RouterBoard MikroTik

From Linuxmemo.

Current version as of 21 December 2016, 09:33


Manual

http://wiki.mikrotik.com/wiki/Manual:TOC

root menu

certificate -- Certificate management
disk -- list all attached storage devices (not available on the RS450: it has no USB/SD slot)
driver -- Driver management (not available on the RS450 because all drivers are already loaded)
file -- Local router file storage.
interface -- Interface configuration
ip -- IP options
ipv6 --
log -- System logs
metarouter -- router virtualisation (not available on the RS450)
mpls -- 
partitions -- (not relevant on the RS450 since only one partition is available)
port -- Serial ports
queue -- Bandwidth management
radius -- Radius client settings
routing -- 
snmp -- SNMP settings
system -- 
tool -- Diagnostics tools
user --

Commands and Scripting

http://wiki.mikrotik.com/wiki/Manual:Scripting

System

backup -- Makes a full system backup
check-installation -- Check installed packages
clock -- Print/change system date and time
console -- Connection over serial port
default-configuration -- 
health -- Router health
history -- Command history
identity -- System identity
leds -- 
license -- Licensing information
logging -- Global logging configuration
note -- Login note
ntp -- 
package -- Software packages
reboot -- Restart the router
reset-configuration -- 
resource -- System resources
routerboard -- Routerboard options
scheduler -- Schedule scripts to be run at times
script -- Scripting management
serial-terminal -- Serial Terminal
shutdown -- Shut the router down
ssh -- SSH client
sup-output -- Create support output file
telnet -- Run Telnet 
upgrade -- Router upgrading
watchdog -- Watchdog

IP

*accounting -- Traffic accounting
address -- Address management
arp -- ARP entries management
cloud -- ddns
dhcp-client -- DHCP client settings
dhcp-relay -- DHCP relay settings
dhcp-server -- DHCP server settings
dns -- DNS settings - This is a simple DNS cache with local items (provide fake DNS information to your network clients).
firewall -- Firewall management
hotspot -- HotSpot servers management
ipsec -- IP security
neighbor -- Neighbors
packing -- Packet packing settings
pool -- IP address pool
proxy -- performs proxying of HTTP and HTTP-proxy (for FTP and HTTP protocols) requests.
route -- Route management
service -- IP services
settings -- IP settings allow configuring several IP-related kernel parameters.
smb -- 
socks -- SOCKS version 4 proxy
ssh -- SSH settings
tftp -- TFTP
*traffic-flow -- Traffic-Flow is a system that provides statistical information about packets passing through the router to an external collector (for example NTop).
As Traffic-Flow is compatible with Cisco NetFlow, it can be used with the various utilities designed for Cisco's NetFlow.
upnp -- Universal Plug and Play

Tools

bandwidth-server -- Bandwidth tester service
bandwidth-test -- Run bandwidth test to remote router
dns-update -- Dynamic DNS update
e-mail -- 
fetch -- 
flood-ping -- Send a lot of ICMP Echo packets and wait for response
graphing -- System resource and traffic graphing
ip-scan -- 
mac-scan -- Scan for MAC addresses
mac-server -- MAC Telnet Server
mac-telnet -- MAC Telnet Client
netwatch -- Network watching tool (a simple ping tool for selected hosts)
ping-speed -- The ICMP bandwidth test
profile -- shows CPU usage for each process running in RouterOS.
*romon -- "Router Management Overlay Network"
sms -- 
*sniffer -- Packet sniffing
*torch -- Realtime traffic monitor (only real-time TX/RX measurement of flows)
traceroute -- Trace route to host
traffic-generator -- 
traffic-monitor -- The traffic monitor tool is used to execute console scripts when interface traffic crosses a given threshold.
wol --

Tips

  • how to generate an SSL certificate and enable HTTPS

https://blog.a2o.si/2015/08/11/mikrotik-how-to-generate-ssl-certificate-and-enable-https/

1. Create CA certificate first:
/certificate add name=my-rtr-ca common-name=my-rtr-ca key-usage=key-cert-sign,crl-sign
2. Sign the CA certificate:
/certificate sign my-rtr-ca
3. Now create a regular certificate for HTTPS access:
/certificate add name=my-rtr common-name=my-rtr
4. Sign it with the CA from steps 1 and 2:
/certificate sign ca=my-rtr-ca my-rtr
OPTIONAL: Mark it as trusted (I did not need to do this, but internets beg to differ:):
/certificate set trusted=yes my-rtr-ca
/certificate set trusted=yes my-rtr
5. And finally, assign the new certificate to HTTPS service:
/ip service set www-ssl certificate=my-rtr
  • list the users currently logged in on the RouterBoard
/user active print
  • show the value of an item (for example "enabled")
:put [/ip accounting get enabled];
or, from within the /ip accounting context:
:put [get enabled];
false
  • get an idea of which hosts consume the most bandwidth (via accounting)
1) enable accounting
/ip accounting set account-local-traffic=yes enabled=yes
/ip accounting web-access set accessible-via-web=yes address=192.168.0.0/24
2) take a snapshot
/ip accounting snapshot take
3) view the snapshot just taken
/ip accounting snapshot print
4) disable it
/ip accounting set account-local-traffic=no enabled=no
the "web-access" page is available at this URL (note: plain HTTP only, not HTTPS)
http://IPduRouteur/accounting/ip.cgi
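To turn the accounting snapshot into a ranked list of local hosts, here is an added Python example (it is not from the Linuxmemo page and not MikroTik code). It assumes that ip.cgi returns one record per line in the order src-address dst-address packets bytes [src-user] [dst-user]; the sample records are constructed. Since the page is served over plain HTTP only, the fetch helper should only be used from the subnet allowed by the address= parameter above.

```python
"""Aggregate a RouterOS /ip accounting snapshot into per-host byte totals.

Added example, not from the Linuxmemo page. Assumes (not verified here) that
http://<router>/accounting/ip.cgi serves one record per line:
    src-address dst-address packets bytes [src-user] [dst-user]
Adjust parse_snapshot() if your router's output differs.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple
from urllib.request import urlopen


class Record(NamedTuple):
    src: str
    dst: str
    packets: int
    nbytes: int


def parse_snapshot(text: str) -> List[Record]:
    """Parse ip.cgi-style text; malformed or blank lines are skipped, not fatal."""
    records: List[Record] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            ipaddress.ip_address(fields[0])   # validate both addresses
            ipaddress.ip_address(fields[1])
            records.append(Record(fields[0], fields[1], int(fields[2]), int(fields[3])))
        except ValueError:
            continue
    return records


def top_talkers(records: List[Record], local_net: str, limit: int = 5) -> List[Tuple[str, int]]:
    """Sum bytes per local host (as source or destination) and rank them.

    Both directions are credited to the host inside local_net, so a download
    is attributed to the client that received it, not to the remote server.
    """
    net = ipaddress.ip_network(local_net)
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        for addr in (r.src, r.dst):
            if ipaddress.ip_address(addr) in net:
                totals[addr] += r.nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def fetch_snapshot(router_ip: str) -> str:
    """Pull the current snapshot. The page is HTTP-only, so run this only from
    the subnet permitted by '/ip accounting web-access ... address='."""
    with urlopen(f"http://{router_ip}/accounting/ip.cgi", timeout=5) as resp:
        return resp.read().decode("ascii", errors="replace")


# Constructed sample (not real router output).
SAMPLE = """\
192.168.0.10 8.8.8.8 120 9600
8.8.8.8 192.168.0.10 118 150000
192.168.0.20 93.184.216.34 40 4000
93.184.216.34 192.168.0.20 38 2000000
192.168.0.10 192.168.0.20 10 500
garbage line that must be ignored
"""

if __name__ == "__main__":
    for host, total in top_talkers(parse_snapshot(SAMPLE), "192.168.0.0/24"):
        print(f"{host:16} {total:>10} bytes")
```

Running the block on the constructed sample ranks 192.168.0.20 first (2,004,500 bytes) and 192.168.0.10 second (160,100 bytes); replace SAMPLE with fetch_snapshot("<router-ip>") to work on a live snapshot.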
  • router information
/system routerboard print
/system routerboard settings print
/system license print
/system resource monitor # real-time CPU load
/system resource print # all resources: uptime, hdd, memory...
/tool profile # shows CPU usage for each process running in RouterOS.
  • resolve a DNS name
:put [:resolve "www.google.fr"];
  • ping a host
:ping 192.168.0.1
  • list the active connections through the firewall
/ip firewall connection print interval=5
  • search the firewall connections
:put [/ip firewall connection find where dst-address~"8.8.8.8"]
:put [/ip firewall connection find where dst-address~":80"]
:put [/ip firewall connection find where src-address~"192.168.0.10"]
:put [/ip firewall connection find where src-address~"192.168.0.10:80"]
  • port mirroring
/interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether3
  • close all connections for the address 192.168.0.30 (run from the /ip firewall connection context)
/ip firewall connection
:foreach r in=[find src-address~"192.168.0.30:"] do={remove $r}
  • stream the sniffer output as TZSP
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start
Wireshark capture filter: udp port 37008
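What arrives at the Wireshark box is TZSP over UDP port 37008. As an added example (not from the page and not MikroTik's code), the following Python decoder parses a TZSP datagram the way the sniffer emits it, walks the tag list, and summarises the encapsulated Ethernet frame; it is useful when a full Wireshark is not wanted on the collector, or to sanity-check that the stream is reaching it. The sample datagram is constructed and its MAC addresses are placeholders.

```python
"""Decode TZSP datagrams as streamed by RouterOS '/tool sniffer' (UDP 37008).

Added example, not from the Linuxmemo page. Wire format per the TZSP
specification: 1-byte version (1), 1-byte type (0 = received tag list),
2-byte encapsulation (1 = Ethernet), then tagged fields (tag 0x00 = padding
and 0x01 = end carry no length; all other tags are type, length, value),
followed by the captured frame.
"""
import socket
import struct
from typing import Dict, NamedTuple

TZSP_PORT = 37008            # default port used by RouterOS and Wireshark
ENCAP_ETHERNET = 0x0001
TAG_PADDING, TAG_END = 0x00, 0x01


class TzspFrame(NamedTuple):
    version: int
    encap: int
    tags: Dict[int, bytes]
    frame: bytes


def decode_tzsp(datagram: bytes) -> TzspFrame:
    """Parse one UDP payload; raise ValueError on truncated or unknown input
    instead of silently returning garbage."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    if ptype != 0:
        raise ValueError(f"not a received-tag-list packet (type {ptype})")
    tags: Dict[int, bytes] = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag length missing")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("tag value truncated")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return TzspFrame(version, encap, tags, datagram[pos:])


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_summary(frame: bytes) -> Dict[str, str]:
    """Extract dst/src MAC and EtherType from an encapsulated Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("Ethernet header truncated")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]), "ethertype": f"0x{ethertype:04x}"}


def receive_forever(bind_addr: str = "0.0.0.0", port: int = TZSP_PORT) -> None:
    """Minimal collector: bind the port the router streams to and print one
    summary per datagram. Malformed datagrams are reported and dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (router_ip, _) = sock.recvfrom(65535)
            try:
                pkt = decode_tzsp(data)
                if pkt.encap == ENCAP_ETHERNET:
                    print(router_ip, ethernet_summary(pkt.frame))
                else:
                    print(router_ip, f"encapsulation 0x{pkt.encap:04x}")
            except ValueError as err:
                print(router_ip, "dropped:", err)


# Constructed sample datagram (not a real capture): header, a 4-byte tag 0x0D,
# the end tag, then a 14-byte Ethernet header and 4 payload bytes.
SAMPLE = (
    bytes([0x01, 0x00, 0x00, 0x01])                # version 1, type 0, encap Ethernet
    + bytes([0x0D, 0x04, 0x00, 0x00, 0x12, 0x34])  # tag 0x0D, length 4, value
    + bytes([0x01])                                # end of tag list
    + bytes.fromhex("ffffffffffff")                # dst MAC: broadcast
    + bytes.fromhex("020000000001")                # src MAC: placeholder (locally administered)
    + bytes.fromhex("0806")                        # EtherType: ARP
    + bytes.fromhex("00010800")                    # start of ARP payload
)

if __name__ == "__main__":
    pkt = decode_tzsp(SAMPLE)
    print(ethernet_summary(pkt.frame), {hex(k): v.hex() for k, v in pkt.tags.items()})
```

Call receive_forever() on the machine named in streaming-server= to watch the live stream; the port is unauthenticated UDP, so keep it reachable only from the router's address (a host firewall rule on the collector is the usual way).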