MikroTik

Jotne

PS. There are different License Level, so not all product can do what other can do.

Jotne

This is the beauty of RouterOS. You can use nearly all product in the way you like to use it.

Is hAP AC a wireless router or an access point?

Yes

Jotne

Most home ruter does only have 16MB, so to use multiple partition you need a larger router with at least 32MB
https://wiki.mikrotik.com/wiki/Manual:Partitions

Jotne

I guess that could not be done to all routers?

Jotne

I took the JUMP and hit the concrete on the bottom with my head!! WTF Mikrotik!! Erase the routing tables (/routing/table), leaving me with setting about 50 different routing-marks all who are all over the place!!!!! I started the recovery but ran out off breath doing them all and will think hard o...

Jotne

Then it should show up as testing:
development: error: file not found.
long term: error: file not found.

Now you are tricked to belive that 7.1 is a stable long term version. Yes I do now that it is not, but other may think so.

Jotne

Both 7.2 rc3 and r4 does shows wrong in long term release
long term: 7.1
stable 7.1.3
testing 7.2 rc4
development: error: file not found.
Strange that 7.1.3 is stable and 7.1 is long term :)
.

long term.jpg

Jotne

No public IP, so you have a router in front of you. It only shows your LAN part. So you can not get NAT or uPnP to work in this router. You need to configure router in front of your Mikrotik Router. If this is an ISP, you can not configure it, but you can ask if they can bridge it, so you get a publ...

Jotne

/8 i havent touched, everything is default except for enabling poe and mucking about trying to get port forwarding and then upnp working. I have never seen /8 as a default configuration. And as 404Network writes, you should start over. PS and do not QUOTE the full post above you. If you have not se...

Jotne

/ip address add address=192.168.88.1/8 interface=ether2 network=192.0.0.0 Innside IP should be set on bridge and not on interface part of a bridge. And do you really need a /8 with 16,777,216 IP address.????? For normal home nett /24 with 256 IP should be more than enough. I do not see any DHCP ser...

Jotne

You can use Netwatch. Give an IP on the other side. If ip goes away, send email.

Jotne

New version with Netwatch logging is not the way. See this post in this thread on how it works:
viewtopic.php?p=888800#p888800

Jotne

Thanks for the update and explanation rextended

Now it work both on 7.x and 6.x

Jotne

@Jonte, which one, and what problem you having? I can offer what see in @rextended's examples below, but can't vouch that's all the V7 issues.

My latest postet script do work on both 6 and 7, but version rextended posted does not work on v7.

Jotne

Not a direct reply to your question, but IP Accounting is going a way (not included in v7). I have used it in my Splunk MikroTik monotoring. Se link in my signature. So to still get accounting data from each client in v7, I moved over to use Kid Control that gives much of the same information (set u...

Jotne

@wongdi Telnet/SSH/Winbox should never ever be open to the router from outside IP. Seeing your logs that someone tries to connect from public IP tells us that its open. VPN is nearly to one good way to work on remote routers. Make a new post (not this thread). Post your complete config and ask for a...

Jotne

My version do work at both 6 and 7. What do I need to make rextendeds script to work on 7.x?

Jotne

Does not work. Tested in 7.1.2

Pasting this to terminal, does not give anything.

:parse "/export show-sensitive file=test.rsc"

But this works:

[:parse "/export show-sensitive file=test.rsc"]

Jotne

Perfect. Did learn some new today, so thank you for the help :) Was just what I needed and have tested the script on various version and works fine. # # Created Jotne 2022 v1.3 # # 1.1 Added "show-sensitive" # 1.3 Fixed v6/v7 compability # # Takes two different backup and send then to emai...

Jotne

Backup script to send config to Gmail account. # # Created Jotne 2024 v1.7 # # 1.7 Fixed new CHR naming (Credit bp0 & baragoon) # 1.6 Fixed script for x86 devicews (Credit rextended) # 1.5 Fixed for router missing serial # 1.4 Added Router OS version # 1.3r Revised by rextended # 1.3 / 1.2 try t...

Jotne

Why do you need to reboot every day?

Jotne

Oh, thank you so much!, its possibe to disable or remove? thanks

Why?

Jotne

How do you see that a user has 3 times login failure? From the log?
If its from the log, you can modify this script to search for log inn errors:
viewtopic.php?p=743875#p743875

Jotne

From this in OPs post "/system/logging/remove", I do assume he is talking about deleting configuration of logging, not logging entries (that can not be deleted).

Jotne

You can do :for i from=0 to=50 do={ :put $i } But take care!! What you see from /system logging print Flags: X - disabled, I - invalid, * - default # TOPICS ACTION PREFIX 0 X* info memory 1 * error memory 2 * warning memory 3 * critical echo 4 dhcp logserver MikroTik 5 !debug logserver MikroTik !pac...

Jotne

What is your goal? Remove all logging config?

Jotne

Are anything added to the access list "hotspot_blacklist"

Jotne

Try to upgrade to latest 6.x, before you look from Upgrade.

Jotne

1. Do not quote post above you. There is a big Post Reply button under the post to use to reply. 2. Do use code tags when posting code. </> button above the post. I have cleaned up the script and added code tags to be able to read it. #Hotspot IP to MAC binding# :foreach a in=[/ip firewall address-l...

Jotne

Blocking all and open certain sites may be a way to go. Many sites do not work with just one IP open, everything is interconnected.
But then the kids just use their cellular network, friends cellular network, neighbor wifi etc.

Jotne

block thing like facebook.com Can not be done. Same as with torrent etc. As long as you do not have 100% control of the clients (typical a corporate network), you are out of luck. You can try block DNS: Client uses another DNS You try to redirect DNS: Clients uses DoH You try to block IP: Facebook ...

Jotne

If you can see it in the logs, you can make a script for it.
This is nearly the same as block VPN user not authenticate correctly.
See here:
viewtopic.php?t=148397

Jotne

This was an old thread to comment.
To get a random password:
viewtopic.php?t=164114

Jotne

I'd call it a WinBox feature, not a bug.

Table are far from equal.
Bridge/Host has on my test router 40 entry and only mac

IP/Arp has 7 item and do include IP and MAC

I do like that Cli and WinBox show the same at same place in the same menu structure (MT are far off for the latter).

Jotne

What is the output of:

:put [/ip firewall connection find where connection-type=sip]

and

:put [/ip firewall connection find where connection-mark=SIP]

If its more than one, you may need to loop trough it.

Jotne

In 7.2.1 (7.x) you can get Bridge Port for the IP arp list. But this seems to work only in WinBox. Is this a bug, or is it a hidden command to see it in the terminal as well? If its a bug, please fix. If I miss some, please enlighten me :)
.

BridgePort.jpg

Jotne

Or some forgot that it was done :) Just another strange notice. I do always open this page with scripts and announcement: https://forum.mikrotik.com/viewforum.php?f=9 to look for new releases and scripts problem. But this time this page does not show the new 6.49.3 post???? But if you look at this p...

Jotne

If this compile time is true, this is the far longest time between compile date and post date. Longest I did found other than this is the 19 day for 6.42.11.
viewtopic.php?t=143805

:)

Jotne

try again, it should work correctly now

Was 6.49.3 really compiled Des 22 2021?
.

6.49.3.jpg

Jotne

Ping from where to where? If its over internet you do not have much control.
What do you get when you ping from a device connected to the router, to the router? Did that go up?

Jotne

You did not post output of my command above. With that I can see if logs looks like what I expect. I did forget to ask on what platform you do run Splunk. Some of my first information in my first post: Installation 1) On your PC Works on Windows and Linux, but use Linux (clearly the best choice and ...

Jotne

I do see some strange on a 750Gr3 running 6.49.2 When I select upgrade, it shows 7.1.2 That is ok. But when I select testing, it shows 7.1.1??? Why would some one install 7.1.1 when 7.1.2 on the same train is released? 7.2.rc2 is not shown in any of the channels. Development gives ERROR: file not fo...

Jotne

I did just take a look at release history of Winbox 3.x since first release in 2015. It's a very clear trend that Winbox upgrade are released in bulk at same short time periods. Then it can goes up to nearly 1 year without new version. Maybe some more testing before release should be a good thing. :)

Jotne

Can't find this update on my RB5009. Have checked for updates in /system packages
Quick Set > Check for updates shows installed version 7.0.5 and latest version 6.49.2

Upgrade to 6.49.2 and you should see 7.1.2

Jotne

A quick google search:
viewtopic.php?t=116253

PS I have not tested it.

Jotne

Try change from :put ("name=\"" . $qName . "\" target=" . $qTarget . " bytes=" . $qBytes . " enabled=" . $qStatus) to: :local logmessage ("name=\"" . $qName . "\" target=" . $qTarget . " bytes=" . $qBytes . &qu...

Jotne

what is 6to4 tunnel? Where did you see this? I do not see any mention on 6to4 in this post. Found on google 6to4 tunnels enable isolated IPv6 sites to communicate across an automatic tunnel over an IPv4 network that does not support IPv6. To use 6to4 tunnels, you must first configure a boundary rou...

Jotne

Upgraded all my devices...no problem upgrading.

If this is a huge production network, you have big balls, 42 min after release :)
I always wait some weeks (reading forums) to see if some goes wrong.
Also test one test router that are like my production routers to make sure all my functions works.

Jotne

This is fixed in 7.2rc2.

Still very long export time on devices with little CPU in 7.2rc2 (compare to 6.x)
viewtopic.php?p=908897#p908897

Jotne

Interesting. Learned some new to day. So with this type of routers, you have to take even more care and maybe ask some professional to set it up.

Jotne

No, someone told me that removing : in front will make some stuff not working

Jotne

Thanks for giving me credits and for using code tags and tabs.
But you can remove all ; at end of all lines. Only needed when there are multiple commands on same line.

Jotne

You try to set a filter where source address is nothing. That will not work and gives error.

This works:

{
/ip firewall filter
:local A 8.8.8.8
:local B This
:local C is
:local D a
:local E test
add action=accept chain=forward comment="$B-$C-$D-$E" src-address="$A"
}

Jotne

Can you post some line output of

index=* | fillnull value="-" | table _time index sourcetype _raw

That do contains some data from router?

Do you run as this:
Splunk as root and port 514 open to Splunk
or
Splunk as non root, Splunk getting data from rsyslog that listen in 514

Jotne

When you get a Mikrotik Router, it has a default configuration that is an OK starting point. I this case some has either removed default config and add own config, or reset the router with opt out default configuration to start to make the config from scratch. It does not go away by it self. So if y...

Jotne

This is how Cisco works. Any config you are setting will not be stored in a reboot, if you do not "write mem" or "copy running-config startup-config"

Jotne

Have you looked at the netwatch function?

https://www.youtube.com/watch?v=UgKfkhyynKk

Jotne

Did you see the debug section 2h-2? 2h) Debugging 1. See if any data are coming inn to splunk at all. index=* 2. Test if data has correct tag "MikroTik" (Capital M & T) index=* | table _time sourcetype _raw Follow this section 100% 2b) Then select what modules to log. Splunk can listen...

Jotne

I was just replying to your question.

Is the rb750gr3 compatible with Router OS v7? I haven't found a way to upgrade to this new version yet.

Yes, it compatible, and showed how to upgrade.

Now your reply.

RouterOS 7 is not an option

Why did you then ask this in first place?

Jotne

You do not need 3 cables between Mikrotik and TP-Link. You can send all VLAN in trunk mode over one cable and get same result. (if TP-Link supports VLAN)

Jotne

As far as I know, no.

Jotne

Do your linux server run any form for SMTP (mail server)? On the linux server, run: ss -topan | grep ":25" Si if you have some LISTEN 0 128 0.0.0.0:25 0.0.0.0:* That mean you have an SMTP server running. If you have many of this: ESTAB 0 0 serverIP:22343 publicIP:25 users:(("xxxxx,pid...

Jotne

The topic of this thread is "ping", it is logical that we are only talking about that command...

I do know, but not all read all detail

Jotne

Just a small correction.

as-value do exist on 6.x, but not in ping.

This is from 6.48.4

:put [/interface vlan print as-value ]
.id=*c;arp=enabled;interface=Bridge1;mtu=1500;name=VLAN20;vlan-id=20

Jotne

Its better to test to see if vlan is already created, and if not, create it. I was told (by rextended) its better to fix the problem and do not use on-error { /interface vlan :if ([:len [find where interface=bridge1 vlan-id=2]]=0) do={ add interface=bridge1 name=vlan2 vlan-id=2 } } Script tries to f...

Jotne

Wow Anav are reading log lines :) I do see that the config is complex and it may be better to start all over and make it as simple as possible. Make a drawing that shows all your rules. From/To/Nat/Blocked etc. Here are firewall rules on one of my Router. (This is one with a rather complex setup) FW...

Jotne

We're talking about inbound DNS requests from the Internet.

53 should not be open to internt by default.
@pyeager Please post full config and what you are trying to do and why.

Jotne

I can not see any obvious reason for the script has stopped. But please use code tags when post data </> button above the post. I have reformatted the post and removed unneeded ; at the end of lines to make it easier to read. ###/log print file=ppplog.0.txt :global voldvlist :global l2tplist "L...

Jotne

Why?

OP has not replayed to that.
If some blocks 53, its to block DNS. Then use DoH (or DoT ) and bypass this block.
So why block it?

Jotne

I can not say anything about the other. Have only used EVE-NG to make labs. Its easy to configure, upload new images. For me it does what I like to test. Have only free version, but would like the full version (no limit in transfere speed and no limits in number of nodes). You can connect devices to...

Jotne

Link removed

Jotne

My home lab is free :) EVE-NG is the best you can get to learn and to experiments on MikroTik Routers. (Wifi may be the only thing missing) It shows up as real routers in your network. You can even use VPN from this virtual routers to the outside world. You do loose some function on the free version...

Jotne

I have not used time to study the eval code, so there I can not help you.

Jotne

You are welcome. If you need it as a function to do the you for multiple use. Here is a simplified "to human" version. Without the not needed ; every where ;) :global human do={ # Converts a number to SI-Prefix number :local INP [:tonum $1] :local Co 0 :while ($INP > 1024) do={ :set $INP (...

Jotne

This is one good one :) PS I learned most of my stuff from copy/past and study... { :local Bytes ([/interface get pppoe-out1]->"rx-byte") :local Type [:toarray "B,KB,MB,GB,TB,PB,EB"] :local Counter 0 :while ($Bytes > 1024) do={ :set $Bytes ($Bytes/1024) :set $Counter ($Counter+1)...

Jotne

This should convert the data to your need: { :local Type :local Bytes ([/interface get pppoe-out1]->"rx-byte") :if (($Bytes/1073741824)>0) do={ :set $Bytes ($Bytes/1073741824) :set $Type "GB" } else={ :if (($Bytes/1048576)>0) do={ :set $Bytes ($Bytes/1048576) :set $Type "MB&...

Jotne

Found this on a site. Posted 1 April 2014 :) I guess at that time, many were tired of waiting for v7 in 2014!! Interesting to see the suggestion of what was added, compare to what we have today. What's new in 7.0: *) dude - 5.0 package released for PPC and CCR platforms *) ppp - LNS/LAC support adde...

Jotne

Ok Some more time spend on unneeded stuff.... Found correct compile date and post date for nearly all version, except the first 7.0 betas. For some reason posting of the 7.x betas and rc has been different from all other releases and was hard to find correct info. My table now has both compile time ...

Jotne

If I do find some more time

I will look at the post date.
Some version are announced before they are compiled like 7.1.1 here:
viewtopic.php?t=181472

Jotne

Updated post #1 with renaming 6.46 normal release to 6.46re to get it better sorted and med graph some thicker. Found various 7.x beta (some did have date some not. For those without date, I used first post found as date) I get the impression that new stable releases are often released on Friday aft...

Jotne

Do agree, but then I need to rename the version. Splunk do default sort by name, so 6.46 berfore 6.46beta before 6.46rc. Timestamp is from forum announcement post What's new in 7.1.1 (2021-Dec-21 13:53) Timezone should not matter since its what written in the post and not time of post in the forum. ...

Jotne

Just for fun I have made a map of the RouterOS release history the last years. Every bar i one version.
Beta version are mostly released in the morning, RC and normal version some later in the day.
.

RouterOS.jpg

.

RouterOS2.jpg

Jotne

This is how to print number of routes:

:put [:len [/ip route find where dst-address="0.0.0.0/0"]]

to get it inn to a variable

:local Routes  [:len [/ip route find where dst-address="0.0.0.0/0"]]

Jotne

When you have done all that, they can just setup a VPN or Proxy.

Why not just turn off secure filter on google or bing search. Then just search for any pron you like and select pictures.
There are no way to prevent this (can be controlled some on a company pc with forced policy)

Jotne

You can send each data line to syslog server instead of a file. Then you can use an external server to examine logs. Should be easy to implement to my Splunk/Mikrotik prosjekt. See signature. Here is an example to test on your terminal: { /queue simple :local queueList [find] :foreach q in=$queueLis...

Jotne

You can even remove the not needed semi column.

:execute {/system reboot}

Works on latest 7.2rc3 as well

Jotne

Please edit your post and use code tag button </> to make formatting of post better. Some like this:

{
	:local PutString do={
		:put function
	}

	:for i from=1 to=3 do={
		:put $i
		$PutString
	}
}

Jotne

Can confirm that it does not work on 7.2rc3, but do work on 7.1. Send an email to support@mikrotik.com so they make a support case out of it.

Jotne

I am attempting to setup redundancy.

Then two interface bound together should be enough.

Jotne

The OP never claimed that it is done to solve a problem.

That is why I ask why he need to reboot, to adopt the answer to what the need is. Not guess it just for fun.

Jotne

If I do decide to do an upgrade, yes I can schedule a reboot, but only after I have chosen to do so. No automatic upgrade of anything.
But if OP replay that its due to a problem, he should clearly find the root cause and fix that first.

Jotne

Do you need to bound all interface? What do you try to achieve?

Jotne

Is it possible to force reboot on RouterOS?

This thread is missing a question.
Why?

If its due to a problem, its better to fix the problem, so reboot are not needed.
I never reboot my routers (only when upgrade).

Jotne

Have you tested latest beta? If so add these information as well to support@mikrotik.com

Jotne

SSID can easily be change by a scrip scheduled at fixed time.
Not sure how to do it by GPS location,.

Jotne

/export on older ruters like SXT 5HPnD (400Mhz) still does not work. Start slow and just hangs, or take very long time. Cpu show 100% the whole time Sometimes it may show the config after 15 min other times it shows this: Console has crashed; please log in again. Device works and have some basic co...

Jotne

Still no ZeroTier for mips...

Jotne

Not sure what you mean.
What I posted was a manual change.

Do you like a script that automatically change port? Try Netwatch

Jotne

Fixed in above post.

Jotne

This is clearly a bug on 7.1.1 and 7.2.rc1. Please report this to support@mikrotik.com I did try to find it and its not in termial. :put [/ip dhcp-server/lease get *1 ] active-address address-lists block-access dhcp-option-set insert-queue-before queue-type src-mac-address active-client-id agent-cir...

Jotne

Here you go: Disable sfp-sfpplus1, enable ether10 { /interface/ethernet/disable [find where name=sfp-sfpplus1] /interface/ethernet/enable [find where name=ether10] } Disable ether10, enable sfp-sfpplus1 { /interface/ethernet/disable [find where name=ether10] /interface/ethernet/enable [find where na...

Jotne

To get pvid for an IF ether3 { :local IF [/interface bridge port find where interface=ether3] :put [/interface bridge port get $IF pvid] } Or in one line: :put [/interface bridge port get [find where interface=ether2] pvid] To set pvid 20 for interface ether3 /interface bridge port set [find where i...

Jotne

Post it in Code tags and tabs, makes it easier to read. PS I have not tested it. fixed: elese-else removed extra: } removed: do removed not needed ; at end of lines # VARIABLES :local asr1 "212.2.33.84" :local pingCount 20 :local stableConnectionFrom 95 :local quality ([/ping count=$pingCo...

Jotne

To see memory problem, write down memmory usage every 30 min or 1 hour (depends how often it reboots.) If memory usage goes up and not goes down again, you may have a problem. You can use an external program like SNMP tools or use Splunk from my signature to monitor the router. I had a memory proble...

Jotne

Do it reboot with default config?
My guess is that here are some config/function that do eat memory or other resources. Router the reboots.

Do you need to use 7.x?

Jotne

Some times MT do change stuff, so it does not work. Since I do not have capsman, I need some help to debug it.
Can you post a list of log line here?

Example output of:

index=* "caps,info"

Jotne

Here is how you can convert the IP. Since there are no easy way to find last dot, I need to find all and count. It may be a faster way { :local ip "64.128.34.17" :local A1 [:find $ip "."] :local A2 [:find $ip ($A1+1)] :local A3 [:find $ip "." ($A2+1)] :local new ([:pick...

Jotne

Yup.
This will not give you much, since most sites today uses 443

Jotne

Some like this could do:

{
:local UP "45w1h3m49s"
:local days ([:tonum [:pick $UP 0  [:find $UP "w"]]]*7)
:local UPdays ($days.[:pick $UP [:find $UP "w"] 999])
:put "Weeks $UP -  Days $UPdays"
}
Weeks 45w1h3m49s -  Days 315w1h3m49s

Jotne

Updated to 1.5 so its easy to see what is the latest :) +4 and +5 is correct. If you look at how the pick works, you will see it gives the position on the first found letter. from 8.8.8.8 x1234567890 for 8.8.8.8 x1234567890 So for the "from" , you need to add 5 to get the first part of 8.8...

Jotne

This will add one by one IP to the address list "Blocking" { :local c3 "PC4SHOPS" :local IP :foreach i in=[/ip dhcp-server lease find where host-name="$c3"] do={ :set $IP ([/ip dhcp-server lease get $i address]) /ip firewall address-list add list="Blocking" ad...

Jotne

You are 100% correct. Here is a fixed version. Thanks :) # Created Jotne && rextended 2022 v1.5 # # This script add ip of user who with "IPSEC negotiation failed", "SPI* not registered" and "Invalid exchange" to a block list for 7 days # Schedule the script to r...

Jotne

Its how local variable work. Global variable are "permanent" and works everywhere Local variable works fine in script, but if you cut an past it to a terminal session, you need to put it in brakets like this: { :local c3 "PC4SHOPS" :local IP :foreach i in=[/ip dhcp-server lease f...

Jotne

Instead if put, use set to put it inn to a variable.

:global c3 "PC4SEARCH"
:local IP
:foreach i in=[/ip dhcp-server lease find where comment="$c3"] do={:set $IPAddress ([/ip dhcp-server lease get $i address])}

Jotne

Should work.
Only comment is that you should not run splunk as root user, and use rsyslog to listen on port 514.

Jotne

Mine never needs to be restarted. Have one version where Splunk listen on port 514 (not recommended as it needs to be root) Other version have rsyslog server as input and Splunk reads rsyslog logs. Both running fine.' Do you pass any firewall on the way from MikroTik to the Splunk server? What do yo...

Jotne

Not a quick fix, but if you do run RouterOS x86 you can change to RouterOS CHR (run on VmWare).

Jotne

You can put pfsense behind Mikrotik and let the Mikrotik be the main router.
I do use HAproxy as a reverse proxy for many websites placed behind the Mikrotik

If you nat in both pfsense and Mikrotik, I do suggest that you remove nat in the second device and use Mikrotik without nat.

Jotne

Why do you need the pfsense box? Mikrotik can do it all.

Jotne

Can VXLAN be used:
https://help.mikrotik.com/docs/display/ROS/VXLAN
https://www.youtube.com/watch?v=_e1Fdvcd-P4

Jotne

I did always use Shift-Ins and Ctrl-Ins until I did get a HP computer without a dedicated ins key.
So now I do use Ctrl-c Ctrl-v
And after starting using Teams I have learned
Shift-Ctrl-V that is paste without format.

Jotne

So you like to have all ppp user profile stored to an SQL base?
Why?

Jotne

Remove the underscore in the variable name.
Use

:local wginterface wireguard_s2s_ag

And
1. You can remove ; at end of all line. Only needed while there are multiple command on same line.
2. :delay 4000ms is the same as :delay 4s

Jotne

Capital should work fine as in "Uptime"

Jotne

Remove one or all of these lines: # print some debug info :log info ("UpdateDynDNS: username = $username") :log info ("UpdateDynDNS: password = $password") :log info ("UpdateDynDNS: hostname = $hostname") :log info ("UpdateDynDNS: previousIP = $previousIP")

Jotne

Its to make dot a dot and not just any character. (see regex info)
I RouterOS you need to double escape.

Jotne

Error found. Here is some data from the log: 64.62.197.52 phase1 negotiation failed. 64.62.197.217 phase1 negotiation failed. 65.49.20.109 phase1 negotiation failed. phase1 negotiation failed due to time up 92.200.200.100[500]<=>27.115.124.10[48536] 0011223344556677:5c5c77ed781bf459 phase1 negotiati...

Jotne

There is an 1.3 in this thread as well. Test it out. (Do not remember what was changed from 1.2 to 1.3)

Jotne

If you upgrade to latest 6.x (6.49.2 at the moment), you will see 7.1.1 under testing and upgrade train.
.

7.1.1.jpg

Jotne

Old system that I use for som backup purpose. Should have been upgraded

Jotne

@jotne, waste of time, my drop all rule works just fine for scans.. If you have an open port then at least put a source address list on it, and the port wont appear on scans. If you have port forwarding also ensure its an encrypted type of connection for login, not just plain user name. If you thin...

Jotne

DNS logs comes from the Router log, so to stop it change from:

/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp

to

/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp,!dns

Jotne

Here is one tip that I like to add to my router: https://forum.mikrotik.com/viewtopic.php?f=23&t=178496 If someone tries any port on my router that is not open (typical a scan script), then this IP will be blocked for 24 hour on all ports. This way the can not continue to hack on open ports like...

Jotne

Here is another from EVE NG (paid version), taken from the Network Bergs lab.
All is working as an ISP with BGP ++
.

EVE_NG2.jpg

Link to source:
https://www.youtube.com/watch?v=_e1Fdvcd-P4

Jotne

Visio can be used like this:
.

FW.jpg

Also the EVE NG is a cool tool. It not just draw your config, but it s actual Mikrotik Router / Cisco or other that do works and can be configured.
Free version have some limitation. (Speed/number of nodes)
.

EVE NG.jpg

Jotne

Some FW tips from me.

Use config that has been posted in this thread.
Have a block rule as last rule.
Make a diagram of all the rules, and understand what they do.

Here is an example from one of my Routers.
.

FW.jpg

Jotne

@reinerotto

To solve this discussion. Give me a VPN to a site that you control and is porn secure, and I can send you some print screen show what I can get when using your VPN. (As long as you have standard usable open net. Not all IP blocked.)

Jotne

I do not spread wrong information.

Question: How do I block pornographic images in my RB?
Answer: Only in some degree. (Far from 99.9%)

You are dragging with other solutions, no me.

Jotne

If you are not using RouterOS, what are your doing here?

Jotne

What are you trying to prove? Yes, you can block some with DNS, yes you can block some with IP, Yes you can block some more with Safe Search and you can even block more with control of the clients. But not 99.9% To get around Forced Safe search: * Login to your Google account and disable "Safe ...

Jotne

As repeatedly posted many times. Block porn with DNS helps just some. As more and more OS (IOS 14) starts to use DoH/DoT, it bypass it without any problem. Also I have seen that devices like Chormecast that is hard coded to DNS 8.8.8.8 stops working if its redirected. You are wrong, in regards regar...

Jotne

There will be some routers that can not be upgraded, so there may be more 6.x version'.

Jotne

Bad example: Various methods to force "Safe Search" for bing, google, etc. For details, google "How to force safe search google". And you are off topic again. How do I block pornographic images in my RB? To do what you suggest, you have to do some with the clients. This was not ...

Jotne

Correct is: "Porn is not 100% blockable, but 99.9%". Assuming proper knowledge and tools, of course. I would say closer to 80%, not 99.9% Example when search for "sex" in google.com using any browser, how would you block that. If you do not control the PC, typical a company PC, ...

Jotne

Try a search using google:
https://wiki.mikrotik.com/wiki/Use_SSH_ ... key_login)

Jotne

I do recommend SFTP instead.

Jotne

We are far out of what was asked for.

Block pornographic on the Router OS.
Can be done in some degree (by setting DNS to sites that filter it). But can be bypassed with simple steps.
And for the rest. Is it possible to block some permanent. No, without doing some with all clients.

Jotne

I think he was talking about not put a password on the remote router, and then use the script without password.
Not recommended.

Jotne

After you get config inn to an variable, who would you then use it from there, to what?

Jotne

Intercept of https and de-crypt/ inspect/ en-crypt requires cert installs on clients, as decribed. This is what I was looking for. Since you need to do some with the clients, this is more or less the same as how Palo Alto or Forcepoint works. Only a solution for company that has 100% controls of th...

Jotne

Password is a must and on newer RouterOS you are forced to set password. No password, no security.

Jotne

And no change on the clients, no control, no modification, no policies added/changed? RB + Untangle gives 100% control (or close to)? Can you give a quick description on how it does it? Does it open and examine all https package (how)? If I search for porn in google, how does it block it? Untangle s...

Jotne

So then back to OPs request.

How do I block pornographic images in my RB?

Can't be done.

Jotne

Without 100% control of all clients in a network, you can not control what they can do or can not do. Example. Here in Dubai (vacation), they have blocked video/audio on Whats app/MSN ++, but had no problem finding a way to get around it. In Turkey they blocked various sites, like Wikipedia. DoH fix...

Jotne

If you look at my script here, you see how to search last 5 min to get some from the log. Run a script every 5 min.
viewtopic.php?p=743875#p743875

The Splunk page (signature link), there are a view to see status in graphics all PPPoE logged inn/out + much more. 100% free.

Jotne

Why not syslog? Its created for that purpose: sending logs to other systems.
See my Splunk prosjekt in my signature for how to sending syslog and monitor your solution.

Jotne

:local ipS [:pick $logMessageS ([:find $logMessageS ">"]+1) ([:find $logMessageS "["]-1)] ==> it does not work You are close. Problem is the second find , it does find the first [ (before 500), not the second [ (before 30992) that you need. This works: { :local test "phase1...

Jotne

And I English that will become? Any solution that involves DNS will not work if client do use DoH/DoT (IOS 14 as an example) There are no any simple solutions to 100% block any thing on your network without removing the cable, or if you are a lager company that you have 100% control of all devices o...

Jotne

It's silly because the OP came here asking to get his current setup to work better, not asking for recommendations on upgrades. The "upgrading to a better system then it will work better" answer is kind of obvious. That's like going around and telling people the sky is blue. This is not s...

Jotne

No need to quote my post for asking that. You are not replying to my post.
An I already asked for the same (other routers)

And one link to same paid product in link is enough.
Stop spamming with new post everywhere. Have some forum etikette.

9 post today to promote your monitor solution.

Jotne

There are many solution.

With Splunk you have 100% control of everything. You server, your setup. And free (up to 500MB/day)
Store as much data as long as you like.

Jotne

@kubotor

This is all your fault that you run inn to problems.

As an ISP you should know that you should test every upgrade on devices not in production. If all does work and there are no showstoppers, then upgrade the routers, if its needed.

Jotne

RouterOS v7 understand v6 script so this works for both: :global c3 "PC4SEARCH" :foreach i in=[/ip dhcp-server lease find where comment="$c3"] do={:put ([/ip dhcp-server lease get $i address])} And recommend to change from ~$c3 that means contain (example it will hits on "PC...

Jotne

Dont use print in script:

try this:

:local LaRed [/ip address get [find  where interface="bridge"] network ]

If this does not get any result, post output of:

/ip address print

Jotne

Its possible to do, but do not have pppoe setup. You can make a script that add counter to global variable (one for each users) or add number to comments of the user. Then test every 5 min and see if user logins passes a limit. I have made a Dashboard for Splunk that do show all user when they login...

Jotne

socks5 now ok in 7.2rc1 is, but 7.1.1 still problem

Why do you ask about this here? What is fixed is clear that its fixed for 7.2rc1. Not anything is mention about this in 7.1.1 thread.

Jotne

OPs question "How do I block pornographic images in my RB?" Simple answer: Can not be done. As Anav writes: Do educate your user. I would guess DoH/DoT will become standard and automatically for more and more products, so any attempts to block/control det old, non encrypted, obsoleted DNS,...

Jotne

Not sure what you like to have done?

Jotne

Can you explain how this is done? Can it be done one RouterOS? I am not sure how to block this without having 100% control of the clients. You can setup as many DoH server as you like on the internett. Since this is https packets, I do not see how you can block them without opening the https packets...

Jotne

This will help some.
Problem is that you can set your own DNS (that could be redirected using rules to your DNS)
Some clients are using DoH/DoT and will not use normal DNS server at all. (example iOS >=14)
https://paulmillr.com/posts/encrypted-dns/

Jotne

True, better to educate than to deny because deny doesn't work in our society especially if you have money. Best word as far in this thread. I guess they don't permit their children to have friends either? Because it they do, whole thing is in vain. ;) Also a good comment :) Friends share their mob...

Jotne

Untangle can also do man-in-the-middle SSL decryption and re-encryption, like Palo Alto and Fortinet devices. You have to trust the certificate of course in order for this to work properly without throwing scary errors to the user. So then you need to have control of the clients (PC/Phone ++++). No...

Jotne

An this will open google search (https/quic) packets and block search for "sex nude"?
How can I the trust https?

I can understand how this can block sites, but not some part of data from a site.
It will not help OP that like to do it with a MT Router.

Jotne

So untangle will help here? (I have not looked at it)

Jotne

This is where Zerotier can help

And when will we get Zerotier on other Routers, (MIPS)?

Jotne

Here is script rewritten to work with 7.x RouterOS Output You are logged into: Link123-Remote ############### system health ############### Uptime: 6d06:02:27 d:h:m:s | CPU: 100% RAM: 41504/65536M | Voltage: 12.2 v | Temp: 14c ############# user auth details ############# Hotspot online: 0 | PPP onl...

Jotne

The script gives a login page with info about Router health and a list of hotspot and ppp users. Its ok for a single router management. The way system resources are being presented are change in v7. This shows how I collect it from RouterOS in a script to get it inn to Splunk (that I do use to monit...

Jotne

Do you have the script, page is blank?

Jotne

The Untangle admin will never turn Web Filter off ,,,, the level of sophistication is significant: So this solution does not work if you do not have 100% control of all clients in the network. PaloAlto and Forcepoint (and other) also have solution that change the certificate and examines all the pa...

Jotne

Do you need two firewall? If not remove one.

Jotne

You can downgrade, but not sure if config would be ok. Going from 6.x to 7.x router my convert some config.
So a backup before upgrade. And do not upgrade on production equipment before you have test that an upgrade goes well on a test system.

Jotne

You can block porn by using a solution like Untangle running in conjunction with your RB Router ... Can this block porn when you do a google search for "sex nude" and search filter is turned off? How should Untangle see the different from a search fro "Nasa" or for "sex&quo...

Jotne

Here I have a router with around 10 000 addresses in the blocked address list. I have a rule that add any IP that tries any port on my router that is not open, to a bloc list for 24 hour. They have nothing to do on my router. 6.49.2
.

List.jpg

Jotne

This not crash an X86 (running on a VmWare Workstation), it takes it down completely and router will not come back up again.
So DO NOT RUN this on a production router.

Jotne

Tested "shutdown" on a SXT 5HPnD and it just made a reboot.
So for me "shutdown" could be removed.

Jotne

You see what i did reply to in the quote. All v7 are still in early stage. If you do not need it, and all are ok with 6.x, use 6.x
And if 7.x works fine, no problem use it. Its up to you to test to see if it fits your needs.

Jotne

RB951G still works fine with v6.x of software, so you do not need to upgrade.

Jotne

When you like to reboot or take down the router, are there any need for do a shutdown?
I can see message after reboot that the router was not properly shutdown.

This question apply to RouterBoard as well as CHR/X86 routes.

Jotne

So 7.1.1 and 7.2rc1 are versions to stay away from?

If you read the may comments in the 7.x threads, you see the following comments.

Do your router work fine with 6.x software and you do not need any of the new 7.x functions, stick with 6.x

Jotne

The new logo?
.

channels4_profile.jpg

Jotne

If look more carefully %) - on one screenshot above you can see profile open for 7.1.1

From latest picture, it seems that 7.1.1 uses one CPU compare to the 6.49 that uses 8?

Jotne

If you could use array for creating commands like here in this post, could would be much shorter.
viewtopic.php?p=900392#p900392

Jotne

Isn't this just the same, but just with more wrapped lines?

Jotne

Jingle Bells based on data posted by ALIEN360 and format by Eworm :local Beeps { { 659; 150 }; 300; { 659; 150 }; 300; { 659; 500 }; 600; { 659; 150 }; 300; { 659; 150 }; 300; { 659; 500 }; 600; { 659; 150 }; 300; { 783; 150 }; 300; { 523; 400 }; 500; { 587; 75 }; 100; { 659; 950 };1200; { 698; 150 ...

Jotne

In nat, you do not need to specify to-port while its equal to dst-port add action=dst-nat chain=dstnat dst-address=217.72.x.xxx dst-port=80 protocol=tcp to-addresses=192.168.29.174 to-ports=80 could be written: add action=dst-nat chain=dstnat dst-address=217.72.x.xxx dst-port=80 protocol=tcp to-addr...

Jotne

It was just to show that trying to block some are more complicated and nearly impossible today.

Jotne

Turn off safe search on your google search

Do a search for example for "sex nude"
Select picture.

To block this, you need to have 100% control of the PC.
You can block google.com, but then just use bing.com instead. Same problem.

Jotne

You dont have a picture of "Profile" while CPU running high try to see what module cause the problem?
I only see picture while all are ok.

Jotne

Mine works fine with:
https://dns.nextdns.io/dns-query
and Verify Certificate selected.

Jotne

Also usable for example to monitor ZeroTier participants on your "cloud" LAN.

Do ZeroTier work more or less like Wireguard with no logging on connecting/up/down etc?
If yes, this can be used for ZeroTier as well.

Search found 3689 matches