However trying to run these commands in the Mikrotik node in a Node-Red flow isn’t working.
The print command works just fine, returning an array object, but issuing either, enable or disable, just results in an error!
“ Error executing cmd["/interface/bridge/port/enable 6"]: {} “
I enabled SSH on the router, and using an SSH node, in Node-Red, the CLI commands, enable and disable, work just fine, but the print output is truncated and would be hard to parse.
Can anyone tell me why the API commands are failing?
or more likely what I am doing wrong!
I realise I could just use the API connection to get port status and the SSH to manipulate them but having two connections to do one set of tasks will mess with my OCD tendencies !
Additionally,
I found this “ /interface ethernet disable ether8 “ which doesn't work, even in the CLI, and I would like to understand why? Because all my port are in a bridge perhaps?
Sorry if I am just being daft, much of this just isn’t something I know much at all about.
The problem with quoted sequence of commands (which is probably biting you) is that index numbers (e.g. 6, used in your example) are temporary numbers, only available and meaningful immediately after print is executed. I'd guess that in API, each call is independent of previous ones so when trying to do something with interface 6, that number is meaningless.
In CLI one should instead go with a construct like this:
and the argument(s) to find can refer to any of oroperties of that particular object (for bridge port those are nunerous, port name is perhaps most useful). Beware: if the [ find ] construct rrturns multiple results, the command will be effective on all of them.
Disclaimer: text written in this post is true for CLI, I don't know if it directly applies to API calls as I don't have any experience with it.
Sorry not clear…
I wasn’t running those commands back to back, it was just a list of thew single commands I tried.
The ‘6’ is the ordinal of the port in the bridge, which I think is fixed, but then I am here to learn not make assumptions.
Based on your suggestion I tried:- /interface/bridge/port/enable [find interface=ether8]
That works in the CLI for both enabling and disabling and looks like a better approach to me other than the fact that the find returns everything if it is mal formed… Not good potentially
Running this:- /interface/bridge/port/enable [find interfac=ether8] with a miss spelled field results in all bridge ports being enabled and then returns the error ‘failure: can not change dynamic port’
which I assume is it trying to change stuff somewhere that it shouldn’t!
The other behaviour is unchanged,
an SSH connection will run the command whilst the API connection, which will run the print, fails when trying to change anything, including /interface/bridge/port/enable [find interface=ether8]
You're wrong. As I explained, the index number is temporary. Perhaps in certain configuration sub-menus it doesn't appear as such, but it is.
And yes, find command doesn't output human-readable results, it outputs pointers to items. You can run it as :put [ find ... ] to see it (those asterisk-prefixed HEX numbers are pointers).
And yes, find could return empty result list if passed arguments are invalid ... but I guess MT devs made a decission about it quite a while ago and I doubt this would be considered a bug. But you can try to file a bug report (via official support channels, this forum is not one of them).
All good to know, thanks. I have only ever looked at small devices in SOHO configurations, and just assumed the the order of bridge ports was fixed… That would be one of those poor assumption I mentioned.
When I run print on the bridge ports, using the API, I get a load of information that I don’t see when doing in the Winbox CLI which makes me think I am missing something fundamental.
I am assuming I should be able to look at all this in the Winbox CLI, but likely need to be asking for less perhaps? Even if the CLI printed 10 o0f these it wouldn’t be very useful after all.
Is there a way to use find with print, or something similar… For example to examine the status of port, say its disabled property, based on a find using its interface name?
Lastly any I idea why I don’t seem to be able to change anything using the API, despite it working for a print and the identical commands working over SSH or in the Winbox CLI
I did find something suggesting the API syntax had some differences but still couldn’t get it to work.
BTW, I have achieved what I ‘need’ at this point, but the solution isn’t clean and I clearly need to learn some basics… Hence additional questions…
The nodered plugin you're using uses the native API. So it follows that syntax described here:
In nodered, their connector needs a JSON array with the string API clauses as array elements. And the native API has some tricky syntax, especially when repackaged by nodered.
First, the [find] syntax does not exist in API (or REST API), so it's two operations that are needed. One to get the id of the needed item, and the a second API call that uses the previous result in the =numbers=.
The core problem may be mistaking the numbers shown in the output of a CLI "print" for what's need as a ID or "numbers" in APIs. The numbers from print are relative, always starting at 0 & change if where is used – so these are WRONG as "numbers" or ".id" needed in API. To find the "real id" of a config item using CLI, use print show-ids which will always be shown with a * preceding the number/hex, which is immutable (so it does not change unless deleted and re-added)
The first issue was me just not using the Node-Red API node properly, it seems happy with the array approach you suggest, I clearly missed the point somewhere…
The second issue is more fundamental and seems to exist between the chair and the keyboard...!
Essentially there appears to be a huge void where some understanding of the CLI should exist.
Go figure!
Sage advice indeed… As you can see.
OK. SO… Back in the CLI…
[xxx@AP-CM-Hub] > /interface/ethernet/enable numbers=*A
This first command isn’t working, despite the ID being correct.
[xxx@AP-CM-Hub] > /interface/bridge/port/enable numbers=*6
Same syntax but looking at ..bridge/port.. and substituting the id returned from there, works just fine.
SORRY scratch that, did a quick test AND…
They both work, just not how I expected, which is why I am leaving this in, as it maty help others.
I am assuming this will not be news to many of you but disabling a port in ’ethernet’ doesn't make that port show up as disabled in ‘bridge’, or vice-versa!
Can anyone explain…
Why that would be?
If disabling in either place is functionally equivalent?
What my simplest option is to disconnect a device connected to an ethernet port?
If there is a way to deny/allow a single MAC/IP internet access, on the fly, without disabling physical connection?
Just in case anyone is wondering, I am trying to find a way an industrial control system can soft-stop an ASIC Bitcoin miner, prior to shutting off its power… To avoid the heat soak associated with just dumping the power. The Miners, Bitmain units, don’t have SSH, or anything else useful enabled to manage them, just a clunky web interface.
It seemed like a good little side project as a good excuse to learn a bit about the Mikrotik functionality.
Thanks for all the help thus far,
I am struggling to make much of the CLI documentation because I know so little about its context.
Some things just are 100% consistent. You may need =.id= in some commands, instead of =numbers= when using the *XX ids. I think "numbers" means it will take a name, as alternative to the *XX ids, while ".id" strictly takes *XX ids & and in some both forms are excepted. So generally trying either "numbers" or ".id" to see what works is helpful.
Very likely disabling a port in a bridge disables it "in the contest of the bridge", while disabling altogether a port disables it, but the bridge doesn't care.
There could be firewall rules, or possibly even routing rules might do, but of course it depends on your overall configuration of the Mikrotik device.
Depending on config, but the bridge filters can block by MAC address. Now if you want it to be real-time, I'm not sure the nodered plugin support the /listen method which allows events on config changes.
Blocking doesn't need to be event based real-time, at lest not outside RouterOS.
There are 10 ~3kW miners installed at a small hydro facility where there is generation capacity that we cant export. The miners are cycled on/off, in response water availability, once the export limit is reached.
The idea behind disconnecting the LAN/internet form individual miners, is to force them to go idle and cool down, before we turn off the power, the latter being a bunch of contactors.
Thanks to all the help I can now achieve what I need and have a slightly better understanding of a few concepts and much more idea how to look for answers.
Thanks to all.
The problem with knowing as little as I do is not knowing what to search for or even what may be relevant.
Cheers,
I will look at firewall and bridge MAC filters…
Again I don’t know much but I guess blocking anything in the output chain from a disallowed MAC list could work. I think I mean output chain although likely with an out interface filter of WAN… I would have to fiddle as I cant remember if forward gets involved.
Anyway that’s off topic and not at all urgent.
Last question related to this…
What would you guys recommend, hardware wise?
No requirement for POE or radios and bandwidth/traffic would be low.
Minimum 12 ethernet ports**.
*
* Unless MAC/IP filtering was being used, as opposed to ports, to allow/deny internet access. In which case minimum ports would be 2, 1 in 1 out, and almost anything, SOHO, would likely to the job.
Router Vs switch… Is why I am asking, I don’t know.
Right now all 10 units are connected to an unmanaged switch and I guess if I were to use MAC/IP, and a firewall or bridge filter, to manage what can see the WAN then I could keep the unmanaged switch and just add a small router between it and the rest of the LAN.
MAC/IP/or even VLAN, assuming tagging isn’t port based, sounds like a reasonable way forward but I lack the underlying knowledge to make an assessment.
My gut tells me that bridge filtering sounds like a simple way to go, but I only just found out it exists, much less have ever encountered or tried it.
Firewall I use, and sort of understand the basics of, so could probably muddle my way through but I suspect I would fall foul of hardware offload and Fastrack bypassing rules in ways I don’t understand.
Honestly, if I can add a small RouterOS device onto the uplink/trunk port of the existing unmanaged switch and then deny WAN access by IP or MAC, using a list I can modify with the API I will be delighted.
I have a couple of hEX POE Lite and hAP AC Lite devices kicking about but wouldn’t know how to go about configuring RouterOS to drop traffic to none LAN addresses, unless they were configured as routers.
I am assuming it can all be done, but I know I lack the basic understanding of Router OS to do it.
Verry, very, happy to learn if anyone is up for a bit of hand holding…
What I don’t have is weeks to tinker! Though finding hours, or even a day or two, seems reasonable if I expand my severely lacking base knowledge in the process.
My home network is all bridged, WAP’s and CAP’s, configured via CapMan, on my main router, which in turn routes to an external 4G router. Thus, my only experience of firewall config is limited to managing traffic on the WAN port, or not the LAN subnet… AND probably isn’t ideal anyway!
BTW… Anyone cringing at my last statement… Please tell me if I should be doing it differently, I would welcome the critique. (Just muddling through here!)
Absolute Ideal scenario, for the site in question…
Replace the existing Teltonica 3G/4G router with an ARM based Mikrotik device that is capable of maintaining a routed ZeroTeir tunnel whilst giving basic 4G/3G access over a cheap data SIM.
Talk to this, new, device with a Node-Red API node, to selectively deny internet service, not the ZeroTier tunnel, to an editable list of devices on there LAN.
Provide access to all local LAN devices, over the VPN, to any remote client that can access the VPN.
FYI…
I have a raspberry on site right now that deals with the ZeroTier tunnel and routing, the Teltonica has a basic cheap EE SIM and anyone accessing the site, PLC/HMI, whatever, uses a zerotier client on there device to do that. No inbound/forwarded traffic permitted, or even possible, given the CGNAT associated with UK cellular APN’s.
Backup access is via a site PC with RemotePC unattended access installed.
And yes… Off my own topic… Just saying for context!
All help, and likely justifiable criticism, will be very much welcomed.
