Guide to Mikrotik RoMON

    Everyone had situations when it is necessary to configure remote equipment (sometimes new), and access is only available to other network devices, no PCs / laptops or users with phones. In the case of Mikrotik, this problem can be solved in two ways: the built-in RouterOS mac-telnet and RoMON. About them and will be discussed below.

    Mac Telnet from the router

    For those who have forgotten: Mac telnet runs on Layer2, so connection is possible within the same network segment.


    We connect via winbox or ssh to the configured router (Mkt1) and through it via mac-telnet to the new one (Mkt2).

    Where to find mac-telnet:

    * [IP] -> [Neighbors] - if neighbor detection is enabled
    * [IP] -> [ARP] - if there is any ip on the new router and it resolves to mac
    * [Tools] -> [Telnet] - here besides mac-telnet there is a regular telnet and ssh
    * / tool mac-telnet - from the console



    What you should remember: if the device has a default configuration, then mac-telnet will be available only on lan ports (everything except ether1, usually), so clearly tell the installers where to connect the cable, otherwise no mac-telnet and RoMON will help you.

    There is access, you can configure, but you want convenience? Especially when configuring queue trees and a large number of firewall rules.

    Connecting via RoMON

    RoMON (Router Management Overlay Network) - Ability to use one mikrotik device to which there is ip access as a transit for connecting to the device via mac.

    RoMON is disabled by default. The client part is built into winbox, so you do not need to install anything.

    Setting on the transit router (Mkt1):

    [Tools] -> [RoMON]

    * Enabled - Enable RoMON
    * ID - Manual RoMON ID setting, by default one of the router's mac addresses is selected
    * Secrets - A set of passwords for RoMON authentication, used if The password on the port is not explicitly specified. The wiki details the password selection procedure.

    [Tools] -> [RoMON] -> [Ports]

    By default, ALL ports are turned on, which is not particularly safe and it is not possible to disable all, so we set Forbid = yes on it , more precise rules for interfaces will block all.

    Create a rule for ether4:

    * Interface - the port for which we are configuring
    * Forbid - disable RoMON on the interface
    * Cost - taken into account when building the path in large garlands
    * Secrets - Set of passwords for authentication


    Console option:

    /tool romon
    set enabled=yes id=00:00:00:00:00:10
    /tool romon port
    set [ find default=yes ] forbid=yes
    add disabled=no interface=ether4 secrets=test-for-romon

    Setting up on a remote router (Mkt2):
    Here we have a mac-telnet connection, so the settings will be console:

    /tool romon
    set enabled=yes id=00:00:00:00:00:20
    /tool romon port
    set [ find default=yes ] forbid=yes
    add disabled=no interface=ether5 secrets=test-for-romon

    Now in [Tools] -> [RoMON] -> [Discovery] on Mkt1 we see a neighbor:


    And another neighbor who is connected in transit through Mkt2, I leave the connection settings as an independent task, everything is similar.


    Launch Winbox and connect to in RoMON mode using a regular account and password, secrets in RoMON refers only to the connection between routers:


    And here we see the most interesting thing - all routers in the RoMON chain are available for connection through a single transit Mikrotik.


    We select one of the addresses (RoMON ID) and connect to the router of interest.


    Bottom line: We get transparent access to all routers in the chain, without the need for a consistent login via mac-telnet.


    [Tools] -> [RoMON] -> [Ping] - utility for ping routers by RoMON ID.

    Regular mac-telnet is not a secure communication channel; if you have RoMON, you can establish an ssh connection using RoMON ID.

    /tool romon ssh 

    Connection via RoMON in command line mode (for shortcuts):

    winbox.exe --romon 

    That's all. Functionality is not for everyday use, but it is useful to remember and know how to configure it.

    Also popular now: