Mikrotik actually has a rogue detection service you can configure, but as we have found running apartment complexes, it can give you false positives. To combat this, I’ve come up with a new method.

First configure syslog exporting with the DHCP service dumping. Next enable the dhcp client to run on all your inside facing interfaces. I’ve got my Cacti syslog server set to match “dhcp,info,debug dhcp-client%got ip address”, which is the message sent when the dhcp client receives an IP address. Once the syslog server processes the message it sends us an alert.

Add dhcp-client to each interface, be sure to disable default route, peer dns and peer ntp.

1
2
3

/ ip dhcp-client 
add interface=vlan10 comment="" disabled=no 
add interface=ether2 comment="" disabled=no

This script will need to be scheduled to run around every hour or so. It will release the dhcp reservation on your interfaces. Otherwise it won’t attempt to pull a new address until the old allocation has expired, which can be up to a year. It loops through releasing from all your interfaces.

1
2
3
4

:log info ("dhcp detect release")
:for e from=0 to=40 do={
/ip dhcp-client release ($e)
}

Once you get an alert from your syslog server, you log into the Mikrotik and issue the:

1

/ip dhcp-client print detail

You’ll get the following:

Flags: X – disabled, I – invalid
0 interface=vlan10 status=bound address=192.168.1.100/24
gateway=192.168.1.1 dhcp-server=192.168.1.1
primary-dns=209.189.224.45 secondary-dns=209.189.224.40
expires-after=21h13m2s

Take the dhcp-server address and use it below:

1

/ip arp print where address="192.168.1.1"

You will get the following result:

Flags: X – disabled, I – invalid, H – DHCP, D – dynamic
# ADDRESS MAC-ADDRESS INTERFACE
0 D 192.168.0.253 00:08:74:4B:7F:BC ether1

Now you track this guy down and shut him off at the switch port, or if you are using mac-track in cacti, you simply look him up, connect to the proper switch and kill him. You could also use this in conjunction with the standard rogue detection service to more quickly find the MAC address.

Here’s the log.

3.21

They added a TFTP server, that’s interesting. They still don’t have the ability to TFTP from the mikrotik to another server, or so it appears. There is still no really functional way for the mikrotik to send his backups to an FTP or TFTP server.

Looks like they back ported their MetaRouter to the rb4XX platform.

3.22

They added some features for the new RB450G. Still waiting for them to send me a copy to test with 😉

It appears they added quite a few updates to their MPLS/VPLS engine.

Nothing ground breaking, but interesting.

Check out TikTube. This is Mirkotiks’ area for instructional videos. Right now, it looks like they only have videos from the last MUM up, but I’m sure they will expand. I’ve only watched one thus far, the “Using 900 Mhz in local neighborhood cells.” I work with Steve-O, so I needed some new material to hastle him with; he called Mikrotik Microsoft in his presentation…heh. My only beef is that it is ssssllllllooooowwwww. I had to pause the video and wait until after lunch to watch it. So, if you have patience and don’t mind watching the videos a couple hours in the future, then checkem out.

You are running Mikrotik in hotspot mode for a customer, but don’t allow them connect to the device. They update their EULA(End User License Agreement) semi-regularly. Rather than wasting time updating their login.html constantly, you want a more flexible solution.

My proposal is to simply use an IFrame. An IFrame is a piece of html that allows you to add a frame to your page that contains a completely seperate web page. So in effect, you will have a web page imbedded in your web page.

Click below for PAGE CODE!
read more…