famadorian
just joined
Topic Author
Posts: 14
Joined: Sat Nov 20, 2021 10:57 am

Console Access (OOB)

Fri Jan 27, 2023 5:48 pm

I'm new to Mikrotik and I wonder if their equipment can be managed with commands on a console port, like Cisco does?

I have a Mikrotik Cap AC and I see it has two Ethernet ports; may any of them be used as a console port out of band?
 
RiFF
newbie
Posts: 35
Joined: Sun Apr 29, 2018 9:35 pm

Re: Console Access (OOB)

Fri Jan 27, 2023 6:01 pm

Yes, they can be managed via the console port, but you need to buy hardware with this port (not all devices have it) e.g. - https://mikrotik.com/product/RB3011UiAS-RM
Some MT devices have a USB port; you can buy an additional adapter (Woobm-USB - https://mikrotik.com/product/woobm), then the management console will be available by WiFi
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Console Access (OOB)

Fri Jan 27, 2023 7:00 pm

Besides the OOB console there is the in-band terminal (SSH) or (New Terminal) in Winbox and (Terminal) in Web interface.
Also have a look at the MQS: https://i.mt.lv/cdn/product_files/RBMQS_190942.pdf for OOB access to the ethernet port.
 
famadorian
just joined
Topic Author
Posts: 14
Joined: Sat Nov 20, 2021 10:57 am

Re: Console Access (OOB)

Sun Jan 29, 2023 2:57 pm

ok, right now I wonder about this Cap AC device;) The only way to configure it is over IP? It has no USB port and there's no way to access it OOB over Ethernet.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Console Access (OOB)

Sun Jan 29, 2023 3:01 pm

> ok, right now I wonder about this Cap AC device;) The only way to configure it is over IP? It has no USB port and there's no way to access it OOB over Ethernet.

RoMON would let you do that, it uses a different ether-type and runs on Layer-2.
 
famadorian
just joined
Topic Author
Posts: 14
Joined: Sat Nov 20, 2021 10:57 am

Re: Console Access (OOB)

Sun Jan 29, 2023 3:14 pm

right, but this is something which has to be enabled as far as I can see

However, when reading about what RoMON was, I discovered mac-telnet.

That looks like some kind of OOB way to access the device through its mac address?;)

Hmm; now I read "MAC telnet is possible between two MikroTik RouterOS routers only". Damn.

So, I can't access this device OOB without first setting up an IP, then enabling RoMON?;) I must be missing something here;)
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Console Access (OOB)

Sun Jan 29, 2023 4:37 pm

Re: RoMON - Correct, RoMON must be enabled first. winbox lets you connect to a RoMON using Layer2, and the winbox can see all the "neighbor" RouterOS to the router you connected to via winbox+RoMON. If RoMON is enabled on more of your routers, RoMON will find a path through multiple RoMON instances. I've just used winbox with RoMON, I'm not sure of any CLI tools to use it.

Re: mac-telnet - You don't need RoMON once you're connected to one RouterOS terminal, since /tool/mac-telnet can use its own interface directly. It doesn't need an IP address for that to work. But yes, it is only between RouterOS devices - if I recall, mac-telnet actually uses the winbox wire protocol (which works at L2 and L3), to essentially "tunnel" the terminal.
 
famadorian
just joined
Topic Author
Posts: 14
Joined: Sat Nov 20, 2021 10:57 am

Re: Console Access (OOB)

Sun Jan 29, 2023 9:09 pm

This seems terrible for an administrator; that I have to "enable" it before I can use it. Imagine if I had a Cisco access point and I had to set it up with IP before I could manage it; it would kind of defeat the purpose.

I do however see that there is a github page for a mac-telnet implementation; may I use this to connect directly from my computer?
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Console Access (OOB)

Sun Jan 29, 2023 10:42 pm

Security and convenience are often mutually exclusive.

The mac accesses (Telnet, SSH) do not use IP addresses and are not filtered by the IP Firewall.
It is enabled by default (like after a pushbutton reset) and it is open to everyone, who gets a device or L2 link connected to the network.
I do recover MT devices after full reset by somebody else, with the MAC-Telnet from an adjacent MT on the network, while 1200km away.

Don't know about the github code, but any RouterOS around is my bridgehead into another MT.
(Unfortunately MAC-SSH/Telnet is not enabled by default on the default WLAN wifi settings.)
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Console Access (OOB)

Sun Jan 29, 2023 11:41 pm

> ok, right now I wonder about this Cap AC device

If you're planning on using CAPsMAN, and you have wireless devices, they'd have one more "OOB method", of CAPs mode. If someone presses the button for ~10 seconds at startup, they can be found and provisioned ("adopted") by the CAPsMAN controller. See https://help.mikrotik.com/docs/display/ROS/Reset+Button and https://help.mikrotik.com/docs/display/ROS/CAPsMAN.

You can also use Netinstall/Flashfig to enable RoMON or whatever config you want to mass setup units before needing OOB when installed at a site.

I'm just not sure what you're looking for. Mikrotik gives you a ton of tools here. But, automatic USB configuration method is not one.
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Console Access (OOB)

Mon Jan 30, 2023 12:04 am

> This seems terrible for an administrator; that I have to "enable" it before I can use it. Imagine if I had a Cisco access point and I had to set it up with IP before I could manage it; it would kind of defeat the purpose.
>
> I do however see that there is a github page for a mac-telnet implementation; may I use this to connect directly from my computer?

You can use the winbox application to configure it over layer2. Just click the mac address of the CAP in the list of neighbors, use the username admin, and leave the password blank. Of course this is if it is just oob and not configured any. No need for any ip information to get into it.
 
mkx
Forum Guru
Posts: 11437
Joined: Thu Mar 03, 2016 10:23 pm

Re: Console Access (OOB)

Mon Jan 30, 2023 9:23 am

The github code for mac-telnet is not working for recent ROS versions. MT changed the way password is passed between client and server (due to change in how passwords are stored on MT devices) and the new protocol is not supported by open source implementations (AFAIK).

IMO MAC-<whatever> is not truly OOB administration ... they are still susceptible to L2 configuration errors and can still be limited to certain interfaces (under /tool/mac-server, so susceptible to configuration errors). True OOB management is only via console (serial) port or WOOBM. Sadly some Mikrotik devices support none of them (serial console port is only available on older and/or high-end devices, USB port is frequently missing on modern devices).
Another possibility is to use dedicated ethernet port (if properly configured), some devices even have one (but it can be "misused" as yet another ether port), on other it's not too hard to configure it as management port (but has to be configured out of any bridge, IP address set, possibly DHCP server set, properly configured firewall rules, allowed MAC-<whatever>, etc.). This is, again, susceptible to configuration errors so not truly OOB management.
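
The points raised in the thread (MAC-Telnet and MAC-Winbox are not filtered by the IP firewall, they can be limited under /tool/mac-server, and RoMON has to be enabled first) can be combined into a dedicated L2 management port. This is an added example, not taken from any post above; the interface list name MGMT, the port ether2 and the placeholder secrets are assumptions.

```routeros
# Added example. Assumed names: list MGMT, port ether2; secrets are placeholders.
# Weak state described in the thread: MAC access answers on every interface
# and the admin account has a blank password, i.e. effectively:
#   /tool mac-server set allowed-interface-list=all
#   /tool mac-server mac-winbox set allowed-interface-list=all

# 1. Set an admin password before anything else.
/user set [find name=admin] password="<PLACEHOLDER-ADMIN-PASSWORD>"

# 2. Dedicated management port, kept out of any bridge.
/interface list add name=MGMT comment="L2 management only"
/interface list member add list=MGMT interface=ether2

# 3. MAC-Telnet, MAC-Winbox and neighbor discovery only on that port.
#    These services bypass /ip firewall filter, so this list is the only gate.
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 4. RoMON with a secret, forbidden everywhere except the management port.
/tool romon set enabled=yes secrets="<PLACEHOLDER-ROMON-SECRET>"
/tool romon port set [find interface=all] forbid=yes
/tool romon port add interface=ether2 forbid=no

# 5. Verify what is actually exposed.
/tool mac-server print
/tool mac-server mac-winbox print
/tool romon port print
```

Apply this from a session that arrives on the management port, or with Safe Mode on, since a mistake in the interface list removes the L2 access being configured.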
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Console Access (OOB)

Mon Jan 30, 2023 1:27 pm

I agree it's not out of band. I'm curious about your opinion of other vendors that only have in band management, ones that try to unify the experience.
 
mkx
Forum Guru
Posts: 11437
Joined: Thu Mar 03, 2016 10:23 pm

Re: Console Access (OOB)

Mon Jan 30, 2023 3:55 pm

In principle there's nothing wrong with in-band only administration. As long as that equipment is used in non-mission critical environment. In mission critical environment diagnosing faults on devices is almost as important as keeping them running ... because in case of recurring failures it's crucial to analyse the reasons for them to happen. And in such cases, often true OOB connectivity is the only possible way of doing it.

The problem with MT environment is that software-wise (flexibility of ROS, CLI, etc.) it can be compared to high-end competition (although competitors' devices come with price tags of an order of magnitude higher than MT's) ... and that's true also for low-end MT devices (where price difference goes into two orders of magnitude). But hardware is often behind competition. And lack of OOB options is just one example. OOB connectivity might seem a tiny detail, but when talking about corporate environments (with associated price tags) these details tend to be deal breakers.
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Console Access (OOB)

Mon Jan 30, 2023 4:36 pm

Well put @MKX!
