Mint Cacti for Mikrotik Queue

Mikrotik does routing beautifully but the same cannot be always said about its traffic monitoring facilities. While graphing does exist, its is as flexible as Trump supporter on immigration issues.

For me, one of the best ways to monitor router on the cheap is Cacti. Completely free and has built in SNMP support. Guess what else has built in SNMP support? Yep - Mikrotik.

To get Mikrotik’s SNMP working, just enable it from terminal window, adjusting firewall if necessary:

/snmp set enabled=yes

/ip firewall filter
add chain=input protocol=udp dst-port=161 in-interface=!ether1 action=accept place-before=0 comment="Allow local SNMP"

While we are playing with Mikrotik, we can also print OIDs for queues:

/queue simple
 print oid without-paging
 0    name=.1.3.6.1.4.1.14988.1.1.2.1.1.2.19
      bytes-in=.1.3.6.1.4.1.14988.1.1.2.1.1.8.19
      bytes-out=.1.3.6.1.4.1.14988.1.1.2.1.1.9.19
      packets-in=.1.3.6.1.4.1.14988.1.1.2.1.1.10.19
      packets-out=.1.3.6.1.4.1.14988.1.1.2.1.1.11.19
      queues-in=.1.3.6.1.4.1.14988.1.1.2.1.1.12.19
      queues-out=.1.3.6.1.4.1.14988.1.1.2.1.1.13.19
 ...

Just store this data somewhere are we are going to need bytes-in and bytes-out entries later.

To get Cacti running, I went with the latest Linux Mint distribution. Procedure is quite generic so you can select essentially any Linux. Just add a few packages:

sudo apt-get -y install lamp-server^
sudo apt-get -y install snmpd
sudo apt-get -y install cacti cacti-spine

During installation, some packages might have additional questions - especially password related - you might want to set. For the purpose of this exercise I just went with all defaults.

After all packages are installed, it is a good time to test if we get anything from Mikrotik:

snmpwalk -v 2c -c public ^^192.168.88.1^^

And yes, this command is going to show a lot. :)

Now that we know SNMP is working we can go further with Cacti setup. For that we go to http://127.0.0.1/cacti and answer a few questions - essentially just setting the admin password and confirming tool locations.

The next thing on Cacti’s Console page is selecting Devices and adding a new one. You need to enter Mikrotik’s IP address here and change SNMP version to 2. Once you create entry, you should see system name and uptime.

Now we can finally go to New Graph and create one based on SNMP - Generic OID Template. For the purpose of byte counting Maximum Value should be set to U and OID should be one belonging to Mikrotik’s queue byte count. In my case value .1.3.6.1.4.1.14988.1.1.2.1.1.8.19 is the one used for input bytes of my Internet queue. A few minutes afterward you can check your Graphs/Preview tab and you should see your data nicely displayed.

Of course, with Cacti’s seemingly infinite configurability, this is just a start. Feel free to snoop around and discover. :)

PS: To monitor router’s health, check out resource OIDs:

/system resource print oid
             uptime: .1.3.6.1.2.1.1.3.0
    total-hdd-space: .1.3.6.1.2.1.25.2.3.1.5.1
     used-hdd-space: .1.3.6.1.2.1.25.2.3.1.6.1
       total-memory: .1.3.6.1.2.1.25.2.3.1.5.2
        used-memory: .1.3.6.1.2.1.25.2.3.1.6.2
           cpu-load: .1.3.6.1.2.1.25.3.3.1.2.1

Escaping Backtick in (Perl)grep

It all started with a simple list of name='value' and name=`value` entries, all within the same line. My wish was to color a few matching entries for the devious purpose of making them more visible. First stab at solution was extremely easy:

something | grep --color=always -P "somename='.*?'"

Two things to note here: I had to use PERL-style grep as I needed a non-greedy matching and secondly this didn’t fulfill its task. Yep, it didn’t match backtick (`) character.

Simple regex adjustment one might think:

something | grep --color=always -P "somename=['`].*?['`]"

But no - backtick is a tricky one as it serves a special purpose in bash.

I tried a bunch of escaping methods before I remembered that hexadecimal characters are still a thing. Wouldn’t you know it - that worked. To match a backtick, instead of using character itself, one can always use its hexadecimal escape code:

something | grep --color=always -P "somename=['\x60].*?['\x60]"

OpenVPN or SSTP on Mikrotik?

As I have covered creating both OpenVPN and SSTP server on Mikrotik, one might rightfully wonder - which one is better?

Security-wise, on Mikrotik, they are pretty much even. Both use certificates, both can use AES, and both allow for the perfect forward secrecy. If you decide to stick with Windows 10 or you are willing to tweak Windows 7 a bit, SSTP can even be forced to use only TLS 1.2.

When it comes to connectivity, by default SSTP has a slight advantage as it defaults to port 443 which traverses pretty much any firewall. But it is not a big advantage as OpenVPN can offer exactly the same success rate if configured accordingly. Unfortunately both also support only TCP as the base protocol, by design in the case of SSTP and by Mikrotik’s choice in the case of OpenVPN. If you are on a lossy or even just slow link, TCP-over-TCP tunneling is going to make bad situation worse.

OpenVPN does have a bit of advantage when it comes to support across various platforms as you cannot find an OS without it. If you are dealing with Linux platforms (including Android), OpenVPN is probably the best route. While there are open source versions of SSTP for various platforms, it roots are on Windows and there it works flawlessly and out of the box. It is the VPN of choice if you need to get Windows machine on VPN without installing any additional software.

Guess what, performance of both protocols, if configured similarly, is also close. OpenVPN might seem a bit slower at the time but usually this is when different ciphers are selected. If you keep both at AES-128 (SSTP’s default in force-aes mode), you will see both as being equal. Mind you, neither is “cheap” as far as CPU usage goes. It is just that neither has advantage over the other.

Frankly, based on all things I cared about, either protocol will do a good job but neither is perfect nor supported on all devices. I personally keep both turned on with a common security profile so I can use the same user name and password for both. If I am connecting from Windows computer I go SSTP route just because it is so frictionless. For all non-Windows devices, including mobile phones, I go OpenVPN.

Unable to Execute File From NAS4Free Share

I use NAS4Free based server for all my file sharing needs. Give it a bit of ZFS turbo and you have a reliable setup.

However, I noticed one quirk if you will. From my computer I could execute installations located on the network share while my kids were greeted with “Windows cannot access…” error. Cause was clear. My kids had read-only access while I had full rights. And it was definitely that, as I could use chmod +x to make file executable and go on my marry way.

Doing it recursively over all directories would have solved the problem but not necessarily permanently as any newly created file would need the same adjustment. And yes, it would be possible to force inheritance of attributes from parent but that seemed overly restrictive - not even taking into consideration that my NAS4Free command line would suddenly auto complete every executable file in directory.

Fortunately, Samba 4.1 has a simple solution for it - acl allow execute always. This option than “fakes” executable attribute without setting it on the underlying system. It is as close as it gets to “have your cake and eat it too”.

NAS4Free unfortunately doesn’t have this option exposed to user. However, it does have free form field for configuration parameters. Solution is just finding Auxiliary parameters under Services, CIFS/SMB and adding acl allow execute always = true into a text box. Short restart later and any restricted Windows user will be able to execute files from the network share.

[2018-07-22: NAS4Free has been renamed to XigmaNAS as of July 2018]

Access Point and Station Combo on Mikrotik

While wireless is available in the most hotels these days, the good old ethernet cable seems to be disappearing bit by bit. That means you cannot simply plug-in your own wireless and have it just work. Having a device capable of bridging two wireless networks is becoming a necessity. Why would you even bother, you wonder?

One reason is convenience - if you always connect to your own wireless access point, you have everything setup and ready to go without annoying web prompts. Particularly handy if you bring your Roku or Chromecast with you as they generally have no provisions for even entering user name/password combination.

Other reason is security. Connecting to an open network (or one with widely known key) means every single device is fully exposed to snooping gremlins hiding around. And you will be surprised how much data is actually not encrypted. Yes, having your own wireless doesn’t necessarily fix that as you still go over unprotected media but it is a necessary first step. In one of the future posts we can talk about connecting over VPN and how to skin that particular cat.

For me a favorite wireless-to-wireless bridge device was aging Asus WL-330gE. Unfortunately, the device hasn’t had any update in ages and using alternative firmware makes wireless bridging functionality much more difficult than it should be.

Lately I’ve been using two Mikrotik mAP lite devices back-to-back. One serves the function of a wireless client toward the hotel’s wireless while the other is an access point with VPN on board. As I needed one mAP for another project of mine, I started to wonder how to setup the same device to be both wireless client and an access point.

This guide is going to assume you are to enter commands into the New Terminal window from WinBox. That way I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.

Assuming you start with fresh mAP lite, first order of business is connecting to its default wireless network and cleaning the whole router out. This will allow connecting WinBox via the cable to the router’s MAC address as default configuration assumes that port is intended for WAN.

/system
reset-configuration no-defaults=yes skip-backup=yes

Since all is deleted, pretty much the only thing one can do is connect to ethernet port and use neighbor discovery on your Mikrotik. When device is found, just connect using the MAC address.

If we do not know exact wireless network we are interested in, we can enable wireless and perform a scan to see what is around.

/interface wireless
scan wlan1

Once we wither find network by scan or because we already new its name, it is time to set it up. Of course, security profile mode and all other parameters must match network you are connecting to.

/interface
wireless security-profiles add name=client-profile mode=^^dynamic-keys^^ authentication-types=wpa2-psk wpa2-pre-shared-key=^^hotel_wireless_password^^
wireless set wlan1 ssid=^^hotel_network_name^^ security-profile=client-profile frequency=auto disabled=no

This is actually one of rare situations where it is probably worth actually using GUI and wireless Scanner tool instead of getting all this sorted out manually. Regardless, if all went well, you should see upper case R next to the wlan1 interface.

As we destroyed the whole network configuration, we need to setup DHCP client on wlan1 interface so we can obtain IP. This is a nice second checkpoint as you should see the hotel’s IP address getting assigned to your router.

/ip
dhcp-client add interface=wlan1 disabled=no
address print

Now that we have client sorted out, we need to create the access point. That involves setting up a security profile, creating the access point interface on top of the existing wlan1, getting its DHCP server interface sorted out, NAT, and lastly the basic firewall.

/interface
wireless security-profiles add name=ap-profile mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=^^access_point_password^^
wireless add name=ap-wlan master-interface=wlan1 mode=ap-bridge ssid=^^access_point_network_name^^ security-profile=ap-profile disabled=no

/ip
address add interface=ap-wlan address=192.168.89.1/24
dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1
pool add name=ap-pool ranges=192.168.89.10-192.168.89.99
dhcp-server add name=ap-dhcp interface=ap-wlan address-pool=ap-pool disabled=no

/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade

/ip firewall filter
add chain=forward action=accept in-interface=wlan1 connection-state=established,related disabled=no
add chain=forward action=accept out-interface=wlan1 disabled=no
add chain=forward action=drop disabled=no

/system reboot

Assuming everything went fine, after reboot, you will have your access point going through hotel’s wireless.

This setup is not necessarily the most comfortable one as every time you want to connect to new network you will have to use WinBox over the ethernet cable. And no, you cannot use access point for configuration since access point is only active if its master - hotel’s connection - is running.

Again no, you cannot do it other way round - have the access point as the main wireless interface and station as slave because you need to have station tracking for your hotel’s access point. If you setup your access point first, you will need to set its frequency to match hotel’s access point at all times. That doesn’t play well if you roam through hotel and see APs with the same name and different frequency nor it will play well if AP changes its frequency, for example, due to radar detection.

However, this setup gives you the full power of Mikrotik to use in a wireless bridge at the cost of a single device.

Me? I’ll stick to my double mAP method.

PS: Yes, you could work around the need for Ethernet cable but it gets complicated enough that it is not worth the trouble.

PPS: Yes, firewall is VERY basic.