jda
just joined
Topic Author
Posts: 21
Joined: Thu Jun 04, 2015 11:34 am

Migrate config to new Mikrotik box

Fri Oct 21, 2022 11:49 am

Hi

I have a model RB951-2n (RouterOS v6.48.4) that has served us well for quite some time. Now it is going to be replaced by a new RB750Gr3 with higher speeds.

Is there a way to "migrate" my current configuration/setup from the old box to the new box? E.g. backup/restore? Or will that spoil something in the new box's configuration?

Thanks in advance!

/John
 
jookraw
Member Candidate
Posts: 144
Joined: Mon Aug 19, 2019 3:06 pm

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 12:09 pm

You can use backup/restore only to the same exact model.
To transfer the config you need to export the config.
on the old router:
export show-sensitive file=transfer
this will generate a transfer.rsc file that you need to copy to the new router.
on the new one:
Before importing you may need to change or remove some settings that are not valid on the new one, and you need to have no default configuration on the new router.
import file=transfer
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Migrate config to new Mikrotik box  [SOLVED]

Fri Oct 21, 2022 12:12 pm

Is there a way to "migrate" my current configuration/setup from the old box to the new box?
No there is not. That is a major omission in RouterOS.
It will depend on your actual configuration what is the best way to proceed.
The first thing you can do is use /export file=config to export the configuration to a single readable file, download the config.rsc file and examine it in an editor.
(when you are on RouterOS v7 also include the show-sensitive option with that export)

Now get your new router and perform the following steps:
1. Connect it "behind" your RB951, ether1 on your LAN, ether2 to a computer, log on, and do an "upgrade" of RouterOS (system->packages->check for updates).
Also decide which version, v6.xx or v7.xx, you are going to use. There are pros and cons to each of them.
2. After the reboot, do System->Routerboard->Upgrade to upgrade the firmware (BIOS).
3. Do a "reset to defaults". That is very important! You need to reset to defaults under the recent RouterOS you are going to use, not the factory-installed one.
4. Now it depends on what you want to carry over. You can cut/paste sections of config using your editor and a telnet or ssh session to the new router, but I would advise not to carry over the firewall. Build that from scratch, using your exported config as a guideline for what you need.

It is a laborious process, but it is the only way to do it. And it often is a good moment to cut away the crap that accumulated over the years.
Using the cut/paste you can easily migrate more complicated things like VPN or routing setup, or parameters like the internet connection, DNS servers, time servers, etc.

Do NOT just import the whole config as jookraw suggests. That will NOT work.
 
jda
just joined
Topic Author
Posts: 21
Joined: Thu Jun 04, 2015 11:34 am

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 12:32 pm

Thanks pe1chl

I haven't followed the changes to version 7. I have just used the auto update feature to keep the current box updated.

Any good pointers of pro/contra for updating to the latest version? If I will be forced to at some point I might as well do it now - or why should I stay on v.6?

If I go for v.7 should I then upgrade the current box to v.7 first? And if so will there then be some manual steps of upgrading the old box to v.7?

And can I split the configuration into several files and just import one of them at a time (e.g. VPN and DNS separately)? And then if something fails will I have to do a "reset to defaults" and redo all previous steps again? If so then I must remember to export any changes made directly (like firewall).

/John
 
jookraw
Member Candidate
Posts: 144
Joined: Mon Aug 19, 2019 3:06 pm

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 1:19 pm

Do NOT just import the whole config as jookraw suggests. That will NOT work.
Works for me, I have migrated multiple times using that way (after removing the incompatible parts, like non-existent interfaces), just need to make sure that the destination device is clean, without any default config, also the port where you are connected needs to be out of the bridge when importing.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 1:40 pm

It is possible to use import but only when you are an expert and even then it will normally require several iterations until it is right. And there is risk that you copy something you should not.
E.g. when you have used the RB951 for a long time and never reset it, you should NOT copy the firewall. Use the new default firewall.

Yes you can copy individual sections using cut/paste in a terminal window. Then watch what errors you get and correct them manually when required.
Some lines are "set" type and you can always repeat them, some are "add" type and they will fail when an item with the same name is already present.
You can go to a section e.g. /ip dns and then type export there (without the /) to see what is there and if it conflicts with what you want to paste.
 
holvoetn
Forum Guru
Posts: 5478
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 1:44 pm

I'm definitely with pe1chl on this one.
Major omission that there are no better tools to do so but import from rsc using text editor and copy/paste on top of a default config is the most sensible way.
In my opinion.

@jookraw
what you are describing is actually more or less the same (but not completely).
Only you import the edited file instead of copy/paste the pieces.

What you do forget is that sometimes in different versions certain settings have a different default for a good reason.
You may stick to the old settings with your method which could cause issues.
 
holvoetn
Forum Guru
Posts: 5478
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 1:46 pm

...just need to make sure that the destination device is clean, without any default config, also the port where you are connected needs to be out of the bridge when importing.
Those 2 parts contradict :lol:
without any default config = no ports on any bridge. There will be no bridge.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 2:33 pm

Yeah, I have done what he wrote, but using MAC connection from winbox on a directly connected machine (which does not require a bridge).
However, even when you know what you are doing there are lots of small details, and when there is one small mistake in the imported file the import stops at that point with an often ambiguous error message like "item already exists".
Of course you can use /import verbose=yes but even then it is a painstakingly repetitive process of fixing small errors and restarting.

And then we aren't even mentioning the bugs in RouterOS (especially in the ipv6 section which apparently is low-priority) where the order of the export is incorrect and has to be fixed for a correct import.
MikroTik really should work on a mechanism to transfer config to another router. Maybe by enabling the load of the .backup on another router and then presenting a dialog that asks you what you want to transfer from that backup (so you can exclude e.g. explicit MAC addresses, or can map interfaces that are different (e.g. wlan1->wlan2 or sfp1->sfpplus1).
Or else make the import much more failure-resistant, e.g. when it encounters config for items the new router does not have (LED, LCD, WLAN etc) just ignore it instead of crapping out.
And have an option in import to tell it to "clear config and import".
 
jda
just joined
Topic Author
Posts: 21
Joined: Thu Jun 04, 2015 11:34 am

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 4:16 pm

Thank you very much for your insights!

I agree on getting the "newest" defaults especially for the firewall. The majority of the setup work is in DNS, VPN, DHCP etc. so it would be fine to be able to import that.

Also agree on the need for a "robust" import method as this can also be used for recovery if a device dies and the new/backup device is not exactly the same model.

/John
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Migrate config to new Mikrotik box

Fri Oct 21, 2022 5:53 pm

Having gone through all that last year when I replaced a RB750r2 (on my DSL internet) and a RB750Gr3 (on my cable internet) with a single RB4011 (DSL replaced with fiber + the cable). Export from the old and carefully paste sections into a terminal window on the new router. Make sure you understand what is going on with any error messages or pastes that don't do what you expect. Pain in the neck! But it worked.
Wish Mikrotik would make that process easier !!!
 
jookraw
Member Candidate
Posts: 144
Joined: Mon Aug 19, 2019 3:06 pm

Re: Migrate config to new Mikrotik box

Mon Oct 24, 2022 2:57 pm

Those 2 parts contradict :lol:
without any default config = no ports on any bridge. There will be no bridge.
When performing the import, if in the import config the port that you are connected to is included in a bridge you'll lose the connection, and sometimes the import was interrupted and I had to start over.
 
jookraw
Member Candidate
Posts: 144
Joined: Mon Aug 19, 2019 3:06 pm

Re: Migrate config to new Mikrotik box

Mon Oct 24, 2022 3:08 pm

Recently I have successfully migrated config (fully) from a RB4011 to RB5009.
I just had to remove some extra ports from the RB4011 and removed the default configuration of RB5009 before the import.
My config uses a firewall part that works for my setup, and it contains the default rules from Mikrotik's docs.

If you leave the default config you'll have "item already exists".
 
jda
just joined
Topic Author
Posts: 21
Joined: Thu Jun 04, 2015 11:34 am

Re: Migrate config to new Mikrotik box

Mon Oct 24, 2022 3:15 pm

I have now spent a few hours today to get the new RB750Gr3 up and running.

After a number of resets I have come down to just adding my "fixed" DHCP addresses and locally defined DNS entries. I basically discovered that quite a few things have changed in the default config since I set up the other box.

Therefore, I intend to set up firewall filter and VPN "from scratch". First and most important is to accept incoming traffic on port 25 from a list of IP-addresses (that I have created a list for). However, when I use a port scanner to see if there is a hole through in my "test bench" (not connected to the real network with the mail server) I can't seem to open that port...

Does the order matter? I would have thought so - but can't seem to find a way to move my rule up...

I have tried to put my filters (where I have just added the last) and the nat config below:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Mail via O365" dst-port=25 \
    in-interface=ether1 protocol=tcp src-address-list=mail-gateway
And here the nat where I have added the specific ports only:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.42.240 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.42.240 to-ports=443
add action=dst-nat chain=dstnat dst-port=1352 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.42.222 to-ports=1352
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.42.222 to-ports=25
And for the VPN I tried to "enable" it on the first welcome "config" page and then intend to try and set it up from scratch using the current best practice (any pointers are welcome).

Thanks for the sparring so far!

/John
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Migrate config to new Mikrotik box

Mon Oct 24, 2022 4:34 pm

With the new default firewall there is NO need to change anything in the filter settings to allow forwarding a port.
You just have to enter the dstnat entry for that port forward in the nat settings.
 
jda
just joined
Topic Author
Posts: 21
Joined: Thu Jun 04, 2015 11:34 am

Re: Migrate config to new Mikrotik box

Mon Oct 24, 2022 11:16 pm

Thanks! Very interesting....

But how should I do it if I want to only allow the connection to port 25 from a limited list of IPs?
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Migrate config to new Mikrotik box

Tue Oct 25, 2022 12:09 am

add a firewall source address list to your /ip nat destination nat rule.
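
Added example, not part of the post above and not MikroTik code: a Python check that parses a `/ip firewall` export and flags dst-nat rules with no source restriction, plus input-chain accept rules on a port that is also dst-nat'ed (forwarded packets are filtered in chain=forward, so such a rule never sees them). The sample rules are copied from the export posted earlier in the thread; the function and finding names are assumptions made for this example.

```python
import shlex

# Constructed sample: three rules taken from the export posted in the thread.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="Mail via O365" dst-port=25 \
    in-interface=ether1 protocol=tcp src-address-list=mail-gateway
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.42.222 to-ports=25
'''


def parse_export(text):
    """Return (section, {key: value}) for each 'add' line of an export."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # export wraps long lines with "\"
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:])
            rules.append((section, dict(p for p in pairs if len(p) == 2)))
    return rules


def lint_port_forwards(rules):
    """Flag dst-nat rules open to any source, and input-chain accepts on a
    forwarded port (dst-nat'ed packets are filtered in chain=forward)."""
    nat = [r for s, r in rules
           if s == "/ip firewall nat" and r.get("action") == "dst-nat"]
    forwarded = {(r.get("protocol"), r.get("dst-port")) for r in nat}
    findings = []
    for r in nat:
        if not r.keys() & {"src-address", "src-address-list"}:
            findings.append(("unrestricted-forward", r.get("dst-port"),
                             r.get("to-addresses")))
    for s, r in rules:
        if (s == "/ip firewall filter" and r.get("chain") == "input"
                and r.get("action") == "accept"
                and (r.get("protocol"), r.get("dst-port")) in forwarded):
            findings.append(("input-rule-on-forwarded-port",
                             r.get("dst-port"), r.get("comment")))
    return findings


if __name__ == "__main__":
    for finding in lint_port_forwards(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Adding `src-address-list=mail-gateway` to the port 25 dst-nat rule clears the `unrestricted-forward` finding; the input-chain rule is still reported because it does not apply to the forwarded traffic.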
 
jda
just joined
Topic Author
Posts: 21
Joined: Thu Jun 04, 2015 11:34 am

Re: Migrate config to new Mikrotik box

Tue Oct 25, 2022 10:00 am

Thanks @anav

That is a much cleaner solution than the one I came up with myself where I added a firewall rule to drop all on port 25 that were not on my source IP list ;-)
add action=drop chain=forward comment="Only mail via O365" dst-port=25 in-interface-list=WAN protocol=tcp src-address-list=!mail-gateway
And just to tell where we are these days... When I had ssh'ed to the router the console looked like this:
08:54:19 echo: system,error,critical login failure for user root from 211.226.10.196 via telnet
08:54:22 echo: system,error,critical login failure for user enable from 211.226.10.196 via telnet
08:54:24 echo: system,error,critical login failure for user shell from 211.226.10.196 via telnet
08:54:28 echo: system,error,critical login failure for user root from 211.226.10.196 via telnet
08:54:31 echo: system,error,critical login failure for user enable from 211.226.10.196 via telnet
08:54:34 echo: system,error,critical login failure for user shell from 211.226.10.196 via telnet
08:54:38 echo: system,error,critical login failure for user root from 211.226.10.196 via telnet
08:54:41 echo: system,error,critical login failure for user enable from 211.226.10.196 via telnet
08:54:44 echo: system,error,critical login failure for user shell from 211.226.10.196 via telnet
08:54:48 echo: system,error,critical login failure for user default from 211.226.10.196 via telnet
08:54:51 echo: system,error,critical login failure for user enable from 211.226.10.196 via telnet
08:54:54 echo: system,error,critical login failure for user shell from 211.226.10.196 via telnet
08:54:58 echo: system,error,critical login failure for user admin from 211.226.10.196 via telnet
08:55:01 echo: system,error,critical login failure for user enable from 211.226.10.196 via telnet
08:55:04 echo: system,error,critical login failure for user shell from 211.226.10.196 via telnet
08:55:08 echo: system,error,critical login failure for user support from 211.226.10.196 via telnet
08:55:10 echo: system,error,critical login failure for user enable from 211.226.10.196 via telnet
08:55:13 echo: system,error,critical login failure for user shell from 211.226.10.196 via telnet
08:55:17 echo: system,error,critical login failure for user guest from 211.226.10.196 via telnet
08:55:20 echo: system,error,critical login failure for user enable from 211.226.10.196 via telnet
08:55:23 echo: system,error,critical login failure for user shell from 211.226.10.196 via telnet
08:55:27 echo: system,error,critical login failure for user root from 211.226.10.196 via telnet
08:55:29 echo: system,error,critical login failure for user enable from 211.226.10.196 via telnet
Crazy.... Just 5-10 mins after I switched to the new router. And they keep coming from several other IPs... :-(
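
Added example, not part of the post above: Python detection logic for console lines in the format shown, which groups login failures by source address and service and reports sources that reach a failure threshold inside a sliding time window. The sample lines are constructed in the same format with documentation addresses; the function names, threshold and window are assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown in the post above; the source
# addresses are RFC 5737 documentation addresses, not the ones from the thread.
SAMPLE_LOG = """\
08:54:19 echo: system,error,critical login failure for user root from 203.0.113.7 via telnet
08:54:22 echo: system,error,critical login failure for user enable from 203.0.113.7 via telnet
08:54:24 echo: system,error,critical login failure for user shell from 203.0.113.7 via telnet
08:54:28 echo: system,error,critical login failure for user root from 203.0.113.7 via telnet
08:54:31 echo: system,error,critical login failure for user admin from 203.0.113.7 via telnet
08:54:34 echo: system,error,critical login failure for user shell from 203.0.113.7 via telnet
08:55:40 echo: system,error,critical login failure for user admin from 198.51.100.20 via ssh
09:10:02 echo: system,error,critical login failure for user admin from 198.51.100.20 via ssh
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) .*login failure for user (\S+) "
                     r"from (\S+) via (\S+)$")


def parse_failures(text):
    """Return (seconds_since_midnight, user, source, service) per failure."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s, user, src, service = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s),
                           user, src, service))
    return events


def brute_force_sources(events, threshold=5, window=60):
    """(source, service) pairs with >= threshold failures in any window-second
    span. Assumes one day of lines: the console format carries no date."""
    by_key = defaultdict(list)
    for ts, user, src, service in events:
        by_key[(src, service)].append((ts, user))
    report = {}
    for key, hits in by_key.items():
        hits.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[key] = {"peak": peak,
                           "users": sorted({u for _, u in hits})}
    return report


if __name__ == "__main__":
    print(brute_force_sources(parse_failures(SAMPLE_LOG)))
```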
