Simple Mikrotik DNS cache flush script

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at $0.01 or more
Already a qualifying Patreon member? Refresh to access this content.

Mikrotik 6.45.9 Noteables

What’s new in 6.45.9 (2020-Apr-30 10:25):
https://www.mikrotik.com/download

*) chr – added support for file system quiescing;
*) chr – enabled support for VMBus protocol version 4.1;
*) chr – improved system stability when running CHR on Hyper-V;
*) crs3xx – fixed frame forwarding after disabling/enabling bridge hardware offloading for CRS354-48G-4S+2Q+ device;
*) crs3xx – fixed interface statistics for CRS354-48G-4S+2Q+ and CRS354-48P-4S+2Q+ devices;
*) crs3xx – fixed switch rule “dst-port” parameter for IPv6 traffic on CRS305-1G-4S+, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, netPower 15FR devices;
*) crs3xx – improved SFP+ DAC cable initialization for CRS326-24S+2Q+ device;
*) defconf – added welcome note with common first steps for new users;
*) discovery – do not send CDP and LLDP packets on interfaces that does not have MAC address;
*) ipsec – improved system stability when handling fragmented packets;
*) lte – added “phy-cellid” value support for LTE-US;
*) lte – fixed IP type selection from APN on RBSXTLTE3-7;
*) lte – improved system stability when performing firmware update on R11e-LTE6;
*) ssh – added support for RSA keys with SHA256 hash (RFC8332);
*) system – correctly handle Generic Receive Offloading (GRO) for MPLS traffic;
*) system – improved system stability when forwarding traffic from switch chip to CPU (introduced in v6.43);
*) system – improved system stability when receiving/sending TCP traffic on multicore devices;

Some Mikrotik SXT photos and first thoughts.

I have been wanting to do some photos and thoughts on the Mikrotik SXTR-LTEs and other Mikrotik LTE products. I recently fired one up using dual sims. One is from Tmobile and one is from At&T.  Verizon is pretty nonexistent in my area. I am about 2.5 miles away from a Tmobile tower and about a mile from a fiber-fed AT&T monopole.

As you notice in the following photo I am pretty buried in trees.

My view of the tower. Notice the high-tech holder.

Some initial notes.  Setup of LTE is a very easy process as far as the mikrotik is concerned.  I literally had to put in some information in the APN and that was it as far as LTE goes.  I did set up standard Mikrotik stuff (DHCP server, security, etc.).

Adding the second sim card can be a huge pain due to the location of the sim card slot.  Luckily I had some tweezers that were angled to be able to slide the card in the slot.  These were part of a dental kit I picked up off Amazon for releasing stuck SFPs and the like.

Look for a more in-depth series on Mikrotik LTE coming soon.

Quick home VPN using Mikrotik and an existing router

I had a situation today where we had an office worker needing to work from home.  This user had a Housefull of devices and a router managed by the Fiber to the home provider. This user had devices attached to the wifi on the provider router and such.  Normally I would want to replace this router, but it would be an undertaking.

For this setup, we used a Mikrotik MAP lite.
https://www.ispsupplies.com/MikroTik-RBmAPL-2nD

My quick solution was to have the user install the Mikrotik mAP as an ethernet device off of the provider’s router.  We then established a VPN tunnel from this device to the ISP’s network they work for.

 

We then added routes in the Mikrotik to the 3 networks they needed to access across the L2tp tunnel.  This user runs the Dude and Winbox. Once the tunnel was established we had two issues to overcome.

1. You have to add a nat rule in order for traffic behind the Mikrotik to reach the devices on the other side of the tunnel.  I simply added a nat rule that looks like this:

add action=masquerade chain=srcnat out-interface=all-ppp src-address=\
192.168.88.0/24

We could have done this in a few different ways, but remember this was a quick setup.

2. I needed the laptop they were working on the be able to route the three prefixes to the Mikrotik, thus going out the VPN.  In our setup, the laptop only has 2 default gateways.  It does not know any other routing info.

I created a bash script with the following in it. In short, you add the text below into a notepad file and save it with the extension of .bat.

route ADD 10.2.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.3.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.4.0.0 MASK 255.255.0.0 192.168.88.1

If you need help on creating a bash script
https://www.howtogeek.com/263177/how-to-write-a-batch-script-on-windows/

Once I had the file, which I simply saved into the Dude folder on the desktop, I created a shortcut on the desktop.  You will want to right-click on the shortcut and do the following.

It is important to note you are only able to do this on a shortcut in Windows, not the actual file itself.  No idea why. The script is important because this user brings the laptop back and forth.  I did not want to create persistent routes on the computer because the office network is different.  If you do not do persistent routes they will be after a reboot.  This way the user double clicks on the script shortcut when they login to the computer and before firing up the dude.

There are many other ways to accomplish this.  This was one of the quickest and less-impacting to the user and fewer things to support. One of the downsides to this setup is the user maintains two physical connections to two physical routers.  In this instance, the user could hardwire into the Mikrotik and maintain a wireless connection to the FIOS router.

If given more time you could have the laptop wired into the Mikoritk as your desk and have the wireless on the Mikrotik become a wireless client back to the FIOS router. This would make the setup a little more mobile.

#teleworker @packetsdownrange #j2 #vpn

My Mum 2019 BGP presentation

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at $0.01 or more
Already a qualifying Patreon member? Refresh to access this content.

Mikrotik Router OS 6.46.2 is out

Notables from the changelog of Mikrotik RouterOS 6.46.2

*) console – prevent “flash” directory from being removed (introduced in v6.46);
*) crs305 – disable optical SFP/SFP+ module Tx power after disabling SFP+ interface;
*) defconf – fixed default configuration loading on RBwAPG-60adkit (introduced in v6.46);
*) lora – fixed packet sending when using “antenna-gain” higher than 5dB;
*) lte – fixed “cell-monitor” on R11e-LTE in 3G mode;
*) lte – fixed “earfcn” reporting on R11e-LTE6 in UMTS and GSM modes;
*) lte – report only valid info parameters on R11e-LTE6;
*) qsfp – do not report bogus monitoring readouts on modules without DDMI support;
*) qsfp – improved module monitoring readouts for DAC and break-out cables;
*) security – fixed vulnerability for routers with default password (limited to Wireless Wire), admin could login on startup with empty password before default configuration script was fully loaded;
*) system – fixed “*.auto.rsc” file execution (introduced in v6.46);
*) traffic-generator – improved memory handling on CHR;
*) winbox – fixed “Default Route Distance” default value when creating new LTE APN;

Full changelog at
https://mikrotik.com/download

Mikrotik mAP for the WISP installer

One of the problems installers run into on a few networks we manage is having the right tools to properly test a new install. Sure, an installer can run a test to speedtest.net to verify customers are getting their speed.  Anyone who has done this long enough knows speedtest.net can be unreliable and produce inconsistent results. So, what then? Or what happens if you need to by-pass customer equipment easily? Most installers break out their laptop, spend a few minutes messing with settings and then authenticating themselves onto the network. Sometimes this can be easy, other times it can be challenging.

mAP with extenral battery pack

In steps the Mikrotik mAP.
What you are about to read is based on a MUM presentation by Lorenzo Busatti from http://routing.wireless.academy/ with my own spin on it. You can read his entire presentation on the mAP in PDF at : https://mum.mikrotik.com//presentations/US16/presentation_3371_1462179397.pdf . The meat of what we are talking about in this article starts on Page 50. If you want to watch the video you can do so at https://www.youtube.com/watch?v=VeZetH9uX_Y . The focus of this article starts around 21:00.

I have taken Lorenzo’s idea and have several different versions based upon the network.  In most of our scenarios, the ethernet ports are what plug into the CPE or the customer’s equipment, and the technician connects to the mAP over wifi.  This post covers using the mAP as an installer tool, not a traveling router. Lorenzo covers the travel option quite well in his presentation.

In this post, we focus on networks which use PPPoE. PPPoE networks usually are the ones who take much time to set up to diagnose.   What we have done is set up an uncapped user profile that is available on every tower.  Authentication can be done with local secrets or via radius.  Depending on your IP design the user can get the same IP across the network, or have an IP that assigned to this user on each tower/routed segment. We could do an entire article on IP design.

On our Mikrotik, we setup ether1 to have a PPPoE client running on it.  When the installer plugs this into the customers CPE the mAP will automatically “dial-out” and authenticate using the technician user we talked about earlier.  Once this connection has is established, the mAP is set to turn on the red “PoE out” light on the mAP using the following code.

/system leds
add interface=pppoe-out1 leds=user-led type=interface-status

Note. Our PPPoE interface is the default “pppoe-out1″ name. If you modify this, you will need to modify the led setup as well to match.

The red light gives the technician a visual indicator they have authenticated and should have internet. At the very least their mAP has authenticated with PPPoE. There are netwatch scripts mentioned in the above presentation which can kick on another LED indicating true internet reachability or other functions.  In our case, we can assume if the unit authenticates with the tower, then internet to the tower is up.  While this isn’t always the case if the Internet is down to the tower you quickly know or the NOC quickly knows.  At least you hope so. We chose the PoE out led because we are not using POE on this setup and a red light is noticeable.

Once the technician has a connection they can connect to an SSID set aside for testing.  In our case, we have set aside a “COMPANY_TECH” SSID. The tech connects to this on their laptop, and they are online.  Since this is a static profile, you can set it up just like a typical customer, or you can give the tech user access to routers, APs or other devices.  Our philosophy is you set up this SSID to mimic what a customer account experiences as closely as possible.  It goes through the same firewall rules and ques just like a typical customer.

To further enhance our tool we can set up a VPN.  This VPN can is accessible from the laptop with a second SSID named “COMPANY_VPN”. Once the technician switches over to this SSID they have access, over a preconfigured VPN on the mAP, to the network, from where they can access things customers can not, or at least should not be able to access. Many modern networks put APs, and infrastructure on separate VLANs not reachable from customer subnets.  The VPN comes in handy here. You can access these things without changing security. If you plan on using this router internally, the type of VPN you choose is not as important as if you plan to modify the config so you can travel as is the case with the above MUM presentation. If you plan to travel an SSTP VPN is the most compatible.  If it’s just inside your network, I would suggest an l2tp connection with IPsec.

Our third configuration on this is to set up the second ethernet port to be a DHCP client.  This setup is handy for plugging into the customer router for testing or for places where DHCP is the method of access, for example, behind a Baicells UE.  If your network does not use PPPoE, you could have one ethernet be a DHCP client, and the other be a DHCP server. We have found having the technicians connect wirelessly makes their lives easier.  They can plug the unit in and not have to worry about cables being too short, or getting behind a desk several times to plug and unplug things.

So why go through all this trouble?
One of the first things you learn in troubleshooting is to eliminate as many variables as you can. By plugging this into your CPE, you have a known baseline to do testing. You eliminate things such as customer routers, customer PCs, and premise wiring.  The mAP is plugged directly in CPE, whether it be wired or wireless. Experience has shown us many of the troubles customers experience are traced back to their router. Even if you provide the router, this can eliminate or point to that router as being a source of the problem if a technician needs to visit the customer.

Secondly, the mAP allows us to see and do more than your typical router. From the mAP we can run the Mikrotik bandwidth test tool from it to the closest router, to the next router inlines, all the way out to the internet. A while back I did an article titled “The Problem with Speedteststs“.  This article explains many of the issues testing just using speedtest.net or other sites.  Being able to do these kinds of tests is invaluable.  If there are four Mikrotik routers between the customer and the edge of your network all four of them can be tested independently. If you have a known good host outside your network, such as the one we provide to our clients, then you can also test against that. 

Having a Mikrotik test tool like this also allows you access to better logging and diagnostics.   You can easily see if the ethernet is negotiating at 100 meg or a Gig.  You can do wireless scans to see how noisy or busy 2.4GHZ is.  You have easy to understand ping and traceroute tools.  You also have a remote diagnostic tool which engineers can remote into easily to perform tests and capture readings.

Thirdly, the mAP allows the installer to establish a good known baseline at the time of install.  You are not reliant on just a CPE to AP test, or a speedtest.net test.

How do we make this portable?
You may have noticed in my above pictures I have an external battery pack hooked up to my mAP.   I am a fan of the Anker battery packs

Distributors such as ISP Supplies and CTIconnect have the mAP.

Finally, you will need a USB to MicroUSB cable

If you want you can add some double sided tape to hold the mAP to the battery pack for a neat package. I like the shorter cable referenced above in order to have a neat and manageable setup.

No matter what gear you use for delivering Internet to your customers, the mAP can be an invaluable troubleshooting tool for your field staff. I will be posting configs for Patreon and subscribers to download and configure their mAPs for this type of setup, as well as a road warrior setup. In the meantime, we do offer a setup service for $200, which includes the mAP, battery, USB cable and customized configuration for you.

Cleaning Dude Database in Version 4

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at $0.01 or more
Already a qualifying Patreon member? Refresh to access this content.