
Monitoring and Debugging

(with) RouterOS

MUM EU 2019 Vienna | Patrik Schaub | © FMS Internetservice GmbH


Agenda

• Company introduction
• Network operation: the big picture
• Management approaches
• Network debugging
• RouterOS debugging
FMS Internetservice GmbH
Value Added Distribution
FMS Internetservice GmbH

• Value Added Distributor
  • Distribution
  • Training
  • Consulting
  • Support
• Founded 1997
• 11 employees
• Southern Germany
FMS Internetservice GmbH

• Inhouse training facility
• All certification levels
• First German speaking training partner (TR11 & TR23)
• First MTCSA certified German distributor

See Training Schedule


Distributor Table

• 10G Radio Links Wireless: 5 year warranty & next day replacement
• LoRaWAN IoT Solution: 3 km transmission & 10 years battery life
Network Operation – Big Picture
Challenges and Elements
The Challenge of Operation

• Growing number of devices
  • More critical services
  • Higher bandwidth (more packets)
  • Heavy interconnection of sites
• Networks
  • Become larger
  • Become more complex
  • Require higher availability
  • Require effective security
Operational Tasks

• Inventory
• Management
• Debugging
• Maintenance
• Monitoring
RouterOS

Network Inventory Management
• Dude
• Script based database
• TR069
• CAPsMAN

Access to management
• App
• Dude
• Management VLAN
• RoMON
• CAPsMAN

Management technologies
• Webbox
• Winbox
• Terminal
• API
• TR069
• SNMP

General Tools
• Time / SNTP
• Watchdog
• Scripting & API
• Netwatch
• SSH keys

Maintenance
• CAPsMAN
• RouterOS & bootloader updates
• Backup/Restore & Import-Export
RouterOS

Debugging (Router)
• Health
• History
• Local logging
• /system resource
• /system routerboard
• /tool profile
• Supout

Debugging (Traffic and Network)
• Neighbours
• Bandwidth test (old and new)
• Traffic generator
• Torch
• Ping, Flood Ping, Ping Speed
• Traceroute
• IP Scan
• Packet Sniffer (and TZSP streams)
• Port Mirroring (switch chip)

Logging & 3rd Party Integration
• IP Accounting
• Traffic Flow (Netflow)
• SNMP
• Graphing
• Syslog
• TR069
Management Topologies
Secure and Convenient Management Access
Management Approaches

• Considerations
  • Security
  • Convenience
  • Efficiency
• Common approaches
  • Separate management and user traffic
  • Management VLAN
  • Tunneling payload (e.g. PPPoE)
  • Tunneling of management (VPN)
Management Approaches

• Central MikroTik tools
  • The Dude
  • CAPsMAN
  • Usermanager
• Detailed examples
  • RoMON
  • API (Application programming interface)
RoMON

Simplify Discovery and Access


RoMON

• Router Management Overlay Network
• Proprietary MikroTik protocol
  • Device discovery
  • Device access
• Layer-2 & layer-3 networks
  • Without layer-3 routing
• Winbox support
RoMON + MAC Winbox vs. Neighbours + MAC Winbox

Neighbour discovery (MNDP)
• Using existing network
• Compatible with CDP and LLDP
• Limited to layer-2 broadcast domain
• Winbox: discovery and MAC connection
• On ethernet-like interfaces (Ethernet, WLAN, EoIP, VLAN …)

RoMON
• Creates overlay network
• Only with MikroTik devices
• Not limited to layer-2 broadcast domain
• Winbox: discovery and MAC connection
• Winbox: RoMON agent connection
Local Device Discovery across Routers

[Diagram: the Winbox client connects to a RoMON agent (192.0.2.0/24); RoMON enabled routers link it to 203.0.113.0/24 and 198.51.100.0/24, each segment holding RoMON enabled devices. Across routers: discovery with RoMON, connect by RoMON Winbox. Locally: discovery with MNDP, connect by IP or MAC Winbox.]
RoMON Setup

• Enable RoMON
• Optional but recommended
  • Set ID manually
  • Use secret(s)
• Optional
  • Customize interface configuration
RoMON Tools

• Discovery
• Ping
• CLI: ssh
• Winbox

Standard Tools in RoMON Network

[Screenshots: Ping / MAC Ping, RoMON Ping]


Winbox Discovery and RoMON Connection

[Screenshots, callouts numbered 1 to 4:]
1. Devices within the layer-2 network discovered
2. Use router as RoMON agent
3. Connected to RoMON agent
4. RoMON discovery through agent: two hops to reach
Local Device Discovery across Routers

[Diagram: Winbox connects to RoMON agent R1 (192.0.2.0/24); RoMON enabled router R2 links 203.0.113.0/24 and 198.51.100.0/24; devices A11, A12, A21, A22, A31, A32 sit on the three segments. Path to A32 as seen from agent R1: two hops, numbered 1 and 2.]
Remote RoMON Agent

• RoMON agent connection by IP
  • Across layer-3 network
  • E.g. internet
• Remote discovery and management
  • Branch offices
  • Customer networks
Remote Network Discovery

[Diagram: the Operator's Winbox reaches, via INET, the RoMON agent of Customer 1 (198.51.100.0/24) and of Customer 2 (203.0.113.0/24); behind each agent are RoMON enabled devices. RoMON is disabled on the WAN port (eth5) of each agent.]
Security Considerations

• Disable RoMON on WAN
• Don’t enable Winbox on WAN
• Management VPN
  • VPN to reach RoMON agent
  • RoMON to reach remote devices
• VLAN to limit RoMON locally
MikroTik API

Custom-tailored Management Access


FMS Management Platform

Initial situation:
• Distributed Hotspot System
• Hundreds of sites
• New gateways will be deployed
• 100+ third party devices per site
• Third party devices
  • Fixed local IPv4 addresses
  • Direct access to WEB interfaces
  • Conflicting local subnets

Initial requirements:
• Easy operation
• Auto configuration of gateways
  • Site to site VPN, INET access, basics
• Central inventory
• Central monitoring with dependencies
• Two small NOCs, Road Warrior
FMS Management Platform

[Diagram: NOC 1, NOC 2 and a Road Warrior reach the FMS Management Platform and a RouterOS VPN Concentrator in the datacenter over INET; each Customer Site (1, 2, 3) has a MikroTik Captive Portal Router connected over INET/VPN, with Third Party Access Points behind it; callouts numbered 1, 2, 3.]
Adding new Sites

[Diagram: NOC 1, FMS Management Platform, RouterOS VPN Concentrator and Customer Site 1 with its MikroTik Captive Portal Router, connected over INET/VPN]

• Site router configuration
• VPN server configuration
• Captive Portal configuration
• Monitoring of site router
Adding new Devices

[Diagram: as on the previous slide]

Tasks:
• Central access to third party devices
• Monitoring of third party devices
Coping with IP Conflicts / Management

[Diagram: Customer Site 1 and Customer Site 2 both use 192.168.40.10/24 behind their MikroTik Captive Portal Router; NOC 1 reaches them through the FMS Management Platform and the RouterOS VPN Concentrator]

• Tunnel end point known
• Port forwarding on site router by API
  • EndPointIP:DevicePort
Coping with IP Conflicts / Monitoring

[Diagram: as on the previous slide, both sites using 192.168.40.10/24]

• API to execute ping on MikroTik site router
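Both IP-conflict slides drive the site router through the RouterOS API: one adds a dst-nat rule so that EndPointIP:DevicePort reaches the device behind the duplicated subnet, the other runs a ping from the router itself. The Python below is an added example, not FMS platform code: it implements the API's framing (each word prefixed by a 1 to 5 byte length, an empty word closing the sentence) and builds the two sentences offline, together with a decoder for the router's `!re`/`!done` replies. The tunnel endpoint 10.255.0.12, the port numbers, the `.tag` value and the comment are assumed placeholders. The plain API listens on TCP 8728 without encryption; sentences like these belong on api-ssl (8729) or inside the management VPN the deck describes.

```python
import struct
from typing import Dict, List, Tuple

# RouterOS API framing: a sentence is a list of words, each prefixed by its
# length (1 to 5 bytes); a zero-length word terminates the sentence.

def encode_length(n: int) -> bytes:
    """Variable-length prefix of one API word."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return struct.pack("!H", n | 0x8000)
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return struct.pack("!I", n | 0xE0000000)
    return b"\xF0" + struct.pack("!I", n)


def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read the length prefix at buf[pos]; return (length, position after it)."""
    b = buf[pos]
    if b & 0x80 == 0:
        return b, pos + 1
    if b & 0xC0 == 0x80:
        return int.from_bytes(buf[pos:pos + 2], "big") & 0x3FFF, pos + 2
    if b & 0xE0 == 0xC0:
        return int.from_bytes(buf[pos:pos + 3], "big") & 0x1FFFFF, pos + 3
    if b & 0xF0 == 0xE0:
        return int.from_bytes(buf[pos:pos + 4], "big") & 0x0FFFFFFF, pos + 4
    if b == 0xF0:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError(f"invalid length prefix {b:#x}")


def encode_sentence(words: List[str]) -> bytes:
    out = bytearray()
    for word in words:
        data = word.encode("utf-8")
        out += encode_length(len(data)) + data
    out += b"\x00"  # empty word terminates the sentence
    return bytes(out)


def decode_sentence(buf: bytes, pos: int = 0) -> Tuple[List[str], int]:
    """Decode one sentence starting at buf[pos]; return (words, next position)."""
    words: List[str] = []
    while True:
        if pos >= len(buf):
            raise ValueError("sentence not terminated")
        n, pos = decode_length(buf, pos)
        if n == 0:
            return words, pos
        if pos + n > len(buf):
            raise ValueError("truncated word")
        words.append(buf[pos:pos + n].decode("utf-8"))
        pos += n


def reply_to_dict(words: List[str]) -> Tuple[str, Dict[str, str]]:
    """Split a reply sentence into its kind (!re, !done, !trap) and attributes."""
    kind, attrs = words[0], {}
    for w in words[1:]:
        if w.startswith("="):
            key, _, value = w[1:].partition("=")
            attrs[key] = value
        elif w.startswith(".tag="):
            attrs[".tag"] = w[5:]
    return kind, attrs


def ping_sentence(address: str, count: int = 3, tag: str = "mon-1") -> List[str]:
    """'/ping' executed on the site router; the .tag lets replies be matched to the request."""
    return ["/ping", f"=address={address}", f"=count={count}", f".tag={tag}"]


def dst_nat_sentence(endpoint_ip: str, endpoint_port: int, device_ip: str,
                     device_port: int, comment: str) -> List[str]:
    """Port forward EndPointIP:endpoint_port to a device in the conflicting subnet."""
    return ["/ip/firewall/nat/add", "=chain=dstnat", f"=dst-address={endpoint_ip}",
            "=protocol=tcp", f"=dst-port={endpoint_port}", "=action=dst-nat",
            f"=to-addresses={device_ip}", f"=to-ports={device_port}",
            f"=comment={comment}"]


if __name__ == "__main__":
    # Placeholder values: tunnel endpoint, per-device port on it, device behind the site router.
    wire = encode_sentence(dst_nat_sentence("10.255.0.12", 8443, "192.168.40.10", 443,
                                            "site1 dvr (constructed example)"))
    print(decode_sentence(wire)[0])
    print(reply_to_dict(["!re", ".tag=mon-1", "=host=192.168.40.10", "=status=timeout"]))
```

The decoder also covers what comes back: a `/ping` produces one `!re` sentence per probe (host, time or status) and a final `!done`, all carrying the `.tag` so that concurrent pings to several sites can be told apart on one connection.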
Local Retailer

[Diagram: NOC with ERP / Cash register, Security Services and Stock & Payment Management; datacenter with FMS Management Platform and RouterOS VPN Concentrator; Customer Sites 1 to 3 each with Captive Portal, DVR / Surveillance, MikroTik Router and Third Party Access Points, connected over INET/VPN]
IoT – Management “only” Networks

• Dedicated networks for management and monitoring
• Often small but many sites
• Only purpose is management
• Lack of trained network staff
• Efficiency and simplicity most important

Examples: access for vendors (e.g. CNC machines); smart metering for transformer stations
Get in Touch

Are you looking for a centralised and individual management platform?

+49 761 2926500 | sales@fmsweb.de | Web form


Network Debugging
The Needle in a (huge) Haystack
Packet Sniffer

Last Resort for Networking Problems


Network Debugging

• Planning / checking firewall settings
• Networking problems
• Faulty client / server applications
• Things go wrong?
  • Real insight is necessary
• Packet sniffing
  • De facto standard: Wireshark
  • RouterOS packet sniffer
MikroTik Packet Sniffer

• General settings
  • Filter
  • Start/Stop
• Results in CLI / Winbox
• Results in file, analyse in Wireshark
• Streaming to Wireshark
Remote Packet Sniffing

[Diagram: the Operator workstation receives, via INET, the Packet Sniffer stream from the Customer 1 router (198.51.100.0/24): locally analyse packets from a remote sniffer in real time]

Sniffer Stream

• Enable “Stream” (1)
  • Set Wireshark host IP
  • Enable “Filter Stream”
• TZSP stream is sent (2)
  • Filter stream in Wireshark
  • UDP port 37008
• Start sniffer in Winbox

[Screenshot: Live Output in Wireshark, callout 1]
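What arrives on UDP port 37008 is one TZSP datagram per captured frame. The Python below is an added example, not RouterOS or Wireshark code: it decodes the TZSP header and tag list, returns the encapsulated Ethernet frame, and summarises IPv4 packets, which is what a small collector between router and Wireshark needs, or what you check by hand when Wireshark stays empty. The samples are constructed inline with documentation addresses and zeroed checksums, and the tag 0x28 value is a constructed sample tag. The `is_stream_echo` check covers the classic mistake of sniffing the interface that carries the stream itself, where each outgoing stream datagram is captured and streamed again; the slide's “Filter Stream” option exists so that the sniffer filter also excludes that traffic.

```python
import struct
from typing import Dict, Tuple

TZSP_PORT = 37008          # UDP port the RouterOS sniffer streams to (from the slides)
TAG_PADDING, TAG_END = 0x00, 0x01
ENCAP_ETHERNET = 0x0001    # encapsulation value for Ethernet frames


class TZSPError(ValueError):
    """Raised for malformed or unsupported TZSP datagrams."""


def parse_tzsp(datagram: bytes) -> Tuple[Dict[int, bytes], bytes]:
    """Split one TZSP datagram into ({tag_type: value}, encapsulated frame).

    Layout: version(1) type(1) encapsulation(2), then tagged fields of the form
    type(1) length(1) value(length). PADDING and END carry no length byte and
    END closes the list; everything after END is the captured frame."""
    if len(datagram) < 5:
        raise TZSPError("datagram too short for a TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise TZSPError(f"unsupported TZSP version {version}")
    if encap != ENCAP_ETHERNET:
        raise TZSPError(f"unsupported encapsulation {encap:#x}")
    tags: Dict[int, bytes] = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise TZSPError("tag list not terminated by END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise TZSPError("truncated tag header")
        length = datagram[pos]
        value = datagram[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise TZSPError(f"truncated value for tag {tag:#x}")
        tags[tag] = value
        pos += 1 + length
    return tags, datagram[pos:]


def summarise_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4 and the transport ports just far enough for a one-line summary."""
    if len(frame) < 14:
        raise TZSPError("Ethernet frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "src_ip": None, "dst_ip": None, "proto": None, "dst_port": None}
    if ethertype != 0x0800 or len(frame) < 34:
        return info  # not IPv4 (e.g. ARP): nothing more to decode here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info["proto"] = ip[9]
    info["src_ip"] = ".".join(str(b) for b in ip[12:16])
    info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    if info["proto"] in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP: destination port
        info["dst_port"] = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return info


def is_stream_echo(summary: dict) -> bool:
    """True when the captured frame is itself a TZSP stream datagram (sniffer loop)."""
    return summary["proto"] == 17 and summary["dst_port"] == TZSP_PORT


# --- constructed samples -----------------------------------------------------
def _ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/UDP frame for the samples (checksums left zero)."""
    eth = bytes.fromhex("0a0000000001" "0a0000000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     _ipv4(src_ip), _ipv4(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + udp + payload


def build_tzsp(frame: bytes, tags: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + tags + bytes([TAG_END]) + frame


# A DNS query on the customer LAN, carrying a padding byte and a sample tag 0x28.
SAMPLE_DNS = build_tzsp(build_udp_frame("198.51.100.10", "198.51.100.1", 40000, 53, b"dns-query"),
                        tags=bytes([TAG_PADDING, 0x28, 4]) + b"\x00\x00\x00\x07")
# The stream's own datagram as it looks when the sniffer runs on the uplink towards Wireshark.
SAMPLE_ECHO = build_tzsp(build_udp_frame("198.51.100.1", "203.0.113.50", 50000, TZSP_PORT, SAMPLE_DNS))

if __name__ == "__main__":
    for name, datagram in (("dns", SAMPLE_DNS), ("echo", SAMPLE_ECHO)):
        tags, frame = parse_tzsp(datagram)
        summary = summarise_frame(frame)
        print(name, tags, summary, "ECHO" if is_stream_echo(summary) else "")
```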
Traffic Flow

Statistical Network Information


Traffic Flow

• Compatible with Netflow
• Statistical network information
  • Byte and packet counter
  • Source and destination IP addresses
  • Source and destination ports
• Top talkers
• Top protocols
• Utilisation
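RouterOS Traffic Flow exports these counters in the NetFlow formats (v1, v5, v9/IPFIX); top talkers and top protocols are what the collector computes from them. The Python below is an added example, not ntop or FMS platform code: it parses a NetFlow v5 datagram (24-byte header, 48-byte records, at most 30 per datagram), rejects truncated or implausible exports before trusting the counters, and derives the top lists by byte count. The export is constructed inline with documentation addresses; uptime, timestamp and interface indexes in it are arbitrary.

```python
import struct
from collections import Counter
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow
V5_MAX_RECORDS = 30                                      # a v5 datagram carries at most 30 flows
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Return the flow records of one NetFlow v5 export as dictionaries."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header announces more records than the datagram carries")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # r: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
        #    srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
        flows.append({"src": _ip(r[0]), "dst": _ip(r[1]), "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows


def top_talkers(flows: List[Dict], n: int = 5) -> List[Tuple[str, int]]:
    """Source addresses ranked by bytes sent."""
    totals: Counter = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals.most_common(n)


def top_protocols(flows: List[Dict], n: int = 5) -> List[Tuple[str, int]]:
    """Protocols ranked by bytes; unknown protocol numbers are kept as digits."""
    totals: Counter = Counter()
    for f in flows:
        totals[PROTO_NAMES.get(f["proto"], str(f["proto"]))] += f["bytes"]
    return totals.most_common(n)


# --- constructed exporter side ---------------------------------------------------
def build_v5_datagram(flows: List[Tuple[str, str, int, int, int, int, int]]) -> bytes:
    """One v5 header plus one record per (src, dst, proto, sport, dport, packets, octets)."""
    header = V5_HEADER.pack(5, len(flows), 360000, 1556000000, 0, 1, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
                       b"\0" * 4, 1, 2, pkts, octets, 300000, 350000, sport, dport,
                       0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in flows)
    return header + body


SAMPLE_EXPORT = build_v5_datagram([
    ("192.0.2.10", "198.51.100.5", 6, 51000, 443, 1200, 900_000),
    ("192.0.2.20", "198.51.100.5", 17, 51001, 53, 40, 4_000),
    ("192.0.2.10", "203.0.113.7", 6, 51002, 22, 300, 60_000),
])

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_EXPORT)
    print("top talkers:", top_talkers(flows))
    print("top protocols:", top_protocols(flows))
```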
Netflow Collector and Analysis

• ntop (former) free standard
  • Successor ntop-ng
  • Requires commercial nProbe to collect Netflow
• Alternative free and open source collectors available
  • E.g. as in FMS Management Platform

[Screenshot: former ntop GUI]

Netflow in FMS Management Platform

[Screenshot: Netflow view in the FMS Management Platform, addresses redacted]
Debugging RouterOS Installations
The other Needle in another (huge) Haystack
RouterOS Debugging

• Source for network debugging = packets and packet statistics
• Source for device debugging = local status information
  • SNMP
  • Local logging
Log Output

Central Syslog

• External, central syslog server
  • Will survive reboots / crashes
  • No tampering from device
  • Better search
  • Correlation across devices
• Example: Investigate VRRP change
  • Involved: master, slave, crosslink switch

[Diagram: VRRP setup with VRRP1, VRRP2 and an RSTP crosslink switch]
FMS Management Platform

• Syslog, Netflow, SNMP traps …
• MongoDB, Elasticsearch …
• Central storage
• Powerful search
• Dashboards
• Alerts
• Enhanced MikroTik support
  • E.g. MikroTik MIB, log syntax

[Screenshot: Remote Syslog Configuration]

WIFI Connects from Syslog across complete Network

[Screenshot: dashboard of WiFi connects per access point, e.g. 10.10.0.29 and 10.10.0.22]
Enhanced Log Message Processing

• Make syslog server understand message (1)

    system,error,critical login failure for user admin from 10.10.0.55 via web

• Database fields
  • Search
  • Sorting
  • Analyse
• Login Failure Dashboard

Failed Logins including Username and Login Type

[Screenshot: dashboard of failed logins with username and login type, sources including 10.10.0.29 and 10.10.0.22]
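Step (1) on the Enhanced Log Message Processing slide is turning the free-text RouterOS message into fields. The Python below is an added example, not FMS platform code: it splits a remote-syslog payload into topics and message, extracts user, source address and login type from login failure (and login success) messages, produces the per-user/per-type counts behind the Failed Logins dashboard, and adds a simple alert for a source with repeated failures inside a short window. The log lines are constructed: the first is the message shown on the slide, the others are written in the same RouterOS style. An optional `<PRI>` prefix is stripped, which is how the payload looks when BSD syslog framing is enabled on the router.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# A RouterOS remote-syslog payload starts with the comma-separated topics, then the message.
PRI_RE = re.compile(r"^<\d{1,3}>")
LOGIN_FAILURE_RE = re.compile(
    r"^login failure for user (?P<user>\S+) from (?P<src>[0-9A-Fa-f.:]+) via (?P<via>\S+)$")
LOGIN_OK_RE = re.compile(
    r"^user (?P<user>\S+) logged in from (?P<src>[0-9A-Fa-f.:]+) via (?P<via>\S+)$")


def parse_routeros_log(ts: datetime, line: str) -> Dict:
    """Turn one RouterOS log payload into database-style fields."""
    body = PRI_RE.sub("", line).strip()
    topics, _, message = body.partition(" ")
    record = {"ts": ts, "topics": topics.split(","), "message": message,
              "event": None, "user": None, "src": None, "via": None}
    m = LOGIN_FAILURE_RE.match(message)
    if m:
        record.update(event="login_failure", **m.groupdict())
        return record
    m = LOGIN_OK_RE.match(message)
    if m:
        record.update(event="login_success", **m.groupdict())
    return record


def failed_logins_by_user_and_type(records: List[Dict]) -> Counter:
    """The dashboard's grouping: failures per (username, login type)."""
    return Counter((r["user"], r["via"]) for r in records if r["event"] == "login_failure")


def brute_force_sources(records: List[Dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` login failures inside any `window` (sliding)."""
    by_src: Dict[str, List[datetime]] = {}
    for r in records:
        if r["event"] == "login_failure":
            by_src.setdefault(r["src"], []).append(r["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((src, best))
    return sorted(alerts)


# Constructed sample feed: (arrival time, payload). The first line is the one on the slide.
T0 = datetime(2019, 4, 1, 9, 0, 0)
SAMPLE_LOG = [
    (T0, "system,error,critical login failure for user admin from 10.10.0.55 via web"),
    (T0 + timedelta(seconds=20), "system,error,critical login failure for user admin from 10.10.0.55 via web"),
    (T0 + timedelta(seconds=45), "<131>system,error,critical login failure for user root from 10.10.0.55 via web"),
    (T0 + timedelta(seconds=70), "system,error,critical login failure for user admin from 10.10.0.55 via web"),
    (T0 + timedelta(minutes=2), "system,error,critical login failure for user admin from 10.10.0.22 via winbox"),
    (T0 + timedelta(minutes=3), "system,info,account user admin logged in from 10.10.0.29 via winbox"),
    (T0 + timedelta(minutes=4), "dhcp,info dhcp-client on ether1 got IP address 203.0.113.20"),
]


def analyse(feed=SAMPLE_LOG) -> Tuple[Counter, List[Tuple[str, int]]]:
    records = [parse_routeros_log(ts, line) for ts, line in feed]
    return failed_logins_by_user_and_type(records), brute_force_sources(records)


if __name__ == "__main__":
    counts, alerts = analyse()
    print("failed logins by (user, type):", dict(counts))
    print("sources with repeated failures:", alerts)
```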
Get in Touch

Are you looking for centralised and MikroTik aware logging?

+49 761 2926500 | sales@fmsweb.de | Web form


FMS Internetservice GmbH
Services and Contact

• Training
• Central Logging
• Central Management
• Hosting
• Support
• Consulting
• Service Contracts
• Distribution
• RouterOS

+49 761 2926500 | sales@fmsweb.de | Web form
www.fmsweb.de | www.mikrotik-shop.de

Thank You
