This page contains information about RoMON feature in RouterOS. RoMON stands for "Router Management Overlay Network". RoMON works by establishing independent MAC layer peer discovery and data forwarding network. RoMON packets are encapsulated with EtherType 0x88bf and dst-MAC 01:80:c2:00:88:bf and its network operates independently from L2 or L3 forwarding configuration. When RoMON is enabled, any received RoMON packets will not be displayed by sniffer or torch tools.
Each router on RoMON network is assigned its RoMON ID. RoMON ID can be selected from port MAC address or specified by user.
RoMON protocol does not provide encryption services. Encryption is provided at "application" level, by e.g. using ssh or by using secure winbox.
In order for device to participate in RoMON network RoMON feature must be enabled and ports that participate in RoMON network must be specified.
RoMON feature is configured in /romon menu at version 6.28 and under /tool romon menu after version 6.28. It contains the following settings:
|enabled (yes | no; Default: no)||Disable or enable RoMON feature|
|id (MAC address; Default: 00:00:00:00:00:00)||MAC address to use as ID of this router|
When RoMON is enabled and ID is automatically selected, ID is reported in menu info:
Version 6.28: [admin@R3] > romon print ;;; RoMON running, ID 00:33:00:00:00:02 enabled: yes id: 00:00:00:00:00:00 After version 6.28: [admin@R3] > tool romon print enabled: yes id: 00:00:00:00:00:00 secrets: current-id: 00:33:00:00:00:02
Ports that participate in RoMON network are configured in romon port menu. Port list is a list of entries that match either specific port or all ports and specifies if matching port(s) is forbidden to participate in RoMON network and in case port is allowed to participate in RoMON network entry also specifies port cost. Note that all specific port entries have higher priority than the wildcard entry with interface=all.
For example, the following list specifies that all ports except ether1 participate in RoMON network with cost 100:
Version 6.28: [admin@R1] /romon port print Flags: X - disabled, D - dynamic # INTERFACE FORBID COST 0 ether1 yes 100 1 all no 100 After version 6.28: [admin@R1] /tool romon port print Flags: X - disabled, D - dynamic # INTERFACE FORBID COST 0 ether1 yes 100 1 all no 100
By default one wildcard entry with forbid=no and cost=100 is created.
RoMON protocol secrets are used for message authentication, integrity check and replay prevention by means of hashing message contents with MD5.
For each interface, if interface specific secret list is empty, global secret list is used.
When sending out, messages are hashed with first secret in list if list is not empty and first is not "empty secret" (empty string = ""), otherwise messages are sent unhashed.
When received, unhashed messages are only accepted if secret list is empty or contains "empty secret", hashed messages are accepted if they are hashed with any of secrets in list.
This design allows for incremental introduction and/or change of secrets in network without RoMON service interruption and can happen over RoMON itself, e.g.:
- initially all routers are without secrets
- configure each router one by one with secrets="","mysecret" - this will make all routers still send unprotected frames, but they all will be ready to accept frames protected with secret "mysecret".
- configure each router one by one with secrets="mysecret","" - this will make all routers use secret "mysecret", but also still accept unprotected frames (from routers that have not yet been changed)
- configure each router with secrets="mysecret" - this will make all routers use secret "mysecret" and also only accept frames protected with "mysecret".
Changing of secret in network should be performed in similar fashion where for some time both secrets are in use in network.
In order to discover all routers on RoMON network romon discover command must be used:
Version 6.28: [admin@R1] romon discover ADDRESS COST HOPS PATH L2MTU 00:22:00:00:00:02 200 1 00:22:00:00:00:02 1500 00:02:03:04:05:06 400 2 00:22:00:00:00:02 1500 00:02:03:04:05:06 After version 6.28: [admin@R1] tool romon discover ADDRESS COST HOPS PATH L2MTU 00:22:00:00:00:02 200 1 00:22:00:00:00:02 1500 00:02:03:04:05:06 400 2 00:22:00:00:00:02 1500 00:02:03:04:05:06
Multiple applications can be run over RoMON network.
In order to test reachability of specific router on RoMON network romon ping command can be used:
Version 6.28: [admin@R1] romon ping 00:22:00:00:00:02 SEQ HOST TIME STATUS 0 00:22:00:00:00:02 0ms 1 00:22:00:00:00:02 1ms 2 00:22:00:00:00:02 1ms sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms After version 6.28: [admin@R1] tool romon ping 00:22:00:00:00:02 SEQ HOST TIME STATUS 0 00:22:00:00:00:02 0ms 1 00:22:00:00:00:02 1ms 2 00:22:00:00:00:02 1ms sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms
In order to establish secure terminal connection to router on RoMON network romon ssh command can be used, provided that security package is installed:
Version 6.28: [admin@R1] romon ssh 00:22:00:00:00:02 After version 6.28: [admin@R1] tool romon ssh 00:22:00:00:00:02
Run RoMON in Winbox by using CLI
In order to establish RoMON session directly by using command line on computer, you must specify RoMON agents and desired routers addresses. RoMON agent must be saved on Managed routers list in Winbox in order to make successful connection:
winbox.exe --romon 192.168.88.1 D4:CA:6D:E1:B5:7D admin ""