RouterBoard MikroTik
De Linuxmemo.
(Différences entre les versions)
(→Astuces) |
(→Astuces) |
||
| (17 versions intermédiaires masquées) | |||
| Ligne 58 : | Ligne 58 : | ||
==IP== | ==IP== | ||
| - | '''accounting''' -- Traffic accounting | + | *'''accounting''' -- Traffic accounting |
address -- Address management | address -- Address management | ||
arp -- ARP entries management | arp -- ARP entries management | ||
| Ligne 80 : | Ligne 80 : | ||
ssh -- SSH settings | ssh -- SSH settings | ||
tftp -- TFTP | tftp -- TFTP | ||
| - | '''traffic-flow''' -- Traffic-Flow is a system that provides statistic information about packets which pass through | + | *'''traffic-flow''' -- Traffic-Flow is a system that provides statistic information about packets which pass through |
the router to extern NTop program (for example). | the router to extern NTop program (for example). | ||
As Traffic-Flow is compatible with Cisco NetFlow, it can be used with various utilities which are designed for Cisco's NetFlow. | As Traffic-Flow is compatible with Cisco NetFlow, it can be used with various utilities which are designed for Cisco's NetFlow. | ||
| Ligne 89 : | Ligne 89 : | ||
bandwidth-test -- Run bandwidth test to remote router | bandwidth-test -- Run bandwidth test to remote router | ||
dns-update -- Dynamic DNS update | dns-update -- Dynamic DNS update | ||
| - | e-mail -- | + | '''e-mail''' -- |
| - | fetch -- | + | '''fetch''' -- |
flood-ping -- Send a lot of ICMP Echo packets and wait for response | flood-ping -- Send a lot of ICMP Echo packets and wait for response | ||
graphing -- System resource and traffic graphing | graphing -- System resource and traffic graphing | ||
| - | ip-scan -- | + | '''ip-scan''' -- |
mac-scan -- Scan for MAC addresses | mac-scan -- Scan for MAC addresses | ||
mac-server -- MAC Telnet Server | mac-server -- MAC Telnet Server | ||
mac-telnet -- MAC Telnet Client | mac-telnet -- MAC Telnet Client | ||
| - | netwatch -- Network watching tool | + | '''netwatch''' -- Network watching tool (simple outil de ping sur certaines machines) |
ping-speed -- The ICMP bandwidth test | ping-speed -- The ICMP bandwidth test | ||
| - | profile -- | + | '''profile''' -- shows CPU usage for each process running in RouterOS. |
| - | romon -- | + | *'''romon''' -- "Router Management Overlay Network" |
sms -- | sms -- | ||
| - | sniffer -- Packet sniffering | + | *'''sniffer''' -- Packet sniffering |
| - | torch -- Realtime traffic monitor | + | *'''torch''' -- Realtime traffic monitor (uniquement la mesure TX/RX des flux en temps réel) |
traceroute -- Trace route to host | traceroute -- Trace route to host | ||
traffic-generator -- | traffic-generator -- | ||
| - | traffic-monitor -- The traffic monitor tool | + | traffic-monitor -- The traffic monitor tool is used to execute console scripts when interface traffic crosses a given threshold. |
wol -- | wol -- | ||
| - | ==how to generate SSL certificate and enable HTTPS | + | ==Astuces== |
| + | *how to generate SSL certificate and enable HTTPS | ||
https://blog.a2o.si/2015/08/11/mikrotik-how-to-generate-ssl-certificate-and-enable-https/ | https://blog.a2o.si/2015/08/11/mikrotik-how-to-generate-ssl-certificate-and-enable-https/ | ||
| - | |||
1. Create CA certificate first: | 1. Create CA certificate first: | ||
/certificate add name=my-rtr-ca common-name=my-rtr-ca key-usage=key-cert-sign,crl-sign | /certificate add name=my-rtr-ca common-name=my-rtr-ca key-usage=key-cert-sign,crl-sign | ||
| Ligne 125 : | Ligne 125 : | ||
5. And finally, assign the new certificate to HTTPS service: | 5. And finally, assign the new certificate to HTTPS service: | ||
/ip service set www-ssl certificate=my-rtr | /ip service set www-ssl certificate=my-rtr | ||
| - | |||
| - | |||
*lister les utilisateurs actuellement logger sur le RouterBoard | *lister les utilisateurs actuellement logger sur le RouterBoard | ||
/user active print | /user active print | ||
| Ligne 153 : | Ligne 151 : | ||
/system resource monitor #charge cpu en temps réel | /system resource monitor #charge cpu en temps réel | ||
/system resource print #toutes les ressources uptime, hdd, memory... | /system resource print #toutes les ressources uptime, hdd, memory... | ||
| + | /tool profile # shows CPU usage for each process running in RouterOS. | ||
*faire une résolution DNS | *faire une résolution DNS | ||
:put [:resolve "www.google.fr"]; | :put [:resolve "www.google.fr"]; | ||
*faire un ping | *faire un ping | ||
:ping 192.168.0.1 | :ping 192.168.0.1 | ||
| + | *lister les connexions activent au travers du pare-feu | ||
| + | /ip firewall connection print interval=5 | ||
| + | *Firewall Connections recherche | ||
| + | :put [/ip firewall connection find where dst-address~"8.8.8.8"] | ||
| + | :put [/ip firewall connection find where dst-address~":80"] | ||
| + | :put [/ip firewall connection find where src-address~"192.168.0.10"] | ||
| + | :put [/ip firewall connection find where src-address~"192.168.0.10:80"] | ||
| + | *Port monitor | ||
| + | /interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether3 | ||
| + | *Fermer toutes les connections pour l'adresse 192.168.0.30 | ||
| + | /ip firewall connection> | ||
| + | :foreach r in=[find src-address~"192.168.0.30:"] do [remove $r] | ||
| + | *sniffer TZSP stream | ||
| + | /tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box | ||
| + | /tool sniffer start | ||
| + | Wireshark filtre de capture: udp port 37008 | ||
Version actuelle en date du 21 décembre 2016 à 09:33
Sommaire |
[modifier] Manuel
http://wiki.mikrotik.com/wiki/Manual:TOC
[modifier]
certificate -- Certificate management disk -- list all attached storage devices (non disponible pour RS450 car aucun usb/sd slot) driver -- Driver management (non disponible pour RS450 car tous les drivers sont déjà chargés) file -- Local router file storage. interface -- Interface configuration ip -- IP options ipv6 -- log -- System logs metarouter -- virtualisation de routeurs (non disponible pour RS450) mpls -- partitions -- (non pertinent pour RS450 car 1 seule partition est disponible) port -- Serial ports queue -- Bandwidth management radius -- Radius client settings routing -- snmp -- SNMP settings system -- tool -- Diagnostics tools user --
[modifier] Commands and Scripting
http://wiki.mikrotik.com/wiki/Manual:Scripting
[modifier] System
backup -- Makes a full system backup check-installation -- Check installed packages clock -- Print/change system date and time console -- Connection over serial port default-configuration -- health -- Router health history -- Command history identity -- System identity leds -- license -- Licensing information logging -- Global logging configuration note -- Login note ntp -- package -- Software packages reboot -- Restart the router reset-configuration -- resource -- System resources routerboard -- Routerboard options scheduler -- Schedule scripts to be run at times script -- Scripting management serial-terminal -- Serial Terminal shutdown -- Shut the router down ssh -- SSH client sup-output -- Create support output file telnet -- Run Telnet upgrade -- Router upgrading watchdog -- Watchdog
[modifier] IP
*accounting -- Traffic accounting address -- Address management arp -- ARP entries management cloud -- ddns dhcp-client -- DHCP client settings dhcp-relay -- DHCP relay settings dhcp-server -- DHCP server settings dns -- DNS settings - This is a simple DNS cache with local items (provide fake DNS information to your network clients). firewall -- Firewall management hotspot -- HotSpot servers management ipsec -- IP security neighbor -- Neighbors packing -- Packet packing settings pool -- IP address pool proxy -- performs proxying of HTTP and HTTP-proxy (for FTP and HTTP protocols) requests. route -- Route management service -- IP services settings -- IP Settings allows to configure several IP related kernel parameters. smb -- socks -- SOCKS version 4 proxy ssh -- SSH settings tftp -- TFTP *traffic-flow -- Traffic-Flow is a system that provides statistic information about packets which pass through the router to extern NTop program (for example). As Traffic-Flow is compatible with Cisco NetFlow, it can be used with various utilities which are designed for Cisco's NetFlow. upnp -- Universal Plug and Play
[modifier] Tools
bandwidth-server -- Bandwidth tester service bandwidth-test -- Run bandwidth test to remote router dns-update -- Dynamic DNS update e-mail -- fetch -- flood-ping -- Send a lot of ICMP Echo packets and wait for response graphing -- System resource and traffic graphing ip-scan -- mac-scan -- Scan for MAC addresses mac-server -- MAC Telnet Server mac-telnet -- MAC Telnet Client netwatch -- Network watching tool (simple outil de ping sur certaines machines) ping-speed -- The ICMP bandwidth test profile -- shows CPU usage for each process running in RouterOS. *romon -- "Router Management Overlay Network" sms -- *sniffer -- Packet sniffering *torch -- Realtime traffic monitor (uniquement la mesure TX/RX des flux en temps réel) traceroute -- Trace route to host traffic-generator -- traffic-monitor -- The traffic monitor tool is used to execute console scripts when interface traffic crosses a given threshold. wol --
[modifier] Astuces
- how to generate SSL certificate and enable HTTPS
https://blog.a2o.si/2015/08/11/mikrotik-how-to-generate-ssl-certificate-and-enable-https/
1. Create CA certificate first: /certificate add name=my-rtr-ca common-name=my-rtr-ca key-usage=key-cert-sign,crl-sign 2. Sign the CA certificate: /certificate sign my-rtr-ca 3. Now create a regular certificate for HTTPS access: /certificate add name=my-rtr common-name=my-rtr 4. Sign it with CA from steps 1&2: /certificate sign ca=my-rtr-ca my-rtr OPTIONAL: Mark it as trusted (I did not need to do this, but internets beg to differ:): /certificate set trusted=yes my-rtr-ca /certificate set trusted=yes my-rtr 5. And finally, assign the new certificate to HTTPS service: /ip service set www-ssl certificate=my-rtr
- lister les utilisateurs actuellement logger sur le RouterBoard
/user active print
- Afficher la valeur d'un item (exemple "enabled")
:put [/ip accounting get enabled]; ou dans le contexte /ip accounting :put [get enabled]; false
- Avoir une idée de quels "hosts" sont les plus consommateurs de bande passante (via accounting)
1) activation de l'accounting /ip accounting set account-local-traffic=yes enabled=yes /ip accounting web-access set accessible-via-web=yes address=192.168.0.0/24 2) réaliser un "snapshot" /ip accounting snapshot take 3) visualiser le "snapshot" réalisé /ip accounting snapshot print 4) désactivation /ip accounting set account-local-traffic=no enabled=no
la page "web-access" est disponible a cette url (attention uniquement en http et pas https) http://IPduRouteur/accounting/ip.cgi
- informations sur le routeur
/system routerboard print /system routerboard settings print /system license print /system resource monitor #charge cpu en temps réel /system resource print #toutes les ressources uptime, hdd, memory... /tool profile # shows CPU usage for each process running in RouterOS.
- faire une résolution DNS
:put [:resolve "www.google.fr"];
- faire un ping
:ping 192.168.0.1
- lister les connexions activent au travers du pare-feu
/ip firewall connection print interval=5
- Firewall Connections recherche
:put [/ip firewall connection find where dst-address~"8.8.8.8"] :put [/ip firewall connection find where dst-address~":80"] :put [/ip firewall connection find where src-address~"192.168.0.10"] :put [/ip firewall connection find where src-address~"192.168.0.10:80"]
- Port monitor
/interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether3
- Fermer toutes les connections pour l'adresse 192.168.0.30
/ip firewall connection> :foreach r in=[find src-address~"192.168.0.30:"] do [remove $r]
- sniffer TZSP stream
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box /tool sniffer start Wireshark filtre de capture: udp port 37008
