Community discussions

MikroTik App
 
User avatar
grzesjan
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Feb 24, 2006 7:43 pm
Location: Poland

How to automate updating one rule in many mikrotiks?

Mon May 22, 2006 5:47 pm

have many mikrotiks with private addresses which act as a nat. However I have several network prefixes (all in my own network) I don't want to nat the traffic to.

I have done it making /ip firewall address-list nonat and defining there some prefixes and one rule in /ip firewall nat which accepts dst-addresses in nonat address-list and then src-nat is done to other addresses.

Everything is fine but the prefixes I don't want to nat change - some network connects and they join the list, some disconnect and they are removed.

Is there a way to automate changing the configuration od 20 mikrotiks?
All 20 mikrotiks have the same /ip firewall address-list nonat and all I want to do is to somehow automate the process of updating the list. It doesn't not to be immidiately, for example the update (if needed) once an hour is OK.

I have thought to put some file on web and that file has all prefixes listed.
Once an hour Mikrotiks downloads the file, update the firewall address-list.
Is it possible to do it?

Thanks in advance for your help.

Gregor
 
User avatar
Eugene
Forum Veteran
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Mon May 22, 2006 7:00 pm

Better run a bash script from dedicated box, something like:

for i in $ROUTER_ADDRESSES do
ssh -l $USER $i "/ip firewall address-list rem [find name=nonat]; /ip firewall address-list add name=nonat address=<address>";
done
Tout individu a droit à la vie, à la liberté et à la sûreté de sa personne.
 
User avatar
grzesjan
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Feb 24, 2006 7:43 pm
Location: Poland

Mon May 22, 2006 7:30 pm

Better run a bash script from dedicated box, something like:
for i in $ROUTER_ADDRESSES do
ssh -l $USER $i "/ip firewall address-list rem [find name=nonat]; /ip firewall address-list add name=nonat address=<address>";
done
Yes, I know such solutions - they are good but have one weak point - after compromising one "dedicated box" all my mikrotiks stay open. That is why I prefer web data fetching.

Can you suggest mi something more secure?

Thanks in advance,

Gregor
 
eflanery
Member
Member
Posts: 382
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID
Contact:

Tue May 23, 2006 8:20 pm

Are you suggesting that http is more secure than ssh?

Hint: it isn't.

--Eric
 
changeip
Forum Guru
Forum Guru
Posts: 3810
Joined: Fri May 28, 2004 5:22 pm

Tue May 23, 2006 8:23 pm

I think he/she means that doing a pull from each router (each with their own security) is more secure than pushing from a single location, because if that single location gets compromised they gain access to all the boxes.

Another vote for wget : )

Sam
 
eflanery
Member
Member
Posts: 382
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID
Contact:

Tue May 23, 2006 9:12 pm

Ahh, I see.

Sorry, I misunderstood.

I will also echo the request for wget, or even better curl.

One avenue you may wish to explore, would be linking a BGP instance to the address-list(s), with a frequently run script (I use a funky ping, and a firewall rule that detects it, to avoid writing to flash, and to ensure the address ages out correctly). That way, you could keep them updated in near real-time, and a compromise of your route server would only give access to the address-list(s) under it's control. I've been playing with something like this, and it does work, but I haven't actually used it for anything yet.

--Eric
 
User avatar
grzesjan
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Feb 24, 2006 7:43 pm
Location: Poland

Tue May 23, 2006 9:22 pm

One avenue you may wish to explore, would be linking a BGP instance to the address-list(s), with a frequently run script (I use a funky ping, and a firewall rule that detects it, to avoid writing to flash, and to ensure the address ages out correctly). That way, you could keep them updated in near real-time, and a compromise of your route server would only give access to the address-list(s) under it's control. I've been playing with something like this, and it does work, but I haven't actually used it for anything yet.
--Eric
I'm not sure if I have understood - do you suggest that I make bgp route server and announce there routes which I don't want to nat?
And then script on mikrotik which searches for routes received and adds them to firewall address-list?

Gregor
 
eflanery
Member
Member
Posts: 382
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID
Contact:

Wed May 24, 2006 1:36 am

Basically, yes.

What I have been doing is something like this:
/routing filter add chain=rs-bgp-in bgp-communities=65009:666 set-routing-mark=drop-me set-disabled=yes

/ip firewall filter add chain=output src-address=0.0.0.1 action=add-dst-to-address-list address-list=drop-me address-list-timeout=10m

/ip firewall filter add chain=output src-address=0.0.0.1 action=drop

/ip firewall filter add chain=forward src-address-list=drop-me action=drop
And then, a script that runs every 5m:
:foreach X in [/ip route find routing-mark=drop-me] do={
     /ping [/ip route get $X dst-address] count=1 src-address=0.0.0.1]
}
So, any address (/32 route) coming in over BGP instance "rs" with a community of 65009:666 will have all packets sourced from it dropped.

It would be easy enough to replace that last filter, with something that controls NAT. (Or other things, the possibilities are near endless)

--Eric
 
changeip
Forum Guru
Forum Guru
Posts: 3810
Joined: Fri May 28, 2004 5:22 pm

Wed May 24, 2006 2:52 am

Eric,

Thats a cool idea - I went at it a different way but accomplished the same thing I think.

http://wiki.mikrotik.com/wiki/Generate_ ... ting-marks

I am sure I will find a use for having the MT produce the pings to add rules though, so I'm glad you posted that. I have internal web servers using that ping method to add blocks to the firewalls on the fly, just found more uses for your scripts above : )
 
User avatar
grzesjan
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Feb 24, 2006 7:43 pm
Location: Poland

Wed May 24, 2006 11:47 am

Thanks all for your help. BGP route server is quite resonable idea. I will try to implement this. But I still think that we should have wget :)

Gregor
 
eflanery
Member
Member
Posts: 382
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID
Contact:

Thu May 25, 2006 9:54 pm

Yup, they are quite similar.

The major difference is that the bogon one modifies the config, and does not break on non-/32 routes; while the ping-based one is just the opposite. I wanted to avoid modifying the config, and take advantage of the address-list-timeout option. But, you can't ping a /24 as a whole; and if it looped through sending pings to each address, as the address-list could grow huge and inefficient. :(

I suppose one could make a hybrid, where it would ping if a /32, and manually add if not, but that could be confusing (and inconsistent in it's timeout method). :?

Slightly different tools for slightly different tasks, I guess.

Unless, of course, MT wanted to add a direct path between BGP and address-lists, bypassing the need for a script entirely. Something like:
/routing filter add chain=rs-bgp-in bgp-communities=65009:666 mirror-dst-in-address-list=drop-me set-disabled=yes
Or, something to that effect. Another feature suggestion, MikroTik guys. :D

--Eric
 
changeip
Forum Guru
Forum Guru
Posts: 3810
Joined: Fri May 28, 2004 5:22 pm

Thu May 25, 2006 10:45 pm

/routing filter add chain=rs-bgp-in bgp-communities=65009:666 mirror-dst-in-address-list=drop-me set-disabled=yes

That would be handy. Being able to use address-list for BGP annoucements / filters would be nice : ) We plan on providing BGP feeds as a public service shortly... subscribe to a feed of known zombies, port scanners, rbls, etc. Somewhat like the Cymru bogons bgp feed. It would be nice to use mikrotik for this.

Sam
 
eflanery
Member
Member
Posts: 382
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID
Contact:

Thu May 25, 2006 11:00 pm

Distributed real-time multi-ISP firewall, I like it. :twisted:

--Eric
 
User avatar
Eugene
Forum Veteran
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Fri May 26, 2006 6:40 pm

I think he/she means that doing a pull from each router (each with their own security) is more secure than pushing from a single location, because if that single location gets compromised they gain access to all the boxes.

Another vote for wget : )

Sam

Well, if the box they pull data from is compromised, the result is the same.
Tout individu a droit à la vie, à la liberté et à la sûreté de sa personne.
 
User avatar
Eugene
Forum Veteran
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Fri May 26, 2006 6:40 pm

I think he/she means that doing a pull from each router (each with their own security) is more secure than pushing from a single location, because if that single location gets compromised they gain access to all the boxes.

Another vote for wget : )

Sam

Well, if the box they pull data from is compromised, the result is the same.
Tout individu a droit à la vie, à la liberté et à la sûreté de sa personne.
 
User avatar
grzesjan
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Feb 24, 2006 7:43 pm
Location: Poland

Fri May 26, 2006 11:35 pm

Well, if the box they pull data from is compromised, the result is the same.
No, becouse we can filter pulled data. Some checking can be done. Some damage can be done if main box is compromised (for example they can turn off nat for everyone), but they can not _compromise_ the rest of boxes, for example they can not steal data from them.

Gregor
 
User avatar
sten
Forum Veteran
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Sat May 27, 2006 7:51 am

I think he/she means that doing a pull from each router (each with their own security) is more secure than pushing from a single location, because if that single location gets compromised they gain access to all the boxes.
Haha, wget would be cool but consider if someone compromises the webserving server?

Talk about shooting yourself in the foot.

And injecting text into http tcp connections is among the easier things to do with . All the hacker would need to be doing is be connected to the same bridged/switched/hubbed network. Doesn't have to be the same access point event!

Ettercap actually comes with a GUI now :D
Move along. Nothing to see here.
 
davidw
Frequent Visitor
Frequent Visitor
Posts: 91
Joined: Fri Apr 27, 2007 11:11 pm

Re: How to automate updating one rule in many mikrotiks?

Tue Aug 18, 2009 4:36 pm

Hi Gregor, not sure if you found a decent solution but... you could try http://www.routertools.com.au. We wrote this software after trying to manage 400 routers became near impossible doing it 1 by 1.
have many mikrotiks with private addresses which act as a nat. However I have several network prefixes (all in my own network) I don't want to nat the traffic to.

I have done it making /ip firewall address-list nonat and defining there some prefixes and one rule in /ip firewall nat which accepts dst-addresses in nonat address-list and then src-nat is done to other addresses.

Everything is fine but the prefixes I don't want to nat change - some network connects and they join the list, some disconnect and they are removed.

Is there a way to automate changing the configuration od 20 mikrotiks?
All 20 mikrotiks have the same /ip firewall address-list nonat and all I want to do is to somehow automate the process of updating the list. It doesn't not to be immidiately, for example the update (if needed) once an hour is OK.

I have thought to put some file on web and that file has all prefixes listed.
Once an hour Mikrotiks downloads the file, update the firewall address-list.
Is it possible to do it?

Thanks in advance for your help.

Gregor
 
User avatar
m4rk0
Member Candidate
Member Candidate
Posts: 195
Joined: Sat Feb 16, 2008 8:30 pm
Location: BA

Re:

Thu Sep 03, 2009 6:23 pm

Better run a bash script from dedicated box, something like:

for i in $ROUTER_ADDRESSES do
ssh -l $USER $i "/ip firewall address-list rem [find name=nonat]; /ip firewall address-list add name=nonat address=<address>";
done
Do You have full script which will send specified command to all routers in $ROUTER_ADDRESSES?
http://www.mreza-wisp.ba/
Please, give Karma if I fix your problem
Certified MTCNA

Who is online

Users browsing this forum: No registered users and 20 guests