Tr069-best-practices: Difference between revisions

From MikroTik Wiki
m (No edit summary)
m (→Example script: script line length)
(One intermediate revision by the same user not shown)
Line 55: Line 55:
  # Set as secure settings as possible for tr069-client to work
  # Set as secure settings as possible for tr069-client to work
  /ip firewall {
  /ip firewall {
     filter add chain=input action=accept connection-state=established,related comment="defconf: accept established,related"
     filter add chain=input action=accept connection-state=established,related \
     filter add chain=input action=drop in-interface=ether1 comment="defconf: drop all from WAN"
comment="defconf: accept established,related"
     filter add chain=input action=drop in-interface=ether1 \
comment="defconf: drop all from WAN"
  }
  }
  /ip neighbor discovery set [find name="ether1"] discover=no
  /ip neighbor discovery set [find name="ether1"] discover=no
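Review bot: the `\` continuation lines (`comment="defconf: accept established,related"` and `comment="defconf: drop all from WAN"`) now start in column 0 while the `filter add` commands they belong to are indented inside the `/ip firewall { }` block; RouterOS joins them so the rules execute unchanged, but indenting each continuation under its own `filter add` would keep the rule boundaries readable.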
Line 63: Line 65:
  # Cofigure IP level, so that tr069-client can work
  # Cofigure IP level, so that tr069-client can work
  /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
  /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
  /tr069-client set acs-url="https://example.com:7777/" enabled=yes username=myusername password=mypassword
  /tr069-client set acs-url="https://example.com:7777/" enabled=yes \
username=exampleusername password=examplesecurepassword
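Review bot: `examplesecurepassword` still reads like a plausible real credential; since this script becomes the factory default that every reset re-applies, an unmistakable placeholder (for example `<ACS-PASSWORD>`) would make it harder to ship the file with the sample value left in. Renaming `myusername`/`mypassword` to the `example...` forms is otherwise a clear improvement.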

Revision as of 10:50, 19 December 2016

Get the router ready for use with TR069

This Best Practices Guide shows an example of a RouterOS initial setup for the case where a safe, preconfigured factory reset with a custom configuration is needed, especially when TR069 is used. It is useful when the user (or the provider, unknowingly) has misconfigured the device into a state that cannot be reversed. The factory-reset configuration can then be applied with the TR069 FactoryReset RPC, with RouterOS /system reset-configuration, or with the reset button on the router.

Overriding factory default-configurations on Netinstall

When performing Netinstall, the default-configuration script can be adapted to specific needs and installed in place of MikroTik's own default. Providers who want FactoryReset as a fallback that makes a device reachable again after an otherwise unresolvable misconfiguration should do this. In the TR069 case the default-configuration script should, at minimum, import the certificates, set up IP-layer connectivity, enable and configure tr069-client, and configure the firewall. All other configuration can then be performed by the ACS.

Warning: On factory reset all certificates are removed too, so if they are needed after the reset, the default-configuration script must import them.


Example script

The example default-configuration script below assumes that the board uses ether1 as the WAN port for reaching the ACS, that a dummy CA certificate is embedded, and that the initial IP configuration is obtained by the DHCP client.

Note: The values of the certificate, acs-url, username and password must of course be replaced, and extra configuration will most likely need to be added.

# Install certificate
:global acsCaCertTxt "-----BEGIN CERTIFICATE-----<CA certificate body goes here>-----END CERTIFICATE-----";

# Create the file by printing into it, then overwrite its contents with the PEM text
/file print file=tmp_acs_ca_cert.txt;
:delay 2s;
/file set tmp_acs_ca_cert.txt contents=$acsCaCertTxt;
/certificate import file-name=tmp_acs_ca_cert.txt passphrase="";
/file remove tmp_acs_ca_cert.txt;


# Wait while ether interfaces show up (give up after 30 seconds)
:local count 0;
:while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
        /quit;
    }
    :delay 1s; :set count ($count + 1);
};


# Settings as secure as possible while still letting tr069-client work
/ip firewall {
    filter add chain=input action=accept connection-state=established,related \
        comment="defconf: accept established,related"
    filter add chain=input action=drop in-interface=ether1 \
        comment="defconf: drop all from WAN"
}
/ip neighbor discovery set [find name="ether1"] discover=no


# Configure IP level, so that tr069-client can work
/ip dhcp-client add interface=ether1 disabled=no comment="defconf";
/tr069-client set acs-url="https://example.com:7777/" enabled=yes \
    username=exampleusername password=examplesecurepassword
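As an added example (not code from the MikroTik wiki), the following hypothetical Python helper produces the default-configuration script above from a CA PEM file and ACS settings, so the certificate, acs-url, username and password the note says must be replaced are checked and escaped rather than pasted by hand. It assumes that a RouterOS string literal may carry the PEM line breaks as `\n` escapes for `/file set contents=`, and the `DUMMY_PEM` at the end is a constructed bare DER SEQUENCE, not a real certificate.

```python
import base64
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PLACEHOLDERS = ("myusername", "mypassword", "exampleusername", "examplesecurepassword")

def validate_ca_pem(pem: str) -> str:
    """Return the PEM re-wrapped at 64 columns; reject anything but one base64 block."""
    if not (m := PEM_RE.search(pem)):
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())
    der = base64.b64decode(body, validate=True)  # raises ValueError on bad base64
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE (tag 0x30)
        raise ValueError("decoded body is not a DER SEQUENCE")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"

def ros_string(value: str) -> str:
    """Quote a value as a RouterOS string literal (escapes \\, \", $ and newline)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")
    return '"' + escaped.replace("\n", "\\n") + '"'

def lint_settings(acs_url: str, username: str, password: str) -> list:
    """List problems that would leave the CPE unreachable or exposed after a reset."""
    problems, u = [], urlsplit(acs_url)
    if u.scheme != "https" or not u.hostname:
        problems.append("acs-url must be an https:// URL with a host")
    for name, value in (("username", username), ("password", password)):
        if not value or value in PLACEHOLDERS:
            problems.append(f"{name} still holds a placeholder value")
    return problems

def build_defconf(pem: str, acs_url: str, username: str, password: str, wan: str = "ether1") -> str:
    """Assemble the default-configuration script; refuse placeholder or non-HTTPS settings."""
    if problems := lint_settings(acs_url, username, password):
        raise ValueError("; ".join(problems))
    return "\n".join([
        "# Install the CA certificate used to verify the ACS",
        f":global acsCaCertTxt {ros_string(validate_ca_pem(pem))};",
        "/file print file=tmp_acs_ca_cert.txt;", ":delay 2s;", "/file set tmp_acs_ca_cert.txt contents=$acsCaCertTxt;",
        '/certificate import file-name=tmp_acs_ca_cert.txt passphrase="";', "/file remove tmp_acs_ca_cert.txt;",
        "# Minimal input firewall: replies in, nothing new from the WAN port",
        '/ip firewall filter add chain=input action=accept connection-state=established,related comment="defconf: accept established,related"',
        f'/ip firewall filter add chain=input action=drop in-interface={wan} comment="defconf: drop all from WAN"',
        f'/ip neighbor discovery set [find name="{wan}"] discover=no',
        f'/ip dhcp-client add interface={wan} disabled=no comment="defconf";',
        f"/tr069-client set acs-url={ros_string(acs_url)} enabled=yes "
        f"username={ros_string(username)} password={ros_string(password)}",
    ]) + "\n"

DUMMY_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"  # constructed, not a real cert
```

Run `build_defconf(open("ca.pem").read(), "https://acs.example.net:7777/", "cpe01", "s3cret")` and write the result to the file Netinstall installs as the default configuration.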