I have looked into this a bit and hit a wall of sorts. I would like to send a script to an installer (remote from me) that is preconfigured and ready to go. They could then “run after reset” and the router would be configured. I do not, however, want them to have access to the configuration script for two reasons: 1) make changes to the script that could cause issues, 2) have access to my work.
I have not tried this, but I suppose I could teamview into the installer's laptop and drop the file directly onto the router's files section, and run it from there…
Anyone have a solution for doing this? Any 3rd party tools that allow for this?
scp the rsc script to the device, ssh to the device, and import the rsc, then delete the rsc…
Instead of scp you can of course also use “/tool fetch …” to download the rsc from your own server…
Of course the ssh service (default port 22) of the device must first be reachable from Internet…
Thanks for this… Then I would have to have a script installed to run the main configuration script… I don’t use fetch much, but it looks like anyone could use that link to pull the script.
@RackKing, are you aware of the fact that any legitimate user with access to the router can issue the command “/export” in the CLI, or look in Webfig or in Winbox to see/get all the configuration?
Do you want to allow only yourself to manage the device of the user? If yes, then just don’t give the user any login credentials; then he/she cannot log in to the device. There is no other way to prevent the user from seeing the config.
Thanks for the reply. So - I have created a restricted user with read, write, and web credentials. I have then gone into webfig and created a custom skin that limits access to only the things I want them to see, like DHCP reservations for example. All other access like winbox, telnet, and console are disabled for this “basic” user. Locking down webfig with a custom skin for that user seems pretty good. I have not tried to “hack” it as I am not a web guy, perhaps it is not secure and somebody with experience can bring those hidden menu options back.
So - I think I have the webfig and winbox part handled. Am I wrong in this?
Secondly - I want the best of both worlds. I would like to manage/configure the router, but yet let the installer do some basic configuration, but not have access to the whole deal or be able to export the backup or script. Assuming creating a limited basic user in this fashion works, then I am back to where I started.
I wish there was a way to configure a virgin router without being local to it… and putting it on the internet. A default router on the internet would get hit pretty quick.
Perhaps there is some way of using an additional application that could do this keeping the script encrypted until it actually installs it. I have read some about this, but I am not a developer by any means, hence my post. I wish I knew more about python and the like.
@mutluit - thank you for your replies and feedback. I suspect there are lurkers here who have figured this out. I am assuming it is a proprietary process using an application they have written. I am just not smart enough to figure that out.
If the router is on your network, TR069 is designed for remote management.
Another option is getting the installer to use Quickset and configure a unique VPN user and basic internet connection. Once you have your configuration with remote access, remove the initial VPN config.
Configure a Mikrotik MAP with USB cellular dongle as a remote terminal they attach to the router for you to configure it. You can lock the MAP router so the installer has no access to it.
It depends on whether you want to protect your work from any possible guy who wants to steal it (good luck with that!!) or whether you just want to avoid that someone gets your rsc in the mail, opens it in wordpad to study it, makes some changes and uploads it to the router.
When you send a small “bootstrap” to the installer (person), that does the minimal setup to the router to connect it to internet and then retrieves the full config and loads and deletes it, I would say that would be plenty for most of such scenarios. You can add some checks on the webserver so it recognizes that it is fetched by the router and not by someone pasting the link into a webbrowser (e.g. examine the user-agent). You could have a unique string sent by the script (as part of the URL) and arrange that it can be fetched only once or only on a certain date or similar.
Of course most measures are easy to work around when someone is determined, but good enough to fend off most people.
Of course what I mean is just a script file that does the internet settings (if at all required, i.e. internet is not “ether1 with DHCP”), then it does a fetch to get the real config and an import.
You would write it in the RouterOS scripting language and send it as a .rsc file.
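The server-side checks suggested above (user-agent test, a unique string in the URL, fetch allowed only once or only within a time window), sketched as an added example that is not part of the original thread. The class and function names are hypothetical, and the `Mikrotik/` user-agent prefix is an assumption about what the router's fetch tool sends.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: RouterOS "/tool fetch" sends a User-Agent starting with
# "Mikrotik/". Check your own web server logs for the real value.
EXPECTED_UA_PREFIX = "Mikrotik/"


class OneTimeConfigGate:
    """Per-router download tokens: each works once, and only before expiry."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> {"expires": datetime, "used": bool}

    @staticmethod
    def _digest(token):
        # Store only hashes so a leaked token table cannot be replayed
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, valid_for, now):
        """Create the unique string to embed in the bootstrap's fetch URL."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {"expires": now + valid_for, "used": False}
        return token

    def authorize(self, token, user_agent, now):
        """Return (http_status, reason) for one fetch attempt."""
        # The User-Agent is client-controlled; this only stops casual browser pastes
        if not user_agent.startswith(EXPECTED_UA_PREFIX):
            return 403, "unexpected user-agent"
        entry = self._tokens.get(self._digest(token))
        if entry is None:
            return 404, "unknown token"
        if entry["used"] or now > entry["expires"]:
            return 410, "token expired or already used"
        entry["used"] = True  # burn the token before the config is served
        return 200, "ok"


def demo():
    """Constructed scenario: browser paste, router fetch, replay, late fetch, guess."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    gate, hour = OneTimeConfigGate(), timedelta(hours=1)
    tok, late = gate.issue(8 * hour, t0), gate.issue(8 * hour, t0)
    ua = "Mikrotik/7.x Fetch"  # constructed sample value
    attempts = [(tok, "Mozilla/5.0", t0), (tok, ua, t0 + hour), (tok, ua, t0 + 2 * hour),
                (late, ua, t0 + 9 * hour), ("guess", ua, t0)]
    return [gate.authorize(t, agent, when)[0] for t, agent, when in attempts]
```

Serve the config over HTTPS so the token in the URL is not readable in transit.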
Ah - I thought you were talking about Python or something of the sort. So - a helper script to pull a target script. I get it. That I could probably handle, I have not worked much with fetch. Getting a webserver set up shouldn’t be too hard, probably some good tutorials on that.
I played around with teamviewer to make this simple… I can transfer a file to the “installer” pc desktop, and then drag it on to the router. Permanently deleting the file and clearing the clipboard would be the cleanup I think. I am sure there is some software that could run and copy the interaction and copy the file.
Of course you can also write a complete program in Python or whatever that uses API or even telnet/ssh to command the router to do whatever you want.
You would then have to run that program on the installer’s computer and hope that he will not try to find out what it is doing exactly.
It all depends on what you expect from the installer, how complex is the configuration and its variations (e.g. different models, different setups), how often you are going to use this (5 subsidiaries of a company, or 100000 users of an ISP), etc.
That also determines how much effort you would want to spend on unfamiliar technologies (scripting, TR-069, etc.).