
Ip to Lan port

Posted: Fri Apr 07, 2017 7:36 am
by skullzaflare
I have been digging a while but have not found anything specific.
So I work at a wireless ISP using Cambium APs at tower sites, and MikroTiks as well.

So a question being, Cambium radios are always accessible at 169.254.1.1 if you put a 169 on your computer (locally connected), so what I am interested in doing is having a rule in the tower router that is normally disabled, but if the AP crashes/defaults I would like to be able to get to the radio without a drive.

Is there a way to forward say, 10.10.5.50 to forward on to the etherport chosen (we will say port 3) to send/receive all traffic from the 169?
So if we are using a 2011, and 3 radios defaulted, port 2/4/5. Enable the rule, change to port 2, punch 10.10.5.50 in the computer, travels to router, then forwards to the radio talking at 169

Re: Ip to Lan port

Posted: Fri Apr 07, 2017 8:05 am
by idlemind
I suppose this would be possible with a nat rule. In that case the "computer" could be just about any in question as long as it had reachability to the tower router. You would tell the router if IP x.x.x.a then nat it out the appropriate interface. Assign a 169 address on ether1, if x.x.x.b then mangle it to 169 on ether2, etc...
/ip address add disabled=no address=169.254.1.21/24 interface=ether1
/ip address add disabled=no address=169.254.1.22/24 interface=ether2
/ip address add disabled=no address=169.254.1.23/24 interface=ether3

/ip firewall nat add disabled=no action=src-nat chain=srcnat src-address=10.5.1.11 dst-address=10.5.1.21 out-interface=ether1 to-addresses=169.254.1.21 log=yes
/ip firewall nat add disabled=no action=src-nat chain=srcnat src-address=10.5.1.11 dst-address=10.5.1.22 out-interface=ether2 to-addresses=169.254.1.22 log=yes
/ip firewall nat add disabled=no action=src-nat chain=srcnat src-address=10.5.1.11 dst-address=10.5.1.23 out-interface=ether3 to-addresses=169.254.1.23 log=yes

/ip firewall nat add disabled=no action=dst-nat chain=dstnat src-address=169.254.1.1 in-interface=ether1 dst-address=169.254.1.21 to-addresses=10.5.1.21 log=yes
/ip firewall nat add disabled=no action=dst-nat chain=dstnat src-address=169.254.1.1 in-interface=ether2 dst-address=169.254.1.22 to-addresses=10.5.1.22 log=yes
/ip firewall nat add disabled=no action=dst-nat chain=dstnat src-address=169.254.1.1 in-interface=ether3 dst-address=169.254.1.23 to-addresses=10.5.1.23 log=yes

Re: Ip to Lan port

Posted: Fri Apr 07, 2017 8:27 pm
by skullzaflare
So, I am no networking tech obviously. This is a cap of what is at one site we had an issue at prior to my initial post. Radio on port 2 (which is 10.255.2.34 addressed) can normally be accessed from the office with its IP, however a tech accidentally kicked it to SM mode and caused some issues. All of our radios can be accessed at the web page of 169.254.1.1 (when plugged into them with a 169 placed on the computer).
Obviously I can't load a 169 from the office, which is why I was looking at if we can forward another IP to the ether2, basically any communication to 10.10.5.50 hits port 2, translated to 169.254.1.1 to the radio.

On this tower, ether3 is the feed link from the office
[Attachment: Capture.PNG]

Re: Ip to Lan port  [SOLVED]

Posted: Fri Apr 07, 2017 8:34 pm
by idlemind
A correction! I labbed this up quick and it seems to work. You probably don't need the mangle. See the attached picture.
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=172.16.2.22 in-interface=ether1 log=yes \
    new-connection-mark=DeadCambium1
/ip firewall nat
add action=dst-nat chain=dstnat connection-mark=DeadCambium1 log=yes to-addresses=169.254.1.1
add action=src-nat chain=srcnat connection-mark=DeadCambium1 log=yes out-interface=ether2 to-addresses=\
    169.254.1.22
[Attachment: MikroTik Forums - Manage Cambium 169.254.1.1 IP from Anywhere_1.png]
The list of IP addresses on the dead device (you'll see it only has 169.254.1.1):
dead1#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            169.254.1.1     YES manual up                    up      
Serial0/0                  unassigned      YES unset  administratively down down    
FastEthernet0/1            unassigned      YES unset  administratively down down    
Serial0/1                  unassigned      YES unset  administratively down down    
Serial0/2                  unassigned      YES unset  administratively down down    
Serial0/3                  unassigned      YES unset  administratively down down    
Serial0/4                  unassigned      YES unset  administratively down down    
Serial0/5                  unassigned      YES unset  administratively down down    
FastEthernet1/0            unassigned      YES unset  administratively down down    
FastEthernet2/0            unassigned      YES unset  administratively down down    
dead1#
*Mar  1 00:06:10.723: %SYS-5-CONFIG_I: Configured from console by console
dead1#
I used a Cisco device to simulate my dead cambium device because well that's what I had and it was different than a MikroTik. I used a tinycore Firefox appliance that comes with GNS3 to act as the Admin PC back at the home office.

These rules can be active all the time and you likely could filter the traffic in some way or you can, like you said, enable them on demand.

I used the IP 172.16.2.22 semi-randomly. It just needs to be an unused IP that would or could be made to route to the MikroTik in the tower. You could even re-use the Cambium's IP but then you'd be in a situation where you had to toggle the rule on and off to get desired functionality.

Good luck.

Re: Ip to Lan port

Posted: Sat Apr 08, 2017 3:21 pm
by skullzaflare
Thanks, will give it a try Monday when I get in. Since the 169 works regardless of if the radio is programmed or not, it can be live tested too!

Re: Ip to Lan port

Posted: Tue Apr 11, 2017 3:12 am
by idlemind
skullzaflare wrote:
> Thanks, will give it a try Monday when I get in. Since the 169 works regardless of if the radio is programmed or not, it can be live tested too!

How'd it work out?

Re: Ip to Lan port

Posted: Tue Apr 11, 2017 2:20 pm
by skullzaflare
Ended up taking Monday off lol. Will test today

Re: Ip to Lan port

Posted: Tue Dec 19, 2017 7:19 pm
by skullzaflare
Verrrrry late reply!!
I had been trying to avoid network stuff myself lol. IT WORKS!! Of course you probably knew that!
We have been switching from a bridged network and everything is going OSPF. So I played around with this today since they installed new panels at a tower and we had no access to them. Just going to paste my copy from what you gave me, along with my notes lol, I made it into my own cheat sheet, but going to paste it so if anyone searches for the same thing, it will be more compact, with directions
/ip address add disabled=no address=169.254.1.22/24 interface=ether2
##Change "interface" to the etherport of dead/inaccessible radio

/ip firewall mangle add action=mark-connection chain=prerouting dst-address=172.16.2.22 in-interface=ether1 log=yes new-connection-mark=DeadCambium1
##A)Change "172.16.2.22" to an accessible IP, example, if the defaulted/dead radio WAS 10.30.53.250, 
##A)put that in "dst-address", this is how you will access it in browser
##B)Change "in-interface" to the WAN of the router, example, at NMTN ether1 is the feed, so you choose that port

/ip firewall nat add action=dst-nat chain=dstnat connection-mark=DeadCambium1 log=yes to-addresses=169.254.1.1
##Use as is

/ip firewall nat add action=src-nat chain=srcnat connection-mark=DeadCambium1 log=yes out-interface=ether2 to-addresses=169.254.1.22
##Change "out-interface" to the port the dead/inaccessible radio is on

/ip address add address=169.254.1.22/24 disabled=no interface=ether2
##Change "interface" to ether that dead/inaccessible radio is on
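
Added example, not part of any post above: idlemind mentions that the rules could be filtered or enabled on demand, and this variant of the thread's rules does both, so a radio sitting on its default 169.254.1.1 page is reachable only from the admin subnet and only while the rules are switched on. The address list name `RecoveryAdmins`, the subnet 10.10.0.0/24 and the `radio-recovery` comment tag are assumptions; every other value is taken from the thread.

```routeros
# Hosts allowed to reach a defaulted radio through the tower router.
# List name and subnet are assumed; use your own office/admin range.
/ip firewall address-list
add list=RecoveryAdmins address=10.10.0.0/24 comment="radio-recovery admins (assumed subnet)"

# Link-local address facing the radio; kept disabled until needed.
/ip address
add address=169.254.1.22/24 interface=ether2 disabled=yes comment="radio-recovery"

# Same mark rule as in the thread, with a source restriction added.
# Traffic to 172.16.2.22 from any other source is never marked, so it is never NATed.
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=DeadCambium1 \
    in-interface=ether1 dst-address=172.16.2.22 src-address-list=RecoveryAdmins \
    disabled=yes log=yes comment="radio-recovery"

# NAT rules from the thread, unchanged apart from disabled=yes and the comment tag.
/ip firewall nat
add chain=dstnat action=dst-nat connection-mark=DeadCambium1 to-addresses=169.254.1.1 \
    disabled=yes log=yes comment="radio-recovery"
add chain=srcnat action=src-nat connection-mark=DeadCambium1 out-interface=ether2 \
    to-addresses=169.254.1.22 disabled=yes log=yes comment="radio-recovery"

# Switch everything on for a recovery session...
/ip address enable [find comment="radio-recovery"]
/ip firewall mangle enable [find comment="radio-recovery"]
/ip firewall nat enable [find comment="radio-recovery"]

# ...and off again once the radio has been reconfigured.
/ip address disable [find comment="radio-recovery"]
/ip firewall mangle disable [find comment="radio-recovery"]
/ip firewall nat disable [find comment="radio-recovery"]
```

As in the cheat sheet, change `ether1` to the feed port and `ether2` to the port of the inaccessible radio before enabling.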