Managing and Monitoring

MUM EU 2019 Amsterdam | Patrik Schaub | © FMS Internetservice GmbH

RouterOS

Agenda

ƒ Company introduction

ƒ Network operationthe big picture

ƒ Management approachesƒ Network monitoringƒ RouterOS monitoring

FMS Internetservice GmbH

Value Added Distribution

FMS Internetservice GmbH

ƒ Value Added Distributor

ƒ Distribution

ƒ Training

ƒ Consulting

ƒ Support

ƒ Founded 1997

ƒ 11 employees

ƒ Southern Germany

FMS Internetservice GmbH

ƒ Inhouse training facility

ƒ All certification levels

ƒ First German speaking Training partnerTR11 & TR23

ƒ First MTCSA certified German distributor

See Training Schedule

Network Operation – Big Picture

Challenges and Elements

The Challenge of Operation

ƒ Growing number of devicesƒ More critical servicesƒ Higher bandwidth (more packets)ƒ Heavy interconnection of sites

ƒ Networksƒ Become largerƒ Become more complexƒ Require higher availabilityƒ Require effective security

Operational Tasks

ƒ Management

ƒ Inventory

ƒ Maintenance

ƒ Debugging

ƒ Monitoring

RouterOS

Network Inventory Management

ƒ Dudeƒ Script based databaseƒ TR069ƒ CAPsMAN

Access to management

ƒ Dudeƒ Management VLANƒ RoMONƒ CAPsMAN

Management technologies

ƒ Webboxƒ Winboxƒ Terminalƒ APIƒ TR069ƒ SNMPƒ Appƒ CAPsMAN

General Tools

ƒ Time / SNTPƒ Watchdogƒ Scripting & APIƒ Netwatchƒ SSH keys

Maintenance

ƒ RouterOS & bootloader updatesƒ Backup/Restore & Import-Export

RouterOS

Debugging (Router)

ƒ Healthƒ Historyƒ local loggingƒ /system ressourcesƒ /system routerboardƒ /tools profileƒ Supout

Debugging (Traffic and Network)

ƒ Neighboursƒ Bandwidth test (old and new)ƒ Traffic generatorƒ Torchƒ Ping, Flood Ping, Ping Speedƒ Tracerouteƒ IP Scanƒ Packet Sniffer (and TZSP

streams)ƒ Port Mirroring (Switch chip)

Logging & 3rd Party Integration

ƒ IP Accountingƒ Traffic Flow (Netflow)ƒ SNMPƒ Graphingƒ Syslogƒ TR069

Management Topologies

Secure and Convenient Management Access

Management Approaches

ƒ Considerationsƒ Securityƒ Convenienceƒ Efficiency

ƒ Common Approachesƒ Separate management and user trafficƒ Management VLANƒ Tunneling payload (e.g. PPPoE)ƒ Tunneling of management (VPN)

Management Approaches

ƒ Central MikroTik toolsƒ The Dudeƒ CAPsMANƒ Usermanager

ƒ Detailed examplesƒ RoMONƒ CLI/scripting (3rd party tools)ƒ API (Application programming interface)

RoMON

Simplify Discovery and Access

RoMON

ƒ Router Management Overlay Networkƒ Proprietary MikroTik protocol

ƒ Device discoveryƒ Device access

ƒ Layer-2 & layer-3 networksƒ Without layer-3 routingƒ Winbox support

RoMON + MAC Winbox vs. Neighbours + MAC Winbox

RoMON

ƒ Creates overlay networkƒ Only with MikroTik devicesƒ Not limited to layer-2 broadcast domainƒ Winbox: discovery and MAC connectionƒ Winbox: RoMON agent connection

ƒ On ethernet like interfaces (Ethernet,WLAN, EoIP, VLAN …)

Neighbour discovery (MNDP)

ƒ Using existing networkƒ Compatible with CDP and LLDPƒ Limited to layer-2 broadcast domainƒ Winbox: discovery and MAC

connection

Local Device Discovery across Routers

192.0.2.0/24 203.0.113.0/24 198.51.100.0/24

Winbox RoMON Agent RoMON enabled Router

RoMON enabled devices RoMON enabled devices RoMON enabled devices

Discovery with MNDPConnect by IP or MAC Winbox

Discovery with RoMON, Connect by RoMON Winbox

Connect to RoMON

RoMON Setup

ƒ Enable RoMON

ƒ Optional but recommended

ƒ Set ID manually

ƒ Use secret(s)

ƒ Optional

ƒ Customize interface

configuration

RoMON Tools

ƒ Discovery

ƒ Ping

ƒ CLI: ssh

ƒ Winbox

Standard Tools in RoMON Network

Ping / MAC Ping RoMON Ping

Winbox Discovery and RoMON Connection

Devices within

the layer-2

network

discovered

Use router as

RoMON agent

1

2

Winbox Discovery and RoMON Connection

Connected to

RoMON agent

Two hops to

reachRoMON

discovery

through agent

3

4

Local Device Discovery across Routers

192.0.2.0/24 203.0.113.0/24 198.51.100.0/24

Winbox RoMON Agent RoMON enabled Router

Discovery with RoMON, Connect by RoMON Winbox

Connect to RoMON

R1 R2

A11 A12 A21 A22 A31 A32

Path to A32 as seen from agent R1

1

2

21

Remote RoMON Agent

ƒ RoMON agent connection by IPƒ Across layer-3 networkƒ E.g. internet

ƒ Remote discovery and management

ƒ Branch officesƒ Customer networks

Remote Network Discovery

INET

203.0.113.0/24

198.51.100.0/24

RoMONenableddevices

RoMONenableddevices

RoMON AgentCustomer 1

RoMON AgentCustomer 2

OperatorWinbox

eth5Disable RoMON on WAN port

Security Considerations

ƒ Disable RoMON on WANƒ Don’t enable Winbox on WAN

ƒ Management VPNƒ VPN to reach RoMON agentƒ RoMON to reach remote devicesƒ VLAN to limit RoMON locally

HSNM Integration

With CLI and Scripting

Hotspot Network Manager (HSNM)

ƒ Commercial Captive Portal solutionƒ Tight MikroTik integration

ƒ Managementƒ Monitoring

ƒ /importƒ Scripting hostƒ Scheduler

HSNM Gatewayƒ MikroTik hotspotƒ WAN/LAN gateway

HSNM Accesspointƒ MikroTik WLAN access

point

MikroTik Gateway Integration

Choosing Hardware and RouterOS Type

MikroTik Specific Settings: WAN

MikroTik Specific Settings: MAC Auth + Hotspot

Initial Configuration

ƒ Download .rscƒ Upload to MikroTikƒ /import

ƒ Initial configurationƒ Scripting

environment

Scripting Environment

ƒ Updating MikroTik gateway configurationƒ Changes of initial configuration will be transferred to gateway

ƒ Importing data from HSNMƒ E.g. walled garden

ƒ Exporting data to HSNMƒ E.g. User Manager accounts, GPS data

ƒ Monitoringƒ Gateway and accesspoint availability

Central Walled Garden

ƒ Domain or gateway levelƒ Automatic import by script

Seamless Integration of legacy Solutions

Legacy ticket printerCreating Usermanager accounts

1

3

3

Ticket Printer 3rd Party Application

MikroTik hotspot gatewaywith Usermanager

HSNM

2

1

2

Legacy 3rd party applicationCreating Usermanager accounts

Exporting UM accounts to HSNMDeleting UM accounts locally

GPS based Maps and Tracking

ƒ Script sends GPS locationƒ Can be stored in HSNM

ƒ Tracking of moving gatewaysƒ E.g. busses, trains, taxies

ƒ Static GPS locationƒ Can be entered in HSNM

ƒ Visualisation of gateway location

Hotspot Network Manager (HSNM)

Hotspot Network Manager (HSNM)

Manual Positioning on Floor Plans and Maps

ƒ Manual positioningƒ Gateways & access pointsƒ Maps or plansƒ Coverage (in m)

Hotspot Network Manager (HSNM)

Hotspot Network Manager (HSNM)

Gateway

Access point

Access pointcontext menue

Hotspot Network Manager (HSNM)

Direct webinterface accessfor gateways andaccess points

Monitoring (HSNM)

ƒ Availability and latency

ƒ Captive portal related valuesƒ Bandwidthƒ Amount of transferred dataƒ Number of connected usersƒ Number od registrations

Get in Touch

Are you looking for a powerfulcaptive portal solution?

+49 761 2926500 | sales@fmsweb.de | Web form

Network Monitoring

Tracking Packets and Flows

Packet Sniffer

Last Resort for Networking Problems

Network Debugging

ƒ Planning / checking firewall settingsƒ Networking problemsƒ Faulty client / server applications

ƒ Things go wrong?ƒ Real insight is necessary

ƒ Packet sniffingƒ De facto standard: Wiresharkƒ RouterOS packet sniffer

MikroTik Packet Sniffer

ƒ General settingsƒ Filterƒ Start/Stop

ƒ Results in CLI / Winboxƒ Results in file, analyse in Wireshark

ƒ Streaming to Wireshark

Remote Packet Sniffing

INET 198.51.100.0/24

Customer 1

Operator

Packet SnifferLocally analyse packets from

a remote sniffer in real time

Sniffer Stream

ƒ Enable “Stream”ƒ Set Wireshark host IPƒ Enable “Filter Stream”

ƒ TZSP stream is sent

ƒ Filter stream in Wiresharkƒ UDP port 37008

ƒ Start sniffer in Winbox

1

2

Live Output

1

Traffic Flow

Statistical Network Information

Traffic Flow

ƒ Compatible with Netflowƒ Statistical network

informationƒ Byte and packet counterƒ Source and destination IP

addressesƒ Source and destination ports

ƒ Top talkersƒ Top protocolsƒ Utilisation

Netflow Collector and Anlysis

ƒ ntop (former) free standardƒ Successor ntop-ngƒ Requires commercial nProbe

to collect Netflow

ƒ Alternative free and opensource collectors available

ƒ E.g as in FMS ManagementPlattform Former ntop GUI

Netflow in FMS Management Plattform

xxxxxxxx

xxxxxxxx

xxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxx

RouterOS Monitoring

Tracking Events

Local RouterOS Logging

ƒ Source for networkdebugging = packets andpacket statistics

ƒ Source for device debugging= local status information

ƒ SNMPƒ Local logging

Log Output

Central Syslog

ƒ External, central syslog server

ƒ Will survive reboots / crashesƒ No tampering from deviceƒ Better searchƒ Correlation across devices

ƒ Example: Investigate VRRP changeƒ Involved: Master, slave, crosslink

switch

VRRP Setup

VRRP1 VRRP2

RSTP

FMS Management Platform

ƒ Syslog, Netflow, SNMP traps …ƒ MongoDB, Elasticsearch …

ƒ Central storageƒ Powerful searchƒ Dashboardsƒ Alerts

ƒ Enhanced MikroTik supportƒ E.g. MikroTik MIB, Log syntax Remote Syslog Configuration

?

WIFI Connects from Syslog across complete Network

10.10.0.29

10.10.0.22

system,error,critical login failure for user admin from 10.10.0.55 via web

Enhanced Log Message Processing

ƒ Make syslog serverunderstand message

ƒ Database fields

ƒ Searchƒ Sortingƒ Analyse

ƒ Login FailureDashboard

1

Failed Logins including Username and Login Type

10.10.0.29

10.10.0.22

Get in Touch

Are you looking for centralisedand MikroTik aware logging?

+49 761 2926500 | sales@fmsweb.de | Web form

CentralLoggingTraining

CentralManagement

RouterOSHosting

ConsultingSupport

ServiceContracts Distribution

+49 761 2926500 | sales@fmsweb.de | Web form

www.fmsweb.de | www.mikrotik-shop.de

Dank u wel!