> Yes, we use Radius, but only for PPP authentication. You talk about this point → Radius Server settings: Service = Login?

yes, plus "System -> Users -> AAA -> Use RADIUS"
> Many interesting suggestions here. I'm wishing for a walled garden configuration that allows an entire web site to be accessed. Seems to be too narrow, now. How about wild card support in the URL field?

The walled garden options support regular expressions so there's nothing stopping you from doing this already.

```
/ip hotspot walled-garden add dst-host=":^www\\.paypal\\.com\$" dst-port=443 action=allow
/ip hotspot walled-garden add dst-host=":^content\\.paypalobjects\\.com\$" dst-port=443 action=allow
/ip hotspot walled-garden add dst-host=*.akamaiedge.net action=allow
/ip hotspot walled-garden add dst-host=paypal.112.2O7.net
```
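The `^`/`$` anchors in the regex entries above are the security-relevant part of a walled garden: the dst-host pattern is matched against whatever hostname the unauthenticated client asks for, so an unanchored pattern such as `:www\.paypal\.com` would also admit `www.paypal.com.attacker.example` and let a client reach arbitrary hosts before logging in. The following is an added example (Python, not code from the post or from RouterOS) that re-implements the two pattern styles used above as a small checker and shows which hostnames each form admits. The sample hostnames are constructed; the matching semantics (a `:` prefix means an unanchored regular expression, a `*.` prefix means any subdomain of the suffix, anything else an exact host) are an assumption about how the walled garden evaluates dst-host.

```python
import re
from typing import List

# The dst-host patterns from the post, written as the regex engine sees them
# (the console's "\\." inside double quotes is "\." in the pattern).
PATTERNS = [
    r":^www\.paypal\.com$",
    r":^content\.paypalobjects\.com$",
    "*.akamaiedge.net",
    "paypal.112.2O7.net",
]

def host_matches(pattern: str, host: str) -> bool:
    """Assumed walled-garden dst-host semantics:
    ':'  prefix -> regular expression, searched (so anchoring is the rule's job)
    '*.' prefix -> any subdomain of the suffix (the apex does not end in ".suffix")
    otherwise   -> exact host, case-insensitive"""
    host = host.lower().rstrip(".")
    if pattern.startswith(":"):
        return re.search(pattern[1:], host, re.IGNORECASE) is not None
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())
    return host == pattern.lower()

def allowed(host: str, patterns: List[str] = PATTERNS) -> bool:
    """Would the walled garden let an unauthenticated client reach `host`?"""
    return any(host_matches(p, host) for p in patterns)

def admitted_by(pattern: str, candidates: List[str]) -> List[str]:
    """Hosts a single pattern admits; used to compare anchored vs unanchored forms."""
    return [h for h in candidates if host_matches(pattern, h)]

# Constructed probe names: the legitimate hosts plus look-alikes an attacker controls.
PROBES = [
    "www.paypal.com",
    "content.paypalobjects.com",
    "www.paypal.com.attacker.example",   # passes an unanchored regex (no '$')
    "evilwww.paypal.com",               # passes a regex without '^'
    "a1.akamaiedge.net",
    "akamaiedge.net",
]

if __name__ == "__main__":
    for h in PROBES:
        print(f"{h:40} {'allow' if allowed(h) else 'drop'}")
    # What the unanchored form of the first rule would have let through:
    print(admitted_by(r":www\.paypal\.com", PROBES))
```

Two caveats a practitioner should keep in mind when copying this configuration: `*.akamaiedge.net` admits every site fronted by that CDN, not only the one you intend, and the last entry has no `action=allow`, so it relies on the default action.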
More specific domains take precedence over less specific domains, so:

```
--server=/google.com/1.2.3.4
--server=/www.google.com/2.3.4.5
```

will send queries for *.google.com to 1.2.3.4, except *www.google.com, which will go to 2.3.4.5.
> Add a feature to the dhcp server that makes it possible to change the default gateway for static leases.

You need to set a static IP address for that lease and add a /32 network for that address with the necessary gateway.
> > Add a feature to the dhcp server that makes it possible to change the default gateway for static leases.
>
> You need to set a static IP address for that lease and add a /32 network for that address with the necessary gateway.

Okay, I saw that it is indeed possible to add another gateway in RouterOS version 6. Too bad that I can't upgrade right now until a few other issues have been resolved in the latest release.
```
[admin@Mikrotik] > ping 127.0.0.1 count=2
  HOST                                     SIZE TTL TIME  STATUS
  127.0.0.1                                  56  64 6ms
  127.0.0.1                                  56  64 5ms
    sent=2 received=2 packet-loss=0% min-rtt=5ms avg-rtt=5ms max-rtt=6ms
```
> when an entry appears in /ip dhcp-server lease you could then launch a script passing internal *id as parameter and do some actions based on it.
> add custom firewall rule etc.
> i know this is a "BIG" feature request, but imagine the possibilities.

There's some undocumented feature:

```
/ip dhcp-server set 0 lease-script=
```
> > when an entry appears in /ip dhcp-server lease you could then launch a script passing internal *id as parameter and do some actions based on it.
> > add custom firewall rule etc.
> > i know this is a "BIG" feature request, but imagine the possibilities.
>
> There's some undocumented feature:
> /ip dhcp-server set 0 lease-script=

1. Why is it undocumented?
> > when an entry appears in /ip dhcp-server lease you could then launch a script passing internal *id as parameter and do some actions based on it.
> > add custom firewall rule etc.
> > i know this is a "BIG" feature request, but imagine the possibilities.
>
> There's some undocumented feature:
> /ip dhcp-server set 0 lease-script=

Wiki includes info about that. I wrote on the board about variables for lease-script before it was published on the wiki.
> Xtables-Addons with GeoIP for Firewall

+1
> Hi, another basic request:
> I work for an ISP, we have to manage a very high number of mikrotik devices.
> We have been using winbox.exe but in our situation looking for the correct device is becoming really frustrating...
> Adding a "search button" to the winbox application could help us..
> Thank you!

We use TheDude to manage MT devices. Makes things much easier than using winbox alone.
> From time to time I wish I could hide "disabled" interfaces in the winbox "Interface list" menu. I think this can be useful when working with new CCR switches and even 2011 RB's.

Use the 'Filter' button, 'Enabled' -> 'is' -> 'yes'.
> Use the 'Filter' button, 'Enabled' -> 'is' -> 'yes'.

If you close the window, it is not saved.
> Does MT support Multiple DHCP Scopes and Multiple IP's on the LAN interface?

Or at least an on-lease script call-out for the dhcp client.
```
:global ifslink 5180,5750,5770,5790,5810,5830,5850,5870,5890
:global ifs5ghz 5390,5410,5430,5450,5470,5490,5510,5530,5550,5570,5590,5610,5630,5650,5670,5690,5180,5750,5770,5790,5810,5830,5850,5870,5890
:global ifs2ghz 2409,2429,2414,2434,2419,2439,2424,2444,2449,2469,2454,2474,2459,2479,2464,2484
```

(The example has even more channels.) But how do I configure this device in winbox?
> I can't understand why all decent routers I have met in my life

You mean SOHO routers? RouterOS is in no way SOHO software, even despite the fact that quite a few Mikrotik routers are targeting the SOHO market.
> MT please please. We need more queue options in PPP profile. For example we need different values in max-limit and limit-at. When using Radius for AAA, dynamic simple queues are now created with the same value at limit-at. It restricts us from doing some QoS and it fights off RouterOS's powerful, intelligent queue features.

I uphold this. I also need in ppp profile an option to specify default packet-marks for simple queue.
> UPS package should be refreshed with more options ... event reporting (mail) would be nice and also possibility to share ups status with other routerboards (and linux boxes running for example apcupsd) over the network so all units could be safely shutdown in case of ups battery exhaustion. After power restoration WOL commands could be issued and so on ...

+1
JF
SSH2 0: hostkey algo not supported: client ssh-dss, server ssh-rsa
> please read my post again, because you completely missed my point. I said - why even bother encrypting it? it will just take a little more time to read. Better deal with your other security hole - why can somebody take your router and do what he pleases?

Are you really so ignorant? Why even bother?
```
/ip firewall connection
 25 tcp  212.77.100.128:80   91.xxx.xxx.xxx:52378   established  2h47m39s
print where src-address=212.77.100.128
/ip firewall connection print where src-address~"212.77.100.128"
```
```
/routing bfd interface> disable 0
failure: cannot disable 'all' interface config
```
> Suricata on CCR

Rumor has it
> Some features have already been requested before, to better manage this, you can register on the Wiki and cast your vote there:
> http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests
> Of course, in addition, it would be great if you also posted a message here, explaining why you need that particular feature. And as usual - search before you post, maybe a topic exists already.

normis,
> Note: Whenever possible, the same ip address is given out to each client (OWNER/INFO pair).

Better if it could be possible for each pool.
> Would be perfect in IP/ROUTES Check-Gateway to be able to specify an IP address other than the default gateway.

It should already be possible using so-called "Recursive routes".
> I seem to have seen an example somewhere in the wiki as well, but can't find it at the moment.

http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
> If I have opened a firewall rule, a button to clone this rule.

You mean the 'Copy' button, which has been there for many years already?..
> Some features have already been requested before, to better manage this, you can register on the Wiki and cast your vote there:
> http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests
> Of course, in addition, it would be great if you also posted a message here, explaining why you need that particular feature. And as usual - search before you post, maybe a topic exists already.

The pages are already deleted.
> Please, create universal versatile graphing that allows the user to set whatever value that is readable in ROS to be graphed. Combined graphing (e.g. CPU, memory and number of connected clients together in one graph) would be something extra!
> And please, ensure that power loss, reboot or ROS upgrade will not erase old graphs. It is still an unsolved bug that emerges very often, still in 6.18 (contemporary latest).

We already have it, it is called SNMP.
> That isn't graceful restart. Graceful restart means "hold your routes until I come back, wait up to x seconds for me to finish my operation then update routes after we reestablish adjacency". The change you requested is best handled with bfd.

I would have to disagree.
> Please, create universal versatile graphing that allows the user to set whatever value that is readable in ROS to be graphed. Combined graphing (e.g. CPU, memory and number of connected clients together in one graph) would be something extra!
> And please, ensure that power loss, reboot or ROS upgrade will not erase old graphs. It is still an unsolved bug that emerges very often, still in 6.18 (contemporary latest).

I would love to see an uptime graph added to the graphing section. That way we don't have to run an extra SNMP machine.
> It would be nice if in /ip service I could set more ip addresses or one address-list

erm, you actually can do this (not with ACLs but with multiple IPs)
> > It would be nice if in /ip service I could set more ip addresses or one address-list
>
> erm, you actually can do this (not with ACLs but with multiple IPs)

Why not just block unwanted access by firewall?
> > Functionality such as DNETMAP
>
> +1

Isn't it already here?.. Just use 'action=netmap' in the 'dstnat' chain...
Please add the ability to set a comment for dynamically added entries in an address list.
This feature would let you, e.g., make a script which resolves blocked IP addresses to their FQDN and puts it into the comment field.

```
[admin@TestPlace] > /ip firewall address-list
[admin@TestPlace] /ip firewall address-list> add list=mylist address=1.1.1.1 dynamic=yes comment="FQDN.HERE"
[admin@TestPlace] /ip firewall address-list> print where list=mylist
Flags: X - disabled, D - dynamic
 #   LIST        ADDRESS        TIMEOUT
 0 D ;;; FQDN.HERE
     mylist      1.1.1.1
[admin@TestPlace] /ip firewall address-list>
```
> MAC Address List. This is very useful especially in a topology where there are multiple subnets.

+1 on the MAC address lists.
> hi, is it possible to have the pppoe server listen on several interfaces instead of one interface..
> i have 7 vlans and i have to have 7 pppoe servers, one for each vlan interface. it would be nice to have one pppoe server for 7 interfaces

Create a bridge, use bridge split horizon to isolate the ports, and create a PPPoE server on that bridge.
> Is OVPN Client side LZO Compression and UDP support somewhere out there in plan? the wiki link is missing.

OVPN Server+Client LZO+UDP+AES
> Feature request:
> Ability to specify boot-file-name on a per static lease basis. This would add much needed flexibility rather than using the global setting at the 'ip dhcp-server network' level where all clients receive the same file.

For now you should be able to create a Network entry per IP with changed settings (just set address=x.y.z.h/32 netmask=24 or something).
> Provide a simple way to use switch chip to do wire-speed IP routing. Although the switch chips can only support limited routing rules, it can serve smaller setups well.

This is interesting. Could you please elaborate?
> Add an option to define, in the radius configuration tab, the IP from which requests to the Radius server will always be sent.
> I have 30 IPs and MT always sends requests to the radius server via the first IP. Sometimes something is wrong and MT tries to send requests via another IP.
> The problem is that on the radius server I have configured rules to only receive radius requests from one IP.

You can already do this...

```
/radius
add address=1.1.1.1 secret=123456 service=login src-address=10.0.0.100
```
> > Add an option to define, in the radius configuration tab, the IP from which requests to the Radius server will always be sent.
> > I have 30 IPs and MT always sends requests to the radius server via the first IP. Sometimes something is wrong and MT tries to send requests via another IP.
> > The problem is that on the radius server I have configured rules to only receive radius requests from one IP.
>
> You can already do this...
> /radius add address=1.1.1.1 secret=123456 service=login src-address=10.0.0.100

Thank you, so if I'm using ppp, my configuration should look like this:

```
/radius
add address=1.1.1.1 secret=passwd service=ppp,login src-address=212.121.121.121
```
> Hi All,
> could you add a "skip" option to the netwatch system, please?
> So when netwatch pings a host and sometimes it has a timeout, the host goes down immediately... and goes up on the next ping. It occurs because of a transmission timeout or something else, but the host isn't inaccessible.
> If we had a "skip" option set to "3" for example, then the system could skip 3 timeouts and the host doesn't go down on a simple ping timeout until it has had 3 timeouts. When "skip" is "0" everything works the same as before.
> thank you much!
> Gabor

I second this! It has been asked before but it might serve to post this again. The same counts for the `watchdog` feature. We should have the option to set the 'time' of a timeout and the number of timeouts.
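The "skip" option described in the post is a consecutive-failure threshold: a host is declared down only after `skip + 1` probes in a row have timed out, while a single reply brings it back up. This is the asymmetry the poster wants (noise cannot take the host down, but recovery is immediate). The following is an added example (Python, not RouterOS code and not part of the original post) that models a netwatch-style tracker with that option and replays a constructed probe history through it, so the difference between `skip=0` (current behaviour) and `skip=2` is visible as the list of up/down transitions that would have fired the up/down scripts.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Netwatch:
    """Netwatch-style host tracker with the proposed 'skip' option (assumed semantics)."""
    skip: int = 0                      # timeouts to tolerate before declaring the host down
    up: bool = True                    # current state
    failures: int = 0                  # consecutive failed probes so far
    transitions: List[Tuple[int, str]] = field(default_factory=list)   # (probe index, "up"/"down")

    def probe(self, index: int, ok: bool) -> None:
        if ok:
            if not self.up:                       # one reply is enough to recover
                self.up = True
                self.transitions.append((index, "up"))
            self.failures = 0                     # any reply resets the failure run
            return
        self.failures += 1
        if self.up and self.failures > self.skip: # only the (skip+1)-th timeout in a row fires
            self.up = False
            self.transitions.append((index, "down"))

def run(results: List[bool], skip: int) -> List[Tuple[int, str]]:
    """Replay a sequence of probe outcomes (True = reply, False = timeout)
    and return the transitions that would have run the up/down scripts."""
    nw = Netwatch(skip=skip)
    for i, ok in enumerate(results):
        nw.probe(i, ok)
    return nw.transitions

# Constructed probe history: two isolated timeouts (noise at probes 2 and 5),
# then a real outage spanning probes 7..10, then recovery.
HISTORY = [True, True, False, True, True, False, True,
           False, False, False, False, True, True]

if __name__ == "__main__":
    for skip in (0, 2):
        print(f"skip={skip}: {run(HISTORY, skip)}")
```

With `skip=0` the host flaps three times (down at probes 2, 5 and 7); with `skip=2` only the genuine outage is reported (down at probe 9, up at 11). The trade-off is detection latency: a real failure is noticed `skip` probe intervals later, which is the same knob the reply above asks for in `watchdog`.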
> Being able to set the RADIUS source IP to an interface instead of an explicit IP address would be useful... for me, at least!
> We have ROS boxen that speak RADIUS over a VPN to our freeradius servers; if I could set the RADIUS request source IP to the VPN interface, it would make for simpler "cookie cutter" config when rolling such things out or making changes.

If you're doing this as part of the deployment it's probably better (IMHO) to use part of the config script to determine the IP address for that interface and set it up, because it's a once-off, while your IP address on an interface could change (or an interface could have multiple IPs).
> also would personally welcome more updated/actual Active queues in RouterOS to handle/combat/prevent network congestion, rather than the static/notorious RED algo/type present already, which is unusable for production for a number of reasons.
> for example, RRED would be nice, as well as other adaptive, attack/flooding-proof variants of AQM.
> also about moving RouterOS from vanilla Linux kernels to Zero Overhead Linux gossips - are there actually such plans yet?
> (this thing http://www.tilera.com/sites/default/fil ... aper_0.pdf meant, to be exact/specific)
> also finishing/completing BFG routing implementation (auth and echo ?) also may be handy.

AQM... codel and fq_codel... the power that this can add, to the power user, and to a wizard setup, would just be an insane seller...
> Route availability based on a remote IP.
> ...
> It would help very much in regards to failover.

You can do it using a recursive next hop/netwatch.
> Route availability based on a remote IP.
> I would like to have route availability based on some other IP. Let's say you add a new option below Check Gateway that would be something like check another gateway (my gateway's gateway for example) or just any other IP like 8.8.8.8. And if that IP becomes unavailable over that specific route it can make it unreachable/inactive so another route with higher Distance can take charge. The Check Gateway option does not work when your provider puts a router on your premises. And if the provider's router loses connection to its remote router, you still have your gateway (because you have a router on your premises) and so for you, the gateway is reachable, but you actually don't have internet access and that route looks good.
> It would help very much in regards to failover.

+1
> I know that currently this can be achieved by using Netwatch and some scripting but it would be much easier if it were available directly on the route's properties.

It is available even without scripting: http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
> Thanks, I wasn't aware of that!
> Still, it would be easier to just be able to define what IP to probe for a specific route, rather than having to create extra static routes and play with scope to achieve this (if I understand the wiki page correctly)

Well, even with the option to ping some specific address (other than the GW) you would still need to create a /32 route that forces the test target via a particular interface, or else the route will flap as the GW points to the failed link, ping fails, route changes to backup path, ping starts working (via backup), primary route is re-activated, pings fail, etc etc etc.
> Well, even with the option to ping some specific address (other than the GW) you would still need to create a /32 route that forces the test target via a particular interface, or else the route will flap as the GW points to the failed link, ping fails, route changes to backup path, ping starts working (via backup), primary route is re-activated, pings fail, etc etc etc.

The idea is that for the 'ping address' you define on the route, the pings to it will always go through that route's gateway address/interface.
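The exchange above turns on one detail of the recursive next-hop recipe: the probe address (8.8.8.8 in the thread) must be pinned to the primary ISP with a /32 route, otherwise the check either never resolves or is answered over the backup path and says nothing about the primary link. The following is an added example (Python, not RouterOS code and not from the wiki page linked above) that models a route table with `scope`/`target-scope` resolution and `check-gateway`, and evaluates three tables: the pinned recipe, the same without the /32 using the default target-scope, and the same without the /32 but with target-scope widened to 30. The topology, link states and prefixes are constructed; the resolution rule assumed is the documented one (a gateway may only be resolved through routes whose scope is not greater than the dependent route's target-scope, and never through the route itself).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Route:
    dst: str                    # prefix, e.g. "0.0.0.0/0"
    gateway: str                # next-hop address, which may itself need resolving
    distance: int = 1
    scope: int = 30             # RouterOS default for static routes
    target_scope: int = 10      # RouterOS default
    check_gateway: bool = False
    active: bool = True

def lookup(table: List[Route], addr: str, max_scope: int, exclude: Optional[Route] = None) -> Optional[Route]:
    """Longest-prefix, then lowest-distance match among active routes with
    scope <= max_scope, skipping `exclude` (a route cannot resolve via itself)."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.dst)
        if r is exclude or not r.active or r.scope > max_scope or ip not in net:
            continue
        if net.prefixlen > best_len or (net.prefixlen == best_len and r.distance < best.distance):
            best, best_len = r, net.prefixlen
    return best

def egress_link(table: List[Route], route: Route, links: Dict[str, str]) -> Optional[str]:
    """Follow the gateway recursively until it is a directly connected next hop."""
    gw, scope = route.gateway, route.target_scope
    for _ in range(8):                              # loop guard
        if gw in links:
            return links[gw]
        via = lookup(table, gw, scope, exclude=route)
        if via is None:
            return None                             # gateway unreachable
        gw, scope = via.gateway, via.target_scope
    return None

def evaluate(table: List[Route], links: Dict[str, str], link_up: Dict[str, bool]) -> Tuple[Optional[str], Optional[str]]:
    """Apply check-gateway to each checked route (its probe succeeds only if the
    link its own gateway resolves to is up), then return (gateway of the default
    route that wins, link the traffic really leaves on)."""
    for r in table:
        if r.check_gateway:
            r.active = True                         # re-resolve from scratch each pass
            link = egress_link(table, r, links)
            r.active = link is not None and link_up.get(link, False)
    chosen = lookup(table, "203.0.113.1", 255)      # any internet destination (TEST-NET-3)
    if chosen is None:
        return None, None
    return chosen.gateway, egress_link(table, chosen, links)

# Constructed topology: ISP1 gateway 10.1.1.1 on ether1, ISP2 gateway 10.2.2.1 on ether2.
LINKS = {"10.1.1.1": "ether1", "10.2.2.1": "ether2"}

def pinned() -> List[Route]:
    """The recursive-route recipe: a /32 pins the probe address to ISP1."""
    return [
        Route("8.8.8.8/32", "10.1.1.1", scope=10),
        Route("0.0.0.0/0", "8.8.8.8", distance=1, check_gateway=True),
        Route("0.0.0.0/0", "10.2.2.1", distance=2),
    ]

def unpinned(target_scope: int) -> List[Route]:
    """Same without the /32: the probe address is only reachable via a default route."""
    return [
        Route("0.0.0.0/0", "8.8.8.8", distance=1, target_scope=target_scope, check_gateway=True),
        Route("0.0.0.0/0", "10.2.2.1", distance=2),
    ]

if __name__ == "__main__":
    for name, factory in (("pinned", pinned), ("unpinned ts=10", lambda: unpinned(10)), ("unpinned ts=30", lambda: unpinned(30))):
        for isp1_up in (True, False):
            state = {"ether1": isp1_up, "ether2": True}
            print(f"{name:15} ether1 {'up  ' if isp1_up else 'down'} -> {evaluate(factory(), LINKS, state)}")
```

The pinned table fails over correctly (8.8.8.8 via ether1 while ISP1 is up, 10.2.2.1 via ether2 when it is down). Without the /32 and with the default target-scope the checked route never resolves, so ISP2 is used even while ISP1 is healthy; with target-scope widened to 30 the primary route stays active with ISP1 down because its probe is answered over ether2, which is the flapping scenario described above reduced to a single pass.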
> I don't know if anyone requested adding DPI or User activity monitor but anyway can we have this feature Please.

RouterOS is for routing, DPI is part of a UTM or NGFW solution.
> Some time ago the possibility to change dynamic simple queues was removed, so my script which adds the "packet-marks" parameter stopped working.

What do you use them for?
> > I don't know if anyone requested adding DPI or User activity monitor but anyway can we have this feature Please.
>
> RouterOS is for routing, DPI is part of a UTM or NGFW solution.

I would call that bullshit.
> > Some time ago the possibility to change dynamic simple queues was removed, so my script which adds the "packet-marks" parameter stopped working.
>
> What do you use them for?

I want to exclude some traffic from the rate limitation (so-called local traffic). I used to mark non-local traffic and add the packet mark to all dynamic queues. Now it is not working. Please advise.
> > > Some time ago the possibility to change dynamic simple queues was removed, so my script which adds the "packet-marks" parameter stopped working.
> >
> > What do you use them for?
>
> I want to exclude some traffic from the rate limitation (so-called local traffic). I used to mark non-local traffic and add the packet mark to all dynamic queues. Now it is not working. Please advise.

Create a queue for local traffic and put it at the top. It will catch all local traffic, and all the rest will be caught by the 'personal' queues.
> Create a queue for local traffic and put it at the top. It will catch all local traffic, and all the rest will be caught by the 'personal' queues.

Cool! It seems to work. Much simpler and (as I suspect) faster. Thanks a lot!

p.s. If you don't set any limits on that queue, don't forget to change at least something (like queue type) for this queue to actually work.
> 1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.

Just add one more Radius Server entry with the same settings.
> Fasttracking the traffic you want to be excluded from queues is much more efficient.
> But keep the exclusion queue for the cases when some connections couldn't be fasttracked.

I have turned off connection tracking for most connections (using the raw table), so it won't be efficient in my case.
> Hi There,
> We are using a Supermicro 5018 MLNT4 (https://www.supermicro.com/products/sys ... -MLTN4.cfm) with onboard C2000 SoC I354 Quad Nic.
> This nic is not supported... PLEASE ADD THE DRIVERS !

Your best bet there is to install a hypervisor on that server and run the CHR rather than the standard x86 ROS. Not only will you be able to use the onboard NICs, but you'll also be able to use more than 2GB RAM, and set up multiple instances so you can run in high availability.
> > 1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.
>
> Just add one more Radius Server entry with the same settings.

Hi guys,
I created a second Radius Server with identical settings and changed the IP to an IP that is actually held by the same server, then I disabled the first entry, but mikrotik reports "Radius Server not responding". When I check the radius server logs, it shows it authenticates correctly.
> I'd like to see a dummy network interface like the one available in the generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).
> If all physical interfaces are DHCP it might simplify things to be able to assign a static address to an internal interface to make routing and firewall rules simpler.

Just create a bridge (call it Loopback1) and assign an address to it.
> how about adding an icon "L" next to each firewall-mangle-nat rule so that you can see easily whether this rule is "logged" or not.

Right Click -> Show Columns -> Log. Voila!
> Add a button to easily toggle logging for a rule. I often need logging rules that I only quickly turn on and off again, to catch just a few packets.

As a workaround you may enable logging in the rule and then just press 'Undo' to disable it after a few seconds.
> Right Click -> Show Columns -> Log. Voila!

You're right, it's there. But not visible by default and too far to the right and "lost" between other columns when enabled. Since logging is a useful option available for all rules, IMHO it would deserve a more prominent place. But ok, it is usable this way.
> > I'd like to see a dummy network interface like the one available in the generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).
> > If all physical interfaces are DHCP it might simplify things to be able to assign a static address to an internal interface to make routing and firewall rules simpler.
>
> Just create a bridge (call it Loopback1) and assign an address to it.

True dat. Thanks. Actually realized this almost immediately after posting. Still, for whatever reason, in Linux there is a dummy interface in addition to bridge. I wonder if there is some overhead involved.
> Is it possible to add /ip cloud ddns to x86 ROS?

This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on the RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.
> > Is it possible to add /ip cloud ddns to x86 ROS?
>
> This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on the RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.

I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct.
> I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct.

No, you don't. Software ID is not the same as hardware serial number.
```
/ip service set dns address=192.168.0.0/24 disabled=no
```

> Please implement this command:
> /ip service set dns address=192.168.0.0/24 disabled=no

+1 MT by default being an open resolver is a HUGE pita. You can't expect an ISP with thousands of customers to protect them all, and you can't expect thousands of Mikrotik users to know how to protect their router either. I know of multi 10Gb/s ISPs that went down completely due to MT being used in DNS amplification attacks.
> Would like every service MT runs (SMB, Socks, Proxy, DNS, etc.) to all have ACLs in /ip services AFAIK, and would be good to have it 'locked down' by default to say 192.168.1.0/24 seeing that the default IP on hardware devices is 192.168.1.1/24.

Afaik the factory default is 192.168.88.1/24, but I agree. On the other hand, DNS on MK is a totally obsolete service. Running a DNS service on an internet gateway is fundamentally a security risk. It also does not support modern features like DNSSEC, so I would rather go with Unbound or Knot running on a dedicated host.
> On the other hand, DNS on MK is a totally obsolete service. Running a DNS service on an internet gateway is fundamentally a security risk.

As is the NTP server (the ntp server magically disappeared from ROS in some version), web proxy, socks (really now, who still uses socks?), smb, and I'm sure other things too. Unfortunately, that seems to be what consumers want. Just really wish we could have all these things in separate packages so that we don't have to always have them installed.
> Another good one, IMHO...
> Route-Filters - have the ability to synchronize prefixes received/withdrawn to dynamic access-lists.
> This gives us the ability to very easily match entire ASNs in firewall rules

This has been requested, and confirmed by Mikrotik for routing filters in v7.
> > Another good one, IMHO...
> > Route-Filters - have the ability to synchronize prefixes received/withdrawn to dynamic access-lists.
> > This gives us the ability to very easily match entire ASNs in firewall rules
>
> This has been requested, and confirmed by Mikrotik for routing filters in v7.

Oh fantastic! So, when can I get v7 then?
dst-address-type=local

> Filtering packets in chain=input can affect srcnat. So it would be nice to limit filtering to the local router's IP addresses. But it would be hard to maintain such a list of addresses if the router's configuration is changed from time to time.
> So here goes a feature request: an automatic address-list "local-router" (or similar name) which is generated automatically from the local IP addresses of the router.
> And this one can also be used if you have a dynamic WAN address.

There is the option:

```
src-address-type (unicast | local | broadcast | multicast; Default: )
Matches source address type:
    unicast   - IP address used for point to point transmission
    local     - if address is assigned to one of router's interfaces
    broadcast - packet is sent to all devices in subnet
    multicast - packet is forwarded to defined group of devices
```
> > It will be good if RouterOS will have integrated brute force protection and filter.
>
> It does
> http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Nice!
> > Another good one, IMHO...
> > Route-Filters - have the ability to synchronize prefixes received/withdrawn to dynamic access-lists.
> > This gives us the ability to very easily match entire ASNs in firewall rules
>
> This has been requested, and confirmed by Mikrotik for routing filters in v7.

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
> Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?

yes
> It will be good if RouterOS will have integrated brute force protection and filter.

Most definitely! The current "implementation of brute force protection" is a joke. A counter on port visits as opposed to actually checking whether the login succeeds or not.
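The objection in the post above is that the wiki recipe counts new TCP connections to the service port rather than failed logins, so a legitimate admin who opens several sessions is treated the same as an attacker, and an attacker who pipelines guesses inside one session is not counted at all. The following is an added example (Python, not RouterOS code and not the wiki's recipe) of the alternative: read the router's own log, count consecutive failed logins per source address, reset the count on a successful login from that address, and emit the address-list commands that a `chain=input` drop rule would consume. The log lines are constructed in the shape RouterOS writes them (`login failure for user X from A.B.C.D via ssh`, `user X logged in from A.B.C.D via ssh`); the threshold, the list name and the timeout are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

LOGIN_FAIL = re.compile(r"login failure for user (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) via (?P<svc>\S+)")
LOGIN_OK   = re.compile(r"user (?P<user>\S+) logged in from (?P<src>\d+\.\d+\.\d+\.\d+) via (?P<svc>\S+)")

# Constructed sample log (RouterOS-style topics and message text; addresses are
# documentation ranges). 198.51.100.7 is guessing, 192.0.2.10 is an admin typo,
# 203.0.113.9 is two failures via the web UI.
SAMPLE_LOG = """\
jan/02 10:00:01 system,error,critical login failure for user admin from 198.51.100.7 via ssh
jan/02 10:00:02 system,error,critical login failure for user admin from 198.51.100.7 via ssh
jan/02 10:00:03 system,error,critical login failure for user root from 198.51.100.7 via ssh
jan/02 10:00:04 system,error,critical login failure for user admin from 198.51.100.7 via ssh
jan/02 10:00:05 system,error,critical login failure for user admin from 198.51.100.7 via ssh
jan/02 10:01:00 system,error,critical login failure for user ops from 192.0.2.10 via winbox
jan/02 10:01:07 system,info,account user ops logged in from 192.0.2.10 via winbox
jan/02 10:02:00 system,error,critical login failure for user admin from 203.0.113.9 via www
jan/02 10:02:01 system,error,critical login failure for user admin from 203.0.113.9 via www
"""

def failures_by_source(log: str) -> Dict[str, int]:
    """Consecutive failed logins per source address. A successful login from
    that address resets its count, so one mistyped password is not an attack."""
    counts: Dict[str, int] = defaultdict(int)
    for line in log.splitlines():
        m = LOGIN_FAIL.search(line)
        if m:
            counts[m.group("src")] += 1
            continue
        m = LOGIN_OK.search(line)
        if m:
            counts[m.group("src")] = 0
    return {src: n for src, n in counts.items() if n > 0}

def offenders(log: str, threshold: int = 4) -> List[str]:
    """Sources at or above the failure threshold, sorted for stable output."""
    return sorted(src for src, n in failures_by_source(log).items() if n >= threshold)

def block_commands(log: str, threshold: int = 4,
                   list_name: str = "login-bruteforce", timeout: str = "1d") -> List[str]:
    """RouterOS commands adding each offender to an address-list (assumed list name
    and timeout); a separate filter rule in chain=input drops src-address-list matches."""
    return [f'/ip firewall address-list add list={list_name} address={src} '
            f'timeout={timeout} comment="failed logins"'
            for src in offenders(log, threshold)]

if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOG))
    for cmd in block_commands(SAMPLE_LOG):
        print(cmd)
```

Counting per source is still bypassable by an attacker who spreads guesses over many addresses and stays under the threshold at each, so in practice pair this with a global failure-rate alarm and keep management services off the WAN entirely where possible.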
> > Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
>
> yes

Great, any chance we'll see acl's (filter groups) as well?
> > > Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
> >
> > yes
>
> Great, any chance we'll see acl's (filter groups) as well?

What is that? ACLs are IP Firewall (Filter, Mangle, NAT). What else do you need?
> There is the option:
> src-address-type (unicast | local | broadcast | multicast; Default: )
> local - if address is assigned to one of router's interfaces

Cool, thanks! I'll use this feature.
> > > > Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
> > >
> > > yes
> >
> > Great, any chance we'll see acl's (filter groups) as well?
>
> What is that? ACLs are IP Firewall (Filter, Mangle, NAT). What else do you need?

The ability to utilize grouping of, for example, firewall filters is a matter of making network management more manageable and perspicuous, thus this is especially useful in complex environments. If you're familiar with Cisco ACL Object Groups you probably know what I mean...
```
Ethernet eth1 = router.hardware.ether1;
eth1.ip.address = "192.168.0.1";
eth1.status = enabled;
log("Eth1 - current speed: " + eth1.speed);
```
> Nice list, but you have to ask yourself - do you want to see RouterOS v7 before or after 2020?

Well, most definitely not before 2020 if they choose to develop everything from scratch.
> The trouble with working prototypes is that while you can create one in a couple of days, you then need a couple of months to turn them into something you can share with others, and much more if you want to reliably tackle all corner cases. I imagine there are quite a few in something of RouterOS's size. So while I hope to see some of your suggestions make it into v7, I think a lot of others can be just a distant dream for v8 or so.

Yeah, the prototype is usually just a part of a POC they probably did ages ago. If they are smart, they'll release a version that will match the functionality in v6 and continue from there when things have stabilised. One thing is for sure, the folks at marketing will have to cope with all the people that have extremely high expectations of v7 and that believe it will solve all problems in the world!
> RFC 3021

What about this workaround? http://forum.mikrotik.com/viewtopic.php?t=7367#p32149. You might even save some addresses...
> IPSec Policy with ADDRESSLIST

feature instead of 1 policy per subnet on the same VPN peer, as I have 1 customer with around 150 subnets and this is a total overkill for searching through policies.