RouterOS Basic Usage

Last updated: 2018-06-19


 


Beeps at system boot

 

 * B => boot

 * BB => system running
 


RouterOS special features

 

MetaROUTER

Each Metarouter instance uses the same amount of resources as a stand-alone RouterOS installation.

8 virtual machines and up to 8 virtual interfaces

The MetaRouter function is useful for allowing clients or lower-privilege users access to their own 'router' and config to configure as they like, without the need for a complete second router, or giving them access to the main router configuration.

Mesh

...

Switch Chip Features

...

NAT helpers

...

Safe Mode

If the telnet connection (or winbox terminal) is cut, then after a while (TCP timeout is 9 minutes) all changes that were made while in safe mode will be undone.

Exiting session by [Ctrl]+[D] also undoes all safe mode changes, while /quit does not.

View which commands were run

/system history print

In / Out Safe Mode "[CTRL]+[X]"

[admin@HeYuen \90FW] >                         # press Ctrl+X
[Safe Mode taken]
[admin@HeYuen \90FW] <SAFE>

All changes that will be automatically undone are tagged with an F flag in the system history (/system history print):

Flags: U - undoable, R - redoable, F - floating-undo
  ACTION                                   BY                 POLICY
F route added                              admin              write  

Traffic flow

...

Socks

...

RoMON

...

 


Quick Setup

 

/setup

 


Change admin password

 

/password

 


SSH

 

enable ssh server

ip service> enable ssh

ip service> set ssh port=65

ssh client

/system ssh 192.168.88.1

/system ssh 192.168.88.1 user=lala

tcp port forwarding

/ip ssh set forwarding-enabled=both

Controls which SSH forwarding methods are allowed:

no - SSH forwarding is disabled;(Default)

local - Allow SSH clients to originate connections from the server (router);
          this setting also controls dynamic forwarding (the commonly used one)

remote - Allow SSH clients to listen on the server(router) and forward incoming connections;

both - Allow both local and remote forwarding methods.

 


Clock

 

/system clock print

                  time: 16:39:32
                  date: feb/22/2016
  time-zone-autodetect: yes
        time-zone-name: Asia/Hong_Kong
            gmt-offset: +08:00

# Set the time zone

/system clock set time-zone-name=Asia/Hong_Kong

 

 


Interface List

 

# See which interface (NIC) lists exist

/interface list print

# Members of a list

/interface list member print

/interface list member print where list=LAN

# Add a NIC to a list

/interface list member add interface=ether3 list=LAN

 


Download File

 

/tool fetch

It is used to copy files from any network device to a MikroTik router via HTTP or FTP.

# HTTP

/tool fetch url="http://www.mikrotik.com/img/netaddresses2.pdf" mode=http

# FTP

/tool> fetch address=192.168.88.2 mode=ftp port=21 src-path=conf.rsc \
user=admin password=123 dst-path=123.rsc  \
host="" keep-result=yes

# Opts

host=x.x       # Domain name or virtual domain name

upload (yes | no; Default: no)

# Check File

/file print

 


system command

 

reboot / shutdown command

/system reboot

/system shutdown

license

system license > print

resource

system resource> print

             uptime: 9h22m47s
            version: 6.32.2
         build-time: Sep/17/2015 15:20:53
        free-memory: 446.3MiB
       total-memory: 469.8MiB
                cpu: e500v2
          cpu-count: 2
      cpu-frequency: 533MHz
           cpu-load: 0%
     free-hdd-space: 431.5MiB
    total-hdd-space: 512.0MiB
  architecture-name: powerpc
         board-name: RB850Gx2
           platform: MikroTik

 


Password reset

 

* password can only be reset by reinstalling the router

* Button reset

Using: unplug the device power, hold the button, apply power and wait until the USER LED starts flashing.

Now release the button to clear configuration.

Note:

If you wait until LED stops flashing, and then release the button,

this will instead launch Netinstall mode, to reinstall RouterOS.

 


RoMON

 

RoMON = Router Management Overlay Network

RoMON works by establishing independent MAC layer peer discovery and data forwarding network.

Packets are encapsulated with EtherType 0x88bf and dst-MAC 01:80:c2:00:88:bf, and its network operates independently from L2 or L3 forwarding configuration.

RoMON protocol does not provide encryption services. Encryption is provided at "application" level, by e.g. using ssh or by using secure winbox.
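Because RoMON runs independently of the L2/L3 forwarding configuration and carries no encryption of its own, a monitoring sensor can flag it by the two markers given above. This is an added example, not part of the original notes or MikroTik code; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter
from typing import Optional

ROMON_ETHERTYPE = 0x88BF                       # EtherType stated in the notes above
ROMON_DST_MAC = bytes.fromhex("0180c20088bf")  # 01:80:c2:00:88:bf, stated above
VLAN_TPIDS = {0x8100, 0x88A8}                  # 802.1Q / 802.1ad tag identifiers

def inner_ethertype(frame: bytes) -> Optional[int]:
    """Return the EtherType after skipping VLAN tags, or None if truncated."""
    offset = 12                                # dst MAC (6) + src MAC (6)
    while True:
        if len(frame) < offset + 2:
            return None
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return etype
        offset += 4                            # skip TPID + TCI of this tag

def classify(frame: bytes) -> str:
    etype = inner_ethertype(frame)
    if etype is None:
        return "truncated"
    dst_match = frame[:6] == ROMON_DST_MAC
    if etype == ROMON_ETHERTYPE and dst_match:
        return "romon"
    if etype == ROMON_ETHERTYPE or dst_match:
        return "romon-partial"                 # only one of the two markers matched
    return "other"

def summarize(frames) -> Counter:
    return Counter(classify(f) for f in frames)

# Constructed sample frames (locally administered source MAC, zero payload).
SRC, PAYLOAD = bytes.fromhex("020000000001"), bytes(46)
FRAMES = [
    ROMON_DST_MAC + SRC + b"\x88\xbf" + PAYLOAD,                  # untagged RoMON
    ROMON_DST_MAC + SRC + b"\x81\x00\x00\x0a\x88\xbf" + PAYLOAD,  # RoMON in VLAN 10
    b"\xff" * 6 + SRC + b"\x08\x00" + PAYLOAD,                    # IPv4 broadcast
    SRC + SRC + b"\x88\xbf" + PAYLOAD,                            # EtherType only
    ROMON_DST_MAC + SRC,                                          # cut off before EtherType
]

if __name__ == "__main__":
    print(dict(summarize(FRAMES)))
```

Seeing "romon" frames on a segment where RoMON is not meant to be enabled is worth investigating, since any management session carried over it relies on ssh or secure winbox for protection.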

 


System upgrade

 

Manual upgrade methods

Upload the *.npk file to "/", then reboot

Winbox – drag and drop files to the Files menu

FTP - upload files to root directory

# checking

/file print

# reboot your router for the upgrade process to begin

system reboot

 


Disk

 

/disk print

 


File

 

/file print

# NAME                        TYPE                             SIZE CREATION-TIME

If RouterOS ".npk" package is uploaded, file menu will also show package specific information, like architecture, build date and time, etc.

/disk print

 


Package

 

/system package

disable     # schedule the package to be disabled after the next reboot.

print        # outputs information about the packages

enable     # schedule package to be enabled after the next reboot

 


Backup(Export/Import)

 

Binary Backup

# The backup file is shown in the /file submenu.

/system backup

opt:

  • load name=[filename] - Load configuration backup from a file
  • save name=[filename] - Save configuration backup to a file
  • dont-encrypt - tells the system to not use any encryption and make the file readable in text editors

i.e.

[admin@MikroTik] > /system backup

[admin@MikroTik] > save name=20200422.cfg dont-encrypt=yes

[admin@MikroTik] > /file print

[admin@MikroTik] > /system backup load name=setting.cfg

Export & Import(txt)

Export

The configuration dumped is actually a batch of commands that add (without removing the existing configuration) the selected configuration to a router

# root level export

/export

# Part of config (Compact Export)

# Starting from v5.12 compact export was added.

/ip address

export

P.S.

"/system user" entries and passwords cannot be imported.

export opts

  • terse
  • compact         # export only part of configuration that is not default RouterOS config
  • verbose
  • file
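Since an export is just a batch of commands, it can be reviewed offline. The following added example (not from the original notes or from MikroTik) parses export text and reports two settings documented on this page when they differ from their stated default of "no"; the `CHECKS` table, function names and sample export are constructed for illustration.

```python
import shlex

# Settings documented on this page with default "no"; any other value is reported.
CHECKS = {
    ("/ip ssh", "forwarding-enabled"): "no",
    ("/ip dns", "allow-remote-requests"): "no",
}

def parse_export(text):
    """Yield (menu, verb, params) for each command in an /export style script."""
    menu, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):              # long lines continue with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)            # honours quoted values such as comments
        if line.startswith("/"):             # menu path, optionally followed by a command
            i = next((n for n, w in enumerate(words)
                      if w in ("set", "add")), len(words))
            menu, words = " ".join(words[:i]), words[i:]
        if words:
            params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
            yield menu, words[0], params

def audit(text):
    findings = []
    for menu, verb, params in parse_export(text):
        for (want, key), default in CHECKS.items():
            value = params.get(key, default)
            if verb == "set" and menu == want and value != default:
                findings.append(f"{menu} {key}={value} (default: {default})")
    return findings

SAMPLE = r"""# constructed sample, not taken from a real router
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip ssh set forwarding-enabled=both
/ip firewall filter
add action=accept chain=input comment="ping" icmp-options=8:0-255 \
    protocol=icmp
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```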

Import

# Script file loaded and executed

/import [file_name]

i.e.

import address.rsc

"verbose=yes" argument

The import will still stop at the problem you already encountered,
but it will also show the place where it failed.

 

 


Clone Rules in Web

 

# Find the rules to clone

/ip firewall nat export

# Enter them in the web interface

System > Scripts > Press "Add New" > fill in "Source" > OK > "Run Script"

 


Reset Configuration

 

# clears all configuration of the router and sets it to the default including the login name and password ('admin' and no password)

# After the reset command router will reboot.

/system reset-configuration

  • keep-users: keeps router users, passwords and ssh host keys(since v6.45.1)
  • no-defaults: doesn't load any default configurations, just clears everything
  • skip-backup: automatic backup is not created before reset, when yes is specified
  • run-after-reset: specify export file name to run after reset

 


arp tables

 

/ip arp print

Flags: X - disabled, R - radius, D - dynamic, B - blocked
 #   ADDRESS                                 MAC-ADDRESS       HO SER..
 0 D 192.168.28.192                          10:4F:A8:F0:6F:29 an dhcp1

A blank "SER.." column means a manually assigned static IP


DHCP

 

# Set the DHCP range

/ip pool

ip pool> add name=dhcp-pool ranges=192.168.8.11-192.168.8.200

ip pool> print

ip pool used> print

# DHCP assignment of a static IP

/ip dhcp-server lease
add address=n.n.n.n mac-address=n:n:n:n:n:n comment="ssss"

 


print cli

 

print without-paging

 


Set Route

 

# Set Default Gateway

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.x.y

# IPSec: ping the other side

# remote lan: 10.1.1.0/24 <-> local lan: 10.2.2.0/24
/ip route 
add dst-address=10.1.1.0/24 pref-src=10.2.2.1

pref-src

Which of the local IP addresses to use for locally originated packets

 * no effect on forwarded packets

 * if set to IP that is not local address of this router then the route will be inactive

 * none => router will choose one of local addresses attached to the output interface that match destination prefix of the route

 


DNS

 

Setting

/ip dns print  

                      servers: 8.8.8.8,8.8.4.4
              dynamic-servers:
               use-doh-server:
              verify-doh-cert: no
        allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 24KiB

allow-remote-requests (yes | no; Default: no)    

Specifies whether to allow network requests, so by default clients cannot query the router for DNS

dynamic-servers (IPv4/IPv6 list)

List of dynamically added DNS server from different services, for example, DHCP.

When both static and dynamic servers are set, static server entries are more preferred,

however it does not indicate that static server will always be used

(for example, previously query was received from dynamic server, but static was added later, then dynamic entry will be preferred).

DNS Cache

# Cache Monitoring

# By default only type "A" records are shown

/ip dns cache

# All DNS Entries

ip dns> cache all

# Flushing DNS cache

ip dns> cache flush

OR

/ip dns cache flush

Manual Host IP (Domain -> IP)

ip dns static> add name=www.example.com address=10.0.0.1

 

 


FW rules for pinging each other

 

/ip firewall filter
add action=accept chain=input icmp-options=8:0-255 protocol=icmp comment=ping 
add action=accept chain=input icmp-options=0:0-255 protocol=icmp
add action=accept chain=output protocol=icmp

 


PC license(x86)

 

RouterOS licensing scheme is based on SoftwareID number that is bound to storage media (HDD, NAND)

/system license print

    software-id: "XXXX-XXXX"
         nlevel: 6
       features:

Level

  • 0 (Trial mode)    # 24hrs
  • 1 (Free Demo)   # All 1 (Except: WebProxy, RADIUS client, Routing Protocol, Wireless)
  • 5 (WISP)           # USD$45 (sufficient)
  • 6 (Controller)

All Licenses:

  • never expire
  • can use unlimited number of interfaces
  • are for one installation each
  • offer unlimited software upgrades

Change license Level ?

There are no license level upgrades

 


Logout Console

 

/quit

Or

Ctrl+d

 


Log

 

/ip firewall filter
add chain=input comment=test disabled=no protocol=icmp src-address=192.168.30.254 action=log

log

/log print where message~"the-text-you-want" and (topics~"topic-name-1" or topics~"topics-name-2")

 


Install x86

 

Download the required ISO

https://mikrotik.com/download/archive

i.e.

https://download.mikrotik.com/routeros/6.48.6/mikrotik-6.48.6.iso

 


License

 

# RouterOS v6.47.9

smartctl -i /dev/sda

=== START OF INFORMATION SECTION ===
Device Model:     VMware Virtual IDE Hard Drive
Serial Number:    00000000000000000001
Firmware Version: 00000001
User Capacity:    62,914,560 bytes [62.9 MB]
Sector Size:      512 bytes logical/physical
Device is:        Not in smartctl database [for details use: -P showall]
ATA Version is:   ATA/ATAPI-4 T13/1153D revision 17
Local Time is:    Sun Mar 13 14:27:40 2022 UTC
SMART support is: Unavailable - device lacks SMART capability.

mount -o ro /dev/sda1 /mnt        # ext3

When the HDD changes, the "software ID" changes as well