MikroTik

Jun

2022

How to find out architecture of your Mikrotik RouterOS router

Find out the CPU architecture using the webinterface (WebFig)

In the WebFig Web UI you can go to System -> Resources where you can see the architecture listed as Architecture name:

Find out the CPU architecture using the terminal

On the terminal, run

/system resource print

and look for the architecture-name line. In the following example, the architecutre is arm:

[admin@MyRouter] > /system resource print
                   uptime: 10m24s
                  version: 7.3.1 (stable)
               build-time: Jun/09/2022 08:58:15
         factory-software: 6.44.6
              free-memory: 446.0MiB
             total-memory: 512.0MiB
                      cpu: ARM
                cpu-count: 2
                 cpu-load: 0%
           free-hdd-space: 1148.0KiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 595
         write-sect-total: 139871
               bad-blocks: 0%
        architecture-name: arm
               board-name: CRS326-24G-2S+
                 platform: MikroTik

Jun

2022

Which MikroTik switch can you use with 100M SFP modules?

Generally, 100M SFP modules can not be used with SFP+ ports. They sometimes can be used with SFP ports, however there is no guarantee it will work properly until you’ve actually tested the compatibility of the hardware!

Besides using a 100M SFP Module with a 100M-compatible SFP port, there is also the possibility of using a SFP Module with integrated converter. FS offers such a device for ~55€ but at the moment I do not know if it is compatible with an Mikrostil device.

Compatible devices

The MikroTik help page lists the CRS106-5S-1C as being compatible with both 100M and 1G SFP modules:

This unit is compatible with 100Mbit and 1.25G SFP modules

It has 5 SFP ports and 1 Combo SFP or GigE port.

Furthermore, the MikroTik wiki has a list of devices compatible with 100M fiberoptic transceivers – at the time of writing this post:

CCR1009-7G-1C
CCR1009-7G-1C-1S+
CRS106-1C-5S
CRS328-4C-20S-4S+
LHG XL 52 ac
RBD22/D23/mANTBox 52 15s/NetMetal ac²

Besides manually searching the MikroTik site for other compatible devices, I also used Google to search for similar sentences on the MikroTik site. I could not find any other MikroTik device for which any statement about 100Mbit SFP compatibility is being explicitly made.

Incompatible devices

For the following devices I have checked the respective MikroTik help page and it does not list compatibility with 100M SFP modules. This does not automatically mean they aren’t compatible but it’s much less likely. Possibly the help page will be updated in the future to indicate compatibility. I have not physically tested any of those devices with 100M transceivers.

CRS310-1G-5S-4S+IN
CRS112-8P-4S-IN
hEX S
CRS109-8G-1S-2HnD-IN
CRS212-1G-10S-1S+IN

Often, the help pages with read something like Compatible with 1.25G SFP modules. This means that standard 100Mbit SFP modules are incompatible.

Jun

2022

How to get router identity (name) in MikroTik RouterOS scripting

Use

[/system identity get name]

For example, you can use it like this:

/tool e-mail send [email protected] subject="My identity is $[/system identity get name]"

Jun

2022

How to insert output of command into string in MikroTik RouterOS (scripting)

If you have a MikroTik RouterOS command such as

/tool e-mail send [email protected] subject="MikroTik test E-Mail"

you can insert the output of a command such as

/system identity get name

into it by using the $[...] syntax:

/tool e-mail send [email protected] subject="My identity is $[/system identity get name]"

Jun

2022

How to send test email on MikroTik RouterOS

First configure a SMTP server – see How to configure SMTP server on MikroTik RouterOS:

Now you can send a test email to your E-Mail address ([email protected]) using

/tool e-mail send [email protected] subject="MikroTik test E-Mail"

Jun

2022

How to setup Cloudflare DNS-over-HTTPS (DoH) cache on MikroTik RouterOS router

Compared to standard UDP DNS, DNS-over-HTTPS (DoH) provides the huge advantage that – due to it being encrypted, someone able to sniff the traffic will not be able to determine what domain names are being used.

However, consider the disadvantage that the latency of resolving a domain name is significantly larger with DoH – however, setting up the MikroTik router as DNS cache will significantly reduce the overall DNS latency, at least for cached domain names.

The following list of RouterOS commands will setup the internal DNS server as a DNS cache running on DNS-over-HTTPS.

First, download CA certificates onto the router in order to be able to verify CloudFlare’s HTTPS certificates:

/tool fetch url=https://curl.se/ca/cacert.pem

Wait for it to finish downloading, e.g.

[admin@MikroTik] > /tool fetch url=https://curl.se/ca/cacert.pem
      status: finished
  downloaded: 210KiBz pause]
       total: 210KiB
    duration: 1s

Now import the file and setup the DNS server:

/certificate import file-name=cacert.pem passphrase=""
/ip dns set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=2000 servers=1.1.1.1 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

Jun

2022

MikroTik webinterface reverse proxy using Traefik

The following Traefik .toml file which reverse proxies a MikroTik router’s WebFig webinterface is based on our Traefik setup from Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges. It assumes that the MikroTik router is reachable at 10.1.2.3 via HTTP.

No Authentication beyond the MikroTik router’s WebFig internal authentication is performed. However – at least when using our Traefik config from our previous post it enforces HTTPS i.e. encrypted access.

Save the following file under config/mikrotik01.toml. Traefik will automatically reload, no restart will be required.

[http.routers.mikrotik01]
rule = "Host(`mikrotik01.mydomain.com`)"
service = "mikrotik01"

[http.routers.mikrotik01.tls]
certresolver = "cloudflare"

[[http.routers.mikrotik01.tls.domains]]
main = "mydomain.com"
sans = ["*.mydomain.com"]

[http.services]
[http.services.mikrotik01.loadBalancer]
[[http.services.mikrotik01.loadBalancer.servers]]
url = "http://10.1.2.3.4/"

Apr

2022

How to enable/disable WireGuard peer by comment on MikroTik

To enable the WireGuard peer called MyPeer:

/interface/wireguard/peers/enable [find comment="MyPeer"]

To disable the WireGuard peer called MyPeer:

/interface/wireguard/peers/disable [find comment="MyPeer"]

Dec

2021

How to update WireGuard peer endpoint address using DNS on MikroTik RouterOS

Update 2022-12-30: Updated code, now uses variables

Assuming your peer comment is peer1 and the correct endpoint DNS record is peer1.mydomain.com, you can use this RouterOS script to update the endpoint based on the DNS record:

:local PEERCOMMENT 
:local DOMAIN 

:set PEERCOMMENT "peer1"
:set DOMAIN "peer1.mydomain.com"

:if ([interface wireguard peers get number=[find comment=$PEERCOMMENT] value-name=endpoint-address] != [/resolve $DOMAIN]) do={
    interface wireguard peers set number=[find comment=$PEERCOMMENT] endpoint-address=[/resolve $DOMAIN]
}

Modify the variables to suit your Wireguard config: Set PEERCOMMENT to the comment of the peer that should be updated and set DOMAIN to the DNS domain name that should be used to update the peer’s IP address

After that, add it as a new script in System -> Scripts, then add a Scheduler to run the script e.g. every 30 seconds under System -> Scheduler

Script settings

Scheduler settings

Related posts which might make the process easier to understand:

Dec

2021

How to check if WireGuard Peer endpoint address equals DNS record using RouterOS scripting on MikroTik

Assuming your peer comment is peer1 and the correct endpoint DNS record is peer1.mydomain.com:

([interface wireguard peers get number=[find comment=peer1] value-name=endpoint-address] = [resolve peer1.mydomain.com])

This will return true if the peer endpoint is the same as the DNS record.

Example

[admin@CoreSwitch01] > :put ([interface wireguard peers get number=[find comment=peer1] value-name=endpoint-address] = [resolve peer1.mydomain.com])
true

Dec

2021

RouterOS scripting: How to get Wireguard peer endpoint address on MikroTik

We assume that the peer you want to find info about has comment=peer1.mydomain.com. Use

Use

interface wireguard peers get number=[find comment=peer1.mydomain.com] value-name=endpoint-address

or use :put [...] to print the value:

:put [interface wireguard peers get number=[find comment=peer1.mydomain.com] value-name=endpoint-address]

Example

[admin@CoreSwitch01] > :put [interface wireguard peers get number=[find comment=peer1.mydomain.com] value-name=endpoint-address]
12.245.102.141

Dec

2021

How to resolve DNS name in MikroTik RouterOS scripting/command line

In order to resolve a DNS name use

resolve <domain name>

Use

:put [resolve <domain name>]

to resolve a domain name and print the IP address.

Example

:put [resolve techoverflow.net]

Output:

[admin@CoreSwitch01] > :put [resolve techoverflow.net]
172.67.166.211

Jul

2021

What is MikroTik RouterOS WebFig?

WebFig is the Web UI for MikroTik RouterOS routers. When people say to use WebFig for a given task, this typically means to not use the MikroTik terminal.

Jul

2021

How to add RFC1918 address list to MikroTik using terminal

Use these commands to add all RFC1918 networks to a MikroTik RouterOS IP address list:

/ip firewall address-list add address=10.0.0.0/8 list=RFC1918
/ip firewall address-list add address=172.16.0.0/12 list=RFC1918
/ip firewall address-list add address=192.168.0.0/16 list=RFC1918

Jul

2021

How to fix MikroTik RouterOS Couldn’t add New Firewall Address List – … is not a valid dns name (6)

Problem:

If you want to add a MikroTik Address List e.g. for use in firewall rules like this:

you see an error message like

Couldn't add New Firewall Address List - 192.168.0.0/24,10.0.0.0/8 is not a valid dns name (6)

Solution:

You can’t add multiple addresses to an address list at once. The way to add multiple addresses to an address list is to create multiple entries with the same Name.

See our detailed guide on How to add multiple addresses to MikroTik RouterOS address list using WebFig for more details on how to achieve that in WebFig.

Jul

2021

How to add multiple addresses to MikroTik RouterOS address list using WebFig

If you are trying to create a MikroTik firewall address list using WebFig (in IP/Firewall), you will see that you can’t just add multiple addresses in the Address field:

How to add multiple addresses

First, add the first address like this:

This will look like this in the Address List view:

Then, add another address with the same name (the comment can be different if you want). You can also select the name using the dropdown for the Name field.

This will look like this in the Address List view:

Our RFC1918 list will now identify both networks 10.0.0.0/8 and 192.168.0.0/16.

Jun

2021

Real-world data on CRS309-1G-8S+ RouterOS Wireguard throughput

Also see Wireguard bandwidth performance of the MikroTik CRS326-24G-2S+

We tested the throughput of the new Wireguard functionality MikroTik CRS309-1G-8S+ running on RouterOS 7.1beta6.

Our test setup consists of a Desktop PC with 1GBase-T connection and a virtualized server on XCP-NG, attached with a 10GB shared connection, both running Ubuntu. Note that the L2 switching infrastructure (consisting only of MikroTik CRS3xx and CRS610 switching with complete hardware offloading) is ignored here because due to 100% hardware offloading to the marvelous Marvell switch chips it has orders of magnitude higher performance compared to any L3 function, hence it will only have minimal impact only the overall performance.

Wireguard was being used without preshared keys. Hitherto, it is unknown to us whether PSKs will have an impact on throughput.

The command on the Desktop was

dd if=/dev/urandom bs=100M | netcat -v 10.185.244.199 2222

whereas the command on the server was

netcat -vvnlp 2222 > /dev/null

As we expected with an uncompressed protocol like Wireguard, there is no difference if you pipe the data from /dev/urandom as opposed to /dev/zero.

Scenario: Routing from Wireguard to local routed VLAN

With IP firewall

The Desktop was connected to the CRS309-1G-8S+ using Wireguard. The virtual server was connected to the CRS309 as default gateway within a separate VLAN that was designed to be routed. The CRS309 L3 hardware offloading capability was disabled.

The IP firewall contained 8 simple accept and fasttrack rules. All the WireGuard traffic only matched the last (8th) rule and was accepted. It has not been tested whether fasttracking the Wireguard connection would increase performance

The throughput results showed a steady rate of 131 Mbit/s (unidirectional, bidirectional not tested), but up to 160 Mbit/s. It is unknown what caused the increase in speed, but it’s possible that additional traffic was L3-forwarded over the switch during the test.

Without IP firewall

The same test was repeated with the IP firewall being disabled in the Bridge Settings.

As expected, disabling additional IP firewall processing caused the throughput to increase, but only by a small margin. The typical speed was around 160 Mbit/s (unidirectional), with peaks up to 185 Mbit/s.

Conclusion

It should be pretty obvious that the CRS309-1G-S+ outperforms most conventional VPN solutions when using Wireguard. For a street price of ~175€, it is not only an awesome switch, but also doubles as a more than adequate Wireguard router for most practical applications.

Reliablity considerations

Note that at the moment of writing this article, Wireguard is only available in the RouterOS 7.1beta6 firmware, which is not yet considered stable. While I have not experienced any problems that have affected reliability in any way, if you run a network where it hurts if it fails, you should consider using alternative solutions in the meantime.

Jun

2021

Wireguard bandwidth performance of the MikroTik CRS326-24G-2S+

Also see Real-world data on CRS309-1G-8S+ RouterOS Wireguard throughput

We tested the new Wireguard functionality MikroTik CRS326-24G-2S+ running on RouterOS 7.1beta6.

Wireguard was being used without preshared keys. Hitherto, it is unknown to us whether PSKs will have an impact on throughput.

Scenario: Routing between two wireguard VPNs

Both the Desktop and the server were connected to two different Wireguard interfaces on the CRS326-24G-2S+.

The CRS326 routed between those interfaces. The virtualized server ran a netcat server while the Desktop ran the wireguard client. IP firewall was disabled during this test, but the switch still had to L3 forward the packets.

Throughput results

The effective throughput of L3 forwarding, doing one Wireguard decryption and one WireGuard encryption operation (both without PSK) is 108.1 Mbit/s (unidirectional. Bidirectional has not been tested)

This is an awesome result, considering that the CRS326-24G-2S+ is only ~120€ street price and is an awesome switch. But it seems like Wireguard is capable of making a high performance VPN router from just a managed MikroTik switch.

Reliablity considerations

Jun

2021

How to import standard CA certificates into MikroTik RouterOS

You can use the following commands to download the standard CA certificates from the Curl webpage and import them:

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""

This will typically take a couple of minutes.

I recommend to connect to your MikroTik router using SSH, e.g.

ssh [email protected]

so you’re able to copy and paste commands more easily.

Find out the CPU architecture using the webinterface (WebFig)

Find out the CPU architecture using the terminal

Compatible devices

Incompatible devices

Script settings

Scheduler settings

Example

Example

Example

Problem:

Solution:

How to add multiple addresses

Scenario: Routing from Wireguard to local routed VLAN

With IP firewall

Without IP firewall

Conclusion

Reliablity considerations

Scenario: Routing between two wireguard VPNs

Throughput results

Reliablity considerations

Search

Categories