Dynamic DNS Update Script for No-IP DNS

This script was designed to utilize the No-IP Update API which offers direct access to No-IP’s DNS update system.

This script is based on the Dynamic DNS Update Script for DNSoMatic.com.

Tested to work on RouterOS 5.13.

1. Create a new script named no-ip_ddns_update

The following permissions are required for this script to run:

  • write
  • test
  • read

2. Paste the source code that appears below. Edit the user, password, hostname and interface info to match your setup.

# No-IP automatic Dynamic DNS update

#--------------- Change Values in this section to match your setup ------------------

# No-IP User account info
:local noipuser "your_no-ip_user"
:local noippass "your_no-ip_pass"

# Set the hostname or label of network to be updated.
# Hostnames with spaces are unsupported. Replace the value in the quotations below with your host names.
# To specify multiple hosts, separate them with commas.
:local noiphost "hostname.no-ip.net"

# Change to the name of interface that gets the dynamic IP address
:local inetinterface "your_external_interface"

#------------------------------------------------------------------------------------
# No more changes needed

:global previousIP

:if ([/interface get $inetinterface value-name=running]) do={
# Get the current IP on the interface
   :local currentIP [/ip address get [find interface="$inetinterface" disabled=no] address]

# Strip the net mask off the IP address
   :for i from=( [:len $currentIP] - 1) to=0 do={
       :if ( [:pick $currentIP $i] = "/") do={ 
           :set currentIP [:pick $currentIP 0 $i]
       } 
   }

   :if ($currentIP != $previousIP) do={
       :log info "No-IP: Current IP $currentIP is not equal to previous IP, update needed"
       :set previousIP $currentIP

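# The update URL. Note the "\3F" is hex for question mark (?). Required since ? is a special character in commands.
# This URL is plain HTTP, so the fetch below sends the No-IP user and password (HTTP Basic auth) unencrypted.
       :local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$currentIP"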
       :local noiphostarray
       :set noiphostarray [:toarray $noiphost]
       :foreach host in=$noiphostarray do={
           :log info "No-IP: Sending update for $host"
           /tool fetch url=($url . "&hostname=$host") user=$noipuser password=$noippass mode=http dst-path=("no-ip_ddns_update-" . $host . ".txt")
           :log info "No-IP: Host $host updated on No-IP with IP $currentIP"
       }
   }  else={
       :log info "No-IP: Previous IP $previousIP is equal to current IP, no update needed"
   }
} else={
   :log info "No-IP: $inetinterface is not currently running, so therefore will not update."
}

3. Create a new scheduler entry to run this script every 5 mins.

/system scheduler add comment="Update No-IP DDNS" disabled=no interval=5m \
name=no-ip_ddns_update on-event=no-ip_ddns_update policy=read,write,test

riverron 03:18, 18 March 2012 (UTC)
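
The script above saves each No-IP reply to no-ip_ddns_update-<host>.txt but logs success without reading it. As an added example (not part of the original wiki script), this shell function classifies a reply body using the response keywords from No-IP's update protocol; the function names and the status words it prints are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the body of a No-IP update response.
# Response keywords come from No-IP's published update protocol; the
# function names and status words below are this example's own.

# noip_classify BODY [EXPECTED_IP]
# Prints one of: ok | mismatch | fatal | retry | unknown
noip_classify() {
    # Drop CR/LF so files written by the router compare cleanly.
    body=$(printf '%s' "$1" | tr -d '\r\n')
    expected=${2:-}
    case "$body" in
        "good "*|"nochg "*)
            ip=${body#* }
            if [ -n "$expected" ] && [ "$ip" != "$expected" ]; then
                echo mismatch   # service recorded a different address
            else
                echo ok
            fi ;;
        nohost|badauth|badagent|'!donator'|abuse)
            echo fatal ;;       # fix the configuration; do not keep retrying
        911)
            echo retry ;;       # server-side fault; back off before retrying
        *)
            echo unknown ;;     # e.g. captive-portal HTML or an empty file
    esac
}

# noip_should_record_ip BODY EXPECTED_IP
# Succeeds only when it is safe to remember EXPECTED_IP as the previous IP.
noip_should_record_ip() {
    [ "$(noip_classify "$1" "$2")" = ok ]
}

# Constructed sample bodies (not captured from a real account).
for sample in 'good 203.0.113.7' 'nochg 203.0.113.7' 'badauth' '911' ''; do
    printf '%-20s -> %s\n' "[$sample]" "$(noip_classify "$sample" 203.0.113.7)"
done
```

A reply of fatal or unknown is worth a warning in the log, since repeating a rejected update every 5 minutes with the same credentials will not change the outcome.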

forwarding ports on Mikrotik for asterisk

l2tp-out1 is the L2TP client interface (the VPN used for Internet access)
ether1 is the LAN interface (to my apartment network 🙂)
ether2 is the WAN interface; the provider's cable plugs into it
192.168.0.30 is the Asterisk address

I added one additional rule in the firewall settings:
chain=forward action=accept protocol=udp dst-address=192.168.0.30
in-interface=l2tp-out1 out-interface=ether1

and this rule was already there:
chain=dstnat action=dst-nat to-addresses=192.168.0.30 protocol=udp
in-interface=l2tp-out1 dst-port=10000-25000

and these rules are for registering clients from the outside world:

chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=5060
protocol=tcp in-interface=l2tp-out1 dst-port=5060

chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=5060
protocol=udp in-interface=l2tp-out1 dst-port=5060

Monitoring OpenWRT in Zabbix

Install the Zabbix agent itself from the OpenWRT repositories:

opkg update
opkg install zabbix-agentd

Create the user and group

echo "zabbix:*:42223:42223:zabbix:/var:/bin/false" >> /etc/passwd
echo "zabbix:x:42223:" >> /etc/group

Create a directory for the PID file (with the required permissions)

mkdir /var/tmp
chown zabbix /var/tmp


Configure the agent

vi /etc/zabbix_agentd.conf

Hostname=openwrt
StartAgents=1
PidFile=/var/tmp/zabbix_agentd.pid
LogFileSize=1
LogFile=/tmp/zabbix_agentd.log
Server=1.2.3.4
ServerActive=1.2.3.4

A set of additional user parameters for tracking the state of the WiFi connection is available in a Gist.

Add the init script

vi /etc/init.d/zabbix_agentd

#!/bin/sh /etc/rc.common
# Copyright (C) 2008-2011 OpenWrt.org

START=60
SERVICE_PID_FILE=/var/run/zabbix/zabbix_agentd.pid

start() {
    [ -f /etc/zabbix_agentd.conf ] || return 1
    user_exists zabbix 53 || user_add zabbix 53
    group_exists zabbix 53 || group_add zabbix 53
    [ -d /var/log/zabbix ] || {
        mkdir -m0755 -p /var/log/zabbix
        chown zabbix:zabbix /var/log/zabbix
    }
    [ -d /var/run/zabbix ] || {
        mkdir -m0755 -p /var/run/zabbix
        chown zabbix:zabbix /var/run/zabbix
    }
    chgrp zabbix -R /sys/kernel/debug/ieee80211/
    chmod g+r -R /sys/kernel/debug/ieee80211/
    chgrp -R zabbix /var/state/
    chmod g+r -R /var/state/
    service_start /usr/sbin/zabbix_agentd
}
stop() {
    service_stop /usr/sbin/zabbix_agentd
}

chmod +x /etc/init.d/zabbix_agentd
/etc/init.d/zabbix_agentd start

Mikrotik + Cisco vpn client

Finally got round to actually doing this. For anyone else who needs to run vpnc, here’s what I did:

Follow the instructions here: http://wiki.mikrotik.com/wiki/Manual:Metarouter importing the openwrt
image into the metarouter. Get a copy of vpnc and the tun.ko kernel module. I compiled
them which was a bit of a hassle, but ended up with these if you want to avoid the effort (and
you trust a complete stranger to compile them for you…):
http://www.sbrk.co.uk/vpnc
http://www.sbrk.co.uk/tun.ko

openwrt has a package system called opkg which allows you to point to various repositories for
new packages, but I couldn’t figure out where to point it. I’m sure there is somewhere with
these.

After insmod ./tun.ko, ./vpnc works with my imported configuration leaving the only issue to
set up networking. I bridged the openwrt metarouter and configured a route to the network
used by vpnc, set up nat on the tun0 interface in openwrt and allowed forwarding and all
is working.

There is one issue remaining in that if I reboot my rb, the bridge ports disappear, presumably
because they don’t exist until the metarouter vm starts. So, I have to go in and configure them
again after a reboot.


Re: Mikrotik as cisco VPN client

by normis » Mon Aug 30, 2010 9:49 am

great! I knew RouterOS would be able to help you in some way :) sorry for not recommending metarouter any sooner

Re: Mikrotik as cisco VPN client

by seb » Sat Nov 05, 2011 8:47 pm

Hey Mknos, thanks for the basics for a vpnc solution. I have most of it working, but I’m not sure how to set up NAT on openwrt. Can you supply details on that?

Re: Mikrotik as cisco VPN client

by ivissie » Thu Jan 15, 2015 5:27 pm

Hi all,

I have successfully got mine working as well.

The metarouter image I used is: http://openwrt.wk.cz/attitude_adjustmen … tfs.tar.gz

Configure your network interface by using “uci”

  • Show network configurations: “uci show network”
  • Show all configurations: “uci show”
  • Set configuration: “uci set network.wan=interface”

Mine looks as follows:

network.wan.proto=static
network.wan.ipaddr=172.16.2.6
network.wan.netmask=255.255.255.252
network.wan.ifname=eth0
network.wan.gateway=172.16.2.5
network.wan.dns=172.16.2.5
network.lan=interface
network.lan.proto=static
network.lan.ipaddr=172.16.2.2
network.lan.netmask=255.255.255.252
network.lan.ifname=eth1

Where my WAN interface is used to get internet to the image and the lan will be used to access the VPN connection.
After configuring the network settings you need to commit them and restart the network service.
Run the following commands:

  • uci commit network
  • /etc/init.d/network restart

For some reason the dns nameserver does not take effect and you need to modify it manually at /etc/resolve.conf and enter your dns server details, otherwise you will not be able to update and download the packages needed.

Then you can install vpnc by following the tutorial here: http://wiki.openwrt.org/vpnc.vpn

  • In the created /etc/init.d/vpnc file, remove the spaces in the first few lines between the START=75 and STOP=01. It does not work with the spaces (error: unable to find start/stop on line 2 and line 3).
  • At the steps when you try to run “/etc/init.d/vpnc enable” you get an error, first enable the file to be executable by running “chmod +x /etc/init.d/vpnc” and then you will be able to enable the automatic boot script.
  • IP Tables – This one I have not figured out yet. When the metarouter restarts the IPtables are missing and you need to reapply them.

You connect the VPN by either running the startup script or the vpnc client itself.

vpnc
or
/etc/init.d/vpnc start

You can then see that the tunnel is up by using ifconfig

root@metarouter:/# ifconfig
eth0 Link encap:Ethernet HWaddr 02:0B:3E:55:A6:23
inet addr:172.16.2.6 Bcast:172.16.2.7 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2517 errors:0 dropped:0 overruns:0 frame:0
TX packets:2039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:888004 (867.1 KiB) TX bytes:364073 (355.5 KiB)

eth1 Link encap:Ethernet HWaddr 02:5B:39:4F:B5:12
inet addr:172.16.2.2 Bcast:172.16.2.3 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4787 errors:0 dropped:0 overruns:0 frame:0
TX packets:2992 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:447771 (437.2 KiB) TX bytes:679876 (663.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2748 errors:0 dropped:0 overruns:0 frame:0
TX packets:2748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:186756 (182.3 KiB) TX bytes:186756 (182.3 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.102.253.87 P-t-P:10.102.253.87 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:41 errors:0 dropped:0 overruns:0 frame:0
TX packets:432 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:4428 (4.3 KiB) TX bytes:31605 (30.8 KiB)

On your route make sure that you route the ip ranges you need and masquerade it as required.

Traceroute from PC going to my gateway (mikrotik) over to metarouter into the VPN.

C:\Users\Administrator>tracert -d 10.117.12.117

Tracing route to 10.117.12.117 over a maximum of 30 hops

1 <1 ms <1 ms 1 ms 10.20.0.254
2 2 ms 1 ms 1 ms 172.16.2.2
3 142 ms 36 ms 26 ms 10.102.250.2
4 213 ms 43 ms 37 ms 10.101.255.73
5 137 ms 24 ms 23 ms 10.101.255.206
6 114 ms 27 ms 26 ms 10.103.82.5
7 70 ms 201 ms 215 ms 10.251.201.0

Success.

Thank you for the tip of using metarouter and vpnc!


Re: Mikrotik as cisco VPN client

by Shatura » Tue Mar 17, 2015 9:07 pm

I tried metarouter image http://openwrt.wk.cz/attitude_adjustmen … tfs.tar.gz as well. And it even works. Several minutes or maybe hours. Then metarouter freezes. The only option you have is to reboot metarouter. While rebooting it makes the host router reboot as well. Very annoying. And even when it works it loses 20% of bandwidth compared to Windows Cisco client.

Then I tried the routine http://cases.azoft.com/how-to-connect-m … cisco-vpn/ with Mikrotik-recommended image http://www.mikrotik.com/download/metaro … rootfs.tgz and vpnc from http://rnd.rajven.net/openwrt/mikrotik/ … s/packages repository. This client connects to my corporate Cisco successfully and even makes appropriate routes to my internal networks. But I could not manage to get any traffic through these routes whatsoever. No ping, no telnet, no DNS request. And no errors and no warnings.

I wasted two days trying to make good usage of metarouter vpnc. Eventually I took a cheap spare router and installed DD-WRT there with vpnc. Vpnc works with two different Ciscos on my two remote jobs and provides me with two remote internal networks simultaneously. The only thing Mikrotik has to do with this it routes appropriate requests from my home network to remote networks through internal address of the second router. Works like a charm.