GiovanniG
Member
Topic Author
Posts: 341
Joined: Sun Nov 15, 2015 4:12 pm

Activate a rule by an external automation

Tue Dec 27, 2022 2:34 am

Hi, I need to simplify the life of a friend activating VPN or deactivating it, I would do it by telegram messages or a small web interface with a button, but how can I then send the command to Mikrotik?
It would be great to have available a URL with a cgi request, for example, any similar way? Maybe sending it an email? (does it support email client/processing?) Maybe SNMP?

As for now I can just imagine establishing an SSL connection and typing the command there, but it looks a bit risky, as I might not get the result. Thank you
 
gotsprings
Forum Guru
Posts: 2103
Joined: Mon May 14, 2012 9:30 pm

Re: Activate a rule by an external automation

Tue Dec 27, 2022 1:11 pm

I have a guy who wants to VPN and doesn't want to see the failed log ins.

My answer was to use port knocking to put his IP into an address list. That address list is accepted for the UDP ports of L2TP+IPSec.

He has to send 3 packets to 3 different ports in order.

That adds his address for 60 seconds.

He then has to open the VPN connection.

Once connected... It stays in established connections and the VPN works until disconnected.
 
GiovanniG
Member
Topic Author
Posts: 341
Joined: Sun Nov 15, 2015 4:12 pm

Re: Activate a rule by an external automation

Tue Dec 27, 2022 3:58 pm

Thank you for your kind reply, it looks like I need something else, the easiest way is a method to enable/disable a specific rule, did Mikrotik ever think of a way to do that? If there is a way to execute a command line (ok I can always send the whole command to set and the opposite command to turn it off), like for example, as you say, port knocking, then a script could be run.
Is there any way to start a script from an incoming packet? Can SNMP do the trick?
 
Amm0
Forum Guru
Posts: 3260
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Activate a rule by an external automation

Tue Dec 27, 2022 4:21 pm

What's the actual problem? You want to REMOTELY activate someone else's VPN, via router config? Port knocking could allow you access, as suggested - your friend doesn't need to do anything, you just need to know the knock. All paths to run a script (or run any command) from outside the router require authentication. So if you had that, you'd just enable the VPN yourself....that's the part I'm missing. And while SNMP could run a script, you'd be exposing all of the router on the internet to do so. SNMP isn't very granular in what it exposes - all or nothing, read or read-write.

To cover the other approaches:
- firewall can't run scripts.
- no incoming SMTP/email support in Mikrotik
- similar with IoT MQTT, only publishes (no subscriptions/not a broker)
- while SMS might work, you'd need LTE for that

I suppose you could have your friend's router "poll" something via /tool/fetch in a /system/schedule script, where it looks for a file (or some specific HTTP response) that indicates the VPN should be turned on, and if it gets a 404 (or whatever you'd wanna program), it disables the VPN. You could schedule every 1 minute or whatever to check if the VPN should be enabled.

Now, if the problem is that you want your friend to be able to do it LOCALLY without having to do anything on the Mikrotik? There is also webfig and "skin" – a skin with most things removed could make activating the VPN relatively painless for your friend after logging in to the mikrotik.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Activate a rule by an external automation

Wed Dec 28, 2022 12:39 pm

Hi, I need to simplify the life of a friend activating VPN or deactivating it, I would do it by telegram messages or a small web interface with a button, but how can I then send the command to Mikrotik?
It would be great to have available a URL with a cgi request, for example, any similar way? Maybe sending it an email? (does it support email client/processing?) Maybe SNMP?

As for now I can just imagine establishing an SSL connection and typing the command there, but it looks a bit risky, as I might not get the result. Thank you
I'm doing the exact same thing with SMS commands and having SMS templates in my phone for each action. SMS commands actually call scripts that can activate/deactivate OpenVPN, Wireguard and Shadowsocks+v2ray running in a container. Firewall filter and NAT rules are tagged in the comment (eg. [OVPN], [WG] [SS]) by which the script can search and enable/disable them.
If your friend owns a MikroTik with a GSM modem, it can be done that way.
 
GiovanniG
Member
Topic Author
Posts: 341
Joined: Sun Nov 15, 2015 4:12 pm

Re: Activate a rule by an external automation

Wed Dec 28, 2022 11:49 pm

Thank you mates for your really interesting info!
I don't have LTE but the Mikrotik is absolutely reachable only from LAN, there are no security worries, so here I make a little brief of solutions:
SMS: I don't have LTE
knocking TCP ports: it can be ok, but I have one command, I can activate but to deactivate I'd have to use a timeout for example, I need 2 commands, turn on and off.
SNMP into LAN: I still look for info, if possible, if it can run scripts
New Webfig skin: I have no idea how, it needs a login, I would like a quicker way
MQTT: no input commands possible
polling an external device and run script if timeout: really interesting, I have a device which can do that
macro for sending SSH strings: possible but doesn't look good, some commands may not be caught, eventually another SSH session can take place at the same time, risky.

I'll work on polling, if SNMP doesn't give a chance
What can I use for polling? Ping is the easiest way, but can I check if a TCP port is open? Or maybe wait for a particular answer? Are there script examples somewhere? Thank you!
Last edited by GiovanniG on Wed Dec 28, 2022 11:55 pm, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 3260
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Activate a rule by an external automation

Wed Dec 28, 2022 11:55 pm

If you're on the LAN, you can just use SSH. https://help.mikrotik.com/docs/display/ ... er-SSHKeys

If you add the right keys to the user you'll use, any script/etc you want to run won't be prompted for login/password.
 
GiovanniG
Member
Topic Author
Posts: 341
Joined: Sun Nov 15, 2015 4:12 pm

Re: Activate a rule by an external automation

Wed Dec 28, 2022 11:58 pm

If you're on the LAN, you can just use SSH. https://help.mikrotik.com/docs/display/ ... er-SSHKeys

If you add the right keys to the user you'll use, any script/etc you want to run won't be prompted for login/password.
looks really good, I'm planning to use Node Red for this, do you know if there is a module which supports SSH keys?
 
Amm0
Forum Guru
Posts: 3260
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Activate a rule by an external automation

Thu Dec 29, 2022 1:56 am

Yeah SSH works well with NodeRED, never used it but it is kinda interesting. I'm curious how this turns out. Google finds:
https://github.com/olivervbk/node-red-contrib-ssh-v2
(you put the path to where the keys live in the "ssh" property)

Since it supports username/password too, you might want to test with that first.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Activate a rule by an external automation

Thu Dec 29, 2022 7:37 am

- firewall can't run scripts.
Actually there is a way to fake that out. I wanted to cause the router to execute a script that would send Wake on LAN packets to a specific computer. To trigger the script, I wanted to use a port knock sequence. As noted, the firewall rules for the port knock can't run the script. However, the last step in the port knock can create a log entry. Next step is a script that runs by schedule every minute that parses the log looking for that log entry. When it finds the log entry, it triggers the WOL script. Works just fine.
It ain't pretty, but it does get the job done.
 
Amm0
Forum Guru
Posts: 3260
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Activate a rule by an external automation

Thu Dec 29, 2022 8:10 am

That's clever. WoL as a notification protocol.
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Activate a rule by an external automation

Thu Dec 29, 2022 11:40 am

It actually is also possible to use SNMP to run a script, as asked/suggested several times above.
Of course you would not want SNMP to be open from the internet, but maybe it could be part of a port knocking sequence that first enables the access to SNMP.
To run scripts, you need a community with write access enabled (of course don't enable write access for "public", but add another one).
Using requests with this community, you can read the table of scripts available on the router, run a specified one (by sequence number), and receive the output.
It requires a somewhat clever SNMP client to be useful, as you first need to receive that table and select the proper script from it to use in a second call.
Hardwiring the sequence number would be very dangerous, as it will cause unpredictable things to happen when scripts are deleted (or added?).
 
GiovanniG
Member
Topic Author
Posts: 341
Joined: Sun Nov 15, 2015 4:12 pm

Re: Activate a rule by an external automation

Thu Dec 29, 2022 12:28 pm

Thank you! SNMP looks really interesting,
you wrote about different circumstances possible, but in my case I just need to create 2 static scripts, one to enable, the other to disable a rule.

About this, I would also like to ask your help, I've searched in the forum and a guy complained that it's not disabling the proper rule, so another user suggested:
So to specify a rule for modification within a script, use /ip firewall filter disable [find chain=... action=... ...] to specify the rule.

could somebody kindly write a concrete example about it here, supposing I have
add action=mark-routing chain=prerouting dst-address=!192.168.24.0/24 new-routing-mark=MYVPN passthrough=no src-address=192.168.1.250
thank you!
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Activate a rule by an external automation

Thu Dec 29, 2022 12:45 pm

The [ find= ... ] construct needs to match the rule you want to enable/disable ... and possibly match that one alone (so it's hard to construct a match condition without seeing the rest of the rules which have to be avoided).

Probably the easiest way is to add a comment to the rule, make sure the comment is truly unique. Then match against the comment.
 
arespy
just joined
Posts: 1
Joined: Thu Dec 29, 2022 1:11 pm

Re: Activate a rule by an external automation

Thu Dec 29, 2022 1:39 pm

Hi, depending on your ROS version, you have a lot of choices and all of them are maybe more flexible.

If you are running ROS v7.1beta4 or above, you can simply use the REST API as documented here: https://help.mikrotik.com/docs/display/ROS/REST+API
On the other side, you can take a look at the MIKROTIK ROS APIs: https://help.mikrotik.com/docs/display/ROS/API; they are widely diffused and you can even find an example in the MIKROTIK documentation: https://help.mikrotik.com/docs/display/ ... n3+Example; for those APIs, you may want to take a look at GitHub to find a ready-to-use repository.

In your case and if possible, I personally suggest using the REST API, as it is simpler and more intuitive and allows you to quickly write down a working script in any language (python, php, etc.); a quick example with cURL taken from the MIKROTIK documentation (result piped into jq):

 
curl -k -u admin: -X POST https://10.155.101.214/rest/ping --data '{"address":"10.155.101.1","count":"4"}' -H "content-type: application/json" | jq

Finally, you can even try to integrate Telegram and MIKROTIK - with the REST API or other interfaces - through your own script or ZABBIX, for example, but maybe the second one is a more business scenario; anyway, if you already implemented a ZABBIX system and you are tricky: https://www.zabbix.com/integrations/telegram
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Activate a rule by an external automation

Thu Dec 29, 2022 3:20 pm

could somebody kindly write a concrete example about it here, supposing I have
add action=mark-routing chain=prerouting dst-address=!192.168.24.0/24 new-routing-mark=MYVPN passthrough=no src-address=192.168.1.250
You can create some comment syntax for that, like tagging, e.g. "[MYVPN] rest of comment or empty":
add action=mark-routing chain=prerouting dst-address=!192.168.24.0/24 new-routing-mark=MYVPN passthrough=no src-address=192.168.1.250 comment="[MYVPN]"
and in the script you can have something like:
/ip/firewall/mangle
:foreach i in=[find where comment~"^\\[MYVPN\\].*"] do={ [disable $i] }
 
GiovanniG
Member
Topic Author
Posts: 341
Joined: Sun Nov 15, 2015 4:12 pm

Re: Activate a rule by an external automation

Thu Dec 29, 2022 4:08 pm

thank you! I can't wait to test it!
 
GiovanniG
Member
Topic Author
Posts: 341
Joined: Sun Nov 15, 2015 4:12 pm

Re: Activate a rule by an external automation  [SOLVED]

Wed Jan 04, 2023 10:21 pm

Hi everyone, I've used the SNMP method, if it may be useful for someone, here is what I did:
- I've commented the rule I needed to act/deact under IP firewall mangle
- Under IP I've enabled SNMP, in the Communities I've enabled the write Access and defined the allowed source IP subnet in the existing public profile.
- I've created under System two scripts, one to activate, the second to deactivate, something like this:
/ip firewall mangle enable [find comment=thecommentIhavetyped];
and I've run them for testing
- I've installed on Node Red the SNMP module, used the SNMP Set node, specified the Mikrotik IP, Version: v2c, community:public, varbinds: [{"oid":"1.3.6.1.4.1.14988.1.1.8.1.1.3.1", "type":"OctetString","value":"1"}]
this will execute the first script, to execute the second you need 1.3.6.1.4.1.14988.1.1.8.1.1.3.2 and so on, just inject the node with anything, it will set Mikrotik

This is a simple solution, without pretences to be safe/secure if exposed to internet
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Activate a rule by an external automation

Thu Jan 05, 2023 11:47 am

Yes it will work that way, but note that when you enable write access on "public" you may expose yourself to attacks by malware on your local network.
I would have added a new community, with a "secret" name, given that write access and also the local network or even 1 IP restriction, and use that instead of public only for this purpose.
"public" remains available for read-only use e.g. for monitoring, graphing, etc.

Also note that "first script" is a bit dangerous as a selector. You do not know what the first script is. Later when you edit, delete, re-add scripts it may be that another one is first.
This is generic for SNMP: referring to table objects by a fixed OID instead of walking the corresponding OID that lists the items by name and using the retrieved sequence number is always dangerous.
Today, more and more manufacturers try to help the user by keeping the OID mapping static, but I remember from Cisco routers that e.g. the interface numbers for any virtual interfaces would change on every reboot. As you normally do not reboot such devices frequently, you got surprises months after you implemented something and considered it working.
Any serious SNMP module should offer the possibility of doing a lookup of some name (script name in this case) and use the found object number in another OID.
 
GiovanniG
Member
Topic Author
Posts: 341
Joined: Sun Nov 15, 2015 4:12 pm

Re: Activate a rule by an external automation

Thu Jan 12, 2023 3:53 pm

thank you for your kind advice, I've named the group in another way, even if only men will use it/access the LAN. All others except from LAN sources are filtered out
The Mikrotik OID won't change, that's my only goal.
I'll be careful with script numbers, anyway I think I won't touch them
 
Amm0
Forum Guru
Posts: 3260
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Activate a rule by an external automation

Thu Jan 12, 2023 4:41 pm

If you don't add any scripts, you should be fine.

But you can make two SNMP requests to avoid that, if you want to run a script by its name. You just need to "walk" 1.3.6.1.4.1.14988.1.1.8.1.1.2.X which has the list of script names. The last X part of the OID can then be used in the SNMP SET to run the script via OID:
1.3.6.1.4.1.14988.1.1.8.1.1.3.X - e.g. ...2.1 contains the script name while ...3.1 is how you'd run it, but the .1 part always refers to the same script, just its parent changes depending on what you're looking for. This is backwards from JS/C++/etc where it's object.property, but in SNMP it's more like property.object.

See: https://wiki.mikrotik.com/wiki/Manual:SNMP#Run_Script
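The two-request lookup described by pe1chl and Amm0 above (walk the script-name column, then SET the run column with the index you found instead of hard-coding ...3.1), as an added example with net-snmp tools; this is not code from the thread or from MikroTik. It assumes `snmpwalk`/`snmpset` are installed and that the write community is a non-"public" one restricted to the management host, as pe1chl advises; the walk output below is constructed.

```shell
#!/bin/sh
# Added example: run a RouterOS script over SNMP by NAME, never by a
# hard-coded table index (indexes shift when scripts are added/removed).
# Assumes net-snmp (snmpwalk/snmpset); the two OIDs are the ones from the thread.

SCRIPT_NAME_TABLE=".1.3.6.1.4.1.14988.1.1.8.1.1.2"   # script name column
SCRIPT_RUN_TABLE=".1.3.6.1.4.1.14988.1.1.8.1.1.3"    # "run script" column

# Reads `snmpwalk -On` output on stdin and prints the index of the script
# named $1. Fails if the name is absent or not unique, so a typo or a
# duplicate name can never fire the wrong script.
script_index_from_walk() {
    want="$1"
    found=$(awk -v tbl="$SCRIPT_NAME_TABLE." -v want="$want" '
        index($1, tbl) == 1 {
            val = $0
            sub(/^[^=]*= STRING: /, "", val)   # drop "<oid> = STRING: "
            gsub(/^"|"$/, "", val)             # net-snmp quotes non-MIB strings
            if (val == want) { n = split($1, p, "."); print p[n] }
        }')
    set -- $found
    [ "$#" -eq 1 ] || { echo "script '$want': $# matches, refusing" >&2; return 1; }
    echo "$1"
}

# Walk with -On so OIDs are numeric regardless of which MIBs are installed,
# then SET ...3.<index>. OctetString "1" is the value the thread's Node-RED
# set node sends.
run_script_by_name() {
    host="$1"; community="$2"; name="$3"
    idx=$(snmpwalk -v2c -On -c "$community" "$host" "$SCRIPT_NAME_TABLE" \
          | script_index_from_walk "$name") || return 1
    snmpset -v2c -c "$community" "$host" "$SCRIPT_RUN_TABLE.$idx" s 1
}

# Constructed sample of what the walk returns on a router with three scripts.
SAMPLE_WALK='.1.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "vpn-on"
.1.3.6.1.4.1.14988.1.1.8.1.1.2.2 = STRING: "vpn-off"
.1.3.6.1.4.1.14988.1.1.8.1.1.2.3 = STRING: "backup"'

printf '%s\n' "$SAMPLE_WALK" | script_index_from_walk vpn-off   # prints 2
```

Against a real router you would call `run_script_by_name 192.168.88.1 mycommunity vpn-on` (placeholder address and community); the resolver refuses to act when the name is missing or ambiguous.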
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Activate a rule by an external automation

Thu Jan 12, 2023 7:57 pm

Yes, that is what I meant to say above.
But at the same time, I have seen many naive SNMP clients (e.g. in monitoring systems) where you need to specify the OID as a static value without such a lookup capability...
