
The Mikrotik RouterOS config, tips and tricks thread

  • 04-08-2012 11:40am
    #1
    Closed Accounts Posts: 13,874 ✭✭✭✭


      MMM      MMM       KKK                          TTTTTTTTTTT      KKK
      MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
      MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
      MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
      MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
      MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK
    
      MikroTik RouterOS 5.18 (c) 1999-2012       http://www.mikrotik.com/
    
    

    I've been recommending Mikrotik products for ages, so I decided to put up a thread where we can post some config, tips and tricks. This code can be pasted straight into a terminal in Winbox and is effective immediately, no reboot required.

    This is a basic firewall that covers everything; it also blacklists IP's for 10 days after a few ssh attempts and logs all login attempts. You can see the logged and blacklisted IP addresses in ip-->firewall-->address lists.
    /ip firewall filter
    add action=accept chain=input comment="allow ICMP" disabled=no protocol=icmp
    add action=accept chain=input comment="allow winbox" disabled=no dst-port=8291 protocol=tcp
    add action=accept chain=input comment="allow api" disabled=no dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" disabled=no dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
    add action=accept chain=input comment="allow ssh" disabled=no dst-port=22 protocol=tcp
    add action=accept chain=input comment="accept vpn" disabled=no dst-port=1723 in-interface=ether1-gateway protocol=tcp
    add action=accept chain=input comment="accept vpn gre" disabled=no in-interface=ether1-gateway protocol=gre
    add action=drop chain=input comment="drop ftp" disabled=no dst-port=21 protocol=tcp
    add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
    add action=accept chain=forward comment="allow already established connections" connection-state=established disabled=no
    add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
    add action=drop chain=input comment="drop Invalid connections" connection-state=invalid disabled=no
    add action=accept chain=input comment="allow established connections" connection-state=established disabled=no
    add action=accept chain=input comment="acccept lan" disabled=no in-interface=!ether1-gateway src-address=192.168.88.0/24
    add action=drop chain=input comment="drop everything else" disabled=no
    

    Here are 2 sample port forwards (disabled), a UDP and a TCP, from port 5000 to LAN IP 192.168.88.254 on port 5000. Add them, then you can click copy, edit the copy and enable them.
    /ip firewall nat
    add action=dst-nat chain=dstnat comment="sample udp from port 5000 to 5000 (lan ip 192.168.1.254)" disabled=yes dst-port=5000 protocol=udp to-addresses=192.168.88.254 to-ports=5000
    add action=dst-nat chain=dstnat comment="sample tcp from port 5000 to 5000 (lan ip 192.168.1.254)" disabled=yes dst-port=5000 protocol=tcp to-addresses=192.168.88.254 to-ports=5000
    

    This adds NTP so you never need to set the time after rebooting.
    /system ntp client
    set enabled=yes mode=unicast primary-ntp=140.203.204.77 secondary-ntp=0.0.0.0
    

    This sets the DNS cache; change the servers to whatever DNS you use. You can check the cache in ip-->dns.
    /ip dns
    set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB max-udp-packet-size=512 servers=88.81.100.2,88.81.98.4
    

    If you set the DNS cache, you're going to need to make the DHCP server give out the router IP as the DNS.
    /ip dhcp-server network
    add address=192.168.88.0/24 comment="default configuration" dhcp-option="" dns-server=192.168.88.1 \
        gateway=192.168.88.1 ntp-server="" wins-server=""
    


    I'll post more and get some scripts up later.



Comments

  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    This adds the DynDNS script that checks and updates your public IP to DynDNS. Edit it with your own username, password and hostname.
    /system script
    add name=dynDns policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="# Set needed variables\r\
        \n:local username \"username\"\r\
        \n:local password \"password\"\r\
        \n:local hostname \"hostname.dyndns.org\"\r\
        \n\r\
        \n:global dyndnsForce\r\
        \n:global previousIP \r\
        \n\r\
        \n# print some debug info\r\
        \n:log info (\"UpdateDynDNS: username = \$username\")\r\
        \n:log info (\"UpdateDynDNS: password = \$password\")\r\
        \n:log info (\"UpdateDynDNS: hostname = \$hostname\")\r\
        \n:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\r\
        \n\r\
        \n# get the current IP address from the internet (in case of double-nat)\r\
        \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-path=\"/dyndns.checkip.html\"\r\
        \n:local result [/file get dyndns.checkip.html contents]\r\
        \n\r\
        \n# parse the current IP result\r\
        \n:local resultLen [:len \$result]\r\
        \n:local startLoc [:find \$result \": \" -1]\r\
        \n:set startLoc (\$startLoc + 2)\r\
        \n:local endLoc [:find \$result \"</body>\" -1]\r\
        \n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
        \n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
        \n\r\
        \n# Remove the # on next line to force an update every single time - useful for debugging,\r\
        \n# but you could end up getting blacklisted by DynDNS!\r\
        \n\r\
        \n#:set dyndnsForce true\r\
        \n\r\
        \n# Determine if dyndns update is needed\r\
        \n# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html\r\
        \n\r\
        \n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
        \n   :set dyndnsForce false\r\
        \n   :set previousIP \$currentIP\r\
        \n   :log info \"\$currentIP or \$previousIP\"\r\
        \n   /tool fetch user=\$username password=\$password mode=http address=\"members.dyndns.org\" \\\r\
        \n      src-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$currentIP&wildcard=no\" \\\r\
        \n      dst-path=\"/dyndns.txt\"\r\
        \n   :local result [/file get dyndns.txt contents]\r\
        \n   :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
        \n   :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
        \n   :put (\"Dyndns Update Result: \".\$result)\r\
        \n} else={\r\
        \n   :log info (\"UpdateDynDNS: No dyndns update needed\")\r\
        \n}"
    

    This adds the schedule to run the script every 5 minutes.
    /system scheduler
    add disabled=no interval=5m name=dynDNS on-event="/system script run dynDns\r\
        \n" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-time=startup
    


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    This script emails you the router config. You can schedule it however you like, once a week, once a month etc. Edit it with your own email.
    /system script
    add name=backup policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="/export file=([/system identity get name] . \"-\" . \\\
        \n[:pick [/system clock get date] 7 11] . [:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6]); \\\
        \n/tool e-mail send to=\"you@yourdomain.com\" subject=([/system identity get name] . \" Backup \" . \\\
        \n[/system clock get date]) file=([/system identity get name] . \"-\" . [:pick [/system clock get date] 7 11] . \\\
        \n[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".rsc\"); :delay 10; \\\
        \n/file rem [/file find name=([/system identity get name] . \"-\" . [:pick [/system clock get date] 7 11] . \\\
        \n[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".rsc\")]; \\\
        \n:log info (\"System Backup emailed at \" . [/sys cl get time] . \" \" . [/sys cl get date])"
    

    This adds the script on a 30 day schedule.
    /system scheduler
    add disabled=no interval=4w2d name="backup config" on-event="/system script run backup\r\
        \n" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-time=startup
    

    You need to set the from email address and your provider's SMTP server; do an nslookup on it and add it as an IP.
    /tool e-mail
    set address=159.134.198.135 from=routername@yourdomain.com password="" port=25 starttls=no user=""
    


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    To set up a VPN, first you need to create a pool of local addresses to use, so I reduced the DHCP pool and gave the VPN 90-99.
    /ip pool
    add name=default-dhcp ranges=192.168.88.100-192.168.88.254
    add name=VPN-Pool ranges=192.168.88.90-192.168.88.99
    

    Then you need to create a user.
    /ppp secret
    add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=username password=password profile=default-encryption routes="" service=pptp
    

    Then we need to turn on the PPTP server.
    /interface pptp-server server
    set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
    

    And set a profile to assign IP's from this VPN pool and add it to the bridge (you will already have a bridge-local if you're using the default config on a wireless RB751, but not on the RB750 without wireless).
    /ppp profile
    set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
    set 1 bridge=bridge-local change-tcp-mss=yes local-address=VPN-Pool name=default-encryption only-one=default remote-address=VPN-Pool use-compression=default \
        use-encryption=yes use-mpls=default use-vj-compression=default
    

    Don't forget you need to have the firewall rules enabled to accept tcp on port 1723 and accept the gre protocol from the WAN interface.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    This is an issue I came across that took a lot of head scratching to sort. It's known as hairpin NAT, where you're trying to come back inbound on the WAN interface you went out on. I have lots of web services running on my home server and wished to access them using my DynDNS hostname (public IP) when out and about and when connected to my LAN. Some routers with a loose firewall allow this; the last Linksys with DD-WRT handled it just fine, but the Mikrotik needs an extra NAT rule to allow LAN IP's back in to this server from the WAN. The first line is the default masquerade rule, the second is the added hairpin NAT rule to allow local LAN IP's access to this server on 192.168.88.252.
    /ip firewall nat
    add action=masquerade chain=srcnat comment=masquerade disabled=no out-interface=ether1-gateway
    add action=masquerade chain=srcnat comment="hairpin nat rule" disabled=no dst-address=192.168.88.252 src-address=192.168.88.0/24
    


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    Cool thread, I have an RB1200 that I want to start playing with.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Yeah, the possibilities with these things are endless. I used to have an RB750GL with a separate Linksys AP behind the TV. I ended up adding a second AP to cover the office at the back of the house as the wireless signal on my phone was weak. I have now invested in a RB751G for wireless "n". Amazing wireless performance from it, it gives perfect coverage throughout the house. They have 1Watt output power. To put that in context a standard Linksys WRT54G is only 28mW. I read somewhere that Mikrotik are having difficulty getting them certified in the USA for this reason.


  • Registered Users, Registered Users 2 Posts: 21,487 ✭✭✭✭Alun


    PogMoThoin wrote: »
    They have 1Watt output power. To put that in context a standard Linksys WRT54G is only 28mW. I read somewhere that Mikrotik are having difficulty getting them certified in the USA for this reason.
    If that is the case, are they legal here? I thought the maximum EIRP in Europe was 100mW.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Alun wrote: »
    If that is the case, are they legal here? I thought the maximum EIRP in Europe was 100mW.

    It's CE certified. USA customers can get them on Ebay, just not allowed to be sold there.


  • Registered Users, Registered Users 2 Posts: 455 ✭✭zappb


    subscribed to thread


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    Cheers pog, mine should be arriving this week :)


  • Registered Users, Registered Users 2 Posts: 178 ✭✭toddunctious


    you convinced me to get one too, cheers :)


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    I set mine up (mostly) at the weekend there.

    I used to be reasonably knowledgeable at networking, but I went to go at it on Sunday and my mind drew a blank :/

    So a high level of what I did was (I'll throw up details later):

    I put my modem into bridge mode ("modem only" is what my modem was calling it). I assigned the modem a static IP within the same address range as I was using with the mikrotik.

    I set up a PPPOE interface on ethernet port1 on the mikrotik and configured it for Eircom (eircom, broadband1)

    After that I pretty much did what pog has put up. Haven't got a chance to do anything fancy with it yet though.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    More info needed. Where is it getting stuck? Is it getting an IP or even attempting to dial? Can you ping out? Is the default route out being added? Is add default route ticked in ppp->interface?

    The modem bridge shouldn't be in the same subnet as the lan BTW.


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    PogMoThoin wrote: »
    More info needed. Where is it getting stuck? Is it getting an IP or even attempting to dial? Can you ping out? Is the default route out being added? Is add default route ticked in ppp->interface?

    The modem bridge shouldn't be in the same subnet as the lan BTW.

    Sorry, when I say I couldn't remember anything, I did get it done in the end but it took about 4 hours.

    One genius thing I did was add the pppoe interface and then disable the ethernet port! :o

    When I say it's half done, it is my functional router but I haven't opened any ports or set up Dynamic DNS stuff.

    Also you are right re modem IP. It can't be reached from the LAN but it doesn't matter what its LAN IP is. I set it to be in the same subnet as the LAN so I could just move the laptop from one to the other with the same static IP.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    What's the rush, you'll be playing for weeks :D


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    PogMoThoin wrote: »
    What's the rush, you'll be playing for weeks :D

    That's my fear! :)

    On another note, they have completely changed the web interface since I was using the 750(g). The web interface used to be more similar to a regular router's interface with very limited options. Now it's basically a second winbox (it is a very impressive interface, to cram that much functionality into a web app).

    The wireless signal seems to be really good from it too.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Yeah, the web GUI is something they've been concentrating on. Every RouterOS version changelog has entries relating to web gui bugs. I tend to avoid it as Winbox is so stable, I've web login disabled as I use the default port for a web service I've running on my server.

    Be sure to update to the latest version software 5.19 (paste it into files) and also do a "> system routerboard upgrade" and reboot.


  • Registered Users Posts: 3,840 ✭✭✭Panrich


    Thanks to PogMoThoin, I have ordered the 751G. This is to replace the Zyxel POS that I have from Magnet.
    I have had numerous wireless disconnects from my Apple devices (disconnect after 5 minutes) and my laptop that I hope will be a thing of the past once I get this up and running.


  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭lotas


    I got a RB750 a while back, and I am using it with 2 cable modems, one at 60Mb, the other at 120Mb. If anyone is interested in how it's done, and can tell me how to print out the config, please reply... Someone might be able to point out issues with my setup too... Thanks!


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    lotas wrote: »
    I got a RB750 a while back, and I am using it with 2 cable modems, one at 60Mb, the other at 120Mb. If anyone is interested in how it's done, and can tell me how to print out the config, please reply... Someone might be able to point out issues with my setup too... Thanks!

    I'm curious as to how you did this. Print just prints the settings as they are, but it is not pastable into a new router; for this you need to export as a command line. To export the full config just type "export" into the terminal in winbox. You can export individual sections; for example "ip firewall filter export" will print your firewall filters. Winbox is laid out in the order of these commands, which makes it easy to figure out.


  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭lotas


    Ok, so here are some of the "interesting" things you may need:


    NAT Rules:
    add action=masquerade chain=srcnat disabled=no out-interface=WAN1
    add action=masquerade chain=srcnat disabled=no out-interface=WAN2 to-addresses=0.0.0.0
    

    Mangle rules:
    add action=accept chain=prerouting disabled=no dst-address=192.168.55.0/24 in-interface=LAN
    add action=accept chain=prerouting disabled=no dst-address=192.168.56.0/24 in-interface=LAN
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=WAN1 new-connection-mark=WAN1 passthrough=\
        yes
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=WAN2 new-connection-mark=WAN2 passthrough=\
        yes
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN \
        new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN \
        new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN \
        new-connection-mark=WAN2 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local in-interface=LAN \
        new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses:3/0
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local in-interface=LAN \
        new-connection-mark=WAN2 passthrough=yes per-connection-classifier=both-addresses:3/1
    add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local in-interface=LAN \
        new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses:3/2
    add action=mark-routing chain=prerouting connection-mark=WAN1 disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=WAN2 disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
    add action=mark-routing chain=output connection-mark=WAN1 disabled=no new-routing-mark=to_WAN1 passthrough=yes
    add action=mark-routing chain=output connection-mark=WAN2 disabled=no new-routing-mark=to_WAN2 passthrough=yes
    

    Routes info
    add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.55.1 routing-mark=to_WAN1 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.56.1 routing-mark=to_WAN2 scope=30 target-scope=10
    add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.55.1 scope=255 target-scope=10
    add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.56.1 scope=30 target-scope=10
    

    The idea is that I have 2 cable modems, each set up in "fake bridging" mode (both have DHCP off, firewall off, and DMZ to the RB750). The RB750 has 2 interfaces for WAN (1 and 2) and 1 LAN. The mangling section is what does the magic... Each connection that is opened is looked at; 2 of every 3 connections go to WAN1 (the 120MB cable modem) and the other goes to WAN2. This works well on BitTorrent downloads or HTTP downloads from multiple servers, but from one server it's not as good since whichever way I have it set up, it seems to only use one pipe...

    Any questions, shout!
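    The per-connection-classifier split from the mangle rules above, modelled as an added Python example (not RouterOS code and not lotas's). RouterOS does not publish its PCC hash, so SHA-256 over the selected header fields stands in for it here; the LAN host 192.168.1.10, the 198.51.100.0/24 servers and the port numbers are constructed sample traffic, and the function names are mine.

```python
"""Model of per-connection-classifier (PCC) marking for the dual-WAN rules.
Added example: SHA-256 stands in for the unpublished RouterOS PCC hash and
all flows are constructed sample traffic."""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str, int, int]  # (src address, dst address, src port, dst port)

# The enabled rules: 3/0 and 3/2 mark WAN1, 3/1 marks WAN2, so roughly two
# thirds of new connections land on the 120Mb modem.
REMAINDER_TO_MARK: Dict[int, str] = {0: "WAN1", 2: "WAN1", 1: "WAN2"}


def pcc_remainder(fields: Tuple, denominator: int) -> int:
    """Hash the selected fields and reduce modulo the denominator;
    per-connection-classifier=<fields>:<den>/<rem> matches when this equals rem."""
    digest = hashlib.sha256(repr(fields).encode()).digest()
    return int.from_bytes(digest[:8], "big") % denominator


def connection_mark(flow: Flow, classifier: str = "both-addresses-and-ports") -> str:
    """Connection mark the prerouting rules assign to one new connection.
    Only the first packet is classified (connection-mark=no-mark); every later
    packet of the same connection inherits the mark, so one download that is
    one TCP connection can never be split across both WANs."""
    src, dst, sport, dport = flow
    if classifier == "both-addresses-and-ports":
        fields: Tuple = (src, dst, sport, dport)
    elif classifier == "both-addresses":
        fields = (src, dst)
    else:
        raise ValueError(f"unsupported classifier {classifier!r}")
    return REMAINDER_TO_MARK[pcc_remainder(fields, 3)]


def distribution(flows: Iterable[Flow], classifier: str) -> Counter:
    """Count how many new connections each WAN would receive."""
    return Counter(connection_mark(f, classifier) for f in flows)


def many_servers(n: int) -> List[Flow]:
    """Constructed: one LAN host opening n connections to many different servers."""
    return [("192.168.1.10", f"198.51.100.{i % 250 + 1}", 40000 + i, 80 if i % 2 else 443)
            for i in range(n)]


def one_server(n: int) -> List[Flow]:
    """Constructed: one LAN host opening n parallel connections to a single server."""
    return [("192.168.1.10", "198.51.100.7", 40000 + i, 443) for i in range(n)]


if __name__ == "__main__":
    print("many servers, addresses+ports:", distribution(many_servers(600), "both-addresses-and-ports"))
    print("one server,   addresses+ports:", distribution(one_server(600), "both-addresses-and-ports"))
    print("one server,   addresses only: ", distribution(one_server(600), "both-addresses"))
    print("single connection:", connection_mark(one_server(1)[0]))
```

    The spread only appears over many connections; a single-connection download follows exactly one WAN, which is the single-server behaviour described above. The disabled both-addresses variant is stickier still: every connection between one host and one server hashes to the same mark, so even many parallel connections to the same server use one pipe.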


  • Registered Users Posts: 3,840 ✭✭✭Panrich


    I have had an entertaining few days configuring the new box to work with my Magnet broadband and getting all the accesses and firewall rules set up.

    It certainly is a steep learning curve (especially when winbox decides to stop functioning on a working day and you are back to entering commands via the cli - a router reboot required to fix).

    Last night I got the remote access rules to access my WHS2011 and CCTV set up so happy days.

    Really impressed with the wireless coverage but not too sure that the neighbours will share that enthusiasm.


  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭lotas


    Which type of routerbox do you have? Looking at upgrading my aging RB750 since I now have 250Mb/s connections into it... and Wifi would be a handy feature... my Apple Airport Extreme is a bit on the old side...


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    I was encountering a bug whereby the Mikrotik isn't automatically renewing its DHCP lease after it expires. My Linksys modem is in half bridge mode, where it dials PPPoE and provides the public IP to the connected router. The solution is this script: it pings an external IP 6 times and if they all drop, it performs a renew on the interface. I've it on a 5 minute schedule.
    :if ( [/ping 8.8.8.8 interface=ether1-gateway count=6 ] = 0 ) do={/ip dhcp-client renew ether1-gateway}
    


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    Hi

    Great thread and great scripts. Thanks, PogMoThoin.

    I got my 751G-2HnD yesterday and was up till 1am learning and configuring. With ssh and PPTP set up (thanks to the supplied scripts) I was able to continue my playing learning experience today from work.

    I was completely blown away by the features and configurability of the device. I work in IT and am familiar with a number of business-class routers. I'd say this device has a feature set comparable with devices selling for €600 and more.

    I'm definitely going to have to schedule a device backup on a regular basis as I intend to have a lot of fun with this device and it's not a matter of if, but when, I do something silly and kill my connectivity. Fortunately, there's a script for that too :)

    I'm not in a position to submit anything new or useful yet, but I hope to return the favour at some point.

    Regards

    Liam


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    The DynDns updater script has stopped working for me but the same script is working for a friend. I have the free sub, he has paid. I've enabled the 2 week trial but it's still not working.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    Hi

    Although it doesn't help your specific predicament, I can confirm that the script is working for me. I also have a paid account.

    Regards

    Liam


  • Registered Users, Registered Users 2 Posts: 682 ✭✭✭Xantia


    V6.0rc7 just released
    have it working on RB751G-2HnD (mipsbe)


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    I'm using the RC firmware, it's working well. I've replaced the DynDNS script I was using with a new one and it's working http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_dynDNS_behind_NAT


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    I set up an old 3g modem I had lying about on the 751G this morning. I was using a meteor branded E173 Huawei modem

    Check is your device supported

    When I eventually did get it set up I actually didn't do too much, but it didn't stop it taking me the entire morning!

    If anyone has any questions about it, feel free to give me a shout.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    I'm getting amazing wireless performance with the latest release candidate firmwares (v6.0rc11). I can now sustain 100Mbit SMB transfer over wireless, samba isn't the most efficient protocol therefore the limit here is most likely the hard drive speed. Make sure you have channel width set to 20/40 HT above and under advanced set your distance to indoors.

    [two speed-test screenshots attached]


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    So currently 3G is my only option for internet at the moment (Not what I envisioned when I bought this Mikrotik!) but in fairness its doing a pretty bang up job. Speeds are actually pretty decent and my biggest issue with 3g at the moment is the 20gb download cap. I have written a script to get the mikrotik to check the balance on the stick and email me the result

    It's specifically for Meteor, but if your provider provides a service where you can text for a balance you can easily change it.

    Will try to make it a bit more clever over time (maybe parse out the value and stop traffic when the limit is hit), but this is what I have so far.

    Note: Make sure you have email and SMS set up first.
    #Script for checking 3G Balance#
    #This Script will:#
    # - Remove all SMSs from inbox #
    # - Send SMS to check Balance #
    # - Email Contents of SMS #
    
    :log info "Script for Checking 3G Balance has started";
    
    #----------------#
    #Values#
    #----------------#
    
    #Meteors BroadBand to Go Check balance Via text command is text "MMB balance" to 50104#
    :local SMSNumber "50104";
    :local SMSCommand "MMB balance";
    
    #Email#
    :local EmailAddr "YOUREMAIL@gmail.com";
    :local EmailSubject;
    
    :set EmailSubject "3G Balance at $[/system clock get time]";
    
    #----------------#
    #Remove All SMSs from inbox#
    #This ensures that only the status SMS gets emailed to you#
    #----------------#
    
    :log info "Deleting All current SMSs from Inbox";
    
    # Looping to Delete all existing SMS #
    :foreach i in=[/tool sms inbox find] do={
    
    # Remove SMS from Inbox #
    /tool sms inbox remove $i;
    
    :delay 2;
    }
    :log info "Finished Deleting SMSs";
    
    #----------------#
    #Send SMS to Check Balance#
    #----------------#
    
    :log info "Sending SMS to Check Balance";
    
    # Set Receive Enabled, in case it was cleared by a router reboot #
    /tool sms set receive-enabled=yes;
    
    :delay 2;
    
    #Send SMS to check Credit - NOTE: Change Port (usb1) and channel as required#
    /tool sms send usb1 $SMSNumber channel=3 message="$SMSCommand";
    
    :log info "SMS for checking Balance Sent. Now waiting 10 seconds for response";
    :delay 10;
    
    #----------------#
    #Sending SMS response on Via Email#
    #----------------#
    
    :local smsMessage;
    :local smsTimeStamp;
    :local emailContent;
    
    
    :log info "Checking Inbox for Balance SMS";
    
    # loop through all the messages in the inbox #
    :foreach i in=[/tool sms inbox find] do={
    
    :set smsTimeStamp [/tool sms inbox get $i timestamp];
    :set smsMessage [/tool sms inbox get $i message];
    
    #Build Email Body#
    :set emailContent "Response from balance check, received at $smsTimeStamp:\n\n$smsMessage";
    
    
    :log info "Sending Email containing: $emailContent";
    #Send Email#
    /tool e-mail send tls=yes subject="$EmailSubject" to=$EmailAddr body="$emailContent";
    
    :delay 10;
    
    }
    
    :log info "Script for Checking 3G Balance has finished";
    

    Anyone know if I can use regular expressions on the SMS response to extract the actual limit? It comes in a nice easy to extract format:

    You have 19.36 GB of your monthly allowance remaining. This months allowance will be available until 04-04-13

    in something like PHP I would use the following regex to extract it:

    /([0-9]{1,2}\.{1}[0-9]{1,2}) GB/
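    For the regex question: RouterOS scripting has no regular expressions, so here is an added Python example (not from the poster's script and not RouterOS code) that pulls the figure out of the SMS quoted above both with the PHP-style pattern and with a substring approach that maps directly onto RouterOS :find and :pick, then makes the stop-traffic decision the poster mentions. The sample text is the quoted SMS; the 2 GB threshold and the function names are constructed.

```python
"""Extract the remaining allowance from the Meteor balance SMS.
Added example: the sample is the SMS quoted in the post, the threshold is constructed."""
import re
from typing import Optional

SAMPLE_SMS = ("You have 19.36 GB of your monthly allowance remaining. "
              "This months allowance will be available until 04-04-13")

# The poster's pattern, ported from PHP; it requires a decimal point.
GB_RE = re.compile(r"([0-9]{1,2}\.[0-9]{1,2}) GB")


def remaining_gb_regex(sms: str) -> Optional[float]:
    """Regex version: first 'dd.dd GB' figure, or None if the text changed shape."""
    match = GB_RE.search(sms)
    return float(match.group(1)) if match else None


def remaining_gb_substring(sms: str) -> Optional[float]:
    """Regex-free version: find ' GB', walk back to the previous space and pick
    what lies between. In RouterOS this is [:find $sms " GB"] plus
    [:pick $sms $start $end]; the float() check stands in for :tonum."""
    end = sms.find(" GB")
    if end < 0:
        return None
    start = sms.rfind(" ", 0, end) + 1
    try:
        return float(sms[start:end])
    except ValueError:
        return None


def should_cut_traffic(sms: str, threshold_gb: float = 2.0) -> bool:
    """The follow-up the poster had in mind: True once the remaining allowance
    is at or below the threshold. An unparseable SMS returns False so a changed
    provider message cannot silently kill the connection; alert on None instead."""
    remaining = remaining_gb_substring(sms)
    if remaining is None:
        return False
    return remaining <= threshold_gb


if __name__ == "__main__":
    print(remaining_gb_regex(SAMPLE_SMS), remaining_gb_substring(SAMPLE_SMS))
    print(should_cut_traffic(SAMPLE_SMS), should_cut_traffic("You have 1.5 GB left"))
```

    The two extractors differ on one edge case worth knowing before porting: the posted regex needs a decimal point, so "0 GB" yields nothing, while the :find/:pick version reads it as 0.0.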


  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭lotas


    Morning all.

    Just realized that there is a tweak to be made to @pogmothoin's post. I have 2 WAN connections, and if an SSH connection comes from one, I forward it to a particular server (using the NAT section). If it's from WAN2, it goes to a different machine... this causes some interesting problems with the following block of code:
    add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" disabled=no dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
    add action=accept chain=input comment="allow ssh" disabled=no dst-port=22 protocol=tcp
    

    because the chain is set to input, it ignores it. I noticed this morning that a lot of SSH requests were hitting both my servers, and not getting blocked by the firewall. The solution? Set the chain to forward. So far so good!
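
    To make that concrete, here is the same staged blacklist written for the forward chain. This is an added example, not lotas's own config: it assumes WAN1 is ether1, WAN2 is ether2, the two servers are 192.168.88.10 and 192.168.88.11 and both listen on port 22. The staging rules go in their own chain that is only reached from the WAN interfaces, so LAN-side SSH to the servers does not count toward the blacklist. The input-chain rules from the original post are still needed for SSH to the router itself; reusing the same list names means a source blacklisted on either chain is dropped on both.

```routeros
# Added example (not from the thread): staged SSH blacklist for dst-nat'ed sessions.
# Interface names, server addresses and ports are assumptions.

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.10 to-ports=22 comment="WAN1 ssh -> server A"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.11 to-ports=22 comment="WAN2 ssh -> server B"

/ip firewall filter
# dst-nat runs before the forward chain, so dst-port here is the server's port
# (to-ports), not the port exposed on the WAN.
add chain=forward connection-state=established,related action=accept comment="forward: established/related"
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="forward: drop ssh brute forcers"

# Only new SSH connections arriving on a WAN interface are sent to the staging chain
add chain=forward in-interface=ether1 protocol=tcp dst-port=22 connection-state=new action=jump jump-target=ssh_stage
add chain=forward in-interface=ether2 protocol=tcp dst-port=22 connection-state=new action=jump jump-target=ssh_stage

# add-src-to-address-list does not stop processing, so one new connection moves
# the source up exactly one stage. Keep the most severe stage first; the final
# return hands the packet back to the forward chain.
add chain=ssh_stage src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d
add chain=ssh_stage src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h
add chain=ssh_stage src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h
add chain=ssh_stage action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h
add chain=ssh_stage action=return

add chain=forward in-interface=ether1 protocol=tcp dst-port=22 dst-address=192.168.88.10 action=accept comment="forward: allow ssh to server A"
add chain=forward in-interface=ether2 protocol=tcp dst-port=22 dst-address=192.168.88.11 action=accept comment="forward: allow ssh to server B"
```

    Check it with `/ip firewall address-list print where list=ssh_stage1` after a couple of connection attempts from outside; the fourth new connection from the same source lands it in ssh_blacklist and the drop rule's counters in `/ip firewall filter print stats` start climbing from the fifth.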


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    There is a bug in my above script, it doesn't delete the SMSs.

    If receive is not enabled it will not delete the SMSs. Updated below:
    #Script for checking 3G Balance#
    #This Script will:#
    # - Remove all SMSs from inbox #
    # - Send SMS to check Balance #
    # - Email Contents of SMS #
    
    :log info "Script for Checking 3G Balance has started";
    
    #----------------#
    #Values#
    #----------------#
    
    #Meteor Broadband To Go: check the balance by texting "MMB balance" to 50104#
    :local SMSNumber "50104";
    :local SMSCommand "MMB balance";
    
    #Email#
    :local EmailAddr "YOUREMAIL@gmail.com";
    :local EmailSubject;
    
    :set EmailSubject "3G Balance at $[/system clock get time]";
    
    #----------------#
    #Remove All SMSs from inbox#
    #This ensures that only the status SMS gets emailed to you#
    #----------------#
    
    :log info "Deleting All current SMSs from Inbox";
    
    # Set Receive Enabled, in case it was cleared by a router reboot #
    /tool sms set receive-enabled=yes;
    
    # Looping to Delete all existing SMS #
    :foreach i in=[/tool sms inbox find] do={
    
    # Remove SMS from Inbox #
    /tool sms inbox remove $i;
    
    delay 2;
    }
    :log info "Finished Deleting SMSs";
    
    #----------------#
    #Send SMS to Check Balance#
    #----------------#
    
    :log info "Sending SMS to Check Balance";
    
    delay 2;
    
    #Send SMS to check Credit - NOTE: Change Port (usb1) and channel as required#
    /tool sms send usb1 $SMSNumber channel=3 message="$SMSCommand";
    
    :log info "SMS for checking Balance Sent. Now waiting 10 seconds for response";
    delay 10;
    
    #----------------#
    #Sending SMS response on Via Email#
    #----------------#
    
    :local smsMessage;
    :local smsTimeStamp;
    :local emailContent;
    
    
    :log info "Checking Inbox for Balance SMS";
    
    # loop through all the messages in the inbox #
    :foreach i in=[/tool sms inbox find] do={
    
    :set smsTimeStamp [/tool sms inbox get $i timestamp];
    :set smsMessage [/tool sms inbox get $i message];
    
    #Build Email Body#
    :set emailContent "Response from balance check, received at $smsTimeStamp:\n\n$smsMessage";
    
    
    :log info "Sending Email containing: $emailContent";
    #Send Email#
    /tool e-mail send tls=yes subject="$EmailSubject" to=$EmailAddr body="$emailContent";
    
    delay 10;
    
    }
    
    :log info "Script for Checking 3G Balance has finished";
    


  • Registered Users, Registered Users 2 Posts: 682 ✭✭✭Xantia


    I set up an old 3g modem I had lying about on the 751G this morning. I was using a meteor branded E173 Huawei modem

    Check is your device supported

    When I eventually did get it set up I actually didn't do too much, but it didn't stop it taking me the entire morning!

    If anyone has any questions about it, feel free to give me a shout.

    Hi,
    Would you have any info on this setup?
    I am hoping to use it soon, I have a compatible USB 3G
    Thanks


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    Xantia wrote: »
    Hi,
    Would you have any info on this setup?
    I am hoping to use it soon, I have a compatible USB 3G
    Thanks

    I will try to help out later when I'm at home and have access to Winbox

    Is it a Huawei modem?


    I'm having some issues myself! I bought a new dongle from Meteor (one that had an external antenna port) and it seemed to be working fine. But last night and this morning the Mikrotik got left in a weird state where no connections were set up. Rebooting the Mikrotik brought everything back, but I can't imagine it's a coincidence that this happened after installing the new dongle. Will investigate later, hopefully it can be resolved!


  • Registered Users, Registered Users 2 Posts: 682 ✭✭✭Xantia


    Thanks for coming back to me.

    No Rush on this.

    I hope to setup a 3G and then a WiFi in the car - I know, I know, but it would be handy for me on the road.

    (In my day it was - I am sitting on the wheel arch back here, nowadays it's I can't get 3G)

    So Mikrotik with a 3G USB Stick with an external antenna, WiFi with external antenna(s)


  • Registered Users, Registered Users 2 Posts: 7,198 ✭✭✭witnessmenow


    There are probably cheaper, lower-powered solutions for doing that though. A Mi-Fi dongle would probably suit best. Something like this. It probably has limited range, but surely covers a car :)

    EDIT: Actually, how far from the car do you want to be? Didn't notice you were talking about adding external wireless antennas too

    Sorry I didn't get back to you, will def over the next couple of days!


  • Registered Users, Registered Users 2 Posts: 2,928 ✭✭✭VenomIreland


    I'm looking at getting one of these, both as a replacement for my current router (DIR-655, not strong enough output to cover the house and we can't wire everything unfortunately), but which one is the most recent model that would be suitable for a home? I'd appreciate a GUI interface for initial setup, but if it's all CLI then that's okay too.


  • Registered Users, Registered Users 2 Posts: 682 ✭✭✭Xantia


    I think that this is the latest Home one with a faster 600MHz processor
    I have the previous one RB751G-2HnD and it works fine
    but there is a bit of a learning curve to them


  • Registered Users, Registered Users 2 Posts: 2,928 ✭✭✭VenomIreland


    Xantia wrote: »
    I think that this is the latest Home one with a faster 600MHz processor
    I have the previous one RB751G-2HnD and it works fine
    but there is a bit of a learning curve to them

    Thanks, they are actually much cheaper than I expected them to be.


  • Registered Users, Registered Users 2 Posts: 682 ✭✭✭Xantia


    There is a GUI (Winbox) or you can web to the default address 192.168.88.1 as well.
    The one I have does cover the whole house but that might be because it's in the middle of the house and I have not specified a country which gives the higher WiFi power output.
    The RB951G-2HnD is 2.4GHz WiFi - others are available if you prefer the 5 Gig WiFi


  • Registered Users, Registered Users 2 Posts: 2,928 ✭✭✭VenomIreland


    Xantia wrote: »
    There is a GUI (Winbox) or you can web to the default address 192.168.88.1 as well.
    The one I have does cover the whole house but that might be because it's in the middle of the house and I have not specified a country which gives the higher WiFi power output.
    The RB951G-2HnD is 2.4GHz WiFi - others are available if you prefer the 5 Gig WiFi
    I'm not sure if I have anything that is 5GHz, the media server and the PCs are all connected via Cat5e, so I don't really need it for the important things, the wifi is just for the devices that can't realistically be wired (e.g. phones).

    I'll probably place an order soon, it should be fun learning to configure it.


  • Registered Users Posts: 71 ✭✭privilegue


    Hi all - I found this thread while researching an issue I am having with my current setup and the things I would like to do. So here goes nothing :)

    I have the following setup:

    1) OpenVPN Server running on Linux on 10.8.0.0 (WAN1)
    2) RouterOS RouterBoard 2011IN connecting to that server (WAN2)

    my config on routerOS is working fine and I can see the routerOS device connected on the OVPN Server active clients list with an IP of 10.8.0.3

    so that VPN part works. Now what I would like to do is set everything up so that when I log in to that VPN network with my laptop, let's say, I am then able to connect to the RouterOS config interface using any of the available services (ssh - sftp - www - winbox)... But so far it seems I am out of luck.

    If anyone could help I would appreciate this. Thanks.


  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭lotas


    You will need to set your firewall to allow devices from the 10.8.0.0/24 network to be able to connect to your WinBox, http, etc. I don't have access to my Mikrotik at the moment, but I think you are looking for something like:

    /ip firewall filter
    add action=accept chain=input comment="allow winbox" disabled=no dst-port=8291 protocol=tcp src-address=10.8.0.0/24

    Good luck!


  • Registered Users Posts: 71 ✭✭privilegue


    lotas wrote: »
    You will need to set your firewall to allow devices from the 10.8.0.0/24 network to be able to connect to your WinBox, http, etc. I don't have access to my Mikrotik at the moment, but I think you are looking for something like:

    /ip firewall filter
    add action=accept chain=input comment="allow winbox" disabled=no dst-port=8291 protocol=tcp src-address=10.8.0.0/24

    Good luck!

    Thanks man, I did that but that didn't work unfortunately. I have been fighting with this issue for 2 days now and still no solution. I have tun0 traffic allowed on the OVPN server as well as filter FORWARD has ports 80 / 8921 accept in forward.

    From the ovpn-server (ssh in) I can ping any client including the RouterOS board. I can even ssh into that from the ovpn-server but not from my Windows client. It's really weird...

    SERVER 10.8.0.1
    RouterOS 10.8.0.2
    WIN 10.8.0.3

    I can access the server from WIN just fine (http / ssh whatever configured) using the VPN connection, no problems there. I can not access the RouterOS, even with empty iptables.

    So my config would look like this: (example)
    -- Debian eth0:192.168.1.220 tun0:10.8.0.1
    --- can access all other clients on network
    --- has INPUT filter but accepts all traffic from internal networks and from tun0

    -- RouterOS ether1:192.168.1.175 ovpn-client:10.8.0.2
    --- can ping and reach server fine x.0.1
    --- can ping and reach WIN machine fine (http setup for testing)

    -- WIN eth0:outside ovpn:10.8.0.3
    --- can access all services on server 10.8.0.1
    --- can't access / ping anything on RouterOS

    So I am thinking -- (since I kinda suck at firewalls) -- do I need to accept on the INPUT chain of the server ports for the RouterOS unit? I don't think so since FORWARD would deal with traffic going through the server.

    I am getting bald here, so any help is appreciated :)


  • Registered Users Posts: 71 ✭✭privilegue


    After a couple more tests and run-throughs here is the solution:

    ON the config of your OVPN server you have to add the following to your server.conf

    push "route <IPofOVPNNETWORK> <SUBNET>"

    this fixed it all.
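
    With the route pushed from the OpenVPN server, lotas's accept rule above is what lets the VPN clients reach the router. The block below is an added example, not config from either poster, that completes that idea on the RouterOS side: management ports are accepted only from the VPN subnet and the LAN, refused and logged from everywhere else, and the services themselves are bound to the same ranges so a later firewall mistake does not expose them. The VPN subnet 10.8.0.0/24 is from the thread; the LAN 192.168.88.0/24 (the RouterOS default) and the default service ports are assumptions.

```routeros
# Added example (not from the thread): reach the router's management services
# only over the VPN or from the LAN. Addresses other than 10.8.0.0/24 are assumed.

/ip firewall address-list
add list=mgmt_allowed address=10.8.0.0/24 comment="OpenVPN clients"
add list=mgmt_allowed address=192.168.88.0/24 comment="LAN - keep this entry so you cannot lock yourself out"

/ip firewall filter
# These three rules must sit above any catch-all "drop input" rule. Check the
# order with  /ip firewall filter print  and fix it with
#   /ip firewall filter move <rule number> destination=<position>
add chain=input protocol=tcp dst-port=22,80,443,8291 src-address-list=mgmt_allowed action=accept comment="management from VPN/LAN only"
add chain=input protocol=tcp dst-port=22,80,443,8291 action=log log-prefix="mgmt-denied: " comment="log management attempts from elsewhere"
add chain=input protocol=tcp dst-port=22,80,443,8291 action=drop comment="drop management from everywhere else"

# Bind the services to the same ranges and switch off the ones not in use.
/ip service
set ssh address=10.8.0.0/24,192.168.88.0/24
set winbox address=10.8.0.0/24,192.168.88.0/24
set www address=10.8.0.0/24,192.168.88.0/24
set www-ssl address=10.8.0.0/24,192.168.88.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
```

    Apply the `/ip service` lines from a session that already comes from one of the allowed ranges, and test from the VPN before removing any broader accept rule; anything hitting the log rule shows up in `/log print where message~"mgmt-denied"` with the source address.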


  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭lotas


    ahhh, so it's not a RouterBoard issue, but an OpenVPN issue... cool!


  • Registered Users Posts: 71 ✭✭privilegue


    lotas wrote: »
    ahhh, so it's not a RouterBoard issue, but an OpenVPN issue... cool!

    indeed and I was really puzzled by the fact that the router received SYN but no ACK could be transmitted... if OpenWRT is being used then you don't have this issue at all :)


  • Registered Users, Registered Users 2 Posts: 682 ✭✭✭Xantia


    RouterOS v6.2 released today.
    Seems to work OK

