Automatically provisioning RBs

Posted: Tue Sep 14, 2010 12:57 pm
by NAB
Hi all,

We have a standard configuration we need to roll out over many routerboards. Most of this configuration will be the same for every single board, however the IP addressing (and consequently routing) will be different for each board.

So, I'd like to have a standard script I can provision with NetInstall which:

a) sets up all the main functionality (NTP, firewall, queues etc.), tunnel to LNS and then,
b) connects externally to query what IP addresses it should allocate to the LAN interfaces.
c) then, once it's got these, set up the interfaces, DHCP servers, pools and routing

a) and c) I can do no problem at all, but I can't work out the best way of doing b). My initial thoughts are just to wget the information from a web server, but it's a bit of a mess:

1) Security concerns
2) What if there is no 'net connectivity
3) What if the web server doesn't respond
4) What if the web server responds with garbage data

Does anybody have any thoughts on how to provision device-specific configurations on top of a generic configuration?

Re: Automatically provisioning RBs

Posted: Fri Sep 24, 2010 7:07 am
by vik1988
You can use a .rsc script file at the time of installation, or you can also use the Flashfig feature in Netinstall.

Re: Automatically provisioning RBs

Posted: Fri Sep 24, 2010 11:10 am
by blake
I've thought about this, and it's always seemed better as a 'push' operation instead of a 'pull.'

You could probably have the RB run a script on startup which makes an HTTP GET request using /tool fetch to a service listening on a remote server. Send in the MAC of your external interface as the src-path. This server will record the connecting IP and corresponding requested path / MAC. It could then look up the config settings for that MAC in a database, generate a config, then push it via the API, telnet, or SSH. Once provisioning is done delete the initial check-in script, and you're done.

Run the script under /system scheduler if you're worried about the web server being unavailable. This could always be deleted as it's being provisioned.

Seems easy, and I may try it one day.

Re: Automatically provisioning RBs

Posted: Fri Sep 24, 2010 7:13 pm
by NAB
You can use a .rsc script file at the time of installation, or you can also use the Flashfig feature in Netinstall.
Neither of these methods would work on a large-scale deployment - imagine rolling out 100 RBs, each of them requiring a (slightly) different configuration.

Re: Automatically provisioning RBs

Posted: Fri Sep 24, 2010 7:21 pm
by NAB
then push it via the API, telnet, or SSH.
I like that. The main problem I was having was how to determine whether the request for provisioning is correct or not. I thought I'd got around the problem by having the RB bring up an L2TP tunnel using a combination of a 'secret' as well as its MAC and serial number and then returning a .rsc in response to an HTTP GET. Making the server push rather than pull adds an extra layer of security.

It would be nice if you could pass netinstall a URL and have netinstall pull the configuration from that URL and provision that onto the router. Perhaps doing variable substitution for MAC and/or serial number?

Hmmm. Ah well.
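
A server-side check-in handler for the push model blake describes above, combined with the secret + MAC + serial check and the MAC/serial variable substitution NAB mentions, as an added example that is not code from this thread or from any MikroTik tool. The inventory, secret, template and the wire format (the board presents its MAC, serial and an HMAC of both) are constructed assumptions.

```python
import hmac
import hashlib
import re

# Constructed sample data: a provisioning secret shared with the boards, and an
# inventory keyed by MAC that maps each board to its serial and LAN addressing.
PROVISIONING_SECRET = b"example-secret-do-not-reuse"
INVENTORY = {
    "00:0C:42:11:22:33": {"serial": "1A2B3C4D5E6F", "lan": "192.168.10.1/24", "site": "branch-01"},
}
# Generic .rsc template; %mac%, %serial%, %lan% and %site% are substituted per device.
TEMPLATE = """/system identity set name=%site%
/ip address add address=%lan% interface=ether2
# provisioned for %mac% (serial %serial%)
"""
MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")

def checkin_token(mac, serial, secret=PROVISIONING_SECRET):
    """HMAC the board must present alongside its MAC and serial."""
    msg = (mac.upper() + "|" + serial.upper()).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def handle_checkin(mac, serial, token, inventory=INVENTORY, secret=PROVISIONING_SECRET):
    """Return the rendered .rsc for a known, authenticated board, else None."""
    mac = mac.upper()
    if not MAC_RE.match(mac):
        return None                       # malformed identifier: reject before any lookup
    entry = inventory.get(mac)
    if entry is None or entry["serial"].upper() != serial.upper():
        return None                       # unknown board, or serial does not match inventory
    if not hmac.compare_digest(token, checkin_token(mac, serial, secret)):
        return None                       # wrong secret: constant-time compare avoids timing leaks
    values = {"mac": mac, "serial": serial.upper(), **entry}
    # Only known placeholders are substituted; an unknown %x% raises instead of shipping blank config.
    return re.sub(r"%(\w+)%", lambda m: values[m.group(1)], TEMPLATE)
```

The board-side fetch and the push back over API/SSH are left to the reader; this block only shows the decision the server must make before it pushes anything.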

Re: Automatically provisioning RBs

Posted: Sat Sep 25, 2010 4:24 am
by ayufan
NAB, for my network I'm using my own ROSAPI. ROSAPI allows you to perform configuration synchronization. It mirrors the local config stored on the main server to the devices. ROSAPI allows you to define a PHP function in a script. The function can build a configuration for a device using data stored in a database.

In my setup each device has a class, a MAC address, a list of wireless links it is connected to (with backup links), IP addresses, and basic configuration like passwords. Every night each device is synchronized to the latest configuration stored on the servers. Sometimes I change `trusted-addr` (the list of IP hosts which have unlimited access to the devices), or for example revert all hand-made configurations (other people have access to `private` and `user` devices). In my network I divided the devices into several classes. My configuration is hierarchical. That means the global network configuration comes first, then the device class configuration, and last the specific device configuration.

Configuration is stored in text files. I will post a few stripped files to let you see how it works:

/config - main configuration file
require sections

# base config
set identity name=%name%
set clock time-zone-name=Europe/Warsaw
set ntp-client enabled=true mode=unicast primary-ntp= secondary-ntp=
set dns primary-dns= secondary-dns= allow-remote-requests=false cache-size=8192 cache-max-ttl=1w00:00:00
set graphing store-every=hour
set e-mail from=%name%@mgnt.osk-net.local server=
set user-aaa use-radius=false accounting=false default-group=read

# backup
var backup_email ayufan@***
var backup_subject "[MGNT] " . [/ system clock get date] . " - %name%"
var backup_event / system backup save name=current; / tool e-mail send subject=(%backup_subject% . ".backup") to=%backup_email% file=current.backup;
var backup_event %backup_event% / export file=current; / tool e-mail send subject=(%backup_subject% . ".rsc") to=%backup_email% file=current.rsc;
add scheduler name=SendBackup disabled=false interval=1d00:00:00 start-date=jan/01/1970 start-time=12:%sub%:00 on-event=%backup_event%

# services config
add service name=telnet port=23 disabled=true address=
add service name=ftp port=21 disabled=true address=
add service name=www-ssl port=443 disabled=true address=
add service name=winbox port=8291 disabled=false address=
add service name=api port=8728 disabled=false address=
add service name=www port=80 disabled=true address=
add service name=ssh port=22 disabled=false address=

# disable accounting
set accounting enabled=false
set accounting-web-access accessible-via-web=false

# include individual configs
require %class%/config

/user/config - main config for user class devices
# disable connection tracking
set connection-tracking enabled=false

# backbone config
wireless-local-backbone backbone
vlan backbone 100 backbone.local
address backbone 192.168.10.%%/16

# disable
disable ospf ospf-area ospf-interface ospf-network ospf-area-range
disable ppp-aaa ppp-profile pppoe-server

# load device config
require device.%name%

/user/device.mirek - config for device named `mirek`
require default-nat

/user/default-nat - configuration of client side router with dhcp-server
# enable connection tracking
set connection-tracking enabled=true

# enable dhcp-client
add dhcp-client interface=backbone.local use-peer-dns=true use-peer-ntp=false add-default-route=true disabled=false

# enable dhcp-server
address ether1
add ether name=ether1 arp=enabled
add pool name=local ranges=
add dhcp-server interface=ether1 name=local lease-time=01:00:00 address-pool=local add-arp=false bootp-support=static authoritative=after-2sec-delay use-radius=false disabled=false
add dhcp-server-network address= gateway= netmask=24 dns-server=
add dhcp-server-alert interface=ether1 alert-timeout=1h disabled=false
set dns allow-remote-requests=true

# enable nat
require firewall
add firewall-filter chain=forward src-address=! in-interface=ether1 action=drop
add firewall-nat chain=srcnat src-address= out-interface=backbone.local action=masquerade

# disable changes
disable queue-simple queue-type

# allow to create user port mappings in dstnat chain on router!
pass firewall-nat chain=srcnat

A simple script function written in PHP which fetches data from a MySQL database and configures a wireless interface:
function wireless-ap $interface $profile=default $limit=1M/3M
	$parser->call('local-network', array($interface, $interface));
	$parser->call('add-devices', array($interface, $profile, $limit, "ap"));

	// $interface is interpolated straight into the query; it comes from the config script, not from the device
	if($res = mysql_query("SELECT address,freq FROM interfaces WHERE interface='$interface' LIMIT 1")) {
		if($i = mysql_fetch_assoc($res)) {
			// the posted file is stripped; assumed here: $freq is built from the row's freq column
			$freq = "frequency=" . $i['freq'];
			$parser->config('wlan', "name=$interface radio-name=$interface $freq default-authentication=false default-forwarding=false mode=ap-bridge wds-default-bridge=none wds-ignore-ssid=true wds-mode=static wmm-support=enabled security-profile=radius");
		}
	}

	$parser->config('wireless-access-list', "mac-address=00:03:03:03:03:03 interface=$interface comment=dummy disabled=false authentication=true forwarding=false");
	$parser->config('wireless-access-list', "mac-address=00:1D:92:C4:51:E0 interface=$interface comment=gregoxmsi disabled=false authentication=true forwarding=false");

Then this function can be used in a script:
wireless-ap wlan1 wpa-protected

Now I can say that ROSAPI is really powerful, but it requires some heavy script coding and very good knowledge of the RouterOS command line. When you master ROSAPI, it will make your life easier, or even make you synchronized ;)

For Netinstall, you can prepare some predefined configuration, then add the device on the web and click synchronize to push the configuration to the device ;)

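A minimal resolver for the hierarchical file layout shown above (global /config, then %class%/config, then device.%name%, each pulled in with `require`), as an added example that is not ROSAPI's own code. The file contents are constructed, trimmed copies of the post's files; `%sub%` standing in for the post's `%%` and the "last statement wins" rule are assumptions.

```python
import os
import re

# Constructed, heavily trimmed copies of the files in the post; paths are keys.
FILES = {
    "/config": "set identity name=%name%\nrequire %class%/config\n",
    "/user/config": (
        "set connection-tracking enabled=false\n"
        "address backbone 192.168.10.%sub%/16\n"
        "require device.%name%\n"
    ),
    "/user/device.mirek": "require default-nat\n",
    "/user/default-nat": (
        "# enable connection tracking\n"
        "set connection-tracking enabled=true\n"
        "add dhcp-client interface=backbone.local add-default-route=true\n"
    ),
}

def substitute(line, variables):
    """Replace every %var% with its value; an unknown name raises so a typo is not shipped as blank."""
    return re.sub(r"%(\w+)%", lambda m: variables[m.group(1)], line)

def resolve(path, variables, files=FILES, out=None):
    """Flatten one config file: follow `require`, record `var`, emit everything else in order."""
    out = [] if out is None else out
    base = os.path.dirname(path)
    for raw in files[path].splitlines():
        line = substitute(raw.strip(), variables)
        if not line or line.startswith("#"):
            continue
        verb, _, rest = line.partition(" ")
        if verb == "require":
            # paths are relative to the including file: /config -> /user/config -> /user/device.mirek
            resolve(os.path.normpath(os.path.join(base, rest)), variables, files, out)
        elif verb == "var":
            name, _, value = rest.partition(" ")
            variables[name] = value       # later %name% references see the new value
        else:
            out.append(line)
    return out

def effective(statements, prefix):
    """Last statement starting with `prefix` wins; that ordering is what makes the layering hierarchical."""
    return next((s for s in reversed(statements) if s.startswith(prefix)), None)
```

For device `mirek` of class `user`, the class file disables connection tracking and the device's `default-nat` include re-enables it, so the effective setting is the device-level one.
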
Re: Automatically provisioning RBs

Posted: Sun Oct 03, 2010 11:52 pm
by blake
Would you be interested in sharing ROSAPI with us? I'd like to look at the code, and possibly use it in my network. If you're wanting to make a few bucks off it, give a ballpark price. I'd certainly be willing to pay for a solution that works, and scales.

Re: Automatically provisioning RBs

Posted: Mon Oct 04, 2010 12:45 am
by ayufan

Re: Automatically provisioning RBs

Posted: Mon Oct 04, 2010 9:44 am
by blake
Great, thank you sir!