Tr069-best-practices

From MikroTik Wiki

Get the router ready for use with TR069

This Best Practices Guide shows an example of an initial RouterOS setup for cases where a safe, preconfigured factory-reset with custom configuration is needed, especially when TR069 is used. It is useful when the user (or, unknowingly, the provider) has misconfigured the device into a non-reversible state. The factory-reset configuration can then be applied with the TR069 FactoryReset RPC, with /system reset-configuration in RouterOS, or with the reset button on the router.

Overriding factory default-configurations on Netinstall

When performing Netinstall, the default-configuration script can be adapted to specific needs and installed in place of MikroTik's default one. This should be done by providers who want FactoryReset as a fallback that makes the device "reachable" again after an unresolvable misconfiguration. In the TR069 case the default-configuration script should at minimum import certificates, set up IP layer connectivity, enable and configure tr069-client, and configure the firewall. All further configuration can then be performed by the ACS.

Warning: On factory-reset all certificates are removed too, so if they are needed after the reset, the default-configuration script must import them.


Example script

The example default-configuration script below assumes that the board uses ether1 as the WAN port for reaching the ACS, that a dummy CA certificate is used, and that the initial IP configuration is received by DHCP client.

Note: The values of certificate, acs-url, username and password must of course be replaced, and extra configuration will most probably be needed. You may also want to define your own interface-list for neighbor discovery on the LAN side.




# Install certificate
:global acsCaCertTxt "-----BEGIN CERTIFICATE-----<PASTE-BASE64-CA-CERTIFICATE-BODY-HERE>-----END CERTIFICATE-----";

/file print file=tmp_acs_ca_cert.txt;
:delay 2;
/file set tmp_acs_ca_cert.txt contents=$acsCaCertTxt;
/certificate import file-name=tmp_acs_ca_cert.txt passphrase="";
/file remove tmp_acs_ca_cert.txt;


# Wait until ethernet interfaces show up (give up after 30 seconds)
:local count 0;
:while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
        /quit;
    }
    :delay 1s; :set count ($count +1);
};


# Make the firewall as restrictive as possible while still letting tr069-client work
/ip firewall {
    filter add chain=input action=accept connection-state=established,related \
comment="defconf: accept established,related"
    filter add chain=input action=drop in-interface=ether1 \
comment="defconf: drop all from WAN"
}
/ip neighbor discovery-settings set discover-interface-list=none


# Configure the IP layer so that tr069-client can reach the ACS
/ip dhcp-client add interface=ether1 disabled=no comment="defconf";
/tr069-client set acs-url="https://example.com:7777/" enabled=yes \
username=exampleusername password=examplesecurepassword
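The script above only imports the CA and drops all WAN input, so the device never verifies the ACS it talks to and the ACS can never reach the device for a connection request. The following stricter tail for the default-configuration script is an added example written for this page, not MikroTik's own code: it assumes ACS_IP_PLACEHOLDER stands for the real ACS address, that the tr069-client parameter check-certificate exists on your RouterOS build, and that the client listens for connection requests on the TR-069 default TCP port 7547.

```routeros
# Added example (not from the MikroTik wiki): hardened tail of a defconf script.
# Assumptions: ACS_IP_PLACEHOLDER is the real ACS address; the tr069-client
# parameter check-certificate and connection-request port 7547 match your build.

# 1. Abort if the CA import silently failed; enabling the client without a
#    trusted CA would make it accept any server that presents a certificate.
:if ([:len [/certificate find]] = 0) do={
    :log error "defconf: ACS CA certificate missing, tr069-client not enabled";
    :error "defconf: no CA certificate imported";
}

# 2. Only the ACS may open TCP connections to the CPE (connection requests);
#    all other WAN input is dropped, sessions the CPE initiates still work.
/ip firewall address-list add list=acs address=ACS_IP_PLACEHOLDER \
    comment="defconf: ACS address"
/ip firewall {
    filter add chain=input action=accept connection-state=established,related \
        comment="defconf: accept established,related"
    filter add chain=input action=accept protocol=tcp dst-port=7547 \
        src-address-list=acs in-interface=ether1 \
        comment="defconf: ACS connection request only"
    filter add chain=input action=drop in-interface=ether1 \
        comment="defconf: drop all other WAN input"
}

# 3. Plaintext management services are not needed for TR-069 provisioning.
/ip service disable telnet,ftp,www,api

# 4. Enable the client with server certificate verification, so a spoofed ACS
#    on the path cannot push configuration to the device.
/tr069-client set acs-url="https://example.com:7777/" enabled=yes \
    username=exampleusername password=examplesecurepassword check-certificate=yes
```

If the ACS sits behind a changing address, replace the single address-list entry with the provider's ACS address range; widening it to the whole WAN reopens the connection-request port to anyone.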