Hi, I need to simplify the life of a friend by activating or deactivating a VPN; I would do it by Telegram messages or a small web interface with a button, but how can I then send the command to the MikroTik?
It would be great to have a URL available that takes a CGI request, for example; is there any similar way? Maybe sending it an email? (Does it support an email client/processing?) Maybe SNMP?
For now I can only imagine establishing an SSL connection and typing the command there, but it looks a bit risky, as I might not get the result. Thank you
Thank you for your kind reply; it looks like I need something else. The easiest way would be a method to enable/disable a specific rule; did MikroTik ever think of a way to do that? If there is a way to execute a command line (OK, I can always send the whole command to set it and the opposite command to turn it off), like for example, as you say, port knocking, then a script could be run.
Is there any way to start a script from an incoming packet? Can SNMP do the trick?
What’s the actual problem? You want to REMOTELY activate someone else’s VPN, via router config? Port knocking could allow you access, as suggested; your friend doesn’t need to do anything, you just need to know the knock. All paths to run a script (or run any command) from outside of the router require authentication. So if you had that, you could just enable the VPN yourself… that’s the part I’m missing. And while SNMP could run a script, you’d be exposing all of the router on the internet to do so. SNMP isn’t very granular in what it exposes: all or nothing, read or read-write.
To cover the other approaches:
the firewall can’t run scripts.
no incoming SMTP/email support in MikroTik
similar with IoT MQTT: it only publishes (no subscriptions, not a broker)
while SMS might work, you’d need LTE for that
I suppose you could have your friend’s router “poll” something via /tool/fetch in a /system/scheduler script, where it looks for a file (or some specific HTTP response) that indicates the VPN should be turned on, and if it gets a 404 (or whatever you’d want to program), it disables the VPN. You could schedule it every minute or so to check if the VPN should be enabled.
Now, is the problem that you want your friend to be able to do it LOCALLY without having to do anything on the MikroTik? There is also WebFig and its “skin” feature: a skin with most things removed could make activating the VPN relatively painless for your friend after logging in to the MikroTik.
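The polling idea from the post above, written out as a RouterOS scheduler script. This is an added example, not code from the thread; the controlling host 192.168.88.10, the resource http://192.168.88.10/vpn.txt (whose body is expected to be "on" or "off"), the interface name wg-vpn and the script/scheduler names are all placeholders. It fails closed: a timeout or a 404 from the poll target counts as "off", which is the behaviour the post describes.

```routeros
# Added example, not from the thread. Placeholders: 192.168.88.10 (LAN host that
# publishes the desired state), /vpn.txt (body "on" or "off"), wg-vpn (interface).

/system script add name=vpn-poll source={
    :local url "http://192.168.88.10/vpn.txt"
    :local want "off"
    # fetch the body into a variable; a timeout or a 404 raises an error,
    # which leaves $want at "off" (fail closed)
    :do {
        :set want ([/tool fetch url=$url output=user as-value]->"data")
    } on-error={
        :log warning "vpn-poll: fetch of $url failed, treating as off"
    }
    # compare only the first two characters so a trailing newline is ignored
    :if ([:pick $want 0 2] = "on") do={
        :if ([/interface get wg-vpn disabled]) do={
            /interface enable wg-vpn
            :log info "vpn-poll: VPN enabled"
        }
    } else={
        :if (![/interface get wg-vpn disabled]) do={
            /interface disable wg-vpn
            :log info "vpn-poll: VPN disabled"
        }
    }
}

# check once a minute, as suggested above
/system scheduler add name=vpn-poll interval=1m on-event="/system script run vpn-poll"
```

Because the router only ever makes an outbound HTTP request to a LAN host, nothing new has to be opened on the router itself; whoever controls the content of vpn.txt controls the VPN, so that file should only be writable by the intended person (or by the Telegram bot acting for them).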
I’m doing the exact same thing with SMS commands, having SMS templates in my phone for each action. The SMS commands actually call scripts that can activate/deactivate OpenVPN, WireGuard and Shadowsocks+v2ray running in a container. Firewall filter and NAT rules are tagged in the comment (e.g. [OVPN], [WG], [SS]), by which the script can search and enable/disable them.
If your friend owns a MikroTik with a GSM modem, it can be done that way.
Thank you mates for your really interesting info!
I don’t have LTE, but the MikroTik is reachable only from the LAN, so there are no security worries. Here is a little summary of the solutions:
SMS: I don’t have LTE
knocking TCP ports: it can be OK, but I have only one command; I can activate, but to deactivate I’d have to use, for example, a timeout. I need 2 commands, turn on and off.
SNMP inside the LAN: I’m still looking for info on whether it can run scripts
New WebFig skin: I have no idea how; it needs a login, I would like a quicker way
MQTT: no input commands possible
polling an external device and running a script on timeout: really interesting, I have a device which can do that
macro for sending SSH strings: possible but doesn’t look good; some commands may not be caught, and another SSH session could take place at the same time. Risky.
I’ll work on polling, if SNMP doesn’t give any chance.
What can I use for polling? Ping is the easiest way, but can I check if a TCP port is open? Or maybe wait for a particular answer? Are there script examples somewhere? Thank you!
Yeah, SSH works well with Node-RED; never used it, but it is kinda interesting. I’m curious how this turns out. Google finds: https://github.com/olivervbk/node-red-contrib-ssh-v2
(you put the path to where the keys live in the “ssh” property)
Since it supports username/password too, you might want to test with that first.
Actually there is a way to fake that out. I wanted to cause the router to execute a script that would send Wake on LAN packets to a specific computer. To trigger the script, I wanted to use a port knock sequence. As noted, the firewall rules for the port knock can’t run the script. However, the last step in the port knock can create a log entry. Next step is a script that runs by schedule every minute that parses the log looking for that log entry. When it finds the log entry, it triggers the WOL script. Works just fine.
It ain’t pretty, but it does get the job done.
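The log-entry trick described above, as an added example rather than the poster’s own configuration. It assumes the earlier knock stages already exist and leave the knocking address on an address list called knock-stage2, that the final knock port is 9999, and that the script to run is named vpn-on; all three are placeholders. The trigger script remembers the id of the last log entry it acted on in a global variable, so one completed knock fires the script exactly once instead of every minute for as long as the entry stays in the memory log.

```routeros
# Added example, not from the thread. Placeholders: knock-stage2 (address list
# filled by the previous knock stages), 9999 (final knock port), vpn-on (script).

# Final knock stage: hitting the last port from the stage-2 list writes a tagged
# log line. Place this rule before the generic input drop rule.
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=9999 \
    src-address-list=knock-stage2 log=yes log-prefix="KNOCK-DONE" \
    comment="knock: final stage, logged for the trigger script"

/system script add name=knock-trigger source={
    :global knockLastId
    # every log line the final knock rule produced, oldest first
    :local hits [/log find message~"KNOCK-DONE"]
    :if ([:len $hits] > 0) do={
        :local newest [:pick $hits ([:len $hits] - 1)]
        :if ([:typeof $knockLastId] = "nothing") do={
            # first run after boot: remember what is already logged, do not replay it
            :set knockLastId $newest
        } else={
            :if ($newest != $knockLastId) do={
                :set knockLastId $newest
                :log info "knock-trigger: new knock completed, running vpn-on"
                /system script run vpn-on
            }
        }
    }
}

/system scheduler add name=knock-trigger interval=1m on-event="/system script run knock-trigger"
```

The knock sequence is the only secret here and travels in clear text, so this is best kept as a LAN-side convenience or combined with the address-list and timeout limits the earlier knock stages already provide.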
It actually is also possible to use SNMP to run a script, as asked/suggested several times above.
Of course you would not want SNMP to be open from the internet, but maybe it could be part of a port knocking sequence that first enables the access to SNMP.
To run scripts, you need a community with write access enabled (of course don’t enable write access for “public”, but add another one).
Using requests with this community, you can read the table of scripts available on the router, run a specified one (by sequence number), and receive the output.
It requires a somewhat clever SNMP client to be useful, as you first need to receive that table and select the proper script from it to use in a second call.
Hardwiring the sequence number would be very dangerous, as it will cause unpredictable things to happen when scripts are deleted (or added?).
Thank you! SNMP looks really interesting,
you wrote that different circumstances are possible, but in my case I just need to create 2 static scripts, one to enable, the other to disable a rule.
About this, I would also like to ask for your help. I’ve searched in the forum and a guy complained that it’s not disabling the proper rule, so another user suggested: “So to specify a rule for modification within a script, use /ip firewall filter disable [find chain=… action=… …] to specify the rule.”
may somebody kindly write here a concrete example about it, supposing I have
The [find …] construct needs to match the rule you want to enable/disable, and possibly match that one alone (so it’s hard to construct a match condition without seeing the rest of the rules which have to be avoided).
Probably the easiest way is to add a comment to the rule; make sure the comment is truly unique. Then match against the comment.
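A concrete form of the unique-comment approach, added here as an example and not taken from the thread: two static scripts, one to enable and one to disable, that select the rule by its comment and refuse to touch anything if the comment matches zero or several rules. The comment VPN-TOGGLE and the script names are placeholders; the rule is assumed to sit in /ip firewall filter (the same pattern works for /ip firewall mangle).

```routeros
# Added example, not from the thread. Placeholders: VPN-TOGGLE (rule comment),
# vpn-on / vpn-off (script names).

# Before relying on the comment, confirm that exactly one rule carries it:
/ip firewall filter print where comment="VPN-TOGGLE"

/system script add name=vpn-on source={
    :local ids [/ip firewall filter find comment="VPN-TOGGLE"]
    # act only when the comment identifies a single rule
    :if ([:len $ids] = 1) do={
        /ip firewall filter enable $ids
        :log info "vpn-on: rule enabled"
    } else={
        :log error "vpn-on: comment VPN-TOGGLE matched $[:len $ids] rules, nothing changed"
    }
}

/system script add name=vpn-off source={
    :local ids [/ip firewall filter find comment="VPN-TOGGLE"]
    :if ([:len $ids] = 1) do={
        /ip firewall filter disable $ids
        :log info "vpn-off: rule disabled"
    } else={
        :log error "vpn-off: comment VPN-TOGGLE matched $[:len $ids] rules, nothing changed"
    }
}

# Run both by hand before wiring any remote trigger (SNMP, scheduler, knock) to them:
/system script run vpn-on
/system script run vpn-off
```

The count check is what protects against the complaint quoted above (the script disabling the wrong rule): a copied rule that carries the same comment makes the find return two ids, and the scripts then log an error instead of flipping both.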
In your case, and if possible, I personally suggest using the REST API, as it is simpler and more intuitive and allows you to quickly write a working script in any language (Python, PHP, etc.); a quick example with cURL taken from the MikroTik documentation (result piped to jq):
Finally, you can even try to integrate Telegram and MikroTik, with the REST API or other interfaces, through your own script or Zabbix, for example, but maybe the second one is more of a business scenario; anyway, if you already implemented a Zabbix system and you are tricky: https://www.zabbix.com/integrations/telegram
Hi everyone, I’ve used the SNMP method; in case it’s useful for someone, here is what I did:
I’ve commented the rule I needed to activate/deactivate under IP > Firewall > Mangle
Under IP I’ve enabled SNMP; in the Communities I’ve enabled write access and defined the allowed source IP subnet in the existing public profile.
I’ve created under System two scripts, one to activate, the second to deactivate, something like this:
/ip firewall mangle enable [find comment=thecommentIhavetyped];
and I’ve run them for testing
I’ve installed on Node-RED the SNMP module, used the SNMP Set node, specified the MikroTik IP, Version: v2c, community: public, varbinds: [{"oid":"1.3.6.1.4.1.14988.1.1.8.1.1.3.1", "type":"OctetString", "value":"1"}]
This will execute the first script; to execute the second you need 1.3.6.1.4.1.14988.1.1.8.1.1.3.2 and so on. Just inject the node with anything and it will set the MikroTik.
This is a simple solution, without pretences of being safe/secure if exposed to the internet
Yes it will work that way, but note that when you enable write access on “public” you may expose yourself to attacks by malware on your local network.
I would have added a new community with a “secret” name, given it that write access and also a local-network or even single-IP restriction, and used that instead of public, only for this purpose.
“public” remains available for read-only use e.g. for monitoring, graphing, etc.
Also note that “first script” is a bit dangerous as a selector. You do not know what the first script is. Later when you edit, delete, re-add scripts it may be that another one is first.
This is generic for SNMP: referring to table objects by a fixed OID instead of walking the corresponding OID that lists the items by name and using the retrieved sequence number is always dangerous.
Today, more and more manufacturers try to help the user by keeping the OID mapping static, but I remember from Cisco routers that e.g. the interface numbers for any virtual interfaces would change on every reboot. As you normally do not reboot such devices frequently, you got surprises months after you implemented something and considered it working.
Any serious SNMP module should offer the possibility of doing a lookup of some name (script name in this case) and use the found object number in another OID.
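The community change recommended above, shown as RouterOS configuration with the setting the thread’s solution used beside the tighter one. This is an added example, not configuration from any poster; the LAN 192.168.88.0/24, the Node-RED host 192.168.88.10, the community names and the SNMPv3 passwords are placeholders to be replaced. It does not address the second caveat (selecting a script by sequence number), which has to be solved on the client side by walking the script-name column first.

```routeros
# Added example, not from the thread. Placeholders: 192.168.88.0/24 (LAN),
# 192.168.88.10 (host that sends the SNMP set), community names, passwords.

# Weak: write access on the well-known "public" community for the whole LAN,
# so any LAN host, or malware on one, can run every script on the router.
/snmp community set public write-access=yes addresses=192.168.88.0/24

# Tighter: "public" stays read-only for monitoring and graphing, and a separate
# write community with a non-guessable name is limited to the single sender.
/snmp community set public write-access=no addresses=192.168.88.0/24
/snmp community add name=REPLACE-WITH-SECRET-NAME write-access=yes \
    addresses=192.168.88.10/32
/snmp set enabled=yes

# Better still, where the SNMP client supports it: SNMPv3 with authentication
# and encryption, so the community name is no longer the only secret on the wire.
/snmp community add name=REPLACE-WITH-SECRET-NAME-V3 write-access=yes \
    addresses=192.168.88.10/32 security=private \
    authentication-protocol=SHA1 authentication-password=REPLACE-AUTH-PASSWORD \
    encryption-protocol=AES encryption-password=REPLACE-PRIV-PASSWORD

# Verify what is exposed and from where:
/snmp community print
```

With v2c the community name is sent in clear text on every request, so the single-address restriction on the write community is what keeps a sniffed name from being usable elsewhere on the LAN; the v3 variant removes that dependency.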
Thank you for your kind advice. I’ve named the group in another way, even if only a few people will use it and access the LAN. All other access except from LAN sources is filtered out.
The MikroTik OID won’t change; that’s my only goal.
I’ll be careful with script numbers; anyway I think I won’t touch them.