BrianHiggins

Layer 2 connection via Script or API

Tue Aug 15, 2023 10:03 pm

Hoping that someone here has an idea how to accomplish something, because so far I have not.

I need to connect to an MT device that sits behind another MT router, and my options are limited only to layer 2 protocols, aka RoMON or Mac-Telnet; connections via IP are not possible. The challenge is that I need to trigger this from the API, and / or a script that runs on the device that I have API access to (no winbox, only API), and the regular mac-telnet command doesn't seem to be possible to script, much less utilize from the API.

My actual specific goal is to issue the command "/system reset-configuration skip-backup=yes" to the device on the far side of the API connection. The reset needs to be initiated via the API, and executed via a Layer 2 protocol on the remote device. Assume that username/password of the remote device is available to be supplied either during the API call or saved in a script called via the API.

I've brainstormed many ways to accomplish this so far, but everything I've tried has so far failed to work. Anyone have any ideas?
 
Amm0

Tue Aug 15, 2023 10:16 pm

Couldn't you use the API to temporarily adjust the firewall to allow winbox temporarily via WAN (e.g. /firewall/filter/add port=8291 insert-before=0...), so you can use RoMON via the first router's IP? RoMON's first hop can be IP, and that router will proxy via RoMON via layer-2. But the 2nd hop/L2-only router already needs RoMON enabled for it to work. Then remove the winbox rule after fixing...

Although I'm guessing you're looking to automate in one step... There... I think you're right, there is nothing like ssh-exec/etc. that lets you run a single command via Layer-2... Mac-telnet will give you a terminal, which isn't what you want...
 
BrianHiggins

Mon Aug 21, 2023 6:15 pm

Not sure I quite follow the logic you're suggesting with RoMON, as best I can still tell RoMON connections are not supported via the API (something I have been requesting now for about 5 years), and as for Winbox, that requires the 2nd device to have an IP assigned to it (it doesn't), and also accept winbox connections (it doesn't). Layer 2 is a requirement here given other requirements.
 
Amm0

Mon Aug 21, 2023 6:44 pm

More a suggestion to use RoMON to restore Layer 3 access manually. ;)

But Mikrotik "API via Layer 2" begs the question of how you're going to generate layer 2 frames in a typical programming language. Most network operations assume some BSD socket API. Layer2 API seems harder/specialized. I suppose Mikrotik could publish winbox protocol as some C library, since winbox protocol already does Layer2 stuff, but doubt that will happen.

On RouterOS, some "/tool/mac-exec" or "romon-exec"... as an alternative to interactive /tool/mac-telnet would be handy ... so you can script CLI commands to another non-IP enabled router. But nothing like that exists AFAIK.
 
BrianHiggins

Mon Aug 21, 2023 10:41 pm

Sorry, you misunderstand or maybe I didn't explain clearly. I'm connected via the API to one device that's on the same layer2 network as the 2nd device. I need to execute a command from there on the 2nd device that's reachable via layer2 only. In this example it's just setting the system identity (aka just execute some valid command):
/tool/romon/ssh
=address=AA:BB:CC:DD:EE:FF
=user=admin
=command=system identity set name=test
In this case device AA:BB:CC:DD:EE:FF is reachable via RoMON and I can successfully connect to it manually using the command line.

The problem is that trying to do this from the API gives the return:
!trap=message=Script Error: action cancelled. Terminal is not prompting.
!done
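
The API sentence from the post above, framed the way the RouterOS API puts words on the wire, with a decoder that picks out a `!trap` like the one quoted. This is an added example, not code from the thread or from MikroTik: the function names are chosen here, the reply bytes are constructed from the error text in the post, and nothing connects to a router.

```python
# Added illustration, not from the thread; runs offline on constructed bytes.
# Length prefix forms: (upper bound, prefix size in bytes, flag bits).
FORMS = ((0x80, 1, 0), (0x4000, 2, 0x8000), (0x200000, 3, 0xC00000),
         (0x10000000, 4, 0xE0000000))

def encode_length(n):
    for bound, size, flag in FORMS:
        if n < bound:
            return (n | flag).to_bytes(size, "big")
    return b"\xf0" + n.to_bytes(4, "big")

def encode_sentence(words):
    # Every word is length-prefixed; a zero-length word ends the sentence.
    raw = [w.encode("utf-8") for w in words]
    return b"".join(encode_length(len(w)) + w for w in raw) + b"\x00"

def decode_length(buf, pos):
    first = buf[pos]
    if first >= 0xF0:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    size = 1 + (first >= 0x80) + (first >= 0xC0) + (first >= 0xE0)
    value = int.from_bytes(buf[pos:pos + size], "big")
    return value & ~FORMS[size - 1][2], pos + size

def decode_sentences(buf):
    # Returns [(reply word, {attribute: value}), ...] for a reply byte stream.
    sentences, words, pos = [], [], 0
    while pos < len(buf):
        n, pos = decode_length(buf, pos)
        if pos + n > len(buf):
            raise ValueError("truncated API word")
        if n:
            words.append(buf[pos:pos + n].decode("utf-8"))
            pos += n
        elif words:  # zero-length word: the sentence is complete
            attrs = dict(w[1:].split("=", 1) for w in words[1:]
                         if w.startswith("=") and "=" in w[1:])
            sentences.append((words[0], attrs))
            words = []
    return sentences

def trap_messages(sentences):
    return [a.get("message", "") for kind, a in sentences if kind == "!trap"]

# Request words from the post above; the reply is constructed from its error text.
REQUEST = ["/tool/romon/ssh", "=address=AA:BB:CC:DD:EE:FF", "=user=admin",
           "=command=system identity set name=test"]
REPLY = encode_sentence(["!trap", "=message=Script Error: action cancelled. "
                         "Terminal is not prompting."]) + encode_sentence(["!done"])
```

An automation client should treat a non-empty `trap_messages(...)` result as a failed command even though the reply stream still ends with `!done`.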
 
Amm0

Mon Aug 21, 2023 11:03 pm

AH... What I didn't know is there is actually a "/tool/romon/ssh" today. Learn something new. RoMON is kinda last resort, so I've always done it "manually" – didn't know it could even be scriptable.

Now I get it. You're saying that isn't in the API, but in CLI. Well, that sounds like a bug.
 
BrianHiggins

Mon Aug 21, 2023 11:30 pm

Either tool mac-telnet or romon would solve the problem. I'd prefer romon since I believe it's more secure, but ultimately it doesn't matter which method, just as long as I can from a script OR directly from the API trigger the command to execute on the 2nd device.

The problem is the authentication to the 2nd router: mac-telnet can't pass the credentials via any process I've found, and romon ssh gives the Terminal is not prompting error, which I presume is the same basic issue.
 
Amm0

Tue Aug 22, 2023 12:32 am

Yeah /tool/romon/ssh has NO password= – apparently that has to be provided interactively – annoying... So it doesn't work via script either & if it's not an attribute on the CLI, it would not be in the API.
 
BrianHiggins

Tue Aug 22, 2023 12:58 am

Yup, when I saw the news about :put [:typeof (>[])] I was hoping that might somehow be used to get around the interactive issue with the authentication, as maybe the prompt could be captured / fed into with the pointer-like code behavior, but I haven't gotten anything to work.
