MikroTik

How to create directory on RouterOS using the terminal

As of RouterOS 7.6 there is no official command to create a directory on a RouterOS filesystem. However, there is a trick involving an SMB share: when you create the SMB share, RouterOS creates the directory for it. After that, you can delete the SMB share again and the directory stays.

The following script will create the backups directory:

/ip smb shares add name=deleteme directory=backups ; /ip smb shares remove [find name=deleteme]
Posted by Uli Köhler in MikroTik, Networking

How to delete file(s) by regex filename on RouterOS

The following RouterOS command will delete all files starting with backup-:

/file/remove [/file find where name~"^backup-.*\$"]


Posted by Uli Köhler in MikroTik, Networking

How to delete file on RouterOS by filename using terminal or SSH (minimal example)

In order to delete a file named mybackup.backup on a RouterOS device using the terminal, use the following command:

/file/remove [find name="mybackup.backup"]


Posted by Uli Köhler in MikroTik, Networking

Netmiko MikroTik RouterOS minimal example

This example prints the identity (i.e. user-defined name) of the switch/router at IP address 10.0.0.1 with password abc123abc.

from netmiko import ConnectHandler

# Connection parameters for the RouterOS device
mikrotik = {
    'device_type': 'mikrotik_routeros',
    'host':   '10.0.0.1',
    'username': 'admin',
    'password': 'abc123abc'
}

mikrotik_connection = ConnectHandler(**mikrotik)
# cmd_verify=False skips netmiko's command-echo verification, which RouterOS does not need
print(mikrotik_connection.send_command('/system/identity/print', cmd_verify=False))
mikrotik_connection.disconnect()

Example output:

name: MySwitch01


Posted by Uli Köhler in MikroTik, Networking, Python

MikroTik User Manager (RADIUS): Add user with VLAN

The following RouterOS terminal command adds a User Manager user assigned to a VLAN with ID 998. This setup is compatible with Unifi access points.

/user-manager user add attributes=Tunnel-Type:13,Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:998 name=myuser password=uNah2ieghi

Note that Tunnel-Type:13 (VLAN) and Tunnel-Medium-Type:6 (IEEE 802) always stay the same: together they tell the RADIUS client that a VLAN is being assigned, while Tunnel-Private-Group-ID carries the VLAN ID.

In WebFig, the same config looks like this:

In WinBox, these settings look like this:

Posted by Uli Köhler in MikroTik, Networking

MikroTik RouterOS Wake-on-LAN (magic packet) script example

On RouterOS, you can send a Wake-on-LAN magic packet to a given MAC address (e.g. from a script) using

/tool/wol mac=DC:4A:3E:7A:87:12 interface=bridge


Posted by Uli Köhler in MikroTik, Networking

MikroTik scripting: simple foreach example

The following example uses MikroTik scripting to iterate over all ethernet interfaces and print the name of the interface:

foreach v in=[/interface/ethernet find] do={
    :put [/interface/ethernet get $v value-name=name]
}

Example output:

[[email protected]] > foreach v in=[/interface/ethernet find] do={:put [/interface/ethernet get $v value-name=name]}
ether1
sfp-CoreSwitch-Uplink
sfp-sfpplus3
sfp-NAS
sfp-Virtualization
sfp-WAN
sfp-sfpplus4
sfp-sfpplus7
sfp-sfpplus8


Posted by Uli Köhler in MikroTik

How to snmpwalk MikroTik RB260GS(P) (SwOS)

In the default configuration, you can use snmpwalk using SNMPv1 to query information from the MikroTik RB260GS or RB260GSP.

snmpwalk -v1 -c public IPADDRESS

For example:

snmpwalk -v1 -c public 192.168.88.1


Posted by Uli Köhler in MikroTik, SNMP

How to fix MikroTik SSH unable to load key file (wrong format or bad passphrase)!

Problem:

You want to import your SSH public key for passwordless login to your MikroTik router using either the terminal or WebFig/WinBox (as described in our previous post How to import SSH key to MikroTik RouterOS for passwordless login).

However, during import you see the following error message in the terminal:

unable to load key file (wrong format or bad passphrase)!

or in WebFig:

Couldn't perform action - unable to load key file (wrong format or bad passphrase)! (6)

Solution:

Either you are using an elliptic curve key (which is not supported by RouterOS at the moment) or you are using a file which is not an SSH key.

The file you are uploading should look like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6EyAUma+shOkTZ0a6WcipSb552WmQb8hTKvDOMxQ234HXAeuJg3KeJ8WdkbOIdYuNq08xBrpjinaRGSZwDqhAiQMMz6O3yfkGpWZNO26lBQkngspJU1w6HLXR9tRtRaqbXwc1kV0KS6quj4sRaGLHKMciTjx0cVbEQrLxBXIJvRl7a6w/VukE+c9LhcRBZTrYB6Er7vGMM7VtgThzq+reFnql4kicG83NuPHjC/9Z78ehxpSekSrBYTYMuqiC1m8RW/l0mI8TtkUAU/qnTuwMXqVh0oOPGSWe4qvnbjCThRkDIEuK19CyCr5uyvZTV268SftEKaKOB7wcjevZlR11 [email protected]

The most important aspect is that it needs to start with ssh-rsa, else RouterOS won’t import it – RouterOS supports ed25519 keys since RouterOS 7.7, which is in beta at the time of writing this post.

You can generate a new keypair and save it to id_mikrotik and id_mikrotik.pub using

ssh-keygen -t rsa -b 8192 -f id_mikrotik
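
To tell a file RouterOS will reject from one it will accept before uploading, here is an added Python check (not from this post) that mirrors the rules above: an OpenSSH public-key line whose base64 blob starts with the length-prefixed key type (which is why the example key above begins with AAAAB3NzaC1yc2E, the encoding of "ssh-rsa"), RSA accepted, ed25519 only from 7.7, everything else rejected. The version thresholds are taken from the post, and make_test_key_line builds constructed sample lines with dummy key material.

```python
import base64
import struct

# First RouterOS version accepting each key type, as stated in the post:
# RSA on 7.6, ed25519 from 7.7. (Assumption: taken from the post, not MikroTik docs.)
SUPPORTED_FROM = {"ssh-rsa": (7, 6), "ssh-ed25519": (7, 7)}


def _wire_key_type(blob: bytes) -> str:
    """Return the key-type string that starts every OpenSSH public-key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        raise ValueError("truncated key-type string")
    return blob[4:4 + length].decode("ascii")


def check_routeros_pubkey(text: str, routeros_version=(7, 6)) -> str:
    """Return "ok" or the reason RouterOS would reject this file with
    'unable to load key file (wrong format or bad passphrase)!'."""
    stripped = text.strip()
    if stripped.startswith("-----BEGIN"):
        return "PEM/private key file, not an OpenSSH public key"
    parts = stripped.split()
    if len(parts) < 2:
        return "not an OpenSSH public key line"
    key_type, b64 = parts[0], parts[1]
    try:  # binascii.Error (bad base64) is a subclass of ValueError
        embedded = _wire_key_type(base64.b64decode(b64, validate=True))
    except ValueError:
        return "base64 payload is corrupt"
    if embedded != key_type:
        return f"prefix {key_type} does not match embedded type {embedded}"
    if key_type not in SUPPORTED_FROM:
        return f"{key_type} keys are not supported by RouterOS"
    if tuple(routeros_version) < SUPPORTED_FROM[key_type]:
        needed = ".".join(map(str, SUPPORTED_FROM[key_type]))
        return f"{key_type} keys need RouterOS {needed} or newer"
    return "ok"


def make_test_key_line(key_type: str, comment: str = "user@host") -> str:
    """Constructed public-key line: real wire-format prefix, dummy key material."""
    name = key_type.encode("ascii")
    blob = struct.pack(">I", len(name)) + name + b"\x00\x00\x00\x01\x03"
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"
```

Run check_routeros_pubkey on the contents of your .pub file; anything other than "ok" explains the import error.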


Posted by Uli Köhler in MikroTik

How to import SSH key to MikroTik RouterOS for passwordless login

Important: You can not use elliptic curve keys (tested with ed25519) as of RouterOS 7.6 – RSA keys will work!

First, upload the public key to the filesystem of the router using Files – in the following image, the SSH key is listed at the bottom:

Using the terminal:

/user/ssh-keys/import user=admin public-key-file=id_mikrotik.pub

Using WebFig or WinBox:

Now go to System -> Users and open the SSH Keys tab:

There, click Import SSH Key.

Open the user you want to add the public key for (typically admin if you didn't create other users before):

Then click Import SSH Key; the key will be active immediately.

Posted by Uli Köhler in MikroTik, Networking

How to fix MikroTik RouterOS NTP client: using local clock

Problem:

In System -> NTP client on your MikroTik router, the Status always tells you using local clock and it won't synchronize with any NTP server.

Solution:

You can’t disable the local clock in System -> NTP client. Instead, you’ll be able to find the relevant setting in System -> NTP server.

Ensure that Use Local Clock is unchecked and click Apply.


After that, your NTP client will be active and able to synchronize:


Posted by Uli Köhler in MikroTik, Networking

How to fix MikroTik RouterOS DoH server connection error: SSL: ssl: certificate not yet valid (6)

Problem:

The DNS server integrated into your MikroTik router doesn’t work and the log shows a lot of

DoH server connection error: SSL: ssl: certificate not yet valid (6)

messages:

Reason for the error:

The issue here is that the clock in your MikroTik router does not (yet) know the correct time.

For example, the clock might be set to 1st of January, 1970 – however, the TLS certificate of the DNS-over-HTTPS server is only valid from, for example, 1st of November, 2022. This is why the MikroTik router tells you that the certificate isn’t valid.

Preferred solution: Fix the time using NTP

Just tell the MikroTik router to get the time from a public NTP server.

Open System -> NTP client in WebFig or Winbox. Typically, you want to use the upstream router as an NTP server. In my case, that is 192.168.178.1.

Ensure that Enabled is checked, add the NTP server and click Apply.

After waiting a few seconds, you should see synchronized under Status. This means that the clock of the MikroTik router has been set correctly and the issue should be fixed.

Alternate solution: Disable DNS-over-HTTPS

This solution decreases the security of your system and is hence not preferred. You should always set the time of your router correctly; not doing so will lead to a bunch of issues.

If you, however, still intend to disable DNS-over-HTTPS, open IP -> DNS and remove all servers under Use DoH servers, then click Apply.

After that, your router will use the normal DNS servers – 1.1.1.1 in my case. Ensure to enter some server there to make sure DNS requests work – if in doubt, you can always use 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google).

Note that requests to those servers will neither be encrypted nor authenticated, so they can be sniffed and/or manipulated by anyone capable of manipulating traffic to your device. Even though DNS-over-HTTPS is slightly slower (which is alleviated by the caching feature of the MikroTik router's DNS server), it provides a huge security benefit.

Posted by Uli Köhler in MikroTik, Networking

How to remote packet capture DNS requests / responses on MikroTik RouterOS

In order to packet capture just DNS packets using Tools -> Packet Sniffer, use the following settings:

  • IP protocol: Select udp (17 (udp))
  • Port: Enter 53 (53 (dns))

Note that this does not capture DNS-over-HTTPS traffic, but at the time of writing this article, this type of traffic is rare.

Example:

Posted by Uli Köhler in MikroTik, Networking

How to capture/sniff ICMPv6 traffic on MikroTik RouterOS

Problem:

On RouterOS up to at least v7.4.1 you can't select ICMPv6 as IP protocol in Tools -> Packet Sniffer.

If you select icmp, you will not sniff any ICMPv6 traffic.

Solution:

The solution is to enter the ICMPv6 IP protocol number, 58, into the IP protocol field manually:

After that, ensure that you apply the settings. You can start sniffing ICMPv6 traffic immediately.

Posted by Uli Köhler in MikroTik, Networking

How to test MikroTik UserManager (RADIUS) using radtest

On Ubuntu or other Linux distributions, you can easily install radtest using

sudo apt -y install freeradius-utils

After that, you need to create a Router representing your test PC on the MikroTik device so that RADIUS requests will be accepted.

Now you can run radtest like this:

radtest -t mschap [Username of the user to authenticate] [Password of the user to authenticate] [MikroTik IP] 1812 [Router shared secret]

Note that the Router shared secret is the password that you used when setting up the Router entry for radtest in User manager -> Routers before, not the router's admin password.

1812 is the default (and recommended) port for RADIUS.

Posted by Uli Köhler in MikroTik, Networking

How to fix MikroTik RouterOS User Manager error: Database disk not yet usable

Problem:

When trying to add for example a router to MikroTik’s User Manager, you see the following error popup:

Solution:

Initialize the database by using the following command in the terminal:

/user-manager/database save name=""

After that, the database is initialized and you will be able to use it.

Posted by Uli Köhler in MikroTik, Networking

How to fix MikroTik RouterOS v7 SSH port forwarding not working: Connection refused

In multiple models of MikroTik routers running RouterOS v7.5 I got Error: Connection refused when running simple SSH port forwarding commands such as

ssh [email protected] -L 8080:192.168.178.1:80

but in the RouterOS log I could see multiple local forwarding forbidden error messages:

Solution

In this case, the solution was simple: Go to IP -> SSH in WebFig or Winbox and set Forwarding Enabled to Both and click Apply.

If you have already set Forwarding Enabled to Both or Local: on one of my routers this setting wasn't properly activated, possibly after a RouterOS upgrade. In order to fix this, set Forwarding Enabled to no, click Apply, then set Forwarding Enabled to Both and click Apply again. For me, this fixed the issue of being unable to do SSH port forwarding.

Posted by Uli Köhler in MikroTik, Networking

How to import certificate and private key (.pem) in MikroTik RouterOS

In RouterOS, you can simply import .pem files using /certificate import no matter if the file contains a certificate and/or a private key.

First, upload them either via WebFig (Files) or via SCP to the filesystem of the Router.

We will assume the certificate is called cert.pem while the private key is called privkey.pem.

After that, import the certificate and the private key, one after another:

/certificate/import file-name="cert.pem" passphrase="" name="mikrotik.mydomain.net"
/certificate/import file-name="privkey.pem" passphrase="" name="mikrotik.mydomain.net"

This will tell you that first the certificate and then the private key have been successfully imported:

[[email protected]] > /certificate/import file-name=cert.pem passphrase="" name="mikrotik.mydomain.com"
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[[email protected]] > /certificate/import file-name=privkey.pem passphrase="" name="mikrotik.mydomain.com"
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
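
When the import runs from an automation script (for example through the netmiko send_command call shown in the Netmiko post above), the counters are all you get back, so here is an added Python parser (not part of this post) that turns them into numbers and decides whether the certificate/key pair landed as expected. The two sample outputs are constructed from the counts shown above, with the prompt lines omitted.

```python
import re

# Constructed sample output in the shape of the two /certificate/import runs
# shown above (counts copied from the post, prompt lines omitted).
CERT_OUTPUT = """
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
"""
KEY_OUTPUT = """
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
"""

COUNTER_RE = re.compile(r"^\s*([a-z-]+):\s*(\d+)\s*$")
EXPECTED = {"certificates-imported", "private-keys-imported", "files-imported",
            "decryption-failures", "keys-with-no-certificate"}


def parse_import_result(output: str) -> dict:
    """Parse the 'counter: n' lines printed by /certificate/import into ints.

    Raises ValueError if a counter is missing, i.e. when the command printed
    an error message instead of the import summary."""
    counters = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    missing = EXPECTED - counters.keys()
    if missing:
        raise ValueError(f"not an import summary, missing {sorted(missing)}")
    return counters


def import_pair_ok(cert_output: str, key_output: str) -> bool:
    """True when cert.pem produced exactly one certificate and privkey.pem exactly
    one private key that was matched to it, with nothing left undecrypted."""
    cert = parse_import_result(cert_output)
    key = parse_import_result(key_output)
    return (cert["certificates-imported"] == 1
            and key["private-keys-imported"] == 1
            and cert["decryption-failures"] + key["decryption-failures"] == 0
            and key["keys-with-no-certificate"] == 0)
```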


Posted by Uli Köhler in MikroTik, Networking

How to get current time in MikroTik RouterOS script

In order to get the current time in RouterOS, use

/system clock get time

The time returned will be in hh:mm:ss format and in local time.

For example, the following command will print the current time:

:put [/system clock get time]


Posted by Uli Köhler in MikroTik, Networking

How to print in MikroTik RouterOS script

In order to print from within a RouterOS script on a MikroTik router, use

:put

For example,

:put [/system clock get time]

will print, for example

[[email protected]] > :put [/system clock get time]
22:55:11


Posted by Uli Köhler in MikroTik, Networking