Mikrotik RouterOS SSH Ping probe for Smokeping
This is a probe for Smokeping that connects to a Mikrotik RouterOS Device via SSH to source ping requests to monitor latency.
SmokePing, written by Tobias Oetiker and Niko Tyni, is a latency graphing and alerting system. Smokeping is a valuable tool to monitor network performance metrics. Also check out the GitHub repo.
Where routers or switches are placed around a network's logical topology, SmokePing can monitor more than the latency between the local end and a remote end (i.e. a local server to a remote server): sourcing pings from any VLAN, network, or interface on a router gives insight into latency on any given segment of the network. Sourcing a ping from your network's edge can eliminate internal metrics and isolate upstream metrics. This can, of course, be accomplished with Cisco, Juniper, Dell, Huawei, ZTE, and others.
Smokeping provides a number of probes that connect to a router or switch and source ping requests from the remote device to gather latency metrics. However, only two probes provided by the Smokeping project provide SSH connectivity, and only to Arista and Juniper devices. Smokeping also provides the TelnetIOSPing probe for Cisco devices.
I wanted a probe to connect to Mikrotik RouterOS devices via SSH. So I created this probe to provide that functionality.
- Net::OpenSSH
- IO::Pty
** Your OS may require that you install the openssh-client if you are seeing any of the following errors:
SSH connection failed: unable to establish master SSH connection: bad password or master process exited unexpectedly at
unable to establish master SSH connection
This is because the version of the Net::OpenSSH Perl module installed on your distro does not provide the multiplexing functionality required.
According to Net::OpenSSH documentation:
- To install the needed support
- Alpine dist - run: apk add openssh-client
- Debian dist - run: [sudo] apt install openssh-client
- Data::Dumper
- Log::Log4perl
- Source IP
- Preferred Source IP
- Interface Name
- Host IP or FQDN. (FQDN if DNS is enabled on Mikrotik Router)
- Packet Size
- Target Ping Count
- Routing Table Name
- Time to Live
- DSCP ID
- Do Not Fragment flag
- Source SSH Port (Standard or Non-Standard)
- User defined openssh-client path (/usr/bin/ssh)
- Multiplexed SSH Connections
- User defined SSH Control Socket File Path
- User defined SSH Control Socket Persist Timeout
- Target specific debug output
- Specify user defined output file and location
Multiplexing is the ability to send more than one signal over a single line or connection. In OpenSSH (>=v3.9), multiplexing can re-use an existing outgoing TCP connection for multiple concurrent SSH sessions to a remote SSH server. The benefits are avoiding the overhead of creating a new TCP connection (on both the local and remote hosts) and of reauthenticating each time, and faster connection times. Reference: https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
- Create a smokeping group with limited policy rights (ssh, read, test). Then create a smokeping user with the smokeping group rights.
- Ensure you have the SSH service enabled.
- Set/filter the allowed IPs either in IP->Services or set up a firewall rule to permit SSH connections per your security policy.
There are some requirements for this feature to work. OpenSSH requires that the directory where the Master Control Socket File is created, and its parents, be writable only by the current effective user or root; otherwise the connection will be aborted to avoid insecure operation. By default ~/.libnet-openssh-perl is used.
This probe will attempt to determine the $HOME directory of the user running Smokeping, usually "smokeping" or "root". In some cases, such as when using Docker or another container platform, the user may differ; for example, it could be "abc" when using s6-supervise. You can override this behaviour and specify the directory where the Master Control Socket File is created by setting the multiplex_socket_file_path option in the Probes config file. You must ensure that the path meets the requirements stated above and that the permission mask is 0755 or more restrictive, so that no other user can write to the directory or file.
- The error you will see in smokeping.log (with Smokeping debug and logging enabled) if you have defined your own socket file path without properly setting up permissions:
- OpenSSHMikrotikRouterOSPing: OpenSSHMikrotikRouterOSPing connecting <source IP>: unable to establish master SSH connection: bad password or master process exited unexpectedly
For each unique source (router) the probe will create a unique master control socket file.
abc@5fef45006a04: mkdir /tmp/smokeping_ssh_sockets
abc@5fef45006a04: chown -R abc:users /tmp/smokeping_ssh_sockets
abc@5fef45006a04: chmod -R 0744 /tmp/smokeping_ssh_sockets
Example of two multiplexed control sockets created for two target hosts
abc@5fef45006a04:/$ ls -alF /tmp/smokeping_ssh_sockets/
total 8
drwxr--r-- 2 abc users 4096 Oct 16 08:55 ./
drwxrwxrwt 1 root root 4096 Oct 16 08:47 ../
srw------- 1 abc users 0 Oct 16 08:55 'control-smokeping@10.10.0.1'=
srw------- 1 abc users 0 Oct 16 08:55 'control-smokeping@10.20.12.1'=
See https://metacpan.org/pod/Net::OpenSSH for full documentation
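The directory rule described above can be checked before pointing the probe at a custom control socket location. The script below is an added example, not part of the probe or of Net::OpenSSH; the function name check_socket_dir, its optional stop-directory argument, and the acceptance of sticky-bit parents such as /tmp (as in the listing above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a candidate SSH control-socket directory.
# check_socket_dir DIR [STOP]
#   returns 0 if DIR and every parent up to STOP (default /) is owned by the
#   effective user or root and is not writable by group or other;
#   returns 1 on a violation, 2 if DIR or STOP is not a directory.
# Assumption: directories with the sticky bit set (e.g. /tmp) are accepted.
check_socket_dir() (
    set -f   # no globbing when the ls output is split into fields
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1" >&2; exit 2; }
    stop=$(cd "${2:-/}" 2>/dev/null && pwd -P) || { echo "bad stop dir: $2" >&2; exit 2; }
    euid=$(id -u)
    while :; do
        # ls -ldn prints the mode string (field 1) and numeric owner uid (field 3)
        set -- $(ls -ldn -- "$dir")
        mode=$1 owner=$3
        if [ "$owner" != "$euid" ] && [ "$owner" != 0 ]; then
            echo "FAIL $dir: owned by uid $owner" >&2; exit 1
        fi
        case $mode in
            ?????????[tT]*) ;;  # sticky bit: other users cannot replace entries
            ?????w*|????????w*)
                echo "FAIL $dir: mode $mode is group/other-writable" >&2; exit 1 ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then exit 0; fi
        dir=$(dirname -- "$dir")
    done
)
```

Run it as the user that executes Smokeping, for example `check_socket_dir /tmp/smokeping_ssh_sockets`; a non-zero exit status means the path does not meet the ownership and write-permission rule.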
- Copy the OpenSSHMikrotikRouterOSPing.pm file to the Smokeping probes directory on your server. It can be located in a number of places depending on your distro. Common locations are:
- Ubuntu: /usr/share/perl5/Smokeping/probes
- Alpine docker: /usr/share/perl5/vendor_perl/Smokeping/probes
- Or 'sudo find / -type f -name Smokeping.pm' to locate base directory
+ OpenSSHMikrotikRouterOSPing
forks = 5
offset = 50%
step = 300
timeout = 60
packetsize = 56
pings = 20
# interface = <interface name> # Not used by default
# ttl = 20 # Not used by default
# dscp_id = <id number> # Not used by default
# rtable = <routing table name> # Not used by default
# do_not_fragment = false # Not used by default
routerospass = <userpass>
routerosuser = <username>
# ssh_binary_path = /usr/bin/ssh
multiplex_ssh = true # Default
# multiplex_control_persist_time = 10 # Default is 10 min. A value of 0 will leave socket file indefinitely
# multiplex_control_file_path = ~/.libnet-openssh-perl # Default
debug = false # Default
debug_logfile = /tmp/smokeping_openssh_mtik.log
# Config Examples
+ Edgerouter
# Define some defaults for this section's Targets
probe = OpenSSHMikrotikRouterOSPing
title = Edge Router
menu = Edge Router
source = 172.20.0.1
psource = <WAN/Public Facing IP Address or other Internal Facing Interface>
++ nyc1_digitalocean_com
title = speedtest-nyc1.digitalocean.com (DigitalOcean New York 1)
host = speedtest-nyc1.digitalocean.com
# source - uses parent defined
# psource - uses parent defined
rtable = secondary_wan
# multiplex_ssh = true # Default
multiplex_control_file_path = /tmp/smokeping_ssh_sockets
multiplex_control_persist_time = 0 # Indefinitely
debug = true
# More Config Examples
+ RemoteRouters
# Define some defaults for this section's Targets
probe = OpenSSHMikrotikRouterOSPing
title = Remote Routers
menu = Remote Routers
++ remote_router1
title = Remote Router1
source = <remoterouter1_WAN_IP_Address>
# psource - No default defined, will use source address to source pings
host = <IP_of_interest>
ssh_port = 22431
debug = true
debug_logfile = /tmp/smokeping_remote_router1.log
++ remote_router2
title = Remote Router2
source = <remoterouter2_WAN_IP_Address>
psource = <some_other_IP_address_on_remote_router>
host = <IP_of_interest>
rtable = <name_of_routing_table_other_than_main>
ssh_port = 29437
multiplex_ssh = false # Don't use multiplexed ssh connections - but why would you not want to
++ remote_router3
title = Remote Router3
source = <remoterouter3_WAN_IP_Address>
host = <IP_of_interest>
interface = ether1-WAN
ttl = 20
dscp_id = 5
do_not_fragment = true
ssh_port = 29437
# multiplex_ssh = true # Default behaviour
multiplex_control_file_path = /tmp/smokeping_ssh_sockets # Override default ~/.libnet-openssh-perl
multiplex_control_persist_time = 20 # Override to use 20 minutes
- None reported
- Add support
- SSH Key Authentication
GNU GENERAL PUBLIC LICENSE v3.0