Recently we had a support question related to asking about FCS ERROR alerts in the…
Tips4Tiks – MikroTik’s Router Management Overlay Network (RoMON)
3.
Tips4Tiks – MikroTik’s Router Management Overlay Network (RoMON)
Unlocking the Power of MikroTik’s RoMON feature: A Comprehensive Guide
One of the things that can really suck as a network administrator is when you fat finger an IP address, subnet mask, CIDR or IP route. Another PITA can be when you have an onsite technician that doesn’t know how to connect to Winbox or can’t get software access to your MikroTik, but it’s physically connected with power and network, but something in the configuration just isn’t right.
Whether it’s commissioning a new config, an update or change that didn’t go so well, or helping out with adding new routing protocols, RoMON can help in a BIG way because it has no dependence on a working IP network, like SSH or Winbox needs. That means that even if routing is completely broken, or if the Tik has a bad configuration, wrong subnets and/or IPs are mismatched, or if the local folks can’t connect, you can still get work done – if you’ve followed this guide!
What is RoMON?
RoMON stands for Router Management Overlay Network. It is a proprietary MikroTik protocol that creates a virtual network, enabling administrators to manage and monitor their MikroTik devices even if they are behind multiple layers of Network Address Translation (NAT). Essentially, RoMON allows devices to be accessible as if they were part of a flat network, simplifying the management of large and complex network topologies.
Key Benefits of RoMON
- Simplified Network Management: RoMON enables administrators to discover and manage MikroTik devices without needing direct IP access. This is particularly useful in networks where devices are spread across different subnets or are behind NAT.
- Increased Efficiency: With RoMON, network administrators can quickly access devices, perform configurations, and troubleshoot issues without the need for complex VPN setups or changes to network infrastructure.
- Versatility: RoMON works seamlessly with various MikroTik tools, such as WinBox, The Dude, and command-line interfaces, providing a versatile management solution.
How to Set Up RoMON
Setting up RoMON is straightforward. Here’s a step-by-step guide to get you started:
Step 1: Enable RoMON on Your Devices
- Open WinBox and connect to your MikroTik device.
- Navigate to Tools > RoMON.
- Check the Enabled box.
Step 2: (Optional) Configure RoMON ID
Each device in the RoMON network needs a unique RoMON ID. This can be the MAC address or a custom identifier. If you leave it blank, it’ll default to the lowest MAC on your Tik, which is what I usually leave it as because you’ll see the SYSTEM IDENTITY of each neighbor as you’ll see in screenshots later in this tutorial, and I name all my Tiks with a unique system name. If you prefer to set the RoMON ID with a custom value:
- Go to RoMON settings in WinBox.
- Enter a unique RoMON ID.
Step 3: (Optional and recommended) Add RoMON security
By default, RoMON runs unsecured and if you’re in complete physical control of your MikroTiks, you may feel comfortable leaving this enhanced and optional security mechanism out of the mix. Personally, I always add a RoMON secret (password) so that when my Tiks discover each other, I’m sure that they aren’t becoming neighbors accidentally with some bad guy who may have plugged a patch cable into one of my devices or joined my WiFi network, not to mention I don’t want to neighbor up with my customers.
- Go to RoMON settings in WinBox.
- Set a Secret for additional security. This secret key will be used to encrypt the RoMON traffic and prevent becoming neighbors with devices that don’t know the secret. Use the same secret on all MikroTiks connected to this network segment that you want to become neighbors with each other.
Step 4: (Optional) Tune which ‘Ports’ can speak RoMON and connect to neighbors
Unless you choose which interfaces, or physical (and logical) ports can participate in RoMON, all interfaces (including VPNs and VLANs) will be able to form neighbors with other RoMON protocol speakers and the benefit of this is wonderful, it just works! However, if your network connects to another user’s or company’s network who also uses MikroTik, it may NOT be desired to form neighbor relationships with them (or your customers!). In that case, you can specify which ports are enabled or take the reverse approach and mark some ports as forbidden.
- Go to RoMON settings in WinBox.
- Click the + to set a new interface you WANT to use RoMON to connect to neighbors (Cost and a Secret override are optional)
- Click the – to remove the “all” interface automatic default RoMON
- If you want to ensure you never form a neighbor on an untrusted interface, you can use the Forbid checkbox on that port
Step 5: Connect to RoMON
To manage devices using RoMON:
- Open WinBox
- Instead of clicking Connect, click Connect to RoMON on the desired device
- See the RoMON Neighbors and click on the row of the device you want to connect to
- Double click will attempt to open Winbox and use the same credentials you connected to RoMON with.
- Or, enter your credentials and click Connect.
- You’re in WinBox on a remote MikroTik using the nearby MikroTik as a proxy!
Practical Applications of RoMON
- Remote Network Management: Ideal for ISPs and enterprises managing multiple locations, RoMON simplifies remote access to network devices, reducing the need for on-site visits.
- Troubleshooting: RoMON provides network administrators with tools to diagnose and fix issues remotely, ensuring minimal downtime.
- Layer 3 independence: Because MikroTik’s RoMON operates at OSI model Layer 2, if routing or firewall is failing, you will still have access!
Combine with Admiral to turbo-charge RoMON!
Want to ensure you have the best chances for remote access? Enable RoMON and also add Admiral Platform on your MikroTik and you can use the Remote Access feature of RemoteWinBox to connect to RoMON on that unit and you’ll instantly be able to reach all the RoMON neighbors of the Admiral configured MikroTik! That’s some incredible and redundant remote access!
Get started with Admiral Platform for remote access to your MikroTik – plus a whole control and visibility platform for your network.
Conclusion
MikroTik’s RoMON feature is a powerful tool that significantly eases the burden of network management. By creating a secure and simplified overlay network, RoMON allows administrators to focus on maintaining and optimizing their networks rather than dealing with the complexities of remote access and management. Whether you are an ISP managing a large fleet of devices or an enterprise with a distributed network, RoMON can enhance your operational efficiency and network reliability.
To get the most out of RoMON, ensure you regularly update your RouterOS to the latest version and take advantage of the comprehensive documentation and support offered by MikroTik.
For more information on RoMON and other MikroTik features, visit the MikroTik Documentation.
Happy networking!