Hi guys,
I was given the task of transferring the config from one Mikrotik to another; the idea is to get as close to high availability as possible. Basically, if one of the routers goes down, the other should be able to take its place.
I looked at many articles, but wasn't able to find such a thing.
I have managed to transfer parts of the config from the Master device (let's call it that: the device on which you make the changes) to the Slave (the one that takes its config from Master). In other words, you type commands on the primary device and the changes are transferred to the secondary. I am doing it twice a day, but you could do it at whatever interval you need.
So, in my case I am replicating the section under IP FIREWALL, as you will see from my scripts. It leaves all the other config as it is, i.e. you won't end up with duplicated IP addresses etc.
I think this is the most important part for day-to-day tasks (ip firewall), but you can use the same approach for other parts of the config. You just need to tune the scripts and schedulers, and they are pretty self-explanatory, so it shouldn't be a problem.
Important: both devices need to be able to reach each other on the LAN; this is needed for the FTP access that transfers the config from Master to Slave. You could use a dedicated interface with a /30 if you wish. Also make sure the clocks are synchronized on both Master and Slave, since the schedulers on the two devices are timed only a few seconds apart. It is important.
I would not recommend doing it over the WAN: it is plain FTP, not SFTP or FTPS, so the credentials and the config file travel unencrypted.
In the end the idea is: make your config changes (for example inbound or outbound access rules) on the Master device and let them replicate automatically to the second one. In case of a primary device failure you will have the needed config on Slave, without having to enter the same commands on the secondary device.
For this I used both Winbox and the CLI, so it's a bit mixed, but it could be done solely via Winbox.
So, on to the topic, gents!
Master:
- IP → Services: enable the FTP service. It will be used to transfer the config from Master to Slave. You can restrict the addresses from which connections to the FTP server are accepted (for example to the Slave's address on the /30), and I would recommend doing so.
- System → Users: create the FTP user. I have allowed full rights; it did not work for me with read-only, but it is worth a try.
- System → Scripts → Create New. I have called it Export and the source is: /ip firewall export file=firewall.rsc
Save it. The purpose of this one is to export the contents of the IP FIREWALL section on Master so it can be transferred to Slave at a later stage. The generated file is under Files, so you can have a look at what is exported.
- System → Scheduler → Create new scheduler. Here I have created 2 schedulers, Export1 and Export2. Those run on a daily basis, one at noon and the other at the end of the working day. On event: /system script run export
So my IP firewall config on Master is exported twice a day. Of course you can create as many schedulers as you want, but keep in mind that they need to be synchronized with the scripts and schedulers on Slave.
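The same Master-side steps as RouterOS CLI commands, as an added example rather than the commands from the original post. The addresses and account name are assumptions: the Slave reaches the Master over a dedicated /30 from 192.168.250.2, the FTP account is called ftp_sync, and the group with only the ftp and read policies is the narrower variant of the full-rights user used above.

```routeros
# Added example, not the original post's own commands: Master-side setup from the CLI.
# Assumed (hypothetical) values: Slave address 192.168.250.2 on a dedicated /30,
# FTP account ftp_sync. Change the password before use.

# 1. Enable FTP, but only accept connections from the Slave's address.
/ip service set ftp disabled=no address=192.168.250.2/32

# 2. A dedicated group whose only policies are logging in over FTP and reading.
#    (The post used a full-rights user; this is the narrower variant to try first.)
/user group add name=ftp-export policy=ftp,read
/user add name=ftp_sync group=ftp-export password=ChangeMeBeforeUse

# 3. The export script: only the IP firewall section goes into the file.
/system script add name=export source="/ip firewall export file=firewall.rsc"

# 4. Two daily schedulers, noon and end of the working day; the evening one runs
#    a few seconds before the Slave's fetch.
/system scheduler add name=export1 start-time=12:00:00 interval=1d on-event="/system script run export"
/system scheduler add name=export2 start-time=19:30:00 interval=1d on-event="/system script run export"

# 5. Check what will be shipped to the Slave (size and timestamp of the export).
/file print detail where name=firewall.rsc
```

Restricting the FTP service to one source address matters here because the credentials cross the wire in cleartext; with the /30 link and the address filter, only the Slave can even reach the login prompt.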
Now on Slave:
- System → Users: create the same FTP username as on Master with the same password.
- System → Scripts. Here we create 3 new scripts:
2.1. Script called ftp:
/tool fetch address=192.168.x.x src-path=firewall.rsc mode=ftp user=ftp_username password=ftp_password
192.168.x.x - the address of Master that is reachable from Slave
user=ftp_username - the FTP username you created
password=ftp_password - the password of that FTP user
2.2. Script called dele:
/ip firewall filter remove [/ip firewall filter find]
/ip firewall address-list remove [/ip firewall address-list find]
/ip firewall mangle remove [/ip firewall mangle find]
/ip firewall nat remove [/ip firewall nat find]
The purpose of this one is to delete the "old" entries in ip firewall filter, ip firewall address-list, ip firewall mangle and ip firewall nat, so the import does not leave you with duplicated rules.
Those are the parts I want to replicate in this case, but you can use a similar approach for other parts of the config.
2.3. Script called import:
/import firewall.rsc
The idea is: script 1 fetches the exported ip firewall section from Master and downloads it. Once it is downloaded, script 2 deletes the parts we want replaced on Slave. Then script 3 imports the new settings from Master.
- System → Scheduler.
Here I have created 6 schedulers, two per day for each script:
- dele: /system script run dele
- ftp: /system script run ftp
- import: /system script run import
The important part here is the timing between the schedulers of the three scripts.
Mine are:
ftp - starts at 19:30:03
dele - starts at 19:30:05
import - starts at 19:30:09
So the whole thing takes about 10 seconds and there could be some disruption during that window, but we don't care much, since Master is working. If Master goes down, you should manually disable the schedulers on Slave: dele runs whether or not the fetch succeeded, so the Slave would otherwise wipe its firewall rules and re-import whatever copy of firewall.rsc it still has, if any.
Please note that the export script on Master is set for 19:30:00, so Slave gets the latest config.
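The three Slave-side scripts and the second-level timing between them can be collapsed into one script that fetches, checks, deletes and imports in order, and stops before deleting anything if the fetch fails. This is an added example, not the scripts from the original post; paste it as the source of a single script under System → Scripts and run it from one scheduler. The Master address 192.168.250.1, the account ftp_sync and the script name sync-firewall are assumptions. The `:do { } on-error={ }` construct needs a RouterOS version that supports it (v6.2 and later).

```routeros
# Added example, not the original post's scripts: one Slave-side script that replaces
# ftp + dele + import. Assumed (hypothetical) values: Master 192.168.250.1 on the
# dedicated /30, FTP account ftp_sync. The script needs the ftp, read, write and test
# policies.
:local master "192.168.250.1"
:local fname "firewall.rsc"

# Drop any copy left from the previous run, so a failed fetch below cannot
# silently re-import yesterday's rules.
/file remove [find name=$fname]

# Fetch from Master. If Master is down the fetch throws; we log it and stop here
# with the current firewall untouched (this is the case that needed manual
# disabling of the schedulers in the three-script version).
:do {
    /tool fetch address=$master src-path=$fname dst-path=$fname mode=ftp user=ftp_sync password=ChangeMeBeforeUse keep-result=yes
} on-error={
    :log error "firewall sync: fetch from $master failed, rules left as they are"
    :error "fetch failed"
}

# Refuse to wipe anything unless the freshly fetched file really exists.
:if ([:len [/file find name=$fname]] = 0) do={
    :log error "firewall sync: $fname missing after fetch"
    :error "no export file"
}

# Same four removals as the dele script, then the import of the new rules.
/ip firewall filter remove [find]
/ip firewall nat remove [find]
/ip firewall mangle remove [find]
/ip firewall address-list remove [find]
/import file-name=$fname
:log info "firewall sync: imported $fname from $master"

# One scheduler instead of six, a few seconds after the Master's 19:30:00 export:
#   /system scheduler add name=sync-firewall start-time=19:30:05 interval=1d on-event="/system script run sync-firewall"
```

Two caveats apply to both versions. The exported rules reference interfaces, interface lists and address lists by name, so the Slave must use the same names as the Master or the import will fail part-way through after the rules have already been removed. And the import executes whatever is in firewall.rsc, so anyone who can write that file on the Master, or tamper with the plain-FTP transfer, controls the Slave's firewall; that is another reason to keep the transfer on the dedicated link.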
Basically that is it. Hope this will help you guys.
Next time, when I have time, I will write up how to back up the Mikrotik config with Rancid; that was a challenging task too.
Please excuse me if someone has already posted something similar.