TR-069 at Mikrotik. Testing Freeacs as an autoconfig server for RouterOS

In this article I will walk step by step through installing a test server of the excellent FreeACS project to a fully working state, and show practical techniques for managing MikroTik devices with it: configuration through parameters, script execution, upgrades, installing additional packages, and so on.

The goal is to nudge colleagues away from managing network devices with the usual rakes and crutches (home-grown scripts, The Dude, Ansible and the like), and to mark the occasion with fireworks and rejoicing in the squares.

0. The choice

Why FreeACS, and not the more actively maintained GenieACS mentioned on the MikroTik wiki?
Because GenieACS with MikroTik has already been covered, in Spanish: a pdf and a video from last year's MUM. Animated slides are nice, but I would like to get away from the pattern of writing scripts that run scripts that run scripts…

1. Freeacs installation

We will install on CentOS 7. The devices send a lot of data and the ACS works the database hard, so we will not skimp on resources: 2 CPU cores, 4 GB RAM and 16 GB of fast storage (SSD RAID 10) are comfortable. I am installing FreeACS in a Proxmox VE LXC container; use whatever you find convenient.
Don't forget to set the correct time on the ACS machine.

This is a test system, so let's not be clever and just use the provided installation script as is. Read it before running it: it runs as root and sets up MySQL and nginx alongside FreeACS itself.

wget https://raw.githubusercontent.com/freeacs/freeacs/master/scripts/install_centos.sh
chmod +x install_centos.sh
./install_centos.sh

As soon as the script finishes you can open the web interface at the machine's IP address with the default credentials admin/freeacs. Change that password before the machine is reachable by anyone but you.

[screenshot]
A nice minimalist interface, and it all came up quickly.

2. Freeacs initial setup

The basic object the ACS manages is the unit, i.e. the CPE (Customer Premises Equipment). What we need above all in order to manage units is their Unit Type: the hardware model, which defines the set of parameters a unit and its software can be configured with. Until we know how to create a Unit Type correctly by hand, the easiest way is to ask the unit itself, by turning on Discovery Mode.

This mode must never be used in production (any device that reaches the ACS gets a unit and a Unit Type created for it), but we want the engine running as quickly as possible to see what the system can do. All basic settings live in /opt/freeacs-*. So we open

vi /opt/freeacs-tr069/config/application-config.conf

find

discovery.mode = false

and change to

discovery.mode = true

We also want to raise the maximum file size that nginx and MySQL will handle, since firmware images pass through both. For MySQL, add to /etc/my.cnf

max_allowed_packet=32M

and for nginx, add inside the http section of /etc/nginx/nginx.conf

client_max_body_size 32m;

Otherwise we will be limited to firmware files of at most 1 MB, nginx's default client_max_body_size.

Reboot, and we are ready to work with devices.

The device (CPE) role will be played by a small but hard-working hAP ac lite.

Before the test connection, it is worth manually bringing the CPE to a minimal working configuration, so that the parameters you later want to manage are not empty. For a router the minimum is a DHCP client on ether1, the tr069-client package installed, and passwords set.

3. Connect Mikrotik

Connect every unit using its real serial number as the username; then the logs will make sense. Some advise using the WAN MAC: don't. Some use one shared username/password pair for every device: steer well clear of them, because with a shared credential any device that knows it (or anyone who pulls it out of a device) can impersonate any other unit and receive its configuration.

Open the TR-069 log to watch the negotiation:

tail -f /var/log/freeacs-tr069/tr069-conversation.log

Open Winbox, menu item TR-069.
ACS URL: http://10.110.0.109/tr069/prov (replace with your IP)
Username: 9249094C26CB (copy the serial from System > Routerboard)
Password: 123456 (not needed in discovery mode, but set one anyway)
Leave the Periodic Inform interval alone; we will push that setting from the ACS.
Note that with a plain http:// ACS URL the credentials and every parameter value travel in the clear; acceptable on an isolated test segment, not beyond it.

Below these are the settings for the remotely initiated connection, but I couldn't get MikroTik to work with it on the first try, although the connection request works out of the box with phones. I will have to figure it out.

[screenshot]

After you press Apply, the exchange scrolls by in the terminal, and in the FreeACS web interface you can see our router with the automatically created Unit Type "hAPaclite".
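What the tr069-conversation.log shows at this point is the CPE's Inform: the device identity, the event codes that triggered the session, and a handful of parameters. Below is an added example, not code from the article or from FreeACS, that parses a constructed Inform (the serial is the one from the text; the OUI, timestamp and addresses are made up) with Python's standard library and performs the check an ACS should do on every session: the username the CPE authenticated with must equal the serial it claims in DeviceId, which is exactly why the text recommends using the serial as the username. It also flags the "0 BOOTSTRAP" event, which a CPE sends on first contact and after a factory reset. The function names are mine.

```python
"""Parse a CWMP Inform and check the CPE's claimed identity against the
HTTP credentials it authenticated with (standard library only)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "cwmp": "urn:dslforum-org:cwmp-1-0",
}

# Constructed sample, not a capture: the serial is the one from the text,
# the OUI, timestamp and addresses are made up.
SAMPLE_INFORM = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Header><cwmp:ID soap:mustUnderstand="1">1</cwmp:ID></soap:Header>
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>MikroTik</Manufacturer>
        <OUI>AABBCC</OUI>
        <ProductClass>hAPaclite</ProductClass>
        <SerialNumber>9249094C26CB</SerialNumber>
      </DeviceId>
      <Event>
        <EventStruct><EventCode>0 BOOTSTRAP</EventCode><CommandKey/></EventStruct>
        <EventStruct><EventCode>1 BOOT</EventCode><CommandKey/></EventStruct>
      </Event>
      <MaxEnvelopes>1</MaxEnvelopes>
      <CurrentTime>2019-11-01T12:00:00Z</CurrentTime>
      <RetryCount>0</RetryCount>
      <ParameterList>
        <ParameterValueStruct>
          <Name>Device.DeviceInfo.SoftwareVersion</Name><Value>6.45.6</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>Device.ManagementServer.PeriodicInformInterval</Name><Value>86400</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>Device.ManagementServer.ConnectionRequestURL</Name><Value>http://192.0.2.10:7547/</Value>
        </ParameterValueStruct>
      </ParameterList>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>
"""


def parse_inform(xml_text):
    """Return the DeviceId fields, the event codes and the parameter list of an Inform."""
    root = ET.fromstring(xml_text)
    inform = root.find("soap:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("not a cwmp:Inform envelope")
    device_id = inform.find("DeviceId")
    if device_id is None:
        raise ValueError("Inform without DeviceId")
    device = {child.tag: (child.text or "").strip() for child in device_id}
    events = [es.findtext("EventCode", "").strip()
              for es in inform.findall("Event/EventStruct")]
    params = {pv.findtext("Name", "").strip(): (pv.findtext("Value") or "").strip()
              for pv in inform.findall("ParameterList/ParameterValueStruct")}
    return {"device": device, "events": events, "params": params}


def identity_matches(inform, auth_username):
    """The CPE authenticated the HTTP session with auth_username and claims a
    serial in DeviceId. Accept the session only if both name the same device.
    With one shared credential for every unit this check is impossible."""
    return bool(auth_username) and inform["device"].get("SerialNumber") == auth_username


def is_first_contact(inform):
    """'0 BOOTSTRAP' is sent on first contact and after a factory reset: the
    moment the ACS must push the full configuration, not just a delta."""
    return "0 BOOTSTRAP" in inform["events"]


if __name__ == "__main__":
    info = parse_inform(SAMPLE_INFORM)
    print(info["device"], info["events"], sorted(info["params"]))
    print("identity ok:", identity_matches(info, "9249094C26CB"))
```

In a real ACS the username comes from the HTTP Basic/Digest authentication of the session, and the BOOTSTRAP check is what drives the "auto-configuration after reset" the conclusion mentions.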

[screenshot]

The router is connected, and we can look at the automatically generated Unit Type: Easy Provisioning > Unit Type > Unit Type Overview > hAPaclite. What isn't there! No fewer than 928 parameters (I counted in the shell). Whether that is a lot or a little we will work out later; for now just a quick look. This is what a Unit Type is: a list of supported parameters with their names and keys (the R/W/S/D flags), but no values. Values are set at the levels below it, Profiles and Units.

4. Configure Mikrotik

Time to download the web interface guide. This 2011 guide is like a bottle of good aged wine; let's open it and let it breathe.

Meanwhile, in the web interface, click the pencil next to our unit to enter the unit configuration page. It looks like this:

[screenshot]

Let's briefly go over what is interesting on this page:

Unit configuration block

  • Profile: the profile within the Unit Type. The hierarchy is UnitType > Profile > Unit, so we can create, for example, the profiles hAPaclite > hotspot and hAPaclite > branch, but only within the device model.

Provisioning block (with the buttons)
The tooltips suggest that every button in the Provisioning block can apply the configuration immediately via the ConnectionRequestURL. As I said above, that does not work for me yet, so after pressing a button you will need to restart the TR-069 client on the MikroTik to start provisioning manually.

  • Freq/Spread: how many times a week to deliver the configuration, and the ± % jitter that spreads the load on the server and the links. The default is 7/20, i.e. once a day ± 20%, and the tooltip shows the equivalent in seconds. There is no point changing the delivery frequency yet: it only adds noise to the logs, and settings get applied at unexpected moments.

Provisioning history block (last 48 hours)

  • It looks like a plain history, but clicking the title takes you to a convenient database search tool with regexp and other goodies.

Parameters block

The largest and most important block, where the parameters of this unit are actually set and read. Right now we see only the essential system parameters without which the ACS cannot work with the unit, but remember that the Unit Type has 928 of them. Let's read all the values and see what MikroTik can be fed with.

4.1 Reading the parameters

In the Provisioning block, click Read all. The block gets a red banner, a column CPE (current) value appears on the right, and in the system parameters ProvisioningMode changes to READALL.

[screenshot]

And… nothing happens, except for a message in System.X_FREEACS-COM.IM.Message: Kick failed at….

Restart the TR-069 client or reboot the router, and keep refreshing the browser page until the parameters show up in the cheerful grey boxes on the right.
For those who want a sip of the aged wine, this mode is described in the manual under 10.2 Inspection mode. It is turned on and works slightly differently now, but the essence is described well enough.

[screenshot]

READALL mode turns itself off after 15 minutes, so while we are in it let's work out what is useful here and what can be changed on the fly.

You can change IP addresses, enable or disable interfaces and firewall rules (only the rules that have comments, otherwise it is a complete mess), Wi-Fi, and other small things.

In other words, it is not yet possible to fully configure a MikroTik with TR-069 parameters alone, but monitoring works very well: interface statistics and status, free memory and so on are all available.

4.2 Delivering parameters

Now let's deliver a parameter to the router via TR-069 the "natural" way. The first victim is Device.DeviceInfo.X_MIKROTIK_SystemIdentity. Find it in the unit's parameter list under All; as you can see, it is not set, which means any unit can call itself whatever it likes. Enough of that!
Tick the checkbox in the Create column, enter the value Mr.White and press Update parameters. You can guess what happens next: at its next session with headquarters the router must change its identity.

[screenshot]

That is not enough for us, though. A parameter like Identity is handy to have at hand whenever you look for the right unit. Click the parameter name and tick Display (D) and Searchable (S); the parameter's key changes to RWSD. (Remember, names and keys are set at the top level, the Unit Type.)

[screenshot]

The value is now not only shown in the general unit list, but is also searchable in the Support > Search > Advanced form.

[screenshot]

Trigger provisioning and look at the identity. Hello, Mr.White! From now on you can't change your identity yourself while the tr069-client is running: the ACS will set it back at the next session.

[screenshot]

4.3 Executing scripts

Since we have established that there is no getting by without scripts, let's run them.

Before working with files, though, we need to fix the public.url directive in /opt/freeacs-tr069/config/application-config.conf. After all, we still have the test configuration laid down by the install script, remember?

# --- Public url (used for download f. ex.) ---
public.url = "http://10.110.0.109"
public.url: ${?PUBLIC_URL}

Reboot the ACS and head straight to Files & Scripts.

[screenshot]

But what opens now belongs to the Unit Type, i.e. globally to all hAP ac lite routers, whether branch router, hotspot or CAPsMAN. We don't need that high a level yet, so before working with scripts and files, create a profile. Think of it as the device's "job title".

Let's make our baby a time server: a respectable job with its own software package and a small number of parameters. Go to Easy Provisioning > Profile > Create Profile and create the profile timeserver in Unit Type hAPaclite. The default profile had no parameters, so there is nothing to copy: Copy parameters from: "don't copy…".

[screenshot]

There are no parameters here yet, but this is where we will later set the ones we want on every time server built from a hAPaclite, for example the shared upstream NTP server addresses.
Now go to the unit configuration and move the unit into the timeserver profile.

Finally we go to Files & Scripts to create the script, and here some very convenient goodies await.

To execute a script on a unit, select Type: TR069_SCRIPT, and both Name and Target Name must have the .alter extension.
For scripts, unlike software, you can either upload a finished file or simply write and edit it in the Content field. Let's write it right there.

So that the result is visible immediately, add a VLAN on ether1:

/interface vlan
add interface=ether1 name=vlan1 vlan-id=1

[screenshot]

Type it in, press Upload, done. Our script vlan1.alter is waiting in the wings.

Off we go? Not yet. We also need a group for our profile. Groups are not part of the equipment hierarchy; they are used to select units within a Unit Type or Profile, and are required to run scripts via Advanced Provisioning. Groups are usually tied to locations and can be nested. Let's make a Russia group.

[screenshot]

We have just narrowed the selection from "all hAPaclite time servers in the world" to "all hAPaclite time servers in Russia". There is a whole layer of interesting things you can do with groups, but no time for that now; we came here for the scripts.

Advanced Provisioning > Job > Create Job

[screenshot]

This being Advanced provisioning, you can specify all sorts of conditions for starting the job, error behaviour, retries and timeouts. I recommend reading about them in the manual, or discussing them later when going to production. For now, just set Stop rules to n1, so that the job stops as soon as it has completed on our one unit.

Fill in the rest, and all that remains is to launch it!

[screenshot]

Press START and wait. Will the counter of devices killed by a half-debugged script now tick up briskly? Of course not. Such jobs run over a long time, and that is what sets them apart from scripts, Ansible and the like: units come and ask for jobs on their own schedule or as they appear on the network, and the ACS keeps track of which units have already received the job and how it ended, recording this in the unit's parameters. There is one unit in our group; if there were 1001, the admin would start the job and go fishing.

Go on, reboot the router or restart the TR-069 client. Everything should go smoothly and Mr.White gets a new VLAN, while our job, thanks to the stop rule, goes into PAUSED status, meaning it can still be restarted or edited. Pressing FINISH sends the job to the archive.

4.4 Updating the software

This is an important point: MikroTik's firmware is modular, but adding a package does not change the device's overall firmware version, and our ACS, like any normal ACS, is not used to that.
For now we will do it quick and dirty and push the NTP package in together with the firmware, but once the version on the device has been bumped we will not be able to add another package the same way.
In production it is better not to use this trick, and to install packages that are optional for the Unit Type with scripts only.

First, prepare the packages of the required version and architecture and put them on a web server. For the test, any server Mr.White can reach will do; for production, it is better to build an auto-updating mirror of the needed packages that you are not afraid to expose on the web. Keep in mind that RouterOS will only install packages carrying MikroTik's signature, but that does not stop someone on the path of a plain-HTTP download from serving an older, still signed and still vulnerable version; serve the mirror over HTTPS in production.
Important! Always include the tr069-client package in upgrades, otherwise the device comes back up with a mismatched (and therefore disabled) TR-069 client and drops off the ACS.

As it turned out, the length of the path to the packages matters a lot! When I tried to use something like http://192.168.0.237/routeros/stable/mipsbe/routeros-mipsbe-6.45.6.npk, the MikroTik fell into a loop connecting to the resource and sending repeated TRANSFERCOMPLETE messages to the TR-069 log, and I burned some nerve cells figuring out what was wrong. So, until this is clarified, we put the files in the web root.

So we should have three npk files available over HTTP. Mine ended up like this:

http://192.168.0.241/routeros-mipsbe-6.45.6.npk
http://192.168.0.241/ntp-6.45.6-mipsbe.npk
http://192.168.0.241/tr069-client-6.45.6-mipsbe.npk

Now this has to be wrapped in an XML file that we will hand to the MikroTik as FileType "1 Firmware Upgrade Image". Let's call it ros.xml.

Following the MikroTik wiki instructions:

<upgrade version="1" type="links">
    <config />
    <links>
        <link>
            <url>http://192.168.0.241/routeros-mipsbe-6.45.6.npk</url>
        </link>
        <link>
            <url>http://192.168.0.241/ntp-6.45.6-mipsbe.npk</url>
        </link>
        <link>
            <url>http://192.168.0.241/tr069-client-6.45.6-mipsbe.npk</url>
        </link>
    </links>
</upgrade>

One thing clearly missing is a Username/Password for the download server. You could try adding them per link, as in section A.3.2.8 of the TR-069 specification:

<link>
<url>http://192.168.0.237/routeros/stable/mipsbe/ntp-6.45.6-mipsbe.npk</url>
<Username>user</Username>
<Password>pass</Password>
</link>

Or ask MikroTik support directly, along with the question of the maximum path length to the *.npk files.
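Added example, not from the article or from the MikroTik wiki: a Python helper that builds the ros.xml links manifest from a package list and checks a manifest (ours or a hand-written one) against the pitfalls above. build_upgrade_xml, validate_manifest and package_filename are my own names; the file-name patterns are the ones from the listing above, the per-link Username/Password elements follow the TR-069 A.3.2.8 layout quoted above (whether RouterOS honours them inside this manifest is still the open question the text raises), and the expected version must be given exactly as the device reports it.

```python
"""Build and sanity-check the RouterOS 'links' upgrade manifest (ros.xml) that
FreeACS serves to the CPE as FileType 1, Firmware Upgrade Image."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def package_filename(name, version, arch):
    """File names as in the listing above: the main package is
    routeros-<arch>-<version>.npk, extra packages are <name>-<version>-<arch>.npk."""
    if name == "routeros":
        return f"routeros-{arch}-{version}.npk"
    return f"{name}-{version}-{arch}.npk"


def build_upgrade_xml(base_url, version, arch, packages, username=None, password=None):
    """Return the manifest as text. Refuses a package set that would leave the
    CPE without its TR-069 client after the upgrade."""
    packages = list(packages)
    if "routeros" not in packages:
        raise ValueError("the main routeros package is required")
    if "tr069-client" not in packages:
        raise ValueError("tr069-client missing: the CPE would drop off the ACS after upgrading")
    root = ET.Element("upgrade", {"version": "1", "type": "links"})
    ET.SubElement(root, "config")
    links = ET.SubElement(root, "links")
    for pkg in packages:
        link = ET.SubElement(links, "link")
        ET.SubElement(link, "url").text = (
            f"{base_url.rstrip('/')}/{package_filename(pkg, version, arch)}")
        if username is not None:
            # Per-link credentials laid out as in TR-069 A.3.2.8 (assumption:
            # RouterOS may or may not honour them inside this manifest).
            ET.SubElement(link, "Username").text = username
            ET.SubElement(link, "Password").text = password or ""
    return ET.tostring(root, encoding="unicode")


def validate_manifest(xml_text, expected_version):
    """List the problems in a manifest: every file must carry exactly the version
    the ACS stores as System.X_FREEACS-COM.Device.SoftwareVersion, the main and
    tr069-client packages must be present, and plaintext HTTP is flagged."""
    problems = []
    names = set()
    root = ET.fromstring(xml_text)
    for url_el in root.iterfind("links/link/url"):
        url = (url_el.text or "").strip()
        parsed = urlparse(url)
        fname = parsed.path.rsplit("/", 1)[-1]
        if parsed.scheme == "http":
            problems.append(f"plaintext transport: {url}")
        if not fname.endswith(".npk"):
            problems.append(f"not an npk package: {url}")
            continue
        stem = fname[:-len(".npk")]
        # "-6.45.6" must be followed by "-<arch>" or end the name; "-6.45.61" is not a match.
        if not re.search(rf"-{re.escape(expected_version)}(?:-|$)", stem):
            problems.append(f"version mismatch (expected {expected_version}): {fname}")
        # Package name is everything before the first "-<digit>" (keeps "tr069-client" whole).
        names.add("routeros" if stem.startswith("routeros-")
                  else re.split(r"-\d", stem, maxsplit=1)[0])
    if "routeros" not in names:
        problems.append("main routeros package missing")
    if "tr069-client" not in names:
        problems.append("tr069-client package missing")
    return problems


if __name__ == "__main__":
    manifest = build_upgrade_xml("https://192.168.0.241", "6.45.6", "mipsbe",
                                 ["routeros", "ntp", "tr069-client"])
    print(manifest)
    print(validate_manifest(manifest, "6.45.6"))
```

The plaintext-transport warning is deliberate: the device checks MikroTik's package signature, but that does not prevent an on-path substitution of an older, still signed package, so the validator treats http:// as a finding rather than a preference.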

Go to the familiar Files & Scripts and create a file of type SOFTWARE there with Name: ros.xml, Target Name: ros.xml and Version: 6.45.6.
Attention! The version must be entered here in exactly the format the device reports it, as passed in the parameter System.X_FREEACS-COM.Device.SoftwareVersion; otherwise the ACS cannot match what the device reports against what it offered.

Select our XML file for upload, and done.

[screenshot]

Now there are several ways to upgrade the device: the Wizard in the main menu, a job of type SOFTWARE in Advanced Provisioning, or simply the Upgrade button on the unit configuration page. Let's take the easiest one; the article is bloated enough already.

[screenshot]

Press the button, trigger provisioning, and done. The test programme is complete; now we can do much more with MikroTik.

5. Conclusion

When I started writing, I wanted to first describe connecting an IP phone, and use it to show how pleasant it is when TR-069 just works, easily and effortlessly. But as I progressed and dug into the material, I decided that anyone who has connected a MikroTik will not be scared of any phone on their own.

In principle the FreeACS we tested could already be used in production, but for that you need to set up security and SSL (at the very least: turn discovery mode off, change the admin password, and put the ACS and the package mirror behind HTTPS, since right now credentials, configuration and firmware cross the network in the clear), configure the MikroTiks for auto-configuration after a reset, work out how to add a Unit Type properly, dig into the web services and the fusion shell, and much more. Experiment, invent, and write a sequel!

Thank you all for your attention! Corrections and comments are welcome!

List of used materials and useful links:

A forum thread that I came across when I started searching on the topic
TR-069 CPE WAN Management Protocol Amendment-6
freeacs wiki
TR-069 parameters in MikroTik and their correspondence to terminal commands

Source: habr.com