Starting in RouterOS version 6.28, MikroTik has included a new tool, which is arguably the most valuable to you can have in your toolbox. RoMON stands for Router Management Overlay Network. The basic idea is, as long as RoMON is turned on and you can access one router on your network, you can access all of your routers on that network over a Layer 2 connection. Its a lot like MAC-Telnet, but on steroids. What makes RoMON so valuable? Let’s look at a few different scenarios.
Network Management Beyond NAT
First, let’s say that nothing is actually broken on our network, but because of masquerade we would not normally be able to Winbox into the whole network from the outside, only the gateway router. Now, in truth, this is a very common scenario and it is usually handled either with NAT rules or with a tunnel, but RoMON can make this even easier. RoMON works over any “Ethernet-like” connection such as Ethernet, Fiber, Layer 2 tunnels, bridged wireless, and so on. The limitation that the tunnel and the NAT fixes have is that we really need Layer 3 connectivity to all devices for it to work well. We have MAC-Telnet at our disposal if something gets broken, but this is very cumbersome for people who are not comfortable with the command line interface. With RoMON, as long as we could reach the gateway router in this network, we could winbox into every participating router… whether they were configured properly or not!
That means we can make major changes remotely and with confidence. That means fewer trucks rolls and higher up times. That also means it a little bit safer to let the new guy try to make changes first (under supervision, of course). Since the majority of MikroTik users are more comfortable with Winbox over the command line, now there is a tool that will let them work the same sort of magic that advanced users of MAC-Telent have been doing for years. There are a few limitations though. First, RoMON’s default setting is disabled, so you have to log into every router and turn it on. Secondly, this is a MikroTik proprietary protocol, so that means we need devices between MikroTik routers to be in a layer 2 configuration. Third, encryption takes places at a higher level that Layer 2, so the security requires some careful considerations. Some of those considerations will be at the end of this tutorial.
Reaching Out To Mis-configured Routers
Now, let’s take another look at this network, but this time our perspective has changed and we are on the inside… something gets broken and we lost Layer 3 connectivity. This could be because routes were removed, we made a bad change to a routing protocol, we made a bad change to the firewall, or any number of other possibilities. All of us have been in this boat at some point, but now as long as we can get access to one router and that router has Layer 2 connectivity to another router… an another… and however many we have on our network… we can easily winbox into all of them. Each router will act as a sort of proxy for any other routers that it has Layer 2 connectivity to and this continues until all of the routers can be accessed. Since this is Layer 2, that means we have access even if we make a mistake in our Layer 3 firewall (most of the time). When I first learned about “Safe Mode” I thought that had to have been the best safety mechanism that any product ever implemented. RoMON actually surpasses “Safe Mode” in shear usefulness… and that’s a pretty impressive accomplishment.
Let’s take a look at how easy it is to use RoMON.
Step 1 – Set the System Identity on all routers by going to System -> Identity. RoMON uses the lowest MAC address on the router as the default identity, so naming your routers will be important to remove confusion.
Step 2 – Enable RoMON on all routers by going to Tools -> RoMON and putting a check in the enabled checkbox. Many people could be done configuring RoMON at this point and be ready to use it, but keep reading in case your network is not one of those.
Connecting to RoMON
RoMON also works from the command line, but we are going to focus on its use with Winbox. To connect, point Winbox to the router that you have Layer 3 connectivity to, but instead of selecting the “Connect” button you will click on the “Connect to RoMON” button. Within a few seconds a new list of devices will appear. This is all of the routers that can be seen from the one you have a connections to. Click on the appropriate device from this new list and then click the “Connect” button. See below:
Disconnecting from RoMON
Sometimes when your connection gets broken, Winbox will still have the “RoMON Agent” field filled with the last device you connected to and Winbox will have trouble connecting to something. To get Winbox to work normally again, just clear that field out.
RoMON also works from the command line as stated earlier and file transfers will work over RoMON as well.