
PI-NET 2.0 Mikrotik rollout - technician guide

This guide covers preparing a new MikroTik gateway for PI-NET 2.0 for use at Prison Island franchisee sites.

Use the main branch of the Prison Island /pi-net-gateway repo.

Target device: MikroTik L009UiGS-2HaxD
Target RouterOS: long-term channel, RouterOS 7.21.4 or newer

1. Start and connect to the MikroTik

  1. Power on the MikroTik.

  2. Connect directly to the router.

  3. Log in with WinBox, preferably by MAC address during first setup.

  4. Confirm that the router is reachable and responsive.

Check basic info:

/system resource print 
/system package update print
/system device-mode print

2. Upload helper scripts to MikroTik root

Upload these files from the repo extras/ folder to the MikroTik file root:

149-device-mode-full-reset-prep.rsc 
150-routeros-upgrade-longterm.rsc
151-first-run-before-reset.rsc

153-admin-cleanup-before-shipping.rsc

Note:

152 is only needed for legacy/no-bond mode. It is not needed for a normal PI-NET 2.0 baseline rollout.

3. Run pre-reset helper scripts

Import the scripts in this order:

/import file-name=149-device-mode-full-reset-prep.rsc

If 149 requests device-mode confirmation, physically confirm it on the router and let it reboot.

After reconnecting, continue:

/import file-name=150-routeros-upgrade-longterm.rsc

If 150 upgrades RouterOS or RouterBOARD firmware, let the router reboot and reconnect again.

Then run:

/import file-name=151-first-run-before-reset.rsc

For a normal new PI-NET 2.0 install, baseline mode is expected.

Confirm marker:

/file print where name~"installmode"

Expected:

pi-net-markers/installmode.baseline

4. Generate the site-specific installer

On your computer, from the repo root, run:

python3 tools/merge.py --siteid <SITEID> --ipwg <WG_IP>

Example:

python3 tools/merge.py --siteid TMPID --ipwg 10.0.0.123

Expected output in releases/:

pi-net-main-install.rsc
run-after-reset-bootstrap.rsc
<SITEID>_<YYYYMMDD_HHMMSS>.rsc

Keep the timestamped file as archive/proof of what was generated.

5. Upload generated install files and secrets

Upload these files from releases/ to the MikroTik file root:

pi-net-main-install.rsc
run-after-reset-bootstrap.rsc
<SITEID>_<YYYYMMDD_HHMMSS>.rsc

Also upload the full secrets/ folder to the MikroTik file root.

The router should now have at least:

run-after-reset-bootstrap.rsc
pi-net-main-install.rsc
149-device-mode-full-reset-prep.rsc
150-routeros-upgrade-longterm.rsc
151-first-run-before-reset.rsc
152_legacy_access_no_bond_delta.rsc
153-admin-cleanup-before-shipping.rsc
secrets/

6. Reset and apply PI-NET 2.0 config

Run:

/system reset-configuration no-defaults=yes skip-backup=yes keep-users=yes run-after-reset=run-after-reset-bootstrap.rsc

Wait for the router to reset, reboot, and apply the generated PI-NET config.

Do not power off the router during this step.

7. Reconnect and verify install

Reconnect to the MikroTik.

Check PI-NET markers:

/file print where name~"pi-net-markers"

Expected markers include:

pi-net-markers/version.2.0
pi-net-markers/profile.full
pi-net-markers/role.gateway
pi-net-markers/installmode.baseline

Check log for install result:

/log print where message~"PI-NET|bootstrap|rollback|error"

Check that rollback has been disarmed:

/system scheduler print where name~"rollback"
/system script print where name~"rollback"

There should be no active rollback scheduler/script after a successful install.
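
The step 7 checks can also be run in one pass with a read-only script. This is an added example, not part of the pi-net-gateway repo; it assumes a baseline install, uses the marker names from the expected list above, and treats any scheduler or script with "rollback" in its name as a leftover.

```routeros
# Added example (not from the pi-net-gateway repo): read-only post-install check.
# Wrapped in { } so the :local variables stay in scope when pasted into a terminal.
{
    # Marker names as listed under "Expected markers include" in this guide.
    :local expected {"pi-net-markers/version.2.0";"pi-net-markers/profile.full";"pi-net-markers/role.gateway";"pi-net-markers/installmode.baseline"}
    :local problems 0

    # 1. Every expected marker file must exist.
    :foreach marker in=$expected do={
        :if ([:len [/file find where name=$marker]] = 0) do={
            :put ("MISSING marker: " . $marker)
            :set problems ($problems + 1)
        }
    }

    # 2. Assumption: baseline rollout, so any other installmode marker is flagged.
    :foreach f in=[/file find where name~"installmode"] do={
        :local n [/file get $f name]
        :if ($n != "pi-net-markers/installmode.baseline") do={
            :put ("UNEXPECTED install mode marker: " . $n)
            :set problems ($problems + 1)
        }
    }

    # 3. Rollback must be disarmed: no scheduler entry or script left behind.
    :local sched [:len [/system scheduler find where name~"rollback"]]
    :local scr [:len [/system script find where name~"rollback"]]
    :if ($sched > 0) do={
        :put ("Rollback scheduler entries still present: " . $sched)
        :set problems ($problems + 1)
    }
    :if ($scr > 0) do={
        :put ("Rollback scripts still present: " . $scr)
        :set problems ($problems + 1)
    }

    # 4. Single verdict line for the final report.
    :if ($problems = 0) do={
        :put "PI-NET install checks passed: markers present, rollback disarmed"
    } else={
        :put ("PI-NET install checks FAILED, problems found: " . $problems)
    }
}
```

The script changes nothing on the router, so it can be re-run after the reboot in step 10. The install log should still be reviewed by hand, since this check does not read it.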

8. Register and test WireGuard

Find the router WireGuard public key and confirm the configured WG IP:

/interface wireguard print detail
/ip address print where interface=wireguard1
/interface wireguard peers print detail

Add the MikroTik as a peer on the WG server.

Use:

Public key: from the MikroTik wireguard interface
Allowed address: <WG_IP>/32
Preshared key: from the matching site secret

Then test from the WG/server side:

ping <WG_IP>

Also test management access over WireGuard, for example WinBox or SSH to the router WG IP.

Do not continue to cleanup before WG access is confirmed.

9. Set identity and admin passwords

Set the correct system identity:

/system identity set name="<SITEID>-NETGW00"

Set the final admin passwords according to the current internal credential routine:

/user set [find name="admin"] password="<FINAL_PASSWORD>"
/user set [find name="pi-net-siteadmin"] password="<FINAL_PASSWORD>"

Confirm users:

/user print

10. Reboot and verify again

Reboot the MikroTik:

/system reboot

After reboot, verify:

/system identity print
/interface wireguard print
/ip address print
/ip route print
/log print where message~"error|warning|wireguard|PI-NET"

From HQ/WG side, confirm again:

ping <WG_IP>

Also confirm WinBox/SSH access over WireGuard.

11. Final cleanup before shipping / handover

Only run this after:

- WG access works
- identity is correct
- passwords are changed
- router has been rebooted
- access still works after reboot

Run:

/import file-name=153-admin-cleanup-before-shipping.rsc

This creates a final encrypted shipping backup and removes temporary install files, secrets, logs, and old backup material.

After running 153, manually download/archive the final shipping backup from the MikroTik file list.

12. Final report back

Report back with:

Site ID:
Router identity:
RouterOS version:
WG IP:
WG test result:
Final backup filename:
Install markers confirmed: yes/no
Rollback disarmed: yes/no
153 cleanup completed: yes/no
Notes/errors:

The MikroTik is done when it is reachable over WireGuard after reboot and the final cleanup has completed.
