MikroTik

How to fix MikroTik RouterOS v7 SSH port forwarding not working: Connection refused

In multiple models of MikroTik routers running RouterOS v7.5 I got Error: Connection refused when running simple SSH port forwarding commands such as

ssh [email protected] -L 8080:192.168.178.1:80

but in the RouterOS log I could see multiple local forwarding forbidden error messages:

Solution

In this case, the solution was simple: Go to IP -> SSH in WebFig or Winbox and set Forwarding Enabled to Both and click Apply.

If you have already set Forwarding Enabled to Both or Local: on one of my routers this setting wasn't properly activated, possibly after a RouterOS upgrade. In order to fix this, set Forwarding Enabled to no, click Apply, then set Forwarding Enabled to Both and click Apply again. For me, this fixed the issue of being unable to do SSH port forwarding.
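The same fix from the RouterOS terminal, as an added example that is not part of the original post: forwarding-enabled is the CLI name of the "Forwarding Enabled" field under IP -> SSH, and local is enough if you only need -L style forwarding.

```routeros
# Added example, not from the original post: fix SSH port forwarding from
# the RouterOS terminal instead of WebFig/Winbox.

# Show the current SSH server settings first, so you know what you change from.
/ip ssh print

# Least-privilege variant: only client-side (-L) forwarding is allowed.
# Use this if you never need remote (-R) forwarding through the router.
/ip ssh set forwarding-enabled=local

# Variant from the post: allow both local (-L) and remote (-R) forwarding.
/ip ssh set forwarding-enabled=both

# Workaround from the post for a setting that already reads "both" (or
# "local") but is not in effect, e.g. after a RouterOS upgrade: switch it
# off and back on so the SSH server actually re-applies the setting.
/ip ssh set forwarding-enabled=no
/ip ssh set forwarding-enabled=both

# Verify: the output must contain the line "forwarding-enabled: both".
/ip ssh print
```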

Posted by Uli Köhler in MikroTik, Networking

How to import certificate and private key (.pem) in MikroTik RouterOS

In RouterOS, you can simply import .pem files using /certificate import no matter if the file contains a certificate and/or a private key.

First, upload them either via WebFig (Files) or via SCP to the filesystem of the Router.

We will assume the certificate is called cert.pem while the private key is called privkey.pem.

After that, import the certificate and the private key, one after another:

/certificate/import file-name="cert.pem" passphrase="" name="mikrotik.mydomain.net"
/certificate/import file-name="privkey.pem" passphrase="" name="mikrotik.mydomain.net"

This will tell you that first the certificate and then the private key have been successfully imported:

[[email protected]] > /certificate/import file-name=cert.pem passphrase="" name="mikrotik.mydomain.com"
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[[email protected]] > /certificate/import file-name=privkey.pem passphrase="" name="mikrotik.mydomain.com"
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0


Posted by Uli Köhler in MikroTik, Networking

How to get current time in MikroTik RouterOS script

In order to get the current time in RouterOS, use

/system clock get time

The time returned is in hh:mm:ss format and in local time.

For example, the following command will print the current time:

:put [/system clock get time]


Posted by Uli Köhler in MikroTik, Networking

How to print in MikroTik RouterOS script

In order to print from within a RouterOS script on a MikroTik router, use

:put

For example,

:put [/system clock get time]

will print, for example

[[email protected]] > :put [/system clock get time]
22:55:11


Posted by Uli Köhler in MikroTik, Networking

How to make MikroTik router boot using PXE (netboot) / BOOTP

My experience is that PXE on MikroTik devices only works properly when you trigger it using the hardware reset button. You can also trigger it using System -> RouterBOARD -> Settings but this reproducibly didn’t work for me.

This method was tested on the hEX PoE Lite (i.e. RB750UPr2).

Method of triggering Netboot using the RESET button

  1. Unplug all (!) power supplies from your router. This includes PoE if used. Check if all LEDs are off.
  2. Press the reset button, you should hear a small click sound. Sometimes these are a little bit hard to press, sometimes you think you’ve pressed it but you didn’t since the button is sometimes smaller than the hole. I use tweezers to press it. Keep the reset button pressed until you’ve finished the procedure.
  3. Keep pressing the reset button while plugging in the power supply
  4. While still keeping the reset button pressed, wait for the following phases of reset:
    1. After ~5 seconds one of the LEDs will start to blink
    2. After a further 5 seconds, the LED will stop blinking and turn on permanently
    3. After a further 5 seconds, the LED will turn off permanently.
  5. Only after you see the LED go dark after these three phases (approximately 15 seconds), release the reset button
  6. The router should now boot using PXE
Posted by Uli Köhler in MikroTik

How to flash OpenWRT on hEX PoE Lite (RB750UPr2)

Important note: Flashing OpenWRT permanently breaks PoE out functionality (I have not tested) even after reinstalling RouterOS! PoE does not work on OpenWRT either!

I had significant problems with the official instructions for flashing OpenWRT on the MikroTik hEX PoE Lite as described on the OpenWRT wiki. I used RouterOS 7.4.1 and a Linux host for the flash process.

Specifically, starting the flash process from within RouterOS via System -> RouterBoard -> Settings did not work, neither with the backup bootloader nor without it, neither with DHCP nor with BOOTP. This caused a boot-and-DHCP-request loop with the log shown below.

Steps to flash OpenWRT on the RB750UPr2

… and probably most other RouterOS boards. There is no specific requirement for the firmware version: RouterOS 6.47 works, RouterOS 7.4.1 works. I didn't check any other versions, but most likely it won't make a difference. Specifically, there is no need to downgrade if using this method! The RouterOS downgrade is only necessary for some old-ish Windows-based flash method.

1 – Connect an Ethernet cable from your flashing computer to the first Ethernet port of the router.

PXE will only work on this specific port and will not work on other ports!

2 – Set up your flashing computer's IP interface config.

We'll use eth0 in this example. Be sure to use the correct interface.

sudo ifconfig eth0 192.168.1.10 netmask 255.255.255.0

I read somewhere that MikroTiks expect the PXE host to be at IP 192.168.1.10 – this definitively works. Other IP addresses might or might not also work, I didn’t check. Just use that one.

3 – Set up dnsmasq

sudo apt -y install dnsmasq

and then do not forget to stop dnsmasq and remove the default config

sudo systemctl disable --now dnsmasq
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.default.conf

4 – Download the correct image from OpenWRT

Google for OpenWRT + your RouterBoard type, e.g. OpenWRT RB750UPr2. This will lead you to a site like this one. Scroll down and download both the Firmware OpenWrt Install URL and the Firmware OpenWrt Upgrade URL. In the end you will need both anyway, but for now we need the one ending with ...-initramfs-kernel.bin!

Save that file with the original name. The name does not matter – what matters is only that you use the correct image, not the ...-sysupgrade.bin for PXE boot! There is absolutely no need to name the file vmlinux etc.

5 – Start the dnsmasq server

In the following command, be sure to set the correct image name in the --dhcp-boot line.

sudo /usr/sbin/dnsmasq \
--no-daemon \
--listen-address 192.168.1.10 \
--bind-interfaces \
-p0 \
--dhcp-authoritative \
--dhcp-range=192.168.1.100,192.168.1.200 \
--bootp-dynamic \
--dhcp-boot=openwrt-19.07.10-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin \
--log-dhcp \
--enable-tftp \
--tftp-root=$(pwd)

6 – Reset the router into PXE boot mode

As noted above, resetting via RouterOS did not work for me at all. I can only recommend this method, which I also described in my blog post How to make MikroTik router boot using PXE (netboot) / BOOTP.

  1. Unplug all (!) power supplies from your router. This includes PoE if used. Check if all LEDs are off.
  2. Press the reset button, you should hear a small click sound. Sometimes these are a little bit hard to press, sometimes you think you’ve pressed it but you didn’t since the button is sometimes smaller than the hole. I use tweezers to press it. Keep the reset button pressed until you’ve finished the procedure.
  3. Keep pressing the reset button while plugging in the power supply
  4. While still keeping the reset button pressed, wait for the following phases of reset:
    1. After ~5 seconds one of the LEDs will start to blink
    2. After a further 5 seconds, the LED will stop blinking and turn on permanently
    3. After a further 5 seconds, the LED will turn off permanently.
  5. Only after you see the LED go dark after these three phases (approximately 15 seconds), release the reset button
  6. The router should now boot using PXE

7 – Proceed with OpenWRT

If the reset & PXE boot worked, OpenWRT is running on 192.168.1.1. On most MikroTik devices, you need to plug the Ethernet cable into one of the LAN ports (typically every port except the first port) in order to access OpenWRT. Note that DHCP is not active by default.

The next step is basically to check if OpenWRT works properly and then install it to the flash using the ...-sysupgrade.bin image which we have downloaded before. This is rather easy and is performed using the Web UI; it's best to check the OpenWRT wiki page for more details.

Error log when starting the PXE flash via RouterOS

See above for the procedure that works. This error occurred when I didn't start the PXE process via the reset button:

dnsmasq-dhcp: 1534706347 vendor class: Mips_boot
dnsmasq-dhcp: 1534706347 DHCPDISCOVER(eth1) dc:2c:6e:d7:60:9d 
dnsmasq-dhcp: 1534706347 tags: eth1
dnsmasq-dhcp: 1534706347 DHCPOFFER(eth1) 192.168.1.100 dc:2c:6e:d7:60:9d 
dnsmasq-dhcp: 1534706347 requested options: 1:netmask, 3:router
dnsmasq-dhcp: 1534706347 bootfile name: rb-nor-flash-16M-initramfs-kernel.bin
dnsmasq-dhcp: 1534706347 next server: 192.168.1.10
dnsmasq-dhcp: 1534706347 sent size:  1 option: 53 message-type  2
dnsmasq-dhcp: 1534706347 sent size:  4 option: 54 server-identifier  192.168.1.10
dnsmasq-dhcp: 1534706347 sent size:  4 option: 51 lease-time  1h
dnsmasq-dhcp: 1534706347 sent size:  4 option: 58 T1  30m
dnsmasq-dhcp: 1534706347 sent size:  4 option: 59 T2  52m30s
dnsmasq-dhcp: 1534706347 sent size:  4 option:  1 netmask  255.255.255.0
dnsmasq-dhcp: 1534706347 sent size:  4 option: 28 broadcast  192.168.1.255
dnsmasq-dhcp: 1534706347 sent size:  4 option:  3 router  192.168.1.10
dnsmasq-dhcp: 4257818828 available DHCP range: 192.168.1.100 -- 192.168.1.200
dnsmasq-dhcp: 4257818828 vendor class: Mips_boot
dnsmasq-dhcp: 4257818828 DHCPDISCOVER(eth1) dc:2c:6e:d7:60:9d 
dnsmasq-dhcp: 4257818828 tags: eth1
dnsmasq-dhcp: 4257818828 DHCPOFFER(eth1) 192.168.1.100 dc:2c:6e:d7:60:9d 
dnsmasq-dhcp: 4257818828 requested options: 1:netmask, 3:router
dnsmasq-dhcp: 4257818828 bootfile name: rb-nor-flash-16M-initramfs-kernel.bin
dnsmasq-dhcp: 4257818828 next server: 192.168.1.10
dnsmasq-dhcp: 4257818828 sent size:  1 option: 53 message-type  2
dnsmasq-dhcp: 4257818828 sent size:  4 option: 54 server-identifier  192.168.1.10
dnsmasq-dhcp: 4257818828 sent size:  4 option: 51 lease-time  1h
dnsmasq-dhcp: 4257818828 sent size:  4 option: 58 T1  30m
dnsmasq-dhcp: 4257818828 sent size:  4 option: 59 T2  52m30s
dnsmasq-dhcp: 4257818828 sent size:  4 option:  1 netmask  255.255.255.0
dnsmasq-dhcp: 4257818828 sent size:  4 option: 28 broadcast  192.168.1.255
dnsmasq-dhcp: 4257818828 sent size:  4 option:  3 router  192.168.1.10
dnsmasq-dhcp: 3031796432 available DHCP range: 192.168.1.100 -- 192.168.1.200
dnsmasq-dhcp: 3031796432 vendor class: Mips_boot


Posted by Uli Köhler in MikroTik, Networking, OpenWRT

How to check how much flash space is available on MikroTik RouterOS

Using WebFig (Web UI)

Click on System on the left, then click on Resources. You can see the free space on the flash as Free HDD Space:

Using the command line

Enter the following command:

/system resource print

and look for the free-hdd-space line – for example:

[[email protected]] > /system resource print
                   uptime: 4d19h26m41s
                  version: 7.4.1 (stable)
               build-time: Aug/04/2022 11:48:11
         factory-software: 6.44.6
              free-memory: 408.7MiB
             total-memory: 512.0MiB
                      cpu: ARM
                cpu-count: 2
                 cpu-load: 26%
           free-hdd-space: 44.0KiB
          total-hdd-space: 15.9MiB
  write-sect-since-reboot: 35547
         write-sect-total: 520339
               bad-blocks: 0%
        architecture-name: arm
               board-name: CRS309-1G-8S+
                 platform: MikroTik


Posted by Uli Köhler in MikroTik, Networking

How to backup MikroTik RouterOS license to a file

On the terminal (or via SSH / Telnet), run the following command:

/system license print file="License.txt"

Now you can find the file under Files in WebFig:

Posted by Uli Köhler in MikroTik, Networking

Which MikroTik devices support ZeroTier?

MikroTik published an official ZeroTier package for MikroTik routers. But not all routers support it.

Devices which only support SwOS (SwitchOS) do not support ZeroTier. You need a device running RouterOS.

But even among the RouterOS devices, not all devices support ZeroTier. The first requirement is that you are running a recent version of RouterOS such as RouterOS 7.4.1.

At the time of writing this post (2022-08-22), only devices with the ARM and ARM64 architecture support ZeroTier. For other devices, you can't even download the package. This includes the CHR (Cloud Hosted Router) running on x86 or x86_64, for which ZeroTier is currently not available.

More specifically, for RouterOS version 7.4.1 and 7.5beta11, neither x86/x86_64 nor the SMIPS/MMIPS/MIPSBE or Tile architectures support ZeroTier.

Before buying a device or committing to ZeroTier, download the Extra packages for your architecture from the MikroTik download page and check if there's a zerotier-....npk in the ZIP archive. If it isn't available there, you currently can't use ZeroTier on that device – but possibly it will be supported in the future.

Posted by Uli Köhler in MikroTik, Networking, ZeroTier

What is the Reset Configuration PIN default for MikroTik RB2011UiAS-2HnD-IN?

When you try to reset the configuration of the MikroTik RB2011UiAS-2HnD-IN router via the integrated display, you will be asked for a PIN code for confirmation.

By default, this PIN code is 1234.

Posted by Uli Köhler in MikroTik, Networking

How to check MikroTik RouterOS license level

How to find RouterOS license using the web interface

In the WebFig web UI, you can check the license level by clicking on System -> License

How to find RouterOS license level using the Terminal

Run the following command:

/system license print

Look for the nlevel line. In the following example, the MikroTik RouterOS license level is Level 5:

[[email protected]] > /system license print
  software-id: 5ABC-DEF0
       nlevel: 5
     features: 

Posted by Uli Köhler in MikroTik, Networking

How to find out architecture of your Mikrotik RouterOS router

Find out the CPU architecture using the webinterface (WebFig)

In the WebFig Web UI you can go to System -> Resources where you can see the architecture listed as Architecture name:

Find out the CPU architecture using the terminal

On the terminal, run

/system resource print

and look for the architecture-name line. In the following example, the architecture is arm:

[[email protected]] > /system resource print
                   uptime: 10m24s
                  version: 7.3.1 (stable)
               build-time: Jun/09/2022 08:58:15
         factory-software: 6.44.6
              free-memory: 446.0MiB
             total-memory: 512.0MiB
                      cpu: ARM
                cpu-count: 2
                 cpu-load: 0%
           free-hdd-space: 1148.0KiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 595
         write-sect-total: 139871
               bad-blocks: 0%
        architecture-name: arm
               board-name: CRS326-24G-2S+
                 platform: MikroTik


Posted by Uli Köhler in MikroTik, Networking

Which MikroTik switch can you use with 100M SFP modules?

Generally, 100M SFP modules cannot be used with SFP+ ports. They can sometimes be used with SFP ports; however, there is no guarantee they will work properly until you've actually tested the compatibility of the hardware!

Besides using a 100M SFP module with a 100M-compatible SFP port, there is also the possibility of using an SFP module with an integrated converter. FS offers such a device for ~55€, but at the moment I do not know if it is compatible with any MikroTik device.

Compatible devices

The MikroTik help page lists the CRS106-5S-1C as being compatible with both 100M and 1G SFP modules:

This unit is compatible with 100Mbit and 1.25G SFP modules

It has 5 SFP ports and 1 Combo SFP or GigE port.

Furthermore, the MikroTik wiki has a list of devices compatible with 100M fiberoptic transceivers – at the time of writing this post:

  • CCR1009-7G-1C
  • CCR1009-7G-1C-1S+
  • CRS106-1C-5S
  • CRS328-4C-20S-4S+
  • LHG XL 52 ac
  • RBD22/D23/mANTBox 52 15s/NetMetal ac²

Besides manually searching the MikroTik site for other compatible devices, I also used Google to search for similar sentences on the MikroTik site. I could not find any other MikroTik device for which any statement about 100Mbit SFP compatibility is being explicitly made.

Incompatible devices

For the following devices I have checked the respective MikroTik help page and it does not list compatibility with 100M SFP modules. This does not automatically mean they aren’t compatible but it’s much less likely. Possibly the help page will be updated in the future to indicate compatibility. I have not physically tested any of those devices with 100M transceivers.

  • CRS310-1G-5S-4S+IN
  • CRS112-8P-4S-IN
  • hEX S
  • CRS109-8G-1S-2HnD-IN
  • CRS212-1G-10S-1S+IN

Often, the help pages will read something like Compatible with 1.25G SFP modules. This means that standard 100Mbit SFP modules are incompatible.

Posted by Uli Köhler in Electronics, MikroTik, Networking

How to get router identity (name) in MikroTik RouterOS scripting

Use

[/system identity get name]

For example, you can use it like this:

/tool e-mail send [email protected] subject="My identity is $[/system identity get name]"


Posted by Uli Köhler in MikroTik, Networking

How to insert output of command into string in MikroTik RouterOS (scripting)

If you have a MikroTik RouterOS command such as

/tool e-mail send [email protected] subject="MikroTik test E-Mail"

you can insert the output of a command such as

/system identity get name

into it by using the $[...] syntax:

/tool e-mail send [email protected] subject="My identity is $[/system identity get name]"
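The following RouterOS script, an added example rather than code from the original posts, ties together the scripting snippets on this page (:put, $[...] interpolation, /system clock get time, /system identity get name) with the free-hdd-space value from /system resource print to warn when flash space runs low. The threshold and the e-mail recipient are assumptions; adjust them to your device.

```routeros
# Added example, not from the original posts. Paste into
# System -> Scripts or run it from the terminal.

# Assumption: warn below roughly 195 KiB of free flash. Values returned by
# "get free-hdd-space" are raw bytes, unlike the "44.0KiB" shown by print.
:local threshold 200000

# Each $[...] / [...] expression is replaced by the command's output.
:local freeSpace [/system resource get free-hdd-space]
:local identity [/system identity get name]
:local now [/system clock get time]

:if ($freeSpace < $threshold) do={
    # Same $[...] interpolation as in the e-mail subject shown above,
    # here used to build a message from several commands at once.
    :local msg "$identity - low flash space: $freeSpace bytes free at $now"
    # Write to the router log so the condition is visible in Log / syslog.
    :log warning $msg
    :put $msg
    # Optional notification; requires /tool e-mail to be configured first.
    # Assumption: the recipient address is a placeholder.
    # /tool e-mail send to="admin@example.invalid" subject=$msg body=$msg
} else={
    :put "$identity - $freeSpace bytes of flash free at $now"
}
```

Running the script prints a line such as "MikroTik - 1175552 bytes of flash free at 22:55:11" and only logs a warning when the threshold is crossed, so it can be scheduled via System -> Scheduler without flooding the log.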


Posted by Uli Köhler in MikroTik, Networking

How to setup Cloudflare DNS-over-HTTPS (DoH) cache on MikroTik RouterOS router

Compared to standard UDP DNS, DNS-over-HTTPS (DoH) provides the huge advantage that, because it is encrypted, someone able to sniff the traffic will not be able to determine which domain names are being resolved.

However, consider the disadvantage that the latency of resolving a domain name is significantly larger with DoH. Setting up the MikroTik router as a DNS cache will significantly reduce the overall DNS latency, at least for cached domain names.

The following list of RouterOS commands will set up the internal DNS server as a DNS cache running on DNS-over-HTTPS.

First, download CA certificates onto the router in order to be able to verify Cloudflare's HTTPS certificates:

/tool fetch url=https://curl.se/ca/cacert.pem

Wait for it to finish downloading, e.g.

[[email protected]] > /tool fetch url=https://curl.se/ca/cacert.pem
      status: finished
  downloaded: 210KiB
       total: 210KiB
    duration: 1s

Now import the file and set up the DNS server:

/certificate import file-name=cacert.pem passphrase=""
/ip dns set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=2000 servers=1.1.1.1 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes


Posted by Uli Köhler in MikroTik, Networking

MikroTik webinterface reverse proxy using Traefik

The following Traefik .toml file which reverse proxies a MikroTik router’s WebFig webinterface is based on our Traefik setup from Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges. It assumes that the MikroTik router is reachable at 10.1.2.3 via HTTP.

No authentication beyond the MikroTik router's WebFig internal authentication is performed. However, at least when using the Traefik config from our previous post, Traefik enforces HTTPS, i.e. encrypted access.

Save the following file under config/mikrotik01.toml. Traefik will automatically reload, no restart will be required.

[http.routers.mikrotik01]
rule = "Host(`mikrotik01.mydomain.com`)"
service = "mikrotik01"

[http.routers.mikrotik01.tls]
certresolver = "cloudflare"

[[http.routers.mikrotik01.tls.domains]]
main = "mydomain.com"
sans = ["*.mydomain.com"]

[http.services]
[http.services.mikrotik01.loadBalancer]
[[http.services.mikrotik01.loadBalancer.servers]]
url = "http://10.1.2.3/"


Posted by Uli Köhler in MikroTik, Networking, Traefik

XenOrchestra docker-compose setup with Traefik labels

Based on Simple XenOrchestra setup using docker-compose, this extension of our config from that post features Traefik container labels. For the Traefik configuration, see for example our previous post Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges.

This setup uses a Wildcard certificate but you can also use a non-wildcard cert (e.g. if you don’t have access to the DNS for the DNS01 challenge) by just deleting both traefik.http.routers.xenorchestra.tls.domains... lines and selecting a suitable resolver.

version: '3'
services:
    xen-orchestra:
        restart: unless-stopped
        image: ronivay/xen-orchestra:latest
        container_name: xen-orchestra
        network_mode: host
        stop_grace_period: 1m
        environment:
            - HTTP_PORT=1780
        cap_add:
          - SYS_ADMIN
        security_opt:
          - apparmor:unconfined
        volumes:
          - ./xo-data:/var/lib/xo-server
          - ./redis-data:/var/lib/redis
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.xenorchestra.rule=Host(`xenorchestra.mydomain.com`)"
          - "traefik.http.routers.xenorchestra.entrypoints=websecure"
          - "traefik.http.routers.xenorchestra.tls.certresolver=cloudflare"
          - "traefik.http.routers.xenorchestra.tls.domains[0].main=mydomain.com"
          - "traefik.http.routers.xenorchestra.tls.domains[0].sans=*.mydomain.com"
          - "traefik.http.services.xenorchestra.loadbalancer.server.port=1780"


Posted by Uli Köhler in MikroTik, Networking, Virtualization

How to enable/disable WireGuard peer by comment on MikroTik

To enable the WireGuard peer called MyPeer:

/interface/wireguard/peers/enable [find comment="MyPeer"]

To disable the WireGuard peer called MyPeer:

/interface/wireguard/peers/disable [find comment="MyPeer"]


Posted by Uli Köhler in MikroTik, Networking