Testwiki/Managing MikroTik devices
- 1 Managing MikroTik devices
- 1.1 RouterOS
- 1.2 How get access to MikroTik router
- 1.3 User interfaces
- 1.4 Users access control on MikroTik router
- 1.5 Upgrading RouterOS package
- 1.6 Backing up the MikroTik router configuration
- 1.7 Configuring an IP address on router interface
- 1.8 Configuring DHCP
Managing MikroTik devices
The RouterOS is MikroTik’s stand-alone operating system based on linux 2.6 kernel. That runs on all MikroTik’s RouterBOARD devices and can also be installed on a PC. RouterOS software provides all necessary features for router: routing, firewall, bandwidth management, wireless access point, user management and more.
RouterOS supports multi-core and multi-CPU computers (SMP). You can run it on the latest Intel motherboards and use the newest multicore CPUs as well as RouterOS support installation on IDE, SATA and USB storage devices, this includes HDDs, CF and SD cards, SDD disks and more. You need at least 64MB of space to install RouterOS, which will format your partition and become the default operating system of the device. RouterOS has licensed and license can be used only in one system. You can read more about MikroTik licenses here.
How get access to MikroTik router
The console is used for accessing the MikroTik Router's configuration and management features using text terminals. When you connect to MikroTik router you can to configure it, change and verify configuration, get statistics and other useful information. There are different ways to do this, routers that have consol port can set up configuration using this port. RouterBOARDs whom haven’t serial consol, usually comes from factory with pre-configured IP address on one of interface therefore can be configured through a network. Many of routerBOARDs have serial console port available, so quite often, first configuration is installed using this interface. For connecting through consol port can be used various terminal emulation programs, for example HyperTerminal for windows OS and minicom for Unix-like OS. The serial port configuration is set by default to:
- Bits per second = 115200 bit/s
- Data bits = 8
- Parity = None
- Stop bits = 1 stop bits
- Flow control = None
By default, MikroTik routers use “admin” as the username (login) and password doesn’t set. There may be also available other ways to log into console, not only serial console port:
- console (screen and keyboard) – in case when RouterOS is installed on PC
- telnet, SSH protocols – in case when connect to MikroTik router through network interface, using specific programs that support these protocols, for example PuTTY.
- mac-telnet – connect to router using Ethernet (MAC) address of interface, in case when network interface doesn’t pre-configured (IP address isn’t sets up).
- winbox terminal – GUI tool for configuring MikroTik routers
RouterOS supports various methods how to configure MikroTik router using serial console with a terminal application, telnet and ssh access over network, simple web interface as well as GUI tool called Winbox.
The console support CLI (Command Line Interface) to allowing configure of the router's settings using text commands. It’s really important to understand command prompt of MikroTik router. Since there are a lot of available commands, they are split into groups organized in a way of hierarchical menu levels. The name of a menu level reflects the configuration information accessible in the relevant section, eg. /ip; /ip route; /ip address.
You can to find list of all available sub-commands at any prompt using question mark “?”(similarly to pressing [Tab] key twice, but in verbose form and with explanations):
For example: Press Enter to execute command any command on command prompt.
[admin@MikroTik] > routing ? . .. ... [admin@MikroTik] > routing ospf ? . .. ... [admin@MikroTik] > routing ospf network ?
Instead of typing command path step by step, the command path can be typed only once to move into this particular branch of menu hierarchy. Thus, the example above could also be executed like this:
[admin@MikroTik]> routing ospf network [admin@MikroTik] /routing ospf network>
To move back to one command level, type “..”
[admin@MikroTik] /ip route rule> .. [admin@MikroTik] /ip route> .. [admin@MikroTik] /ip> .. [admin@MikroTik] >
Exit to the top level of command prompt, type ”/”
[admin@MikroTik] ip route rule > / [admin@MikroTik]>
You can execute commands from other menu levels without changing the current level using “/” mark before the input full command from another menu level. For example:
[admin@MikroTik] /ip route> /ip address add address=10.1.1.1 netmask=255.255.255.0 interface=ether1
Many of the command levels operate with arrays of items: interfaces, routes, users etc.
[admin@MikroTik] > interface print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1500 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500
All items in the list have an item number followed by flags and appropriate parameter values. To change properties of an item, you have to use [file:///D:\Mikrotik\Console%20hierarhija.htm#set set'] command and specify name or number of the item. Set – this command change some of existing configuration item whereas add' – command is used for adding a new items.
[admin@MikroTik] /interface> set 0 name=ethernetLAN [admin@MikroTik] /interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ethernetLAN ether 1500 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500
Commonly used commands
There are some commands that are common to nearly all menu levels, namely: print, set, remove, add, find, export, enable, disable, comment, move. These commands have similar behavior throughout different menu levels.
Add – this command adds a new item with the values you have specified. There are some required properties that you have to supply, such as the interface for a new address, while other properties are set to defaults unless you explicitly specify them.
Disabled – control disabled/enabled state of the newly added item(-s)
Comment – hold the description of a newly created item(-s)
Set – allows change configuration values of existing item. If there is a list of items in this command level, you need to indicate number of item you exactly want to change.
Enable – enable specific item from list
Disable – disable specific item from list
Move – changes the order of items in list.
Find – returns internal numbers of all items that have the same values of arguments as specified.
Print – shows all information that's accessible from particular command level. For example, ip address print shows ip addresses of all interface, ip route print shows routing table on MikroTik router. Print command also include additional parameters, some of these are:
where - show only items that match specified criteria. The syntax of where property is similar to the [file:///D:\Mikrotik\Console%20hierarhija.htm#find find] command.
brief - forces the print command to use tabular output form
detail - forces the print command to use property=value output form
file - prints the contents of the specific submenu into a file on the router.
oid - prints the OID value for properties that are accessible from SNMP
Remove – removes specified item(-s) from a list.
Winbox tool is graphical user interface (GUI) for MikroTik router configuration. All RouterOS functionality can be controlled with this application. It provides huge of configuration, status checking, monitoring, user accounting and other router commands that can be configured through GUI. Winbox tool (winbox.exe can be downloaded from http://www.mikrotik.com/download.html.
This is a web based configuration interface for RouterOS. This is used to help you configure a router from an HTTP interface. It is designed to ensure the user a simple way to configure router through network interface. Some of the most important RouterOS features can be controlled within this interface for advanced configuration you have use terminal console (CLI) or Winbox (GUI). Network interface must be preconfigured (IP address is set up) before you can to connect to Webbox. Use your web browser to make http connection to router, for example http://10.255.255.5, enter your router username and password the upper right corner of page.
When you’ve completed the login process, new page with Webbox interface is opened.
Soon will be available a new web interface for RouterOS, with much wider configurability as Webbox applies to RouterOS v5.x.
Connect to router where RouterOS version 5.x or newer is installed. Open web browser and enter router’s IP address, RouterOS welcome page will be displayed, like given below and choose Webfig:
Webfig beta version:
Users access control on MikroTik router
MikroTik RouterOS allows to manage router’s user access facility connecting on router from the local console, via serial terminal, telnet, SSH or Winbox. The users are authenticated using either local database or designated RADIUS server.
Each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items.
User group – provides to define specific, different users permissions profiles.
[admin@MikroTik_CE1] /user group> print 0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web, sniff,sensitive,!ftp,!write,!policy 1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password, web,sniff,sensitive,!ftp,!policy 2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox, password,web,sniff,sensitive [admin@MikroTik_CE1] /user group>
Exclamation sign '!' just before policy item name means NOT.
Example how to add new user group:
To add reboot group that is allowed to reboot the router locally or using telnet, as well as read the router's configuration, enter the following command:
[admin@ MikroTik_CE1] user group> add name=reboot policy=telnet,reboot,read,local
Router user database stores the information such as user name, allowed access addresses password, and group about router management personnel.
[admin@MikroTik_CE1] /user> print Flags: X - disabled # NAME GROUP ADDRESS 0 ;;; system default user admin full 0.0.0.0/0
There we can to see one predefined user “admin” with attached group – “full” and address 0.0.0.0/0 means that user can login from any network.
Example how to add new user with previous defined user group ‘reboot’:
[admin@MikroTik_CE1] /user> add name=user2 group=reboot address=0.0.0.0/0 password=12345 [admin@MikroTik_CE1] /user> print Flags: X - disabled # NAME GROUP ADDRESS 0 ;;; system default user admin full 0.0.0.0/0 1 user2 reboot 0.0.0.0/0 [admin@MikroTik_CE1] /user>
Using Winbox this can be configured through System/Users>User List
More information can be found here.
Upgrading RouterOS package
To do this process here are two prerequisite:
- you have a license that allows upgrading
- you have installed an some of FTP programs that can transfer files (in this case new version of RouterOS) to your router.
Whereas RouterOS is licensed so upgrading process is depends on these licenses. Licenses determine version of RouterOS until the RouterOS may be updated without purchase of the new licenses. You can check your upgrading level as follows:
[admin@MikroTik_CE1] /system license> print software-id: "X3ZQ-AJUJ" upgradable-to: v5.x nlevel: 4 features:
In this example I can upgrade RouterOS only until to the last version of RouterOS v5. . More about licenses can be read here.
Step by step upgrade process using Winbox, as well as using FTP programs are explained here. One of potential FTP program for linux like machines may be Filezilla and for Windows may to use WinSCP.
Backing up the MikroTik router configuration
To make copies of configuration data (called “backups”) is one of important features when we think of the original router’s configuration security. There are a number of functions that are associated with the router configuration creation, storage, restoring and resetting.
Create backup - configuration backup is a binary file of MikroTik RouterOS configuration, which can be stored on the router or downloaded from it using FTP for future use.
Reload system from backup - configuration restore can be used for restoring the router's configuration, exactly as it was at the backup creation moment, from a backup file.
Reset system configuration – System reset command is used to erase all configuration on the router. Before doing that, it might be useful to backup the router's configuration.
Configuration export - The configuration export can be used for dumping out complete or partial MikroTik RouterOS configuration to the console screen or to a text (script) file, which can be downloaded from the router using FTP protocol.
Configuration import - The configuration import facility executes a batch of console commands from export (script) file.
Create and restore backup configuration
You can create configuration backup with backup save command that store the entire router configuration in a backup file. By default backup file is stored within File directory by router, looks up router’s file directory can using file print command.
To restore the system configuration using backup file that can be uploaded to router via FTP with backup load command.
To save configuration’s backup file – testbackup to file directory:
[admin@MikroTik_CE1] system backup> save name=testbackup Configuration backup saved [admin@MikroTik_CE1] system backup>
To see this backup file on the router:
[admin@MikroTik_CE1] > file print # NAME TYPE SIZE CREATION-TIME 0 testbackup.backup backup 10524 feb/02/2102 17:07:50 [admin@MikroTik_CE1] >
To reload router with backup configuration file:
[admin@MikroTik_CE1] > system backup load name=testbackup Restore and reboot? [y/N]: y Restoring system configuration System configuration restored, rebooting now
Reset router configuration
It can be done using command system reset-configuration. This command clear all configuration of the router and sets it to default also login name and password, IP address, firewall, is erased and all interface will become disabled.
If system backup file include all router configuration and this is binary file (in human unreadable way), then export command provides to store complete or partial router configuration as text script file (in human readable way) that can be used to restore configuration. The command can be invoked at any menu level, and it acts for that menu level and all menu levels below it. The output can be saved into a file, available for download using FTP.
For example, to save ip address configuration for all interface, can be done as follows:
[admin@MikroTik_CE1] > ip address print [admin@MikroTik_CE1]ip address > export file=ipAddresses [admin@MikroTik_CE1] > file print [admin@MikroTik_CE1] >
Command that executes export a (script) file, and allows to add the configuration from the specified file to the existing router’s configuration. For example, to load the saved export file use the following command:
[admin@MikroTik_CE1] > import ipAddresses.rsc Opening script file address.rsc Script file loaded and executed successfully [admin@MikroTik_CE1] >
Configuring an IP address on router interface
IP addresses serve for a general host identification purposes in IP networks. For proper addressing the router also needs the network mask value, id set which bits of the complete IP address refer to the address of the host, and which - to the address of the network. The network address value is calculated by binary AND operation from network mask and IP address values.
MikroTik RouterOS has following types of addresses:
- Static - manually assigned to the interface by a user
- Dynamic - automatically assigned to the interface by DHCP protocol (how to configure DHCP will be explained a little later in this section)
Here’s an example of how to configure IP address on router interface:
[admin@MikroTik_CE1] ip address> add address=10.10.10.1/24 interface=ether2
In most cases, it is enough to specify the address, the netmask, and the interface arguments. The network prefix and the broadcast address are calculated automatically.
Show ip addresses configured on router:
[admin@MikroTik_CE1] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 220.127.116.11/24 18.104.22.168 22.214.171.124 ether2 1 10.5.7.244/24 10.5.7.0 10.5.7.255 ether1 2 10.10.10.1/24 10.10.10.0 10.10.10.255 ether2 [admin@MikroTik_CE1] ip address>
NOTE Use addresses from different networks on different interfaces. For example, the combination of IP address 172.16.0.1/24 on the ether1 interface and IP address 172.16.0.126/24 on the ether2 interface is invalid, because both addresses belong to the same network 172.16.0.0/24 which includes IP address range from 172.16.0.1 – 172.16.0.255.
Dynamic Host Configuration Protocol (DHCP) is a standard protocol defined by RFC 2131 that allows a server to dynamically distribute IP addressing and network configuration information to clients. Normally the DHCP server provides the client with at least this basic information:
- IP Address
- Subnet Mask
- Default Gateway
There can be provided also other information, such as Domain Name Service (DNS) server addresses and Windows Internet Name Service (WINS) server addresses and etc. The network administrator configures the DHCP server with the options that are parsed out to the client.
Basic operation of DHCP
DHCP is basically insecure and should only be used in trusted networks. Uses a client-server model where one or more servers DHCP servers allocate IP addresses and other network configuration parameters to clients. DHCP server always listens on UDP 67 port, DHCP client - on UDP 68 port. Figure 4.4. shows the basic steps that occur when a DHCP client requests an IP address from a DHCP Server.
- The client is looking for available DHCP servers. When a DHCP client boots up for the first time, it send a broadcast DHCPDISCOVER message on its local physical subnet over User Datagram Protocol (UDP) port 67. The DHCPDISCOVER massage includes 255.255.255.255 as destination IP address (massage is intended for all subnets) and 0.0.0.0 as source IP address, indicating the client does not currently have an IP address.
- The server response to the client DHCPDISCOVER massage. A DHCP Server offers configuration parameters (such as an IP address, a subnet mask, default gateway and a lease time for the IP address) by sending DHCPOFFER unicast message to the client.
- The client returns a formal request for the offered IP address to the DHCP Server, indicating its intent to accept the parameters in a DHCPREQUEST broadcast message.
- After the DHCP server receives the DHCPREQUEST, it acknowledges the request with a DHCPACK message, thus completing the initialization process.
There are also other DHCP massages used for specific purpose.
Configuring DHCP client
The MikroTik RouterOS DHCP client may be enabled on any Ethernet-like interface at a time. The client will accept an address, netmask, default gateway, and two dns server addresses. The received IP address will be added to the interface with the respective netmask. The default gateway will be added to the routing table as a dynamic entry. Should the DHCP client be disabled or not renew an address, the dynamic default route will be removed. If there is already a default route installed prior the DHCP client obtains one, the route obtained by the DHCP client would be shown as invalid.
Basic DHCP client configuration example on ethernet1 interface:
[admin@MikroTik_CE1] /ip dhcp-client> add interface=ether1 disabled=no [admin@MikroTik_CE1] ip dhcp-client> print detail Flags: X - disabled, I - invalid 0 interface=ether1 add-default-route=yes use-peer-dns=yes use-peer-ntp=yes status=bound address=192.168.0.65/24 gateway=192.168.0.1 dhcp-server=192.168.0.1 primary-dns=192.168.0.1 primary-ntp=192.168.0.1 expires-after=9m44s [admin@MikroTik_CE1] ip dhcp-client>
In this case Ethernet interface is ready to get IP address and other information by sending request massage to the DHCP server by executing this process, "ether1" interface has obtained an IP address, information about default gateway and DNS server.
Configuring DHCP server
The router supports an individual server for each Ethernet-like interface. The MikroTik RouterOS DHCP server supports the basic functions of giving each requesting client an IP address/netmask lease, default gateway, domain name, DNS-server(s) and WINS-server(s) (for Windows clients) information (set up in the DHCP networks submenu).
In order DHCP server to work, you must set up also IP address pool(-s). The DHCP server must have an appropriate IP pool scope configured for the specific subnet from where the DHCP request came. The server takes appropriate IP addresses from this pool and assign its to the requesting client. For example, if the DHCP client subnet is 192.168.10.0/24, then DHCP server must have an IP pool configured to assign addresses within the range 192.168.10.0/24.
Example of DHCP server setup:
1. Create IP address pool:
[admin@MikroTik_CE1]/ip pool> add name=test-pool ranges=192.168.10.2-192.168.10.254
2. Define the network on which operate a DHCP server and indicate network parameters that can be distributed to clients:
[admin@MikroTik_CE1] /ip dhcp-server network> add address=192.168.10.0/24 /gateway=192.168.10.1 dns-server=126.96.36.199
3. Finally, add a DHCP server to specific interface:
[admin@MikroTik_CE1] /ip dhcp-server add interface=ether1 address-pool=test-pool
There are also available configuration wizard of DHCP server that provides question-answer based configuration.
Example of wizard:
[admin@MikroTik_CE1] /ip dhcp-server> setup Select interface to run DHCP server on dhcp server interface: ether2 Select network for DHCP addresses dhcp address space: 192.168.10.0/24 Select gateway for given network gateway for dhcp network: 192.168.10.1 Select pool of ip addresses given out by DHCP server addresses to give out: 192.168.10.2-192.168.10.254 Select DNS servers dns servers: 188.8.131.52 Select lease time lease time: 3d
This wizard configures DHCP server on ether2 interface to lend addresses from 192.168.10.2 to 192.168.10.254 which belongs to the 192.168.10.0/24 network with 192.168.10.1 gateway and 184.108.40.206 DNS server for the time of 3 days.
More information about configuring the DHCP server is available here.