The company that I work for needs to comply with CALEA, and the CEO of the company suggested to me to download the v3 of RouterOS. I’ve successfully installed the OS now, but I’m having trouble trying to issue it an IP address.
While looking through the v2 documentation, it tells me to type /setup - however in v3 that feature is not there - I installed everything.
Could someone point me in the right direction as to how I can configure v3, and more specifically, for CALEA?
Log in to the router from the console. (Usually “admin” for user, “nothing, blank, nada” for password, IE press Enter when prompted.)
Type “IP ADDRESS ADD”
The system will prompt you for an address. This address is in the form of “IP/MASK BITS”
IE 10.0.0.1/16
The system will then prompt you for an interface. This will be in the form of “ether1” or similar. IE: “ether1”, “ether2”, “wlan1”, whichever is the interface you are connecting to your network with. I would use the interface you will be connecting to the LAN to allow winbox configuration to start. I would try “ether1” first and change it as you see fit later after you are familiar with the system.
Once you have assigned an IP to the interface, it is time to test it.
Ping an address on the local subnet. IE a gateway device.
Type "ping " & ip address of remote device… IE: ping 10.0.255.255
If you get replies then press Ctrl-C to stop the ping.
If you do not receive replies then try another interface. IE move the cable.
Once you have replies, open a browser from a machine on the same subnet as the router you are building, and download and run the “WINBOX” tool… this will give you a graphical user interface to complete the configuration of the router.
As for the CALEA, the interface is still command line based at the moment. Here is a link to a presentation held at the last MikroTik users meeting or “MUM”. It has a sample of the CALEA server / probe commands near the end of the PDF document. The settings and what they do are there.
Hi thanks again for the push in the right direction. I was able to stumble through and set up primary and secondary dns, as well as the IP address for ether1. Now, I try to ping the gateway and I get a ping timeout.
Is there anything else I need to configure? Am I overlooking something? I read your instructions a few times, and I don’t think I’m missing anything.
Most likely you either have the wrong ethernet connection configured or you have the wrong subnet mask so it’s not broadcasting correctly. Just my 2 cents.
I was finally able to get RouterOS v3 installed with a demo key, and now that I’ve set up the IP address, gateway, and DNS, I’ve come to a roadblock where I don’t know what needs to be done next.
I read the PDF and most of it makes sense.
So, after I do the basic install of RouterOS, I’m good to go until we get a summons? Then I will issue these commands to start filtering certain IPs - correct?
As far as I understand, you will need to configure it to “watch” a specific customer (a specific IP address) ONLY when you get the respective document from the local authority.
You may look here for the specific configuration example for Calea configuration, http://wiki.mikrotik.com/wiki/Calea#Calea_Server.2FClient_Configuration_Example
When a CALEA trap is created, the capture begins. (created on “server” then “tap”)
(Files hide, must create an action for new files to be seen in winbox IE backup the router or delete a file)
By the way I noticed that the file structure and location of the chains as well as an additional security setting has been introduced… (All of you running beta9 had better check your user settings… mine did not upgrade the admin user, and I was getting permission problems) Also the file name and “type” have changed.. so much for the code I wrote to move the data to “RAID” storage…
Anywho… here is the issue…
Once the capture is running, if the tap device goes down for ANY reason, the capture stops (duh…), but when the unit comes back online, the stream does not resume (at all); there is no traffic from the “tap” to the server (RE: CALEA) of any type… (OOPS !!)
If the rules are removed and then re-created, the capture resumes…
I noticed this as the “tap” is a test box I carry with my laptop at all times…
Things that make you go Hmmmmm…
And then OH SH1# when you lost days of data… and the feds are standing in front of you tapping their toes and dollar signs are rolling in their eyes…
Well, I have tried to reproduce the same issues with the latest 3.0 and 2.9, using the default configuration (I have disabled the outgoing interface for the ‘tap’ device); sniffing continues after the ‘tap’ router is back online.
The best way to report issues about RouterOS is to contact MikroTik support (support@mikrotik.com) with a problem description and the router configuration (support output files).