How to restore the standard mac-addresses of MikroTik interfaces

Recently, I had to copy the settings of one MikroTik router to another one, and after I saved the settings to a file and loaded them on the second router, I noticed that the MAC addresses had also been copied.

Therefore, we had to reset them to standard ones.
First, let’s see what the interface numbers are (I have ether1 for 0, ether2 for 1, etc.):

interface ethernet print

And reset their mac-addresses:

interface ethernet reset-mac-address 0
interface ethernet reset-mac-address 1
interface ethernet reset-mac-address 2
interface ethernet reset-mac-address 3
interface ethernet reset-mac-address 4

If you need to reset the MAC address of the wireless interface, first save the wireless settings to a file:

interface wireless export file wifibackup

Look at the wireless interfaces (I have one at number 0):

interface wireless print

Reset all settings including the mac address:

interface wireless reset-configuration 0

Restore the settings from the previously saved file (mac-address in this case will remain standard):

import wifibackup.rsc

Done.

SNMP MIBs and OIDs for MikroTik

Today I made Zabbix templates; I started with the MikroTik RouterBOARD SXT-Lite2 (2nDr2).

Some OIDs can be found by running the following commands on the device:

system resource print oid
system resource cpu print oid
system health print oid
interface print oid

SNMP must be enabled on the device: add a community in “IP” – “SNMP” – “Communities” and check Enabled in “IP” – “SNMP”.

From Linux, you can check the OIDs with the command:

snmpwalk -v 2c -c public 192.168.1.1 .1

I will describe below a few OIDs that I used.
SSID:

SNMPv2-SMI::enterprises.14988.1.1.1.3.1.4.2

Signal:

.1.3.6.1.4.1.14988.1.1.1.2.1.3

Uptime:

.1.3.6.1.2.1.1.3.0

CPU load:

.1.3.6.1.2.1.25.3.3.1.2.1

Determine the interface indexes by looking at their descriptions:

.1.3.6.1.2.1.2.2.1.2
ifDescr

LAN traffic (I have an index of 1):

ifInOctets.1
ifOutOctets.1
1.3.6.1.2.1.2.2.1.10.1
1.3.6.1.2.1.2.2.1.16.1

WLAN traffic (I have an index of 2):

ifInOctets.2
ifOutOctets.2
1.3.6.1.2.1.2.2.1.10.2
1.3.6.1.2.1.2.2.1.16.2

Total memory and how much is used:

.1.3.6.1.2.1.25.2.3.1.5.65536
.1.3.6.1.2.1.25.2.3.1.6.65536

CPU frequency:

.1.3.6.1.4.1.14988.1.1.3.14.0

MAC addresses of LAN and WLAN:

.1.3.6.1.2.1.2.2.1.6.1
.1.3.6.1.2.1.2.2.1.6.2

Packets with errors in/out on the WLAN interface (I have WLAN under index 2):

.1.3.6.1.2.1.2.2.1.14.2
.1.3.6.1.2.1.2.2.1.20.2
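Turning the OIDs above into monitoring values, as an added example that is not part of the original article: it parses two polls, derives the WLAN bit rate from the Counter32 values (handling a wrap at 2**32 and a reboot seen through sysUpTime), and computes memory usage. It assumes the polls were taken with `snmpwalk -On` (numeric OIDs); the sample output and its values are constructed.

```python
import re

IF_IN, IF_OUT = ".1.3.6.1.2.1.2.2.1.10.2", ".1.3.6.1.2.1.2.2.1.16.2"  # WLAN, index 2
UPTIME = ".1.3.6.1.2.1.1.3.0"              # sysUpTime, hundredths of a second
MEM_TOTAL = ".1.3.6.1.2.1.25.2.3.1.5.65536"
MEM_USED = ".1.3.6.1.2.1.25.2.3.1.6.65536"

# Constructed sample output of two `snmpwalk -On` polls (values are made up).
POLL_A = """\
.1.3.6.1.2.1.1.3.0 = Timeticks: (8640000) 1 day, 0:00:00.00
.1.3.6.1.2.1.2.2.1.10.2 = Counter32: 4294960000
.1.3.6.1.2.1.2.2.1.16.2 = Counter32: 1000000
.1.3.6.1.2.1.25.2.3.1.5.65536 = INTEGER: 65536
.1.3.6.1.2.1.25.2.3.1.6.65536 = INTEGER: 16384
"""
POLL_B = """\
.1.3.6.1.2.1.1.3.0 = Timeticks: (8646000) 1 day, 0:01:00.00
.1.3.6.1.2.1.2.2.1.10.2 = Counter32: 52704
.1.3.6.1.2.1.2.2.1.16.2 = Counter32: 1750000
.1.3.6.1.2.1.25.2.3.1.5.65536 = INTEGER: 65536
.1.3.6.1.2.1.25.2.3.1.6.65536 = INTEGER: 16384
"""

LINE = re.compile(r"^(\.[\d.]+) = \w+: \(?(\d+)")

def parse_walk(text):
    """Map numeric OID -> leading integer of the value on each line."""
    return {m.group(1): int(m.group(2))
            for m in map(LINE.match, text.splitlines()) if m}

def rates_bps(old, new):
    """(in, out) bit rates between two polls, or None if the device rebooted."""
    ticks = new[UPTIME] - old[UPTIME]
    if ticks <= 0:                       # uptime went backwards: counters were reset
        return None
    seconds = ticks / 100
    # Counter32 wraps at 2**32; the modulo recovers the true delta across one wrap.
    return tuple((new[o] - old[o]) % 2**32 * 8 / seconds for o in (IF_IN, IF_OUT))

def mem_used_pct(poll):
    # hrStorageSize and hrStorageUsed share the same allocation unit, so it cancels.
    return 100 * poll[MEM_USED] / poll[MEM_TOTAL]

if __name__ == "__main__":
    a, b = parse_walk(POLL_A), parse_walk(POLL_B)
    print(rates_bps(a, b), mem_used_pct(b))
```

The modulo only recovers a single wrap, so the polling interval has to be short enough that a busy interface cannot wrap the 32-bit counter twice between polls.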

See also:
SNMP OID and MIB for interfaces

How to view the configuration of MikroTik

Recently I configured another MikroTik and had to share the configuration. To see it in the terminal, execute the command:

/export compact

To save the configuration to a file, execute the command:

/export compact file=config

After saving, the file will be in the device’s memory; you can see it and download it from the Files menu via the web interface or via winbox, ftp, smb or sftp.

Backup configuration of MikroTik

You can make a backup copy of the configuration of MikroTik devices in several ways:

1) Via the web interface or WinBox: select Files in the menu on the left, press the Backup button and then Backup once more; a file with a backup copy of the settings will be created in the device memory. To restore the settings from this file, for example after resetting the device, open Files, select the desired file and click the Restore button; the device will reboot.
From the terminal, you can list the files in memory, make a backup and restore from it like this:

file print
system backup save name=file
system backup load name=file

You can restore from this file only on the device where it was made, because the MAC addresses of the interfaces are also restored.

2) The next option is to export the configuration (the list of commands) to a file, which you can then execute on other devices, thereby transferring the configuration.
I wrote about this in the next article How to view the configuration of MikroTik

Configuring the VPN IPSec / L2TP server on Mikrotik

Here is an example of setting up a VPN IPSec / L2TP server on Mikrotik so that you can connect to it from Windows, MacBook, iPhone, etc.

1) Add a range of IP addresses for DHCP by opening “IP” – “Pool” and indicating:
Name: vpn_pool
Addresses: 192.168.5.1-192.168.5.15
Next pool: none
From the terminal like this:

ip pool add name=vpn_pool ranges=192.168.5.1-192.168.5.15

2) Add a profile to “PPP” – “Profiles”:
Name: l2tp_profile
Local address: vpn_pool (you can specify default 192.168.88.1)
Remote address: vpn_pool
Change TCP MSS: yes
Leave the rest at the defaults
From the terminal like this:

ppp profile add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool

3) Add a user to “PPP” – “Secrets”:
Name: LOGIN
Password: PASSWORD
Service: l2tp
Profile: l2tp_profile
From the terminal like this:

ppp secret add name=LOGIN password=PASSWORD profile=l2tp_profile service=l2tp

4) Enable the server in “PPP” – “Interface” – “L2TP Server”:
Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2
Use IPSec: yes
IPSec Secret: ENCRYPTION_KEY (also indicated in the clients)
From the terminal like this:

interface l2tp-server server set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=KEY use-ipsec=yes

5) “IP” – “IPSec” – “Peers”:
Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Exchange mode: main l2tp
Passive: yes (set)
Secret: ENCRYPTION_KEY (also indicated in the clients)
Policy template group: default
Send Initial Contact: yes
NAT Traversal: yes
My ID Type: auto
Generate policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5
Proposal check: obey
Hash algorithm: sha1
Encryption Algorithm: 3des aes-128 aes-256
DH Group: modp 1024
From the terminal like this:

ip ipsec peer add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=KEY

6) “IP” – “IPSec” – “Proposals”:
Name: default
Auth algorithms: sha1
Encr. algorithms: 3des, aes-256 cbc, aes-256 ctr
Life time: 00:30:00
PFS Group: modp 1024
From the terminal like this:

ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des

7) “Firewall” – “Add New”
Let’s add the first rule allowing incoming VPN connections:
Chain: Input
Protocol: udp
Any. Port: 1701,500,4500
Action: Accept
And the second:
Chain: Input
Protocol: ipsec-esp
Action: Accept
From the terminal like this:

ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
ip firewall filter add chain=input action=accept protocol=ipsec-esp

The rules should be at the top of the list.

This completes the configuration, you can connect.

See also:
Configuring Remote Access in Mikrotik Router

Configuring Remote Access in Mikrotik Router

Open “IP” – “Firewall”, the “Filter Rules” tab.
Click “Add new” to add a new rule.

Then set the following parameters:

Chain: input
Src. Address: the IP address or network from which connections are allowed; leave it empty to allow everyone.
Protocol: tcp
Dst. Port: 80 (or 8291 for Winbox, 21 for ftp, 22 for ssh, 23 for telnet, udp 161 for snmp)
Action: accept

Click “OK” to add a rule.

After that, the rule will be created at the end of the firewall list. Since it is last and there is a rule before it that prohibits everything, it must be dragged to the very top with the mouse, otherwise it will have no effect.

Through the command line, the rules will look like this:

/ip firewall filter add chain=input protocol=tcp dst-port=80 disabled=no action=accept

To move the rule up the list, you can do this (where 30 is the ID of the rule added):

/ip firewall filter print
/ip firewall filter move 30 destination=1

Or, in the command itself, specify that the rule should be placed at the very beginning of the list:

/ip firewall filter add chain=input protocol=tcp dst-port=80 disabled=no action=accept place-before=0
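Why rule position matters, both for this remote-access rule and for the VPN rules that "should be at the top of the list": the filter takes the first matching rule, which the added example below (not part of the original article) models. It is a simplified model without connection state or interfaces; the catch-all drop rule, the 192.168.1.0/24 source restriction and the sample packets are constructed.

```python
import ipaddress

def parse_rule(line):
    """'chain=input protocol=tcp dst-port=80 action=accept' -> dict of properties."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def matches(rule, pkt):
    """A rule matches when every condition it sets agrees with the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and str(pkt["dst-port"]) not in rule["dst-port"].split(","):
        return False
    if "port" in rule:  # "port" matches the source or the destination port
        ports = {str(pkt.get("src-port")), str(pkt["dst-port"])}
        if not ports & set(rule["port"].split(",")):
            return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    return True

def verdict(rule_lines, pkt):
    """Return (rule number, action) of the first match; unmatched packets are accepted."""
    for number, rule in enumerate(map(parse_rule, rule_lines)):
        if matches(rule, pkt):
            return number, rule["action"]
    return None, "accept"

# Constructed rule set: a catch-all drop plus the rules from the text.
DROP_ALL = "chain=input action=drop"
WEB = "chain=input protocol=tcp dst-port=80 src-address=192.168.1.0/24 action=accept"
VPN = "chain=input action=accept protocol=udp port=1701,500,4500"

admin = {"chain": "input", "protocol": "tcp", "dst-port": 80, "src": "192.168.1.10"}
outsider = dict(admin, src="203.0.113.7")
ike = {"chain": "input", "protocol": "udp", "dst-port": 500, "src": "203.0.113.7"}

if __name__ == "__main__":
    print(verdict([DROP_ALL, WEB, VPN], admin))     # appended after the drop
    print(verdict([WEB, VPN, DROP_ALL], admin))     # moved above the drop
    print(verdict([WEB, VPN, DROP_ALL], outsider))  # Src. Address keeps others out
    print(verdict([WEB, VPN, DROP_ALL], ike))
```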

Also, in the “IP” – “Services” menu, in the parameters of the desired service, you can set “Available From” to the list of IP addresses from which you want to allow access. The restriction applies to both local and external addresses, so first of all add the IP or subnet from which you are currently connected.

Here is an example of specifying the IP addresses through the terminal, in this case for telnet (ftp, www, ssh and winbox are set the same way):

/ip service set telnet address=192.168.1.0/24,172.16.205.50/32,192.168.3.24/32

See also my article:
Configure Hairpin NAT on RouterOS (Mikrotik)

Configuring UPnP in MikroTik

UPnP (Universal Plug and Play) – universal automatic configuration of network devices, automatically opens ports for p2p applications, games, etc.

In the Winbox settings you can find “IP” – “UPnP”.

To enable it, check Enabled.

Now you need to specify interfaces: click “Interfaces” and “Add New”.
We’ll add an external WAN port, usually ether1-gateway.
Add an internal port or bridge, such as a bridge.
This completes the configuration.

I’ll give an example of how this will look through the console:

ip upnp set enabled=yes
ip upnp interfaces add interface=ether1-gateway type=external
ip upnp interfaces add interface=bridge type=internal