Vyacheslav Gapon – personal blog, manuals, articles, notes, development
Recently I configured the next MikroTik and I had to share the configuration, so, to see it in the terminal, execute the command:
/export compact
To save the configuration to a file, execute the command:
/export compact file=config
After saving the file will be in the device’s memory, you can see it and download it from the Files menu via the web interface or winbox, ftp, smb, sftp.
You can make a backup copy of the configuration of MikroTik devices in several ways:
Continue reading “Backup configuration of MikroTik”Here is an example of setting up a VPN IPSec / L2TP server on Mikrotik so that you can connect to it from Windows, MacBook, iPhone, etc.
1) Add a range of IP addresses for DHCP by opening “IP” – “Pool” and indicating:
Name: vpn_pool
Addresses: 192.168.5.1-192.168.5.15
Next pool: none
From the terminal like this:
ip pool add name=vpn_pool ranges=192.168.5.1-192.168.5.15
2) Add a profile to “PPP” – “Profiles”
Name: l2tp_profile
Local address: vpn_pool (you can specify default 192.168.88.1)
Remote address: vpn_pool
Change TCP MSS: yes
The rest is not touched and left in default
From the terminal like this:
ppp profile add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool
3) Add a user to “PPP” – “Secrets”
Name: LOGIN
Password: PASSWORD
Service: l2tp
Profile: l2tp_profile
From the terminal like this:
ppp secret add name=LOGIN password=PASSWORD profile=l2tp_profile service=l2tp
4) Enable the server in “PPP” – “Interface” – “L2TP Server”
Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2
Use IPSec: yes
IPSec Secret: ENCRYPTION_KEY (also indicated in the clients)
From the terminal like this:
interface l2tp-server server set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=KEY use-ipsec=yes
5) “IP” – “IPSec” – “Peers”
Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Exchange mode: main l2tp
Passive: yes (set)
Secret: ENCRYPTION_KEY (also indicated in the clients)
Policy template group: default
Send Initial Contact: yes
NAT Traversal: yes
My ID Type: auto
Generate policy: port override
Lifitime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5
Proposal check: obey
Hash algorithm: sha1
Encryption Algorithm: 3des aes-128 aes-256
DH Group: modp 1024
From the terminal like this:
ip ipsec peer add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=KEY
6) “IP” – “IPSec” – “Proposals”
Name: default
Auth algorithms: sha1
Enrc. algorithms: 3des, aes-256 cbc, aes-256 ctr
Life time: 00:30:00
PFS Group: mod 1024
From the terminal like this:
ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des
7) “Firewall” – “Add New”
Let’s add the first rule allowing incoming VPN connections:
Chain: Input
Protocol: udp
Any. Port: 1701,500,4500
Action: Accept
And the second:
Chain: Input
Protocol: ipsec-esp
Action: Accept
From the terminal like this:
ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500 ip firewall filter add chain=input action=accept protocol=ipsec-esp
The rules should be at the top of the list.
This completes the configuration, you can connect.
On the test I use the Cisco Catalyst 6509-E switch.
Suppose we need to block access to users to a certain site, a network node, or for example a social network VKontakte.
First, we know the range of IP addresses on which the site is located, for example, we search VKontakte on bgp.he.net, here is for example the list of subnets for one of the AS belonging to VKontakte “http://bgp.he.net/AS47541#_prefixes”.
And create an extended ACL for example with the name BLOCKSOCIAL:
ip access-list extended BLOCKSOCIAL deny ip any 87.240.128.0 0.0.63.255 deny ip any 93.186.224.0 0.0.7.255 deny ip any 93.186.232.0 0.0.7.255 deny ip any 95.142.192.0 0.0.15.255 deny ip any 95.213.0.0 0.0.63.255 deny ip any 185.29.130.0 0.0.0.255 deny ip any 185.32.248.0 0.0.3.255 permit ip any any exit
The rule above indicates that you want to block traffic to the specified networks coming from all (any) sources.
You can specify as a source a specific network or for example one address to deny access to another address:
deny ip host 192.168.5.1 host 192.168.11.54
The line “permit ip any any” should be necessary at the end.
Instead of a subnet mask, you need to specify the Wildcard, for example, for the mask /24, specify 0.0.0.255, for /22 – 0.0.3.255, etc., you can look at and count on any IP calculator.
/17 – 0.0.127.255
/18 – 0.0.63.255
/19 – 0.0.31.255
/20 – 0.0.15.255
/21 – 0.0.7.255
/22 – 0.0.3.255
/23 – 0.0.1.255
/24 – 0.0.0.255
If you want to block more sites, we’ll add the addresses to the same ACL, since only one can be applied to the ACL interface.
Apply the created ACL to the port looking towards the clients:
interface GigabitEthernet1/1 ip access-group BLOCKSOCIAL in
Or, to write less only to the server’s server port on the Internet, if there is one:
interface TenGigabitEthernet3/2 ip access-group BLOCKSOCIAL in
You can cancel the ACL interface as follows:
no ip access-group BLOCKSOCIAL in
Delete the ACL like this:
no ip access-list extended BLOCKSOCIAL
If you block sites on the port from the server to the clients, then in the ACL rule we will change the addresses in the following places:
ip access-list extended BLOCKSOCIAL deny ip 87.240.128.0 0.0.63.255 any deny ip 93.186.224.0 0.0.7.255 any deny ip 93.186.232.0 0.0.7.255 any deny ip 95.142.192.0 0.0.15.255 any deny ip 95.213.0.0 0.0.63.255 any deny ip 185.29.130.0 0.0.0.255 any deny ip 185.32.248.0 0.0.3.255 any deny ip host 192.168.5.1 any permit ip any any exit
See also my articles:
Blocking social networks on Mikrotik routers
Blocking social networks using iptables
On the test, I will configure aggregation on two ports of Huawei SmartAX MA5683T and Cisco Catalyst 6509-E.
Continue reading “Configuring link aggregation on Huawei SmartAX MA5600”For the test, I will configure the aggregation on the Cisco Catalyst 6509-E.
Continue reading “Configuring link aggregation on the Cisco Catalyst 6500”Below I list the standard OID and MIB with a description for obtaining SNMP different statistics for the network interfaces of switches, routers, access points, network cards in servers, etc.
Continue reading “SNMP OID and MIB for interfaces”I wrote a script for backup configuration of TP-Link switches.
The script runs on Linux where the TFTP server is running, it is connected via telnet to the switch and the configuration command is sent to the specified TFTP, when the telnet connection is closed, the file is moved to the desired directory, and the last command deletes files longer than 30 days, as more of them I do not need to store.
You can also make a copy of all the files in the cloud every month.
As you can see, before entering a password in the script, you can not pause.
#!/bin/bash
{
echo "PASSWORD";
echo "enable";
echo "PASSWORD";
echo "copy startup-config tftp ip-address 192.168.0.5 filename tplink";
sleep 2;
echo "exit";
sleep 1;
echo "exit";
} | telnet 192.168.0.110
mv /srv/tftp/tplink.cfg /backups/devices/tplink/`date +%Y-%m-%d`_tplink.cfg
find /backups/devices/tplink/ -type f -mtime +30 -exec rm {} \;
Below is an example of the TP-Link router reboot script, I will test it on TL-WR720N 2.0 from Ubuntu Server.
#!/bin/sh ROUTER_IP="192.168.24.174" USERNAME="admin" PASSWORD="admin" # exit if router is down ping -q -c 1 "$ROUTER_IP" > /dev/null || exit curl --basic --user "$USERNAME:$PASSWORD" -A "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" --refer "http://$ROUTER_IP" "$ROUTER_IP/userRpm/SysRebootRpm.htm?Reboot=reboot"
The contents of the script will be placed in a new file, for example, using the nano editor (“CTRL+X” to exit and “y” to save the changes):
nano file.sh
And make it executable:
chmod 777 file.sh
After this, we execute:
./file.sh
Similarly, you can perform other functions instead of rebooting.
Noticed recently the appearance of a white screen at the time of work on the laptop HP Pavilion dv7.
When switching to an external monitor and back by a combination with the Fn key, the image was displayed normally, but after a while the problem appeared again.
The main reason for this phenomenon is likely to be a damaged or poor contact on the plume going to the display.
In my case, its disconnection/connection did not solve the problem, I had to order it on Aliexpress, it’s not expensive there.
Under the battery is written the full name of the laptop model for which you need to order a cable.
After replacing the loop, the problem was solved.