MikroTik Invisible Tools By : Haydar Fadel 2014
E-mail Tool
A tool that allows you to send e-mail from the router. It can be used, along with other tools, to send the network administrator regular configuration backups, for example.
Tool CLI path: /tool e-mail
E-mail, Example
Configuring the e-mail tool parameters (Gmail example; 173.194.77.108 was one of Gmail's SMTP addresses when this was written and may change):
/tool e-mail set address=173.194.77.108 port=587 from=routerid@gmail.com user=routerid password=mypassword start-tls=yes
Send a test message to verify that the e-mail tool works:
/tool e-mail send from=routerid@gmail.com server=173.194.77.108 to=youremail@domain.com subject=host-monitor
Note: Gmail on port 587 requires STARTTLS (start-tls=yes in RouterOS 6 of this period; later builds name the option tls=starttls). Without it the login is sent in clear text and Gmail refuses it. The SMTP password is stored on the router and appears in /export unless hide-sensitive is used.
Send Automatic Backup
This e-mail tool example sends an automatic backup to the network administrator. The following steps must be implemented:
1. Add a system script named export-send with this source:
/export compact file=export
/tool e-mail send to="router@domain.com" subject="$[/system identity get name]" \
    body="$[/system clock get date] configuration file" file=export.rsc
2. Add a scheduler entry that runs the script every 24 hours:
/system scheduler add on-event="export-send" start-time=00:00:00 interval=24h name=email
Note: /export writes every password and key in the configuration unless hide-sensitive is added, so the mailbox and the SMTP path must be trusted with the whole router configuration.
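The same scheduled export, hardened: TLS on the SMTP session, secrets stripped from the export, the file removed after sending, and a script policy narrower than the default. This is an added example and not the author's configuration; the mail server 203.0.113.25, the mailboxes at example.com and the password are placeholders.

```routeros
# Added example (not from the original slides). Mail server, mailbox names and the
# password are placeholders for your own values.
# 1. SMTP over STARTTLS so the login and the exported configuration are not sent in clear.
#    (RouterOS 6 of this period: start-tls=yes; later builds use tls=starttls.)
/tool e-mail set address=203.0.113.25 port=587 start-tls=yes \
    from=router@example.com user=router@example.com password=REPLACE-WITH-A-LONG-RANDOM-PASSWORD
# 2. Export without secrets, mail it, wait for the (asynchronous) send, then delete the file
#    from the router's storage. The policy is deliberately narrower than the default "full":
#    read for /export, ftp+write for the file, test for /tool e-mail send; widen only if a
#    command is refused on your release.
/system script add name=export-send policy=read,write,test,ftp source="/export compact hide-sensitive file=export; /tool e-mail send to=\"netadmin@example.com\" subject=\"$[/system identity get name] config $[/system clock get date]\" body=\"Scheduled configuration export (hide-sensitive)\" file=export.rsc; :delay 30s; /file remove [find name=export.rsc]"
# 3. Daily at midnight, with the same restricted policy on the scheduler entry.
/system scheduler add name=email-export on-event=export-send start-time=00:00:00 interval=1d \
    policy=read,write,test,ftp
# Run once by hand and check the log and the mailbox before trusting the schedule.
/system script run export-send
```

Because the export no longer contains passwords or keys, it cannot be restored blindly; keep the sensitive export (or a password-protected /system backup) in a place that is not an ordinary mailbox.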
Netwatch
A tool that allows you to monitor the status of network devices. For each entry you can specify the IP address, the ping interval, and up and/or down scripts.
Netwatch
VERY useful to:
- be made aware of network failures;
- automate a change of default gateway, for example, should the main router fail;
- have a quick view of what is up;
- whatever else you can come up with to simplify and speed up your job (and make you look efficient!).
Netwatch
Host: IP address of the host that should be monitored.
Interval: the time between pings.
Netwatch
Use these scripts (the e-mail tool must already be configured, as in the E-mail example):
Up:
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" \
    body="$[/system clock get date] $[/system clock get time] Node up."
Down:
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" \
    body="$[/system clock get date] $[/system clock get time] Node down."
Netwatch
In this example Netwatch monitors a specific host and e-mails the network administrator every time that host goes down or comes back up.
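The gateway failover mentioned earlier, carried through as an added example (not part of the original slides). It assumes a primary gateway 203.0.113.1, a backup gateway 198.51.100.1, a reliable beacon host 192.0.2.10 beyond the primary ISP, and an already configured e-mail tool; all addresses are placeholders.

```routeros
# Added example (not from the original slides): netwatch-driven WAN failover with e-mail
# notification. Assumed: primary gateway 203.0.113.1, backup gateway 198.51.100.1,
# beacon host 192.0.2.10 somewhere beyond the primary ISP, /tool e-mail already configured.
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment=wan-primary
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=10 comment=wan-backup
# Pin the beacon to the primary path. Pinging the gateway itself only proves the first hop is
# alive; pinging a host beyond it, always via the primary, detects an ISP outage further up
# and keeps probing the primary path while the backup is in use, so recovery is noticed.
/ip route add dst-address=192.0.2.10/32 gateway=203.0.113.1 comment=netwatch-beacon
# Actions live in named scripts with an explicit, minimal policy; netwatch only calls them.
/system script add name=wan-down policy=read,write,test source="/ip route disable [find comment=wan-primary]; /log warning \"netwatch: beacon unreachable via primary, failover to backup WAN\"; /tool e-mail send to=\"netadmin@example.com\" subject=\"$[/system identity get name] Netwatch status\" body=\"$[/system clock get date] $[/system clock get time] primary WAN down, backup in use\""
/system script add name=wan-up policy=read,write,test source="/ip route enable [find comment=wan-primary]; /log info \"netwatch: beacon reachable via primary, back on primary WAN\"; /tool e-mail send to=\"netadmin@example.com\" subject=\"$[/system identity get name] Netwatch status\" body=\"$[/system clock get date] $[/system clock get time] primary WAN restored\""
# 10 s interval, 1 s timeout: one ping lost within the timeout flips the state, so choose a
# beacon that answers ICMP consistently, not an arbitrary public host.
/tool netwatch add host=192.0.2.10 interval=10s timeout=1s \
    down-script="/system script run wan-down" up-script="/system script run wan-up"
/tool netwatch print
```

The scripts run unattended with the router's own privileges, so anyone who can edit /tool netwatch or /system script can run arbitrary commands on the router; restrict those menus to administrators with the write policy.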
Interface Traffic Monitor
The traffic monitor tool runs a script when the traffic on an interface crosses a threshold. The threshold is in bits per second; by default (trigger=above) the script fires when the rate rises above it.
Example:
/tool traffic-monitor add interface=ether1 name=trafficmon1 on-event=script1 threshold=1500000 traffic=received
/system script add name=script1 policy=ftp,read,test,winbox,api source="/tool e-mail send to=\"YOU@DOMAIN.CA\" subject=([/system identity get name] . \" Log \" . [/system clock get date]) body=\"hello World. You're going too fast!\""
The policy list grants this script more than it uses (it only sends an e-mail); trim it to what the script actually needs.
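An added example (not from the original slides) that pairs an above and a below trigger so the administrator gets a start and an end notification rather than one message per interval, and watches the transmit side as well. The 50 and 20 Mbit/s thresholds, ether1 as the uplink and the mailbox are assumptions.

```routeros
# Added example (not from the original slides). Thresholds are in bits per second.
# Assumed: ether1 is the uplink, /tool e-mail is configured, 50 Mbit/s inbound and
# 20 Mbit/s outbound are abnormal for this site.
/system script add name=rx-high policy=read,test source="/log warning \"traffic-monitor: ether1 receive rate above 50 Mbit/s\"; /tool e-mail send to=\"netadmin@example.com\" subject=\"$[/system identity get name] inbound traffic high\" body=\"$[/system clock get date] $[/system clock get time] ether1 rx above 50 Mbit/s\""
/system script add name=rx-normal policy=read,test source="/log info \"traffic-monitor: ether1 receive rate back below 50 Mbit/s\""
/system script add name=tx-high policy=read,test source="/log warning \"traffic-monitor: ether1 transmit rate above 20 Mbit/s\"; /tool e-mail send to=\"netadmin@example.com\" subject=\"$[/system identity get name] outbound traffic high\" body=\"$[/system clock get date] $[/system clock get time] ether1 tx above 20 Mbit/s: check for a compromised host uploading\""
# trigger=above fires when the rate crosses the threshold upward, trigger=below when it drops
# back; the pair on the same threshold gives one start and one end message per incident.
/tool traffic-monitor add name=ether1-rx-high   interface=ether1 traffic=received    threshold=50000000 trigger=above on-event=rx-high
/tool traffic-monitor add name=ether1-rx-normal interface=ether1 traffic=received    threshold=50000000 trigger=below on-event=rx-normal
# A sudden sustained upload from the LAN is a common sign of a compromised host.
/tool traffic-monitor add name=ether1-tx-high   interface=ether1 traffic=transmitted threshold=20000000 trigger=above on-event=tx-high
/tool traffic-monitor print
```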
Watchdog
This menu allows you to configure the system to reboot on kernel panic, when an IP address does not respond, or in case the system has locked up. A software watchdog timer provides the last option, so in very rare cases (caused by hardware malfunction) it can itself lock up. A hardware watchdog device, available in all RouterBOARD PowerPC and MIPSBE models, can reboot the system in any case.
Watchdog Properties
watch-address (IP; Default: none): The system reboots if 6 sequential pings to the given IP address (sent once per 10 seconds) fail. If set to none this feature is disabled.
watchdog-timer (yes | no; Default: yes): Whether to reboot if the system is unresponsive for a minute.
no-ping-delay (time; Default: 5m): How long after a reboot not to test and ping watch-address. With the default, if watch-address is set and not reachable, the router reboots about every 6 minutes.
automatic-supout (yes | no; Default: yes): When a software failure happens, a file named "autosupout.rif" is generated automatically. The previous "autosupout.rif" is renamed to "autosupout.old.rif".
auto-send-supout (yes | no; Default: no): After the support output file has been generated automatically, send it by e-mail.
send-email-from (string; Default: ): E-mail address to send the support output file from. If not set, the value set in /tool e-mail is used.
send-email-to (string; Default: ): E-mail address to send the support output file to.
send-smtp-server (string; Default: ): SMTP server address to send the support output file through. If not set, the value set in /tool e-mail is used.
Watchdog Example
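An added example (not from the original slides) of the watchdog configured to reboot on a dead gateway and to mail the automatic supout file. The gateway 203.0.113.1, the SMTP server 203.0.113.25 and the mailboxes are placeholders.

```routeros
# Added example (not from the original slides). Assumed: directly connected gateway
# 203.0.113.1, SMTP server 203.0.113.25, administrator mailbox at example.com.
# watch-address must be something the router reaches on its own, such as its gateway.
# Pointing it at a remote host turns any upstream outage into a reboot every ~6 minutes
# (6 failed pings at 10 s, then the 5 m no-ping-delay), which only makes an outage worse.
/system watchdog set watch-address=203.0.113.1 watchdog-timer=yes no-ping-delay=5m \
    automatic-supout=yes auto-send-supout=yes \
    send-email-from=router@example.com send-email-to=netadmin@example.com \
    send-smtp-server=203.0.113.25
/system watchdog print
```

autosupout.rif contains the running configuration and logs, so the mailbox it is sent to deserves the same protection as the router's backups, and the SMTP path should use TLS as configured in /tool e-mail.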
Traffic Flow
MikroTik Traffic-Flow is a system that provides statistical information about packets passing through the router. Besides network monitoring and accounting, system administrators can use it to identify various problems that may occur in the network. With the help of Traffic-Flow it is possible to analyze and optimize overall network performance. As Traffic-Flow is compatible with Cisco NetFlow, it can be used with the various utilities designed for Cisco's NetFlow.
Traffic Flow
Traffic-Flow supports the following NetFlow formats:
- version 1: the first version of the NetFlow data format; do not use it unless you have to.
- version 5: in addition to version 1, version 5 can include BGP AS and flow sequence number information. Currently RouterOS does not include BGP AS numbers.
- version 9: a new format that can be extended with new fields and record types thanks to its template-style design.
Traffic Flow
Sub-menu: /ip traffic-flow
This section lists the configuration properties of Traffic-Flow.
interfaces (string | all; Default: all): Names of the interfaces used to gather statistics for Traffic-Flow. To specify more than one interface, separate them with a comma.
cache-entries (128k | 16k | 1k | 256k | 2k ...; Default: 4k): Number of flows that can be in the router's memory simultaneously.
active-flow-timeout (time; Default: 30m): Maximum lifetime of a flow.
inactive-flow-timeout (time; Default: 15s): How long to keep a flow active if it is idle. If the connection does not see any packet within this timeout, Traffic-Flow exports the flow and treats further packets as a new flow. If this timeout is too small it can create a significant number of flows and overflow the cache.
Traffic Flow
Note: Starting with the 6.0rc14 release, setting an interface reports both RX and TX for that interface. Previously Traffic-Flow reported only RX traffic for the interface, and to see bidirectional data it was necessary to set up more interfaces.
Targets Traffic Flow
Sub-menu: /ip traffic-flow target
With Traffic-Flow targets we specify the hosts that will gather the Traffic-Flow information from the router.
address (IP:port; Default: ): IP address and UDP port of the host that receives Traffic-Flow statistics packets from the router.
v9-template-refresh (integer; Default: 20): Number of packets after which the template is sent to the receiving host (only for NetFlow version 9).
v9-template-timeout (time; Default: ): After how long to send the template if it has not been sent.
version (1 | 5 | 9; Default: ): Which NetFlow format version to use.
Targets Traffic Flow
Notes: In the packet flow diagram, Traffic-Flow sits at the end of the input, forward and output chain stack. This means Traffic-Flow counts only traffic that reaches one of those chains. For example, if you set up a mirror port on a switch, connect it to the router and configure Traffic-Flow to count the mirrored packets, the setup will not work, because the mirrored packets are dropped before they reach the input chain. Other interfaces appear in the report if traffic passes through both them and a monitored interface.
Traffic Flow Example
This example shows how to configure Traffic-Flow on a router. Enable Traffic-Flow on the router:
[admin@haydar-router] > ip traffic-flow set enabled=yes
[admin@haydar-router] > ip traffic-flow print
               enabled: yes
            interfaces: ether1
         cache-entries: 256k
   active-flow-timeout: 30m
 inactive-flow-timeout: 15s
[admin@haydar-router] >
Traffic Flow Example
Specify the IP address and port of the host that will receive the Traffic-Flow packets (the entry shown was added with "ip traffic-flow target add address=192.168.0.13:2055 version=9"):
[admin@haydar-router] > ip traffic-flow target print
Flags: X - disabled
 #   ADDRESS              VERSION
 0   192.168.0.13:2055    9
[admin@haydar-router] >
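The same export, as an added example (not from the original slides) tuned for use by a security team rather than for accounting: two interfaces, a larger cache, and a short active timeout so long-lived sessions reach the collector quickly. The collector 192.168.0.13:2055 is the one from the slides; ether1/ether2 and the timeouts are assumptions.

```routeros
# Added example (not from the original slides). Assumed: ether1 is the uplink, ether2 the
# LAN, collector 192.168.0.13 on the management LAN listening on UDP 2055 (as in the slides).
# active-flow-timeout=1m: a long-lived session (slow exfiltration, a persistent remote-control
# connection) is reported within a minute instead of after 30 minutes.
# cache-entries raised to 16k because both interfaces and a short timeout mean more live flows.
/ip traffic-flow set enabled=yes interfaces=ether1,ether2 cache-entries=16k \
    active-flow-timeout=1m inactive-flow-timeout=15s
# NetFlow v9 so the collector gets templates; refresh the template every 20 packets or 30 minutes.
/ip traffic-flow target add address=192.168.0.13:2055 version=9 \
    v9-template-refresh=20 v9-template-timeout=30m
/ip traffic-flow print
/ip traffic-flow target print
```

NetFlow is unauthenticated UDP: anything that can send packets to the collector's port 2055 with a spoofed source can inject flows, so the collector should accept exports only from the exporters' addresses on a segment where spoofing is blocked, and the export itself carries no payload but does reveal who talks to whom.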
Traffic Flow Example
Now the router starts to send packets with Traffic-Flow information. Below are some screenshots from the ntop program, which has gathered Traffic-Flow information from our router and displays it in graphs and statistics. Personally I prefer ManageEngine for network monitoring; please visit http://www.manageengine.com/. For example, where and what kind of traffic has flowed:
Open Flow Overview
OpenFlow is an open standard that enables researchers to run experimental protocols in the campus networks we use every day. OpenFlow is added as a feature to commercial Ethernet switches, routers and wireless access points and provides a standardized hook that lets researchers run experiments without requiring vendors to expose the internal workings of their network devices. OpenFlow is currently being implemented by major vendors, with OpenFlow-enabled switches now commercially available.
Open Flow Overview
What does this really mean, though? You start with an OF switch and a controller. The OF switch is a switch, router or access point that runs the OF client. Most switches have a flow table built from TCAM; this flow table determines which traffic moves where.
Open Flow Overview
OpenFlow (OF) is meant to be a means of testing new routing or forwarding methods to build these flow tables. It is designed to allow layer 3 or layer 2 forwarding based on port, MAC, VLAN, TCP header or IP header. It accomplishes this by establishing a control channel between the OF switch and the controller (the OpenFlow 1.0 specification defines this as a TLS-protected TCP connection, not an SSH tunnel). When a new flow starts, the switch sends its first packets to the controller. The controller then writes an entry into the flow table to handle the remainder of this connection.
Open Flow Overview
OF switches also have the ability to segregate the OF flow table from that of the standard switch. The idea is that you choose a handful of ports on a device and have them participate in the OF test. Your controller then updates all of the OF switches in the chain with the new flow information. Since this is a separate flow table, the device continues to process all other traffic based on the standard flow table.
Open Flow Overview
So long as you can maintain connectivity to the controller you can write your own proprietary mesh algorithm and have the MikroTik routers use it. You could write an algorithm that monitors all of your ISP interfaces via SNMP and adjusts routing on the fly according to congestion; really, the sky is the limit at this point. Right now there are really only two commands in the MikroTik
Open Flow Implementation
Currently RouterOS implements the required features of OpenFlow version 1.0.0. Support for newer versions, optional features and switching hardware acceleration is to be added. The current implementation should be considered experimental: NOT production ready, and available for evaluation purposes only. OpenFlow support is available as the standalone openflow package.
Open Flow Implementation
Because of this, care must be taken not to lock yourself out of the device when configuring OpenFlow: keep the interface you manage the router through out of the OpenFlow switch instance. Currently only unencrypted TCP is available as the communications channel between the RouterOS OpenFlow switch and the controller, so the controller is not authenticated and its instructions are not protected in transit; anything able to reach or tamper with that connection can program the flow table. Keep the controller on an isolated management network.
Open flow Implementation
RouterOS supports multiple OpenFlow switch instances, each of which can have separate controller(s) and sets of ports. A switch instance is added with:
[admin@mikrotik] > /openflow add name=ofswitch1 controllers=10.0.0.18
Switch ports are added with:
[admin@mikrotik] > /openflow port add switch=ofswitch1 interface=ether2
Traffic Generate Overview
Traffic Generator is a tool that allows you to evaluate the performance of a DUT (Device Under Test) or SUT (System Under Test). The tool can generate and send raw packets over specific ports. It also collects latency and jitter values and tx/rx rates, counts lost packets and detects out-of-order (OOO) packets. Traffic Generator can be used like the bandwidth test tool, and can also generate packets that are routed back to the generator for advanced statistics collection.
Traffic Generate Overview
RouterOS version 6 introduces a new tool, "traffic generator", which allows performance testing without expensive testing hardware. Traffic is generated from one or more routers in the network. This article shows the configuration and hardware needed to replicate the tests published on routerboard.com.
Traffic Generate Implementation
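An added example (not from the original slides) of a minimal generator setup: one packet template, one stream, start, read the counters, stop. Property names follow the RouterOS 6 Traffic Generator manual and should be checked with "?" completion on your release, because this tool changed between versions; the MAC and IP addresses are placeholders for the generator and the DUT.

```routeros
# Added example (not from the original slides). Property names follow the RouterOS 6
# Traffic Generator manual; verify them with "?" in your console. Assumed: generator ether2
# faces the DUT, the DUT routes 10.2.2.0/24 back to the generator on ether3, and the MAC
# addresses below are those of the generator's ether2 and the DUT's ingress port.
# Packet template: Ethernet/IPv4/UDP frame sent out of ether2 towards the DUT.
/tool traffic-generator packet-template add name=udp64 interface=ether2 header-stack=mac,ip,udp \
    mac-src=00:0C:42:00:00:01 mac-dst=00:0C:42:00:00:02 ip-src=10.1.1.1 ip-dst=10.2.2.1 \
    udp-src-port=10000 udp-dst-port=10001
# One stream: 64-byte packets at 100 kpps (about 51 Mbit/s of frame data) from that template.
# Small packets at a high rate are the worst case for a router's per-packet processing.
/tool traffic-generator stream add id=1 name=s1 packet-size=64 pps=100000 tx-template=udp64
# Start, read the counters (tx/rx rate, lost, out-of-order, latency) after a while, then stop.
/tool traffic-generator start
/tool traffic-generator stats print
/tool traffic-generator stop
```

The generator transmits raw frames at whatever rate you ask for, so it is also a very effective way to flood a production segment by mistake: run it only on ports that lead to the DUT and nowhere else.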
IPsec-Tunnel
IPsec Tunnel, Site-to-Site VPN. You have multiple sites that all have Internet connections and you want to connect their internal subnets together securely. How would one accomplish this? With an IPsec tunnel: imagine it as a secure pipe that connects one site to the other. This tutorial shows how this configuration is accomplished.
Site 1 MT 1 Step 1: Configuring NAT
Site 1 MT 1
Step 1: Configuring NAT, troubleshooting
The NAT rule we created (action=accept for LAN-to-LAN traffic) must be the first rule in the NAT configuration, above the masquerade rule; otherwise packets to the remote LAN are source-NATed before they can match the IPsec policy and never enter the tunnel.
Site 1 MT 1
Step 2: add IPsec Policy
1. src.address is the local network address.
2. dst.address is the destination (remote) network.
Site 1 MT 1
Step 2: add IPsec Policy
1. SA src.address is this router's public IP address.
2. SA dst.address is the destination router's public IP address.
Site 1 MT 1
Step 3: add IPsec Peer
Notes:
1. Address is the destination router's public IP address.
2. The secret (pre-shared key) must match on both routers. Use a long random value: anyone who knows it can bring up a tunnel as the remote site.
3. If packets pass through any NAT device, check NAT Traversal. Leaving it checked is harmless, so it is fine to always enable it.
Site 1 MT 1
Step 4: optionally change the phase 2 (proposal) settings of IPsec.
Site 2 MT 2 Step 1: Configuring NAT
Site 2 MT 2
Step 1: Configuring NAT, troubleshooting
The NAT rule we created (action=accept for LAN-to-LAN traffic) must be the first rule in the NAT configuration, above the masquerade rule; otherwise packets to the remote LAN are source-NATed before they can match the IPsec policy and never enter the tunnel.
Site 2 MT 2
Step 2: add IPsec Policy
1. src.address is the local network address.
2. dst.address is the destination (remote) network.
Site 2 MT 2
Step 2: add IPsec Policy
1. SA src.address is this router's public IP address.
2. SA dst.address is the destination router's public IP address.
Site 2 MT 2
Step 3: add IPsec Peer
Notes:
1. Address is the destination router's public IP address.
2. The secret (pre-shared key) must match on both routers. Use a long random value: anyone who knows it can bring up a tunnel as the remote site.
3. If packets pass through any NAT device, check NAT Traversal. Leaving it checked is harmless, so it is fine to always enable it.
Site 2 MT 2
Step 4: optionally change the phase 2 (proposal) settings of IPsec.
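The four steps for both sites, carried through on the CLI as one added example (not the author's configuration, whose screenshots are not reproduced here). It uses the RouterOS 6 syntax of the period; from 6.43 the peer settings moved into /ip ipsec profile and /ip ipsec identity. Assumed addresses, all from documentation ranges: site 1 LAN 192.168.1.0/24 behind public 203.0.113.2, site 2 LAN 192.168.2.0/24 behind public 198.51.100.2, WAN on ether1 at both sites, and a placeholder pre-shared key.

```routeros
# Added example (not from the original slides), RouterOS 6 syntax before 6.43.
# Assumed: site 1 LAN 192.168.1.0/24, public 203.0.113.2; site 2 LAN 192.168.2.0/24,
# public 198.51.100.2; WAN is ether1 at both sites; the PSK is a placeholder.

# ---------------- Site 1 (MT 1) ----------------
# Step 1: NAT. The accept rule is added first so it sits above masquerade. On a router
# that already has NAT rules, add place-before=0 to put it at the top.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    comment="ipsec: do not NAT site-to-site traffic"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
# Let IKE, NAT-T and ESP in from the known peer only (these must precede any input drop rule).
/ip firewall filter add chain=input src-address=198.51.100.2 protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input src-address=198.51.100.2 protocol=ipsec-esp action=accept
# Step 4 (done before the policy refers to it): phase 2 proposal with AES-256/SHA-256 and PFS
# instead of the 3DES/MD5/no-PFS defaults.
/ip ipsec proposal set [find default=yes] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
# Step 3: peer (phase 1). Main mode, strong algorithms, NAT traversal on. The PSK must be
# identical on both routers; generate it randomly, since the tunnel is only as strong as it.
/ip ipsec peer add address=198.51.100.2/32 exchange-mode=main secret="REPLACE-WITH-32-RANDOM-CHARS" \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 nat-traversal=yes
# Step 2: policy. src/dst are the LANs, SA src/dst are the public addresses, tunnel mode,
# level=require so LAN-to-LAN packets are dropped rather than sent in clear if no SA exists.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    sa-src-address=203.0.113.2 sa-dst-address=198.51.100.2 tunnel=yes action=encrypt \
    level=require proposal=default

# ---------------- Site 2 (MT 2): the mirror image ----------------
/ip firewall nat add chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    comment="ipsec: do not NAT site-to-site traffic"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
/ip firewall filter add chain=input src-address=203.0.113.2 protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input src-address=203.0.113.2 protocol=ipsec-esp action=accept
/ip ipsec proposal set [find default=yes] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add address=203.0.113.2/32 exchange-mode=main secret="REPLACE-WITH-32-RANDOM-CHARS" \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 nat-traversal=yes
/ip ipsec policy add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=198.51.100.2 sa-dst-address=203.0.113.2 tunnel=yes action=encrypt \
    level=require proposal=default

# Connectivity check on either router: phase 1 peer, installed SAs, then a LAN-to-LAN ping.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ping 192.168.2.1 src-address=192.168.1.1 count=3
```

If the ping fails, check /ip firewall nat in order (the accept rule must be above masquerade), then /log for "phase1 negotiation failed" (PSK or algorithm mismatch) and /ip ipsec installed-sa (empty means phase 2 never completed, usually a policy or proposal mismatch).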
IPsec Connectivity Check
Check the established IPsec peer (Remote Peers / Installed SAs) from Router 1.
IPsec Connectivity Check
Traceroute from Router 2 to LAN 1 confirms that traffic to the remote subnet goes through the tunnel rather than out to the Internet unencrypted.