Back in the ROS 5.x days I needed to bring up a tunnel to a router that had a public (white) but dynamic address. In ROS 5 an IPsec peer was configured by IP address, not by host name. That left two options: a DDNS service, whose use I will look at briefly at the end, and the second one, which this story is about.
The idea was a central point where routers report their own addresses and read those of the others. I took the path of least resistance: a PHP site.
So far a couple of simple things are implemented.
Announcing your address
It is done as a request to a script on the server, passing the router's name (number) and password:
:local number "ROUTER_NUMBER"; :local pass "PASSWORD"
/tool fetch url="http://whoami.ho.ua/adr.php\?i=$number&p=$pass" mode=http
The name and password are there so that nobody can pass themselves off as you, trigger a connection from their router to yours, or read your router's address. With the fetch utility we open the script on the server and hand over the name and password as GET parameters; the script takes the router's external address from $_SERVER['REMOTE_ADDR'] and writes it to the database. Bear in mind that over plain HTTP the password travels in the clear in the URL on every call, and a query string like that typically lands in the web server's access log as well.
Reading another router's address
Again we call the web script with the same utility:
:local number "ROUTER_NUMBER"; :local pass "PASSWORD"
/tool fetch url="http://whoami.ho.ua/getadr.php\?i=$number&p=$pass" mode=http dst-path="adr.txt"
:global routeradr [/file get adr.txt contents]
dst-path="adr.txt" tells fetch to save the response to a file. The page itself returns nothing but plain text with the address of the requested router:
// The router number and password from the URL are interpolated straight into the query text.
// (The mysql_* extension used here was removed in PHP 7.)
$query = "SELECT address FROM table_routers WHERE ((id='$_GET[i]') AND (password='$_GET[p]'))";
$adr = mysql_query($query) or die(mysql_error());
$router = mysql_fetch_assoc($adr);
echo $router['address'];   // response body is just the address, as plain text
:global routeradr [/file get adr.txt contents] copies the file contents into a global variable, which can then be used wherever needed.
Reading a script from the database
:local number "ROUTER_NUMBER"; :local pass "PASSWORD"
/tool fetch url="http://whoami.ho.ua/getscript.php\?i=$number&p=$pass" mode=http dst-path="script.rsc"
/import file-name=script.rsc
/file remove script.rsc
Everything is as in the previous script, except that the downloaded file is imported into the router configuration and then deleted.
What is it for? Say you accidentally locked yourself out of the router with a firewall rule. You then add a script for that router on the site containing the corrected firewall rules. The router polls the site on its schedule, and the PHP side checks whether the database holds any scripts for this router that have not been delivered yet:
$query = "SELECT id FROM table_routers WHERE ((id='$_GET[i]') AND (password='$_GET[p]'))";
$adr = mysql_query($query) or die(mysql_error());
$router = mysql_fetch_assoc($adr);
// oldest script queued for this router that has not been sent yet
$query = "SELECT script, id FROM table_scripts WHERE ((router='$router[id]') AND (executed='N')) ORDER BY id ASC LIMIT 1";
First the router number and password are checked (so nobody else can read your script; you may well be changing passwords in the config file), then the oldest script not yet delivered to this router is picked from the queue. Keep in mind what this hands over: anything the server returns is imported with full rights on the router, so the site, its database and the plain-HTTP path to it have to be trusted as much as the router's own admin password.
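The two PHP fragments above paste $_GET[i] and $_GET[p] directly into the SQL text, so a request with p=' OR '1'='1 turns the password condition into (password='' OR '1'='1') and passes the check for any known router number. Below is an added example of one hardened back end for adr.php, getadr.php and getscript.php using PDO prepared statements and hashed passwords; it is not the code from the post. It keeps the post's table and column names (table_routers: id, password, address; table_scripts: id, router, script, executed) but assumes the password column now holds a password_hash() digest, assumes the file name router_api.php and the DSN credentials shown, and assumes a delivered script is marked executed='Y' (the post only shows the executed='N' selection).

```php
<?php
// Added example, not the code from the post: one back end for adr.php, getadr.php
// and getscript.php using PDO prepared statements. Save as router_api.php (assumed
// name) and make each of the three original files just "<?php require 'router_api.php';".
// Table and column names follow the post (table_routers: id, password, address;
// table_scripts: id, router, script, executed); the `password` column is assumed
// to hold a password_hash() digest rather than clear text.
declare(strict_types=1);

const DSN     = 'mysql:host=localhost;dbname=whoami;charset=utf8mb4'; // assumed
const DB_USER = 'whoami_app';                                          // assumed
const DB_PASS = 'change-me';                                           // assumed

function db(): PDO {
    return new PDO(DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Returns the router row when id and password check out, null otherwise. The values
// from $_GET are bound as parameters, never spliced into the SQL text, so
// p=' OR '1'='1 is just a wrong password instead of an always-true WHERE clause.
function authenticate(PDO $pdo, string $id, string $pass): ?array {
    $st = $pdo->prepare('SELECT id, password, address FROM table_routers WHERE id = :id');
    $st->execute([':id' => $id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, (string) $row['password'])) {
        return null;
    }
    return $row;
}

// adr.php: store the address the TCP connection actually came from.
function announce(PDO $pdo, string $routerId, string $remote): bool {
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $st = $pdo->prepare('UPDATE table_routers SET address = :addr WHERE id = :id');
    $st->execute([':addr' => $remote, ':id' => $routerId]);
    return true;
}

// getscript.php: hand out the oldest undelivered script for this router and mark it
// delivered (the post selects executed='N'; flipping it to 'Y' here is an assumption).
// The row lock keeps two overlapping polls from both receiving the same script.
function nextScript(PDO $pdo, string $routerId): string {
    $pdo->beginTransaction();
    $st = $pdo->prepare("SELECT id, script FROM table_scripts
                         WHERE router = :r AND executed = 'N'
                         ORDER BY id ASC LIMIT 1 FOR UPDATE");
    $st->execute([':r' => $routerId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row !== false) {
        $upd = $pdo->prepare("UPDATE table_scripts SET executed = 'Y' WHERE id = :id");
        $upd->execute([':id' => $row['id']]);
    }
    $pdo->commit();
    return $row === false ? '' : (string) $row['script']; // empty body: nothing queued
}

$pdo    = db();
$router = authenticate($pdo, (string) ($_GET['i'] ?? ''), (string) ($_GET['p'] ?? ''));
if ($router === null) {
    http_response_code(403); // same answer for unknown id and wrong password
    exit;
}
header('Content-Type: text/plain');
// Dispatch on the original file name so the fetch URLs in the router scripts stay valid.
switch (basename($_SERVER['SCRIPT_FILENAME'])) {
    case 'adr.php':
        if (!announce($pdo, (string) $router['id'], (string) ($_SERVER['REMOTE_ADDR'] ?? ''))) {
            http_response_code(400);
        }
        break;
    case 'getadr.php':
        echo (string) $router['address'];
        break;
    case 'getscript.php':
        echo nextScript($pdo, (string) $router['id']);
        break;
    default:
        http_response_code(404);
}
```

Router rows are created by the administrator with password_hash($pass, PASSWORD_DEFAULT) in the password column. Hashing only protects the stored copy: the router scripts in the post still send the password in the clear in the URL, so this does not remove the need to keep that path private.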
This method does not fix a problem after it has happened; it helps you be prepared for one. In other words, you lay the straw in advance: put a job in the scheduler so that every X minutes or hours the router checks whether there are new scripts for it.
It is also handy when the router has a grey (private, NATed) address and you need to reach it from outside. Queue a script that brings up a VPN tunnel to our public address, and after the scheduled interval we have access to the device even through ten layers of NAT.
That is the whole short story. I will be glad to hear remarks and ideas about what else could be bolted onto such a service. Simple statistics are planned: the router would push a few of its parameters into the database, for example temperature and CPU load.
As a bonus, the ready-made scripts I mentioned at the beginning: take the IP from a host name and put it into the IPsec policy.
They also work in a setup of MikroTik plus cheap consumer boxes that support DDNS and IPsec (D-Link 804, for example). The script that resolves the remote peer's name and writes the address into the corresponding policy:
:local nname "RHost1"
:log info "start $nname"
# :resolve aborts the script if the name does not resolve, so the policy is left untouched in that case
:local newip [:resolve "rmotehost1.zapto.org"]
# the policy is located by its comment field
:local curip [/ip ipsec policy get [/ip ipsec policy find comment=$nname] sa-dst-address]
:log info "newip = $newip"
:log info "currentip = $curip"
:if ($newip != $curip) do={
    :log info "ip $nname is $curip not $newip"
    /ip ipsec policy set [/ip ipsec policy find comment=$nname] sa-dst-address=$newip
    :log info "end $nname"
}
And the script that, on the remote side, substitutes its current IP into the IPsec policy:
:global lastip
:local wanif "pppoe-out1"
# first run: the global does not exist yet
:if ([:typeof $lastip] = nil) do={ :global lastip "0" }
# address of the WAN interface, in a.b.c.d/len form
:local wanip [/ip address get [/ip address find interface=$wanif] address]
:if ([:typeof $wanip] = nil) do={
    :log info ("WANIP: no ip address on $wanif .")
} else={
    # strip the /len suffix, leaving the bare address
    :for i from=([:len $wanip] - 1) to=0 do={
        :if ([:pick $wanip $i] = "/") do={
            :set wanip [:pick $wanip 0 $i]
            :log info ("wan ip now is $wanip")
        }
    }
    :if ($wanip != $lastip) do={
        :log info ("Renew ipsec Policy: $wanif -> $wanip")
        # (the script in the post is cut off at this point)
    }
}