freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Feature requests

Sun Jan 15, 2017 7:21 pm

How about adding an icon "L" next to each firewall-mangle-nat rule to show that this rule is "logged", so you can easily see what is logged and what is not?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sun Jan 15, 2017 8:33 pm

Small improvements:
1) First column is for rule numbers, logging indicator would better fit in second one, which is sort of status column already.
2) Add a button to easily toggle logging for rule. I often need logging rules that I only quickly turn on and off again, to catch just a few packets. Before this very nice feature that any rule can be also logging rule was added, I used to make a duplicate rule for the one I was interested in, turned it into logging rule and put it before original one. The huge advantage was that it could be enabled/disabled by just one click. With these new non-dedicated logging rules, it requires 3-4 clicks. It may not seem as too much, but it is a little annoying.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Jan 16, 2017 2:25 am

I'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).

If all physical interfaces are DHCP it might simplify things to be able to assign static addresses to an internal interface to make routing and firewall rules simpler.
just create a bridge (call it Loopback1 :)) and assign address to it
How about adding an icon "L" next to each firewall-mangle-nat rule to show that this rule is "logged", so you can easily see what is logged and what is not?
Right Click -> Show Columns -> Log. Voila!
Add a button to easily toggle logging for rule. I often need logging rules that I only quickly turn on and off again, to catch just a few packets.
as a workaround you may enable logging in the rule and then just press 'Undo' to disable it after a few seconds
 
mada3k
Long time Member
Posts: 697
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Feature requests

Mon Jan 16, 2017 11:12 am

I'm quite satisfied for the most part, but there are some things I miss from higher-end platforms.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Mon Jan 16, 2017 9:02 pm

Right Click -> Show Columns -> Log. Voila!
You're right, it's there. But not visible by default and too far at the right and "lost" between other columns when enabled. Since logging is useful option available for all rules, IMHO it would deserve more prominent place. But ok, it is usable this way.

And about the toggle button, I might want to quickly not only turn logging off, but also to turn it on, so I think it would be very convenient to be able to do it using only one click. And there's plenty of space for one additional button in button bar.
 
tri
just joined
Posts: 14
Joined: Tue Sep 01, 2015 6:23 pm

Re: Feature requests

Wed Jan 18, 2017 8:10 pm

I'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).

If all physical interfaces are DHCP it might simplify things to be able to assign static addresses to an internal interface to make routing and firewall rules simpler.
just create a bridge (call it Loopback1 :)) and assign address to it
True dat. Thanks. Actually realized this almost immediately after posting. Still, for whatever reason, in Linux there is a dummy interface in addition to bridge. I wonder if there is some overhead involved.
 
tri
just joined
Posts: 14
Joined: Tue Sep 01, 2015 6:23 pm

Re: Feature requests

Wed Jan 18, 2017 8:15 pm

I often miss "copy rule" feature in web management firewall setup. What I'd like to be able to do, is to create a new rule from the existing one so that instead of starting from blank (as in "Add New") I would start with the data of an existing rule.

While this might be really useful especially for firewall rules, I think it could also be nice e.g. in PPP and some other segments too.

//Rinne
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Feature requests

Wed Jan 18, 2017 8:59 pm

If it hasn't been mentioned yet... In the wireless access-lists, you can provide the VLAN ID and VLAN Type for the client's traffic to be tagged. In the registration table however, this information is not displayed. So once a client connects, you have no idea to which VLAN the traffic is going (especially when VLANs are assigned via AAA).

Can we include the VLAN information in the registration tables please?
 
tri
just joined
Posts: 14
Joined: Tue Sep 01, 2015 6:23 pm

Re: Feature requests

Thu Jan 19, 2017 4:06 pm

It would be extremely useful in many cases to have a ppp interface dynamically created from the ppp secret (when more than one connection is allowed and/or there is no explicit server binding) to be automatically added to a named interface list when it's created and removed when it's deleted.

Basically there is no need to limit this to dynamically generated interfaces. It might as well apply to static interfaces if there is an explicit server binding. In any case it would be a property in PPP secret. Something like "Add interface to list: <menu-of-existing-interface-lists>".

I'm sure this would be hugely useful for many users.
 
Railander
Frequent Visitor
Posts: 85
Joined: Thu Jun 16, 2016 11:30 pm

Re: Feature requests

Thu Jan 19, 2017 4:16 pm

did a quick search and only found a very old thread.

Add OID for SFP-specific port information such as:

Rx Power
Wavelength
Link Length
Connector Type
Vendor Name
Vendor Part Number
Vendor Revision
Vendor Serial
Manufacturing Date.
 
AlexeyIlinsky
newbie
Posts: 25
Joined: Fri Jan 20, 2017 8:34 am

Re: Feature requests

Fri Jan 20, 2017 8:42 am

Hello it would be good to have optional Radius servers round robin rotation, not only from top to the bottom.

And in Tr069 we (in our configuration) feel like router identity would be useful information in inform update requests.

If that attribute were writable, then it would be easier to change the router identity in initial provisioning, instead of the workaround with an .alter script download containing /system set identity..
 
2dfx
newbie
Posts: 26
Joined: Tue Mar 05, 2013 6:30 pm

Re: Feature requests

Thu Jan 26, 2017 12:24 am

Please add the ability to specify more than one server for OpVPN and SSTP
And check box "remote random"

Thanks!
 
shortcircuitonline
just joined
Posts: 14
Joined: Thu Jan 19, 2012 11:54 pm
Location: ayia napa cyprus

Re: Feature requests for hardware

Thu Jan 26, 2017 1:54 pm

I'm looking into future hardware. If possible, I hope one day MikroTik can produce something like this:

CPE with 2 or more WLAN cards, and the same on the base station side too
advantages as under:
bonding to increase speed
maybe fail over to 2 different base stations or more
different frequency
different channels like 10/20/30/40
and more possibilities are there

shortcircuitonline
raj singh
 
Dmitriy34
just joined
Posts: 16
Joined: Wed Sep 09, 2015 7:03 am

Re: Feature requests

Fri Feb 03, 2017 9:29 am

Hello.

How about accepting RADIUS Attribute "Class" in CoA requests?
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Fri Feb 03, 2017 1:31 pm

Not only being able to extend the timeout in address lists but also being able to reduce the timeouts by entering a lower timeout by an action in a firewall rule.
 
ckleea
Frequent Visitor
Posts: 63
Joined: Sun Apr 21, 2013 12:19 pm

Re: Feature requests

Sat Feb 04, 2017 9:16 am

Is it possible to add /ip cloud ddns to x86 ROS? It is already available in routerboard hardware and I think it should be extended to x86.

Thanks
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature requests

Sat Feb 04, 2017 1:53 pm

Is it possible to add /ip cloud ddns to x86 ROS?
This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.
 
ckleea
Frequent Visitor
Posts: 63
Joined: Sun Apr 21, 2013 12:19 pm

Re: Feature requests

Sat Feb 04, 2017 4:16 pm

Is it possible to add /ip cloud ddns to x86 ROS?
This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.
I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature requests

Sat Feb 04, 2017 4:19 pm

I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct
No, you don't. Software ID is not the same as hardware serial number.
 
saaremaa
Member Candidate
Posts: 162
Joined: Tue Feb 02, 2010 7:48 pm
Location: Baltijos šalių miestas

Re: Feature requests

Mon Feb 06, 2017 11:37 am

Please implement this command:
/ip service set dns address=192.168.0.0/24 disabled=no
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Feature requests

Mon Feb 06, 2017 12:33 pm

Please implement this command:
/ip service set dns address=192.168.0.0/24 disabled=no
+1 MT by default being an open resolver is a HUGE pita. You can't expect an ISP with thousands of customers to protect them all, and you can't expect thousands of Mikrotik users to know how to protect their router either. I know of multi 10GB/s ISPs that went down completely due to MT being used in DNS amplification attacks.

Yes, you can block it in firewall, but as soon as you do you lose piles of features (ala fastpath/fasttrack/connection tracking/etc). Silly that other services can be protected by /ip services, but not CRITICALLY VULNERABLE services, such as DNS, SMB, Proxy, Socks, etc. which are known to be used in exploits and DDoSes.

Would like every service MT runs (SMB, Socks, Proxy, DNS, etc.) to all have ACLs in /ip services AFAIK, and would be good to have it 'locked down' by default to say 1921.68.1.0/24 seeing that the default IP on hardware devices is 192.168.1.1/24.
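
The exposure described in the post above can be checked from a configuration export. The following Python sketch is an added example, not part of the thread or of MikroTik's tooling: it parses a constructed `/export` sample and reports whether the router's DNS service would answer new queries arriving on the WAN port. The interface name `ether1`, the sample rules and the simplified first-match model of the `input` chain are assumptions.

```python
import shlex

# Constructed sample of RouterOS `/export` output (not taken from the thread).
# Assumption: ether1 is the WAN-facing interface.
EXPOSED = r"""
/ip dns
set allow-remote-requests=yes servers=203.0.113.53
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=22,8291 in-interface=ether1 \
    protocol=tcp
"""

# Same configuration with explicit drops for DNS arriving on the WAN port.
PROTECTED = EXPOSED + r"""add action=drop chain=input comment="no DNS from WAN" dst-port=53 \
    in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
"""

# Matchers this sketch understands; rules using anything else are skipped,
# which errs on the side of reporting exposure.
MODELLED = {"_cmd", "action", "chain", "comment", "disabled", "protocol",
            "dst-port", "in-interface", "connection-state"}
TERMINATING = {"accept", "drop", "reject", "tarpit"}


def parse_export(text):
    """Return {menu path: [item dict, ...]} from RouterOS export text."""
    joined = text.replace("\\\n", " ")  # undo the export's line wrapping
    menus, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)  # keeps comment="a b c" as one token
        item = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                item[key] = value
        menus[current].append(item)
    return menus


def port_matches(spec, port):
    """True if port is in a RouterOS port spec such as '22,8000-8291'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def first_verdict(rules, proto, port, iface):
    """First terminating action for a NEW packet addressed to the router."""
    for rule in rules:
        if rule.get("chain") != "input" or rule.get("disabled") == "yes":
            continue
        if set(rule) - MODELLED or any(v.startswith("!") for v in rule.values()):
            continue  # unmodelled or negated matcher: cannot prove a match
        if "protocol" in rule and rule["protocol"] != proto:
            continue
        if "dst-port" in rule and not port_matches(rule["dst-port"], port):
            continue
        if "in-interface" in rule and rule["in-interface"] != iface:
            continue
        states = rule.get("connection-state")
        if states and "new" not in states.split(","):
            continue
        action = rule.get("action", "accept")  # RouterOS default action
        if action in TERMINATING:
            return action
    return "accept"  # the input chain accepts when no rule matches


def dns_exposed(export_text, wan_iface):
    """List the protocols on which port 53 is reachable from wan_iface."""
    menus = parse_export(export_text)
    remote = any(item.get("allow-remote-requests") == "yes"
                 for item in menus.get("/ip dns", []))
    if not remote:
        return []
    rules = menus.get("/ip firewall filter", [])
    return [p for p in ("udp", "tcp")
            if first_verdict(rules, p, 53, wan_iface) == "accept"]


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("protected", PROTECTED)):
        print(name, dns_exposed(cfg, "ether1"))
```

An empty list means either remote requests are disabled or every new DNS packet from the named interface hits a terminating drop before any accept.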
 
expert
Frequent Visitor
Posts: 97
Joined: Sun Dec 04, 2016 1:22 pm

Re: Feature requests

Mon Feb 06, 2017 12:54 pm

Would like every service MT runs (SMB, Socks, Proxy, DNS, etc.) to all have ACLs in /ip services AFAIK, and would be good to have it 'locked down' by default to say 1921.68.1.0/24 seeing that the default IP on hardware devices is 192.168.1.1/24.
Afaik factory default is 192.168.88.1/24, but I agree. On the other hand, DNS on MK is totally obsolete service. Running DNS service on internet gateway is fundamentally a security risk. It also does not support modern features like DNSSEC, so I would rather go with Unbound or Knot running on dedicated host.
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Feature requests

Mon Feb 06, 2017 1:22 pm

On the other hand, DNS on MK is totally obsolete service. Running DNS service on internet gateway is fundamentally a security risk.
As is NTP Servers (ntp server magically disappeared from ROS in some version), web proxy, socks (really now, who still uses socks?), smb, and I'm sure other things too. Unfortunately, that seems to be what consumers want. Just really wish we could have all these things in separate packages so that we don't have to always have them installed.

Most of these services, belong on proper servers yes. I'm all for moving all these things (at the very least) to a meta router image, which is completely separated from ROS and installed at will, not by default. Userman is separated, dude is separated, I fail to see why the other stuff can't be made separated as well.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Mon Feb 06, 2017 8:27 pm

NTP server was always separate package, as long as I remember. Other stuff could be moved into one (or more) too, but there probably isn't good enough reason to do it (not counting your peace of mind :)). If you don't enable any of it, all this stuff does is taking few hundreds kilobytes of disk space at most.

And of course consumers want it, it's because it's useful for them. If you're big ISP, it does not make any sense to run e.g. DNS resolver on RouterOS (not in its current state with very limited features, that's for sure). But if you're home user or small office, then it's the exact opposite. Keeping dedicated machine for this stuff is huge overkill. Current routers are pretty powerful and can easily handle all these little extras and still manage to stay bored.

Btw, I think SOCKS is very underrated. It works with TCP and UDP, support both outgoing and incoming connections, supports authentication, can be used as IPv4/IPv6 proxy, and still it's very lightweight. It may not sound as much now, since almost everyone took different path, but this all was available since 1996 (year of SOCKS5 RFC). Why things like HTTP CONNECT caught on instead of this is beyond me. It still has some fans. ;)
 
Arcticfox
just joined
Posts: 19
Joined: Fri Mar 29, 2013 2:29 pm

Re: Feature requests

Mon Feb 06, 2017 11:31 pm

Can you make a small feature for mAP devices such as USB-NIC?
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Feature requests

Tue Feb 07, 2017 9:50 am

Another good one, IMHO...

Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.

This gives us the ability to very easily match entire ASNs in firewall rules :)
 
nz_monkey
Forum Guru
Posts: 2103
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature requests

Tue Feb 07, 2017 10:07 am

Another good one, IMHO...

Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.

This gives us the ability to very easily match entire ASNs in firewall rules :)
This has been requested, and confirmed by Mikrotik for routing filters in v7.
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Feature requests

Tue Feb 07, 2017 10:13 am

Another good one, IMHO...

Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.

This gives us the ability to very easily match entire ASNs in firewall rules :)
This has been requested, and confirmed by Mikrotik for routing filters in v7.
Oh fantastic! So, when can I get V7 then :lol:
 
lavv17
Member Candidate
Posts: 120
Joined: Sat Sep 01, 2007 9:01 am

Re: Feature requests

Thu Feb 09, 2017 2:50 pm

Filtering packets in chain=input can affect srcnat. So it would be nice to limit filtering to local router's IP addresses. But it would be hard to maintain such a list of addresses, if the router's configuration is changed from time to time.

So here goes a feature request: an automatic address-list "local-router" (or similar name) which is generated automatically from the local IP addresses of the router.

P.S. Thanks to msatter who pointed out the existing
dst-address-type=local
option.
Last edited by lavv17 on Fri Feb 10, 2017 3:09 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Thu Feb 09, 2017 3:25 pm

Filtering packets in chain=input can affect srcnat. So it would be nice to limit filtering to local router's IP addresses. But it would be hard to maintain such a list of addresses, if the router's configuration is changed from time to time.

So here goes a feature request: an automatic address-list "local-router" (or similar name) which is generated automatically from the local IP addresses of the router.
There is the option:
src-address-type (unicast | local | broadcast | multicast; Default: )

Matches source address type:

unicast - IP address used for point to point transmission
local - if address is assigned to one of router's interfaces
broadcast - packet is sent to all devices in subnet
multicast - packet is forwarded to defined group of devices
And this one can also be used if you have a dynamic WAN address.
 
agomes
newbie
Posts: 38
Joined: Thu Mar 17, 2016 8:16 am

Re: Feature requests

Thu Feb 09, 2017 4:47 pm

It will be good if RouterOS will have integrated brute force protection and filter.
It does

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
Nice!
 
Larsa
Forum Guru
Posts: 1059
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature requests

Thu Feb 09, 2017 10:54 pm

Another good one, IMHO...

Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.

This gives us the ability to very easily match entire ASNs in firewall rules :)
This has been requested, and confirmed by Mikrotik for routing filters in v7.
Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Fri Feb 10, 2017 12:44 am

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
yes
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri Feb 10, 2017 12:59 am

It will be good if RouterOS will have integrated brute force protection and filter.
Most definitely! The current "implementation of brute force protection" is a joke. A counter on port visits as opposed to actually checking whether the login succeeds or not.
 
Larsa
Forum Guru
Posts: 1059
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature requests

Fri Feb 10, 2017 11:37 am

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
yes
Great, any chance we'll see acl's (filter groups) as well?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Fri Feb 10, 2017 2:51 pm

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
yes
Great, any chance we'll see acl's (filter groups) as well?
what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need?
 
lavv17
Member Candidate
Posts: 120
Joined: Sat Sep 01, 2007 9:01 am

Re: Feature requests

Fri Feb 10, 2017 3:00 pm

There is the option:
src-address-type (unicast | local | broadcast | multicast; Default: )
local - if address is assigned to one of router's interfaces
Cool, thanks! I'll use this feature.
 
Larsa
Forum Guru
Posts: 1059
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature requests

Fri Feb 10, 2017 3:27 pm

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
yes
Great, any chance we'll see acl's (filter groups) as well?
what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need?
The ability to utilize grouping of for example firewall filters is a matter of making network management more manageable and perspicuous, thus this is especially useful in complex environments. If you're familiar with Cisco ACL Object Groups you probably know what I mean...

Ref: Cisco IOS: Object Groups for ACLs
 
Rolek
just joined
Posts: 1
Joined: Mon Jan 28, 2013 3:49 pm

Feature request : HotSpot

Fri Feb 10, 2017 11:16 pm

Hi!

HotSpot Status page sometimes is not necessary

> ip hotspot user profile set open-status-page=
always http-login never
 
Larsa
Forum Guru
Posts: 1059
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

RoS v7 wishlist

Sat Feb 11, 2017 2:19 am

RoS v7 wishlist 2017-02-11

I’m rather new to the MT-world since about a year ago and it’s probably way too late to influence R&D at this stage but anyhow, here is my wish list for v7:

- A good object oriented scripting language with a small “footprint” for embedded system such as Lua (eLua), Python, Squirrel, TinyC, Tcl, JavaScript, AngelScript, Picobit, Forth
- Object oriented interfaces for all hardware resources and network related elements for example:
Ethernet eth1 = router.hardware.ether1;

eth1.ip.address = "192.168.0.1";
eth1.status = enabled;

log ("Eth1 - current speed: " + eth1.speed);
- Script libraries.
- Event triggers on all objects that have properties that may change.
- Object groups for acl’s, routing policies, interfaces, queue, etc.
- Enhanced debugging/tracing that can show the whole packet path through all chains, queues and possible stops.
- Simplified interface for queue management in complex environments.
- Virtual hardware interface for direct attached AP's, BaseBox SXT LTE, etc in order to check and control important properties and subscribe to real time events like link status etc.
- Pluggable interfaces and protocols to preserve resources.
- Pluggable controller to enable Software Defined Networking.
- Fast and structured storage like sqlite for scripting purposes.
- The ability to develop and run third party pluggable add-ons running on a sandboxed environment (e.g. Linux Docker) for supplementary services like:
  • hotspot management
  • accounting and billing
  • two factor authentication
  • OpenVPN AS
  • performance tools
  • enhanced management services
  • storage providers
  • move User-Manager and Netwatch here
- API using standardized interfaces and RPC techniques such as, or similar to:
  • JSON/REST
  • CORBA RPC
  • ONC RPC
  • DCE RPC
- Encrypted key storage for storing passwords used in scripts, certificate private keys, etc.
- Security enhancements
  • Two factor authentication for management access and VPN tunnels.
  • Password (or possible ACL) protected files and settings
  • LDAP integration for management access.
  • Real brute force protection
- Network Monitoring and Management
  • Pluggable module for Network Management (NMS) with support for:
    - OpenFlow/NetFlow (SDN)
    - RMAN2
    - CIM/WBEM (SBLIM)
    - SNMPv3 with enhanced security
    - Enhanced MIB-II trees
    - SNAP traps for all manageable objects (both hw and sw)
- Various protocol enhancements: IKEv2, OpenVPN UDP + options like ZLE/EAS/TLS-AUTH etc, 2FA, DNSSEC, IPSEC/VT, NAT64.
- Multiple MAC’s and IP’s per ethernet/sfp interface.

Work out a new license model and divide the above into different level of capabilities that will also make it possible to run on less powerful devices.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sat Feb 11, 2017 4:47 am

Nice list, but you have to ask yourself - do you want to see RouterOS v7 before or after 2020? ;)
 
Larsa
Forum Guru
Posts: 1059
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature requests

Sat Feb 11, 2017 1:22 pm

Nice list, but you have to ask yourself - do you want to see RouterOS v7 before or after 2020? ;)
Well, most definitely not before 2020 if they choose to develop everything from scratch. :lol:

It's actually possible to create a working prototype with most of the features from the wishlist on a small device like the Raspberry Pi in just a couple of days. And yes, you obviously need to configure everything manually the typical Linux way through shell scripts and edit tons of files. But it's quite doable and I've done it myself although the configuration process was definitely the major obstacle. You could probably even use a RB to implement your own prototype: HOWTO: Dual-booting RouterOS and OpenWRT on RouterBoard

Hopefully they'll implement RoS v7 on a new and flexible platform using frameworks such as XDP/eBPF/NFtables, pluggable kernel modules for example communication and management protocols, and using Linux Docker as sandbox environment for third party add-ons. And there are plenty of open source protocol stacks that can act as base for further work. An example of a company that makes heavy use of open source is Brocade and you can even find the complete src for the old Vyatta Vrouter. If R&D at MikroTik choose this way of working they can initially implement the basic functionality quite fast and work their way up in the food chain so to speak.

There's nothing new under the sun and everything is up for grabs but hopefully they'll make it happen! :D
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sat Feb 11, 2017 4:20 pm

The trouble with working prototypes is that while you can create one in couple of days, you then need couple of months to turn them into something you can share with others, and much more if you want to reliably tackle all corner cases. I imagine there are quite a few in something with RouterOS size. So while I hope to see some of your suggestions make it into v7, I think a lot of others can be just distant dream for v8 or so.
 
Larsa
Forum Guru
Posts: 1059
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature requests

Sat Feb 11, 2017 6:15 pm

The trouble with working prototypes is that while you can create one in couple of days, you then need couple of months to turn them into something you can share with others, and much more if you want to reliably tackle all corner cases. I imagine there are quite a few in something with RouterOS size. So while I hope to see some of your suggestions make it into v7, I think a lot of others can be just distant dream for v8 or so.
Yeah, the prototype is usually just a part of a POC they probably did ages ago. If they are smart, they'll release a version that will match the functionality in v6 and continue from there when things have stabilised. One thing is for sure, the folks at marketing will have to cope with all the people that have extremely high expectations of v7 and that believe it will solve all problems in the world! :-D

Anyhow, I would guess that much of the work is put on developing their own nftable bytecode compiler/decompiler "engine" that needs to be tightly integrated into the user interface. In general it's a quite big step to move from iptables to nftables but in the long run, the operation and management of the development projects will become greatly simplified in regards of correcting bugs and adding new features.

And they will of course need to integrate new protocol stacks that are not part of the standard kernel but I really hope they'll avoid developing new protocols themselves and instead put all effort in integrating open source or licensed software...
 
Larsa
Forum Guru
Posts: 1059
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature requests

Sat Feb 11, 2017 6:42 pm

Btw, are there currently any big showstoppers in regards of bugs or missing features that would actually force people to pick other vendors even if they preferred MT?
 
SystemErrorMessage
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: Feature requests

Sun Feb 12, 2017 12:40 am

All I want is for MikroTik RouterOS, for RouterBOARDs at least, to have all the features that both consumer and prosumer routers have and many features that industrial routers have as well. By that I mean in consumer routers in the config you can use domains in some of the configuration which is resolved when used rather than stored as an IP. If you look at OpenWrt and what Linux based consumer routers can really do if you get into the Linux bit and start adding and changing config files, it really makes those routers flexible. MikroTik RouterOS is only flexible with what you see in front of you, being able to add rules, but you can't do really complex things without having to deal with MT's script and scheduler which tends to get broken and fixed multiple times. Last month I updated to 6.37 and it broke the scheduler and the OpenDNS update script timed out. Updated to latest firmware today for the TILE and while the scripts work now the scheduler still doesn't work. I use the commands you would use in the command lines to run multiple scripts from 1 schedule which worked till I updated to version 6.37.
 
craterman
just joined
Posts: 22
Joined: Tue Oct 14, 2014 1:26 pm

Re: Feature requests

Mon Feb 13, 2017 9:07 am

RFC 3021
 
Larsa
Forum Guru
Posts: 1059
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature requests

Mon Feb 13, 2017 9:46 am

RFC 3021
What about this workaround? http://forum.mikrotik.com/viewtopic.php?t=7367#p32149. You might even save some addresses...
 
dukejjjj
just joined
Posts: 4
Joined: Fri Dec 23, 2011 6:00 pm

Re: Feature requests

Wed Feb 15, 2017 8:17 am

I have a suggestion

ip firewall connections add new columns like IP Geo / country / ISP .... information
 
dattl
just joined
Posts: 10
Joined: Sun Sep 27, 2015 1:57 pm

Re: Feature requests

Thu Feb 16, 2017 11:24 am

Hi,
First: I love Mikrotiks, I have already 60+ pieces brought out to a lot of Customers.
One little thing that would be very handy for me is:
IPSec Policy with ADDRESSLIST
feature instead of 1 policy per subnet on same VPN-Peer, as I have 1 customer with around 150 subnets and this is a total overkill for searching through policies.
The Mailfirewall there is a Sonicwall and this supports subnetgroups for VPN-Policies. So the similar thing would be addresslists in Mikrotik.

Thank you for your great work!
Best
-Dattl
 
SDFadfasdfadsf
just joined
Posts: 23
Joined: Sun Feb 07, 2016 2:21 am

Re: Feature requests

Sun Feb 19, 2017 2:47 am

RFC 8092 BGP Large Communities implementation Feature Requested 2016090522001073

timeline available?
 
JanezFord
Member Candidate
Posts: 269
Joined: Wed May 23, 2012 10:58 am

Re: Feature requests

Thu Feb 23, 2017 12:58 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature requests

Thu Feb 23, 2017 1:14 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.
This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
 
JanezFord
Member Candidate
Member Candidate
Posts: 269
Joined: Wed May 23, 2012 10:58 am

Re: Feature requests

Thu Feb 23, 2017 8:30 pm

This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
Thank you, I will look at your suggestion ... but anyway I find it would be way more user friendly to have for example a "Locate" button in Routerboard menu instead of having to program scripts for such a task.

JF.
 
anuser
Long time Member
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: Feature requests

Mon Feb 27, 2017 5:40 pm

What about enhancing CAPSMAN:
- centralized upgrade for RouterBoot (button for "/system routerboard upgrade") would be nice.
- "Right click" into remote CAPs list and directly connect to one of the CAP device itself
- management of all routerboards, also without wifi
 
CerpinTaxt
just joined
Posts: 5
Joined: Wed Mar 01, 2017 3:12 am

Re: Feature requests

Wed Mar 01, 2017 3:16 am

Usermanager:
Currently, maintaining users via web browser provides more information than can be obtained using the CLI directly on the router (e.g. Total time left/Till Time can be seen on browser, but not Winbox) this makes using the API to get this information impossible. Could this be added in the output of
/tool user-manager user print
or even
/tool user-manager user print detail
would be great. The CLI should have everything a GUI has (plus more?!)
 
gilson
just joined
Posts: 3
Joined: Sat Mar 04, 2017 9:44 pm

Feature requests: In Winbox, copy from Log panel to clip board.

Sat Mar 04, 2017 10:02 pm

While using Winbox, I always missed the ability to mark and copy from the log panel to the clipboard, as well as a Find box. It would be very useful.
Last edited by gilson on Thu Apr 13, 2017 2:30 pm, edited 1 time in total.
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Mon Mar 06, 2017 3:04 am

The ability to copy and paste data more easily.
1) Selected text from the log to the clipboard.
2) From random tables into the clipboard in csv format.
 
hyperpaccket
just joined
Posts: 5
Joined: Mon Mar 06, 2017 6:10 am

Re: Feature requests

Mon Mar 06, 2017 6:15 am

More than 2GB of ram for the X86 Build.
 
JanezFord
Member Candidate
Member Candidate
Posts: 269
Joined: Wed May 23, 2012 10:58 am

Re: Feature requests

Fri Mar 10, 2017 2:39 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.
This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...

JF.
 
mlow
just joined
Posts: 18
Joined: Sun Oct 05, 2014 10:42 am

Re: Feature requests

Fri Mar 10, 2017 11:43 pm

RFC6939 for the DHCPv6 relay.
Would be extremely useful for doing MAC address based DHCPv6 reservations RFC4649
Last edited by mlow on Mon Apr 03, 2017 2:53 am, edited 1 time in total.
 
exploit
just joined
Posts: 3
Joined: Fri Mar 10, 2017 1:36 pm
Location: Krasnodar, Russia

Re: Feature requests

Mon Mar 13, 2017 7:55 am

1. I believe that you need to add ability to associate an IP address with two different mac-addresses. This allows you to give the same network address to a device that connects at different times from different interfaces (for example, ethernet or Wi-Fi in laptops)
This feature is implemented in dnsmasq (for example, dhcp-host=38:B1:DB:38:B4:23,28:d2:44:d0:e0:3e,192.168.0.111)

2. I do not receive the network route specified in the profile of the l2tp client. This topic was previously discussed in your forum: viewtopic.php?t=56079
This feature is implemented in SoftEther

Thus, both possibilities requested by me are technically feasible.
 
meckanix
just joined
Posts: 4
Joined: Sat Nov 09, 2013 11:22 am

Re: Feature requests

Wed Mar 15, 2017 4:29 pm

Can we add a VRF setting to the DHCP relay so that the relay can be used within a VRF?
 
neticted
Member Candidate
Member Candidate
Posts: 137
Joined: Wed Jan 04, 2012 10:36 am

Re: Feature requests

Fri Mar 17, 2017 1:18 pm

I use wireless roaming feature and I have set Signal range in Access list to kick clients with low signals.

It works fine for most of the time but sometimes some clients got kicked frequently even with good signal.

After some time of monitoring this issue I concluded that problem is that it happens that client momentarily is received with low signal, and Mikrotik kicks it at once.

If I set lowest allowed signal to very low, client does not get kicked. But, that ruins whole idea of roaming as then clients stay connected to node even with very low signal.

My proposal is to introduce option to set hysteresis (delay) to kicking clients if signal is out of specified level range. Goal is to kick client if it really has low signal for some time not just because it is measured low for a moment.
 
lavv17
Member Candidate
Member Candidate
Posts: 120
Joined: Sat Sep 01, 2007 9:01 am

Re: Feature requests

Wed Mar 29, 2017 3:41 pm

Hello!

RouterOS "ip route print where dst-address in x.x.x.x/z" is fast. But for a reason the same for ipv6 is slow (when the number of routes is large).

Please, make ipv6 route lookups fast as well.
 
savage
Forum Guru
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa
Contact:

Re: Feature requests

Wed Mar 29, 2017 3:44 pm

Hello!

RouterOS "ip route print where dst-address in x.x.x.x/z" is fast. But for a reason the same for ipv6 is slow (when the number of routes is large).

Please, make ipv6 route lookups fast as well.
And IPv6 filter on dst-address doesn't work at all in Winbox
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Mar 30, 2017 4:09 am

Bridge-like filtering (L2) for Mesh.
 
lavv17
Member Candidate
Member Candidate
Posts: 120
Joined: Sat Sep 01, 2007 9:01 am

Re: Feature requests

Tue Apr 04, 2017 12:34 pm

It would be nice if routing updates were more atomic. Currently converging BGP full view can lead to temporary routing loops. They last for a minute or two.

My setup consists of 3 CCR1036 routers facing different providers; iBGP between each pair of them. When a router boots up, a temporary loop can be created for a pair of minutes.

Also I'd like to repeat my plea of a graceful reboot option: viewtopic.php?f=1&t=45934&p=556840&hili ... ul#p556840
 
Nee
just joined
Posts: 1
Joined: Tue Apr 11, 2017 4:45 pm

Re: Feature requests

Tue Apr 11, 2017 5:03 pm

1. dstnat for output chain - i.e. to route Mikrotik's DNS requests to different DNS servers / interfaces
2. hardware ipsec acceleration for processors, which support it (i.e. RB3011) - maximum ipsec performance is a must for many modern configs, imho
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Apr 13, 2017 8:11 am

Please add a button to clear the log. It's practically impossible to try and debug routers over crappy connections when just attempting to load the log causes the connection to break. If I could periodically clear the log it would reduce the traffic enough for the connection to remain viable.

I've tried the methods listed on the forum and they no longer work.
 
OnixJonix
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Thu Jun 22, 2006 11:35 am
Location: Latvia

Re: Feature requests - CAPS Logs explained

Thu Apr 13, 2017 10:32 am

Please come up with CAPS logs explanation!!!!
Stuck with capsman problems - see problems in log files, but not sure what it means and what direction to look for!!

for example:
caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]
 
andriys
Forum Guru
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature requests - CAPS Logs explained

Thu Apr 13, 2017 11:39 am

caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]
You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.
 
OnixJonix
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Thu Jun 22, 2006 11:35 am
Location: Latvia

Re: Feature requests - CAPS Logs explained

Thu Apr 13, 2017 1:08 pm

caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]
You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.
No certificates at all!! Maybe that's the problem??
 
andriys
Forum Guru
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature requests - CAPS Logs explained

Thu Apr 13, 2017 1:33 pm

No certificates at all!! Maybe that's the problem??
Another guess- CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone configuration of CAP devices?
 
felipelinkmais
just joined
Posts: 3
Joined: Thu Oct 20, 2016 1:32 pm

Re: Feature requests

Thu Apr 13, 2017 9:31 pm

It would be nice if MikroTik created a new OLT package to turn any MikroTik device with an SFP slot into a GPON/EPON OLT.
 
OnixJonix
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Thu Jun 22, 2006 11:35 am
Location: Latvia

Re: Feature requests - CAPS Logs explained

Tue Apr 18, 2017 8:25 am

No certificates at all!! Maybe that's the problem??
Another guess- CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone configuration of CAP devices?
Have ~50 CAPs - the Capsman Radio list shows all of them, and there are no duplicated MACs in the list!!! This was my first guess, but it seems everything is ok there!!
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Apr 18, 2017 10:34 am

Please make it possible to change the comment associated with a connection without it restarting said connection.
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed Apr 19, 2017 6:39 am

Could we get the LAC (local area code) also being displayed in the info box for 3G/4G modems? This information is required to locate the sim. Currently the cellid is being displayed and it's possible to determine MCC and MNC. See http://cellidfinder.com/
 
scus
just joined
Posts: 6
Joined: Mon Aug 08, 2016 3:29 pm

Re: Feature requests

Wed Apr 19, 2017 3:54 pm

In case that public key authentication is used (and passwords are disabled) the SSH server should drop the connection immediately if no public key is provided by the client (instead of asking for a password and denying access even if a valid password is provided). There should also be a configuration option to allow password authentication in addition to public key authentication.

I have thousands of failed login attempts (from different IPs), all trying to login as admin, user, test, etc. using passwords...
 
juliokato
Member Candidate
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Feature requests

Wed Apr 19, 2017 5:06 pm

[Active Users (Admins)]
Is there any way to cut the connection of a remote admin.
Amazing how this feature does not exist!
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Feature requests

Wed Apr 19, 2017 9:21 pm

Do you want to be cut off by a hacker?
 
juliokato
Member Candidate
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Feature requests

Thu Apr 20, 2017 3:25 pm

Look this:
How do I delete previous sessions stuck in an easy way?
 
macsrwe
Forum Guru
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: Feature requests (DNS names input instead of IP address)

Fri Apr 21, 2017 9:29 pm

Hi,

Please add feature that will allow me to add DNS name instead of exact IP address. I need this to connect 2 or more MKT routers (PPTP connection) if they are connected to internet thru ADSL and theirs IP addresses are dynamic. I hope that you understand what I am saying and that we can expect this feature in new ROS.

bye,

;-)
i think that this should be global. anywhere you specify a dns name it should be resolved.
Yes, but not immediately - it should be stored as a DNS name and resolved in real time. For example, it's pointless to resolve /tool email server once and store it as a numeric address, which is why ROS will store it as a name. However, /system watchdog resolves the same server once and then stores it as a number, which is wrong. Also, you don't want things to fail because they can't be resolved immediately when you are configuring a router on a workbench and it has no connection to your network.
 
macsrwe
Forum Guru
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: Feature requests

Fri Apr 21, 2017 9:34 pm

Please make it possible to change the comment associated with a connection without it restarting said connection.
This would be good for both /int wireless access and /int wireless connection; also the "add to access list" and "add to connection list" operations, where you already know that the resulting entry will not be incompatible with the connection that already exists, because it is being generated from that connection.
 
macsrwe
Forum Guru
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: Feature requests

Fri Apr 21, 2017 9:38 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.
This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...

JF.
Many of the newer, lower-cost devices have no beepers. :-( I have come to rely on the beepers for so much diagnosis (esp. SXT setup) and I really miss them. I would pay the extra buck.
 
horhay
newbie
Posts: 29
Joined: Sat Jun 20, 2015 7:19 pm
Location: Ontario, Canada
Contact:

Re: Feature requests

Fri Apr 21, 2017 11:44 pm

Help us old keyboarders out and add ALT tags to menu and buttons.

This way we can use ALT C for a Close button or ALT O for OK.
 
skuykend
Member Candidate
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: Feature requests

Sat Apr 22, 2017 3:59 am

During an Export of /Interface/Ethernet/Switch/Ports it would be nice to have it use a [ find default-name=xxxxx ] like the /interface ethernet export instead just the set#.
 
Andrew08
just joined
Posts: 2
Joined: Thu Jul 23, 2015 8:11 am

Re: Feature requests

Sat Apr 22, 2017 10:32 am

Ip dns port support
So for example we can use 208.67.220.220:443
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sat Apr 22, 2017 4:39 pm

Requesting for neater and more readable exports

currently:
export compact
/something1
some config
/something2
some config
suggestion:
export compact
/something1
some config

/something2
some config
spacing them out improves readability a lot.
 
Zero3K
just joined
Posts: 17
Joined: Sat Apr 22, 2017 11:25 pm
Location: Louisville, KY, USA

Re: Feature requests

Sun Apr 23, 2017 1:33 am

It would be nice if there was an option to display a box containing the Ethernet and DHCP Clients (with the Mac, IP, and how long it has been online) connected to it in the Quick Set page.
 
tawhwat
just joined
Posts: 15
Joined: Fri Oct 28, 2016 5:45 pm

Re: Feature requests

Sun Apr 23, 2017 5:29 pm

I believe this request can be implemented very fast but it helps the ROS management with Multiple WAN a lot! :wink:
The "/ping" and "/system ssh" allow user to specify the "src-address" parameter so that the command can initiate the network connection on specific WAN easily.
BUT "/tool fetch" doesn't include "src-address" parameter.

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to achieve this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adding the "src-address" parameter to "/tool fetch"
 
juliokato
Member Candidate
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Feature requests

Sun Apr 23, 2017 7:26 pm

I believe this request can be implemented very fast but it helps the ROS management with Multiple WAN a lot! :wink:
The "/ping" and "/system ssh" allow user to specify the "src-address" parameter so that the command can initiate the network connection on specific WAN easily.
BUT "/tool fetch" doesn't include "src-address" parameter.

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to achieve this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adding the "src-address" parameter to "/tool fetch"
+1
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Mon Apr 24, 2017 8:02 pm

please, MSTP & PVRSTP next version...
 
sparker
just joined
Posts: 23
Joined: Mon Jan 23, 2012 5:48 pm
Location: Russia / Chelyabinsk

Re: Feature requests

Tue Apr 25, 2017 9:49 am

+1
Really need, please!
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Wed Apr 26, 2017 5:55 am

request: a default set of IPv6 firewall rules with IPv6 enabled by default
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed Apr 26, 2017 6:46 am

Please add the ability to do a where query in [] with any valid-variable.

fail example:
:local identity "testRouter"
:local interface [/ip neighbor find where identity=$identity]

fail reason:
result differs from :local interface [/ip neighbor find where identity="testRouter"]
contains several interfaces which don't have the specified identity.

pass example:
:local macAddress "00:11:22:33:44:55"
:local interface [/ip neighbor find where mac-address=$macAddress]

pass reason:
gives exact same result as :local interface [/ip neighbor find where mac-address="00:11:22:33:44:55"]
contains only interfaces that have that MAC address
 
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Thu Apr 27, 2017 2:08 am

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to achieve this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adding the "src-address" parameter to "/tool fetch"
setup some VPN tunnel between the routers :)
then you may ping inside the VPN, or just use VPN Interface state to detect remote failure
 
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Thu Apr 27, 2017 2:15 am

Please add the ability to do a where query in [] with any valid-variable.

fail example:
:local identity "testRouter"
:local interface [/ip neighbor find where identity=$identity]

fail reason:
result differs from :local interface [/ip neighbor find where identity="testRouter"]
contains several interfaces which don't have the specified identity.
that's because the variable name "identity" is the same as parameter name "identity". the following code works correctly:
:local id "testRouter"
:local interface [/ip neighbor find where identity=$id]
by the way, using the following is also correct:
:local interface [/ip neighbor find where $identity=$id]
:local interface [/ip neighbor find $identity=$id]
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Apr 27, 2017 5:39 am

Thank you, I will try it out!
 
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

dhcp clientid in dns req

Thu Apr 27, 2017 9:37 pm

this one can be quite neat if someone is into parental control

https://datatracker.ietf.org/doc/draft- ... -clientid/

the code is there in dnsmasq since 2.76
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri Apr 28, 2017 3:58 am

Can we get standard 802.11s support? https://wiki.mikrotik.com/wiki/Manual:I ... e/HWMPplus indicates that the HWMP+ protocol is based on 802.11s draft but is not compatible with it.
 
kalaposl
Trainer
Trainer
Posts: 11
Joined: Fri Apr 23, 2010 3:41 pm

Re: Feature requests

Fri Apr 28, 2017 1:00 pm

I would love if I could run a script as a firewall action.
 
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Sat Apr 29, 2017 12:25 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
 
macsrwe
Forum Guru
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: Feature requests

Sat Apr 29, 2017 2:27 am

I've been waiting over five years for /system upgrade upgrade-package-source to allow specification of its password parameter on the command line instead of demanding it interactively. This one deficiency makes Flashfig entirely useless to us and makes initializing every one of our MikroTik CPEs a multi-step manual process. I've been told this is done for "security," but every other password, encryption key, secret, etc. can be set from the CLI except this one (which is a relatively minor "security" function at best), so I'm not buying that argument. How hard can this be, guys?
 
nordex
Member Candidate
Member Candidate
Posts: 103
Joined: Fri Mar 23, 2007 7:46 pm
Location: Croatia

Re: Feature requests

Sat Apr 29, 2017 8:14 pm

Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Mon May 01, 2017 4:10 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks
On that note, it would be really great to have an average cpu value being displayed in the resources tab. At the moment I have to run a script periodically and try to calculate this on my own.
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Mon May 01, 2017 6:07 am

request switch vlan support on RB750Gr3
 
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Wed May 03, 2017 10:57 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
there are certain "optimised" actions (like add-src/dst-to-address-list) which could have their "script" counterparts, but that doesn't mean they're the same. packet forwarding is not a thing where one want to mess with interpreted code. and running a script (executing a series of routeros commands) is actually running an interpreted code.
where i do see the quite a bit of flexibility, but it is a fundamental change how the PF code is organised. say we're just fine with a serialised code execution on a single core if it comes down to handle a flow, but that doesn't mean that cpu cycles are there to be wasted on unoptimised execution. also for me is not clear whether the script should be run in a non-blocking or blocking manner. all in all, since its just a set of interpretable code, it would be quite unpredictable whether it is to be executed parallelised or not. the result would be varying delay that could potentially affect (read: ruin) TCP throughput.

i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then it's up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

i think this fulfils your requirements of "hands shall not be bound", but also provides enough safeguarding for the "not so creative/inexperienced" users, whose forwarding performance would be seriously degraded by running code based on firewall rule matches. and for the RouterOS developers its always a give-and-take situation, where to go, what to risk: provide a very versatile toolset where you can do anything, which can (and most probably will) result in thousands of trouble-tickets and sad faces when used inappropriately, or leave it to be solved by the excessive creativity of the few ones who actually do require it. they need to think in the dimensions of megapackets per seconds for a while, and "tinkering" does not fit into the scope no more. and there is a whole world outside of RouterOS, lots of tools that may be used to contribute to its original functionality, we just need to think outside the box.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)
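
The log-and-parse workaround described above, as an added example that is not part of the original post or MikroTik's own code: a syslog-side parser that reads firewall log lines carrying a log-prefix tag and decides, off the forwarding path, when an action should fire. The tags, address-list names, thresholds, timestamp layout and sample lines are constructed, and the line layout is an assumption that differs between RouterOS versions (IPv4 only here).

```python
"""Syslog-side handling of tagged RouterOS firewall log lines (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy: log-prefix tag -> (hits needed, window, address list to use).
POLICY = {
    "SSHNEW": (3, timedelta(seconds=60), "ssh_watch"),
    "L7HIT": (1, timedelta(seconds=60), "l7_seen"),
}

# Assumed layout: "<timestamp> <host> firewall,info <prefix> <chain>: in:.. out:..,
# ..., proto X (flags), src[:port]->dst[:port], len N".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) firewall,info (?P<tag>\S+) (?P<chain>[\w-]+): "
    r"in:\S+ out:[^,]+,.*?proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, len \d+"
)

# Constructed sample input (documentation address ranges, made-up MACs).
SAMPLE = """\
2017-05-03T10:00:01 gw1 firewall,info SSHNEW input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:40112->198.51.100.1:22, len 60
2017-05-03T10:00:05 gw1 firewall,info SSHNEW input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:40113->198.51.100.1:22, len 60
2017-05-03T10:00:09 gw1 firewall,info SSHNEW input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.50:50001->198.51.100.1:22, len 60
2017-05-03T10:00:20 gw1 firewall,info SSHNEW input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:40114->198.51.100.1:22, len 60
2017-05-03T10:00:25 gw1 firewall,info SSHNEW input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:40115->198.51.100.1:22, len 60
2017-05-03T10:02:00 gw1 firewall,info L7HIT forward: in:bridge out:ether1, src-mac 00:11:22:33:44:66, proto TCP (ACK,PSH), 192.0.2.50:51000->203.0.113.80:80, len 512
2017-05-03T10:02:05 gw1 system,info,account user admin logged in from 192.0.2.9 via winbox
2017-05-03T10:02:30 gw1 firewall,info OTHER input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.9:5353->198.51.100.1:53, len 80
2017-05-03T10:03:00 gw1 firewall,info SSHNEW input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.50:50002->198.51.100.1:22, len 60
"""


def parse(line):
    """Return {'ts', 'tag', 'src', 'dport'} for a firewall line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        src = str(ipaddress.IPv4Address(m["src"]))  # rejects e.g. 203.0.113.700
    except ValueError:
        return None
    return {"ts": ts, "tag": m["tag"], "src": src, "dport": m["dport"]}


def decide(lines, policy=POLICY):
    """Return (actions, skipped); one action per (tag, src) once its threshold is met."""
    hits = defaultdict(deque)  # (tag, src) -> timestamps still inside the window
    fired = set()              # keys that already produced an action
    actions, skipped = [], 0
    for line in lines:
        ev = parse(line)
        if ev is None or ev["tag"] not in policy:
            skipped += 1       # unparseable line or a tag nobody asked about
            continue
        need, window, target = policy[ev["tag"]]
        key = (ev["tag"], ev["src"])
        q = hits[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()        # drop hits that fell out of the sliding window
        if len(q) >= need and key not in fired:
            fired.add(key)
            actions.append({"at": ev["ts"], "tag": ev["tag"],
                            "src": ev["src"], "list": target})
    return actions, skipped


def to_routeros(action, timeout="1h"):
    """Render an action as an address-list command; only validated values are used."""
    return (f'/ip firewall address-list add list={action["list"]} '
            f'address={action["src"]} timeout={timeout} comment="{action["tag"]}"')


if __name__ == "__main__":
    found, ignored = decide(SAMPLE.splitlines())
    for a in found:
        print(a["at"].isoformat(), to_routeros(a))
    print("skipped lines:", ignored)
```

Only the tag from the policy table and the address that passed `ipaddress` validation reach the rendered command, so text an outside host can influence in the log line never ends up in it.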
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed May 03, 2017 4:54 pm

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then it's up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)
I don't see why it's not possible to do the same with a run script on hit rule with some guidelines as you mention exists for the L7 rules. Unfortunately not everybody reads MUM slides.

Yes, the method that you describe of using a firewall rule and logging is an option, but potentially something that can become really messy really quickly.

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Wed May 03, 2017 5:52 pm

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.
seems we have to leave it to Mikrotik guys to decide which way to go :-)
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu May 04, 2017 7:46 am

seems we have to leave it to Mikrotik guys to decide which way to go :-)
Indubitably :)
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed May 10, 2017 8:11 am

Please add the ability to ping / ssh / telnet / other from the ip dhcp-server screen in winbox. This is already offered from the wireless registration page.

Any chance we could get the ability to form simple socket connections / ssh from the router in a script? Currently it's really one sided in that it's possible to connect to the router, but not possible for the router to automatically connect to other things.
 
makstex
newbie
Posts: 49
Joined: Fri Mar 27, 2009 6:31 am

Re: Feature requests

Thu May 11, 2017 7:25 am

Please add compression for the OpenVPN client.
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu May 11, 2017 9:16 am

Could we get a proper AT command + reply interface?

Sending down AT commands in the info string and then having them randomly overwrite some output as a response is far from ideal.

On that same topic, it would be great if the /interface ppp-client info section can be rewritten to go away and read all the data and then come back with the data instead of having to be polled repeatedly hoping to get all the data after x polls.
 
felipelinkmais
just joined
Posts: 3
Joined: Thu Oct 20, 2016 1:32 pm

Re: Feature requests

Thu May 11, 2017 4:34 pm

I don't know if it was already suggested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
 
teddyhsu
just joined
Posts: 2
Joined: Sun Nov 16, 2014 5:56 pm

Re: Feature requests

Fri May 12, 2017 2:25 pm

I hope I can create a counter-only supout file that only takes process information and counts connections and users.

When my routerboard has more than 100K connections and 2000 users, making a supout file will take more than 2 hours and be bigger than 1GB.
The heavy loading reboot is very hard to debug.
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Sat May 13, 2017 3:38 pm

I would like to request the required changes in order to allow 3G/LTE signal strength to be monitored on a continual basis without interrupting the signal - see https://forum.sierrawireless.com/viewto ... 108#p41108
 
nz_monkey
Forum Guru
Posts: 2103
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature requests

Mon May 15, 2017 12:20 pm

I don't know if it was already suggested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
:D this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...
 
macsrwe
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Feature requests

Tue May 16, 2017 10:11 pm

/ip firewall address-list has a creation-time field that is read only, although it appears in the add box. It would be quite handy if that were writeable at add time, such that the entry would take effect at whatever date and time is entered. This would allow us to schedule changes in account behavior at a future date without having to be sure to log in on that date to make it happen.
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Wed May 17, 2017 10:14 am

Now I must create the same few rules in FILTER ICON again and again in many places of WinBox (I use AutoIt to do it as a workaround).
PLEASE ADD the SAVE option for filtering rules.
I will be creating profile filters like dhcp with dynamic only, Arp static only, Conntrack show network1, conntrack show net2 - you get the idea. Open filters and select own save before filters rules - perfect.
 
CsXen
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Feature requests

Wed May 17, 2017 11:19 am

Hi.
I know, that Mikrotik dropped the mipsle platform support... I know... but..
Please, backport two fantastic changes to mipsle, specifically to RB532.
1. WPS client mode.
2. EAP-PEAP-MSCHAPv2

Please, make a "routeros-mipsle-6.32.5" package with these features to make our old routers happier. :)

Thanks and best regards: CsXen
 
Vooray
Frequent Visitor
Posts: 73
Joined: Mon Feb 23, 2015 3:34 pm

Re: Feature requests

Tue May 23, 2017 10:39 am

Please, add /31 mask on p2p support (rfc3021).
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Feature requests

Mon May 29, 2017 3:12 pm

it would be nice in capsman interfaces tab a column with how many devices are connected per cap.
 
Murmaider
Member Candidate
Posts: 126
Joined: Fri Oct 30, 2015 10:10 am

Re: Feature requests

Mon May 29, 2017 8:46 pm

I don't know if it was already suggested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
:D this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...
+1 for this, it makes the current traffic flow implementation 99% complete. It's that 1% we all need to make it useful to anyone using BGP.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests

Thu Jun 01, 2017 12:58 pm

Please add support for DHCPInform for PPP link. It is useful for Windows VPN clients (push additional info such as domain name, classless routes etc.). Now I must redirect DHCPInform request from PPP to external DHCP server.
 
Pilson
just joined
Posts: 1
Joined: Fri Jun 02, 2017 9:27 pm

Re: Feature requests

Fri Jun 02, 2017 9:40 pm

Please add support for l2tp client source port selection - set the port manually, or set a random port. Something like /interface l2tp-client set l2tp-out1 src-port=port_number, or src-port=random. It would be a very useful feature, especially if multiple l2tp clients + ipsec establish connections from a local network via one NAT address.
Thanks.
 
aacable
Member
Posts: 435
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN

Re: Feature requests

Sat Jun 10, 2017 8:35 am

'Unmetered Content' / to bypass local servers from radius accounting.
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Feature requests

Sun Jun 11, 2017 1:45 am

You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:
 
craterman
just joined
Posts: 22
Joined: Tue Oct 14, 2014 1:26 pm

Re: Feature requests

Sun Jun 11, 2017 11:07 am

Please add:
- Incremental SPF
- IP FRR (RFC5714) and microloops (RFC5715)
- LFA (RFC5286) & Remote LFA (RFC7490)

And it would be really great if you add:
- RSVP FRR (RFC4090)
- MRT (RFC7812)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sun Jun 11, 2017 7:13 pm

About the WireGuard idea, are you a time traveller writing to us from the future? :) I almost got excited, but at present time, things don't look so bright yet:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.
So I think I'll stick with wanting better OpenVPN for a while, at least until this happens:
After version 1 is finalized, an RFC will be written and standardized.
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Feature requests

Sun Jun 11, 2017 7:23 pm

About the WireGuard idea, are you a time traveller writing to us from future? :)
Spoiler alert: Trump gets impeached!

…but I'm not going to reveal which one is released first: WireGuard v1.0 and RouterOS v7.0 :)
 
drivebydex
just joined
Posts: 1
Joined: Wed Jun 14, 2017 11:50 pm

Re: Feature requests

Wed Jun 14, 2017 11:53 pm

Please add in capsman registration table "active host name" and "active address"! THX
 
ajack46
newbie
Posts: 37
Joined: Tue Mar 28, 2017 9:08 am

Re: Feature requests

Thu Jun 22, 2017 3:51 pm

Providing Compression for the OpenVPN client, would be something i would wish for.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sat Jul 01, 2017 10:45 am

1. add /ip route check-gateway-ping-interval
2. ability to customize fasttrack rules a little bit. more dual wan friendly. right now i cannot figure out a way to have fasttrack with both ipsec and multi wan, although it does appear possible if it's just one extra feature.
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature requests

Sat Jul 01, 2017 4:34 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sat Jul 01, 2017 9:59 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.
i made some workarounds to make fasttrack+ipsec+dualwan all work together..but i really wish they'd come up with something better
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sat Jul 01, 2017 10:01 pm

/tool fetch keep-result (yes | no; Default: yes) If yes, creates an input file.

rename this to save-tofile or something.... from what i am seeing, keep-result appears to save the output to disk. or is it input? i've no idea anymore.

MT could possibly hire an englishman to straighten the terms out.
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature requests

Mon Jul 03, 2017 1:22 am

Could you please describe how you worked out port forwarding in a dual wan environment with fasttrack?
 
platitude
just joined
Posts: 2
Joined: Sat Jun 03, 2017 10:15 am

Re: Feature requests

Tue Jul 04, 2017 11:59 pm

DNSCrypt feature request topic has been started in 2012! Your customers have been waiting for it for about 5 years and still no support from you. Looks like you are not interested in customer's data privacy at all. Now open your eyes, read the message and satisfy us.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sun Jul 09, 2017 2:42 am

add tool: tcp/udp open port tester.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun Jul 09, 2017 12:34 pm

Feature request: move all configuration related to one physical interface to another.
E.g. you have a router with two hardware switches or with ports inside/outside switch.
You have configured e.g. ether8 which is on switch2 with all kinds of options (address, dhcp server, firewall config, etc)
and you decide it would be better to move all this to ether4 which is on switch1, e.g. because you want to free up a port
that is on switch2, to do hardware switching to the other ports on that switch. It would be convenient when this could
be done with a single command, just like an interface can be renamed with a single command and it is reflected everywhere
in the config. After issuing that command and plugging the cable from port 8 to port 4, all functionality would remain the same.
For practical purposes (what would happen to the config that was on port 4), maybe the easiest implementation would
be in the form of "swap interface configurations" What was on ether4 will be on ether8 and vice-versa.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Sun Jul 09, 2017 2:21 pm

Adding an address to a large address-list is a PITA when the address already exists. Then the script is stopped and you can work with on-error to seek sequentially through the list and use set to update its timeout on the dynamic address. This takes ages when you have to seek each time.

At the moment you get a collision it would be a pleasure to be able to directly use set on that entry to set the expire time in the on-error.
 
cental63
just joined
Posts: 11
Joined: Wed Mar 15, 2017 11:12 pm
Location: Italy

Re: Feature requests

Sun Jul 09, 2017 6:22 pm

I find that Userman is a really good choice to build a hotspot service for a company, but I think, as an installer, that there is something missing: a few things like embedded SMS verification (and not the script), and the one that I find more interesting, making the userman database readable (just think about a company with a newsletter). All could be added to make userman like a serious radius server (chr would allow more performance for enough clients). more competitive !
That's all :o

Regards from an Italian user
 
schadom
Member Candidate
Posts: 156
Joined: Sun Jun 25, 2017 2:47 am

Re: Feature requests

Sun Jul 09, 2017 7:56 pm

Please add the 'Comments' column and the 'Add/Edit Comment Button' which is currently missing in WinBox 3.11 under

Routing =>BGP => Networks
Routing => BGP => Aggregates

Interestingly it is available in Routing => OSPF => Networks, but missing in all of the other tabs
While I personally prefer the CLI for configuration, WinBox is nice to get a quick overview.

Thanks
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Aug 10, 2017 1:39 pm

Please add SMB support to the fetch tool or the ability to limit FTP accounts to specific folders to the FTP server. The SMB server is considerably more advanced than the FTP server on Mikrotik and makes it easier to limit clients to a specific folder.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Aug 11, 2017 12:16 pm

/queue tree elements can now only match on "packet marks", when multiple packet marks are specified they are OR'ed.

Please add the capability to also match on the "packet priority" field, and make it an AND match with the packet marks.
(so if a queue tree element is specified with both packet marks and a priority, it will only be used when one of the specified packet
marks is present AND the priority field of the packet is as specified)

Alternatively, introduce the option of doing an AND match on packet marks. It is already possible (although cumbersome)
to add packet marks based on the packet priority field.
 
dgrenetz
just joined
Posts: 1
Joined: Wed Sep 13, 2017 1:45 am

Re: Feature requests

Wed Sep 13, 2017 2:31 am

We are deploying Mikrotik virtual appliances to centralize and replace several disparate VPN solutions. We need a way to hand out our domain suffix to VPN clients so they won't have to use Netbios broadcast to resolve names. Currently, without domain suffix setting, accessing hosts by hostname takes about 5 seconds longer than it does on our existing legacy VPN solutions. I Googled the issue and see people complaining about this all the way back to 2010. However I do not see it anywhere in this Feature Request thread. Longstanding issue - please help!!
David
 
diasem
just joined
Posts: 5
Joined: Tue Dec 08, 2015 4:15 am

Re: Feature requests

Tue Sep 19, 2017 1:22 am

Normis add /31 address for PTP links.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Sep 19, 2017 10:23 am

Normis add /31 address for PTP links.
/ip address add interface=ether1 address=192.0.2.2/32 network=192.0.2.3
 
vytuz
newbie
Posts: 30
Joined: Mon Jul 31, 2017 3:12 pm

Re: Feature requests

Tue Sep 19, 2017 3:09 pm

Do you maybe have plans to make a more detailed user group list? Different user access to e.g. wireless, firewall filter, nat rules, ip addresses, dhcp etc. I imagine it may be hard to add databases and additional configuration to every configuration field. Maybe there is a possibility to add at least an additional wireless user option. Clients sometimes want to change the wifi name or password, but we do not want to allow them to change other options with the given password.
 
nelfou
just joined
Posts: 17
Joined: Wed Mar 22, 2017 3:10 pm

Re: Feature requests

Fri Sep 22, 2017 1:07 pm

Being able to customize the hAP WPS button behavior, like having it trigger a script.
(our use case would be to easily turn the Wi-Fi on/off)
 
Vooray
Frequent Visitor
Posts: 73
Joined: Mon Feb 23, 2015 3:34 pm

Re: Feature requests

Sat Sep 23, 2017 8:42 pm

Hey, Mikrotik team!

Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Sep 25, 2017 11:01 am

It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
... and routing table/vrf :)
 
OnixJonix
Frequent Visitor
Posts: 68
Joined: Thu Jun 22, 2006 11:35 am
Location: Latvia

Re: Feature requests

Tue Sep 26, 2017 12:37 pm

Make Address List from DHCP lease table!!
For example - select multiple LEASE entries and put them in address list (then you can use for firewall)!! Something like in wireless - you can add entries from registration table to access list!!
Thanks!
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Feature requests

Tue Sep 26, 2017 1:53 pm

Lease script doesn't work for you in this case?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Sep 26, 2017 3:59 pm

Looks like he needs it in WinBox (one-time context menu like 'Make static' or something)

By the way, if your leases are static, you can just set 'Address List' for them
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Feature requests

Wed Sep 27, 2017 12:41 am

Hey, Mikrotik team!
Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
..and the possibility to set source address (e.g. remote ipsec hosts)
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Wed Sep 27, 2017 1:46 am

Hey, Mikrotik team!

Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
Netwatch can trigger a script.

Example - my netwatch:

/tool netwatch
add comment="Watch Dog" down-script="log info \"Netwatch missed a ping to 192.0.2.254 - starting 5 minute timeout script\" ; /system script run NetWatchBoot-192.0.2.254" host=192.0.2.254 timeout=1s500ms

Example - My script called by netwatch:
/system script
add name=NetWatchBoot-192.0.2.254 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local addresstoping 192.0.2.254;
:local addresstoping 192.0.2.254;
:local interface "wlan1";
#
:local continue true;
:local counter 0;
:local maxcounter 28;
:local sleepseconds 10;
:local goodpings 0;
:log error "-----> Tom's Netwatch-Script-Warning - Netwatch could not ping $addresstoping - Will begin further testing in $sleepseconds seconds - and will continue for $maxcounter times $sleepseconds seconds";
:while ($continue) do={
:set counter ($counter + 1);
:delay $sleepseconds;
:if ([/ping $addresstoping interval=1 count=1] =0) do={
:log info "----->ping to $addresstoping failed on attempt $counter of $maxcounter -- Will try again in $sleepseconds seconds";
} else={
:log warning "-----> ping success on to $addresstoping attempt $counter of $maxcounter <----- No Further testing needed --- Program will exit -----";
:set continue false;
:set goodpings ($goodpings +1);
/interface wireless monitor $interface once without-paging do={
:local status $"status";
:local band $"band";
:local freq $"frequency";
:local wprotocol $"wireless-protocol";
:local noise $"noise-floor";
:local signal $"signal-strength";
:local snr $"signal-to-noise";
:local thruput $"p-throughput";
:log info "-----> Status: $status --- Band: $band --- Frequency: $freq --- WProtocol: $wprotocol --- NoiseFloor: $noise";
:log info "-----> Optional Info if Available ---> SignalStrength: $signal --- SNR: $snr --- PThroughput: $thruput";
/interface wireless monitor $interface once
:local txr $"tx-rate";
:local rxr $"rx-rate";
:local sstr $"signal-strength";
:local signoise $"signal-to-noise";
:local curdistance $"current-distance";
:local txccq $"tx-ccq";
:local rxccq $"rx-ccq";
:log info "-----> TxRate: $txr --- RxRate: $rxr --- SignalStreng: $sstr --- SignalToNoise: $signoise --- CurrentDistance: $curdistance --- TxCcq: $txccq --- RxCcq: $rxccq";
};
}
:if ($counter=$maxcounter) do={:set continue false;}
}
:if ($"goodpings" = 0 ) do={
:log info "-----> Rebooting in 15 seconds";
:delay 5;
/file print file=ScriptRebootReason
/file set ScriptRebootReason.txt contents="Rebooted by Toms script on $[/system clock get date] at $[/system clock get time]"
:log error "-----> Rebooting in 10 seconds";
:delay 5;
:log error "-----> Rebooting in 5 seconds";
:delay 5;
:log error "-----> Rebooting now";
:delay 1;
/system reboot
/system reboot
/system reboot
/system reboot
}

With the above - a netwatch ping failure will trigger my script "NetWatchBoot-192.0.2.254"
The script will retry the ping for (:local maxcounter 28) 28 times
While pausing (:local sleepseconds 10;) 10 seconds between pings

If the script gets a ping response, the script aborts - and makes a log.
If the script loops through the count-down and does not get a ping, the script will reboot the Mikrotik - and make a file named ScriptRebootReason just prior to the reboot.

I am sure this netwatch & script procedure could be modified to do many things you may want when netwatch triggers.

In my case, I have this netwatch & script on all of my Mikrotik client devices and all of my internal core network Mikrotik devices. The IP address 192.0.2.254 is an RFC IP address and is OK to use for in-house (non-external-Internet-Routed). If I want to reboot every Mikrotik everywhere on my network, all I need to do is disable the 192.0.2.254 device a few minutes. Presto - everything everywhere will auto-reboot. This is good for keeping Mikrotiks on-line when the network might have a problem.

North Idaho Tom Jones
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Feature requests

Wed Sep 27, 2017 1:57 am

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
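Why CHAP ties the authentication server to a recoverable password, as raised in this post, shown as an added example (not RouterOS, Winbox or RADIUS server code). It uses the CHAP response calculation from RFC 1994 (MD5 over identifier, secret and challenge); the store classes, the user name and the password are hypothetical.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def kdf(password: bytes, salt: bytes) -> bytes:
    """One-way password hash of the kind a server would prefer to store."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


class HashedStore:
    """Hypothetical user database that keeps only salt + PBKDF2 digest."""

    def __init__(self):
        self._db = {}

    def add(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, kdf(password, salt))

    def verify_pap(self, user: str, submitted: bytes) -> bool:
        # PAP hands the server the submitted password, so it can be
        # re-hashed and compared with the stored digest.
        salt, digest = self._db[user]
        return hmac.compare_digest(kdf(submitted, salt), digest)

    def verify_chap(self, user: str, ident: int, challenge: bytes,
                    response: bytes) -> bool:
        # CHAP never sends the password. The server has to recompute the
        # MD5 with the same secret the peer used, and the digest is the
        # only material this store has, so the values cannot match.
        _, digest = self._db[user]
        expected = chap_response(ident, digest, challenge)
        return hmac.compare_digest(expected, response)


class CleartextStore:
    """Hypothetical user database that keeps the password recoverable,
    which is what CHAP verification needs."""

    def __init__(self):
        self._db = {}

    def add(self, user: str, password: bytes) -> None:
        self._db[user] = password

    def verify_chap(self, user: str, ident: int, challenge: bytes,
                    response: bytes) -> bool:
        expected = chap_response(ident, self._db[user], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct horse battery staple"  # constructed sample value
    hashed, clear = HashedStore(), CleartextStore()
    hashed.add("alice", password)
    clear.add("alice", password)

    ident, challenge = 7, os.urandom(16)
    response = chap_response(ident, password, challenge)  # computed by the peer

    return {
        "pap_against_hashed_store": hashed.verify_pap("alice", password),
        "chap_against_hashed_store": hashed.verify_chap("alice", ident, challenge, response),
        "chap_against_cleartext_store": clear.verify_chap("alice", ident, challenge, response),
        # A captured response is useless against a fresh challenge.
        "old_response_new_challenge": clear.verify_chap("alice", ident, os.urandom(16), response),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```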
 
nz_monkey
Forum Guru
Posts: 2103
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature requests

Wed Sep 27, 2017 10:31 am

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
+1
 
anv
newbie
Posts: 31
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

Openvpn server route push

Mon Oct 16, 2017 3:23 pm

Routeros openvpn server needs a way to push routes to the clients.
 
CsXen
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Feature requests

Sat Oct 21, 2017 6:51 pm

Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find them faster in an eyeblink. :)
(I think, ANSI colors would be enough, but more color, more fun.)

And please, put a "find" option to log.

Best regards: Xen
 
WreckLoose
just joined
Posts: 2
Joined: Tue Oct 24, 2017 10:48 pm

Re: Feature requests

Tue Oct 24, 2017 11:25 pm

Yes, I think that a great feature would be greater support for Intel network interfaces. Most notably the I218 stuff. I would love to be able to run RouterOS in the Intel NUC.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Wed Oct 25, 2017 6:48 pm

Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find them faster in an eyeblink. :)
(I think, ANSI colors would be enough, but more color, more fun.)

And please, put a "find" option to log.

Best regards: Xen
It might be nice to have an option for color in the logs.
There is a work-around that I use which gives me three colors in my logs.

In your script that writes to the logs (or at the CLI prompt) you can use this:

log error "This is a log error --- RED"
log info "This is a log info --- BLACK"
log warning "This is a log warning --- Blue"

With the above 3 lines, you will see this in your logs:

This is a log error --- RED
This is a log info --- BLACK
This is a log warning --- Blue

North Idaho Tom Jones
 
gorec2005
just joined
Posts: 17
Joined: Mon Nov 25, 2013 2:08 pm

Re: Feature requests

Fri Nov 03, 2017 6:43 am

Add please shadowsocks server & client ?
 
safiullahtariq
Frequent Visitor
Posts: 87
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Feature requests

Sun Nov 26, 2017 2:30 pm

Can you please add a feature in which Hotspot doesn't account the local traffic, or to a specific subnet?
 
kometchtech
Member Candidate
Posts: 194
Joined: Sat Jun 15, 2013 4:25 am
Location: Japan

Re: Feature requests

Fri Dec 01, 2017 4:15 pm

Despite being asked before in the past.
It seems that implementation of Wireguard is planned for the future Kernel.

https://www.phoronix.com/scan.php?page= ... d-Features

I would like you to consider implementing this function which has high encryption strength and excellent performance.
It seems that correspondence to several distributions is progressing as well.
 
Florian
Member Candidate
Posts: 117
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: Feature requests

Tue Dec 19, 2017 2:23 pm

I know it's not ready yet, but +1 on Wireguard.
You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:

 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Dec 19, 2017 2:36 pm

When you read "it is planned in a future Linux kernel" you know it is not going to happen in RouterOS 6.x and probably not in 7.x either (because a kernel version probably has been decided on).
So, you can put it on the wishlist for RouterOS 8.x
 
Florian
Member Candidate
Posts: 117
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: Feature requests

Tue Dec 19, 2017 2:39 pm

I guess so, but, It's to show the devs my (or "ours") interest in this, if they can find a way to implement it, some people would be very happy.
 
lavv17
Member Candidate
Posts: 120
Joined: Sat Sep 01, 2007 9:01 am

Re: Feature requests

Mon Dec 25, 2017 2:59 pm

I'd like to have a setting to change ppp aaa order: radius first, then local. The default is now local first.
 
ege
just joined
Posts: 17
Joined: Thu May 28, 2009 4:58 am

Re: Feature requests

Tue Dec 26, 2017 6:52 pm

SSL Bump feature for webproxy like Squid-in-the-middle.
Thanks
 
eccles
just joined
Posts: 3
Joined: Thu Dec 28, 2017 1:42 am

Re: Feature requests - OpenVPN Options

Thu Dec 28, 2017 2:10 am

We really need two options which are normally provided with OpenVPN on most Routers:

a) LZO Compression - I suspect that this might be an issue if the CPU doesn't natively support it

b) UDP - We can achieve faster transmission (with less bandwidth) by using UDP instead of TCP. UDP is an OpenVPN option provided on all other routers that I have worked with. Our protocol incorporates all of the required checking to ensure reliable delivery so the additional overhead of TCP isn't required or justified.

The reason is that we are using the wapLTE device at remote sites with 4-G transmission of datalogging records to a central site. Bandwidth is expensive (we pay by the MB/GB). We have done what we can by reducing transmissions to one per day, etc. but with the increasing number of remote sites the cost of traffic is becoming a real issue. It seems that the local ISPs are wanting to capitalise on IoT device traffic, but in any case cellular data transfer is very expensive here.

Eric
 
pamribeirox
just joined
Posts: 18
Joined: Fri Dec 22, 2017 6:20 pm

IPv6 Default Router Preferences (RFC4191)

Thu Dec 28, 2017 1:37 pm

It should be very simple to add support for selecting the bits of the IPv6 RA that announce if the router has "High", "Medium" or "Low" preference for being selected as a default router for the terminals in the segment. (RFC4191 2.1 Preference values)
I know VRRP could be used for that, but I think this clean and native solution is better for IPv6 first hop redundancy.
As an example, Cisco does it with the command "ipv6 nd router-preference [High|Low|Medium]" at interface level.
regards.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Default Router Preferences (RFC4191)

Thu Dec 28, 2017 1:50 pm

It should be very simple to add support for selecting the bits of the IPv6 RA
I hope 2018 will be the year that MikroTik finally continue working on IPv6 support.
 
pamribeirox
just joined
Posts: 18
Joined: Fri Dec 22, 2017 6:20 pm

IPv6 replacing the link-local address

Thu Dec 28, 2017 2:06 pm

To ease the management of IPv6 networks it is useful as a first step to base them on the existing IPv4 network structure.
One of the things that could be done is using some elements embedded in the IPv6 link-local address so that the Windows "ipconfig /all" (and the like from other OSs) provides a simple way to verify the terminals are correctly connected/configured.

RouterOS should allow us to change the IPv6 link-local address from the default one (based on EUI-64 logic) to a manually defined address in the block reserved for link-locals in the RFC4291 (fe80::/10)

Then, as an example, the interface with IPv4 address 192.0.2.1 could also have an IPv6 LL fe90::192:0:2:1

regards.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Jan 01, 2018 1:23 pm

Feature request: enable WMM (QoS based on DSCP) for WiFi interfaces (preferably by default) without having to use mangle rules to set priority based on DSCP.
The disadvantage of mangle rules is that they only work when all "fast" options are disabled and when the "use IP firewall" is enabled on the bridge.
Competing products have WMM enabled by default without having to configure anything. In MikroTik it requires settings like:
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip settings
set allow-fast-path=no
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes
and deleting the "fast track" rules.
As some of these have quite global effect on performance, it would be preferable to have some way of just doing WMM with a simple checkmark in the Wireless settings.
(there is one, but it does not do the prioritization)
 
moose999
just joined
Posts: 5
Joined: Fri Sep 11, 2015 8:46 pm

Feature request - Granular User Levels

Tue Jan 16, 2018 12:49 pm

I am aware I can control access to services (web, winbox, api, etc.) and rights (read, write, sensitive, etc.) but it would be very useful to be able to control access to features (/ip firewall nat for example) as well.

Does anyone know if this is possible?

Thanks,
Justin.
 
upower3
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: Feature requests

Thu Jan 18, 2018 8:59 am

Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.
 
ViennaAustria
just joined
Posts: 4
Joined: Fri Jan 18, 2013 12:58 pm

rinetd

Thu Mar 01, 2018 9:23 am

I'd like to re-request the function of rinetd.

https://boutell.com/rinetd/
http://brewformulas.org/Rinetd

We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow us to access these devices from remote (telnet, SSH, webinterface, SNMP, ...). A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.

If a rinetd-like function would be added to RouterOS it would be GREAT!

Thanks!
Thomas
 
upower3
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: rinetd

Thu Mar 01, 2018 9:28 am

I might be a bit wrong but why don't you just use NAT?
I'd like to re-request the function of rinetd.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: rinetd

Thu Mar 01, 2018 12:16 pm

I'd like to re-request the function of rinetd.

https://boutell.com/rinetd/
http://brewformulas.org/Rinetd
Never heard of that before, but I did similar things in the past using "netcat" ("nc")
We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow us to access these devices from remote (telnet, SSH, webinterface, SNMP, ...).
You can do the same thing on a MikroTik using a src-nat and a dst-nat rule!
A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.
HOW???
A local linux box can be a Raspberry Pi which would be more like $50.
 
wtm
Frequent Visitor
Posts: 53
Joined: Tue May 24, 2011 5:27 am

Re: Feature requests

Sun Mar 04, 2018 2:06 am

Would like to see a Radius tester available for the "Tools section". Something along the lines of Radtest, so you can see that the external radius server is actually getting something from the Mikrotik router, and if not what the problem may be to fix it. Currently there is not enough information available in the Logging to help you on that.
 
Quasar
newbie
Posts: 33
Joined: Sun Oct 05, 2014 1:11 pm

Re: Feature requests

Fri Mar 09, 2018 2:45 pm

Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.
Another +1 for me. Please implement this, as WireGuard is steadily moving towards mainline kernel inclusion.

Virtual private networks with WireGuard
 
gerakon
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: Feature requests

Wed Mar 21, 2018 3:46 pm

In Winbox I think the Dashboard menu could go away and just have all of its items enabled by default. Unless there's some reason people don't want to see this information or there is some amount of overhead on the router.

If it can't go away, it would be great if it would at least remember my settings between routers so that I don't have to re-enable them to compare times more easily between routers that are having IPSEC negotiation problems or when the CPU is maxed.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Mar 21, 2018 5:01 pm

it would be great if it would at least remember my settings between routers
This is just a special case of the generic feature request to have some way of sharing settings in winbox between a large number of routers.
Some other requests have been seen to e.g. allow "set current winbox settings as default for new connections" and/or to simply allow
the sharing of the same settings between all routers in a Group.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature requests

Wed Mar 21, 2018 5:07 pm

This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as

Next time before connecting to new router pick saved session.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Mar 21, 2018 5:35 pm

- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select columns should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menus and often does not fit on the screen so has to be scrolled as well.
 
hackclub
newbie
Posts: 26
Joined: Thu Dec 12, 2013 7:28 am

Re: Feature requests

Wed Mar 21, 2018 8:51 pm

urgent request to (for) mikrotik
viewtopic.php?f=1&t=132062
 
gerakon
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: Feature requests

Thu Mar 22, 2018 12:26 am

This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as

Next time before connecting to new router pick saved session.
But then I have to do that on each of the hundreds of routers in my Winbox managed sessions list.... Right? I guess my point is that I see no reason at all why someone would not want to see the dashboard information in the upper right. Is there a reason? It's just extra stuff (menu options) that doesn't need to be there. Turn them on all the time for every session and just get rid of the Dashboard menu.

Unless there's some reason that I'm not seeing?
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Please increase Simple-Queue limits - they max at 4,294 Meg

Thu Mar 22, 2018 12:28 am

Please increase Simple-Queue limits - they max at 4,294 Meg (aka 4.294 Gig)


ROS Simple-Queue - please increase the possible maximum limits and thresholds.
Currently on v6.41.3 and v6.41.2 (don't know about older versions) ,
The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
This presents a problem. I have multiple 10-Gig networks and on some networks I must use bandwidth limiters which are much faster than the built-in restricted values.

An example of need: 10-Gig physical Internet connection - Purchased Internet speed need to be maintained by my network equipment. Problem - the Mikrotik ROS will not accept any values greater than 4294M in any of the Winbox Simple-Queue fields

North Idaho Tom Jones
 
mkx
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: Please increase Simple-Queue limits - they max at 4,294 Meg

Thu Mar 22, 2018 11:25 am

The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
.
Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.

Perhaps by giving us possibility to set unit ... e.g. bits/second (default, current setting) or kbps (gives 1000-times higher limits) or Mbps. After all, with Gbps speeds it is not really sensible to set limits with bps resolution. Or is it?
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Please increase Simple-Queue limits - they max at 4,294 Meg

Thu Mar 22, 2018 11:43 am

Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Feature requests

Thu Mar 22, 2018 12:02 pm

- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select columns should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menus and often does not fit on the screen so has to be scrolled as well.
This is what I have been asking for several times over the years. It's good someone else now asks again.
Somewhere some Mikrotik guy decided what the default settings are when on a virgin router a virgin winbox is opened. I would like to be able to just change that 'virgin' setting myself.
By default winbox shows a lot of info I never have interest in. But many other fields I need every time again are not there by default.... Especially when you work with many PC's it would be easy to have one winbox.exe that is everywhere the same to MY like.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Please increase Simple-Queue limits - they max at 4,294 Meg

Thu Mar 22, 2018 5:09 pm

Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.
Well, I would suppose that if somebody (like me) needs a simple-queue setting in any of the fields greater than 4294-Meg, then they are likely running something with a big-beefy-CPU , such as a CHR on a fast Xeon processor or possibly a high-end or current or future Mikrotik hardware product.

I am pretty sure my CHR-x86-64Bit and my ROS-x86-32-Bit systems have plenty of CPU horse-power. All of my virtual ROS systems can btest to 127.0.0.1 in the 19+Gig ranges. (btest uses only 1-core. Now if you use 8+ cores (hyper-threading disabled for maximum CPU throughput) then I would assume possible system-wide-throughput might be 8x greater.

(My next hyper-visor system I am planning to build soon will allow me to configure 44 Xeon CPU cores to a hosted system - such as a CHR.)

Also , just about all new carrier-grade network equipment has one or more 10-Gig interfaces. Thus another reason for a simple-queue fix/update is needed.

Also - remember the Mikrotik post about "What would you like to see in a future Mikrotik ...something... with a 40-Gig throughput..." Thus another reason for a simple-queue fix/update.

Everything in my server room and my Internet feed uses 10-Gig interfaces. And I need an ability to use simple-queues up to 10-Gig.
 
artemk
newbie
Posts: 26
Joined: Wed Jun 20, 2012 8:06 pm
Location: Kyiv, Ukraine

Re: Feature requests

Sat Mar 24, 2018 8:07 pm

Selectable auth mechanisms for RADIUS-based AAA on system login.
Currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
+1
It works for SSH but it would be really good to make Winbox to be able to authenticate via radius.
 
ahmedramze
Member Candidate
Posts: 111
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Re: Feature requests

Sun Mar 25, 2018 4:34 pm

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requests=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y


Regards
 
ivicask
Member
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Feature requests

Sun Mar 25, 2018 4:39 pm

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requests=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y


Regards
Can't you already do that via firewall? I don't understand what more you need; if you want to block DNS requests from outside net, or allow only DNS requests from that ip range, simply make a firewall rule with tcp/udp 53 ports..
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sun Mar 25, 2018 8:52 pm

... if you want to block DNS requests from outside net, or allow only DNS requests from that ip range, simply make a firewall rule with tcp/udp 53 ports..
All other services have something like that. Api, ftp, ssh, telnet, winbox and www have "available from" option in IP->Services, smb allows to choose interface. If it makes sense for them, surely it would make sense for dns too.
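
The firewall approach suggested in the replies above, written out as an added example that is not part of any post in this thread. The address-list name dns-clients and the second subnet are constructed placeholders; 192.168.88.0/24 is the range from the request.

```routeros
# Added example, not from the thread. Assumptions: the address-list name
# "dns-clients" and the 10.10.0.0/24 subnet are constructed placeholders.

# The router answers DNS queries from other hosts only when this is enabled.
/ip dns set allow-remote-requests=yes

# Sources that are allowed to query the router's resolver.
/ip firewall address-list
add list=dns-clients address=192.168.88.0/24
add list=dns-clients address=10.10.0.0/24

# Drop DNS queries addressed to the router itself (input chain) from every
# other source. DNS uses both UDP and TCP port 53, so both need a rule.
# Rules are evaluated top to bottom: these two must sit above any broader
# accept rule in the input chain, otherwise they never match.
/ip firewall filter
add chain=input protocol=udp dst-port=53 src-address-list=!dns-clients action=drop comment="DNS: only dns-clients may query (UDP)"
add chain=input protocol=tcp dst-port=53 src-address-list=!dns-clients action=drop comment="DNS: only dns-clients may query (TCP)"
```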
 
sarada
just joined
Posts: 9
Joined: Mon Mar 12, 2018 2:26 pm
Location: Hungary

Re: Feature requests

Sun Apr 01, 2018 11:03 pm

Hi,

Can you add a feature in User manager which support WPA EAP and add 6to4 tunnel to vlan or bridge, please?
 
Railander
Frequent Visitor
Posts: 85
Joined: Thu Jun 16, 2016 11:30 pm

Re: Feature requests

Thu Apr 05, 2018 7:50 pm

Feature Request:

With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.

Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Sat Apr 07, 2018 9:32 pm

With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.

Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.
this might be two things however. while the interface statistics could be worked out with "/tool graphing" even with resource visibility separation - currently using src ip address as differentiator - the "editing" part is tough. so if you can separate your customers based on ip address, you can define which interface/queue/resource the user may be viewing on the router's web gui.

but i don't really think this is a good idea, as routers are to forward packets and to run web servers. if you want real granular read/write control for defined routeros resources (interface, addresses, queues) you will be better off with an external web server using API integration.
 
pepek
just joined
Posts: 23
Joined: Tue Apr 10, 2018 12:14 am
Location: CZ

Re: Feature requests

Tue Apr 10, 2018 1:14 am

I've tried to search this topic, but I haven't found it (hope there are not any duplicates):

NTP Client - Possibility to use server name, not just IP address
exFAT (FAT64) or NTFS support - yes, MT is not NAS (it's slow), but it would be great to use file system capable of handling >4GB file compatible with Windows (you have HDD with big files and you want to share some files - you cannot connect it to MT, you have to reformat it to FAT32, copy everything except for big files back...)
Wireless - move Country and Distance setting to Simple Mode - you can set every other important "basic" setting in simple mode, but you have to switch to Advanced Mode for these two settings.
Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)
 
zappulec
just joined
Posts: 1
Joined: Tue Apr 10, 2018 6:08 pm

Re: Feature requests

Tue Apr 10, 2018 6:15 pm

Secured DNS
- DNS over HTTPS
- DNS over TLS
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 11, 2018 10:34 am

Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)
You will have to learn and understand that you should use QuickSet only ONCE and not look at it later!
It provides an overview of some basic config but it is not showing correct values after you made manual changes (not only this!) and should you later change some
things via QuickSet you will seriously mess up the configuration!
So please don't worry about things like this and don't use QuickSet.

In fact a more appropriate feature request would be: make QuickSet disappear once it has been used and manual changes have been made afterwards.
That would protect a lot of beginners from serious trouble.
 
miencek
just joined
Posts: 8
Joined: Tue Apr 10, 2018 8:51 am

Re: Feature requests

Wed Apr 11, 2018 11:55 am

RAM Disk for temporary files ex. configuration to/from other devices, scripts
 
pudjo
just joined
Posts: 8
Joined: Tue May 06, 2008 8:01 pm
Location: Indonesia

Request : alternative DNS Port for IP DNS Setting

Tue Apr 17, 2018 1:04 am

I've been waiting a long time for MikroTik to provide an alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greatly appreciated,
Thank You
 
Miracle
Member Candidate
Posts: 106
Joined: Fri Sep 11, 2015 9:04 am

Re: Request : alternative DNS Port for IP DNS Setting

Tue Apr 17, 2018 5:48 am

I've been waiting a long time for MikroTik to provide an alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greatly appreciated,
Thank You
Do you know dst-nat ?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Apr 17, 2018 5:53 pm

Is there any DNS server on port other than 53?..
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Tue Apr 17, 2018 7:52 pm

Is there any DNS server on port other than 53?..
There are some non port 53 DNS configurations/uses.
Example: DNS over TLS is often port 853 -and- I kinda remember something about 135 End-Point-Mapper being used also for DNS

Also - security through obscurity can help prevent some attacks - such as running ssh on non-standard ports , DNS could possibly be remapped to use a non-standard port other than 53 to achieve a security through obscurity.

However , the standard well-known DNS port is 53. I would think if there is a security concern , that a FW configuration would be easier and more compatible method to control DNS access and better prevent attacks against DNS servers.

North Idaho Tom Jones
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Apr 17, 2018 8:06 pm

There are some non port 53 DNS configurations/uses.
The intended use case is probably where the ISP blocks or redirects access to port 53 outside (only allowing access to their own resolvers)
but does not have advanced DPI in place. Then just using a different port may circumvent their efforts. E.g. OpenDNS listens on port 5353,
and one could send the requests there. I don't know if Google DNS and CloudFlare DNS have similar alternate ports.

Of course this works only until the ISP admins know it and block or redirect that port as well. Not worth it to make a change in the router
for that, just use dst-nat.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Tue Apr 17, 2018 9:48 pm

Not worth it to make a change in the router for that, just use dst-nat.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Apr 17, 2018 11:10 pm

It may be possible to use a loopback interface and set the DNS server address to the address of this interface, then dstnat that traffic.
(I did not try, but I *do* use dstnat for traffic incoming to a router and that works)
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Tue Apr 17, 2018 11:42 pm

Or you use a local DNS server on a RaspberryPI like DNSmasq, PiHole, etc. and you are able to control it all yourself.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Wed Apr 18, 2018 1:17 am

As stupid as it might sound -almost a lol-
What happens if you add ":XY" to the IP address of the DNS server , where XY is the port #

Say you wanted your mikrotik to use port 5320
then use IP address format of the DNS server of:
a.b.c.d:5320

I remember this working on an old DSL router 15 years ago.

North Idaho Tom Jones
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed Apr 18, 2018 2:03 am

@pe1chl: No, dstnat happens in prerouting, so traffic coming to router (no matter if it will end up in forward or input) can be matched by dstnat rule. Traffic from router doesn't come through prerouting in RouterOS.

@msatter: External device would work fine, but sometimes it may not be desired or even possible to add it.

@TomjNorthIdaho: Nope, to quote WinBox: "Error in - non zero ip address or non zero ipv6 address expected!"

But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 18, 2018 10:38 am

But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.
Ok apparently it needs a real loop, I was thinking about adding a loopback interface (an empty bridge with an IP address) and sending the DNS queries there.
But maybe the address is considered local and it does not work then.
 
Chupakabra303
just joined
Posts: 14
Joined: Tue Jun 20, 2017 3:07 pm

Re: Feature requests

Wed Apr 18, 2018 1:39 pm

file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 18, 2018 2:34 pm

file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!
It is not a limitation of those routines, but of the maximal length of a variable content.
What is needed is an open/readline/close feature so files can be read line-by-line into a variable.
(for completeness also a read(n) to read a fixed number of bytes instead of a single line)
Last edited by pe1chl on Wed Apr 18, 2018 2:35 pm, edited 1 time in total.
 
juliokato
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Feature requests

Wed Apr 18, 2018 3:44 pm

Is there any DNS server on port other than 53?..
I have a solution to decrease costs with DNS filters like OpenDNS or SafeDNS, using a DNS resolver intermediate on UDP port 5353. All my 100 MK with different valid IPs points to this resolver.
This also helps in the security of this resolver.
I can give you more details if anyone has an interest.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Wed Apr 18, 2018 4:25 pm

So how do you point your Windows/Linux/MacOS machine to some non-53 DNS port?..
 
juliokato
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Feature requests

Wed Apr 18, 2018 8:32 pm

I was using firewall nat:

add action=dst-nat chain=dstnat disabled=no dst-port=53 log=yes protocol=udp to-addresses=aa.bb.cc.dd to-ports=5353

this forces anyone to use my resolver, even if some user tries to use another different dns server.

This has other implications of redundancy and security that are not part of this topic.
 
fernandolcx
newbie
Posts: 47
Joined: Fri Sep 06, 2013 6:51 pm

Re: Feature requests

Thu Apr 19, 2018 6:06 pm

Feature Request:

Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:
1.3.6.1.4.1.9.9.150.1.1.1.0
But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using
Mikrotik routers as BRAS/BNG/PPPoE Server.

If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.

To workaround we can use this:
/interface pppoe-server print count-only where service=service5
BUT it should be a nice feature to add to SNMP
 
samsung172
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: Feature requests

Fri Apr 20, 2018 12:20 am

Feature Request:

Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:
1.3.6.1.4.1.9.9.150.1.1.1.0
But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using
Mikrotik routers as BRAS/BNG/PPPoE Server.

If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.

To workaround we can use this:
/interface pppoe-server print count-only where service=service5
BUT it should be a nice feature to add to SNMP
You can have this info from the radius server. (if used)
 
raymondr15
Member Candidate
Posts: 118
Joined: Fri Sep 05, 2014 1:11 am
Location: East London, South Africa

Re: Feature requests

Fri Apr 20, 2018 1:34 am

Please add the ability to enable or disable successful login attempts for specific users, for example an API user, accounting software logging in and out updating information on the router.
 
lordcoke
newbie
Posts: 29
Joined: Thu Jun 10, 2010 10:11 am
Location: Germany

Re: Feature requests

Fri Apr 20, 2018 4:03 pm

Feature request for /tool sniffer. Please make it possible to submit a filter-port range to the sniffer to allow sniffing like this:
/tool sniffer set filter-ip-protocol=udp filter-port=32000-32255
 
pudjo
just joined
Posts: 8
Joined: Tue May 06, 2008 8:01 pm
Location: Indonesia

Re: Feature requests

Mon Apr 23, 2018 3:16 pm

Is there any DNS server on port other than 53?..
I have run several DNS servers using many ports other than 53. The purpose is internet filtering: users can select the filtering level by choosing the DNS port, check out https://www.thenetpurifier.com/filtering.php
 
pudjo
just joined
Posts: 8
Joined: Tue May 06, 2008 8:01 pm
Location: Indonesia

Re: Feature requests

Mon Apr 23, 2018 6:43 pm

Not worth it to make a change in the router for that, just use dst-nat.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.
vote +1 for dstnat in output chain
 
pudjo
just joined
Posts: 8
Joined: Tue May 06, 2008 8:01 pm
Location: Indonesia

Re: Request : alternative DNS Port for IP DNS Setting

Mon Apr 23, 2018 6:45 pm

I've been waiting a long time for MikroTik to provide an alternative port for IP DNS Setting, other than 53 (default).
Normally the user inputs an IP address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting.
An alternative port, for example, could be set as easily as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greatly appreciated,
Thank You
Do you know dst-nat ?
dst-nat not working in output chain, AFAIK
 
lugovoyma
just joined
Posts: 2
Joined: Mon Apr 23, 2018 8:10 pm

Re: Feature requests

Mon Apr 23, 2018 8:20 pm

openvpn UDP
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 25, 2018 5:07 pm

Now that ip firewall address-list (and ipv6 firewall address-list) support DNS lookups, add a way to get subnet entries from DNS.
Unfortunately there is no standard DNS record type for subnets. There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
Therefore, I suggest to use TXT records.
Do a query for TXT records for the specified name (after or in parallel to the A and AAAA records already queried) and for each TXT record coming back, check if it conforms to valid subnet notation like 11.22.33.0/24 or 11:22:33:44::/64 and if valid, add it as an address list item.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed Apr 25, 2018 8:12 pm

There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS). And any sensible server allows to add unknown record types using generic syntax. If you have hosted DNS and you depend on some admin interface, it's another story and I guess support there will be very bad. That was the authoritative part. Resolvers should be transparent for unknown types since forever.

So it may sound perhaps a little too optimistic, but I'd say it's almost there. And a gentle push (like MikroTik adding support in RouterOS) might help to move things forward. Some people could start using it right away and others would have motivation to nag their DNS providers to add support.
 
erebusodora
Frequent Visitor
Posts: 84
Joined: Mon Jan 23, 2012 3:46 pm
Location: Bulgaria

Re: Feature requests

Wed Apr 25, 2018 8:20 pm

It would be very nice to have a feature to hide rows. Column Hide and Show Footer Works is a great job on the look. Screenshot feature must be implemented too.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 25, 2018 8:28 pm

There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS).
I googled for it and I cannot find any DNS server that has documented APL support, including Bind. We use bind 9.
However, if it is supported it would be fine to use APL. Probably with TXT there are less obstacles.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed Apr 25, 2018 10:31 pm

It doesn't seem to be advertised much, but it looks like BIND has it since 2002.

Advantage of using TXT would be instant availability everywhere. Probably even better reliability, at least in short term, because some broken resolvers will surely show up somewhere. But it's reinventing the wheel. Purists might also argue that we don't need yet another thing in TXT, there's enough of them already.
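
Both approaches discussed in the posts above, TXT records holding subnets and APL records (RFC 3123), come down to validating DNS answers before they become firewall address-list entries. The following Python sketch is an added example, not RouterOS code and not from any poster; the minimum prefix lengths, the subtraction of negated APL items, the list name `dns-subnets` and the sample records are assumptions made for illustration.

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple

# Assumption (not from the thread): refuse very short prefixes so that one bad or
# hostile record cannot put 0.0.0.0/0 or ::/0 into a firewall address list.
MIN_PREFIX = {4: 8, 6: 16}
APL_FAMILY = {"1": 4, "2": 6}      # RFC 3123 address families: 1 = IPv4, 2 = IPv6
CIDR_SHAPE = re.compile(r"[0-9A-Fa-f:.]+/[0-9]{1,3}")

# Constructed sample data, not taken from a real zone.
SAMPLE_TXT = ['"11.22.33.0/24"', '"11:22:33:44::/64"', '"v=spf1 -all"',
              '"11.22.33.7/24"', '"0.0.0.0/0"', '"11.22.33.0/255.255.255.0"']
SAMPLE_APL = "1:192.168.32.0/21 !1:192.168.38.0/28 2:2001:db8::/32 1:2001:db8::/32"


class Entry(NamedTuple):
    network: str     # canonical CIDR text
    negated: bool    # True only for an APL item written with a leading "!"


def parse_subnet(text: str):
    """Return an ip_network for strict 'address/prefixlen' text, else None."""
    if not CIDR_SHAPE.fullmatch(text):
        return None              # bare hosts, dotted netmasks, SPF strings, ...
    try:
        net = ipaddress.ip_network(text, strict=True)   # host bits must be zero
    except ValueError:
        return None
    return net if net.prefixlen >= MIN_PREFIX[net.version] else None


def txt_to_entries(records: List[str]) -> Tuple[List[Entry], List[str]]:
    """One subnet per TXT record, as proposed in the thread; the rest is ignored."""
    accepted, ignored = [], []
    for record in records:
        net = parse_subnet(record.strip().strip('"'))
        if net is None:
            ignored.append(record)
        else:
            accepted.append(Entry(str(net), False))
    return accepted, ignored


def apl_to_entries(rdata: str) -> Tuple[List[Entry], List[str]]:
    """Parse APL presentation format: whitespace-separated [!]afi:address/prefix."""
    accepted, rejected = [], []
    for item in rdata.split():
        negated = item.startswith("!")
        afi, _, cidr = (item[1:] if negated else item).partition(":")
        net = parse_subnet(cidr)
        if net is None or APL_FAMILY.get(afi) != net.version:
            rejected.append(item)        # unknown family or family/address mismatch
        else:
            accepted.append(Entry(str(net), negated))
    return accepted, rejected


def effective_networks(entries: List[Entry]) -> List[str]:
    """Subtract negated prefixes, because an address list holds only positives."""
    nets = [ipaddress.ip_network(e.network) for e in entries if not e.negated]
    for hole in (ipaddress.ip_network(e.network) for e in entries if e.negated):
        kept = []
        for net in nets:
            if net.version != hole.version or not net.overlaps(hole):
                kept.append(net)
            elif hole.subnet_of(net) and hole != net:
                kept.extend(net.address_exclude(hole))
            # otherwise the hole covers the whole network and nothing remains
        nets = kept
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def routeros_commands(list_name: str, networks: List[str]) -> List[str]:
    """Render address-list add commands; list_name is chosen by the caller."""
    out = []
    for cidr in networks:
        menu = "/ipv6" if ":" in cidr else "/ip"
        out.append(f"{menu} firewall address-list add list={list_name} address={cidr}")
    return out


if __name__ == "__main__":
    txt_ok, txt_ignored = txt_to_entries(SAMPLE_TXT)
    apl_ok, apl_rejected = apl_to_entries(SAMPLE_APL)
    print("ignored TXT:", txt_ignored, "rejected APL:", apl_rejected)
    # "dns-subnets" is a hypothetical list name.
    for line in routeros_commands("dns-subnets", effective_networks(txt_ok + apl_ok)):
        print(line)
```

RFC 3123 leaves the meaning of negated items to the application, so treating them as holes cut out of the positive prefixes is one possible reading.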
 
hurymak
Frequent Visitor
Posts: 76
Joined: Mon Oct 06, 2014 1:31 pm

Re: Feature requests

Thu Apr 26, 2018 1:54 pm

Encrypt the NAND filesystem, so when some thief unsolders it, he can't read my config.
 
cis2131
just joined
Posts: 5
Joined: Fri Mar 30, 2012 12:27 am

Re: Feature requests

Thu Apr 26, 2018 11:11 pm

Run a script when a port is closed by loop protect.
 
PtDragon
Frequent Visitor
Posts: 80
Joined: Sun Apr 26, 2009 8:52 pm

Re: Feature requests

Fri Apr 27, 2018 12:08 am

Small feature request:
Please make Syn Cookies tunable!
I explain a bit: right now we can only turn on or off.
I wish we could have cookie timeout tunable in our hands (so if no cookie reply for example in 5 or 10 or 30 sec just drop connection).
That will make defense way easier :)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue May 01, 2018 3:26 pm

Encrypt the NAND filesystem, so when some thief unsolders it, he can't read my config.
So, you'll need to enter encryption password each time router reboots? :)
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests

Mon May 07, 2018 12:29 pm

Please implement band steering for wifi, especially in CAPsMAN.

Please add 802.1x support for wired interfaces.
 
pedromrocha
just joined
Posts: 1
Joined: Wed Jul 05, 2017 5:01 pm

Re: Feature requests

Mon May 07, 2018 2:48 pm

Please implement TACACS authentication.

We can't get your equipment certified at an ISP without that feature.
 
netwpl
newbie
Posts: 27
Joined: Fri Jun 22, 2012 8:09 pm

Re: Feature requests

Wed May 09, 2018 8:37 am

Please implement band steering for wifi, especially in CAPsMAN.

Please add 802.1x support for wired interfaces.
1+
 
psannz
Member Candidate
Posts: 128
Joined: Mon Nov 09, 2015 3:52 pm
Location: Renningen, Germany

Re: Feature requests

Wed May 09, 2018 9:15 am

Please add 802.1x support for wired interfaces.
Yes! +1, pretty please?
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Simple Queues - Please increase limits - they max at 4,294 Meg

Wed May 09, 2018 9:29 pm

BUMP - I originally posted this: Wed Mar 21, 2018 3:28 pm

Please increase Simple-Queue limits - they max at 4,294 Meg (aka 4.294 Gig)

ROS Simple-Queue - please increase the possible maximum limits and thresholds.
Currently on v6.41.3 and v6.41.2 (don't know about older versions and I have read nothing in newer versions),
The current maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
This presents a huge problem. I have multiple 10-Gig networks and on some networks I must use bandwidth limiters which are much faster than the built-in restricted values.

An example of need: 10-Gig physical Internet connection (using CHR) - Purchased Internet speed needs to be maintained by my network equipment. Problem - the Mikrotik ROS will not accept any values greater than 4294M in any of the Winbox Simple-Queue fields

North Idaho Tom Jones
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Thu May 10, 2018 11:39 am

Tom, did you write to support@mikrotik.com? Because this looks not like a feature request but like an important fix :)
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu May 10, 2018 6:45 pm

No, this is just established standard functionality hitting limitations as technology proceeds.
The queue mechanism uses 32-bit values (variables) and so the values are limited to 2^32.
In fact practical limits are lower because "buckets of data" have to be calculated to be transmitted on each timer tick, and when the datarate gets so high the buckets become very large and those bursts could hit other limits or not play along with others as nicely as you would like.
So it is not as easy to fix as you might think.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Fri May 11, 2018 6:48 pm

I suspect the simple-queue maximum value settings are going to be a bigger and bigger problem in the near future, because of the new Mikrotik 40-Gig interfaces and newer/faster CPUs.

I can't help but wonder how much of the 64-Bit CHR software actually uses 64-bit instructions.
Many 64-bit CPU instructions use fewer CPU clock cycles compared to a 32-bit set of instructions doing the same software function.

If Mikrotik is gonna compete in the router throughput world with the other guys in the faster than 3-Gig environment, they need to do everything possible to gain every speed/function/feature advantage possible.

I think I will write to Mikrotik support.

North Idaho Tom Jones
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Tue May 15, 2018 1:09 am

EXTRA TAB CHANGE!!

The mere fact of viewing any of the parameters ACTIVATES the parameter and this is WRONG.
All entries should be blank and if you want to offer default settings, GREY THEM OUT.
Suggest putting an apply button or something.

This is not consistent with the rest of the filter rules.
Right now I call it the DANGER DANGER TAB. ;-)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue May 15, 2018 11:13 am

Huh... Any more details? What do you mean saying 'Activates'?.. Why can't you 'deactivate' it back? :)
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Tue May 15, 2018 2:14 pm

Sorry Chupaka, I am just a beginner. I didn't know I was changing router settings just by looking at the parameters in the ExtraTab.
In my limited experience when I clicked on the little arrow tabs, I thought I was simply viewing the default parameters in those selections.
I did NOT REALIZE that I was activating those parameters.
This is not consistent with how we apply items elsewhere in winbox.

Thus suggesting that the default entries be grayed out and one has an implement button when one wants to turn grey into white.
Or it is like every other

Or add a warning at the bottom of the EXTRA TAB. Stating, opening these items ACTIVATES them.
If you do not want them activated CLOSE after viewing.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue May 15, 2018 3:54 pm

The same with TCP Flags and ICMP Option in Advanced tab.

Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Tue May 15, 2018 4:25 pm

As I stated, I am new to mikrotik.
To have to rely on intuition vice standard methods is a ridiculous way of setting up programming the router.
Every other selection I make on the router is checking a box, typing in a selection, pulling a selection from a pull-down menu.

I am not saying it's wrong, just that from my perspective it's bad design and terrible for the non-expert.
Would it hurt that much to have a fixed text at the bottom of the EXTRA TAB.....

"CAUTION: Opening up the parameters via the arrow icons, activates the parameters. If the entries are not modified, the default settings are accepted"

OR

"NOTE: Up facing arrow icons indicates an ACTIVE parameter"


If I could add an image here, and not from an URL, I would post one to give you an idea. :-(

EDIT,,,,,,,,, posted in elsewhere for viewing here.............. the llama cannot be stopped.
Image

Well that was less than useful....... argggg Lets try that again....

https://www.dslreports.com/speak/slides ... RhcnQ9MTgw
Last edited by anav on Tue May 15, 2018 5:41 pm, edited 3 times in total.
 
Bergante
Member Candidate
Posts: 144
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: Feature requests

Tue May 15, 2018 5:23 pm

I've posted a message on the forwarding protocols area, linked from here:

viewtopic.php?f=14&t=134423

BFD support for static routes would be extremely useful. Basically, a static route would have an attribute to use BFD to check gateway availability. It's much better than check-gateway because it's a standard and it will help both a Mikrotik router and a router from a different manufacturer to detect a link down event.

I think it's simple to implement, even!
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests - ability to select :port on a telnet

Wed May 16, 2018 2:00 am

A new added feature I would like to see (when using Winbox to a client Mikrotik) would be the ability to Tools-->Telnet-->Select (*) telnet and also select a port # to telnet to (and the same for SSH).

Example: Let's say a client Mikrotik has a natted LAN IP address of 192.168.1.1/24 and there is a web server on IP address 192.168.1.20 (possibly not running a non-standard port).
Normally, you can do a telnet to IP-Address:Port#, and when it connects, you can simply type in "GET /" to verify the web server is running. However, if you can't telnet to an alternate port, then it becomes much harder to test out port - which might require a TCP/IP port forward on the outside WAN interface to the inside - then originate your telnet to alternate port from another machine.

Let's say you have a web server locally connected to the same network as your work station - try this: Telnet ip-address:80
At connection, you might not see anything - however type in this: GET /
And you will get some web server information so that you know it is actually running.


North Idaho Tom Jones
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed May 16, 2018 2:17 am

I agree that selecting port in Tools->Telnet should be possible, but until it happens, you can do it from Terminal, it already works there:
/system telnet address=192.168.1.20 port=80
 
GuillermoHA
just joined
Posts: 2
Joined: Wed May 31, 2017 1:51 pm

Re: Feature requests

Tue May 22, 2018 6:30 pm

-Will be great in /ip hotspot active see directly what "user profile" are using without using address-list
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Feature requests

Tue May 22, 2018 8:22 pm

Those units that have multiple PoE out ports under 'Health' menu the option to read the amps - watts of the input. Thus we can see what the total consumption is for attached devices AND this unit itself.

For many battery/solar operated units it's quite handy to see what the 'real' average power consumption is for a given actual setup.
(It would be even nicer if under 'graphs' a graph could be displayed for the last 24 hours of voltage amp/Watts consumption. Sometimes it is o so handy to know when batteries were charged (= high voltage) and when not (low voltage). The total power consumption also gives us a power budget over a 24 hour period. Power consumption depends on radio usage and that depends on actual data throughput. With a graph we can see if our actual power budget (batteries! Solar panels) are actually up to their task.)
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests

Fri May 25, 2018 12:03 am

Is it possible to add something like a Web Application Proxy / redirector for HTTPS (SSL/TLS) traffic? Mikrotik will be able to DNAT or redirect HTTPS (generally SSL/TLS connections with SNI) for a specific URL to another IP. It will be usable for hiding more HTTPS servers with different URLs behind one public IP, or for very simple HTTPS (SSL/TLS) load balancing.
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri May 25, 2018 3:48 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
 
bdallen
just joined
Posts: 8
Joined: Fri Nov 07, 2014 12:28 pm
Location: Brisbane, Straya

Re: Feature requests

Mon May 28, 2018 3:43 am

no, the list does not influence our priorities, just gives us ideas about what people want to see.
Sorry Normis, and no disrespect to you, but what does influence this list? People screaming for proper vrf separation, IPSec VTI Support, DHCP Option 82 Snooping in ROS, Proper BNG Features, IPv6 Needs a lot of fixing, BFD (YMMV), BGPv4 MIB and many others.

But yet Kid Control turns up on a CCR??

Confused :S
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Mon May 28, 2018 5:01 am

Apparently IPSET uses the hdd memory in my HEX for address tables.
I am very low on HDD due to lists being used.
This is despite the fact that I have a 16 gig sd card and 16 gig usb stick in the unit.
FEATURE REQUEST: REMOVE IPSET limitation of internal HDD and be able to apply lists to usb or sdc.

As to the question above rather amusing but a good example of something that doesn't make sense.
Typically easy and no usage of capacity wins - or Kid Control is a billionaire and wants his feature (or significant segment of market) etc......
Last edited by anav on Mon May 28, 2018 2:06 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon May 28, 2018 10:37 am

ipset uses in-memory storage to be able to lookup an address quickly. the CPU can just walk along the list (using hashes and/or tree), without reading from SD card first.
when it would be on disk, it would take far too much time to do the lookup to do it in the routing path.
so it does not make sense to request ipset (ip firewall address-list) to be put on disk instead of in memory.
when your ipset uses too much memory, you should back down on the use you make of it and/or buy a router with more memory.
I don't think it makes any sense to have a list that is to be checked in the routing path to be offline on disk. That would only be useful in the proxy service.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Mon May 28, 2018 2:08 pm

Thanks pe1chl, that makes sense.
Oh well I have two hexes, perhaps I could connect them with a vulcan mind meld and have more memory available.
Which model do you suggest for a home owner, who is only trying to keep the dogs away from the home network?
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon May 28, 2018 2:55 pm

The hEX r3 has 256 MB of RAM which is normally enough for quite large lists.
You should not try to make a dynamic address list to which items are added e.g. upon unexpected incoming traffic, as this makes the list grow very large.
It is better to focus on firewall settings to keep all that traffic out. That should be easy to do on the typical NAT routing config used at home.
Just don't allow remote management (i.e. do not allow any input from internet except for established/related).
When you really have to have remote management, configure some form of VPN service on the router and allow management only from authenticated VPN users.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Mon May 28, 2018 3:36 pm

I understand, I have fixed lists, based on firehol type information, and I do have some spammer, synflooder, scan lists but they are weighted or need x connections so they are rarely entered.
That said I have 3K left in hdd memory. Will see what I can do to reduce fixed lists..........
 
wfuzatto
newbie
Posts: 37
Joined: Wed Dec 28, 2016 3:46 am

Re: Feature requests

Wed May 30, 2018 7:01 am

What about a fixed VHT data rate for AC device? It would be a nice feature!
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

better ping feedback in scripting

Wed May 30, 2018 10:03 am

can we have at least the summary of the sent/received ping probes returned as values? all we have right now is the number of successful responses received.
[me@router] > put [ping 8.8.8.8 count=3]
  SEQ HOST                                     SIZE TTL TIME  STATUS          
    0 8.8.8.8                                    56  57 9ms  
    1 8.8.8.8                                    56  57 10ms 
    2 8.8.8.8                                    56  57 8ms  
    sent=3 received=3 packet-loss=0% min-rtt=8ms avg-rtt=9ms max-rtt=10ms 

3
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed May 30, 2018 10:12 am

In the scripts and schedules editor in winbox can we please add the ability to select all - ie ctrl a? At the moment in order to select a big script you have to manually drag from start to finish.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed May 30, 2018 4:14 pm

@Wyz4k: There's also Select All in right-click menu.
 
adziahel
just joined
Posts: 1
Joined: Tue May 29, 2018 1:06 pm
Location: Brest, Belarus

Re: Feature requests

Thu May 31, 2018 1:31 am

DNS-over-HTTPS or DNS-over-TLS, in that order of preference
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri Jun 01, 2018 3:18 am

@Wyz4k: There's also Select All in right-click menu.
There is indeed. Thanks Sob, you are a legend!
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Wed Jun 06, 2018 4:34 pm

The same with TCP Flags and ICMP Option in Advanced tab.

Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD
Hi Chupaka, I just wanted to say thanks for your patience, I am just a tad slow and finally get what you are saying.
Yes, without even knowing it I was using the up and down arrow functionality everywhere and thus should have realized what I was in effect doing on the extra page.
I still would like a note at the bottom of the page (text is cheap right?) for new users "Opening a field activates shown parameters, if Apply or OK is selected."
 
eroberts9
just joined
Posts: 7
Joined: Tue May 29, 2018 12:26 am

Re: Feature requests

Fri Jun 08, 2018 5:15 am

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
Not WDS AP/Slave where the bridge is wireless as it currently can work but having all radios connected Ethernet.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Fri Jun 08, 2018 1:11 pm

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc. :)
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 08, 2018 1:54 pm

So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc. :)
That is one way of doing it, but it does not really work well. Clients have to "hop" between access points and this often only happens when the signal has become too weak to maintain the connection, so before that the client already experiences bad performance.
There are other competitors (Aruba networks, Ruckus, Zyxel and maybe others) who offer true seamless roaming where all your access points have the same MAC address and the client connects with a "virtual" access point (a controller or a function in a master AP) and remains connected to that, only the radio layer solves the location issue (all access points try to receive the client, the one who receives it strongest is used to send data to the client).
Indeed it is a nice feature, of course it has drawbacks but it performs best when clients are wandering around in a building or park.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Fri Jun 08, 2018 6:00 pm

When using multiple WiFi systems with the same SSID and wireless security settings, you should NOT have the APs perform NAT , but instead those APs should bridge the wireless wlan to an Ethernet network. Then have central core router perform NAT & DHCP on the inside LAN that the AP wireless clients are bridged to.
This will then permit client seamless roaming from AP to AP. When a client roams in your network of APs, the client maintains the same IP address.

If your APs are all doing NAT, then when a client roams to a different AP, you can experience all kinds of problems and end up with two of the same IP address on the same network.

North Idaho Tom Jones
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Fri Jun 08, 2018 6:27 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Fri Jun 08, 2018 6:45 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
One of the problems with RFCs and standards is that often 90% of manufacturer network devices only follow RFCs and standards by only 90%.
When you think about it - it's amazing that the Internet even works with all of the different connected brands of devices
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 08, 2018 10:51 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
There are standards for fast handover but they weaken the security. Also there are standards to provide roaming information so the clients know what other AP's to look for, still there is trouble all the time. Those seamless roaming networks do not have those problems because the controller decides how it operates and it has complete knowledge of the topology. However, MikroTik does not have products in that segment (and neither does Cisco, for that matter).
 
eroberts9
just joined
Posts: 7
Joined: Tue May 29, 2018 12:26 am

Re: Feature requests

Fri Jun 08, 2018 11:50 pm

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc. :)
There is only one association, a client does not reassociate if they move from one AP to another. There is not a loss of service when a client moves to a closer AP.

Somewhat like WDS works now via WDS AP -> WDS Slave except backhaul isn't wireless, it's via ethernet.
 
lesnikov
just joined
Posts: 17
Joined: Tue Jul 15, 2014 9:33 pm
Location: Slovenia

Re: Feature requests

Sat Jun 09, 2018 4:22 pm

Hey,

Probably posted before but here goes again. We need 802.1x integration on routerOS for wired ports.
Been looking for this feature for years now...
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Mon Jun 11, 2018 3:24 pm

Due to SIP issues, a friend pointed out this thread.
viewtopic.php?t=129048

So requesting that mikrotik address the issues discovered.
Best to let the experts read and absorb just provided the following quotes....

The issue is stated as...... " A limitation of the UDP + NAT schema" in the mikrotik engine.
or stated another way......
"the conclusion is that the connection tracking engine's architecture on RouterOS is the root cause of this"
"The issue here is that Mikrotik's acceleration tactic of skipping the nat table for packets found in the connections list is the fault"
 
DanielJB
Frequent Visitor
Posts: 82
Joined: Mon May 27, 2013 3:05 pm

Tuneable wireless keep-alive interval

Mon Jun 11, 2018 5:21 pm

By default, RouterOS pings all idle wireless clients every 60s. With many associated clients over a larger area (therefore low bitrates) with 1-2 active at any given time, network efficiency is reduced and client battery life is reduced.

Disabling keepalive-frames causes issues wherein clients are listed in the registration table, but the wireless interface goes down.

Please make "/interface wireless set keepalive-frames" an adjustable delay, so we can set e.g. 300s rather than enabled at 60s or disabled.

Thanks!
Daniel
 
DummyPLUG
Frequent Visitor
Posts: 79
Joined: Wed Jan 03, 2018 10:17 am

Re: Feature requests

Fri Jun 15, 2018 10:10 am

Please add port redirect in IPv6 firewall, will much easier to force all http/https redirect to proxy and redirect all free/public DNS server access back to local dns server.
p.s. newer linux kernel and ip6tables already support this, hope routeros will have this feature as well.
 
craterman
just joined
Posts: 22
Joined: Tue Oct 14, 2014 1:26 pm

Re: Feature requests

Sun Jun 17, 2018 12:34 pm

OSPF and BGP Graceful Shutdown
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

New type of APs - BaseStation - long range - PhasedArray

Wed Jun 20, 2018 9:34 pm

I would like Mikrotik to consider a new type of BaseStation AP
- Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors).
- Something that falls under FCC point-to-point higher power rules
- Something that functions similar to a beam-steering phased-array (where the system acts like a point-to-multi-point system).

Vivato (now out of business) did have two models of phased-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business, I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD perform testing on my Vivatos phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could achieve with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).

Another company just announced a BaseStation (Ubnt) which is claimed to support the following: 5 Gbps real Aggregate wireless throughput, MU-MIMO, 1,500 wireless clients, 10-Gig Ethernet interface (some serious stuff here!!!)

If the Ubnt BaseStation performs even close to what my Vivatos were doing, then this is a real serious contender for a high-density high-volume high-throughput system.

The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
I would like to see a Mikrotik system that can achieve the same thing.


North Idaho Tom Jones
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: New type of APs - BaseStation - long range - PhasedArray

Thu Jun 21, 2018 12:41 pm

I would like Mikrotik to consider a new type of BaseStation AP
- Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors).
- Something that falls under FCC point-to-point higher power rules
- Something that functions similar to a beam-steering phased-array (where the system acts like a point-to-multi-point system).

Vivato (now out of business) did have two models of phased-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business, I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD perform testing on my Vivatos phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could achieve with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).

Another company just announced a BaseStation (Ubnt) which is claimed to support the following: 5 Gbps real Aggregate wireless throughput, MU-MIMO, 1,500 wireless clients, 10-Gig Ethernet interface (some serious stuff here!!!)

If the Ubnt BaseStation performs even close to what my Vivatos were doing, then this is a real serious contender for a high-density high-volume high-throughput system.

The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
I would like to see a Mikrotik system that can achieve the same thing.


North Idaho Tom Jones
Sounds interesting. But is part of the evolution in wireless also not that now the spectrum is saturated where 10 years ago it was hardly used? I mean, my first Mikrotik 2,4GHz 802.11b outdoor AP on an 8dBi omnidirectional had no problem communicating with my laptop at some 300-400 meters away. And that communication was the sending of an e-mail.
Now I am glad my new dual chain 802.11a/b/g/n/c laptop still has a connection to an 18dBi dual chain 90º sector with Netmetal 30dBm radio some 50 meters away. And I am not interested in sending an e-mail, it needs to be a 4K streaming full duplex Skype video conversation (I am exaggerating a bit).....
10 years ago in a 2,4GHz scan I'd performed, all I saw was my own AP..... Now a scan reveals some 100+ radios..... Ok, we have 5GHz now, but that is sort of similar. My 5GHz APs easily pick up 20 other APs.... and there must be several hundred CPEs communicating with them.

I must mention though we have one 'alien brand' AP working on a village that is also full of 5GHz APs and users, but they work with their own protocol on the 5GHz band. They work with 4 antennas on one AP and then each of these 60º sectors are overlapping to get some 200º reach. The AP works on 10MHz wide channels but each antenna has its own frequency slightly different from the others. Now the OS switches connected CPEs to that sector with a good enough signal to supply the top PHY rate achievable that carries the least traffic. The result is that each of the connected clients has no issue reaching the OS limited top download of just over 30Mbps and sustaining that for prolonged times. Basically each sector can sustain a full 30+Mb download to a single client thus the AP can do 4 at once.... in a 10MHz channel! Low latency, sustained speed...... Try that with a Mikrotik 20 or even 40MHz normal Wifi solution....
Over the same village we have 2 more APs, both Netmetal and working 5GHz NV2 or plain 802.11ac but 30Mbps is only possible if that client is the only one using the AP and only peak speeds. This is with -45dB signals all dual chain 20MHz wide channels.....

So yeah, there are better ways of doing wireless.....
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Jun 21, 2018 6:48 pm

WirelessRudy
unrelated to this forum topic ...
Back in 2002, I did a site-survey in all areas we now service (20+ towns/cities). I found zero APs.
Earlier this year, I did a site-survey using 1,000 customer Mikrotiks I manage (I used a Linux script). I found several thousand different APs.
 
datajerk
newbie
Posts: 36
Joined: Sun Aug 28, 2016 1:02 am

Re: Feature requests

Fri Jun 29, 2018 4:02 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.

If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. Your telnet client C&P will work just fine.
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri Jun 29, 2018 4:46 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. Your telnet client C&P will work just fine.
This is the feature requests channel. I am requesting a very basic feature that will take all of 30 seconds for somebody to add.

New request:
[admin@MikroTik] > { :put [:resolve www.example.com]; :put "lala";}
failure: dns name does not exist

Please add a way to read the error ("failure: dns name does not exist" in the error above) when using the on-error catch below.

:do {
:put [:resolve www.example.com];
} on-error={ :put "resolver failed"};
 
raymondr15
Member Candidate
Member Candidate
Posts: 118
Joined: Fri Sep 05, 2014 1:11 am
Location: East London, South Africa

Re: Feature requests

Mon Jul 09, 2018 9:39 pm

Please add support for USB booting on RouterBoards so we can have the ability to install RouterOS onto a USB drive.
Maybe in NetInstall also make it possible to choose which device RouterOS should be installed to if there is more than one, i.e. nand, USB...

Reason 1: In case something happens to the nand chip on the RouterBoard.
Reason 2: For testing purposes to test RouterOS releases without making changes to the nand config/software.
Reason 3: In case someone is doing heavy changes all the time that will put undue strain on the nand.
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Jul 10, 2018 6:33 am

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Jul 10, 2018 12:34 pm

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
/ip ssh set always-allow-password-login=yes
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Jul 10, 2018 1:03 pm

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
/ip ssh set always-allow-password-login=yes
Not for winbox though.
 
genesispro
Member Candidate
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: Feature requests

Tue Jul 10, 2018 1:19 pm

I would also like it to be possible to set winbox to a state where changes are pending and, the moment all changes are done, to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1, for example, we can't.

To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client, which would of course have to be done locally... or with a script!
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Jul 10, 2018 1:27 pm

Not for winbox though.
Yeah. Also not for WebBox, not for Telnet, not for API...

Anyway, your initial message was not about WinBox. If you need WinBox - use SSH with port forwarding for WinBox :)
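
The key-only SSH login and the WinBox-over-SSH port forward discussed in the posts above, written out as an added RouterOS example that is not from any poster or from MikroTik. The user name admin, the file name admin_id_rsa.pub and the address 192.0.2.1 are constructed placeholders, and the accepted forwarding-enabled values depend on the RouterOS release.

```routeros
# Added example (not from the thread). Constructed values: user "admin",
# key file "admin_id_rsa.pub" (already uploaded to Files), router 192.0.2.1.

# 1. Bind the uploaded public key to the user. As the reply above says,
#    once a key is present SSH accepts only the key for that user unless
#    always-allow-password-login=yes is set.
/user ssh-keys import public-key-file=admin_id_rsa.pub user=admin
/ip ssh set always-allow-password-login=no

# 2. Let the SSH server carry client-side (-L) port forwards.
#    Assumption: newer releases take "local"; older 6.x releases take "yes".
/ip ssh set forwarding-enabled=local

# 3. Accept WinBox connections only from the router itself, so the SSH
#    tunnel is the only path to it. Assumption: forwarded connections
#    arrive from 127.0.0.1. Confirm the tunnel works before applying this,
#    because a wrong value cuts off WinBox access.
/ip service set winbox address=127.0.0.1/32

# 4. Telnet has no key-based login (as noted in the thread), so disable it.
/ip service disable telnet

# 5. Review the result.
/user ssh-keys print
/ip ssh print
/ip service print where name~"winbox|telnet|ssh"

# On the workstation (not RouterOS), open the tunnel and point WinBox
# at 127.0.0.1:8291:
#   ssh -N -L 8291:127.0.0.1:8291 admin@192.0.2.1
```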
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Jul 10, 2018 1:31 pm

I would also like it to be possible to set winbox to a state where changes are pending and, the moment all changes are done, to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1, for example, we can't.

To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client, which would of course have to be done locally... or with a script!
Not a script, but in a Terminal:
{
  /interface bridge port remove [find interface=ether1]
  /ip dhcp-client add disabled=no interface=ether1
}
or
/interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1
 
genesispro
Member Candidate
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: Feature requests

Tue Jul 10, 2018 1:50 pm

Well I use winbox and/or API so with neither I could do it remotely since I would lose at the first step the remote connection


I would also like it to be possible to set winbox to a state where changes are pending and, the moment all changes are done, to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1, for example, we can't.

To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client, which would of course have to be done locally... or with a script!
Not a script, but in a Terminal:
{
  /interface bridge port remove [find interface=ether1]
  /ip dhcp-client add disabled=no interface=ether1
}
or
/interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Jul 10, 2018 2:18 pm

Well I use winbox and/or API so with neither I could do it remotely since I would lose at the first step the remote connection
Just press Terminal on the left of WinBox. If you use "{ }" - commands inside of brackets will be executed when you press Enter after the bracket. Like this:
[admin@s.internal] > {
{... :put "here"                                 
{... :put "we"  
{... :put "go!"
{... }         
here
we
go!
[admin@s.internal] > 
 
nicutdk
Frequent Visitor
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Re: Feature requests

Mon Jul 16, 2018 1:27 pm

Hi,

I want to make a suggestion for IP cloud
So...

It would be nice to have a feature to associate IP Cloud from RouterOS with a MikroTik account to manage all MikroTik routers.

For example, I have many clients and I make my own structure to manage them. If I forget to add one, it is too hard to put it in again.


Regards,
