Mikrotik routers are, I’m finding, well suited to be used with Ansible as infrastructure as code.
I was recently working on a project where I was pulling “/ip firewall nat print without-paging terse”, but the returned output kept adding in \n (carriage returns) on the 81st position…*sigh*.
1 2 | "stdout": [
"0 comment=ReverseNAT chain=srcnat action=src-nat to-addresses=2.1.\n25.64 src-address=1.1.1.1 \n 1 comment=Mail_Reverse_NAT chain=srcnat action=src-nat to-addresses=1.1.1\n25.64 src-address=1.1.2.25 \n 2 X comment=VPN_Traffic chain=srcnat action=masquerade src-address=1.1.9.0/24 \ndst-address=1.1.2.0/24 \n 3 comment=VPN_Traffic chain=srcnat action=masquerade src-address=10.1.9.0/24 \n\n 4 |
It turns out that when connected via ssh, Mikrotik assumes a smaller window size on the terminal. The trick here is to edit the username used to connect with a special set of instructions:
1 | ansible_user=Tacos+cet512w |
+cet512w tells ansible the default terminal width is equal to 512 cols and enables “dumb” terminal mode. After this, all is right with the world 🙂
It took me about 2 hours to suss this out, then when I presented it to Jimmy he said “Oh yeah, that’s why I’ve got “+cet512w” in the user name, so really he gave me the fix. Another lesson hard earned hehehe.
If you are using ansible with Mikrotik and the routeros module is inserting carriage returns, give this a go. Oh, it also helps to have an Ansible Ninja on your team when you need a little help 😉
This week we have Greg, Mike have a 4th of July blowout LOL
**Sponsors**
Sonar.software
Cambium ePMP Bundle
**/Sponsors**
This week we talk about:
FS Box
T-mobile voice outage.
Pedro figured out to have STP BPDUs filtered he had to STP on the switch LOL
Greg wrote an Ansible playbook to backup a router based Dude install.
Greg’s ansible role to backup network devices to git.
Zach made some playbooks that pull backup files to a folder and do diffs.
Hypervisor Comparison
More Hypervisor Stuff
FB LINX
FB Datacenter
Mikrotik RPKI
Pedro found out you shouldn’t delete link local addresses on your BGP peers
What do you do with two links when one doesn’t have capacity to carry load during failure?
WISP Virtual Summit July 28th
How to design the edge/core for maximum flexibility with Mikrotik…should I do X, Y, or Z.
Here’s the video:(if you don’t see it, hit refresh)
Greg talks to Nick Arellano, a consultant and software developer.
This week we talk about:
How a consultant looks at your network
CI/CD
Software dev
Some anxiety I think partially feeling trapped; little access to other humans.
ostriches are devil spawn
GIT
Join the patron only slack at http://patreon.com/thebrotherswisp
Here’s the video:(if you don’t see it, hit refresh)
This can be done in the span of about 5 minutes(it’s almost tooooo easy).
First, ensure that you have public access to TCP ports 80/443 to your tower server(it’s likely you’ve already done that, though).
Tower auto installs and uses nginx as its webserver. Step one is to tell nginx what your FQDN is for this server(make sure you’ve already created a valid/working DNS entry for this):
Edit the nginx config file at: /etc/nginx/nginx.conf
This is the section of the config prior to manipulation:
1 2 3 4 5 6 | # If you have a domain name, this is where to add it server_name _; keepalive_timeout 65; ssl_certificate /etc/tower/tower.cert; ssl_certificate_key /etc/tower/tower.key; |
This is my config with the server name configured:
1 2 3 4 5 6 | # If you have a domain name, this is where to add it server_name towerofpower.gregsowell.com; keepalive_timeout 65; ssl_certificate /etc/tower/tower.cert; ssl_certificate_key /etc/tower/tower.key; |
Now restart the nginx server:
1 | systemctl reload nginx.service |
Now download the LetsEncrypt certbot auto installer and set it to executable:
1 2 | wget -P /usr/local/bin https://dl.eff.org/certbot-auto chmod +x /usr/local/bin/certbot-auto |
Now run the certbot installer:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | certbot-auto Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap) dnf is /usr/bin/dnf dnf is hashed (/usr/bin/dnf) Last metadata expiration check: 2:31:18 ago on Thu 18 Jun 2020 08:35:47 AM CDT. Package openssl-1:1.1.1c-15.el8.x86_64 is already installed. Package ca-certificates-2019.2.32-80.0.el8_1.noarch is already installed. Package python36-3.6.8-2.module_el8.1.0+245+c39af44f.x86_64 is already installed. Dependencies resolved. ================================================================================================================================================= Package Architecture Version Repository Size ================================================================================================================================================= Installing: augeas-libs x86_64 1.12.0-5.el8 BaseOS 436 k ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Transaction Summary ================================================================================================================================================= Install 44 Packages Total download size: 52 M Installed size: 135 M Is this ok [y/N]: y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: towerofpower.gregsowell.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Obtaining a new certificate Performing the following challenges: http-01 challenge for towerofpower.gregsowell.com Waiting for verification... Cleaning up challenges Deploying Certificate to VirtualHost /etc/nginx/nginx.conf Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf |
So when you run the installer you are prompted to pull down required packages, to which I said yes. It will then find your nginx config and locate the server name that was specified. After that I chose option 1 and let it rip.
It then creates the certs and modifies the nginx config with the new certs.
Here’s the nginx config after the above command:
1 2 3 4 5 | # If you have a domain name, this is where to add it
server_name towerofpower.gregsowell.com;
keepalive_timeout 65;
ssl_certificate /etc/letsencrypt/live/towerofpower.gregsowell.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/towerofpower.gregsowell.com/privkey.pem; # managed by Certbot |
Now restart the nginx server:
1 | systemctl reload nginx.service |
After that you should be able to browse to your tower install with a valid cert!
Good luck and happy automating.
Tom Smyth speaks about OpenBSD And OpenBGPD As the ISP Controlplane in is BSDCAN2020 presentation:
● High-level overview of our network
● Routing fundamental crash-course
● Route Servers in 60 seconds
● BGP in 60 seconds
● Recursive Routes in 120 seconds
● Control Plane vs Data Plane
● OpenBGD
● Hardware routers / Switches
Here’s the video:(if you don’t see it, hit refresh)
First a big shout out to this link, which provided me the tools to get started.
The instructions there under requirements give you the first steps. First you add the ESP8266 file uploader plugin to the Arduino IDE. This allows you to add new files the webserver can utilize.
Next you need to install the awesome WebSockets library.
Type Ctl+shift+i. This pulls up the library manager. From here you type websockets and choose ArduinoWebsockets by Gil Maimon.
Next you need to grab the FastLed library from the library manager just like above.
Add the ESP8266 package from the library manager.
Now grab the code from here. This is a great set of webserver files that are uploaded with the ESP8266 uploader and the ardunio sketches to be modified and uploaded.
Now open the ESP-8266.ino arduino IDE file found in the above github. First issue I hit was that I needed to change the flash size of my esp8266 in the IDE. So I choose generic ESP8266, then set the flash size as shown, and last clicked upload. This will get the webserver files in place.
Once the files are uploaded you should modify the IP address, wifi, pixel count, and pixel control pin info.
If you are controlling more than 255 LEDs like me, you have to modify the code, otherwise it will crash on you. In the led_effects.ino file, several variables are defined as uint8_t format which is an 8 bit number, which means it maxes out at 255. I modified the following:
1 2 3 4 5 6 7 8 | //these are all towards the top
//uint8_t idex = 0; //индекс текущего пикселя
uint16_t idex = 0; //индекс текущего пикселя
//uint16_t TOP_INDEX = uint8_t(LED_COUNT / 2); // получаем середину ленты
uint16_t TOP_INDEX = LED_COUNT / 2; // find the middle
// for(uint8_t i = 0 ; i < LED_COUNT; i++ ){
for(uint16_t i = 0 ; i < LED_COUNT; i++ ){ |
As you can see I changed then from 8 bit to 16 bit numbers which allows for 65k pixels…way more than this little micro can reasonably control.
Good luck and happy lighting.
This week we have Greg, Mike, and all the Andrew Thrift you can handle…then just a little more.
**Sponsors**
Sonar.software
Cambium ePMP Bundle
**/Sponsors**
This week we talk about:
Mikrotik 7.0beta7 and 8 out. L3 hardware offloading on CRS317, BGP support multicore peer processing, routing updates, kernel 5.6.3 – syntax is all different…
Andrew Thrift loves making technical web presentations LOL
Speaking in public – mama loves you.
Artemis bgp hijack software
Here’s the video:(if you don’t see it, hit refresh)