Yesterday’s MikroTik Newsletter announced a new feature added to MikroTik RouterOS, RoMON.  This was first discussed at the Mikrotik Miami MUM held earlier this year but is apparently now a part of RouterOS since version 6.38.  So what is RoMON and what does it do?  In simple terms, RoMON takes care of all the back end tunneling for managing a RouterOS network.  RoMON coupled with the new Winbox Version 3 allows you to link your Mikrotik devices together into a Layer2 management network and then, by logging into one router, you can access all other RoMON routers that are a part of the network.  A picture is worth a thousand words as they say so here we go.  Imagine a network similar to this:

[Diagram: the example network of routers A, B and C]

With MikroTik RoMON the requirements to participate in the RoMON network are simple:

  1. They must be directly connected to another RoMON router, that is, on the same LAN.
  2. If they are not directly connected, they must be on the same “Ethernet Like” segment.  Typically this is an EoIP tunnel.

EoIP was made for RoMON and with the addition of IPSEC over EoIP automatically added in version 6.30, this is a no-brainer for a monitoring network.  To turn this network into a RoMON network, simply create two EoIP tunnels, one between routers B and C and one between routers A and B.  The result using EoIP will be something like this:

[Diagram: the same network with EoIP tunnels between A and B and between B and C]

There is no need to put the EoIP interfaces on any bridges, simply having the Layer2 network between the routers is sufficient.  Creating EoIP interfaces is covered very well on the MikroTik Wiki so I won’t bother with it here.

The steps to create the RoMON network are as follows:

  1. Create the necessary EoIP tunnels. You only need enough tunnels to connect routers that aren’t directly connected to other RoMON routers and RoMON will do the rest. In this example we use tunnels to interconnect routers separated by the public internet.
  2. Ensure you have at least RouterOS version 6.29 on all routers.  Then, enable RoMON like this:

[Screenshot: enabling RoMON in the RoMON settings]

As you can see there are other options here like specifying the Router ID, Secrets, etc., and these options are explained on the Wiki. For security, you should only enable RoMON on ports where it is necessary. By default, all ports are looking for RoMON routers.  These interface rules are ordered like firewall rules, so you could leave the default rule of “all” and then add a rule to forbid on ether1-gateway like this:

[Screenshot: RoMON port rules with a forbid entry for ether1-gateway]

You can also manipulate port cost to ensure the path that is used to get to the RoMON router is optimal for your architecture. The default cost is 100 and these costs have nothing to do with routing, they are only used for RoMON.

  3. This needs to be enabled on all routers in the RoMON network that you want to be able to manage.

Once this is done, the last step is to ensure you have Winbox version 3, latest release candidate downloaded from the MikroTik.com web page.  The RoMON enabled version looks like this:

[Screenshot: Winbox version 3 with the Connect to RoMON button]

Once you click the button Connect to RoMON, you get a new neighbors tab entitled RoMON Neighbors:

[Screenshot: the RoMON Neighbors tab]

Click any MAC address in the list and you will immediately be logged into that RoMON router, through Layer2 RoMON hops along the path.  It’s that easy!  Another cool feature I noticed in Winbox is the ability to save layouts as sessions and to spawn a new Winbox session from Winbox.

[Screenshot: Winbox session and layout options]

Some things to remember when building a RoMON network:

  1. Only enable RoMON on interfaces facing other RoMON routers for security.  Also, use a RoMON secret.
  2. Use IPSEC on EoIP interfaces as they are not secure. 6.30 will make that really easy.
  3. Only use as many EoIP tunnels as you need to join dissimilar network segments.
  4. Use port costs to ensure optimal routing, otherwise you may take a long or slow path unnecessarily.
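Putting the steps above and this checklist together on router B, as an added RouterOS CLI example that is not from the post: all addresses, interface names, tunnel IDs and secrets are constructed placeholders, and the ipsec-secret= option on EoIP assumes RouterOS 6.30 or later.

```routeros
# Router B (the router in the middle).  Constructed example for this post;
# every address, name, tunnel-id and secret below is a placeholder.

# Step 1: EoIP tunnels only where RoMON routers are not already on a common
# Layer2 segment.  IPsec is enabled per tunnel because plain EoIP is not
# encrypted (ipsec-secret= exists from RouterOS 6.30 on).
/interface eoip
add name=eoip-to-A remote-address=203.0.113.10 tunnel-id=10 \
    ipsec-secret=CHANGE_ME_TUNNEL_PSK comment="RoMON link to router A"
add name=eoip-to-C remote-address=198.51.100.20 tunnel-id=20 \
    ipsec-secret=CHANGE_ME_TUNNEL_PSK comment="RoMON link to router C"

# Step 2: enable RoMON with a shared secret so only routers that know it can
# join.  Every router in the RoMON network needs the same secret.  The router
# ID defaults to a MAC address; set id= only if you want a fixed one.
/tool romon
set enabled=yes secrets=CHANGE_ME_ROMON_SECRET

# Step 3: port rules.  As the post describes, the default "all" entry stays
# and a forbid entry for the WAN port is added so RoMON never talks on the
# internet-facing interface.  Entries for the RoMON-facing interfaces carry
# the cost used for path selection (default 100, unrelated to IP routing):
# a lower cost on ether2 makes the local LAN the preferred path to router C.
/tool romon port
add interface=ether1-gateway forbid=yes comment="never speak RoMON on the WAN"
add interface=eoip-to-A cost=100 comment="RoMON to router A via EoIP"
add interface=eoip-to-C cost=100 comment="RoMON to router C via EoIP"
add interface=ether2 cost=50 comment="preferred local path to router C"

# Verify: list the port rules, discover RoMON routers, and ping one by ID.
/tool romon port print
/tool romon discover
/tool romon ping id=00:00:00:00:00:00
```

Repeat steps 2 and 3 on routers A and C with their own interface names; the RoMON secret must match everywhere, and the tunnel-id and IPsec secret must match on both ends of each EoIP tunnel.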

Some other cool features are RoMON discovery, which shows you all your RoMON routers, RoMON Ping, and the ability to set the router ID used by RoMON (a MAC address).

Finally, the big question: “Should I implement this across my entire network today?” I believe the answer is no.  Start small and test thoroughly.  Allow RoMON to mature.  I have seen some instability in Winbox Version 3 and that needs to get sorted out, but in the meantime you can start small and give it a good test run.  Have fun RoMON’ing!