
Showing posts with the label Tips

Mikrotik NAT, access services via external IP from inside the network

The laptop at 192.168.1.10 wants to communicate with the web server on 192.168.1.10 via the external IP address of the Mikrotik router at 1.1.1.1. Say you have a service such as webmail, which has a NAT rule to allow access from an external network:

    /ip firewall nat add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=888 to-port=80 to-address=192.168.1.10

This works fine of course, so users set up the shortcut to http://1.1.1.1:888. The problem is that when they are on the internal network it doesn't work, because the Mikrotik router won't send the reply data back out the same interface. A work-around is to create a src-nat rule directly below the dst-nat rule, like this:

    /ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.10

It goes something like this:

1. Client initiates an HTTP request to 1.1.1.1:888
2. MT receives it and translates the destination to 192.168.1.10 as per the 1st rule
3. MT then translates the...

Display PHP errors on web page

So you don't have to trawl through logs when your web page doesn't display what is expected, copy and paste this to the top of your PHP code:

    ini_set('display_errors', 1);
    ini_set('log_errors', 1);
    ini_set('error_log', dirname(__FILE__) . '/error_log.txt');
    error_reporting(E_ALL);

You will probably want to remove it once in production: displayed errors reveal file paths and other internals to visitors, and the error_log.txt written next to the script sits inside the web root.

Freeradius and mysql accounting issue

I recently migrated a MySQL database to a new Debian based server, and my RADIUS server was having issues updating the radius database with the AcctStopTime. The radius logs (/var/log/freeradius/radius.log) would say:

    Wed Jun 29 15:26:10 2011 : Error: [sql] Couldn't update SQL accounting ALIVE record - Column count of mysql.proc is wrong. Expected 20, found 16. The table is probably corrupted

or

    Thu Jun 30 03:32:01 2011 : Error: [sql] Couldn't update SQL accounting ALIVE record - Cannot load from mysql.proc. The table is probably corrupted

The fix was relatively simple once I found it. On the MySQL server do this:

    root@sql-server# mysql_upgrade --force

It fixed some issues with the table, and after that my freeradius server started updating the acctstoptime again.

Best iphone ssh client for Mikrotik

I purchased 'ssh client' for iPhone, which was $1.29 - the cheapest paid ssh app for iPhone. Pretty rude looking compared to p-term, which I had used previously. ssh-client works ok for Linux and Cisco, but carriage return is a fail for my Mikrotik gear. I found a free ssh client for iPhone called zaTelnet, which works ok, although I don't like the keyboard as much as the standard one that p-term uses. Looks like I will be paying the NZD$6.49 for p-term. It also supports colour :)

Configuring multiple devices via ssh

When you have 100+ routers or servers to manage, it is a bit tedious to make a configuration change to all of them manually, especially when that change is exactly the same for all of them. There is tons of software for this scenario. I have used a few different ones in the past, but parallel-ssh (formerly pssh) is what I use for Mikrotik.

Example: you need to enable and set primary and secondary NTP servers on 100 devices. First you need to create a text file with all your devices' IP addresses, and optionally port and username:

    10.10.10.1:22
    10.10.10.2:22
    10.10.10.3:22

Save it as ips.txt for instance, and use the command below to blast commands to all listed devices:

    parallel-ssh -l admin -x "-o StrictHostKeyChecking=no" -A -h /home/sam/ips.txt -v -t 10 -o /home/sam "/system ntp client set mode=unicast enabled=yes primary-ntp=1.2.3.4 secondary-ntp=1.2.3.5"

Explanation:

-l    Specify the user here instead of in the txt file
-A    ...

/31 addressing

Mikrotik supports /31 addressing across p2p links between 2 Mikrotik interfaces. This is useful for conserving address space. As you probably know, usually a subnet's network and broadcast addresses are unusable. That means for a p2p link we need 2 x usable addresses - or a /30, which is a chunk of 4 addresses! So for every link we waste 2 valuable addresses. No good if you are using public address space and have a limited number. It's not so critical if you are using a private range obviously - but it does make it nice and tidy :)

For example, a /30 link uses 4 addresses:

    10.20.20.12 (network)
    10.20.20.13 (usable)
    10.20.20.14 (usable)
    10.20.20.15 (broadcast)

We can split this into 2 x /31 by making the address of the local router the network address and the remote end the broadcast.

R1:

    /ip address add address=10.20.20.12/31 interface=ether1 network=10.20.20.13 broadcast=10.20.20.12

R2:

    /ip address add address=10.20.20.13/31 interface=ether1 ...

Centralised backup of Mikrotik RouterOS configuration

A common way to back up RouterOS is to use a script on each device that saves the config and emails it to a dedicated mailbox. Although this works as advertised, I prefer this centralised approach that pulls the configuration from each device. The method I chose was to back up each device using FTP to a central server. Yes, there is some configuration required on each device, but once set up it's definitely a set and forget solution.

This requires RouterOS on the x86 platform - the free 'demo' license will do :) No fancy-pants features, just some basic IP addressing. This works perfectly as a virtual machine, in my case ESXi. Create a VM with enough storage for all your backups. Note that FTP carries the login credentials and the backup files in clear text, so keep this traffic on a management network you trust.

Basically, you create a CSV file of all your devices and IP addresses. The script below will FTP to each entry and GET the backup file, appropriately named 'HOSTNAME.backup'. It will just overwrite the last one, but it would be easy to change this behaviour and have it append. ...

System History and the undo command

The history of system configuration changes is held until the next router shutdown. The invoked commands can be 'undone' using the /undo command. By invoking the command several times, the configuration changes can be 'undone' in the reverse order they were invoked. Use the /system history print command to see the list of performed actions:

    [MikroTik] system history> print
    Flags: U - undoable, R - redoable, F - floating-undo
       ACTION                                   BY            POLICY
     U nat rule changed                         admin         write
     U nat rule changed                         admin         write
    ...