====== Mikrotik notes ======

Every router is factory pre-configured with IP address 192.168.88.1/24 on ether1 or ether2 port. Default username is **admin** with empty password.

http://wiki.mikrotik.com/wiki/Manual:First_time_startup

**Note:** for Wi-Fi access points, connect to the SSID Mikrotik_XXXX.

Reset button in short: either hold it before plugging in power, and the backup boot loader is loaded; or hold it just after plugging in, and the default loader is loaded.

===== Buttons and Jumpers =====

==== Loading the backup RouterBOOT loader ====

Hold this button before applying power, release after three seconds since powering, to load the backup boot loader. This might be necessary if the device is not operational because of a failed RouterBOOT upgrade. When you have started the device with the backup loader, you can either set RouterOS to force the backup loader in the RouterBOARD settings, or have a chance to reinstall the failed RouterBOOT from a fwf file (total 3 seconds).

==== Resetting the RouterOS configuration ====

If you keep holding this button for 2 more seconds until the LED starts flashing, release the button to reset the RouterOS configuration (total 5 seconds).

==== Enabling CAPs mode ====

To connect this device to a wireless network managed by CAPsMAN, keep holding the button for 5 more seconds, the LED turns solid, release now to turn on CAPs mode (total 10 seconds).

==== Starting the RouterBOARD in Netinstall mode ====

Or keep holding the button for 5 more seconds until the LED turns off, then release it to make the RouterBOARD look for Netinstall servers. You can also simply keep the button pressed until the device shows up in the Netinstall program on Windows (total 15 seconds).

===== netinstall =====

Set a fixed IP on the network card and give Netinstall an IP in that subnet.

**/!\** Do not tick "embed script"; otherwise that script becomes the default configuration when the configuration is reset.

**/!\** During Netinstall the partition is reformatted: everything that was in flash is lost!
<code>
/export
/import
</code>

**Warning:** if not all packages are present, the import generates errors.

The export does not contain the admin user/password.

Watch the interface names and their number. For a better chance of success, use scripting:

<code>
/interface ethernet set [ find default-name=ether6 ] name=ether2
</code>

Check that the firewall rules have been reloaded.

<code>
/system reboot
</code>

===== Configurations (managing them) =====

==== Saving a configuration ====

<code>
export file=date_equipment
</code>

==== RELOADING a configuration ====

Connect through out-of-band management and reset the configuration:

<code>
/system reset-configuration no-defaults=yes
</code>

Apply the saved configuration by hand (one big copy-paste).

Regenerate the SSL certificate and the administration password:

<code>
# /!\ !!! CHANGE ME !!!! /!\ :
:global adminUserName "sqdfkljqskjh"
:global adminPassword "lsqdkjfqhflhj"
:global localFqdn "slqdkfjhqlh.liberasys.com";
# /!\ !!! CHANGE ME !!!! /!\ :

# Compute hostname: the part of the FQDN before the first dot
:global localHostname [:pick $localFqdn 0 [:find $localFqdn "."]];

# Change default admin user
/user add name="$adminUserName" group=full password="$adminPassword" disabled=no
/user remove admin

:put ""
:put "======================================================================"
:put " = HTTPS certificate generation (takes some time...)"
:put "======================================================================"
/certificate
add name="catmpl-$localHostname" common-name="ca-$localHostname" key-usage=key-cert-sign,crl-sign days-valid=10000 key-size=2048
add name="fwtmpl-$localHostname" common-name="$localFqdn" days-valid=10000 key-size=2048
sign "catmpl-$localHostname" ca-crl-host=127.0.0.1 name="ca-$localHostname"
:delay 1s
sign ca="ca-$localHostname" "fwtmpl-$localHostname" name="$localHostname"
:delay 1s
set "ca-$localHostname" trusted=yes
set "$localHostname" trusted=yes
export-certificate "ca-$localHostname"

# Wait (up to 30 s) for the signed certificate to exist before binding it to www-ssl
{
  :local count 0;
  :while ([/certificate find where name="$localHostname"] = "") do={
    :if ($count = 30) do={ /quit; }
    :delay 1s;
    :set count ($count + 1);
  };
}
/ip service set www-ssl certificate="$localHostname" disabled=no
</code>

Reboot the device:

<code>
/system reboot
</code>

==== factory conf ====

<code>
/system reset-configuration
</code>

==== blank conf ====

<code>
/system reset-configuration no-defaults=yes
</code>

==== Show the default configuration script ====

<code>
/system default-configuration print
</code>

===== /system backup =====

  - generates an RC4-encrypted file, using the current user's password.
  - does not save user/password data, nor Dude data
  - is considered a binary file
  - allows a restore only on the same type of device

  - reset button : http://wiki.mikrotik.com/wiki/Manual:Reset_button
  - downloads : http://www.mikrotik.com/download
  - netinstall : http://wiki.mikrotik.com/wiki/Manual:Netinstall
  - config reset : http://wiki.mikrotik.com/wiki/Manual:Configuration_Management#Configuration_Reset

===== upgrade =====

Quick Set menu, Upgrade, or (> 6.31):

<code>
{
  /system package update
  check-for-updates once
  :delay 1s;
  :if ( [get status] = "New version is available") do={ install }
}
</code>

===== Certificates for OpenVPN (CA and router certificate) =====

<code>
/certificate
add name=catmpl-sd-114049-fw common-name=ca-sd-114049-fw key-usage=key-cert-sign,crl-sign days-valid=10000
add name=fwtmpl-sd-114049-fw common-name=sd-114049-fw days-valid=10000
sign catmpl-sd-114049-fw name=ca-sd-114049-fw
sign ca=ca-sd-114049-fw fwtmpl-sd-114049-fw name=sd-114049-fw
set ca-sd-114049-fw trusted=yes
set sd-114049-fw trusted=yes
export-certificate ca-sd-114049-fw
</code>

==== Pool, PPP profile and OpenVPN configuration ====

<code>
/ip pool add name=admin-ovpn-pool ranges=192.168.2.200-192.168.2.250

# only-one=no: a given secret may hold several sessions at once
/ppp profile add change-tcp-mss=default comment="" bridge=br-admin \
    name="ovpn-admin" only-one=no \
    use-compression=default use-encryption=required \
    local-address=admin-ovpn-pool remote-address=admin-ovpn-pool

/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 \
    limit-bytes-out=0 name="username" password="password" \
    routes="" service=any

# md5 and blowfish128 are weak and only worth keeping for old clients;
# require-client-certificate=no means the password alone authenticates a client
/interface ovpn-server server set auth=sha1,md5 certificate=sd-114049-fw \
    cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn-admin \
    enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ethernet netmask=24 \
    port=1194 require-client-certificate=no
</code>

==== Client configuration ====

  - TCP
  - TAP
  - no compression
  - IPv4: automatic addresses only; enter the firewall's IP as DNS
  - routes: tick "use this connection only for resources on its network". Add the useful routes by hand.

===== check install =====

<code>
/system check-installation
</code>

===== debug spanning tree =====

<code>
/interface bridge port monitor [find]
</code>

==== LOOP (external) ====

<code>
[admin@plmagw03] /interface vlan> /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME               TYPE    ACTUAL-MTU L2MTU MAX-L2MTU
 0  RS ether1             ether         1500  1588      4064
 1   S ether2             ether         1500  1588      4064
 2   S ether3             ether         1500  1588      4064
 3   S ether4             ether         1500  1588      4064
 4   S ether5             ether         1500  1588      4064
 5   S ether6             ether         1500  1588      4064
 6   S ether7             ether         1500  1588      4064
 7   S ether8             ether         1500  1588      4064
 8   S ether9             ether         1500  1588      4064
 9   S ether10            ether         1500  1588      4064
10   S ether11            ether         1500  1588      4064
11   S ether12            ether         1500  1588      4064
12   S ether13            ether         1500  1588      4064
13   S ether14            ether         1500  1588      4064
14   S ether15            ether         1500  1588      4064
15   S ether16            ether         1500  1588      4064
16   S ether17            ether         1500  1588      4064
17  RS ether18            ether         1500  1588      4064
18   S ether19            ether         1500  1588      4064
19   S ether20            ether         1500  1588      4064
20   S ether21            ether         1500  1588      4064
21   S ether22            ether         1500  1588      4064
22   S ether23            ether         1500  1588      4064
23  RS ether24            ether         1500  1588      4064
24     sfp1               ether         1500  1588      4064
25  R  br-spanning-tree   bridge        1500  1588
26     ;;; 1970.01.02-18:14:44: received loop protect packet originated from 6C:3B:6B:8...
       vlan1              vlan          1500  1584
</code>

==== LOOP (internal) ====

<code>
[admin@plmagw03] /interface vlan> /interface bridge port monitor [find]
              interface: ether1 ether2 ether3 ethe>
                 status: in-bridge in-bridge in-bridge in-b>
            port-number: 1 2 3 4 >
                   role: designated-port designated-port backup-port disa>
              edge-port: no no no no >
    edge-port-discovery: yes yes yes yes >
    point-to-point-port: no no no no >
           external-fdb: no no no no >
           sending-rstp: yes yes yes no >
               learning: yes yes no no >
             forwarding: yes yes no no >
         root-path-cost: 10 >
      designated-bridge: 0x8000.6C:3B:6B:85:B8:85 >
        designated-cost: 0 >
 designated-port-number: 2 >
-- [Q quit|D dump|C-z pause|right]
</code>

Here ether3 is a backup-port with learning and forwarding set to no: in RSTP a backup port is one that receives the bridge's own BPDUs through another of its ports, so the bridge has blocked it to break the loop between its own ports.

==== NORMAL ====

<code>
[admin@plmagw03] /interface vlan> /interface bridge port monitor [find]
              interface: ether1 ether2 ether3 ether4 ethe>
                 status: in-bridge in-bridge in-bridge in-bridge in-b>
            port-number: 1 2 3 4 5 >
                   role: designated-port designated-port disabled-port disabled-port disa>
              edge-port: no yes no no no >
    edge-port-discovery: yes yes yes yes yes >
    point-to-point-port: no no no no no >
           external-fdb: no no no no no >
           sending-rstp: yes yes no no yes >
               learning: yes yes no no no >
             forwarding: yes yes no no no >
</code>

===== Backup script =====

<code>
{
  :local curDate [/system clock get date]
  :local curTime [/system clock get time]
  :local systemName [/system identity get name]
  # The date is expected in the classic "mmm/dd/yyyy" form (e.g. jan/02/1970);
  # newer RouterOS releases print yyyy-mm-dd, which this parsing does not handle.
  :local curMonth [:pick $curDate 0 3]
  # Month abbreviations sit 4 characters apart in the list: index / 4 + 1 = month number
  :set curMonth ( [ :find key="$curMonth" in="jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,dec" from=-1 ] / 4 + 1)
  :if ( $curMonth < 10 ) do={ :set curMonth ( "0" . $curMonth ) }
  :local curDay [:pick $curDate 4 6]
  :local curYear [:pick $curDate 7 13]
  :local curHour [:pick $curTime 0 2]
  :local curMin [:pick $curTime 3 5]
  # File name: <identity>-<yyyymmdd>-<hhmm>.rsc; show-sensitive puts passwords and keys in clear in the file
  /export show-sensitive file=( "$systemName" . "-" . "$curYear" . "$curMonth" . "$curDay" . "-" . "$curHour" . "$curMin" )
  /file print
}
</code>

===== Automatic Import =====

In RouterOS it is possible to automatically execute scripts: your script file has to be named anything.auto.rsc. Once this file is uploaded to the router using FTP, it will automatically be executed, just like with the '/import' command. This method only works with FTP. Information about the success of the commands that were executed is written to anything.auto.log.

Because any file uploaded under such a name is executed, keep the FTP service disabled (/ip service set ftp disabled=yes) or restricted to management addresses with its address= parameter when it is not in use.

===== Simple queue: sharing an Internet link fairly =====

<code>
/queue type
add kind=pcq name=PCQ_download pcq-classifier=dst-address
add kind=pcq name=PCQ_upload pcq-classifier=src-address
/queue simple
add max-limit=100M/100M name=queue1 queue=PCQ_upload/PCQ_download target=192.168.1.0/24
</code>

===== Editing scripts =====

<code>
/system script remove brvlan
/system script add name=brvlan
/system script edit brvlan source
</code>

Paste your script, then Ctrl+o.

<code>
/system script edit brvlan source
</code>

Review your syntax. Other solution:

<code>
/system script print where name=brvlan
</code>

  - https://www.sublimetext.com
  - https://forum.mikrotik.com/viewtopic.php?f=9&t=81868
  - install "package control", restart Sublime Text
  - Ctrl + P => install package => mikrotik scripting
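As an added example (not part of the original notes, and not a MikroTik tool), a small Python pre-flight check for the /export /import step above: it parses an export file, follows the "set [ find default-name=... ] name=..." renames, reports interface names the target device does not have, flags sensitive values (a file produced with /export show-sensitive, like the one the backup script writes, contains passwords in clear), and notes whether any /user entries exist, since a plain export carries no admin credentials. The sample export and the target interface list are constructed; INTERFACE_KEYS and SENSITIVE_KEYS are my own lists, not a RouterOS definition.

```python
import re

# Keys whose value names an interface (my own list, extend as needed).
INTERFACE_KEYS = {"interface", "in-interface", "out-interface", "bridge"}
# Keys whose presence means the file carries secrets (my own list).
SENSITIVE_KEYS = {"password", "secret", "pre-shared-key", "wpa2-pre-shared-key", "passphrase"}
# Values RouterOS accepts in interface fields that are not interface names.
WILDCARDS = {"all", "none"}

KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
RENAME_RE = re.compile(r'set \[ find default-name=(\S+) \] name=(\S+)')

# Constructed sample: a trimmed export from an old router, not a real device dump.
SAMPLE_EXPORT = """\
# jan/02/1970 18:14:44 by RouterOS 6.45.9
# software id = XXXX-XXXX
/interface ethernet
set [ find default-name=ether6 ] name=ether2
/interface bridge
add name=br-admin
/interface bridge port
add bridge=br-admin interface=ether2
add bridge=br-admin interface=ether5
/ip address
add address=192.168.88.1/24 interface=ether1
/ip firewall filter
add action=accept chain=input comment="mgmt ping" in-interface=ether1 \\
    protocol=icmp
add action=drop chain=input in-interface=ether7
/ppp secret
add name=username password=password service=any
"""
# Constructed: what `/interface print` lists on the target device (no ether6/ether7).
TARGET_INTERFACES = {"ether1", "ether2", "ether3", "ether4", "ether5"}


def parse_export(text):
    """Yield (menu, command, full line, key/value dict) for each command in an
    export file, joining '\\'-continued lines and skipping comment lines."""
    menu, buf = "/", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            menu = line          # menu path, e.g. "/ip firewall filter"
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        yield menu, line.split()[0], line, kv


def check_export(text, target_interfaces):
    """Pre-flight an export before importing it on another device."""
    known = set(target_interfaces) | WILDCARDS
    report = {"missing_interfaces": [], "sensitive_values": [], "has_user_entries": False}
    for menu, cmd, line, kv in parse_export(text):
        if menu == "/interface ethernet" and cmd == "set":
            m = RENAME_RE.search(line)
            if m:                               # `set [ find default-name=X ] name=Y`
                old, new = m.groups()
                if old in known:
                    known.discard(old)
                    known.add(new)
                else:
                    report["missing_interfaces"].append(f"{menu}: default-name={old}")
                continue
        if menu.startswith("/interface") and cmd == "add" and "name" in kv:
            known.add(kv["name"])               # interface the export itself creates
        if menu == "/user":
            report["has_user_entries"] = True
        for key, val in kv.items():
            if key in INTERFACE_KEYS and val not in known:
                report["missing_interfaces"].append(f"{menu}: {key}={val}")
            if key in SENSITIVE_KEYS:
                report["sensitive_values"].append(f"{menu}: {key}=(hidden)")
    return report


if __name__ == "__main__":
    for k, v in check_export(SAMPLE_EXPORT, TARGET_INTERFACES).items():
        print(f"{k}: {v}")
```

Run it against a real export and the interface list of the destination router before the big copy-paste; every line under missing_interfaces is a command that will fail or bind to nothing on import, and a non-empty sensitive_values list means the file must be stored with the same care as the /system backup.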
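Also added here, and again not part of the original notes: a Python parser for the columnar output of "/interface bridge port monitor [find]" shown in the spanning-tree debugging section. Column start offsets are read from the "interface:" row and every other value is assigned to the nearest column, so sparse rows such as root-path-cost and designated-bridge land on the right port and the trailing ">" pager marker is ignored. The sample output is constructed to mirror the internal-loop capture (ether3 as a backup port); the MAC address is the one from that capture.

```python
import re

TOKEN_RE = re.compile(r"\S+")

# Constructed sample in the shape of `/interface bridge port monitor [find]` output.
SAMPLE_MONITOR = """\
interface:              ether1           ether2           ether3           ether4 >
status:                 in-bridge        in-bridge        in-bridge        in-bridge >
port-number:            1                2                3                4
role:                   designated-port  designated-port  backup-port      disabled-port
edge-port:              no               no               no               no
learning:               yes              yes              no               no
forwarding:             yes              yes              no               no
root-path-cost:                                           10
designated-bridge:                                        0x8000.6C:3B:6B:85:B8:85
-- [Q quit|D dump|C-z pause|right]
"""


def parse_port_monitor(text):
    """Turn the columnar monitor output into {port: {field: value}}.
    Column offsets come from the `interface:` row; each later token goes to the
    column whose start offset is nearest, so rows with empty cells still map
    correctly. A `>` token is the terminal's "more columns" marker and is skipped."""
    lines = [l.rstrip() for l in text.splitlines() if ":" in l]   # drops the pager line
    header = next(l for l in lines if l.startswith("interface:"))
    cols = [(m.start(), m.group())
            for m in TOKEN_RE.finditer(header, len("interface:"))
            if m.group() != ">"]
    ports = {name: {} for _, name in cols}
    for line in lines:
        label, _, _ = line.partition(":")          # first colon ends the row label
        if label == "interface":
            continue
        for m in TOKEN_RE.finditer(line, len(label) + 1):
            if m.group() == ">":
                continue
            _, port = min(cols, key=lambda c: abs(c[0] - m.start()))
            ports[port][label.strip()] = m.group()
    return ports


def blocked_ports(ports):
    """Ports RSTP has placed in backup/alternate role and is not forwarding:
    each is a redundant path, i.e. a loop the bridge has closed off."""
    return sorted(name for name, p in ports.items()
                  if p.get("role") in ("backup-port", "alternate-port")
                  and p.get("forwarding") == "no")


if __name__ == "__main__":
    ports = parse_port_monitor(SAMPLE_MONITOR)
    for name, fields in ports.items():
        print(name, fields.get("role"), "forwarding=" + fields.get("forwarding", "?"))
    print("blocked by RSTP:", blocked_ports(ports))
```

Feed it the dump saved from the monitor (the D key in the pager writes one), and a non-empty blocked_ports() list is the cue to go and find the cable or VLAN that joins those two ports.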