
Showing posts with the label HowTo

Mikrotik NAT, access services via external IP from inside the network

The laptop at 192.168.1.10 wants to communicate with the web server on 192.168.1.10 via the external IP address of the Mikrotik router at 1.1.1.1. Say you have a service such as webmail, which has a NAT rule to allow access from an external network:

    /ip firewall nat add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=888 to-port=80 to-address=192.168.1.10

This works fine of course, so users set up the shortcut to http://1.1.1.1:888. The problem is that when they are on the internal network it doesn't work, because the Mikrotik router won't send the reply data back out the same interface. A work-around is to create a src-nat rule directly below the dst-nat rule, like this:

    /ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.10

It goes something like this:
1. Client initiates an HTTP request to 1.1.1.1:888
2. MT receives it and translates the destination to 192.168.1.10 as per the 1st rule
3. MT then translates the...

Make tftpd-hpa play nicely with Cisco

The following was tested on Ubuntu 11.10. This is completely insecure; make sure it is confined to a LAN environment, i.e. not publicly accessible.

    apt-get install tftpd-hpa
    mkdir /tftp
    chmod 777 /tftp
    nano /etc/default/tftpd-hpa

    # /etc/default/tftpd-hpa
    TFTP_USERNAME="tftp"
    TFTP_DIRECTORY="/tftp"
    TFTP_ADDRESS="0.0.0.0:69"
    TFTP_OPTIONS="--secure --create -v"

    service tftpd-hpa restart

--create is needed to allow the client to create a new file. Otherwise you will get an error stating 'File does not exist' or similar.
--secure is so that the client does not need to specify an absolute path such as /tftp/file. The root of the tftp server becomes TFTP_DIRECTORY.
-v is for verbose logging in /var/syslog

    culv-lns1#copy run tftp
    Address or name of remote host []? 10.2.2.40
    Destination filename [culv-lns1-confg]?
    !!
    1446 bytes copied in 0.168 secs (8607 bytes/sec)
...

Backup OpenLDAP Ubuntu

The default database location is /usr/lib/ldap. It is recommended to back up to LDIF so it is transportable. Use slapcat to export:

    slapcat -v -l /backups/ldapbackup.ldif

To restore, use slapadd:

    cd /usr/lib/ldap
    rm *
    slapadd -l /backups/ldapbackup.ldif

-v is verbose output
-l specifies the LDIF file

Delete Files Older Than x Days

Applies to FreeBSD and Linux. Given a directory layout like this:

    /mnt
      /backup1
        /server1
          /folder1
          /folder2
          /backup1.tar.gz
        /server2
        /server3

    find /mnt/backup1 -maxdepth 2 -name '*.gz' -mtime +7 -exec rm {} \;

This will find and remove .gz files that were last modified more than 7 days ago. It will search 2 folders deep from /mnt/backup1, so it will not search folder1 or folder2. The single quotes around the name search string are required, at least on FreeBSD.

HP SNMP agents and Ubuntu

This will allow you to monitor HP hardware, i.e. RAID controller, degraded disk etc. This was done on Ubuntu 10.04.

    wget http://downloads.linux.hp.com/SDR/downloads/bootstrap.sh
    chmod +x bootstrap.sh
    ./bootstrap.sh -r ProLiantSupportPack
(this adds the HP repo to apt's sources)
    wget http://downloads.linux.hp.com/SDR/downloads/ProLiantSupportPack/GPG-KEY-ProLiantSupportPack
    apt-key add GPG-KEY-ProLiantSupportPack
    aptitude update
    apt-get install hp-snmp-agents
    apt-get install net-snmp
(or apt-get install snmp for later versions)
    /sbin/hpsnmpconfig
Follow the prompts.
    nano /etc/default/snmpd
    # modify this line, replacing x.x.x.x with your public facing IP if needed
    SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1 x.x.x.x'

Restart snmp:
    /etc/init.d/snmpd restart
Start the agents!
    /etc/init.d/hp-snmp-agents start
Test with
    snmpwalk -v 1 -c rocom loc...

Mikrotik VRRP

VRRP example. Note: the virtual IP must be a /32 address.

R1
    /interface vrrp add arp=enabled authentication=none disabled=no interface=ether1 interval=1s mtu=1500 name=PW-VRRP on-backup="" on-master="" password="" preemption-mode=yes priority=100 version=2 vrid=108
    /ip address add address=10.10.10.1/24 interface=ether1
    /ip address add address=10.10.10.100/32 interface=PW-VRRP

R2
    /interface vrrp add arp=enabled authentication=none disabled=no interface=ether1 interval=1s mtu=1500 name=PW-VRRP on-backup="" on-master="" password="" preemption-mode=no priority=90 version=2 vrid=108
    /ip address add address=10.10.10.1/24 interface=ether1
    /ip address add address=10.10.10.100/32 interface=PW-VRRP

Simple Cisco PBR

Cisco PBR (Policy Based Routing) uses route-maps applied to the ingress interface. Suppose you have 2 ISPs, on s0/0 and s0/1. You want traffic from the LAN interface (fa4) to be routed out each gateway depending on traffic type. Here is how you would achieve that.

    ip access-list extended s0_traffic
     permit tcp any any eq www ftp 22
     end
    !
    ip access-list extended s1_traffic
     permit ip any any
     end
    !
    route-map fa4_in permit 10
     match ip address s0_traffic
     set ip next-hop s0/0
    !
    route-map fa4_in permit 20
     match ip address s1_traffic
     set ip next-hop s0/1
    !
    int fa4
     ip policy route-map fa4_in

Traffic that doesn't match a route-map statement will use the global routing table, so you could also just configure the s0/0 ACL and route map, and set up a default route via s0/1.

Mikrotik PCC and PPPOE server

Here is a working set of mangle rules for a single Mikrotik router acting as a PPPoE server, with 2 internet gateways.

    /ip firewall mangle
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
        in-interface=isp1 new-connection-mark=isp1_conn passthrough=yes
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
        in-interface=isp2 new-connection-mark=isp2_conn passthrough=yes
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
        dst-address-type=!local new-connection-mark=isp1_conn passthrough=yes \
        per-connection-classifier=src-address-and-port:2/0 src-address=\
        10.10.100.0/24
    add action=mark-routing chain=prerouting connection-mark=isp1_conn disabled=no \
        dst-address-type=!local new-routing-mark=to_isp1 passthrough=no \
        src-address=10.10.100.0/24
    add action=mark-connection chain=prerou...

SCP / SSH without password

To be able to log into a remote Linux host without a password, you must generate a public/private key pair on the local host and copy the public key to the remote host. You would do this if you wanted to SCP some files via a script, perhaps.

First, generate the key pair on the host that you are connecting from:

    ssh-keygen -t dsa

Accept the defaults. You can put a passphrase on the key if you wish, for extra security.

Copy id_dsa.pub to the remote host somewhere, then add it to the authorized_keys file under the home directory of the user that you are trying to log in as. For instance, if you want to send a file to the remote server as user 'bob':

copy the id_dsa.pub file to /tmp on the remote server
log in to the remote server as bob
    cat /tmp/id_dsa.pub >> ~/.ssh/authorized_keys

Now you should be able to ssh or scp to the remote host and not be prompted for a password.

Rate limiting MPLS / VPLS traffic

VPLS transports Layer 2 frames and doesn't care about IP. If you try to queue or mangle traffic over a VPLS tunnel, it doesn't work. You need to use bridge filters to mangle the traffic, and queue trees rather than simple queues. Queue trees are more powerful than simple queues, so get used to them. Simple scenario: you want to limit traffic from CustA2 to CustA1 to 256k.

Simple policy routing

So you have 2 gateways, 192.168.10.1 and 192.168.20.1, and you want traffic sourced from your VoIP server (10.10.10.50) to go out the 20.1 gateway, and the rest of the traffic to go out the 10.1 gateway. Here is how you would achieve that.

Voltage monitoring

On certain boards, such as mipsbe (433AH etc.), you can use The Dude to monitor the voltage. You will need to get the SNMP OID for the voltage:

    /system health print oid

MPLS / VPLS

Before running MPLS on your production network, make sure you have an in-depth understanding of MPLS and VPLS. It makes for a hard time troubleshooting when things screw up if you don't. For an overview of how and why MPLS is used, see http://en.wikipedia.org/wiki/Multiprotocol_Label_Switching. MPLS can run alongside your existing IGP such as OSPF, which will still determine the best path. Set up your LDP neighbors with targeted addresses, using a loopback address. For a basic MPLS implementation, the following configuration is needed on every Mikrotik router. The routers need to be on 4.xx, preferably the latest (4.16 at the time of writing).

Mikrotik mac address filtering

Playing with an RB493G and wanted to allow only a certain list of MAC addresses to be able to connect. We all know this type of security is in no way foolproof. The 493G has 2 switch chips in it: ports 2-5 are on switch2, and ports 1 and 6-9 are on switch1. Much like /ip firewall filter rules, switch rules are checked in order (top down). And like /ip firewall filter rules, you must specify a deny rule. Although there is no 'deny' rule as such, you can just specify a redirect to null (specify no port), which achieves the same result.

802.1Q tagging in Ubuntu

Install the userspace tool:
    sudo apt-get install vlan
Load the module:
    sudo modprobe 8021q
Create the VLAN interface:
    sudo vconfig add eth0 10
Assign an IP address if required:
    sudo ifconfig eth0.10 10.1.1.1 netmask 255.255.255.0
or
    sudo ip address add 10.1.1.1/24 dev eth0.10 label eth0.10
The label keyword is necessary for the interface to show up in ifconfig.

Add the module 8021q to load at boot time:
    nano /etc/modules
Make the IP configuration permanent:
    nano /etc/network/interfaces
and add
    auto eth0.10
    iface eth0.10 inet static
        address 10.1.1.1
        netmask 255.255.255.0
        network 10.1.1.0
        broadcast 10.1.1.255
        gateway 10.1.1.254
        vlan-raw-device eth0
(vlan-raw-device is ignored if the raw device is specified in the interface name, as above)

To bring up the interface without an IP address:
    auto eth0.10
    iface eth0.10 inet manual
        up ifconfig eth0.10 up

Configuring multiple devices via ssh

When you have 100+ routers or servers to manage, it is a bit tedious to make a configuration change to all of them manually, especially when that change is exactly the same for all of them. There is tons of software for this scenario. I have used a few different ones in the past, but parallel-ssh (formerly pssh) is what I use for Mikrotik.

Example: you need to enable and set primary and secondary NTP servers on 100 devices. First you need to create a text file with all your devices' IP addresses, and optionally port and username:

    10.10.10.1:22
    10.10.10.2:22
    10.10.10.3:22

Save it as ips.txt, for instance, and use the command below to blast commands to all listed devices.

    parallel-ssh -l admin -x "-o StrictHostKeyChecking=no" -A -h /home/sam/ips.txt -v -t 10 -o /home/sam "/system ntp client set mode=unicast enabled=yes primary-ntp=1.2.3.4 secondary-ntp=1.2.3.5"

Explanation:
-l    Specify the user here instead of in the txt file
-A    ...

IPSec between Cisco and Mikrotik

Although IPSec is an industry standard, there are a few gotchas that crop up when dealing with inter-vendor set ups, especially involving Cisco. A couple of well known snags include:

DPD - Cisco does not support this, so turn it off.
Dynamic policies - I personally like to specify my IPsec policies, but if you want to be able to initiate the tunnel, then this must be done. All you need to specify is the source and destination pairs, and 'untick' or disable Generate Policy.

    /ip ipsec peer
    add address=172.16.2.2/32:500 secret=shhhh send-initial-contact=yes nat-traversal=no hash-algorithm=md5 enc-algorithm=3des auth-method=pre-shared-key dh-group=modp1024 generate-policy=no exchange-mode=main
    /ip ipsec policy
    add src-address=10.10.10.0/24:any dst-address=10.20.20.0/24:any sa-src-address=172.16.1.1 sa-dst-address=172.16.2.1 proposal=default disabled=no tunnel=yes
    add src-address=10.10.10.0/24:any dst-address=10.30.30.0/24:any sa-src-address=172.16.1.1 sa-dst-add...

OSPF and 802.11 wireless networks

By default, when configuring OSPF on a Mikrotik router, it will be a broadcast network type. This will work for most situations, but it uses multicasting to communicate with other OSPF nodes on the network segment. For this reason it is recommended to use network type NBMA (Non-Broadcast Multi-Access) for wireless network segments. This requires more configuration, such as specifying the neighbors manually and setting priorities. The reason NBMA is recommended is that in 802.11 wireless networks multicast packets are not always reliably delivered (read "Multicast in wireless networks" for details); using multicast here can create OSPF stability problems. Neighbors are created dynamically when you specify broadcast as the network type. If you create an NBMA neighbor and add a new OSPF interface with network type NBMA, then this will take the place of the broadcast neighbor configuration. Example configuration (from MikroTik wiki) ...