8211; 10.0.0.12 and 10.0.0.13. You have set up a mangle rule to mark HTTP traffic (optional) and want to route HTTP along the 2 lines using load balancing.</p>
<p>You set up the mangle rule:</p>
<pre>   /ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing \
   new-routing-mark=ecmp-http-route passthrough=yes comment=" Route HTTP \
   traffic to ECMP" disabled=no</pre>
<p>You set up ECMP (Equal Cost Multipath Routing) by using something like:</p>
<pre>   /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.12,10.0.0.13 routing-mark=ecmp-http-route comment="ECMP route for HTTP"</pre>
<p>Now you have ECMP for HTTP only. This is nice because MSN messenger, banking websites and other programs and problem sites will not be broken in the way they might be if you used ECMP for all protocols.</p>
<p>What I then do is for example mark SMTP traffic and route this out through 10.0.0.12:</p>
<pre>   /ip firewall mangle add chain=prerouting protocol=tcp dst-port=25 action=mark-routing \
   new-routing-mark=smtp-out passthrough=yes comment="SMTP Traffic" disabled=no</pre>
<pre>   /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.12 routing-mark=smtp-out comment="SMTP Traffic out"</pre>
<p>and route all other traffic through 10.0.0.13:</p>
<pre>   /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.13 comment="Default Route to Internet"</pre>
<p>Then I need to set up 2 routes to specific addresses to force the router through specific gateways to &#8220;test&#8221; the links. These should not be popular addresses with your users! Otherwise when a gateway goes down they will have no access to those sites. The addresses I am using as an example are 1.1.1.12 to test 10.0.0.12, and 1.1.1.13 to test 10.0.0.13.</p>
<p>Next I use the Netwatch Function to switch all traffic to the working gateway should any of the gateways fail:</p>
<pre>   / tool netwatch
   add host=1.1.1.13 timeout=2s interval=30s up-script="/ip route set \
   \[find comment=\"Default Route to Internet\"\] gateway=10.0.0.13" \
   down-script="/ip route set \[find comment=\"Default Route to Internet\"\] \
   gateway=10.0.0.12" comment="" disabled=no
   add host=1.1.1.12 timeout=2s interval=30s up-script="/ip route set \
   \[find comment=\"SMTP Traffic out\"\] gateway=10.0.0.12" down-script="/ip \
   route set \[find comment=\"SMTP Traffic out\"\] gateway=10.0.0.13" \
   comment="" disabled=no</pre>
<p>The problem is that the ECMP HTTP route will still be active, therefore HTTP traffic won&#8217;t work, so I have 2 scripts to check if both gateways are up or down and take action accordingly:</p>
<pre>/ system script
   add name="ecmp-startup" source=":if ([/ping 1.1.1.12 count=1]=1 &amp;&amp; \
   [/ping 1.1.1.13 count=1]=1 &amp;&amp; [/ip route get [find \
   comment=\"ECMP route for HTTP\"] disabled]=true) do={ :log info \"Both gateways up\" \
   \n/ip route set [find routing-mark=ecmp-http-route] \
   disabled=no}" policy=ftp,reboot,read,write,policy,test,winbox,password
   add name="ecmp-shutdown" source=":if ([/ping 1.1.1.12 count=1]=0 || \
   [/ping 1.1.1.13 count=1]=0) do={ :log info \"Gateway down\"\
   \n/ip route set [find routing-mark=ecmp-http-route] \
   disabled=yes}" policy=ftp,reboot,read,write,policy,test,winbox,password</pre>
<pre>   Hi I found this error while trying to use this script, what worked for me was
   ecmp start/shut script. Looks like in the start and shut script (") are missing
   from the find, well other than that the script works wonders for me. Thanks a lot savagedavid</pre>
<pre>   ecmp startup script
   :if ([/ping 1.1.1.13 count=1]=1 &amp;&amp; [/ping 1.1.1.12 count=1]=1 &amp;&amp; [/ip route get \
   [find routing-mark="ecmp-http-route"] disabled]=true) do={:log info "Both Gateways are up"; \
   /ip route set [find routing-mark="ecmp-http-route"] disabled=no}</pre>
<pre>   ecmp shutdown script
   :if ([/ping 1.1.1.13 count=1]=0 || [/ping 1.1.1.12 count=1]=0) do={:log info \
   "Gateway down"; /ip route set [find routing-mark="ecmp-http-route"] disabled=yes}</pre>
<p>Notice that the startup script first checks whether the route is currently disabled before trying to re-enable it. Otherwise it would reset the route and users would be dropped momentarily.</p>
<p>Then finally schedule the scripts to check every 30 seconds:</p>
<pre>   / system scheduler
   add name="gateway-check" on-event="/system script run ecmp-shutdown; \
   /system script run ecmp-startup" start-date=jan/01/1970 start-time=00:00:00 \
   interval=30s comment="" disabled=no</pre>
The post <a href="/ecmp-failover-script-with-mikrotik/">ECMP Failover Script with MikroTik</a> first appeared on <a href="/">vaheeD khoshnouD</a>.]]></content:encoded>
					
					<wfw:commentRss>/ecmp-failover-script-with-mikrotik/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
