RouterBoard MikroTik
From Linuxmemo.
Current version as of 21 December 2016 at 09:33
Manual
http://wiki.mikrotik.com/wiki/Manual:TOC
root menu
certificate -- Certificate management
disk -- list all attached storage devices (not available on the RS450: no USB/SD slot)
driver -- Driver management (not available on the RS450: all drivers are already loaded)
file -- Local router file storage.
interface -- Interface configuration
ip -- IP options
ipv6 --
log -- System logs
metarouter -- router virtualization (not available on the RS450)
mpls --
partitions -- (not relevant on the RS450: only one partition is available)
port -- Serial ports
queue -- Bandwidth management
radius -- Radius client settings
routing --
snmp -- SNMP settings
system --
tool -- Diagnostics tools
user --
Commands and Scripting
http://wiki.mikrotik.com/wiki/Manual:Scripting
System
backup -- Makes a full system backup
check-installation -- Check installed packages
clock -- Print/change system date and time
console -- Connection over serial port
default-configuration --
health -- Router health
history -- Command history
identity -- System identity
leds --
license -- Licensing information
logging -- Global logging configuration
note -- Login note
ntp --
package -- Software packages
reboot -- Restart the router
reset-configuration --
resource -- System resources
routerboard -- Routerboard options
scheduler -- Schedule scripts to be run at times
script -- Scripting management
serial-terminal -- Serial Terminal
shutdown -- Shut the router down
ssh -- SSH client
sup-output -- Create support output file
telnet -- Run Telnet
upgrade -- Router upgrading
watchdog -- Watchdog
IP
*accounting -- Traffic accounting
address -- Address management
arp -- ARP entries management
cloud -- DDNS
dhcp-client -- DHCP client settings
dhcp-relay -- DHCP relay settings
dhcp-server -- DHCP server settings
dns -- DNS settings - This is a simple DNS cache with local items (provide fake DNS information to your network clients).
firewall -- Firewall management
hotspot -- HotSpot servers management
ipsec -- IP security
neighbor -- Neighbors
packing -- Packet packing settings
pool -- IP address pool
proxy -- performs proxying of HTTP and HTTP-proxy (for FTP and HTTP protocols) requests.
route -- Route management
service -- IP services
settings -- IP Settings allows configuring several IP-related kernel parameters.
smb --
socks -- SOCKS version 4 proxy
ssh -- SSH settings
tftp -- TFTP
*traffic-flow -- Traffic-Flow is a system that provides statistical information about packets which pass through the router to an external NTop program (for example). As Traffic-Flow is compatible with Cisco NetFlow, it can be used with various utilities which are designed for Cisco's NetFlow.
upnp -- Universal Plug and Play
Tools
bandwidth-server -- Bandwidth tester service
bandwidth-test -- Run bandwidth test to remote router
dns-update -- Dynamic DNS update
e-mail --
fetch --
flood-ping -- Send a lot of ICMP Echo packets and wait for response
graphing -- System resource and traffic graphing
ip-scan --
mac-scan -- Scan for MAC addresses
mac-server -- MAC Telnet Server
mac-telnet -- MAC Telnet Client
netwatch -- Network watching tool (a simple tool that pings selected hosts)
ping-speed -- The ICMP bandwidth test
profile -- shows CPU usage for each process running in RouterOS.
*romon -- "Router Management Overlay Network"
sms --
*sniffer -- Packet sniffing
*torch -- Realtime traffic monitor (only measures TX/RX of flows in real time)
traceroute -- Trace route to host
traffic-generator --
traffic-monitor -- The traffic monitor tool is used to execute console scripts when interface traffic crosses a given threshold.
wol --
Tips
- how to generate SSL certificate and enable HTTPS
https://blog.a2o.si/2015/08/11/mikrotik-how-to-generate-ssl-certificate-and-enable-https/
1. Create CA certificate first:
/certificate add name=my-rtr-ca common-name=my-rtr-ca key-usage=key-cert-sign,crl-sign
2. Sign the CA certificate:
/certificate sign my-rtr-ca
3. Now create a regular certificate for HTTPS access:
/certificate add name=my-rtr common-name=my-rtr
4. Sign it with CA from steps 1&2:
/certificate sign ca=my-rtr-ca my-rtr
OPTIONAL: Mark it as trusted (I did not need to do this, but internets beg to differ:):
/certificate set trusted=yes my-rtr-ca
/certificate set trusted=yes my-rtr
5. And finally, assign the new certificate to HTTPS service:
/ip service set www-ssl certificate=my-rtr
- List the users currently logged in to the RouterBoard
/user active print
- Display the value of an item (example: "enabled")
:put [/ip accounting get enabled];
or, from within the /ip accounting context:
:put [get enabled];
false
- Get an idea of which hosts consume the most bandwidth (via accounting)
1) enable accounting
/ip accounting set account-local-traffic=yes enabled=yes
/ip accounting web-access set accessible-via-web=yes address=192.168.0.0/24
2) take a "snapshot"
/ip accounting snapshot take
3) view the snapshot that was taken
/ip accounting snapshot print
4) disable accounting
/ip accounting set account-local-traffic=no enabled=no
The "web-access" page is available at this URL, where IPduRouteur is the router's IP address (note: HTTP only, not HTTPS):
http://IPduRouteur/accounting/ip.cgi
- Router information
/system routerboard print
/system routerboard settings print
/system license print
/system resource monitor #real-time CPU load
/system resource print #all resources: uptime, hdd, memory...
/tool profile # shows CPU usage for each process running in RouterOS.
- Perform a DNS resolution
:put [:resolve "www.google.fr"];
- Ping a host
:ping 192.168.0.1
- List the active connections passing through the firewall
/ip firewall connection print interval=5
- Search firewall connections
:put [/ip firewall connection find where dst-address~"8.8.8.8"]
:put [/ip firewall connection find where dst-address~":80"]
:put [/ip firewall connection find where src-address~"192.168.0.10"]
:put [/ip firewall connection find where src-address~"192.168.0.10:80"]
- Port monitor
/interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether3
- Close all connections for address 192.168.0.30
/ip firewall connection
:foreach r in=[find src-address~"192.168.0.30:"] do={ remove $r }
- Sniffer TZSP stream
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start
Wireshark capture filter: udp port 37008
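For the TZSP sniffer tip above, an added example (not part of the original page) of what arrives on UDP port 37008: a decoder that strips the TZSP header and tag list to recover the mirrored Ethernet frame. The function names and the sample datagram are constructed for illustration.

```python
import struct

TAG_PADDING, TAG_END = 0x00, 0x01   # the two tags that carry no length byte

# Constructed sample: Ethernet + IPv4 header only (192.168.0.10 -> 8.8.8.8).
SAMPLE_FRAME = (bytes(12) + b"\x08\x00" + b"\x45\x00\x00\x14" + bytes(4)
                + b"\x40\x11\x00\x00" + bytes([192, 168, 0, 10, 8, 8, 8, 8]))
# Constructed datagram: header (version 1, type 0, encapsulation 1 = Ethernet),
# a padding tag, one made-up 2-byte tag (id 0x28), the end tag, then the frame.
SAMPLE = b"\x01\x00\x00\x01" + b"\x00" + b"\x28\x02\x00\x22" + b"\x01" + SAMPLE_FRAME

def parse_tzsp(datagram: bytes) -> dict:
    """Split one TZSP datagram into header fields, tags and the inner frame."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = [], 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list has no end tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag length")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("tag value overruns datagram")
        tags.append((tag, datagram[pos:pos + length]))
        pos += length
    return {"type": ptype, "encap": encap, "tags": tags, "frame": datagram[pos:]}

def inner_ipv4_endpoints(frame: bytes):
    """Return (src, dst) for an untagged Ethernet/IPv4 frame, otherwise None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

if __name__ == "__main__":
    parsed = parse_tzsp(SAMPLE)
    print(parsed["tags"], inner_ipv4_endpoints(parsed["frame"]))
```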