I needed to mass-configure MikroTik Routerboards. Each needed a very similar but not identical configuration: they would have a unique management IP, and a unique username and password for their VPN connection back to my employer’s headquarters. I don’t have time or desire to do this routine configuration myself, so I needed a method that would let a less technical person do the work.
You can back up and restore RouterOS configurations, but then I’d need to have the user do all sorts of pointy-clicky things to configure the device. Pointy-clicky is difficult to reliably reproduce. RouterOS also supports exporting the configuration as a script, but they warn that this script is not suitable for duplicating a system. I wound up using the export function, but modifying the resulting script to create a new configuration that could be loaded onto the new device.
All of this was tested with Routerboard 750s, running RouterOS 5.6. I used one device as a master, and a second to test loading the new configuration. I also created a list of hostnames, IP addresses, and VPN usernames and passwords. (My team will manage these devices remotely, so the user will never see the username and password. If I deployed more than a couple dozen boxes, I’d need a different auth scheme.)
First, make sure your Routerboard is in the default configuration. Reset to the factory defaults if necessary. Load the same version of RouterOS onto the new device as exists on your master device.
Log onto your master device. Configure it the way you want, and export the configuration.
admin@master> export file=cleanconfig
admin@master> file print
...
0 cleanconfig.rsc script 16 507 jan/02/1970 19:26:39
...
This file is the seed of my configuration script. Copy it to your desktop. (The detail-oriented among you will note that my configuration should include “Set the system clock.” Feel free to stay after class and clean the blackboards as a reward.)
Unlike Cisco and its imitators, RouterOS isn’t modal. You don’t need to enter a configure mode to change the router. Instead, it has a hierarchical configuration method from the command line. For example, there’s an interface command, with an ethernet subcommand. To work on the Ethernet interfaces, you would enter interface ethernet. Starting a command with a leading slash tells RouterOS to go back to the root. Most of the actual commands within this level are fairly self-explanatory to anyone experienced with routers.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 \
mac-address=00:0C:42:5A:D9:50 mtu=1500 name=ether1-gateway speed=100Mbps
The set command tells RouterOS to change a setting for an existing item. The Ethernet interface already exists; you just need to give it a configuration. Alternately, the add command tells RouterOS to add something new to a configuration, such as an IP address.
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no \
interface=ether2-master-local network=192.168.88.0
The system has no IP address, so you must add one.
If your script tries to add something that already exists, it will fail. For example, if your configuration already has a DHCP client setting, adding a new, identical one will terminate your script early. For my application, I had to remove the following from my master configuration.
/interface ethernet switch
/interface wireless security-profiles
/ip hotspot profile
/ip hotspot user profile
/ip ipsec proposal
/queue type
/routing bgp instance
/routing ospf instance
/routing ospf area
/system routerboard settings
/user group
/interface ethernet switch port
/interface l2tp-server server
/interface ovpn-server server
/interface sstp-server server
/interface wireless align
/interface wireless sniffer
/interface wireless snooper
/ip accounting
/ip accounting web-access
/ip dhcp-client
/ip dhcp-server config
/ip firewall connection-tracking
/ip firewall nat
/ip firewall service
/ip hotspot service-port
/ip neighbor discovery
/ip proxy
/ip socks
/ip ssh
/ip traffic-flow
/ip upnp
/mpls
/mpls interface
/mpls ldp
/port firmware
/ppp aaa
/queue interface
/radius incoming
/routing bfd interface
/routing mme
/routing ospf network
/routing rip
/store
/system console
/system health
/system resource irq
/system upgrade mirror
/system watchdog
/tool bandwidth-server
/tool email
/tool graphing
/tool mac-server
/tool mac-server ping
/tool sms
I then had some items that were different in my desired configuration and the default configuration. For example, the default 750 configuration has a firewall. I needed a firewall configuration that had no overlap with the default configuration. I added entries at the beginning of my script to remove that configuration. Similarly, I didn’t want the default IP address on this device.
/ip pool remove 0
/ip dhcp-server network remove 0
/ip dns static remove 0
/ip firewall filter remove 3
/ip firewall filter remove 2
/ip firewall filter remove 1
/ip firewall filter remove 0
/system logging remove 3
/system logging remove 2
/system logging remove 1
/system logging remove 0
/ip address remove 0
Other parts were trickier. I wanted to configure the Ethernet interfaces, but I didn’t want to change the MAC address of the interfaces. I removed the mac-address settings from the Ethernet interface configuration.
Now that I have a clean master script, I copy it to a separate file for the slave configuration script. In the copy, I change the IP address, hostname, username, and passwords as necessary.
I could then copy the script to my target machine and run
admin@target> import configscript.rsc
admin@target>
If the script doesn’t exit silently, it failed. Compare the target platform’s new configuration to your script to see where it failed, or run your script piecemeal to see where it crashes.
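The manual steps above (drop the sections that already exist on a default device, strip the MAC addresses, then change the IP address, hostname, username and password in each copy) can be scripted. This is an added example, not the author's script. The @NAME@ placeholders, the pptp-client line, vpn.example.com and the inventory row are assumptions made for illustration. Per-device values are validated before they are written into the script, so a stray quote or space in the inventory cannot alter the commands that get imported.

```python
import ipaddress
import re

# Constructed cleaned-export sample. The @NAME@ placeholders, the pptp-client
# line and vpn.example.com are assumptions for this example, not from the page.
MASTER = """\
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no l2mtu=1526 \\
    mac-address=00:0C:42:5A:D9:50 mtu=1500 name=ether1-gateway
/ip dhcp-client
add disabled=no interface=ether1-gateway
/ip address
add address=@MGMT_IP@ disabled=no interface=ether2-master-local
/system identity
set name=@HOSTNAME@
/interface pptp-client
add connect-to=vpn.example.com name=hq user=@VPN_USER@ password=@VPN_PASS@
"""
DEVICES = [{"HOSTNAME": "branch-01", "MGMT_IP": "10.20.1.1/24",   # constructed row
            "VPN_USER": "branch01", "VPN_PASS": "c0rrect-horse"}]
DROP = {"/ip dhcp-client", "/ip firewall nat", "/tool mac-server"}  # subset of the page's list
UNSAFE = re.compile(r'["\\$\s\x00-\x1f;\[\]{}]')  # quoting, substitution, separators

def clean_master(export_text):
    """Drop whole sections named in DROP and strip mac-address= settings."""
    out, keep = [], True
    for line in export_text.splitlines():
        if line.startswith("/"):            # a section header resets the decision
            keep = line.strip() not in DROP
        if keep:
            out.append(re.sub(r"mac-address=\S+\s*", "", line))
    return "\n".join(out) + "\n"

def quote(value):
    """Double-quote a value; reject risky characters instead of escaping them."""
    if not value or UNSAFE.search(value):
        raise ValueError(f"unsafe value for a RouterOS script: {value!r}")
    return f'"{value}"'

def render(template, device):
    """Fill every @NAME@ placeholder for one device; a missing field is an error."""
    values = {k: quote(v) for k, v in device.items()}
    values["MGMT_IP"] = str(ipaddress.ip_interface(device["MGMT_IP"]))  # validated
    return re.sub(r"@([A-Z_]+)@", lambda m: values[m.group(1)], template)

def build_all(master, devices):
    """Return {hostname: script text} for every inventory row."""
    template = clean_master(master)
    return {d["HOSTNAME"]: render(template, d) for d in devices}
```

The generated scripts hold the VPN credentials in clear text, so keep them out of shared folders and remove them from the target once imported.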
This was a good day’s work to learn how to do, but now I can hand my script to a junior tech and tell him to set up a couple dozen of these without bothering me. It’ll save me days of my time in the long run.