Mikrotik - Part5 Consol and other
Contents

Articles
• Manual:Port
• Manual:Console
• Manual:Console login process
• Manual:Special Login
• Manual:System/Serial Console
• Manual:Scripting
• Manual:Scripting-examples
• Manual:Lua
• Manual:System/SSH client
• Manual:IP/SSH
• Manual:System/Log
• Manual:System/UPS
• Manual:System/LCD
• Manual:System/GPS
• Manual:IP/Traffic Flow
• Manual:SNMP
• Manual:Tools/Graphing
• Manual:Tools/Profiler
• Manual:Tools/Packet Sniffer
• Manual:Troubleshooting
• Manual:Store
• Manual:System/Watchdog
• Manual:System/Scheduler
• Manual:System/Time
• Manual:API
• Manual:IP/Proxy
• Manual:Tools/Fetch

References
• Article Sources and Contributors
• Image Sources, Licenses and Contributors
Manual:Port
Applies to RouterOS: v5+

Summary
There are many ways to use ports on the routers. The most obvious one is to use the serial port for initial RouterOS configuration after installation (by default serial0 is used by serial-terminal). Serial and USB ports can also be used to:
• connect 3G modems;
• connect to another device through a serial cable;
• access a device connected to a serial cable remotely.

General
Sub-menu: /port
Menu lists all available serial, usb, ...
Property - Description
channels (integer) - Number of channels supported by the port.
inactive (yes | no)
line-state ()
used-by (string) - Shows what is using the current port. For example, by default Serial0 is used by serial-console.

Firmware
Sub-menu: /port firmware
This submenu allows specifying the directory where drivers for 3G modems can be uploaded and used.
Property - Description
active (yes | no) - Whether remote access is active and ready to accept connection.
busy (yes | no) - Whether port is currently busy.
inactive (yes | no)
logging-active (yes | no) - Whether logging to file is currently running.
remote-address (IP address) - IP address of remote location that is currently connected.

See More
• Special Login
• Serial Console
• Serial Port Usage

Manual:Console
Applies to RouterOS: 2.
 4 ADC 10.10.10.0/24 10.10.10.1 0 wlan1
[admin@MikroTik] >

Instead of typing the ip route path before each command, the path can be typed only once to move into this particular branch of the menu hierarchy.
Item Names and Numbers
Many of the command levels operate with arrays of items: interfaces, routes, users etc. Such arrays are displayed in similar-looking lists. All items in the list have an item number followed by flags and parameter values. To change properties of an item, you have to use the set command and specify the name or number of the item.

Item Names
Some lists have items with specific names assigned to each of them. Examples are interface or user levels.
Quick Typing
There are two features in the console that help entering commands much quicker and easier - the [Tab] key completions, and abbreviations of command names. Completions work similarly to the bash shell in UNIX. If you press the [Tab] key after a part of a word, console tries to find the command within the current context that begins with this word.
• Common Parameters
  • copy-from - Copies an existing item. It takes default values of new item's properties from another item. If you do not want to make exact copy, you can specify new values for some properties. When copying items that have names, you will usually have to give a new name to a copy
  • place-before - places a new item before an existing item with specified position.
Modes
The console line editor works either in multiline mode or in single line mode. In multiline mode the line editor displays the complete input line, even if it is longer than a single terminal line. It also uses a full screen editor for editing large text values, such as scripts. In single line mode only one terminal line is used for line editing, and long lines are shown truncated around the cursor. The full screen editor is not used in this mode. The choice of mode depends on detected terminal capabilities.
move cursor to the beginning of the line. If cursor is already at the beginning of the line, then go to the beginning of the first line of current input.
Control-E or End - move cursor to the end of line. If cursor is already at the end of line, then move it to the end of the last line of current input.
Control-L or F5 - reset terminal and repaint screen.
up, down and split keys leave cursor at the end of line.

Built-in Help
The console has a built-in help, which can be accessed by typing ?.
Message Safe Mode taken is displayed and the prompt changes to reflect that the session is now in safe mode. All configuration changes that are made (also from other login sessions) while the router is in safe mode are automatically undone if the safe mode session terminates abnormally.
• [d] - leaves everything as-is.

If too many changes are made while in safe mode, and there is no room in history to hold them all (currently history keeps up to 100 most recent actions), then the session is automatically taken out of safe mode and no changes are automatically undone. Thus, it is best to change configuration in small steps while in safe mode. Pressing [Ctrl]+[X] twice is an easy way to empty the safe mode action list.
Manual:Console login process

Use up arrow to recall previous commands from command history, TAB key to automatically complete words in the command you are typing, ENTER key to execute command, and Control-C to interrupt currently running command and return to prompt.
License
After logging in for the first time after installation you are asked to read the software licenses.

Do you want to see the software license? [Y/n]:

Answer y to read the licenses, n if you do not wish to read the licenses (the question will not be shown again). Pressing SPACE will skip this step and the same question will be asked after the next login.
This is an example:
The following default configuration has been installed on your router:
------------------------------------------------------------------------------
IP address 192.168.88.
[admin@MikroTik] >>

It is possible to write commands that consist of multiple lines. When the entered line is not a complete command and more input is expected, the console shows a continuation prompt that lists all open parentheses, braces, brackets and quotes, and also a trailing backslash if the previous line ended with backslash-whitespace.

[admin@MikroTik] > {
{... :put (\
{(\...
Manual:Special Login
Applies to RouterOS: v3, v4, v5

Description
Special login can be used to access another device (like a switch, for example) that is connected through a serial cable by opening a telnet/ssh session that will get you directly on this device (without having to log in to RouterOS first).

Setup
For demonstration we will use two RouterBoards and one PC. Routers R1 and R2 are connected with a serial cable and the PC is connected to R1 via ethernet.
 # PORT TERM
 0 X serial0 vt102

Next step is to add a new user, in this case serial, and bind it to the serial port:

[admin@MikroTik] > /user add name=serial group=full
[admin@MikroTik] > /special-login add user=serial port=serial0 disabled=no
[admin@MikroTik] > /special-login print
Flags: X - disabled
 # USER PORT
 0 serial serial0

Now we are ready to access R2 from our PC.

maris@bumba:/$ ssh serial@10.1.101.146
[Ctrl-A is the prefix key]
R2 4.
b - booter options
t - call debug code
l - erase license
x - exit setup
your choice: k - boot key

Select key which will enter setup on boot:
 * 1 - any key
   2 - key only
your choice: 2

See More
• Serial Console
• Sigwatch

Manual:System/Serial Console
Applies to RouterOS: v3, v4, v5+

Overview
Sub-menu: /system console, /system serial-terminal
Standards: RS-232
The Serial Console and Terminal are tools, used to communicate with devices and other system
With the serial-terminal feature of the MikroTik, up to 132 (and, maybe, even more) devices can be monitored and controlled.

Serial Console Configuration
A special null-modem cable should be used for connecting to the serial console from another computer.
Property - Description
disabled (yes | no; Default: no) - Whether serial console is enabled or not.
port (string) - Which port should the serial terminal listen to
term (string) - Terminal type

Read-only properties
Property - Description
free (yes | no) - Console is ready for use.
used (yes | no) - Console is in use.
vcno (integer) - number of virtual console - [Alt]+[F1] represents '1', [Alt]+[F2] - '2', etc..
[admin@MikroTik] system serial-console> /port print detail
 0 name=serial0 used-by=Serial Console baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none
 1 name=serial1 used-by="" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none
[admin@MikroTik] system serial-console>

Using Serial Terminal
Command: /system serial-terminal
The command is used to communicate with devices and other systems that are connected to the router via serial port.
Console Screen
Sub-menu: /system console screen
This facility is used to change the number of lines per screen if you have a monitor connected to the router.

Property - Description
line count (25|40|50; Default: 25) - Number of lines on monitor

This parameter is applied only to a monitor connected to the router.
Manual:Scripting

Line structure
A RouterOS script is divided into a number of command lines. Command lines are executed one by one until the end of the script or until a runtime error occurs.

Command line
RouterOS console uses the following command syntax:
[prefix] [path] command [uparam] [param=[value]] .. [param=[value]]
• [prefix] - ":" or "/" character which indicates if command is ICE or path. May or may not be required.
• [path] - relative path to the desired menu level. May or may not be required.
Line joining
Two or more physical lines may be joined into logical lines using backslash character (\). A line ending in a backslash cannot carry a comment. A backslash does not continue a comment. A backslash does not continue a token except for string literals. A backslash is illegal elsewhere on a line outside a string literal.
Scopes
Variables can be used only in certain regions of the script. These regions are called scopes. Scope determines visibility of the variable. There are two types of scopes - global and local. A variable declared within a block is accessible only within that block and blocks enclosed by it, and only after the point of declaration.

Global scope
Global scope or root scope is the default scope of the script. It is created automatically and cannot be turned off.
Keywords
The following words are keywords and cannot be used as variable and function names:
and or not in

Delimiters
The following tokens serve as delimiters in the grammar:
() [] {} : ; $ /

Data types
RouterOS scripting language has the following data types:
Type - Description
number - 64bit signed integer, possible hexadecimal input;
boolean - values can be true or false;
string - character sequence;
IP - IP address;
internal ID - hexadecimal value prefixed by '*' si
This is a test

Operators

Arithmetic Operators
The usual arithmetic operators are supported in the RouterOS scripting language.
Operator - Description. Example
"+" - binary addition. Example: :put (3+4);
"-" - binary subtraction. Example: :put (1-6);
"*" - binary multiplication. Example: :put (4*5);
"/" - binary division. Example: :put (10 / 2); :put ((10)/2)
"-" - unary negation. Example: { :local a 1; :put (-a); }

Note: for division to work you have to use braces or spaces around the dividend so it is not mistaken for an IP address.

Relational
Operator - Description. Example
"!" , "not" - logical NOT. Example: :put (!true);
"&&" , "and" - logical AND. Example: :put (true&&true)
"||" , "or" - logical OR. Example: :put (true||false);
"in" - Example: :put (1.1.1.1/32 in 1.0.0.0/8);

Bitwise Operators
Bitwise operators work on number and IP address data types.
Operator - Description. Example
"~" - bit inversion. Example: :put (~0.0.0.0)
"|" - bitwise OR. Performs logical OR operation on each pair of corresponding bits.
Other Operators
Operator - Description. Example
"[]" - command substitution. Can contain only single command line. Example: :put [ :len "my test string"; ];
"()" - sub expression or grouping operator. Example: :put ( "value is " . (4+5));
"$" - substitution operator. Example: :global a 5; :put $a;
"~" - binary operator that matches value against POSIX extended regular expression. Example: Print all routes which gateway ends with 202 /ip route print where gateway~"^[0-9 \\.
#valid variable name
:local myVar;
#invalid variable name
:local my-var;
#valid because double quoted
:global "my-var";

If a variable is initially defined without a value then the variable data type is set to nil, otherwise the data type is determined automatically by the scripting engine. Sometimes conversion from one data type to another is required. It can be achieved using data conversion commands.
pick - :pick [] - return range of elements or substring. If end position is not specified, will return only one element from an array. Example: :put [:pick "abcde" 1 3]
log - :log - write message to system log.
get - get = - get selected items parameter value
print - print =[] - print menu items. Output depends on print parameters specified. Most common print parameters are described here
export - export [file=] - export configuration from current menu and its sub-menus (if present). If file parameter is specified output will be written to file with extension '.rsc', otherwise output will be printed to console.
Loops and conditional statements
Command - Syntax - Description
do..while - :do { } while=( ); :while ( ) do={ }; - execute commands until given condition is met.
:global myFunc do={ :return ($a + $b)}
:put [$myFunc a=6 b=2]

output:
8

You can even clone an existing script from the script environment and use it as a function.
resolver failed
lala

Operations with Arrays
Warning: If a key name in an array contains any character other than a lowercase character, it should be put in quotes.

For example:
[admin@ce0] > {:local a { "aX"=1 ; ay=2 }; :put ($a->"aX")}
2

Loop through keys and values
The foreach command can be used to loop through keys and elements:
[admin@ce0] > :foreach k,v in={2; "aX"=1 ; y=2; 5} do={:put ("$k=$v")}
0=2
1=5
aX=1
y=2

Note: If array element has key then these elements are sorted in alphabetical o
policy (string; Default: ) - list of applicable policies:
• api - api permissions
• ftp - can log on remotely via ftp and send and retrieve files from the router
• local - can log on locally via console
• password - change passwords
• policy - manage user policies, add and remove user
• read - can retrieve the configuration
• reboot - can reboot the router
• sensitive - see passwords and other sensitive information
• sniff - can run sniffer, torch etc
• ssh - can log on remot
Property - Description
name (string) - Variable name
user (string) - User who defined variable
value () - Value assigned to variable

Job
Sub-menu level: /system script job
Contains list of all currently running scripts.
Manual:Scripting-examples

Strip netmask
This script is useful if you need an IP address without the netmask (for example to use it in firewall), but "/ip address get [id] address" returns the IP address and netmask.

Code:
:global ipaddress 10.1.101.1/24
:for i from=( [:len $ipaddress] - 1) to=0 do={
    :if ( [:pick $ipaddress $i] = "/") do={
        :put [:pick $ipaddress 0 $i]
    }
}

Another, much simpler way:
:global ipaddress 10.1.101.
Write simple queue stats in multiple files
Let's consider that queues are named "some text.1", so we can search queues by the last number right after the dot.
Generate backup and send it by e-mail
This script generates a backup file and sends it to the specified e-mail address. The mail subject contains the router's name, current date and time. Note that the SMTP server must be configured before this script can be used. See /tool e-mail for configuration options.

Script:
/system backup save name=email_backup
/tool e-mail send file=email_backup.backup to="me@test.
Block access to specific websites
This script is useful if you want to block certain web sites but you don't want to use web proxy. This example looks for entries "rapidshare" and "youtube" in the DNS cache and adds the IPs to an address list named "restricted".
Parse file to add ppp secrets
This script requires that entries inside the file are in the following format:
username,password,local_address,remote_address,profile,service

For example:
janis,123,1.1.1.1,2.2.2.1,ppp_profile,myService
juris,456,1.1.1.1,2.2.2.2,ppp_profile,myService
aija,678,1.1.1.1,2.2.2.3,ppp_profile,myService

Code:
:global content [/file get [/file find name=test.
:global lastTime;
:global currentBuf [ :toarray [ /log find buffer=pppoe ] ] ;
:global currentLineCount [ :len $currentBuf ] ;
:global currentTime [ :totime [/log get [ :pick $currentBuf ($currentLineCount -1) ] time ] ];
:global message "";
:if ( $lastTime = "" ) do={
    :set lastTime $currentTime ;
    :set message [/log get [ :pick $currentBuf ($currentLineCount-1) ] message];
} else={
    :if ( $lastTime < $currentTime ) do={
        :set lastTime $currentTime ;
        :set message [/log get
# Check and set NTP servers - "setntppool"
# We need to use the following globals which must be defined here even
# though they are also defined in the script we call to set them.
:put "Sending e-mail.";
/tool e-mail send \
    to=$SYSsendemail \
    subject=($SYSname . " NTP change") \
    from=$SYSmyemail \
    server=$SYSemailserver \
    body=("Your NTP servers have just been changed:\n\nPrimary:\nOld: " . $ntpcura . "\nNew: " \
    . $ntpipa . "\n\nSecondary\nOld: " . $ntpcurb . "\nNew: " .
  if ... then
    local targs = {...}
    for i,v in ipairs(targs) do
      strPrintResult = strPrintResult .. tostring(v) .. " "
    end
    strPrintResult = strPrintResult .. "\r\n"
    io.write(strPrintResult)
  end
end

Now you can include this custom function to other scripts and use this cool custom print function :) You can also modify this function to write messages in RouterOS log.

Read and write large files
Many users requested ability to work with files. Now you can do it without limitations.
Manual:Lua

Summary
• Version 4.0beta3 introduces preliminary support for Lua scripting language [1]. Integration with console is still in progress.
• RouterOS v4 RC1 removes Lua support indefinitely

Changes in console
• ':' and '/' namespaces are merged. Lookup rules have been changed so as not to affect existing scripts:
  • Without leading ':' or '/' names are looked up starting from the current path.
  • With leading ':' and '/' names are looked up starting from the root of the hierarchy.
values of non-boolean type were causing an error.
• Logical 'and' and 'or' operators ('&&' and '||') now use shortcut evaluation. If left hand value is sufficient for computing the operation, it is returned and the right hand value is not computed. Otherwise, operation returns the right hand value. Example:
put (9 or (1 / 0)) #prints 9, division is not computed

Changes in Lua compared to the standard release
• Lua base version is 5.1.4
• Number type is 64 bit signed integer.
Manual:System/SSH client

Overview
RouterOS provides an SSH client that supports SSHv2 logins to SSH servers reachable from the router.

Requirements
For this command to be available the router has to have the system and security packages installed.

Available features

Simple log-in to remote host
It is able to connect to a remote host and initiate an ssh session. IP address supports both IPv4 and IPv6.
/system ssh 192.168.88.
Executing remote commands
To execute a remote command, it has to be supplied at the end of the log-in line:
/system ssh 192.168.88.1 "/ip address print"
/system ssh 192.168.88.
/system ssh
/system ssh
Manual:IP/SSH

now when the user uses "telnet localhost 3000" it will log in to the router using telnet over an encrypted TCP connection.

Note: we fully support SFTP v3 as described in draft-ietf-secsh-filexfer-02.txt [1]; other versions can cause problems.

References
[1] http://tools.ietf.org/wg/secsh/draft-ietf-secsh-filexfer/draft-ietf-secsh-filexfer-02.txt

Manual:System/Log
Applies to RouterOS: v3, v4 +

Summary
RouterOS is capable of logging various system events and status information.
Note: the print command accepts several parameters that allow detecting new log entries, printing only necessary messages and so on. For more information about parameters refer to the scripting manual.

For example, the following command will print all log messages where one of the topics is info and will detect new log entries until Ctrl+C is pressed:
[admin@ZalaisKapots] /log > print follow where topics~".info"
12:52:24 script,info hello from script
-- Ctrl-C to quit.
email-to (string; Default: ) - email address where logs are sent, applicable only if action=email
memory-lines (integer [1..
Topic - Description
critical - Log entries marked as critical, these log entries are printed to console each time you log in.
debug - Debug log entries
error - Error messages
info - Informative log entry
packet - Log entry that shows contents from received/sent packet
raw - Log entry that shows raw contents of received/sent packet
warning - Warning message.

Topics used by various RouterOS facilities
Topic - Description
account - Log messages generated by accounting facility.
pptp - PPTP server/client related messages
radius - Log entries generated by RADIUS Client
radvd - IPv6 radv daemon log messages.
read - SMS tool messages
rip - RIP routing protocol messages
route - Routing facility log entries
rsvp - Resource Reservation Protocol generated messages.
script - Log entries generated from scripts
sertcp - Log messages related to facility responsible for "/ports remote-access"
simulator
state - DHCP Client and routing state messages.
/system logging action add name=usb target=disk disk-file-name=usb1/log

Example: Webproxy logging
These two screenshots will show you how to configure the RouterOS logging facility to send Webproxy logs to a remote syslog server, in this example located at 192.168.100.12. The syslog server can be any software that supports receiving syslogs, for example Kiwi syslog.
• Add a new logging action, with "remote" and the IP of the remote server.
• Then add a new logging rule with the topic "webproxy" and the newly created action. Note that you must have webproxy running on this router already for this to work. To test, you can temporarily change the action to "memory" and check in the "log" window whether the websites visited through webproxy are logged. If it works, change it back to your new remote action.

Note: it's a good idea to add another topic in the same rule: !debug.
Manual:System/UPS
Applies to RouterOS: v3, v4 +

Summary
Sub-menu: /system ups
Standards: APC Smart Protocol [1]
The UPS monitor feature works with APC UPS units that support “smart” signaling over serial RS232 or USB connection. This feature enables the network administrator to monitor the UPS and set the router to ‘gracefully’ handle any power outage with no corruption or damage to the router.
Property - Description
alarm-setting (delayed | immediate | low-battery | none; Default: immediate) - UPS sound alarm setting:
min-runtime (time; Default: 5m) - Minimal run time remaining. After a 'utility' failure, the router will monitor the runtime-left value. When the value reaches the min-runtime value, the router will go to hibernate mode.
serial="QS0030311640" manufacture-date="07/18/00" nominal-battery-voltage=24V
[admin@MikroTik] system ups>

Runtime Calibration
Command: /system ups rtc
The rtc command causes the UPS to start a run time calibration until less than 25% of full battery capacity is reached. This command calibrates the returned run time value.

Note: The test begins only if the battery capacity is 100%.
Example
When running on utility power:
[admin@MikroTik] system ups> monitor 0
  on-line: yes
  on-battery: no
  RTC-running: no
  runtime-left: 20m
  battery-charge: 100%
  battery-voltage: 27V
  line-voltage: 226V
  output-voltage: 226V
  load: 45%
  temperature: 39C
  frequency: 50Hz
  replace-battery: no
  smart-boost: no
  smart-trim: no
  overload: no
  low-battery: no
[admin@MikroTik] system ups>

When running on battery:
[admin@MikroTik] system ups> monitor 0
  on-line: no
  on-battery: yes
  transfer-cause: "Line volta
References
[1] http://www.exploits.org/nut/library/protocols/apcsmart.html

Manual:System/LCD
Applies to RouterOS: v3, v4, v5+

Summary
Sub-menu: /system lcd
Package: lcd
LCDs are used to display system information. The MikroTik RouterOS supports the following LCD hardware.
• Crystalfontz (http://www.crystalfontz.com) Intelligent Serial LCD Module 632 (16x2 characters) and 634 (20x4 characters)
• Powertip (http://www.powertip.com.tw) PC1602 (16x2 characters), PC1604 (16x4 characters), PC2002 (20x2 characters), PC2004 (20x4 characters), PC2402 (24x2 characters) and PC2404 (24x4 characters)
• Portwell (http://www.portwell.com.tw) EZIO-100 (16x2 characters)
• Townet (http://www.townet.it/prodotti/remote-control/tw-rc.
LCD Information Display Configuration
Sub-menu: /system lcd page
The submenu is used to configure the LCD information display: which pages will be shown and for how long. You can neither add your own pages (they are created dynamically depending on the configuration) nor change the pages' descriptions. Pages will be displayed for the specified amount of time, starting from the first one.
 7 5s prism1
[admin@MikroTik] system lcd page>

Troubleshooting
The LCD doesn't work and cannot be enabled by the '/system lcd set enabled=yes' command.
Probably the selected serial port is used by a PPP client or server, or by the serial console. Check the availability and use of the ports by examining the output of the /port print command.
Manual:System/GPS

Monitoring Status
Command: /system gps monitor
This command is used for monitoring the data received from a GPS receiver.

Parameters:
Property - Description
date-and-time (date) - Date and time received from GPS
latitude (none | string) - Latitude in DM (Degrees Minute decimal) format
longitude (none | string) - Longitude in DM (Degrees Minute decimal) format
speed (none | string) - Current moving speed of the GPS unit
bearing (none | string) - The compass direction toward which a GPS is
References
[1] http://www8.garmin.com/support/text_out.html
[2] http://en.wikipedia.org/wiki/Pulse_per_second

Manual:IP/Traffic Flow
Applies to RouterOS: 2.9, v3, v4 +

Summary
Sub-menu: /ip traffic-flow
MikroTik Traffic-Flow is a system that provides statistic information about packets which pass through the router. Besides network monitoring and accounting, system administrators can identify various problems that may occur in the network.
Note: Starting with the 6.0rc14 release, setting an interface will show RX and TX for the interface. Previously traffic-flow reported only RX traffic for the interface, and to see bidirectional data it was required to set up more interfaces.

Targets
Sub-menu: /ip traffic-flow target
With Traffic-Flow targets we specify those hosts which will gather the Traffic-Flow information from the router.
Now the router starts to send packets with Traffic-Flow information. Some screenshots from NTop program [1], which has gathered Traffic-Flow information from our router and displays it in nice graphs and statistics.
See more
• NetFlow Fundamentals [2]

References
[1] http://www.ntop.org/download.html
[2] http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+7.
Manual:SNMP

You can also specify administrative contact information in the above settings. All SNMP data will be available to communities configured in the community menu.

General Properties
Sub-menu: /snmp
This sub-menu allows enabling SNMP and configuring general settings.

Property - Description
contact (string; Default: "") - Contact information
enabled (yes | no; Default: no) - Used to disable/enable SNMP service
engine-id (string; Default: "") - for SNMP v3, used as part of identifier.
encryption-protocol: DES
authentication-password: *****
encryption-password: *****

Warning: Default settings only have one community named public without any additional security settings. These settings should be considered insecure and should be adjusted according to the required security profile.

Properties
Property - Description
address (IP/IPv6 address; Default: 0.0.0.
Object identifiers (OID)
Each OID identifies a variable that can be read via SNMP. Although the MIB file contains all the needed OID values, you can also print individual OID information in the console with the print oid command at any menu level:

[admin@MikroTik] /interface> print oid
Flags: D - dynamic, X - disabled, R - running, S - slave
 0 R name=.1.3.6.1.2.1.2.2.1.2.1 mtu=.1.3.6.1.2.1.2.2.1.4.1 mac-address=.1.3.6.1.2.1.2.2.1.6.1 admin-status=.1.3.6.1.2.1.2.2.1.7.1 oper-status=.1.3.6.1.
Reboot
It is possible to reboot the router with an SNMP set command; you need to set a value that is not equal to 0 for the reboot SNMP setting:

snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.7.1.0 s 1

• 1.3.6.1.4.1.14988.1.1.7.1.
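
The warning about the default public community and the SNMP-set reboot above can be turned into a configuration check. The following is an added example, not part of the MikroTik manual: it audits community records for the settings the manual calls insecure. The key=value record layout, the sample records, the finding labels and the acceptance of both "address" and "addresses" as the source-restriction property are assumptions made for the illustration.

```python
import re

# Constructed sample records in key=value form, modeled on a
# "/snmp community print detail" listing; not captured from a real router.
SAMPLE = '''\
 0 * name="public" addresses=0.0.0.0/0 security=none read-access=yes write-access=no
 1   name="public" address=0.0.0.0/0 security=none read-access=yes write-access=yes
 2   name="nms-ro" addresses=192.168.0.10/32 security=private write-access=no encryption-protocol=DES
 3   name="nms-v3" addresses=192.168.0.10/32,192.168.0.11/32 security=private write-access=no encryption-protocol=AES
 4   name="lab" write-access=no
'''

# key=value, where the value is either a quoted string or a bare token
PAIR = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def parse_communities(text):
    """Return one dict per line that carries a community name."""
    records = []
    for line in text.splitlines():
        pairs = {key: value.strip('"') for key, value in PAIR.findall(line)}
        if "name" in pairs:
            records.append(pairs)
    return records


def audit(record):
    """Return finding labels (labels are this example's own) for one community."""
    findings = []
    # Assumption: the source restriction may appear as "address" or "addresses".
    sources = record.get("addresses", record.get("address"))
    security = record.get("security")
    if record["name"] == "public":
        findings.append("default-name")        # the well-known default community
    if security is None or sources is None:
        findings.append("incomplete-record")   # cannot judge; needs a manual look
    if security == "none":
        findings.append("no-security")         # community string is the only secret
    if sources and any(s.strip() in ANY_SOURCE for s in sources.split(",")):
        findings.append("any-source")          # queries accepted from any address
    if record.get("write-access") == "yes":
        findings.append("write-access")        # SNMP set allowed, reboot OID included
    if security == "private" and record.get("encryption-protocol") == "DES":
        findings.append("des-privacy")         # DES is a weak cipher
    return findings


def risk(findings):
    """High when SNMP set is reachable with a guessable or unprotected community."""
    guessable = "no-security" in findings or "default-name" in findings
    if "write-access" in findings and guessable:
        return "high"
    return "review" if findings else "ok"


def report(text):
    results = []
    for record in parse_communities(text):
        findings = audit(record)
        results.append((record["name"], findings, risk(findings)))
    return results


if __name__ == "__main__":
    for name, findings, level in report(SAMPLE):
        print(f"{name:8} {level:7} {', '.join(findings) or '-'}")
```

A community rated high here is one for which the snmpset reboot shown above would be accepted from any host that knows or guesses the community string.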
Manual:Tools/Graphing
Applies to RouterOS: v3, v4, v5 +

Summary
Graphing is a tool to monitor various RouterOS parameters over time and put collected data in nice graphs.
General
Sub-menu: /tool graphing
Common graphing configuration can be set in this submenu.

Properties
Property - Description
store-every (24hours | 5min | hour; Default: 5min) - How often to write collected data to system drive.
page-refresh (integer | never; Default: 300) - How often graph page is refreshed

Interface graphing
Sub-menu: /tool graphing interface
This sub-menu allows configuring the interfaces on which graphing will collect bandwidth usage data.
Note: If a simple queue has target-address set to 0.0.0.0/0, everyone will be able to access queue graphs even if allow address is set to a specific address. This happens because by default queue graphs are also accessible from the target address.

Resource graphing
Sub-menu: /tool graphing resource
This sub-menu allows enabling graphing of system resources.
Graphing graphics in WinBox
WinBox allows viewing the same collected information as in the web page. Open the Tools->Graphing window. Double click on the entry for which you want to see graphs.
Manual:Tools/Profiler
Applies to RouterOS: v5beta7 +

Summary
Command: /tool profile
Standards:
Profiler tool shows CPU usage for each process running in RouterOS. It helps to identify which process is using most of the CPU resources.

[admin@dzeltenais_burkaans] > /tool profile
NAME          USAGE
sstp          9%
ppp           0.5%
ethernet      0%
queue-mgmt    0%
console       0.5%
dns           0%
winbox        0%
logging       0%
management    1.5%
ospf          0%
idle          87.5%
profiling     0.5%
queuing       0%
routing       0%
bridging      0%
unclassified  0.
• all - value sets to show cpu usages separately for every available core

Example with both values on two core system:

[admin@x86-test] > /tool profile cpu=all
NAME        CPU  USAGE
ethernet    1    0%
kvm         0    0%
kvm         1    4.5%
management  0    0%
management  1    0.5%
idle        0    100%
idle        1    93%
profiling   0    0%
profiling   1    2%

[admin@x86-test] > /tool profile cpu=total
NAME        CPU  USAGE
ethernet    all  0%
console     all  0%
kvm         all  2.7%
management  all  0%
idle        all  97.
profiling
bridging
Classifiers
Profile classifies processes in several classifiers. Most of them are self-explanatory and do not require detailed explanation.
• idle - shows unused CPU. Typically idle=100%-(sum of all process cpu usages).
• queue-mgmt
• e-mail
• fetcher
• backup
• graphing
• health
• isdn
• dhcp
• hotspot
• radv - IPv6 route advertisement
• ntp - NTP server/client
• ldp
• mpls
• pim - Multicast routing protocol
• igmp-proxy
• bgp
• ospf
• rip
• mme
• synchronous - cpu usage by synchronous cards
• gps
• user-manager
• wireless
• dude
• supout.rif - cpu used by supout.rif file creator.
• management - RouterOS management processes that do not fall into any other classifier.
Manual:Tools/Packet Sniffer
Applies to RouterOS: v5.8+
Summary
Sub-menu: /tool sniffer
Packages required: system
Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router (except the traffic that passes only through the switch chip).
Packet Sniffer Configuration
Sub-menu: /tool sniffer
Property
file-limit (integer 10..
• pim - protocol independent multicast
• rspf - radio shortest path first
• rdp - reliable datagram protocol
• st - st datagram mode
• tcp - transmission control protocol
• udp - user datagram protocol
• vmtp - versatile message transport
• vrrp - virtual router redundancy protocol
• xns-idp - xerox xns idp
• xtp - xpress transfer protocol
Up to 16 comma separated entries used as a filter.
[admin@MikroTik] tool sniffer> stop
Running Packet Sniffer
Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save
These commands control runtime operation of the packet sniffer. The start command starts or resets sniffing, and stop stops it. To save the currently sniffed packets to a specific file, use the save command. It is also possible to use quick mode.
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) - The name/number of IP protocol
protocol (read-only: ip | arp | rarp | ipx | ipv6) - The name/number of ethernet protocol
size (read-only: integer) - Size of packet
src-address (read-only: IP address) - Source IP address
src-mac (read-only: MAC addr
Packet Sniffer Host
Sub-menu: /tool sniffer host
The submenu shows the list of hosts that participated in the data exchange you have sniffed.
[admin@SXT test] /tool sniffer host> print
 # ADDRESS       RATE        PEEK-RATE
 0 10.5.101.3    0bps/0bps   0bps/720bps
 1 10.5.101.10   0bps/0bps   175.0kbps/19.7kbps
 2 10.5.101.13   0bps/0bps   0bps/608bps
 3 10.5.101.14   0bps/0bps   0bps/976bps
 4 10.5.101.15   0bps/0bps   19.7kbps/175.0kbps
 5 224.0.0.2     0bps/0bps   608bps/0bps
 6 224.0.0.
Quick mode
Quick mode displays results as they are filtered out, using a limited-size buffer for packets. There are several attributes that can be set up for filtering. If no attributes are set, the current configuration will be used.
ether1 3.195 214 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox)
ether1 3.195 215 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox)
ether1 3.195 216 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771
ether1 3.217 217 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771
ether1 3.218 218 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox)
ether1 3.
References
[1] http://www.wireshark.org/
Manual:Troubleshooting tools
Troubleshooting tools
Before we look at the most significant commands for connectivity checking and troubleshooting, here is a little reminder on how to check the host computer's network interface parameters on . Microsoft Windows has a whole set of helpful command line tools that help with testing and configuring LAN/WAN interfaces. We will look only at commonly used Windows networking tools and commands.
netstat – print network connections, including port connections, routing tables, interface statistics, masquerade connections, and more. (netstat -r, netstat -a)
ip – show/manipulate routing, devices, policy routing and tunnels on a Linux machine.
For example, check the IP address on an interface using the ip command:
$ ip addr show
You can add a static route using the following ip command: ip route add {NETWORK address} via {next hop address} dev {DEVICE}, for example:
$ ip route add 192.
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.780/0.948/1.232/0.174 ms
Press Ctrl-C to stop ping process.
From MikroTik:
[admin@MikroTik] > ping 10.255.255.4
10.255.255.4 64 byte ping: ttl=62 time=2 ms
10.255.255.4 64 byte ping: ttl=62 time=8 ms
10.255.255.4 64 byte ping: ttl=62 time=1 ms
10.255.255.4 64 byte ping: ttl=62 time=10 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/5.
Resume: pmtu 1500 hops 4 back 61
From MikroTik:
[admin@MikroTik] > tool traceroute 10.255.255.1
   ADDRESS          STATUS
 1 10.0.1.17        2ms 1ms 1ms
 2 10.255.255.1     5ms 1ms 1ms
[admin@MikroTik] >
Log Files
The system event monitoring facility allows you to debug different problems using logs. A log file is a text file created on the server/router/host that captures different kinds of activity on the device. This file is the primary data analysis source.
icmp                 480bps     480bps
ospf                 0bps       192bps
[admin@MikroTik] tool>
In order to see what protocols are linked to a host connected to interface 10.0.0.144/32 ether1:
[admin@MikroTik] tool> torch ether1 src-address=10.0.0.144/32 protocol=any
PRO.. SRC-ADDRESS    TX         RX
tcp   10.0.0.144     1.01kbps   608bps
icmp  10.0.0.144     480bps     480bps
[admin@MikroTik] tool>
IPv6
Starting from v5RC6 torch is capable of showing IPv6 traffic. Two new parameters are introduced: src-address6 and dst-address6.
Winbox
A more attractive Torch interface is available from Winbox (Tool>Torch). In Winbox you can also trigger a Filter bar by hitting the F key on the keyboard.
Packet Sniffer (/tool sniffer)
Packet sniffer is a tool that can capture and analyze packets sent and received by a specific interface. Packet sniffer uses the libpcap format.
running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop
Here you can specify different packet sniffer parameters, like the maximum amount of used memory and the file size limit in KBs.
Running Packet Sniffer Tool
There are three commands that are used to control runtime operation of the packet sniffer: /tool sniffer start, /tool sniffer stop, /tool sniffer save. The start command is used to start/reset sniffing, stop - stops sniffing.
Detailed commands description can be found in the manual >>
Bandwidth test
The Bandwidth Tester can be used to measure the throughput (Mbps) to another MikroTik router (over either a wired or a wireless network) and thereby help to discover network "bottlenecks", the network points with the lowest throughput.
Note: If you use the UDP protocol, Bandwidth Test counts IP header + UDP header + UDP data. If you use TCP, Bandwidth Test counts only TCP data (TCP header and IP header are not included).
Profiler
Profiler is a tool that shows CPU usage for each process running on RouterOS. It helps to identify which process is using most of the CPU resources.
Manual:Grounding
Introduction
The installation infrastructure (towers and masts), as well as antennas and the router itself, must be properly grounded, and lightning arrestors must be installed on all external antenna cables (near the antennas or on the antennas themselves) to prevent equipment damage and human injury. Note that lightning arrestors will not have any effect if not grounded. Use 1 AWG (7mm in diameter) wire with corrosion-resistant connectors for grounding.
ESD Protection on RouterBOARD devices
1. Three arrows mark the grounding inside the ethernet port; the shielded cable connects its shield to these two grounding pins via the metallic ethernet connector.
2. The middle arrow points to the metal plate inside the port, which connects the grounding pins to the board. The board needs to be grounded at the mounting hole (put the grounding wire on the screw when you mount the board inside a case).
Illustrations of the above methods
Method #1 (shielded cable + grounding of the device):
Method #2 (only shielded cable):
Note! Even if you don't ground the outdoor wireless device, and only use a shielded cable, you should still ground the device it's connected to (indoors), i.e. the switch, RouterBOARD or PC.
Manual:Wireless card diagnostics
R52, R52Hn and R52H Power Amplifier damage
If the cards become too hot to touch when inserted in a RouterBOARD but disabled, the PA might be damaged. This could be caused by the user or by a manufacturing problem.
Testing area close-up:
R52Hn card chain 0:
R52Hn chain 1:
R52n antenna circuit damage test
These images show how to test for antenna circuit damage. If the resistance between the shown points is lower than infinity (shown as OL on the multimeter), the card has been damaged by lightning, and the damage will not be repaired under warranty (don't send to RMA).
Close-up of testing area:
DC shorted antennas
Also make sure that your antenna is DC shorted:
DC shorted antenna. This antenna doesn't need a Coax lightning arrestor:
NOT DC shorted antenna. This antenna needs a Coax lightning arrestor to avoid sudden wireless card damage.
Manual:RouterBOARD bad blocks
Every once in a while, one can notice a number of bad blocks appearing in the RouterBOARD resource page. A bad block indicates a problem writing to one part of the NAND storage device, but it doesn't affect the performance of your router, and it doesn't give any indication of quality.
Important! As you can see in the screenshot above, RouterOS shows you writes per NAND TOTAL, not writes per sector. This is different from the given 100'000 write guarantee per sector.
Manual:Password reset
The RouterOS password can only be reset by reinstalling the router, or by using the reset button (or jumper hole) if the hardware is a RouterBOARD. For X86 devices, only a complete reinstall will clear the password, along with other configuration.
Jumper hole reset
All current RouterBOARD models are also fitted with a reset jumper hole. Some devices might need the enclosure opened; RB750/RB951/RB751 have the jumper hole under one of the rubber feet of the enclosure.
Using: Close the jumper with a metal screwdriver, and boot the board until the configuration is cleared.
Jumper reset for older models
The image below shows the location of the Reset Jumper on older RouterBOARDs like RB133C:
Note: Don't forget to remove the jumper after configuration has been reset, or it will be reset every time you reboot.
Manual:Flashfig
Applies to RouterOS: v4
Description
Flashfig is an application for mass router configuration. It can be used by MikroTik distributors, ISPs or any other companies who need to apply RouterOS configuration to many routers in the shortest possible time. Flashfig applies MikroTik RouterOS configuration to any RouterBOARD within 3 seconds. You can "flashfig" a batch of routers; the only thing you need to do is connect the RouterBOARD to the network and power it.
Flashfig Example
This is a step-by-step example of how to use Flashfig to apply a typical MikroTik RouterOS configuration to a RouterBOARD.
Introduction
Flashfig is available from Netinstall,
Requirements
The Windows computer must be equipped with the following ports and contain the following files:
• Ethernet port;
• The .
Pre-Configuration
Windows Computer
• Run Flashfig;
• Prepare the .rsc file. The .rsc file is a regular import file; it accepts valid MikroTik RouterOS CLI commands. You can create an .rsc file with any text-editor program (Notepad, Texteditor, TextEdit, Microsoft Word, OpenOffice Writer);
• Assign Boot Client Address, which should be an address from the same subnet as configured on the laptop Ethernet interface,
• Browse for .
• Activate Flashfig server, now it is ready to Flashfig.
RouterBOARD
• Flashfig mode is enabled on every RouterBOARD from the factory by default, which means no configuration is required on the RouterBOARD.
• If Flashfig is not enabled on your router, access the RouterBOARD with Winbox/Console and set the configuration,
/system routerboard settings set boot-device=flash-boot
or use the preferable option,
/system routerboard settings set boot-device=flash-boot-once-then-nand
Your router is now ready for Flashfig.
References
[1] http://www.mikrotik.com/download/netinstall-4.5b.zip
[2] http://www.routerboard.com
[3] http://www.mikrotik.com/download.html
Manual:Bootloader upgrade
This page shows how to upgrade the Bootloader firmware of a RouterBOARD device.
Simple Upgrade
• Run command /system routerboard upgrade
• Reboot your router to apply the upgrade (/system reboot)
Note! If you need to install a different version than included in your "routerboard.
Manual:System/Certificates
Applies to RouterOS: v6.0 +
Summary
Sub-menu: /certificate
Package required: security
Standards: RFC 5280, draft-nourse-scep-22
Certificate manager is used to collect all certificates inside the router, to manage and create self-signed certificates, and to control and set SCEP-related configuration.
Note: Starting from v6, certificate validity is shown using the local time zone offset. In previous versions it was UTC.
Note: If a CA certificate is removed, all issued certificates in the chain are also removed.
Properties
Property Description
common-name (string; Default: )
country (string; Default: )
days-valid (integer [0..
serial-number (string)
smart-card-key (string)
status ()
Commands
Command Description
add () - Adds new certificate template.
add-scep (name on-smart-card scep-url template) - Add scep client.
SCEP uses the HTTP protocol and base64-encoded GET requests. Most requests are sent without authentication or encryption; however, important ones can be protected if necessary (encrypted or signed using the received public key).
Status Properties
Property Description
ca-fingerprint (string)
req-fingerprint (string)
status (string) - Shows the current status of the client. Idle, pending, requesting etc.
Commands
Command Description
renew (ca_client_name) - Renew CA certificate of the specified CA client name.
Manual:Create Certificates
Warning: RSA key length must be at least 472 bits if the certificate is used by SSTP. Shorter keys are considered security threats.
Again, during the process you will have to fill in some entries. When filling in the CN, remember that it must not be the same on the CA and server certificates; otherwise a naming collision will occur later.
 0 KR name="cert1" subject=C=LV,ST=RI,L=Riga,O=MT,CN=server,emailAddress=xxx@mt.lv
      issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xxx@mt.lv
      serial-number="01" email=xxx@mt.lv invalid-before=jun/25/2008 07:24:33
      invalid-after=jun/23/2018 07:24:33 ca=yes
Note: If you want to use server certificates for OVPN or SSTP and use client certificate verification, then the CA certificate must be imported, too.
Manual:Tools/Traffic Generator
Property Description
latency-distribution-samples (integer)
latency-distribution-measure-interval (time)
running (yes | no) - Shows whether the traffic generator tool is started.
Commands
Property Description
quick () - Quickly starts the packet generator and prints the stats output to the terminal. The command also accepts several parameters that override settings in the packet template and stream settings.
Property Description
comment (string; Default: ) - Short description of the packet you are building.
data (incrementing | random | specific-byte | uninitialized; Default: uninitialized) - Specifies how packet payload will be filled:
data-byte (hex [0..FF]; Default: 0) - Byte that will be used to fill packet payload.
interface (string; Default: ) - Optional parameter of packet template. This is mutually exclusive with "port" setting.
vlan-id (; Default: )
vlan-priority (; Default: )
vlan-protocol (; Default: )
header-stack (list of ip | mac | raw | udp | vlan (max 16 times); Default: ip) - Sequence of headers that a generated packet should have. Currently supports:
• mac - Ethernet header (14 bytes)
• vlan - Ethernet VLAN tag (4 bytes)
• ip - IPv4 header (20 bytes)
• udp - UDP header (8 bytes)
• raw - arbitrary bytes specified as hex string
Most header types can be present in header multiple times.
[admin@test-host] /tool traffic-generator stats latency-distribution> print
 # LATENCY        COUNT  SHARE   GRAPH
 0 0-15.5us       0      0%
 1 15.5us-31us    0      0%
 2 31us-46.5us    0      0%
 3 46.5us-62.1us  0      0%
 4 62.1us-77.6us  0      0%
 5 77.6us-93.1us  0      0%
 6 93.1us-109us   0      0%
 7 109us-124us    0      0%
 8 124us-140us    0      0%
 9 140us-155us    0      0%
10 155us-171us    0      0%
11 171us-186us    4      0%      *
12 186us-202us    29     0%      *
13 202us-217us    90     0.001%  *
14 217us-233us    302    0.
45 698us-714us 38 985 0.591% --------------------------------------------------*
46 714us-729us 39 061 0.592% --------------------------------------------------*
47 729us-745us 39 750 0.603% ---------------------------------------------------*
48 745us-760us 39 145 0.594% --------------------------------------------------*
49 760us-776us 39 162 0.594% --------------------------------------------------*
50 776us-791us 38 197 0.
Manual:Tools/Traffic Generator 62 21 TOT 63 TOT 64 TOT 65 TOT TOT 131 87 092 1010.2... 73 287 850.1Mbps 13 805 160.1Mbps 3 913 942 504.8Mbps 629 210 347.5Mbps 284 732 157.2Mbps 4 913 939 504.8Mbps 898 374 496.2Mbps 1 827 881 1009.6... 1 527 584 843.8Mbps 15 565 8.5Mbps 300 297 165.8Mbps [admin@test-host] /tool traffic-generator stats stre Port Stats Sub-menu /tool traffic-generator stats port This sub-menu stores statistics sorted by rx/tx ports.
Streams
Properties
Property Description
disabled (yes | no; Default: no) - Whether the stream is disabled
mbps (integer [0..4294967295]; Default: 0) - Value in megabits per second that the stream will try to generate.
name (string; Default: ) - Descriptive name of the stream.
num (integer [0..15]; Default: 0)
packet-size (integer[1..65535] [-integer[1..65535]]; Default: 0) - Generated size of the packets in bytes. Can be set as a range for random packet size generation.
R1 routing and ipsec setup
/ip address
add address=192.168.33.1/30 interface=ether1
add address=1.1.1.2/24 interface=ether2
/ip route
add dst-address=2.2.2.0/24 gateway=192.168.33.2
/ip ipsec proposal
set default enc-algorithms=aes-128
/ip ipsec peer
add address=192.168.33.2 secret=123
/ip ipsec policy
add sa-src-address=192.168.33.1 sa-dst-address=192.168.33.2 \
    src-address=1.1.1.0/24 dst-address=2.2.2.0/24 tunnel=yes
R2 routing and ipsec setup
/ip address
add address=192.
/tool traffic-generator packet-template
add header-stack=mac,ip,udp ip-dst=2.2.2.1/32 ip-gateway=1.1.1.2 ip-src=1.1.1.1/32 \
    name=routing-1 port=port0
add header-stack=mac,ip,udp ip-dst=1.1.1.1/25 ip-gateway=2.2.2.2 ip-src=2.2.2.1/32 \
    name=routing-2 port=port1
Notice that MAC addresses were not specified, since the template generator can determine the next-hop MAC address automatically by sending ARP messages.
39 4   38 815 450.2Mbps 38 642 448.2Mbps 15 110   173  2.0Mbps
39 TOT 77 631 900.5Mbps 76 535 887.8Mbps 22 417 1 096 12.7Mbps
40 3   39 779 461.4Mbps 37 415 434.0Mbps  7 136 2 364 27.4Mbps
40 4   39 780 461.4Mbps 39 567 458.9Mbps 15 908   213  2.4Mbps
40 TOT 79 559 922.8Mbps 76 982 892.9Mbps 23 044 2 577 29.8Mbps
41 3   39 218 454.9Mbps 37 089 430.2Mbps  7 075 2 129 24.6Mbps
41 4   39 218 454.9Mbps 38 663 448.4Mbps 15 752   555 6.
Manual:Tools/Bandwidth Test
Warning: Bandwidth Test uses all available bandwidth (by default) and may impact network usability.
Note: Bandwidth Test uses a lot of resources. If you want to test the real throughput of a router, you should run the bandwidth test through the tested router, not from or to it. To do this you need at least 3 routers connected in a chain: the Bandwidth Server, the router being tested and the Bandwidth Client.
max-sessions: 100
[admin@MikroTik] /tool bandwidth-server>
Bandwidth Test Client
Command name: /tool bandwidth-test
Property Description
address (IP address | IPv6 prefix[%interface]; Default:) - IP address of host
direction (both | receive | transmit; Default: receive) - Direction of data flow
duration (time; Default: ) - Duration of the test
interval (time: 20ms..5s; Default: 1s) - Delay between reports (in seconds)
local-tx-speed (integer 0..
           lost-packets: 373
            random-data: no
              direction: both
                tx-size: 1000
                rx-size: 1000
[admin@MikroTik] /tool>
Link-local IPv6 example:
[admin@dzeltenais_burkaans] > /tool bandwidth-test fe80::34:23ff:fe6a:570c%local
                 status: running
               duration: 5s
             rx-current: 23.9Mbps
   rx-10-second-average: 15.1Mbps
       rx-total-average: 15.
           lost-packets:
            random-data:
              direction:
                rx-size:
Manual:System/Note
Properties
Property Description
note (string; Default: ) - Note that will be displayed.
Manual:System/Note 140 ( ) ) ( ( ) ( ) ) ) ( ( /\ (_) / \ /\ ________[_]________ /\/ \/ \ /\ /\ ______ \ / /\/\ /\/\ / \ //_\ \ /\ \ /\/\/ \/ \ /\ / /\/\ //___\ \__/ \ \/ / \ /\/ \//_____\ \ |[]| \ /\/\/\/ //_______\ \|__| \ / \ /XXXXXXXXXX\ \ \ /_I_II I__I_\__________________\ I_I| I__I_____[]_|_[]_____I I_II I__I_____[]_|_[]_____I I II__I I XXXXXXX I ~~~~~" "~~~~~~~~~~~~~~~~~~~~~~~~ [admin@RB493G] > [ Top | Back to Content ] Manual:System/File Applies to RouterOS: v3, v4 + Summary Sub-menu leve
 1 name="sample.txt" type=".txt file" size=5 creation-time=oct/11/2010 12:15:38
   contents=Hello
[admin@dzeltenais_burkaans] /file>
Package example:
[admin@493G] /file> print detail
 0 name="multicast-5.0rc2-mipsbe.npk" type="package" size=245643
   creation-time=jan/05/1970 21:44:25 package-name="multicast" package-version="5.
Manual:System/Resource
Applies to RouterOS: v3, v4 +
General
Sub-menu level: /system resource
The general resource menu shows overall resource usage and router statistics like uptime, memory usage, disk usage, version etc. It also has several sub-menus for more detailed hardware statistics like PCI, IRQ and USB.
free-memory (string) - Unused amount of RAM
platform (string) - Platform name, usually it is "MikroTik"
total-hdd-space (string) - Size of the hard drive or NAND
total-memory (string) - Amount of installed RAM
uptime (time) - Time interval passed since boot-up.
version (string) - Installed RouterOS version number.
write-sect-since-reboot (integer) - Number of sector writes in HDD or NAND since the router was last rebooted.
Properties
Property Description
cpu (auto | integer; Default: ) - Specifies which CPU is assigned to the IRQ.
• auto - pick CPU based on number of interrupts. Uses NAPI [1] to optimize interrupts.
Read-only properties
Property Description
active-cpu (integer) - Shows active CPU in multicore systems.
count (integer) - Number of interrupts. On ethernet interfaces interrupt=packet.
vendor-id (hex) - Hexadecimal vendor ID
PCI
Sub-menu level: /system resource pci
PCI submenu shows the information about all PCI devices on the board
[admin@RB1100test] /system resource pci> print
 # DEVICE  VENDOR                       NAME
 0 06:00.0 Attansic Technology Corp.    unknown
 1 05:00.0 Freescale Semiconductor Inc  MPC8544
 2 04:00.0 Attansic Technology Corp.    unknown
 3 03:00.0 Freescale Semiconductor Inc  MPC8544
 4 02:00.0 Attansic Technology Corp.    unknown
 5 01:00.
Manual:System/Health
Summary
Hardware that supports monitoring will display different information about hardware status, like temperature and voltage.
Warning: For feature availability on RouterBOARD products check routerboard.com [1]
Voltage
Routers that support voltage monitoring will display the supplied voltage value. In CLI/Winbox it will display volts.
Manual:Store
Applies to RouterOS: v3, v4+
Store manages storage devices used by various RouterOS facilities. Currently Store can be used for:
• Webproxy
• User Manager
• the Dude
This is especially useful for RouterBOARD devices with SD/CF slots - as the built-in storage is quite small, an external drive comes in very handy when you want a big User Manager database.
This will add a new storage place for Webproxy on disk1, and will set it as inactive. Activate the new store instance to save the proxy cache on the secondary disk (other proxy settings are configured separately from the /ip proxy menu),
[normis@demo.mt.lv] > store activate webproxy-backup
E.g.
Property Description
free-space (integer [KiB]) - Shows the free space left on the disk.
name (string) - Name of the disk
status (string) - Shows the current status of the disk, can be ready, formatting etc.
system (yes | no) - Shows whether disk is used as system drive
total-space (integer [KiB]) - Shows total available disk space
Menu specific commands
Property Description
check-drive () - Check the drive for errors.
Manual:System/Watchdog
Property Description
watch-address (IP; Default: none) - The system will reboot if 6 sequential pings to the given IP address (sent once per 10 seconds) fail. If set to none, this feature is disabled.
watchdog-timer (yes | no; Default: yes) - Whether to reboot if the system is unresponsive for a minute
no-ping-delay (time; Default: 5m) - Specifies how long after reboot not to test and ping watch-address.
Manual:System/Scheduler
Applies to RouterOS: 2.9, v3, v4
Summary
The scheduler can trigger script execution at a particular moment in time, after a specified time interval, or both.
 # NAME     ON-EVENT  START-DATE   START-TIME  INTERVAL  RUN-COUNT
 0 run-1h   log-test  mar/30/2004  06:11:35    1h        0
[admin@MikroTik] system scheduler>
In another example there will be two scripts added that will change the bandwidth setting of a queue rule "Cust0". Every day at 9AM the queue will be set to 64Kb/s and at 5PM the queue will be set to 128Kb/s. The queue rule, the scripts, and the scheduler tasks are below:
[admin@MikroTik] queue simple> add name=Cust0 interface=ether1 \
\...
[admin@MikroTik] system scheduler> add interval=7d name="email-backup" \
\... on-event=e-backup
[admin@MikroTik] system scheduler> print
Flags: X - disabled
 # NAME       ON-EVENT  START-DATE   START-TIME  INTERVAL  RUN-COUNT
 0 email-...  e-backup  oct/30/2008  15:19:28    7d        1
[admin@MikroTik] system scheduler>
Do not forget to set the e-mail settings, i.e., the SMTP server and From: address under /tool e-mail. For example:
[admin@MikroTik] tool e-mail> set server=159.148.147.198 from=SysAdmin@host.
Manual:System/Time
Applies to RouterOS: v3, v4
Clock and Time zone configuration
RouterOS uses data from the tz database [1]. Most of the time zones from this database are included, and have the same names. Because local time on the router is used mostly for timestamping and time-dependent configuration, and not for historical date calculations, time zone information about past years is not included. Currently only information starting from 2005 is included.
SNTP client
SNTP client is included in the system package. RouterOS implements the SNTP protocol defined in RFC4330. Manycast mode is not supported. An NTP server and an NTP client are included in the separate ntp package, which is not installed by default.
Client configuration is located in the /system ntp client console path, and the "System > NTP Client" WinBox window.
• kod-ABCD - Received "KoD" (Kiss-o'-Death) response. ABCD is the short "kiss code" text from the Reference Identifier field.
• broadcast - Received broadcast message, but mode=unicast.
• non-broadcast - Received packet was a server reply, but mode=broadcast.
• server-ip-mismatch - Received response from an address that is not active-server.
• originate-timestamp-mismatch - Originate Timestamp field in the server response message is not the same as the one included in the last request.
References
[1] http://www.twinsun.com/tz/tz-link.htm
Manual:API
Summary
The Application Programmable Interface (API) allows users to create custom software solutions that communicate with RouterOS to gather information, adjust configuration and manage the router. The API closely follows the syntax of the command line interface (CLI). It can be used to create translated or custom configuration tools that make it easier to run and manage routers with RouterOS.
To use API RouterOS version 3.
Command word
The first word in a sentence has to be the command, followed by attribute words and a zero-length word, or terminating word. The name of a command word should begin with '/'. Names of commands closely follow the CLI, with spaces replaced with '/'.
=disable-running-check=yes
Warning: Order of attribute words and API parameters is not important and should not be relied on
API attribute word
API attribute word structure is in strict order:
• encoded length
• content prefix with dot .
• attribute name
• name postfixed with equals = sign
• attribute value
Currently the only such API attribute is tag.
API sentences
API sentence is the main object of communication using the API.
• Empty sentences are ignored.
• Sentence is processed after receiving a zero-length word.
• There is a limit on the number and size of sentences a client can send before it has logged in.
• Order of attribute words should not be relied on, as order and count are changeable by the .proplist attribute.
Tags
• It is possible to run several commands simultaneously, without waiting for the previous one to complete. If an API client does this and needs to differentiate command responses, it can use the 'tag' API parameter in command sentences.
• If you include a 'tag' parameter with a non-empty value in a command sentence, then a 'tag' parameter with exactly the same value will be included in all responses generated by this command.
Queries
print command accepts query words that limit the set of returned sentences. This feature is available since RouterOS 3.21.
• Query words begin with '?'.
• Order of query words is significant. Query is evaluated starting from the first word.
• Query is evaluated for each item in the list. If query succeeds, item is processed, if query fails, item is ignored.
• Query is evaluated using a stack of boolean values. Initially stack contains infinite amount of 'true' values.
OID
print command can return OID values for properties that are available in SNMP. This feature appeared in 3.23 version. In console, OID values can be seen by running 'print oid' command. In API, these properties have a name that ends with ".oid", and can be retrieved by adding their name to the value of '.proplist'. An example:
/system/resource/print
=.proplist=uptime,cpu-load,uptime.oid,cpu-load.oid

!re
=uptime=01:22:53
=cpu-load=0
=uptime.oid=.1.3.6.1.2.1.1.3.0
=cpu-load.oid=.1.3.6.1.2.1.
Command examples
/system/package/getall

/system/package/getall

!re
=.id=*5802
=disabled=no
=name=routeros-x86
=version=3.0beta2
=build-time=oct/18/2006 16:24:41
=scheduled=

!re
=.id=*5805
=disabled=no
=name=system
=version=3.0beta2
=build-time=oct/18/2006 17:20:46
=scheduled=

... more !re sentences ...

!re
=.id=*5902
=disabled=no
=name=advanced-tools
=version=3.
/user/active/listen

!re
=.id=*68
=radius=no
=when=oct/24/2006 08:40:42
=name=admin
=address=0.0.0.0
=via=console

!re
=.id=*68
=.dead=yes

... more !re sentences ...

/cancel, simultaneous commands

/login

!done
=ret=856780b7411eefd3abadee2058c149a3

/login
=name=admin
=response=005062f7a5ef124d34675bf3e81f56c556

!done

-- first start listening for interface changes (tag is 2)
/interface/listen
.tag=2

-- disable interface (tag is 3)
/interface/set
=disabled=yes
=.id=ether1
.
=.id=ether1
.tag=4

-- this update is generated by change made by first set command (tag 3)
!re
=.id=*1
=disabled=yes
=dynamic=no
=running=no
=name=ether1
=mtu=1500
=type=ether
.tag=2

-- this is done for enable command (tag 4)
!done
.tag=4

-- get interface list (tag is 5)
/interface/getall
.tag=5

-- this update is generated by change made by second set command (tag 4)
!re
=.id=*1
=disabled=no
=dynamic=no
=running=yes
=name=ether1
=mtu=1500
=type=ether
.
!re
=.id=*2
=disabled=no
=dynamic=no
=running=yes
=name=ether2
=mtu=1500
=type=ether
.tag=5

-- here interface getall ends (tag 5)
!done
.tag=5

-- stop listening - request to cancel command with tag 2, cancel itself uses tag 7
/cancel
=tag=2
.tag=7

-- listen command is interrupted (tag 2)
!trap
=category=2
=message=interrupted
.tag=2

-- cancel command is finished (tag 7)
!done
.tag=7

-- listen command is finished (tag 2)
!done
.
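The tagged exchange above, replayed through a small reply router keyed on .tag, as an added Python 3 example (not code from the MikroTik manual). The class and function names are hypothetical, and the reply list is a constructed, condensed version of the transcript with one extra reply carrying a tag the client never issued.

```python
# Added example: keep replies of simultaneous commands apart by their .tag
# and set aside any reply whose tag does not belong to a command in flight.
from collections import defaultdict

def parse_reply(words):
    """Split a reply sentence into (reply word, attributes, tag or None)."""
    attrs, tag = {}, None
    for w in words[1:]:
        if w.startswith(".tag="):
            tag = w[5:]
        elif w.startswith("="):
            name, _, value = w[1:].partition("=")
            attrs[name] = value
    return words[0], attrs, tag

class TagDemux:
    def __init__(self):
        self.pending = {}                  # tag -> command still running
        self.replies = defaultdict(list)   # tag -> [(reply word, attrs), ...]
        self.unexpected = []               # sentences with a tag we never sent

    def sent(self, tag, command):
        if tag in self.pending:
            raise ValueError("tag %r is already in flight" % tag)
        self.pending[tag] = command

    def received(self, words):
        """Record one reply; return the command name when it completes."""
        reply, attrs, tag = parse_reply(words)
        if tag not in self.pending:
            self.unexpected.append(words)
            return None
        self.replies[tag].append((reply, attrs))
        return self.pending.pop(tag) if reply == "!done" else None

# Constructed sample, condensed from the tagged exchange shown on this page.
SENT = [("2", "/interface/listen"), ("4", "/interface/set"),
        ("5", "/interface/getall"), ("7", "/cancel")]
REPLIES = [
    ["!re", "=.id=*1", "=disabled=yes", "=name=ether1", ".tag=2"],
    ["!done", ".tag=4"],
    ["!re", "=.id=*2", "=disabled=no", "=name=ether2", ".tag=5"],
    ["!done", ".tag=5"],
    ["!trap", "=category=2", "=message=interrupted", ".tag=2"],
    ["!done", ".tag=7"],
    ["!done", ".tag=2"],
    ["!done", ".tag=9"],   # constructed: a tag this client never issued
]

def replay():
    demux = TagDemux()
    for tag, command in SENT:
        demux.sent(tag, command)
    finished = [demux.received(words) for words in REPLIES]
    return demux, [c for c in finished if c]
```

A tag is released only on !done, so the !trap for the cancelled listen command stays attached to tag 2 until its final !done arrives.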
class ApiRos:
    "Routeros api"
    def __init__(self, sk):
        self.sk = sk
        self.currenttag = 0

    def login(self, username, pwd):
        for repl, attrs in self.talk(["/login"]):
            chal = binascii.unhexlify(attrs['=ret'])
        md = md5.new()
        md.update('\x00')
        md.update(pwd)
        md.update(chal)
        self.talk(["/login", "=name=" + username,
                   "=response=00" + binascii.hexlify(md.digest())])

    def talk(self, words):
        if self.writeSentence(words) == 0: return
        r = []
        while 1:
            i = self.
            r.append(w)

    def writeWord(self, w):
        print "<<< " + w
        self.writeLen(len(w))
        self.writeStr(w)

    def readWord(self):
        ret = self.readStr(self.readLen())
        print ">>> " + ret
        return ret

    def writeLen(self, l):
        if l < 0x80:
            self.writeStr(chr(l))
        elif l < 0x4000:
            l |= 0x8000
            self.writeStr(chr((l >> 8) & 0xFF))
            self.writeStr(chr(l & 0xFF))
        elif l < 0x200000:
            l |= 0xC00000
            self.writeStr(chr((l >> 16) & 0xFF))
            self.writeStr(chr((l >> 8) & 0xFF))
            self.
            c <<= 8
            c += ord(self.readStr(1))
            c <<= 8
            c += ord(self.readStr(1))
        elif (c & 0xF0) == 0xE0:
            c &= ~0xF0
            c <<= 8
            c += ord(self.readStr(1))
            c <<= 8
            c += ord(self.readStr(1))
            c <<= 8
            c += ord(self.readStr(1))
        elif (c & 0xF8) == 0xF0:
            c = ord(self.readStr(1))
            c <<= 8
            c += ord(self.readStr(1))
            c <<= 8
            c += ord(self.readStr(1))
            c <<= 8
            c += ord(self.readStr(1))
        return c

    def writeStr(self, str):
        n = 0;
        while n < len(str):
            r = self.sk.
        if s in r[0]:
            # something to read in socket, read sentence
            x = apiros.readSentence()

        if sys.stdin in r[0]:
            # read line from input and strip off newline
            l = sys.stdin.readline()
            l = l[:-1]

            # if empty line, send sentence and start with new
            # otherwise append to input sentence
            if l == '':
                apiros.writeSentence(inputsentence)
                inputsentence = []
            else:
                inputsentence.append(l)

if __name__ == '__main__':
    main()

Example run:

debian@localhost:~/api-test$ ./api.py 10.0.0.
References
[1] http://forum.mikrotik.com/viewtopic.php?f=2&t=72298

Manual:IP/Proxy
Applies to RouterOS: v3, v4

Summary
Sub-menu: /ip proxy
Standards: RFC 1945, RFC 2616

MikroTik RouterOS performs proxying of HTTP and HTTP-proxy (for FTP, HTTP and HTTPS protocols) requests. Proxy server performs Internet object cache function by storing requested Internet objects, i.e.
A Web proxy (cache) watches requests coming from the client, saving copies of the responses for itself. Then, if there is another request for the same URL, it can use the response that it has, instead of asking the origin server for it again. If the proxy does not have the requested file, it downloads it from the origin server.

A proxy server can serve many potential purposes:
• To increase access speed to resources (it takes less time for the client to get the object).
Proxy configuration example
In MikroTik RouterOS proxy configuration is performed in /ip proxy menu. See below how to enable the proxy on port 8080 and set up 195.10.10.1 as proxy source address:

[admin@MikroTik] ip proxy> set enabled=yes port=8080 src-address=195.10.10.1
[admin@MikroTik] ip proxy> print
    enabled: yes
    src-address: 195.10.10.1
    port: 8080
    parent-proxy: 0.0.0.0:0
    cache-drive: system
    cache-administrator: "admin@mikrotik.
 0   chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8000
[admin@MikroTik] ip firewall nat>

The web proxy can be used as a transparent and a normal web proxy at the same time. In transparent mode it is possible to use it as a standard web proxy, too. However, in this case, proxy users may have trouble reaching web pages which are accessed transparently.
Reference
List of all available parameters and commands per menu.

General
Sub-menu: /ip proxy

Property - Description
always-from-cache (yes | no; Default: no)
cache-administrator (string; Default: webmaster) - Administrator's e-mail displayed on proxy error page
cache-hit-dscp (integer: 0..63; Default: 4)
cache-on-disk (yes | no; Default: no)
max-cache-size (none | unlimited | integer: 0..
Property - Description
action (allow | deny; Default: allow) - Specifies whether to pass or deny matched packets
dst-address (Ip4[-Ip4 | /0..32] | Ip6/0..128; Default: ) - Destination address of the target server.
dst-host (string; Default: ) - IP address or DNS name used to make connection to the target server (this is the string user wrote in browser before specifying port and path to a particular web page)
dst-port (integer[-integer[,integer[,...]]]: 0..
Direct Access
Sub-menu: /ip proxy direct

If parent-proxy property is specified, it is possible to tell proxy server whether to try to pass the request to the parent proxy or to resolve it connecting to the requested server directly. Direct Access List is managed just like Proxy Access List described in the previous chapter except the action argument. Unlike the access list, the direct proxy access list has default action equal to deny.
Property - Description
action (allow | deny; Default: allow) - Specifies the action to perform on matched packets:
• allow - cache objects from matched request
• deny - do not cache objects from matched request
dst-address (Ip4[-Ip4 | /0..32] | Ip6/0..
state (closing | connecting | converting | hotspot | idle | resolving | rx-header | tx-body | tx-eof | tx-header | waiting) - Connection state:
• closing - the data transfer is finished, and the connection is being finalized
• connecting - establishing the connection
• converting - replacing header and footer fields in response or request packet
• hotspot - check if hotspot authentication allows to continue (for hotspot proxy)
• idle - staying idle
• resolv
tx-bytes (integer)
Cache Contents
Sub-menu: /ip proxy cache-contents

This menu shows cached contents. Read only properties:

Property - Description
file-size (integer) - Cached object size
last-accessed (time)
last-accessed-time (time)
last-modified (time)
last-modified-time (time)
uri (string)

HTTP Methods
Options
This method is a request of information about the communication options available on the chain between the client and the server identified by the Request-URI.
POST
This method requests that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI. The actual action performed by the POST method is determined by the origin server and usually is Request-URI dependent. Responses to POST method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields.

PUT
This method requests that the enclosed entity be stored under the supplied Request-URI.
Manual:Tools/Fetch
Applies to RouterOS: v3, v4 +

Summary
Sub-menu: /tool fetch
Standards:

Fetch is one of the console tools in Mikrotik RouterOS. It is used to copy files from any network device to a Mikrotik router via HTTP or FTP. In latest v5 versions it is possible also to upload files to remote locations. Fetch now supports HTTPS protocol.
Examples
The following example shows how to copy the file with filename "conf.rsc" from device with ip address 192.168.88.2 by FTP protocol and save it as file with filename "123.rsc". User and password are needed to login into the device.

[admin@mt-test] /tool> fetch address=192.168.88.2 src-path=conf.rsc \
user=admin mode=ftp password=123 dst-path=123.rsc port=21 \
host="" keep-result=yes

Example to upload file to other router:

[admin@mt-test] /tool> fetch address=192.168.88.
Article Sources and Contributors
Manual:Port Source: http://wiki.mikrotik.com/index.php?oldid=25747 Contributors: Becs, Marisb
Manual:Console Source: http://wiki.mikrotik.com/index.php?oldid=22857 Contributors: Eep, Janisk, Marisb, Normis
Manual:Console login process Source: http://wiki.mikrotik.com/index.php?oldid=21955 Contributors: Eep, Janisk, Marisb, Normis
Manual:Special Login Source: http://wiki.mikrotik.com/index.