
Maintaining a hot standby with two MikroTiks

In the previous article I described one way to collect the configurations of MikroTik routers into a centralized backup. That would seem to be enough, but for some branches management requires immediate restoration of service if any part of the network fails. The first thought is obvious: keep two identical boxes next to each other. The second thought is that VRRP does not fit here for a number of reasons, one of them being the IPsec in use. So once again a workaround is needed: synchronize the configuration semi-manually, that is, with a script.

Logic


1. Connect over ssh to the active router and change the address of the physical interface facing the standby router to 10.0.0.1/24
2. Using a firewall port forward, connect over ssh to the standby router through the active one
3. Check the serial number to make sure we really landed on the standby, so as not to endanger the active router
4. Fetch the backup from the active router's FTP, load it, and let the standby reboot
5. Connect over ssh to the active router and put the original address, 10.0.0.2/24, back on the interface facing the standby
The address juggling is needed because once a day I take a backup from every router. When that backup is later loaded onto the standby I still have to reach it somehow: by then the standby carries the address 10.0.0.2/24 from the backup, so on the active router I temporarily set 10.0.0.1/24, an address that never appears in any backup. This is how the two configurations are kept identical.

Connecting the standby box


[image: connection diagram of the active and standby routers]

... as shown in the picture. How you connect the Internet and LAN is up to you; the only thing that matters is that the interface linking the active and standby routers is the same port on both. Why will become clear below.

The interfaces are configured identically on both routers; yes, there is nothing wrong with that.

/ip address add address=10.0.0.2/24 comment=backup disabled=no interface=ether10 network=10.0.0.0

SSH is also needed on both boxes:

/ip service set ssh address="" disabled=no port=2222

Use a non-standard port; the standard one may still be needed for something else.

We also set up port forwarding:

/ip firewall nat add action=dst-nat chain=dstnat comment="dst-nat: reach the hot standby's ssh through the active router" disabled=no dst-port=2422 protocol=tcp to-addresses=10.0.0.2 to-ports=2222
/ip firewall nat add action=src-nat chain=srcnat comment="src-nat: make the standby answer back via the active router, not its own default gateway" disabled=no dst-address=10.0.0.2 dst-port=2222 protocol=tcp to-addresses=10.0.0.1


The second rule rewrites the source address because the standby router already has some default gateway of its own and would try to answer through it, whereas the reply has to come back through the active router. The 10.0.0.1 source only exists on the active router during the sync window, which is exactly when the rule is needed. Note that, as written, the dst-nat rule accepts connections to port 2422 from anywhere; restricting it with src-address= to the management host is advisable, since otherwise the standby's ssh is reachable from outside through the active router.

FTP is also needed, but hidden from outsiders:

/ip service set ftp address=10.0.0.0/24 disabled=no port=21

That's the preparatory work done; now for the script.

Script


There is already a template from the previous article; it just needs a few touches:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# for SSH
import paramiko
from paramiko import SSHClient, AutoAddPolicy
# for versioning
import datetime
# for sleep
import time

# versioning: the daily backup on the active router is named <site>_<host>_<YYYY-MM-DD>.backup
Version = datetime.date.today()
print("\n" + str(Version))

# credentials array: (site, active router address, user, password, active router serial number)
arrCreds = (
    ("R0", "11.22.33.44", "user0", "password0", "serial0"),
    ("R1", "1.1.1.1", "user1", "password1", "serial1"),
    ("R2", "2.2.2.2", "user2", "password2", "serial2"),
)

# FTPD IP: temporary address of the active router on the link to the standby
FtpdIP = "10.0.0.1/24"
# address both routers carry on that link in their saved configuration
BackupIP = "10.0.0.2/24"

sshCli = SSHClient()
# AutoAddPolicy accepts any host key; pin the routers' keys in known_hosts if the path to them is not trusted
sshCli.set_missing_host_key_policy(AutoAddPolicy())
LogFile = "/var/log/remotes/scripts/scripts1.log"
paramiko.util.log_to_file(LogFile, level=10)
print("header done")


def ssh_connect(host, port, user, password):
    # close the previous session before opening a new one on the same client object
    sshCli.close()
    sshCli.connect(str(host), port=port, username=str(user), password=str(password))
    time.sleep(2)


# loop over the routers
for (site, host, user, Password, SerialNumberA) in arrCreds:
    print(datetime.datetime.now())
    print("\n" + host)
    BackupName = site + "_" + host + "_" + str(Version) + ".backup"
    # define operations
    ChangeBackupIfAddr = '/ip address set [/ip address find address="' + BackupIP + '"] address="' + FtpdIP + '"'
    GetSerial = ':put [system routerboard get value-name=serial-number]'
    GetBackupFromFtp = ("/tool fetch address=" + FtpdIP.replace('/24', '') + " mode=ftp src-path=" + BackupName
                        + " user=" + user + " password=" + Password)
    ApplyBackup = "/system backup load name=" + BackupName
    ChangeBackupIfAddrA = '/ip address set [/ip address find address="' + FtpdIP + '"] address="' + BackupIP + '"'
    # try, so that one failing host does not abort the whole script
    try:
        # passwords are deliberately not echoed to stdout or the log
        print("connecting to active router.. " + site + "_" + host + "@" + user)
        ssh_connect(host, 2222, user, Password)
        print("..done")
        print("changing backup interface IP address from 10.0.0.2/24 to 10.0.0.1/24.. " + ChangeBackupIfAddr)
        sshCli.exec_command(ChangeBackupIfAddr)
        print("..done")
        # port 2422 is dst-nat'ed by the active router to the standby's ssh
        print("connecting to hotbackup router.. ")
        ssh_connect(host, 2422, user, Password)
        print("..done")
        # we need to check that we are not still on the active router
        print("checking router serial number.. " + GetSerial)
        stdin, stdout, stderr = sshCli.exec_command(GetSerial)
        SerialNumberCurrent = stdout.read().decode().strip()
        print("SNA=" + SerialNumberCurrent)
        # same serial as the active router means the port forward did not take us to the standby: stop,
        # but first put the active router's address back so 10.0.0.1 never ends up in a backup
        if SerialNumberCurrent == SerialNumberA:
            print("we are still on active device, restoring address and aborting host processing")
            sshCli.exec_command(ChangeBackupIfAddrA)
            continue
        print("successfully connected to hotbackup device, going on with host processing")
        print("downloading backup from active router ftp.. " + BackupName)
        sshCli.exec_command(GetBackupFromFtp)
        time.sleep(2)
        print("..backup downloaded from active router")
        print("apply backup on HotBackup.. " + ApplyBackup)
        # backup load asks for confirmation; answer on the stdin of the same channel,
        # a separate exec_command("y") would open a new channel and never reach the prompt
        stdin, stdout, stderr = sshCli.exec_command(ApplyBackup)
        stdin.write("y\n")
        stdin.flush()
        time.sleep(2)
        print("..done")
        # the standby reboots after loading; go back to the active router
        print("connecting to active router.. ")
        ssh_connect(host, 2222, user, Password)
        print("..done")
        print("giving backup interface address 10.0.0.2/24..")
        sshCli.exec_command(ChangeBackupIfAddrA)
        time.sleep(2)
        print("..done")
    except Exception as err:
        print("Error processing host", host, err)


When the active router dies, all that is left is to physically move the cables to the standby. I have checked this myself; it works.

Drawbacks


- the scheme writes the backup to the built-in flash on every run, which wears it out, so I would not run this more often than once a week
- the method only works for hardware of the same model with the same firmware version; otherwise the interface numbering may shift
- it is still a workaround, and you need to understand that
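The serial-number check in step 3 catches landing on the wrong box; the second drawback above (same model, same firmware, same interface numbering) can be checked the same way before the backup is loaded. The following is an added example, not part of the original article or its script: it collects model, RouterOS version and the interface list with the same kind of `:put` commands the script uses, compares active against standby, and refuses the sync on any mismatch. The RouterOS commands are standard ones; the sample outputs and serial numbers are constructed, and no router is contacted.

```python
"""Pre-sync safety gate for the hot-standby procedure (added example).

The article's script only compares serial numbers. This extends the check
to the conditions the article lists as drawbacks: same model, same RouterOS
version and the same interface numbering. Sample outputs below are
constructed; the functions never contact a router.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# RouterOS commands whose stdout we compare. Each is run over ssh exactly like
# the GetSerial command in the script; `:put` prints one value per line.
IDENTITY_COMMANDS = {
    "serial": ":put [/system routerboard get serial-number]",
    "model": ":put [/system routerboard get model]",
    "version": ":put [/system resource get version]",
    "interfaces": ":foreach i in=[/interface find] do={:put [/interface get $i name]}",
}


@dataclass(frozen=True)
class RouterIdentity:
    serial: str
    model: str
    version: str
    interfaces: Tuple[str, ...]


def parse_identity(raw: Dict[str, str]) -> RouterIdentity:
    """Build an identity from the raw stdout of each IDENTITY_COMMANDS entry.

    RouterOS ends lines with \\r\\n over ssh and may append a blank line, so
    every line is stripped and empty ones are dropped.
    """
    def lines(text: str) -> Tuple[str, ...]:
        return tuple(l.strip() for l in text.splitlines() if l.strip())
    return RouterIdentity(
        serial=raw["serial"].strip(),
        model=raw["model"].strip(),
        version=raw["version"].strip(),
        interfaces=lines(raw["interfaces"]),
    )


def sync_allowed(active: RouterIdentity, standby: RouterIdentity) -> Tuple[bool, str]:
    """Return (ok, reason); ok is False whenever loading the active router's
    backup on `standby` would be unsafe or would not apply cleanly."""
    if standby.serial == active.serial:
        # same box: the dst-nat port forward did not take us to the standby
        return False, "same serial number: still on the active router, not the standby"
    if standby.model != active.model:
        return False, "model mismatch: active %s, standby %s" % (active.model, standby.model)
    if standby.version != active.version:
        return False, "RouterOS version mismatch: active %s, standby %s" % (active.version, standby.version)
    if standby.interfaces != active.interfaces:
        missing = sorted(set(active.interfaces) - set(standby.interfaces))
        extra = sorted(set(standby.interfaces) - set(active.interfaces))
        return False, "interface list differs: missing on standby %s, extra on standby %s" % (missing, extra)
    return True, "active and standby match; safe to load the backup"


# --- constructed sample outputs, as they would come back from the two routers ---
ACTIVE_RAW = {
    "serial": "3A1B00000001\r\n",
    "model": "RB2011UiAS\r\n",
    "version": "6.48.6 (long-term)\r\n",
    "interfaces": "ether1\r\nether2\r\nether3\r\nether10\r\nbridge-local\r\n",
}
STANDBY_RAW = dict(ACTIVE_RAW, serial="3A1B00000002\r\n")  # identical twin, different serial
STANDBY_OLDER_RAW = dict(STANDBY_RAW, version="6.47.10 (long-term)\r\n")  # firmware differs
STANDBY_FEWER_PORTS_RAW = dict(STANDBY_RAW, interfaces="ether1\r\nether2\r\nbridge-local\r\n")  # smaller model


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the gate over the constructed pairs; keys name the scenario."""
    active = parse_identity(ACTIVE_RAW)
    return {
        "still_on_active": sync_allowed(active, active),
        "twin": sync_allowed(active, parse_identity(STANDBY_RAW)),
        "older_firmware": sync_allowed(active, parse_identity(STANDBY_OLDER_RAW)),
        "fewer_ports": sync_allowed(active, parse_identity(STANDBY_FEWER_PORTS_RAW)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-16s %s  %s" % (name, "SYNC" if ok else "SKIP", reason))
```

In the script, the gate would sit where the serial comparison is now: run each IDENTITY_COMMANDS entry over the open session, feed the stdout strings to parse_identity, and `continue` (after restoring the active router's address) whenever sync_allowed returns False. Comparing the ordered interface list rather than a set is deliberate, since the backup refers to interfaces by name and position.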

Thanks to Habr user just_wow for the practical advice on organizing the credentials array.

Source: https://habr.com/ru/post/140866/
