26 August 2010

Centralised backup of Mikrotik RouterOS configuration

A common way to back up RouterOS is to use a script on each device that saves the config and emails it to a dedicated mailbox. Although this works as advertised, I prefer a centralised approach that pulls the configuration from each device. The method I chose was to back up each device using FTP to a central server. Yes, there is some configuration required on each device, but once set up, it's definitely a set-and-forget solution.

This requires RouterOS on the x86 platform - the free 'demo' license will do :) No fancy-pants features, just some basic IP addressing. This works perfectly as a virtual machine; in my case, on ESXi. Create a VM with enough storage for all your backups.

Basically, you create a CSV file of all your devices and IP addresses. The script below will ftp to each entry and GET the backup file appropriately named 'HOSTNAME.backup'. It will just overwrite the last one, but it would be easy to change this behaviour and have it append.

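First, enable FTP and set up a dedicated user for the backups. You could just use the default admin account but this is not best practice.

# FTP is unencrypted: the login and the backup file cross the network in clear text
/ip service
set ftp disabled=no

/user
# Don't use this password!!!
# /user add needs a group; group=full is an assumption here, a custom group
# limited to the policies the FTP download needs would be tighter
add name=backmeup group=full password=Passw0rd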

Create a script to back up locally on each device. This will create a backup file with the name of the device.

/system script
add name=backup source=\
    "/system backup save name=[/system identity get name]"

Then schedule the above script. Change the interval and start date/time to suit.

/system scheduler
add comment="Weekly Backup" disabled=no interval=1w name=weekly-backup on-event=backup \
     policy=ftp,reboot,read,write,policy,test,winbox,password,sniff \
     start-date=jul/07/2010 start-time=20:05:00

Download and install the x86 version of RouterOS on your server (virtual or otherwise). Set it up on your network and make sure it can access all devices you wish to back up.

Create a CSV file called ipaddress.txt and list your devices in the following format. Give the host name only, because the script appends '.backup' itself, and end each line with CRLF, which is what the script searches for. The dummy entry at the end is because that's the only way I could get it to work!

    HOST2,192.168.33.5
    DUMMY,DUMMY

I pieced the following script together and modified it to suit my needs. I won't take full credit. Make sure you change the username and password, and you can change the name of the CSV file if you wish.

/system script
add name=fetch policy=\
     ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
     :global content [/file get [/file find name=ipaddress.txt] contents] ;\r\
     \n:global contentLen [:len \$content] ;\r\
     \n\r\
     \n:global lineEnd 0;\r\
     \n:global line \"\";\r\
     \n:global lastEnd 0;\r\
     \n:global addr \"\";\r\
     \n:global file \"\";\r\
     \n\r\
     \n\r\
     \n:do {\r\
    \n       :set lineEnd [:find \$content \"\\r\\n\" \$lastEnd ] ;\r\
    \n       :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\
    \n       :set lastEnd ( \$lineEnd + 2 ) ;\r\
    \n#:put \$lastEnd;\r\
    \n#:put (lineEnd . \$lineEnd);\r\
    \n       :local tmpArray [:toarray \$line] ;\r\
     \n\t:if ( [:pick \$tmpArray 1] != \"\" ) do={\r\
    \n\t:set file ([:pick \$tmpArray 0] . \".backup\");\r\
     \n:set addr [:pick \$tmpArray 1];\r\
    \n:put (\"Backing up \" . \$file . \" from \" . \$addr);\r\
     \n\r\
    \n /tool fetch address=\$addr user=backmeup password=Passw0rd src-path=\$\
     file mode=ftp;\r\
     \n}\r\
     \n} while (\$lineEnd < \$contentLen)"


And of course schedule it... choose your own schedule to suit your needs. Doing daily backups suits me because I frequently make configuration changes.

/system scheduler
add comment="" disabled=no interval=1d name=fetch on-event=fetch policy=\
     ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
     start-date=jul/15/2010 start-time=01:00:00

Verify your scripts by running them with /system script run scriptname

This of course isn't perfect and requires some tweaking. For instance, if there is a connection error to one of the devices, the whole script will fail. I will be updating this post as I go.
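As an added example (not part of the original post, and not RouterOS script): the same pull loop sketched in Python for a general-purpose backup host, generalised so that one unreachable device is recorded and skipped instead of aborting the run, and so that the device list needs no DUMMY line. The function names, the host-name pattern and the sample list are assumptions made for illustration.

```python
import ipaddress
import os
import re
from ftplib import FTP, all_errors

# Assumed pattern: identities that are also safe file names (no slashes, no dots).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")

def parse_devices(text):
    """Parse 'HOSTNAME,ADDRESS' lines into (devices, rejected_lines)."""
    devices, rejected = [], []
    for raw in text.splitlines():  # copes with CRLF, LF and no final newline
        line = raw.strip()
        parts = [p.strip() for p in line.split(",")]
        if not line or parts == ["DUMMY", "DUMMY"]:
            continue
        try:
            if len(parts) != 2 or not SAFE_NAME.match(parts[0]):
                raise ValueError("bad host name")
            addr = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            rejected.append(line)
            continue
        devices.append((parts[0], addr))
    return devices, rejected

def ftp_fetch(host, addr, user, password, dest_dir="."):
    """Download HOST.backup; replace the previous copy only on success."""
    final = os.path.join(dest_dir, host + ".backup")
    with FTP(addr, timeout=15) as ftp:
        ftp.login(user, password)
        with open(final + ".part", "wb") as out:
            ftp.retrbinary("RETR " + host + ".backup", out.write)
    os.replace(final + ".part", final)

def pull_all(devices, user, password, fetch=ftp_fetch):
    """Try every device; record a failure and carry on with the next one."""
    ok, failed = [], {}
    for host, addr in devices:
        try:
            fetch(host, addr, user, password)
            ok.append(host)
        except all_errors as exc:
            failed[host] = str(exc)
    return ok, failed

if __name__ == "__main__":
    # Constructed sample list; host names and addresses are placeholders.
    sample = "HOST1,192.168.33.4\r\nHOST2,192.168.33.5\r\n../x,192.168.33.6"
    print(parse_devices(sample))
```

Rejected lines and the `failed` map are returned rather than printed so a scheduler wrapper can alert on them.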

Cheers.  
