
MikroTik Invisible Tools

By : Haydar Fadel
2014
E-mail Tool
A tool that allows you to send e-mail from the router.
It can be used, along with other tools, to send the network administrator
regular configuration backups, for example.

Tool CLI path

/tool e-mail
E-mail, Example
Configuring the e-mail tool parameters, using Gmail as the SMTP server:

/tool e-mail
set address=173.194.77.108
set port=587
set from=routerid@gmail.com
set user=routerid
set password=mypassword

Note: 173.194.77.108 is one of the many addresses smtp.gmail.com resolved to at the time of writing, so a hard-coded IP stops working whenever Google changes it. Gmail's port 587 expects STARTTLS plus authentication, so the e-mail tool's TLS setting must be enabled for this to work, and the password stored here is readable by anyone who can read the router configuration.

/tool e-mail send from=router@gmail.com server=173.194.77.108 \
    to=youremail@domain.com subject=Host-Monitor

The command above sends a test message to verify that the e-mail tool works.


Send Automatic Backup
This example uses the e-mail tool to send an automatic configuration backup to the network administrator.
The following steps are required:
1. Create a system script named export-send with this content:

/export compact file=export
/tool e-mail send to="router@domain.com" subject="$[/system identity get name]" \
    body="$[/system clock get date] configuration file" file=export.rsc
2. Add a scheduler entry that runs the script once a day:
/system scheduler
add on-event="export-send" start-time=00:00:00 interval=24h name=Email
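A hardened version of the same backup procedure, as an added example that is not part of the original slides: the e-mail tool is configured for STARTTLS, the export leaves out passwords and pre-shared keys, and the file is deleted from router storage once sent. It assumes a RouterOS 6.x build where /tool e-mail accepts tls=starttls and /export accepts hide-sensitive; admin@example.com and the Gmail credentials are placeholders, and 173.194.77.108 is the address used on the slides.

```routeros
# Added example (not from the slides). Assumes RouterOS 6.x with
# tls=starttls in /tool e-mail and hide-sensitive in /export.
# admin@example.com, routerid and mypassword are placeholders.

# 1. SMTP settings: STARTTLS protects the login and the mail on the router->Gmail hop
/tool e-mail
set address=173.194.77.108 port=587 tls=starttls \
    from=routerid@gmail.com user=routerid password=mypassword

# 2. Contents of the /system script named "export-send".
#    hide-sensitive keeps PPP/IPsec secrets and passwords out of the export, so a
#    compromised mailbox does not hand over every credential on the router.
/export compact hide-sensitive file=export
:delay 2s
/tool e-mail send to="admin@example.com" \
    subject=("[" . [/system identity get name] . "] config " . [/system clock get date]) \
    body="Daily configuration export" file=export.rsc
# sending is asynchronous: wait, then remove the copy from router storage
:delay 10s
/file remove [find name="export.rsc"]

# 3. Run it daily (same scheduler entry as on the slide)
/system scheduler
add name=Email on-event=export-send start-time=00:00:00 interval=24h
```

After the first run, /log print shows either "e-mail sent" or the SMTP error, which is the quickest way to confirm the TLS and login settings. Even with hide-sensitive, the export still reveals addressing, firewall rules and user names, so treat the mailbox that receives it as part of the router's trust boundary.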
Netwatch
A tool that allows you to monitor the status of network devices.
For each entry, you can specify:
IP address
Ping interval
Up and/or Down scripts
VERY useful to:
Be made aware of network failures
Automate a change of default gateway, for example, should the main
router fail
Just to have a quick view of what is up
Whatever else you can come up with to simplify and speed up your job
(and make you look efficient!)
Host: IP address of the host that should be monitored.
Interval: the time between pings.
Use these scripts:


Up
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" \
body="$[/system clock get date] $[/system clock get time] Node up."

Down
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" \
body="$[/system clock get date] $[/system clock get time] Node down."

In this example Netwatch monitors a specific host and e-mails the network administrator every time that host goes down or comes back up.
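The gateway failover use mentioned above, as an added example that is not part of the original slides: Netwatch watches a host behind the primary ISP and, on each transition, switches the default route and mails the administrator. All addresses are constructed placeholders, the e-mail tool is assumed to be configured already (see the E-mail Tool section), and 8.8.8.8 stands in for any host that is reliably reachable through ISP1.

```routeros
# Added example (not from the slides). Addresses are placeholders.

# Two default routes: ISP1 preferred (distance 1), ISP2 as backup (distance 2)
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.254 distance=1 comment=isp1
add dst-address=0.0.0.0/0 gateway=198.51.100.254 distance=2 comment=isp2
# Pin the probe host behind ISP1. Without this, after failover the probe would be
# answered via ISP2, Netwatch would report "up", re-enable isp1 and the route
# would flap between the two providers.
add dst-address=8.8.8.8/32 gateway=203.0.113.254 distance=1 comment=probe-isp1

# /system script "isp1-down": disable the primary default route and report it
/ip route set [find comment=isp1] disabled=yes
/tool e-mail send to="admin@example.com" \
    subject=("[" . [/system identity get name] . "] ISP1 down") \
    body=([/system clock get date] . " " . [/system clock get time] . " failed over to ISP2")

# /system script "isp1-up": re-enable the primary default route and report it
/ip route set [find comment=isp1] disabled=no
/tool e-mail send to="admin@example.com" \
    subject=("[" . [/system identity get name] . "] ISP1 up") \
    body=([/system clock get date] . " " . [/system clock get time] . " back on ISP1")

# Netwatch entry: one probe every 10 s, 1 s reply timeout, scripts run on transition
/tool netwatch
add host=8.8.8.8 interval=10s timeout=1s \
    down-script="/system script run isp1-down" \
    up-script="/system script run isp1-up"
```

Netwatch flips state on a single lost reply, so a short timeout over a lossy link causes spurious failovers; lengthen interval and timeout to what the link actually tolerates. Failover also breaks every connection that was NATed out through ISP1. For the simple "gateway stops answering" case, check-gateway=ping on the route itself achieves the same without scripts, but it cannot send the notification.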
Interface Traffic Monitor
The traffic monitor tool is used to run
scripts when an interface traffic
reaches a certain threshold.

Example
/tool traffic-monitor
add interface=ether1 name=TrafficMon1 on-event=script1 threshold=1500000 \
    traffic=received

/system script
add name=script1 policy=ftp,read,test,winbox,api source="/tool e-mail send \
    to=\"YOU@DOMAIN.CA\" subject=([/system identity get name] . \" Log \" . \
    [/system clock get date]) body=\"Hello World. You're going too fast!\""
Watchdog
This menu allows the system to be configured to reboot on kernel panic, when an
IP address does not respond, or when the system has locked up.
A software watchdog timer provides the last option, so in very rare cases
(caused by hardware malfunction) it can itself lock up.
A hardware watchdog device is available in all RouterBOARD PowerPC and
MIPSBE models and can reboot the system in any case.
Watchdog Properties

watch-address (IP; Default: none)
    The system will reboot if 6 sequential pings to the given IP address (sent once per 10 seconds) fail. If set to none this feature is disabled.
watchdog-timer (yes | no; Default: yes)
    Whether to reboot if the system is unresponsive for a minute.
no-ping-delay (time; Default: 5m)
    How long after a reboot not to test and ping watch-address. With the default setting, if watch-address is set and is not reachable, the router will reboot about every 6 minutes.
automatic-supout (yes | no; Default: yes)
    When a software failure happens, a file named "autosupout.rif" is generated automatically. The previous "autosupout.rif" file is renamed to "autosupout.old.rif".
auto-send-supout (yes | no; Default: no)
    After the support output file is automatically generated, it can be sent by e-mail.
send-email-from (string; Default: )
    E-mail address to send the support output file from. If not set, the value set in /tool e-mail is used.
send-email-to (string; Default: )
    E-mail address to send the support output file to.
send-smtp-server (string; Default: )
    SMTP server address to send the support output file through. If not set, the value set in /tool e-mail is used.
Watchdog Example
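An added example for this slide, not taken from the original deck: the watchdog is pointed at the router's own upstream gateway and set to mail the support output after a crash. The gateway address and e-mail address are placeholders, and /tool e-mail is assumed to be configured already.

```routeros
# Added example (not from the slides). 203.0.113.254 and admin@example.com
# are placeholders; SMTP settings come from /tool e-mail.
/system watchdog
set watch-address=203.0.113.254 watchdog-timer=yes no-ping-delay=5m \
    automatic-supout=yes auto-send-supout=yes send-email-to=admin@example.com

# Confirm what the router will act on
/system watchdog print
```

Pick a watch-address the router reaches directly (its own gateway), never a host somewhere on the internet: per the table above an unreachable watch-address reboots the router roughly every 6 minutes, so an upstream outage would turn into a reboot loop. Before planned maintenance on that link, set watch-address=none, and make sure no-ping-delay is longer than the time the link needs to come back after a reboot.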
Traffic Flow
MikroTik Traffic-Flow is a system that provides statistical information about
packets which pass through the router.
Besides network monitoring and accounting, system administrators can
identify various problems that may occur in the network.
With help of Traffic-Flow, it is possible to analyze and optimize the overall
network performance.
As Traffic-Flow is compatible with Cisco NetFlow, it can be used with
various utilities which are designed for Cisco's NetFlow.
Traffic-Flow supports the following NetFlow formats:
version 1 - the first version of the NetFlow data format; do not use it unless
you have to.
version 5 - in addition to version 1, version 5 can include BGP AS and flow
sequence number information. Currently RouterOS does not include BGP AS
numbers.
version 9 - a newer format which can be extended with new fields and record
types thanks to its template-based design.
Sub-menu: /ip traffic-flow
This section lists the configuration properties of Traffic-Flow.

interfaces (string | all; Default: all)
    Names of the interfaces used to gather statistics for traffic-flow. To specify more than one interface, separate them with a comma.
cache-entries (128k | 16k | 1k | 256k | 2k | ...; Default: 4k)
    Number of flows which can be in the router's memory simultaneously.
active-flow-timeout (time; Default: 30m)
    Maximum lifetime of a flow.
inactive-flow-timeout (time; Default: 15s)
    How long to keep a flow active if it is idle. If a connection does not see any packet within this timeout, traffic-flow exports the flow and treats further packets as a new flow. If this timeout is too small it can create a significant number of flows and overflow the buffer.
Note: Starting with the 6.0rc14 release, setting an interface reports both RX and
TX for that interface.
Previously traffic-flow reported only RX traffic for the interface, and to see
bidirectional data it was necessary to set up more interfaces.
Targets
Sub-menu: /ip traffic-flow target
Traffic-Flow targets specify the hosts which will receive the Traffic-Flow
information from the router.

address (IP:port; Default: )
    IP address and UDP port of the host which receives Traffic-Flow statistics packets from the router.
v9-template-refresh (integer; Default: 20)
    Number of packets after which the template is re-sent to the receiving host (NetFlow version 9 only).
v9-template-timeout (time; Default: )
    After how long to send the template if it has not been sent.
version (1 | 5 | 9; Default: )
    Which NetFlow format version to use.
Notes:
Looking at the packet flow diagram, traffic flow sits at the end of the input,
forward and output chains. This means that traffic flow only counts traffic
that reaches one of those chains.
For example, if you set up a mirror port on a switch, connect the mirror port
to the router and configure traffic flow to count the mirrored packets, the
setup will not work: the mirrored packets carry other hosts' destination MAC
addresses, so they are dropped before they reach the input chain.
Other interfaces will appear in the report if traffic passes through both them
and the monitored interface.
Traffic Flow Example
This example shows how to configure Traffic-Flow on a router.
Enable Traffic-Flow on the router:

[admin@Haydar-Router] > ip traffic-flow set enabled=yes


[admin@Haydar-Router] > ip traffic-flow print
enabled: yes
interfaces: ether1
cache-entries: 256k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
[admin@Haydar-Router] >
Specify the IP address and port of the host which will receive Traffic-Flow
packets, then verify:

[admin@Haydar-Router] > ip traffic-flow target add address=192.168.0.13:2055 version=9
[admin@Haydar-Router] > ip traffic-flow target print
Flags: X - disabled
 #   ADDRESS              VERSION
 0   192.168.0.13:2055    9
[admin@Haydar-Router] >
Now the router starts to send packets with Traffic-Flow information.
Some screenshots from the ntop program, which gathered Traffic-Flow information
from our router and displays it in nice graphs and statistics.
Really, I prefer ManageEngine for network monitoring and management programs.
Please visit: http://www.manageengine.com/
For example, where and what kind of traffic has flowed:
Open Flow Overview
OpenFlow is an open standard that enables researchers to run experimental
protocols in the campus networks we use every day.
OpenFlow is added as a feature to commercial Ethernet switches, routers and
wireless access points and provides a standardized hook to allow researchers
to run experiments, without requiring vendors to expose the internal workings
of their network devices.
OpenFlow is currently being implemented by major vendors, with
OpenFlow-enabled switches now commercially available.
What does this really mean, though?
You start with an OF switch and a controller. The OF switch is a
switch/router/access point that runs the OF client.
Most switches have a flow table built from TCAM. This flow table
determines which traffic moves where.
OpenFlow (OF) is meant to be a means of testing new routing or forwarding
methods to build these flow tables.
It is designed to allow for layer 3 or layer 2 forwarding based on: port,
MAC, VLAN, TCP header, or IP header.
It accomplishes this by establishing a control channel between the OF switch
and the controller; the OpenFlow standard specifies TLS for this channel (see
the RouterOS implementation notes for what is actually available there).
When a new flow starts, the switch sends the first packets to the controller.
The controller then builds an entry in the flow table to handle the remainder
of this connection.
OF switches also have the ability to segregate the OF flow table from that of
the standard switch.
The idea is you can choose a handful of ports on a device and have them
participate in the OF test.
Your controller will then update all of the OF switches in the chain with the
new flow information.
Since this is a separate flow table the device will continue to process all
other traffic based on the standard flow table.
As long as you can maintain connectivity to the controller you can write your
own proprietary mesh algorithm and have the MikroTiks use it.
You could write your own algorithm that monitors all of your ISP interfaces
via SNMP and adjusts routing on the fly according to congestion. Really, the
sky is the limit at this point.
Right now there are really only two commands in the MikroTik implementation:
Open Flow Implementation
Currently RouterOS implements OpenFlow version 1.0.0 required features.
Support for newer versions, optional features and switching hardware
acceleration are to be added.
Current implementation should be considered experimental - NOT
production ready and is available for evaluation purposes.
OpenFlow support is available as standalone openflow package.
Due to this care must be taken to not disable access to the device when
configuring OpenFlow.
Currently only unencrypted TCP is available as the communications
channel between RouterOS OpenFlow switch and controller.
RouterOS supports multiple OpenFlow switch instances, each of which can
have separate controller(s) and sets of ports.
A switch instance can be added using the command:
[admin@MikroTik] > /openflow add name=ofswitch1 controllers=10.0.0.18

Switch ports can be added using the command:
[admin@MikroTik] > /openflow port add switch=ofswitch1 interface=ether2

Do not add the interface you manage the router through: with the control
channel unencrypted and the implementation experimental, a port handed to the
controller is a port you may no longer be able to reach the device on.
Traffic Generate Overview
Traffic Generator is a tool that allows you to evaluate the performance of a DUT
(Device Under Test) or SUT (System Under Test).
Tool can generate and send RAW packets over specific ports. It also
collects latency and jitter values, tx/rx rates, counts lost packets and
detects Out-of-Order (OOO) packets.
Traffic Generator can be used similar to bandwidth test tool as well as
generate packets that will be routed back to packet generator for
advanced status collection.
RouterOS version 6 introduces a new tool, "traffic generator", which allows
performance testing without expensive test hardware.
Traffic is generated from one or more routers in the network.
This section shows the configuration and hardware needed to replicate the
tests published on routerboard.com.
Traffic Generate Implementation
IPsec-Tunnel

IPsec Tunnel, Site-to-Site VPN

So you have multiple sites that all have internet connections.
You want to securely connect the internal subnets together. How would one
accomplish this?
You would use an IPsec tunnel. Imagine it as a secure pipe that connects one
site to the other.
This tutorial shows how this configuration is accomplished.
Site 1 MT 1
Step 1: Configuring NAT
Site 1 MT 1
Step 1: Configuring NAT, troubleshooting
The NAT rule we created (accept traffic from the local subnet to the remote
subnet) must be the first rule in the srcnat chain. If the masquerade rule
matches first, the packets leave with the public source address, no longer
match the IPsec policy, and are sent to the remote subnet unencrypted.
Step 2: add IPsec Policy
1. src-address is the local network address.
2. dst-address is the destination network.
1. SA src-address is the local public IP address.
2. SA dst-address is the destination public IP address.
Step 3: add IPsec Peer

Notes:
1. Address is the destination router's public IP address.
2. The secret must match on both routers.
3. If the packets pass through any NAT device, enable NAT Traversal; it is
safe to leave it enabled at all times.
Step 4: optionally you can change the phase 2 (proposal) settings of IPsec
Site 2 MT 2
Step 1: Configuring NAT
Site 2 MT 2
Step 1: Configuring NAT, troubleshooting
The NAT rule we created (accept traffic from the local subnet to the remote
subnet) must be the first rule in the srcnat chain. If the masquerade rule
matches first, the packets leave with the public source address, no longer
match the IPsec policy, and are sent to the remote subnet unencrypted.
Step 2: add IPsec Policy
1. src-address is the local network address.
2. dst-address is the destination network.
1. SA src-address is the local public IP address.
2. SA dst-address is the destination public IP address.
Step 3: add IPsec Peer

Notes:
1. Address is the destination router's public IP address.
2. The secret must match on both routers.
3. If the packets pass through any NAT device, enable NAT Traversal; it is
safe to leave it enabled at all times.
Step 4: optionally you can change the phase 2 (proposal) settings of IPsec
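The four steps above for both sites, as one added CLI example that is not part of the original slides (the slides show only WinBox screenshots). It uses RouterOS 6.x syntax from before the peer/identity split in 6.43. All addresses, interface names and the pre-shared key are constructed placeholders: Site 1 has LAN 192.168.1.0/24 behind public 203.0.113.1 on ether1, Site 2 has LAN 192.168.2.0/24 behind public 198.51.100.1; Site 2 uses the same commands with the two sides swapped.

```routeros
# Added example (not from the slides): Site 1 (MT 1), RouterOS 6.x pre-6.43.
# Placeholders: 192.168.1.0/24 and 203.0.113.1 (Site 1), 192.168.2.0/24 and
# 198.51.100.1 (Site 2), ether1 as the WAN port, and the PSK.

# Step 1: NAT. The accept rule must sit above masquerade (place-before=0);
# otherwise LAN-to-LAN packets get a public source address, never match the
# policy and leave the router in clear text.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=accept comment="no NAT for site-to-site IPsec" place-before=0
# the existing internet masquerade stays below it
add chain=srcnat out-interface=ether1 action=masquerade

# Step 3 first, so the peer and proposal exist before the policy refers to them.
# Phase 1: main mode, pre-shared key, NAT-T enabled as the slides advise.
# AES-256 / SHA-256 / modp2048 assume a build that offers them; whatever is
# chosen, both sides must use the same values.
/ip ipsec peer
add address=198.51.100.1/32 secret="use-a-long-random-psk" exchange-mode=main \
    nat-traversal=yes enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Step 4 (optional): phase 2 proposal used by the policy below
/ip ipsec proposal
set default enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Step 2: tunnel-mode policy, local LAN <-> remote LAN, SA between the public IPs
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    action=encrypt proposal=default

# If the input chain drops by default, admit IKE, NAT-T and ESP from the peer only
/ip firewall filter
add chain=input src-address=198.51.100.1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T from site 2" place-before=0
add chain=input src-address=198.51.100.1 protocol=ipsec-esp \
    action=accept comment="ESP from site 2" place-before=0

# Connectivity check (the CLI equivalent of the WinBox views on the next slides).
# Ping from the LAN address, not the WAN address: only LAN->LAN matches the policy.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ping 192.168.2.1 src-address=192.168.1.1
```

If installed-sa stays empty, the usual causes are the NAT bypass rule sitting below masquerade, a mismatched PSK or proposal, or UDP 500/4500 and ESP blocked by the input chain on either side. Reusing one pre-shared key across many sites means one compromised router can impersonate any of them, so give each peer pair its own.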
IPsec Connectivity Check

Active IPsec peers as seen from Router 1

Traceroute from Router 2 to LAN 1

Potrebbero piacerti anche