Out of band console management with Mikrotik router and 3G

I recently had the task of setting up an out of band management solution for a Cisco router at a remote location. We produced a tidy solution using a Mikrotik Routerboard 411U – (with USB interface) and Vodafone 3G USB dongle. The OOB solution has the ability to connect to devices via IP and serial console and dynamic DNS capability to update the dynamic address obtained via the 3G connection. The following was used in this configuration:

  • Mikrotik Routerboard 411U
  • Vodafone HSPA USB dongle (Model K3805-Z) as sold by Vodafone New Zealand at the time of writing
  • Cisco router (as device to be managed)

Firstly you need to upgrade to the latest RouterOS version to maximize compatibility with your USB dongle. Version 5.4 was the latest available. Upgrade your router via your favorite method [1]. Next, disable the packages we don't need for this task; this reduces the load on the router, hardens the device and gives an overall tidier solution. We only need the system, routerboard, routeros, ppp, security and advanced-tools packages, so disable the rest and reboot the router as follows:

/system package disable ipv6,wireless,hotspot,mpls,routing,dhcp
/system reboot

Now we need to configure the 3G connection – you can edit the default profile that is created for the USB dongle under /interface ppp-client, called ppp-out1. In Vodafone NZ’s case, with this particular dongle we need to change the values of both the data and info channels to 2. Our APN is internet (the default).

/interface ppp-client set ppp-out1 disabled=no data-channel=2 info-channel=2

Once the configuration changes have been made, you can initiate the connection by pinging something on the internet. Below you can see the stages as the connection is established, and then the address we have received dynamically from the ISP.

/ping 8.8.8.8
HOST           SIZE  TTL  TIME    STATUS
                                  timeout
                                  no route to host
                                  no route to host
8.8.8.8         44   56   291ms
8.8.8.8         44   56   295ms

/ip address print
Flags: X - disabled, I - invalid, D - dynamic 
#   ADDRESS            NETWORK         INTERFACE 
1 D 124.6.202.138/32   10.0.0.1        ppp-out1

Now that the 3G connection is established, we should put some security on the router. A simple firewall should do the trick. Amend the 10.0.0.0/24 network below to your management IP range or the static IP address of your internet connection, i.e. the addresses you want to administer this router from.

/ip firewall address-list
add address=10.0.0.0/24 disabled=no list=management
/ip firewall filter
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input disabled=no dst-port=8291,22 protocol=tcp src-address-list=management
add action=accept chain=input disabled=no protocol=icmp
add action=drop chain=input disabled=no
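Since the next step disables the console, it is worth checking that the management range really lets you in before committing the rules. The following is an added example (not the post's own code): a first-match model of the input chain above, with constructed addresses and packets.

```python
# Added example (not from the original post): a first-match model of the input
# chain above, so the management range can be checked before the console is
# disabled.  Addresses and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MANAGEMENT = [ip_network("10.0.0.0/24")]   # contents of the 'management' list

@dataclass
class Packet:
    src: str
    protocol: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    state: str = "new"             # "new", "established", "related", "invalid"

# Same order as the /ip firewall filter rules on the page; an empty
# condition dict matches everything (the final catch-all drop).
RULES = [
    ("accept", {"state": "established"}),
    ("accept", {"state": "related"}),
    ("drop", {"state": "invalid"}),
    ("accept", {"protocol": "tcp", "dst_port": {8291, 22}, "src_list": MANAGEMENT}),
    ("accept", {"protocol": "icmp"}),
    ("drop", {}),
]

def _matches(pkt: Packet, cond: dict) -> bool:
    if "state" in cond and pkt.state != cond["state"]:
        return False
    if "protocol" in cond and pkt.protocol != cond["protocol"]:
        return False
    if "dst_port" in cond and pkt.dst_port not in cond["dst_port"]:
        return False
    if "src_list" in cond and not any(ip_address(pkt.src) in n for n in cond["src_list"]):
        return False
    return True

def verdict(pkt: Packet) -> str:
    """Walk the chain top-down; the first matching rule decides."""
    for action, cond in RULES:
        if _matches(pkt, cond):
            return action
    return "accept"   # RouterOS accepts when no rule matches; unreachable here

def admin_can_reach(src: str, port: int = 22) -> bool:
    """True if a new SSH/Winbox connection from src would be accepted."""
    return verdict(Packet(src, "tcp", port)) == "accept"
```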

Now we need to set up the serial port for outbound connections. This means switching off the console of this router, so from now on you will not be able to manage this Mikrotik router via the console, only via the ethernet or ppp-client interfaces.

/system console set [find] disabled=yes

Next we specify the baud rate of the device we are connecting to, in this case 9600.

/port set serial0 baud-rate=9600

Now we can test a connection to our device.

/system serial-terminal serial0
[Ctrl-A is the prefix key]

Router>

All going well you will see the Cisco router prompt as above. The Ctrl+A menu is used to prefix commands to the Routerboard itself, i.e. to quit the terminal or to send keystrokes not permitted from within the terminal.

The last thing we need to do now is to set up the dynamic DNS service so that we can always find this router on the internet. Since RouterOS does not implement this service natively, we use a script and a scheduled task to achieve this. This is a slightly modified script from the Mikrotik Wiki [2]. Again, you'll want to change the values (DynDNS username, password, interface and hostname) to suit your configuration.

/system script add name=update-dyndns policy=read source=":local ddnsuser \"dyndns-username\"\r\
 \n:local ddnspass \"dyndns-password\"\r\
 \n:local theinterface \"ppp-out1\"\r\
 \n:local ddnshost \"hostname.dyndns.org\"\r\
 \n:local ipddns [:resolve \$ddnshost];\r\
 \n:local ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\r\
 \n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
 \n    :log info (\"DynDNS: No ip address on \$theinterface .\")\r\
 \n} else={\r\
 \n    :for i from=( [:len \$ipfresh] - 1) to=0 do={\r\
 \n        :if ( [:pick \$ipfresh \$i] = \"/\") do={\r\
 \n            :set ipfresh [:pick \$ipfresh 0 \$i];\r\
 \n        }\r\
 \n    }\r\
 \n\r\
 \n    :if (\$ipddns != \$ipfresh) do={\r\
 \n        :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\r\
 \n        :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\r\
 \n        :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\r\
 \n        :local str \"/nic/update\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
 \n        /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$ddnsuser \\\r\
 \n            password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\
 \n        :delay 1\r\
 \n        :local str [/file find name=\"DynDNS.\$ddnshost\"];\r\
 \n        /file remove \$str\r\
 \n        :global ipddns \$ipfresh\r\
 \n        :log info \"DynDNS: IP updated to \$ipfresh!\"\r\
 \n    }\r\
 \n}"

And the scheduled task to call the script every minute – this has the upside of keeping the 3G connection up too.

/system scheduler add disabled=no interval=1m name=dyndns \
  on-event="/system script run update-dyndns"
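To make the update logic of the script above easier to follow and to test, here is an added host-side model of the same DynDNS2 exchange in Python (not the post's or the Mikrotik Wiki's code). The hostname, credentials and addresses are constructed placeholders.

```python
# Added example (not from the original post): a host-side model of the DynDNS2
# exchange the RouterOS script performs.  Hostname, credentials and addresses
# are constructed placeholders.
import base64
from typing import Optional, Tuple
from urllib.parse import urlencode

DYNDNS_HOST = "members.dyndns.org"      # endpoint the script's /tool fetch uses

# Meaning of the first word of a DynDNS2 reply body.
_REPLIES = {
    "good": "address updated",
    "nochg": "address unchanged; repeated nochg updates are treated as abuse",
    "badauth": "username or password rejected",
    "nohost": "hostname does not belong to this account",
    "notfqdn": "hostname is not a fully qualified domain name",
    "abuse": "hostname blocked for abuse",
    "911": "server-side problem, retry later",
}

def strip_prefix(address: str) -> str:
    """'124.6.202.138/32' -> '124.6.202.138' (what the script's :for/:pick loop does)."""
    return address.split("/", 1)[0]

def needs_update(resolved_ip: Optional[str], fresh_ip: str) -> bool:
    """Send an update only when DNS disagrees with the address on ppp-out1."""
    return resolved_ip != fresh_ip

def build_update_request(host: str, fresh_ip: str, user: str, password: str):
    """Return (path, headers) for GET /nic/update, mirroring the script's
    src-path string.  Note: the script uses mode=http, so these basic-auth
    credentials travel in clear text; use a dedicated DynDNS account."""
    query = urlencode({"hostname": host, "myip": fresh_ip,
                       "wildcard": "NOCHG", "mx": "NOCHG", "backmx": "NOCHG"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Host": DYNDNS_HOST, "Authorization": f"Basic {token}"}
    return f"/nic/update?{query}", headers

def parse_reply(body: str) -> Tuple[str, Optional[str], str]:
    """Split a reply such as 'good 124.6.202.138' into (code, ip, meaning)."""
    parts = body.strip().split()
    code = parts[0] if parts else ""
    ip = parts[1] if len(parts) > 1 else None
    return code, ip, _REPLIES.get(code, "unknown reply")
```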

Now you should be able to connect to your console-server router at its DynDNS address, from the management address specified above, via SSH and Winbox.

[1] RouterOS Manual – Upgrading: http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
[2] RouterOS Manual – Dynamic DNS: http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_dynDNS