Is it possible to monitor a local network for an out-of-the-box mikrotik router so when it is connected to the network for the first time, a script is sent to it to it for execution?
What I am trying to accomplish is automating the process of updating new mikrotik routers. I have a main mikrotik router on the network that can be used to monitor for new connections.
We do something similar to this with Ubiquiti access points. They are immediately recognized on the network and available for update and adoption.
It would be very cool if we could do this with Mikrotik routers!
I’ve noticed that as soon as you connect a new router to the network, it shows up on the main router under neighbor discovery.
If there is a way to create a script to ftp a command or file to the new router from the main router I think it would work.
Can you ftp to an IP address that is not in the local network? If not, how about to a Mac address? The neighbor discovery shows the Mac address for the new router.
You can not FTP to IP address outside local IP subnet without using gateway. Which is kind of awkward if gateway knows nothing about subnet that IP in question belongs to …
How about this: when a new device appears in neighbour discovery, add additional IP address to LAN interface (normally that’s bridge interface) … and select IP address from same IP subnet as the newly discovered device (best bet would be address that would fit into same /30 subnet as discovered device, that’s the smallest IP subnet still fully supported in ROS). Then you should be able to FTP and SSH into device using default password … which used to be blank, but I hear some models come with random string set as password … in which case you probably can’t automatize anything.
Yes, I know about auto import, and plan to use it for this.
The legislation should NOT apply to devices like Mikrotik because they are not for end users or novices who don’t know what they are doing. I don’t think many Mikrotik users ever use the settings out of the box without some form of programming, especially the password. Mikrotik is not a ring doorbell or a device mass marketed to end users.
And there you are wrong.
These devices ARE being used in home context so the legislation DOES apply.
As a consumer I CAN buy these devices from various sources.
Mind you, I don’t like it either but I understand why it is being enforced.
One of the biggest bot net in history was based on Mtik routers. Devices never upgraded, never protected with a real password by their customers…
So nowadays mandatory security is a must, we are not in “tele tabbies country”
And anyhow if the device could be programmed remotely by you after boot, someone else might even be faster and config/lock the device before you do!
Again look through the security blog few years back, with all the problems Mtik had and which forced them to further improve/close the default firewall…
I’m in the US, and in the land of big-box stores, no home user is accidentally getting a Mikrotik - I have never seen a Mikrotik in any US retail store. IANAL but Mikrotik only sells through distributors, so they likely pawn off the responsibility to the reseller, who might face the EU rules . But Mikrotik seem pretty stubborn so they argue they do force a password change, maybe a defensible position, IANAL.
I’ll offer that some of the “paired” 60GHz kits DO already use autogenerated password, so guess that’s possibility in the future. But even on these, if you push-and-hold reset I recall you getting a default configuration without a password, so I won’t worry too much.
While default IP is 192.168.88.1. Also, you might try using “/ip neighbor” to find the Mikrotiks you want to configure
/ip neighbor print
For example, if you want the first IP of a device named the default “MikroTik”, you can do something like this:
:global namedmikrotik [/ip neighbor find identity="MikroTik"]
:put $namedmikrotik
:global firstip [/ip neighbor get [:pick $namedmikrotik 1] address4]
:put $firstip
# then you can run /tool/fetch + :import OR you can use SSH to issue commands:
/system ssh command="/ip address print" user=admin address=$firstip
Then once setup (and given a name), you can manage that set differently using their name instead of “MikroTik”. If they didn’t show up in discovery after your changes, you can use that to flag an error in your automatic setup script, etc.
