> I'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).
> If all physical interfaces are DHCP it might simplify things to be able to assign static addresses to an internal interface to make routing and firewall rules simpler.

just create a bridge (call it Loopback1) and assign address to it
> how about adding an icon "L" next to each firewall-mangle-nat rule that this rule is "logged" so you can see easily what is logged and not.

Right Click -> Show Columns -> Log. Voila!
> Add a button to easily toggle logging for a rule. I often need logging rules that I only quickly turn on and off again, to catch just a few packets.

as a workaround you may enable logging in the rule and then just press 'Undo' to disable it after a few seconds
> Right Click -> Show Columns -> Log. Voila!

You're right, it's there. But not visible by default and too far at the right and "lost" between other columns when enabled. Since logging is a useful option available for all rules, IMHO it would deserve a more prominent place. But ok, it is usable this way.
> > I'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).
> > If all physical interfaces are DHCP it might simplify things to be able to assign static addresses to an internal interface to make routing and firewall rules simpler.
> just create a bridge (call it Loopback1) and assign address to it

True dat. Thanks. Actually realized this almost immediately after posting. Still, for whatever reason, in Linux there is a dummy interface in addition to bridge. I wonder if there is some overhead involved.
> Is it possible to add /ip cloud ddns to x86 ROS?

This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.
> > Is it possible to add /ip cloud ddns to x86 ROS?
> This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.

I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct
> I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct

No, you don't. Software ID is not the same as hardware serial number.
> Please implement this command:
> /ip service set dns address=192.168.0.0/24 disabled=no

+1 MT by default being an open resolver is a HUGE pita. You can't expect an ISP with thousands of customers to protect them all, and you can't expect thousands of Mikrotik users to know how to protect their router either. I know of multi 10GB/s ISPs that went down completely due to MT being used in DNS amplification attacks.
> Would like every service MT runs (SMB, Socks, Proxy, DNS, etc.) to all have ACLs in /ip services AFAIK, and would be good to have it 'locked down' by default to say 192.168.1.0/24 seeing that the default IP on hardware devices is 192.168.1.1/24.

Afaik factory default is 192.168.88.1/24, but I agree. On the other hand, DNS on MK is a totally obsolete service. Running a DNS service on an internet gateway is fundamentally a security risk. It also does not support modern features like DNSSEC, so I would rather go with Unbound or Knot running on a dedicated host.
> On the other hand, DNS on MK is a totally obsolete service. Running a DNS service on an internet gateway is fundamentally a security risk.

As is NTP Servers (ntp server magically disappeared from ROS in some version), web proxy, socks (really now, who still uses socks?), smb, and I'm sure other things too. Unfortunately, that seems to be what consumers want. Just really wish we could have all these things in separate packages so that we don't have to always have them installed.
> Another good one, IMHO...
> Route-Filters - have the ability to synchronize prefixes received/withdrawn to dynamic access-lists.
> This gives us the ability to very easily match entire ASNs in firewall rules

This has been requested, and confirmed by Mikrotik for routing filters in v7.
> > Another good one, IMHO...
> > Route-Filters - have the ability to synchronize prefixes received/withdrawn to dynamic access-lists.
> > This gives us the ability to very easily match entire ASNs in firewall rules
> This has been requested, and confirmed by Mikrotik for routing filters in v7.

Oh fantastic! So, when can I get V7 then
> Filtering packets in chain=input can affect srcnat. So it would be nice to limit filtering to the local router's IP addresses. But it would be hard to maintain such a list of addresses, if the router's configuration is changed from time to time.
> So here goes a feature request: an automatic address-list "local-router" (or similar name) which is generated automatically from the local IP addresses of the router.

There is the option:

dst-address-type=local

And this one can also be used if you have a dynamic WAN address.

> src-address-type (unicast | local | broadcast | multicast; Default: )
> Matches source address type:
> unicast - IP address used for point to point transmission
> local - if address is assigned to one of router's interfaces
> broadcast - packet is sent to all devices in subnet
> multicast - packet is forwarded to defined group of devices
> > It will be good if RouterOS will have integrated brute force protection and filter.
> It does
> http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Nice!
> > Another good one, IMHO...
> > Route-Filters - have the ability to synchronize prefixes received/withdrawn to dynamic access-lists.
> > This gives us the ability to very easily match entire ASNs in firewall rules
> This has been requested, and confirmed by Mikrotik for routing filters in v7.

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
> Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?

yes
> It will be good if RouterOS will have integrated brute force protection and filter.

Most definitely! The current "implementation of brute force protection" is a joke. A counter on port visits as opposed to actually checking whether the login succeeds or not.
> > Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
> yes

Great, any chance we'll see acl's (filter groups) as well?
> > > Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
> > yes
> Great, any chance we'll see acl's (filter groups) as well?

what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need?
> There is the option:
> src-address-type (unicast | local | broadcast | multicast; Default: )
> local - if address is assigned to one of router's interfaces

Cool, thanks! I'll use this feature.
> > > > Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
> > > yes
> > Great, any chance we'll see acl's (filter groups) as well?
> what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need?

The ability to utilize grouping of for example firewall filters is a matter of making network management more manageable and perspicuous, thus this is especially useful in complex environments. If you're familiar with Cisco ACL Object Groups you probably know what I mean...
Ethernet eth1 = router.hardware.ether1;
eth1.ip.address = "192.168.0.1";
eth1.status = enabled;
log ("Eth1 - current speed: " + eth1.speed);
> Nice list, but you have to ask yourself - do you want to see RouterOS v7 before or after 2020?

Well, most definitely not before 2020 if they choose to develop everything from scratch.
> The trouble with working prototypes is that while you can create one in a couple of days, you then need a couple of months to turn them into something you can share with others, and much more if you want to reliably tackle all corner cases. I imagine there are quite a few in something with RouterOS size. So while I hope to see some of your suggestions make it into v7, I think a lot of others can be just a distant dream for v8 or so.

Yeah, the prototype is usually just a part of a POC they probably did ages ago. If they are smart, they'll release a version that will match the functionality in v6 and continue from there when things have stabilised. One thing is for sure, the folks at marketing will have to cope with all the people that have extremely high expectations of v7 and believe it will solve all problems in the world!
> RFC 3021

What about this workaround? http://forum.mikrotik.com/viewtopic.php?t=7367#p32149. You might even save some addresses...
IPSec Policy with ADDRESSLIST feature instead of 1 policy per subnet on the same VPN-Peer, as I have 1 customer with around 150 subnets and this is a total overkill for searching through policies.
> Please add some kind of "find router" feature. I often take over projects from other people and have to search for a bunch of devices, sometimes in many rooms, even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.
> JF.

This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
> This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.

Thank you, I will look at your suggestion ... but anyway I find it would be way more user friendly to have for example a "Locate" button in the Routerboard menu instead of having to program scripts for such a task.
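The "simple script" the reply refers to, written out as an added example (not code from any post in this thread): a beep pattern that runs for about 30 seconds and touches nothing but the beeper. The script name "locate-me" is a constructed choice; boards without a beeper will simply stay silent.

```routeros
# Added example: a "locate me" script so a device can be found by ear
# without disrupting forwarding. Assumes the board has a beeper.
/system script
add name=locate-me comment="beep pattern for ~30 s" source={
    :for i from=1 to=30 do={
        # two tones per second, a short pause between repetitions
        :beep frequency=2000 length=150ms
        :delay 150ms
        :beep frequency=1000 length=150ms
        :delay 550ms
    }
    :log info "locate-me: done beeping"
}

# Trigger it from Winbox (System > Scripts > Run) or from the CLI:
# /system script run locate-me
```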
/tool user-manager user print
/tool user-manager user print detail
> > Please add some kind of "find router" feature. I often take over projects from other people and have to search for a bunch of devices, sometimes in many rooms, even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.
> > JF.
> This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.

Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...
> Hello!
> RouterOS "ip route print where dst-address in x.x.x.x/z" is fast. But for some reason the same for ipv6 is slow (when the number of routes is large).
> Please, make ipv6 route lookups fast as well.

And IPv6 filter on dst-address doesn't work at all in Winbox
> caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]

You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.
> > caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]
> You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.

No certificates at all!! Maybe that's the problem??
> No certificates at all!! Maybe that's the problem??

Another guess: CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone the configuration of CAP devices?
> > No certificates at all!! Maybe that's the problem??
> Another guess: CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone the configuration of CAP devices?

Have ~50 CAPs - the CAPsMAN Radio list shows all of them, and in the list there are no duplicated MACs!!! This was my first guess, but it seems everything is ok there!!
> > Hi,
> > Please add a feature that will allow me to add a DNS name instead of an exact IP address. I need this to connect 2 or more MKT routers (PPTP connection) if they are connected to the internet through ADSL and their IP addresses are dynamic. I hope that you understand what I am saying and that we can expect this feature in new ROS.
> > bye,
> i think that this should be global. anywhere you specify a dns name it should be resolved.

Yes, but not immediately - it should be stored as a DNS name and resolved in real time. For example, it's pointless to resolve /tool email server once and store it as a numeric address, which is why ROS will store it as a name. However, /system watchdog resolves the same server once and then stores it as a number, which is wrong. Also, you don't want things to fail because they can't be resolved immediately when you are configuring a router on a workbench and it has no connection to your network.
> Please make it possible to change the comment associated with a connection without it restarting said connection.

This would be good for both /int wireless access and /int wireless connection; also the "add to access list" and "add to connection list" operations, where you already know that the resulting entry will not be incompatible with the connection that already exists, because it is being generated from that connection.
> > > Please add some kind of "find router" feature. I often take over projects from other people and have to search for a bunch of devices, sometimes in many rooms, even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.
> > > JF.
> > This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
> Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...

Many of the newer, lower-cost devices have no beepers. I have come to rely on the beepers for so much diagnosis (esp. SXT setup) and I really miss them. I would pay the extra buck.
export compact
/something1
some config
/something2
some config
export compact
/something1
some config
/something2
some config
> I believe this request can be implemented very fast but it helps ROS management with Multiple WAN a lot!
> "/ping" and "/system ssh" allow the user to specify the "src-address" parameter so that the command can initiate the network connection on a specific WAN easily.
> BUT "/tool fetch" doesn't include a "src-address" parameter.
> The problem is one ISP blocks all incoming ping requests, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to achieve this goal.
> I write a script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under the script environment, which means I cannot use "/system ssh" to do this job.
> The only way to choose is to use the "/tool fetch" facility to monitor the remote ROS, BUT it lacks the "src-address" parameter; to supplement this deficiency, before using "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for the remote target.
> The whole situation can be simplified tremendously by only adding the "src-address" parameter to "/tool fetch"

+1
> The problem is one ISP blocks all incoming ping requests, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to achieve this goal.
> I write a script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under the script environment, which means I cannot use "/system ssh" to do this job.
> The only way to choose is to use the "/tool fetch" facility to monitor the remote ROS, BUT it lacks the "src-address" parameter; to supplement this deficiency, before using "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for the remote target.
> The whole situation can be simplified tremendously by only adding the "src-address" parameter to "/tool fetch"

setup some VPN tunnel between the routers
> Please add the ability to do a where query in [] with any valid-variable.
> fail example:
> :local identity "testRouter"
> :local interface [/ip neighbor find where identity=$identity]
> fail reason:
> result differs from :local interface [/ip neighbor find where identity="testRouter"]
> contains several interfaces which don't have the specified identity.

that's because the variable name "identity" is the same as the parameter name "identity". the following code works correctly:

:local id "testRouter"
:local interface [/ip neighbor find where identity=$id]
:local interface [/ip neighbor find where $identity=$id]
:local interface [/ip neighbor find $identity=$id]
> I would love if I could run a script as a firewall action.

this would degrade the packet forwarding performance in an unpredictable but disastrous way.
> > I would love if I could run a script as a firewall action.
> this would degrade the packet forwarding performance in an unpredictable but disastrous way.
> but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.

You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
> Add temperature/voltage graph.
> I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be a big problem for you to add it to the existing graphing routines.
> Thanks

On that note, it would be really great to have an average cpu value being displayed in the resources tab. At the moment I have to run a script periodically and try to calculate this on my own.
> > > I would love if I could run a script as a firewall action.
> > this would degrade the packet forwarding performance in an unpredictable but disastrous way.
> > but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
> You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.

there are certain "optimised" actions (like add-src/dst-to-address-list) which could have their "script" counterparts, but that doesn't mean they're the same. packet forwarding is not a thing where one wants to mess with interpreted code. and running a script (executing a series of routeros commands) is actually running interpreted code.
> > > > I would love if I could run a script as a firewall action.
> > > this would degrade the packet forwarding performance in an unpredictable but disastrous way.
> > > but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
> > You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
> i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then it's up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on a syslog server) - so the desired actions could be fired.
> on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on a regular basis at MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
> https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
> https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)

I don't see why it's not possible to do the same with a run-script-on-hit rule with some guidelines as you mention exist for the L7 rules. Unfortunately not everybody reads MUM slides.
> You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.

seems we have to leave it to Mikrotik guys to decide which way to go
> seems we have to leave it to Mikrotik guys to decide which way to go

Indubitably
> I don't know if it was already suggested.. but mikrotik Traffic Flow could include BGP AS Numbers.
> It is important to know what is going on with your network, and with the AS included a lot of things can be done.
> Thanks!!

this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...
> > I don't know if it was already suggested.. but mikrotik Traffic Flow could include BGP AS Numbers.
> > It is important to know what is going on with your network, and with the AS included a lot of things can be done.
> > Thanks!!
> this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...

+1 for this, it makes the current traffic flow implementation 99% complete. It's that 1% we all need to make it useful to anyone using BGP.
So I think I'll stick with wanting better OpenVPN for a while, at least until this happens:

> WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.
> After version 1 is finalized, an RFC will be written and standardized.
> About the WireGuard idea, are you a time traveller writing to us from the future? :)

Spoiler alert: Trump gets impeached!
> 1. +1!
> 2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
> > Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.

i made some workarounds to make fasttrack+ipsec+dualwan all work together..but i really wish they'd come up with something better
Normis add /31 address for PTP links.
/ip address add interface=ether1 address=192.0.2.2/32 network=192.0.2.3
> It will be nice to have an option to set the amount of pings to send before changing status to down and their frequency.

... and routing table/vrf
> Hey, Mikrotik team!
> Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
> It will be nice to have an option to set the amount of pings to send before changing status to down and their frequency.

..and the possibility to set source address (e.g. remote ipsec hosts)
> Hey, Mikrotik team!
> Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
> It will be nice to have an option to set the amount of pings to send before changing status to down and their frequency.

Netwatch can trigger a script.
> Selectable auth mechanisms for RADIUS-based AAA on system login.
> currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.
> Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.

+1
> Hi.
> It will be nice to have an option to make any log entry colorable.
> For example, I wanna paint the wifi log green, the ppp log purple, the interface log cyan... or other colors, so I can find them faster with an eye blink.
> (I think ANSI colors would be enough, but more colors, more fun.)
> And please, put a "find" option in the log.
> Best regards: Xen

It might be nice to have an option for color in the logs.
You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?
How about instead we look to the future: WireGuard https://www.wireguard.io
Clients for every major OS, modern cryptography, and the performance looks pretty amazing:
> It should be very simple to add support for selecting the bits of the IPv6 RA

I hope 2018 will be the year that MikroTik finally continues working on IPv6 support.
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip settings
set allow-fast-path=no
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes
I'd like to re-request the function of rinetd.
> I'd like to re-request the function of rinetd.

Never heard of that before, but I did similar things in the past using "netcat" ("nc")
https://boutell.com/rinetd/
http://brewformulas.org/Rinetd
> We have several applications where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow us to access these devices from remote (telnet, SSH, webinterface, SNMP, ...).
> A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.

You can do the same thing on a MikroTik using a src-nat and a dst-nat rule!

HOW???
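The dst-nat plus src-nat pair the reply alludes to, as an added example (not from any post here): the second rule rewrites the source so the modem, which has no usable route back, answers to the router's own address on its subnet. All addresses, the interface name "ether2-modem", the port 8443 and the "mgmt-hosts" list are constructed assumptions; the address list keeps the modem's web UI from being reachable by the whole internet.

```routeros
# Added example: reach a modem that has no default route towards this router,
# the rinetd-like forwarding discussed in the thread. Constructed values:
# modem 192.168.1.2 behind "ether2-modem", router address there 192.168.1.1,
# permitted managers in address list "mgmt-hosts", uplinks in interface list "WAN".
/ip firewall address-list
add list=mgmt-hosts address=203.0.113.0/24 comment="only these may reach the modem UI"

/ip firewall nat
# Inbound: TCP 8443 on the router's WAN side becomes 443 on the modem,
# but only for sources in the management list.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8443 \
    src-address-list=mgmt-hosts action=dst-nat to-addresses=192.168.1.2 to-ports=443 \
    comment="modem web UI"
# Return path: rewrite the source to the router's address on the modem subnet,
# so the modem replies locally and never needs a route to the manager's network.
add chain=srcnat out-interface=ether2-modem dst-address=192.168.1.2 protocol=tcp dst-port=443 \
    action=src-nat to-addresses=192.168.1.1 comment="modem web UI (return path)"

/ip firewall filter
# The forward chain must admit the translated flow; keep everything else to the modem
# under the existing forward policy.
add chain=forward protocol=tcp dst-address=192.168.1.2 dst-port=443 connection-nat-state=dstnat \
    src-address-list=mgmt-hosts action=accept comment="modem web UI"
```

Check the packet counters with "/ip firewall nat print stats" after a test connection: both the dstnat and the srcnat rule should count, otherwise the srcnat rule's interface or address does not match the real modem subnet.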
> Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to it.

Another +1 for me. Please implement this, as WireGuard is steadily moving towards mainline kernel inclusion.
> it would be great if it would at least remember my settings between routers

This is just a special case of the generic feature request to have some way of sharing settings in winbox between a large number of routers.
> This is already possible.
> Connect to one router. Set columns you want to see, open windows etc.
> Select session/save as
> Next time before connecting to a new router pick the saved session.

But then I have to do that on each of the hundreds of routers in my Winbox managed sessions list.... Right? I guess my point is that I see no reason at all why someone would not want to see the dashboard information in the upper right. Is there a reason? It's just extra stuff (menu options) that doesn't need to be there. Turn them on all the time for every session and just get rid of the Dashboard menu.
The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
> Seems like the setting is stored in a 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.

That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth it is not really required to shape it". It also would incur a lot of CPU overhead to do that.
> - there should be some way to "save as default"
> - there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
> - and of course: the widget to select columns should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menus and often does not fit on the screen so has to be scrolled as well.

This is what I have been asking for several times over the years. It's good someone else now asks again.
> > Seems like the setting is stored in a 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
> That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth it is not really required to shape it". It also would incur a lot of CPU overhead to do that.

Well, I would suppose that if somebody (like me) needs a simple-queue setting in any of the fields greater than 4294-Meg, then they are likely running something with a big-beefy-CPU, such as a CHR on a fast Xeon processor or possibly a high-end or current or future Mikrotik hardware product.
> Hello
> to disable DNS attacking
> please add listen address on better from use ip firewall filters
> /ip dns allow-remote-requests=yes
> /ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y
> Regards

Can't you already do that via firewall, don't understand what more you need, if you want to block DNS requests from outside net, or allow only DNS requests from that ip range simply make a firewall rule with tcp/udp 53 ports..
> ... if you want to block DNS requests from outside net, or allow only DNS requests from that ip range simply make a firewall rule with tcp/udp 53 ports..

All other services have something like that. Api, ftp, ssh, telnet, winbox and www have "available from" option in IP->Services, smb allows to choose interface. If it makes sense for them, surely it would make sense for dns too.
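The firewall-based equivalent of the "available from" restriction asked for here and in the "/ip service set dns address=..." request earlier in the thread, as an added example (not code from any post): the resolver stays enabled for the LAN while queries from anywhere else are dropped, which is what closes the open resolver the amplification complaint is about. The 192.168.88.0/24 LAN range and the "dns-clients" list name are constructed assumptions.

```routeros
# Added example: give the router's DNS resolver an "available from" list via the
# firewall. Assumes LAN clients live in 192.168.88.0/24 (constructed value).
/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add list=dns-clients address=192.168.88.0/24 comment="hosts allowed to use the router's resolver"

/ip firewall filter
# Accept queries from the allowed list only. TCP is included because large
# answers and zone-style responses fall back from UDP to TCP.
add chain=input protocol=udp dst-port=53 src-address-list=dns-clients action=accept \
    comment="DNS from allowed clients"
add chain=input protocol=tcp dst-port=53 src-address-list=dns-clients action=accept \
    comment="DNS from allowed clients (TCP)"
# Everything else is dropped, regardless of interface: this is the rule that keeps the
# router from answering (and amplifying) queries from the internet.
add chain=input protocol=udp dst-port=53 action=drop comment="DNS from anywhere else"
add chain=input protocol=tcp dst-port=53 action=drop comment="DNS from anywhere else (TCP)"
```

Rules appended this way land at the end of the input chain, so use "place-before=" or move them above any broad accept rule; afterwards "/ip firewall filter print stats where comment~"DNS"" shows whether unwanted queries are actually hitting the drop rules.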
> With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.
> Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
> Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.

this might be two things however. while the interface statistics could be worked out with "/tool graphing" even with resource visibility separation - currently using src ip address as differentiator - the "editing" part is tough. so if you can separate your customers based on ip address, you can define which interface/queue/resource the user may be viewing on the router's web gui.
> Quick Set - It's working with WPA1 password. It doesn't recognise when you manually set a WPA2-PSK AES only password. It requires also setting a WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows the WiFi password red and empty (WPA2 only is used)

You will have to learn and understand that you should use QuickSet only ONCE and not look at it later!
> I've been waiting for a long time for MikroTik to provide an alternative port for the IP DNS Setting, other than 53 (default)
> normally the user inputs an ip address such as 8.8.8.8 and 8.8.4.4 for the IP DNS Setting
> an alternative port, for example, could be set as easily as 8.8.8.8:553 and 8.8.4.4:533
> The purpose is to get DNS service from a non default port DNS Server.
> Any response is greatly appreciated,
> Thank You

Do you know dst-nat ?
> Is there any DNS server on port other than 53?..
There are some non port 53 DNS configurations/uses.
> There are some non port 53 DNS configurations/uses.
The intended use case is probably where the ISP blocks or redirects access to port 53 outside (only allowing access to their own resolvers)
> Not worth it to make a change in the router for that, just use dst-nat.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.
> But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.
Ok apparently it needs a real loop, I was thinking about adding a loopback interface (an empty bridge with an IP address) and sending the DNS queries there.
> file get contents
> Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!
It is not a limitation of those routines, but of the maximal length of a variable content.
> Is there any DNS server on port other than 53?..
I have a solution to decrease costs with DNS filters like OpenDNS or SafeDNS, using a DNS resolver intermediate on UDP port 5353. All my 100 MK with different valid IPs points to this resolver.
> Feature Request:
> Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:
>     1.3.6.1.4.1.9.9.150.1.1.1.0
> But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using Mikrotik routers as BRAS/BNG/PPPoE Server.
> If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.
> To workaround we can use this:
>     /interface pppoe-server print count-only where service=service5
> BUT it should be a nice feature to add to SNMP
You can have this info from the radius server. (if used)
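The per-service count the request asks for can be collected on the router itself with the same selection as the workaround command, and turned into a log alarm when sessions on one service vanish. This is an added example, not from the thread or from MikroTik: it reads the service names from the router, and the drop threshold and the one-minute schedule are constructed values.

```routeros
# Added example, not from the thread: per-service PPPoE session watchdog, meant for /system scheduler.
# Service names come from the router; the threshold and interval are constructed values.
:global pppoePrev
:if ([:typeof $pppoePrev] != "array") do={ :set pppoePrev [:toarray ""] }
# alarm when more than this many sessions on one service disappear between two runs
:local dropThreshold 20
:foreach srv in=[/interface pppoe-server server find] do={
    :local name [/interface pppoe-server server get $srv service-name]
    # same selection as "print count-only where service=..." in the request above
    :local now [:len [/interface pppoe-server find service=$name]]
    :local prev ($pppoePrev->$name)
    :if ([:typeof $prev] = "num") do={
        :if (($prev - $now) > $dropThreshold) do={
            :log warning ("pppoe: sessions on service " . $name . " fell from " . $prev . " to " . $now)
        }
    }
    :set ($pppoePrev->$name) $now
}
```

Store it with `/system script add name=pppoe-watch source=...` and run it with `/system scheduler add name=pppoe-watch interval=1m on-event=pppoe-watch`; a `/system logging action` of type remote then delivers the warning to the monitoring system that would otherwise have polled SNMP. The previous counts live in a global array, so the first run only records a baseline.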
/tool sniffer set filter-ip-protocol=udp filter-port=32000-32255
> Is there any DNS server on port other than 53?..
i have run several DNS servers using many port other than 53, the purpose is for internet filtering, users can select filtering level by choosing dns port, check out https://www.thenetpurifier.com/filtering.php
> > Not worth it to make a change in the router for that, just use dst-nat.
> Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.
vote +1 for dstnat in output chain
> > I've been waiting for a long time for MikroTik to provide an alternative port for the IP DNS setting, other than 53 (default).
> > Normally users input an IP address such as 8.8.8.8 and 8.8.4.4 for the IP DNS setting.
> > An alternative port, for example, could be set as easily as 8.8.8.8:553 and 8.8.4.4:533.
> > The purpose is to get DNS service from a DNS server on a non-default port.
> > Any response is greatly appreciated,
> > Thank You
> Do you know dst-nat?
dst-nat not working in output chain, AFAIK
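The dst-nat approach suggested in the replies above, written out as an added example that is not from the thread or from MikroTik. It assumes the clients sit in 192.168.88.0/24 and that the resolver is 192.0.2.53 listening on port 5353; all three are constructed placeholder values.

```routeros
# Added example, not from the thread. Rewrites LAN clients' DNS queries (port 53) to a resolver
# on a non-standard port. 192.168.88.0/24, 192.0.2.53 and 5353 are constructed placeholders.
# src-address keeps the rule from touching anything but your own clients.
/ip firewall nat
add chain=dstnat src-address=192.168.88.0/24 protocol=udp dst-port=53 action=dst-nat to-addresses=192.0.2.53 to-ports=5353 comment="LAN DNS -> alt-port resolver"
add chain=dstnat src-address=192.168.88.0/24 protocol=tcp dst-port=53 action=dst-nat to-addresses=192.0.2.53 to-ports=5353 comment="LAN DNS -> alt-port resolver (TCP)"
# Caveat stated in the thread: dstnat only sees forwarded traffic. Queries the router sends for
# itself (the resolver configured with /ip dns set servers=...) still go to port 53 unchanged.
```

After adding the rules, `/ip firewall nat print stats` shows the counters climbing as clients resolve; `/ip dns cache print` stays empty because the router's own resolver is bypassed, which is exactly the limitation the thread argues about.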
> There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS). And any sensible server allows to add unknown record types using generic syntax. If you have hosted DNS and you depend on some admin interface, it's another story and I guess support there will be very bad. That was the authoritative part. Resolvers should be transparent for unknown types since forever.
> > There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
> If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS).
I googled for it and I cannot find any DNS server that has documented APL support, including Bind. We use bind 9.
> Encrypt nand filesystem, so when some thief unsolders it, they can't read my config.
So, you'll need to enter encryption password each time router reboots?
> Please, implement band steering for wifi, especially in CAPsMAN.
+1
Please, add support 802.1x for wire interfaces.
> Please, add support 802.1x for wire interfaces.
Yes! +1, pretty please?
/system telnet address=192.168.1.20 port=80
> no, the list does not influence our priorities, just gives us ideas about what people want to see.
Sorry Normis, and no disrespect to you, but what does influence this list? People screaming for proper vrf separation, IPSec VTI Support, DHCP Option 82 Snooping in ROS, Proper BNG Features, IPv6 needs a lot of fixing, BFD (YMMV), BGPv4 MIB and many others.
[me@router] > put [ping 8.8.8.8 count=3]
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 57 9ms
1 8.8.8.8 56 57 10ms
2 8.8.8.8 56 57 8ms
sent=3 received=3 packet-loss=0% min-rtt=8ms avg-rtt=9ms max-rtt=10ms
3
> @Wyz4k: There's also Select All in right-click menu.
There is indeed. Thanks Sob, you are a legend!
> The same with TCP Flags and ICMP Option in Advanced tab.
> Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD
Hi Chupakha I just wanted to say thanks for your patience, I am just a tad slow and finally get what you are saying.
> I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
> So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
That is one way of doing it, but it does not really work well. Clients have to "hop" between access points and this often only happens when the signal has
> Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
One of the problems with RFCs and standards is that often 90% of manufacturer network devices only follow RFCs and standards by only 90%.
> Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
There are standards for fast handover but they weaken the security. Also there are standards to provide roaming information so the clients know what other APs to look
> > I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
> So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
There is only one association, a client does not reassociate if they move from one AP to another. There is not a loss of service when a client moves to a closer AP.
> I would like Mikrotik to consider a new type of BaseStation AP
> - Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors).
> - Something that falls under FCC point-to-point higher power rules
> - Something that functions similar to a beam-steering phased-array (where the system acts like a point-to-multi-point system).
> Vivato (now out of business) did have two models of phased-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business, I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD perform testing on my Vivato phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could achieve with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).
> Another company just announced a BaseStation (Ubnt) which is claimed to support the following; 5 Gbps real Aggregate wireless throughput, MU-MIMO, 1,500 wireless clients, 10-Gig Ethernet interface (some serious stuff here !!!)
> If the Ubnt BaseStation performs even close to what my Vivatos were doing, then this is a real serious contender for a high-density high-volume high-throughput system.
> The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
> I would like to see a Mikrotik system that can achieve the same thing.
> North Idaho Tom Jones
Sounds interesting. But is part of the evolution in wireless also not that now the spectrum is saturated where 10 years ago it was hardly used? I mean, my first Mikrotik 2,4Ghz 802.11b outdoor AP on a 8dBi omnidirectional had no problem to communicate with my laptop at some 300-400 meters away. And that communication was the sending of an e-mail.
The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
> > The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
> If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. Your telnet client C&P will work just fine.
This is the feature requests channel. I am requesting a very basic feature that will take all of 30 seconds for somebody to add.
> Hi everyone,
> Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.
> Also then please add a way to disable username / password logins.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
    /ip ssh set always-allow-password-login=yes
> > Hi everyone,
> > Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.
> > Also then please add a way to disable username / password logins.
> This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
>     /ip ssh set always-allow-password-login=yes
Not for winbox though.
> Not for winbox though.
Yeah. Also not for WebBox, not for Telnet, not for API...
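The key-only SSH setup the replies describe, plus the step the follow-ups point out is missing (the other management services still take a password, so they have to be switched off or pinned to a management network). This is an added example, not from the thread or from MikroTik; it assumes the public key was uploaded to the router's file store as admin.pub and that management comes from 192.168.88.0/24, both constructed values.

```routeros
# Added example, not from the thread. Assumes the public key file "admin.pub" was uploaded to the
# router and that administration happens from 192.168.88.0/24 (both constructed values).
/user ssh-keys import user=admin public-key-file=admin.pub
# With a key on file, password login for that user is refused unless always-allow-password-login=yes
/ip ssh set always-allow-password-login=no strong-crypto=yes
# The key covers SSH only: winbox, www, api and telnet still authenticate with a password,
# so disable what is not used and restrict the rest to the management network.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
```

`/user ssh-keys print` lists the imported key; a password-only SSH attempt for admin is then rejected while a key-based one succeeds, and `/ip service print` shows which paths remain reachable and from where.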
> I would also like to be possible to set winbox to a state where changes are pending and the moment all changes done to be able to say commit.
> If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.
> To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!
> So one needs to remove it from the bridge port and then modify the dhcp-client which would of course has to be done locally... or with a script!
Not a script, but in a Terminal:
    {
    /interface bridge port remove [find interface=ether1]
    /ip dhcp-client add disabled=no interface=ether1
    }
or
    /interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1
> Well I use winbox and/or API so with neither I could do it remotely since I would lose at the first step the remote connection
Just press Terminal on the left of WinBox. If you use "{ }" - commands inside of brackets will be executed when you press Enter after the bracket. Like this:
    [admin@s.internal] > {
    {... :put "here"
    {... :put "we"
    {... :put "go!"
    {... }
    here
    we
    go!
    [admin@s.internal] >
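The commit-or-revert behaviour the requester is after can be approximated with the same `{ }` block: make the change, wait for the DHCP client to bind, and undo it if no lease arrives. This is an added example, not from the thread or from MikroTik; it assumes the bridge is named "bridge" and uses a 30 second wait, both constructed values.

```routeros
# Added example, not from the thread. Moves ether1 out of the bridge and gives it its own DHCP
# client in one terminal block, then rolls back if no lease is obtained. Assumes the bridge is
# named "bridge" and that 30 seconds is enough for a lease (both constructed values).
{
    /interface bridge port remove [find interface=ether1]
    /ip dhcp-client add disabled=no interface=ether1 comment="wan-dhcp"
    :delay 30s
    :if ([/ip dhcp-client get [find comment="wan-dhcp"] status] != "bound") do={
        # no lease: restore the original layout so remote access over the bridge comes back
        /ip dhcp-client remove [find comment="wan-dhcp"]
        /interface bridge port add bridge=bridge interface=ether1
        :log warning "ether1 got no DHCP lease within 30s; bridge membership restored"
    } else={
        :log info "ether1 now runs its own DHCP client"
    }
}
```

Paste the whole block into the terminal and press Enter after the closing bracket; the router evaluates it as one unit, so the session dropping mid-way does not leave the change half applied. `/log print` afterwards shows which branch ran.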