Mikrotik RouterOS and SNMP

If you’ve been following along for the past few weeks you’ll know that we’ve configured a P2P wireless bridge using WDS, or Wireless Distribution System, and it’s high time we began to monitor the health of this setup.  In this post I’m going to talk about SNMP and configuring these devices for community management.  Naturally, to make these changes, you’ll need to get connected and I recommend using SSH.  SSH to your device and login as admin.

From the “root” menu you can access the SNMP settings by typing “/snmp” – from the /snmp menu you have a couple root commands, but a simple “print” command is going to show you the current state.  Here’s how mine looks:

[admin@localAPHost-AP1] /snmp> print
enabled: no
contact: “”
location: “”
engine-id: “”
engine-boots: 0
time-window: 15
trap-sink: 0.0.0.0
trap-community: (unknown)
trap-version: 1

Based on the command output you can see that SNMP is not enabled and nothing has been configured.  Let’s remedy that using a set command:

set contact=support@domain.com-555-444-3333 location=11AP_Address_Location enabled=yes

Now examine the output of the print command:

[admin@LocalAPHost-AP1] /snmp> print

enabled: yes
contact: “support@domain.com-555-444-3333″
location: “11AP_Address_Location”
engine-id: “”
engine-boots: 0
time-window: 15
trap-sink: 0.0.0.0
trap-community: (unknown)
trap-version: 1

So at this point SNMP is turned on and the contact and location fields have been filled in.  However, we have no yet enabled community access.  To get that going we need to invoke the community sub-menu (from /):

/snmp community

a quick “print” will reveal the current settings:

# NAME                               ADDRESS            SECURITY   READ-ACCESS
0 public                                0.0.0.0/0              none              yes

In the above output you see that read access has been enabled.  If you do not have read access you must use the following to enable it:

/snmp community set public read-access=yes

Here is an example of how MRTG can be used to interpret this data.

Now, be aware that by opening this device up and providing public read access you’re opening yourself up for potential security problems.  I have found that SNMP can be safely deployed if you use ACLs to allow only certain hosts to connect to SNMP ports, but that may not work for everyone.  As an alternative you can use the following command to limit access to community access:

/snmp community set address=192.168.10.0/24

this will only allow hosts on the 192.168.10.0/24 subnet to access this information.