Category: Mikrotik


Upgrading a Mikrotik's firmware is fairly easy: upload the package file and reboot the router. But there isn't a built-in way to schedule that reboot.

I have made a script to make it easy.
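As an added example (not the script from the original post), this is one way to get the scheduled reboot from the standard scheduler: a one-shot script that reboots at a quiet hour and removes its own scheduler entry so it never fires again. The name "reboot-for-upgrade" and the time 03:00 are assumptions.

```routeros
# Added example, not the script from the original post: reboot once at a quiet hour
# after the RouterOS package has been uploaded, then remove the scheduler entry so it
# does not fire again. Assumed: the name "reboot-for-upgrade" and the time 03:00.
/system script
add name=reboot-for-upgrade policy=reboot,read,write source=":log warning \"reboot-for-upgrade: rebooting to apply the uploaded package\"; /system scheduler remove [find name=\"reboot-for-upgrade\"]; /system reboot"

/system scheduler
add name=reboot-for-upgrade start-time=03:00:00 interval=1d policy=reboot,read,write on-event=reboot-for-upgrade
```

Upload the .npk to the root of Files first; RouterOS installs it on the next reboot. A reboot issued from a script does not ask for confirmation, and with no start-date the entry runs at the next 03:00, after which the script has already deleted it. Check /system package print afterwards to confirm the new version took.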


Now that we have lots of 4G dongles providing clients a failover when their ADSL dies (crappy copper means when, not if), we need to monitor the status of the routes.

For this to work you need to do a few things first.


The default IP address on the Telstra MF823 4G router is 192.168.0.1.

If you want to connect it behind a router on a LAN that uses the same IP range (which should never happen in the real world, of course...), you need to change the IP on the 4G router.

You can call Telstra and wait around for a while, or follow these steps.


After giving up on IPSEC tunnels (not EoIP over IPSEC, though), I have created the below.

We all know how bad PPTP tunnels are, and that having them merely annoys the people trying to steal your data rather than actually protecting it.


With the release of Mikrotik RouterOS 6.30, you can now put IPSEC over an EoIP tunnel, creating a secure, encrypted and easy-to-set-up VPN.

For sites with dynamic addresses, you need to keep the local and remote IPs of the tunnel updated.
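An added example of how the endpoint update can be done (this is not code from the original post). It assumes a tunnel named "eoip-siteB", a single address on the local WAN interface "ether1", and a DDNS name "siteb.example.net" that the far end keeps pointed at its current WAN IP; all three are assumptions. Save it as a script named eoip-update and run it from the scheduler.

```routeros
# Added example, not code from the original post: refresh an EoIP tunnel's endpoints
# when both sites have dynamic WAN addresses. Assumed names: tunnel "eoip-siteB",
# local WAN interface "ether1" (one address on it) and the DDNS name
# "siteb.example.net" that the far end keeps pointed at its current WAN IP.
:local wanIf "ether1"
:local tunnel "eoip-siteB"
:local remoteName "siteb.example.net"

# Our own WAN address, with the /prefix length stripped off
:local addr [/ip address get [find interface=$wanIf] address]
:local localIp [:toip [:pick $addr 0 [:find $addr "/"]]]

# Resolve the far end; if DNS fails, keep the current settings rather than blanking them
:local remoteIp ""
:do { :set remoteIp [:resolve $remoteName] } on-error={
    :log warning "eoip-update: cannot resolve $remoteName, leaving $tunnel unchanged"
    :error "resolve failed"
}

# Only touch the interface when something actually changed, so the tunnel is not
# bounced every run
:local curLocal [/interface eoip get [find name=$tunnel] local-address]
:local curRemote [/interface eoip get [find name=$tunnel] remote-address]
:if ($curLocal != $localIp || $curRemote != $remoteIp) do={
    /interface eoip set [find name=$tunnel] local-address=$localIp remote-address=$remoteIp
    :log info "eoip-update: $tunnel endpoints set to $localIp -> $remoteIp"
}

# Run it every five minutes (type this at the terminal once):
# /system scheduler add name=eoip-update interval=5m on-event=eoip-update policy=read,write,test
```

With the built-in IPsec option on the EoIP interface that 6.30 added, the IPsec peer follows the tunnel's endpoint addresses, so these two fields are all that has to track the dynamic IPs; if you built the IPsec peer and policy by hand instead, update the peer address from the same script. Both sites need the same script pointing at each other's DDNS name.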


This method never worked as planned. The IPSEC tunnel left a hidden route in the routing table, so it just got messy. Try this one instead:

http://blog.greypuddles.net/?p=258

I needed a way to fail over from an IPSEC tunnel with static IPs at each end to a PPTP tunnel from a site with a non-routable address.

The main problem is that I have the remote subnet listed as reachable via bridge.Local to allow the IPSEC traffic and to allow NetWatch to monitor the remote sites.

The solution is as follows:

  • Set up and test the IPSEC tunnel.
  • Set up the PPTP tunnel to the remote site as needed.
  • Add a second route to the remote subnet with a higher distance (lower preference) than the normal route.
  • Add a comment to the remote site route so a script can find it.

/ip route
add check-gateway=ping comment="over ipsec" distance=1 dst-address=10.4.44.0/24 \
gateway=bridge.Local
add distance=10 dst-address=10.4.44.0/24 gateway=pptp-out1
add distance=1 dst-address=192.168.1.1/32 gateway="ether1-ADSL Modem"

In this setup, the local subnet is 10.4.40.0/24 and the remote subnet is 10.4.44.0/24.

Then add the NetWatch entries below, where 1.2.3.4 is the STATIC IP address of the main interface.

/tool netwatch
add host=10.4.44.253
add down-script=\
"/ip route set [/ip route find where comment=\"over ipsec\"] disabled=yes" \
host=1.2.3.4 up-script=\
"/ip route set [/ip route find where comment=\"over ipsec\"] disabled=no"

The comment "over ipsec" is used to identify the route that is going to get changed.

When the main interface goes down, NetWatch disables the route via bridge.Local and lets the distance 10 PPTP route kick in.
The PPTP interface should redial as needed to get a connection over the second internet connection, and all should just work. I will be testing that tomorrow.

In testing now with only one interface: when the "over ipsec" route is enabled, all traffic goes over the IPSEC tunnel; when that route gets disabled, traffic flows over the PPTP.

If you have a dynamic WAN IP address, you will have to get more creative, running a lookup using /ip address print and putting the result into this NetWatch host.

I'm sure there are much cleaner ways of doing this, as this will not fail over if the IPSEC tunnel fails but the ADSL stays alive, but that's a topic for another day.
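For the dynamic WAN case mentioned above, here is an added example (not code from the original post) that copies the main interface's current address into the NetWatch host carrying the up/down scripts. It assumes the interface is "ether1-ADSL Modem" with a single address on it, and that the NetWatch entry is tagged with comment="wan watch" (add that comment to the host=1.2.3.4 entry above, or create it as shown at the end); the script and scheduler names are also assumptions.

```routeros
# Added example, not code from the original post: for a dynamic WAN address, copy the
# main interface's current IP into the NetWatch host that toggles the "over ipsec" route.
# Assumes the interface "ether1-ADSL Modem" has a single address, and that the NetWatch
# entry carrying the up/down scripts is tagged with comment="wan watch".
:local wanIf "ether1-ADSL Modem"
:local nw [/tool netwatch find where comment="wan watch"]

:do {
    # "1.2.3.4/24" -> 1.2.3.4
    :local addr [/ip address get [find interface=$wanIf] address]
    :local ip [:toip [:pick $addr 0 [:find $addr "/"]]]
    :if ([/tool netwatch get $nw host] != $ip) do={
        /tool netwatch set $nw host=$ip
        :log info "wan watch: now pinging $ip"
    }
} on-error={
    # No address on the interface (link down, PPPoE not up): leave the watch alone;
    # its existing down-script already handles the failover.
    :log warning "wan watch: no address on $wanIf, host unchanged"
}

# One-time setup at the terminal (the up/down scripts are the same as in the post):
# /tool netwatch add host=0.0.0.0 comment="wan watch" \
#   down-script="/ip route set [/ip route find where comment=\"over ipsec\"] disabled=yes" \
#   up-script="/ip route set [/ip route find where comment=\"over ipsec\"] disabled=no"
# /system scheduler add name=wan-watch-update interval=1m on-event=wan-watch-update policy=read,write,test
```

One thing not to do about the caveat at the end of the post: putting the same down/up scripts on the host=10.4.44.253 watch would flap, because once the "over ipsec" route is disabled that host answers over PPTP, the up-script re-enables the IPSEC route, the ping fails again, and so on.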

I needed a way of resolving DNS names to IPs for use in firewall rules. The host name lives in each address-list entry's comment, and a scheduled script writes the resolved IP back into the address field.

/ip firewall address-list
add address=216.58.220.100 comment=www.google.com list=dns_list
add address=1.2.3.4 comment=www.website1.com list=dns_list
add address=157.56.242.98 comment=outlook.com list=dns_list

 

/system scheduler
add interval=9m1s name=DNSLookup on-event=DNSLookupScrip policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
jan/01/1970 start-time=00:00:01

/system script
add name=DNSLookupScrip policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":foreach \
dnsitems in=[ /ip firewall address-list find where list=\"dns_list\" ] do={\
\r\
\n /ip firewall address-list set \$dnsitems address=[:resolve [/ip firewall \
address-list get \$dnsitems comment]];\r\
\n};"

Or, the same script body as typed at the terminal or pasted into the script's source field:

:foreach dnsitems in=[ /ip firewall address-list find where list="dns_list" ] do={
/ip firewall address-list set $dnsitems address=[:resolve [/ip firewall address-list get $dnsitems comment]];
};
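Two things bite with the loop above: :resolve raises an error when a name does not resolve, which aborts the whole script and leaves every later entry stale, and the scheduler and script carry far more policies (ftp, reboot, password, sniff, sensitive) than a lookup needs. As an added example (not code from the original post), here is the same loop rewritten to handle a failed lookup per entry, leave unchanged entries alone, and log what it did; it keeps the list name "dns_list" and the convention of holding the host name in the comment, while the script and scheduler name "dns-list-refresh" is an assumption.

```routeros
# Added example, not code from the original post: the dns_list resolver loop, rewritten
# so that one unresolvable name no longer aborts the whole run, unchanged entries are
# left alone, and failures are logged. Same list name and comment convention as above.
:foreach id in=[/ip firewall address-list find where list="dns_list"] do={
    :local name [/ip firewall address-list get $id comment]
    :local current [/ip firewall address-list get $id address]
    :do {
        :local fresh [:resolve $name]
        :if ($fresh != $current) do={
            /ip firewall address-list set $id address=$fresh
            :log info "dns_list: $name moved from $current to $fresh"
        }
    } on-error={
        # DNS failed for this name: keep the last known address rather than wiping
        # the entry, and carry on with the rest of the list
        :log warning "dns_list: could not resolve $name, keeping $current"
    }
}

# Scheduler entry for the script above, saved as "dns-list-refresh" (assumed name),
# trimmed to read, write and test instead of the full policy list:
# /system scheduler add name=dns-list-refresh interval=10m on-event=dns-list-refresh policy=read,write,test
```

Keep in mind what the list actually contains: :resolve returns a single address, so a name like www.google.com that answers from many addresses is only ever represented by one of them, and whatever it resolved to between runs is what your rules allow or block. Newer RouterOS releases can take a DNS name directly in the address field of an address-list entry and re-resolve it themselves, which removes the need for this script.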