MikroTik Management

Introduction

This page gives step-by-step instructions for correctly configuring the V259 Management Network on MikroTik routers. It covers the basic steps of adding the VLAN interface, IP, route, routing table, and routing rules necessary to make this network function.

Management Network

The MikroTik Management Network is configured on VLAN 259 and subnet 192.168.21.0/24. The IPs and interface must be added to Netbox to be considered properly documented. Provisioning can be done one of two ways: through the Winbox GUI, or through the CLI, either in a terminal in Winbox or in an SSH session to the device. This page shows both.

VLAN and IP

Creating The VLAN

Provisioning - GUI

To create the VLAN interface select the Interfaces tab on the left-side menu.

Once you have the Interfaces window open, you can add a VLAN one of two ways: go to the VLAN tab at the top of the window, or select the drop-down arrow next to the blue + in the upper right corner of the window.

If you select the VLAN tab, it takes you to another window where you can select the blue + in the upper right to add the interface. If you select the drop-down arrow, it opens a menu; select VLAN from that list and a "New Interface" window opens.

In the "New Interface" window you can set up the new VLAN interface. The VLAN must be assigned to the uplink interface of the MikroTik, wherever the ONT or backhaul is plugged in. First fill out the name of the VLAN interface. Our naming structure is the first initial and number of the uplink interface, followed by a period and then the 4-digit number of the VLAN; if the VLAN has only 3 digits, a 0 is the first character. In this instance ether1 is the interface we are assigning it to and 259 is the VLAN ID, so e1.0259 is the name of the interface. Next, set the VLAN ID near the bottom of the window to 259 and the Interface to ether1. Leave everything else (MTU, ARP, etc.) at the default. Select the Comment button on the right side; it opens a small window where you enter MikroTik Management Network and then select OK. Once that window closes, select the OK button on the upper right of the "New Interface" window.

You will now see the VLAN in the Interface list.

Provisioning - CLI

To provision via CLI, select "New Terminal" on the left-hand side of the Winbox GUI or open an SSH session to the MikroTik directly. To add the VLAN interface through the CLI, use the following command:

    interface vlan add name=e1.0259 vlan-id=259 interface=ether1 comment="MikroTik Management Network"

Again, fill in the name, VLAN ID, and the interface that the VLAN is attached to; this example uses ether1 and VLAN 259. The comment for the interface is set in the same command that creates it; put double quotes ("") around the comment if it has any spaces. After running the command, use interface print to make sure the interface looks correct.

Setting The IP

Provisioning - GUI

On the left-hand side menu, select IP to open a drop-down, then select Addresses. This opens a new window named "Address List" with a blue + in the upper left corner. Select the + to open another window named "New Address."

In the "New Address" window, enter the assigned IP from the 192.168.21.0/24 network and make sure that the CIDR notation is included. Then make sure the correct interface is selected from the drop-down menu; in this case it is e1.0259. Select the Comment button to open the small window, enter MikroTik Management, and select OK. Then select the OK button in the "New Address" window.

Now you will see the IP in the Address List.

Provisioning - CLI

Again, to provision via CLI, select "New Terminal" on the left-hand side of the Winbox GUI or open an SSH session to the MikroTik directly. To add the IP through the CLI, use the following command:

    ip address add address=192.168.21.111/24 interface=e1.0259 comment="MikroTik Management"

Again, fill in the address and the interface that the IP is attached to. The comment for the IP is set in the same command that creates it; put double quotes ("") around the comment if it has any spaces. After running the command, use ip address print to make sure the IP looks correct.

Routing

Creating New Routing Table

For this setup we will have to create a secondary routing table to carry the default route for the 192.168.21.0/24 network to allow it to communicate with the SRX and the rest of our internal/management network. As with everything else it can be done through the GUI in winbox or through CLI in a terminal window or through SSH.

Provisioning - GUI

To create a new routing table, first select the Routing tab on the left-hand side of Winbox, which opens a drop-down; from there select Tables to open the "Tables" window. Once it is open, select the blue + in the upper left-hand corner to open the "New Routing Table" window.

In the "New Routing Table" window, change the name to Management and select the checkbox next to FIB. The FIB (Forwarding Information Base) is used to make packet forwarding decisions. It contains a copy of the necessary routing information and is required for the routing table to work properly in this instance. Then select the OK button on the upper right-hand side.

Your "Tables" window should now list the Management table.

Provisioning - CLI

To provision via CLI, select "New Terminal" on the left-hand side of the Winbox GUI or open an SSH session to the MikroTik directly. To add the routing table through the CLI, use the following command. The name is written as Management so that it matches the GUI step and the table referenced by the routing rule and default route commands.

    routing table add name=Management fib

After running the command, use routing table print to make sure everything looks correct.

Creating Routing Rule for 192.168.21.0/24

Once we have the Management table created, we have to add a rule so that anything coming from the 192.168.21.0/24 network will only go out the new table that we created. This allows us to build a second default route to point back to the SRX.

Provisioning - GUI

To create a new routing rule, first select the Routing tab on the left-hand side of Winbox, which opens a drop-down; from there select Rules to open the "Rules" window. Once it is open, select the blue + in the upper left-hand corner to open the "New Policy Routing Rule" window.

In the "New Policy Routing Rule" window you will need to set the Src. Address to 192.168.21.0/24, the Action to "lookup only in table", and the Table to Management. Then select the OK button on the upper right-hand side.

Your "Rules" window should now show the new rule.

Provisioning - CLI

To provision via CLI, select "New Terminal" on the left-hand side of the Winbox GUI or open an SSH session to the MikroTik directly. To add the routing rule through the CLI, use the following command:

    routing rule add src-address=192.168.21.0/24 action=lookup-only-in-table table=Management

After running the command, use routing rule print to make sure everything looks correct.

Creating Default Route

Once we have the table and rule created, we have to add a default route for the Management table so that it can reach the SRX.

Provisioning - GUI

To create a new route, first select the IP tab on the left-hand side of Winbox, which opens a drop-down; from there select Routes to open the "Route List" window. Once it is open, select the blue + in the upper left-hand corner to open the "New Route" window.

In the "New Route" window you will need to set the Dst. Address to 0.0.0.0/0, the Gateway to 192.168.21.1, and the Routing Table to Management. Then select the OK button on the upper right-hand side.

You should now see a second default route active in your Route List window.

Provisioning - CLI

To provision via CLI, select "New Terminal" on the left-hand side of the Winbox GUI or open an SSH session to the MikroTik directly. To add the default route through the CLI, use the following command:

    ip route add dst-address=0.0.0.0/0 gateway=192.168.21.1 routing-table=Management

After running the command, use ip route print to make sure everything looks correct.

Test Management Network

Test that the Management Network is now working by pinging 192.168.21.1 from the MikroTik and by pinging the 192.168.21.0/24 address that you assigned to the MikroTik from your machine on the SECOM Secure Network. If both pings succeed, you have successfully set up the management IP.
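
As a complement to the ping test, the following added example (not part of the original procedure) checks a RouterOS /export for the five objects created on this page and flags a misnamed VLAN interface, an address without CIDR notation, or a routing table name that does not match the rule and route. The sample export is constructed, and the script assumes names must match exactly and that each add item sits on a single line.

```python
import ipaddress
import re
import shlex

MGMT_NET = ipaddress.ip_network("192.168.21.0/24")
VLAN_ID, GATEWAY = 259, "192.168.21.1"

# Constructed sample of /export output for a router provisioned per this page.
SAMPLE_EXPORT = """\
/interface vlan
add comment="MikroTik Management Network" interface=ether1 name=e1.0259 vlan-id=259
/ip address
add address=192.168.21.111/24 comment="MikroTik Management" interface=e1.0259
/routing table
add fib name=Management
/routing rule
add action=lookup-only-in-table src-address=192.168.21.0/24 table=Management
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.21.1 routing-table=Management
"""

def parse_export(text):
    """Map each menu path to the key/value dicts of its `add` lines."""
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            item = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
            menus.setdefault(menu, []).append(item)
    return menus

def audit(text):
    """Return findings; an empty list means the export matches this page."""
    cfg, out = parse_export(text), []
    vlan = next((v for v in cfg.get("/interface vlan", []) if v.get("vlan-id") == str(VLAN_ID)), {})
    m = re.fullmatch(r"([a-z])[a-z-]*(\d+)", vlan.get("interface", ""))
    if not m or vlan.get("name") != f"{m[1]}{m[2]}.{VLAN_ID:04d}":
        out.append(f"VLAN {VLAN_ID} interface missing or misnamed: {vlan.get('name')!r}")
    addrs = [a.get("address", "0.0.0.0") for a in cfg.get("/ip address", []) if a.get("interface") == vlan.get("name")]
    if not any(ipaddress.ip_interface(a).network == MGMT_NET for a in addrs):
        out.append(f"no {MGMT_NET} address (with CIDR) on {vlan.get('name')!r}")
    fib = {t.get("name") for t in cfg.get("/routing table", []) if "fib" in t}
    rule = next((r for r in cfg.get("/routing rule", []) if r.get("src-address") == str(MGMT_NET)), {})
    if rule.get("action") != "lookup-only-in-table" or rule.get("table") not in fib:
        out.append(f"rule for {MGMT_NET} must look up only in a FIB table, got {rule.get('table')!r}")
    routes = [(r.get("dst-address"), r.get("gateway"), r.get("routing-table")) for r in cfg.get("/ip route", [])]
    if ("0.0.0.0/0", GATEWAY, rule.get("table")) not in routes:
        out.append(f"no default route via {GATEWAY} in table {rule.get('table')!r}")
    return out
```

Paste the router's own export in place of SAMPLE_EXPORT and call audit(); any finding names the step on this page to revisit.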

Documentation

Make sure that all changes made are properly documented in the correct places. Netbox, Zabbix, and Unimus are the key areas that need to be updated.

Netbox

The interface must be added to the MikroTik device in Netbox and properly labeled. The IP must then be assigned to that interface. When you create the interface, give it the same Name it has in the MikroTik and select Virtual for the Type. Under "Operation" there is a checkbox labeled Management only; make sure it is selected. Finally, for the Description enter VLAN 259 - MikroTik Management Network.

Once the Interface is created you can select + Add IP Address under the "IP Addresses" table and add the proper 192.168.21.0/24 address to the interface. This will also add the IP under the 192.168.21.0/24 range.

Zabbix

In Zabbix you will need to add a new interface under the host with the 192.168.21.0/24 address assigned to the device.

Once the interface is created under the host, go into the host's items and change the interface to the new IP. This can be done using Mass Update at the bottom of the items list, but Mass Update can only be applied to items of the same type at one time, e.g. you cannot change SNMP Agent items and Simple Check items at the same time. Calculated items do not need to be changed. You also need to change the interface on any active Discovery Rules, or they will always change the discovered items back to the old interface.

Unimus

In Unimus you only need to change the IP of the device to the new 192.168.21.0/24 address.
