Feature requests

Fri Jun 17, 2016 5:43 am

Route availability base on an remote IP.
...
It would help very much in regards to failover.

You can do it using a recursive next hop/net watch.

teddyhsu · Mon Jun 20, 2016 11:52 am

Hi,

I need a sequence number for ip hotspot wall-garden and wall-garden ip list on winbox.
It can be very useful on debug wall-garden list issue.

Cha0s · Mon Jun 20, 2016 3:52 pm

Route availability base on an remote IP.

I would like to have route availability based on some other IP. Let's say you add a new option below Check Gateway that would be something like check another gateway (my gateway's gateway for example) or just any other IP like 8.8.8.8. And if that IP becomes unavailable over that specific route it can make it unreachable/inactive so other route with higher Distance can became in charge. Check Gateway option does not work when your provider puts router on your premises. And if provider's router loses connection to it's remote router, you still have your gateway (because you have a router on your premises) and so for you, gateway is reachable, but you actually don't have internet access and that route looks good.

It would help very much in regards to failover.

+1

I know that currently this can be achieved by using Netwatch and some scripting but it would be much easier if it were available directly on the route's properties.

Chupaka · Mon Jun 20, 2016 4:33 pm

I know that currently this can be achieved by using Netwatch and some scripting but it would be much easier if it were available directly on the route's properties.

it is available even without scripting: http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

Cha0s · Mon Jun 20, 2016 4:39 pm

Thanks, I wasn't aware of that!

Still, it would be easier to just be able to define what IP to probe for a specific route, rather than having to create extra static routes and play with scope to achieve this (if I understand the wiki page correctly)

toodark · Tue Jun 21, 2016 12:35 pm

nginx package/service

I'd really like to have an nginx server inside (or at least as an add on package) in routeros. It opens up endless possibilities for application level based forwarding, reverse proxying, caching etc. I believe it's also useful for home users when they have only a single public ip: this way internal http based services could be easily mapped into a single ip.
I'm aware that one might achieves this by installing an openwrt meta package then install nginx into it, but I feel that would be a huge waste of resources.
thanks

Tue Jun 21, 2016 9:30 pm

Thanks, I wasn't aware of that!

Still, it would be easier to just be able to define what IP to probe for a specific route, rather than having to create extra static routes and play with scope to achieve this (if I understand the wiki page correctly)

Well, even with the option to ping some specific address (other than the GW) you would still need to create a /32 route that forces the test target via a particular interface, or else the route will flap as the GW points to failed link, ping fails, route changes to backup path, ping starts working (via backup), primary route re-activated, pings fail, etc etc etc.

freemannnn · Tue Jun 21, 2016 9:47 pm

I want a color like blue when queue is in burst mode

Cha0s · Tue Jun 21, 2016 10:12 pm

Well, even with the option to ping some specific address (other than the GW) you would still need to create a /32 route that forces the test target via a particular interface, or else the route will flap as the GW points to failed link, ping fails, route changes to backup path, ping starts working (via backup), primary route re-activated, pings fail, etc etc etc.

The idea is that for the 'ping address' you define on the route, the pings to it will always go through that route's gateway address/interface.
If that route's gateway/interface is unreachable/down then the 'ping address' shouldn't get routed via any other route (even if there is another route to it). Otherwise it would be useless apparently (as you described).

In terms of the linux kernel and its networking, yes, obviously there needs to be a /32 route to that 'ping address' via that gateway/interface, and I would also add a second 'unreachable' route with distance 2 so that it won't get routed via another less specific route when the first route is down.
But all that could be handled/abstracted by routeros iteself in the background and not shown in /ip route (that would be confusing otherwise).
And all that in a way that those /32s don't interfere with other traffic to that IP (ie different/hidden routing tables).

The end result would be less work for the end user/admin, less room for errors and a much cleaner/intuitive configuration.

It believe it shouldn't be that difficult to implement.
But I wouldn't really mind if it weren't (since it can be achieved by other means, as mentioned already).
I just find it a useful feature

Besides, many things were added over the years that could be implemented via scripting or other methods and simplified our lives. Just to name a few: dns names on vpn intefaces, interface lists, dynamic dns client, automatic tcp mss clamping on tunnels, automatic ipsec setup on tunnels, etc, etc, etc).
Did anybody object to those because they already had scripts for them?

I know I didn't (even if it took me a looong time to replace my already stable scripts to those new features - which are very useful of course!)

Wed Jun 22, 2016 3:56 am

Oh I'm ALWAYS in favor of making things 'just work right' via the usual config, especially overy scheduled scripts.

I think the suggestion is a good idea. I was simply adding to the other comment that a netwatch can accomplish the goal - noting that even specifying a remote ping target requires one more piece.

If implemented, I would expect to see a dynamic static /32 route in the routing table, and a dynamic secondary /32 blackhole.

parham · Wed Jun 22, 2016 11:58 am

I don't know if anyone requested adding DPI or User activity monitor but anyway can we have this feature Please.

Wed Jun 22, 2016 2:11 pm

I don't know if anyone requested adding DPI or User activity monitor but anyway can we have this feature Please.

RouterOS is for routing, DPI is part of a UTM or NGFW solution.

MikeFF · Thu Jun 23, 2016 12:21 am

I hope they can add two things for the new RouterOS versions

One, Is that the OVPN client could support UDP connections, this because the OpenVPN servers in Linux (used plenty in all over the world) use this as default, and it will be pretty good feature to choose one of those in the config

Two, support TLS connections trough OVP Client, ussing ta.key for authentication, this is a very good security feature that is used also in OpenVPN.
No hand shake, no risk to be hacked or steal the certificates.....

I hope you can consider my suggestions.

Thanks a lot

lavv17 · Fri Aug 26, 2016 1:07 pm

Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-marks" parameter stopped working.

Is it possible to create a template for the dynamic simple queues which are created for PPPoE users, so that I can specify some parameters like "packet-marks" or "queue" or "parent" there?

Chupaka · Fri Aug 26, 2016 1:56 pm

Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-parks" parameter stopped working.

what do you use them for?

Zorro · Sat Aug 27, 2016 5:47 pm

I don't know if anyone requested adding DPI or User activity monitor but anyway can we have this feature Please.
RouterOS is for routing, DPI is part of a UTM or NGFW solution.

i would call that bullshit.
you can't leave "bare naked" even backbone( even within private, isolated corporate network of), let alone border and etc. proportions are differ and hardware resources to cruch them, but generally thats Essential ANYWHERE. and anyone who underestimates that - will get hard/harsh lesson, im afraid.

lavv17 · Tue Aug 30, 2016 12:03 pm

Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-parks" parameter stopped working.
what do you use them for?

I want to exclude some traffic from the rate limitation (so called local traffic). I used to mark non-local traffic and add the packet mark to all dynamic queues. Now it is not working. Please advise.

Chupaka · Tue Aug 30, 2016 5:11 pm

Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-parks" parameter stopped working.
what do you use them for?
I want to exclude some traffic from the rate limitation (so called local traffic). I used to mark non-local traffic and add the packet mark to all dynamic queues. Now it is not working. Please advise.

create a queue for local traffic and put it on the top. it will catch all local traffic, and all the rest will be caught by 'personal' queues

p.s. if you won't set any limits on that queue, don't forget to change at least something (like queue type) for this queue to actually work

lavv17 · Mon Sep 05, 2016 11:26 am

create a queue for local traffic and put it on the top. it will catch all local traffic, and all the rest will be caught by 'personal' queues
p.s. if you won't set any limits on that queue, don't forget to change at least something (like queue type) for this queue to actually work

Cool! It seems to work. Much simpler and (as I suspect) faster. Thanks a lot!

Mon Sep 05, 2016 11:56 am

Fasttracking that traffic you want to be excluded from queues is much more efficient.
But keep the exclusion queue for the cases when some connections couldn't be fasttracked.

mpreissner · Mon Sep 05, 2016 5:46 pm

Please add support for EAP types on VPN connections as you do for wireless. Without EAP support, many security features such as NAP enforcement (using Microsoft NPS as RADIUS) won't work. Specifically, we need support for PEAP and EAP-MSCHAPv2 to get NAP working.

Also consider allowing the ability to set the NAS-Port-Type RADIUS attribute for VPN connections. Currently, ROS sends a NAS-Port-Type of Async for VPN connections. While this might be appropriate for a Dial-Up PPPoE, it is not appropriate for non-Dial-Up VPN connections, and would give us more flexibility in configuring access policies when using Microsoft NPS as a RADIUS server.

kimdobranski · Mon Sep 05, 2016 10:42 pm

When setting up a radius server, I *really,really,really* need these

1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.

2) i would like the option of putting a DNS instead if an IP (ie. radius1.myradiusserver.com, radius2.myradiusserver.com) in the address field.

kimdobranski · Mon Sep 05, 2016 10:45 pm

Need the WAN MAC address of the ROUTER (not the client) available as a hotspot variable.

Chupaka · Tue Sep 06, 2016 12:20 am

1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.

just add one more Radius Server entry with the same settings

DmitryAVET · Tue Sep 06, 2016 10:53 am

please add custom name for MAC-adresses and some detailed info about wireless client, like in ubnt unifi

lavv17 · Tue Sep 06, 2016 12:28 pm

Fasttracking that traffic you want to be excluded from queues is much more efficient.
But keep the exclusion queue for the cases when some connections couldn't be fasttracked.

I have turned off connection tracking for most connections (using raw table), so it won't be efficient in my case.

opteron · Tue Sep 06, 2016 5:04 pm

Hi There,

We are using a Supermicro 5018 MLNT4 (https://www.supermicro.com/products/sys ... -MLTN4.cfm) with onboard C2000 SoC I354 Quad Nic.
This nic is not supportes... PLEASE ADD THE DRIVERS !

mpreissner · Wed Sep 07, 2016 1:33 am

Hi There,

We are using a Supermicro 5018 MLNT4 (https://www.supermicro.com/products/sys ... -MLTN4.cfm) with onboard C2000 SoC I354 Quad Nic.
This nic is not supportes... PLEASE ADD THE DRIVERS !

You're best bet there is to install a hypervisor on that server and run the CHR rather than the standard x86 ROS. Not only will you be able to use the onboard NICs, but you'll also be able to use more than 2GB RAM, and set up multiple instances so you can run in high availability.

That being said, you should have researched hardware compatibility before buying a server.

SystemErrorMessage · Mon Sep 12, 2016 1:25 am

DNScrypt for those filtering ISPs and for added DNS security.
Allowing the installation of software and user made libraries (perhaps java?)
Switch based STP variants and fixing route learning (all devices connected to CRS lose internet connectivity but not LAN when changing port router uses).

I know these have been asked for but for DNScrypt nothing is being said anything about despite a significant number of request (even consumer routers are using it).

Mikrotik needs to be ahead when it comes to network related features compared to what openwrt and consumer routers offer. Cant call yourselves a cisco alternative if its missing features. it doesnt need to come with printer and file sharing in the box (but software from others if can be installed can provide this feature).

joca · Mon Sep 12, 2016 4:07 pm

There is a possibility UPnP create firewall rules Only For Private ips ?

lavv17 · Mon Sep 12, 2016 4:12 pm

I'd like to have a new feature: "graceful reboot".

Things to do before actual reboot:
1. disconnect ppp users (while not accepting new ones)
2. transition vrrp to backup state
3. disable external bgp peers
4. wait for routing convergence

Without these, there is a time frame when traffic loops and/or goes to a black hole; ppp users experience an abnormal connection termination.
Currently I have a script to do it, but it would be better to have it in the RouterOS.

hoop-banger · Tue Sep 13, 2016 1:06 pm

This one is related to winbox. Please make internal taskbar in winbox that show opened windows.

Please see attached picture, taskbar is added in photo editor.

Staj · Wed Sep 14, 2016 8:49 am

DHCP Half-Bridge. LTE support is all well and good but without it, makes it hard to integrate into existing networks.

2dfx · Thu Sep 15, 2016 4:55 pm

Hi all!
What about grouping rules in Winbox like in Microsoft TMG?
It's will be a great features!

See "Web Access Policy Group"

ppereira · Thu Sep 15, 2016 6:27 pm

1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.
just add one more Radius Server entry with the same settings

Hi guys,

Using it like this , the next radius server will be used only when the first did not answer.

There is a way to configure it to be distributed the radius events ... like i configure 4 radius server .. and all radius traffic be process / 4 ?
Client 1 -> radius 1
Client 2 -> radius 2
Client 3 -> radius 3
Client 4 -> radius 4
Client 5 -> radius 1 ....

got it ?

I´m not saying that the actual way it works is bad or good i´m just thinking that could be nice have this option.

SiB · Fri Sep 16, 2016 12:51 pm

Add more details into System > History like:

More details in Action, the "filter rule changed" is to short, enter the details of the rule
Action Tab should write about "Delete/Insert/Add/Move 5 rules" with description like chain/comment/etc.
If I work on SafeMode then the history entry should be have a flag SafeMode - I know what will be safe or drop

kimdobranski · Sat Sep 17, 2016 12:44 am

1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.
just add one more Radius Server entry with the same settings

I created a second Radius Server with identical settings and changed the ip to an IP that is actually held by the same server, then i disabled the first entry, but mikrotik reports "Radius Server not responding". When i check the radius server logs, it show its authenticates correctly.

The radius server is set to listen on all ips and that is working, but for some reason the mikrotik is not receiving the response after the radius authenticates.

lavv17 · Mon Sep 19, 2016 3:08 pm

Hello!

Nice features to have:
1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
2. NAT parameter to-addresses could refer to an IP pool.

LeoCombes · Tue Sep 20, 2016 6:34 pm

DHCP accounting through Radius

Would be nice if the routerOS dhcp-server allow logging with radius accounting.
We use dhcp-server from mikrotik (no radius auth) and we need have a log of each IP we offer to each client and when, through radius.

NOTE: accounting != auth

Accounting send "log" for each IP address leased or unleased to Radius server, regardless if IP address is served from external radius server or internal mikrotik DHCP server.

http://forum.mikrotik.com/viewtopic.php?f=19&t=85721

payam124 · Fri Oct 14, 2016 3:56 pm

CloudFlare is about removing its API version 1 which allowed users to use get-only requests to modify settings.
I used an script + cloudflare free account to run my dynamic DNS

now in their new API, it is required to send header and ... https://api.cloudflare.com/#dns-records ... dns-record

it would be great if curl support become available

another reference: http://forum.mikrotik.com/viewtopic.php?t=108480

Harlong · Wed Oct 19, 2016 8:12 am

In any scripts for WAN failover, there's some difference for ipv4 and ipv6. When we test some host with /ping, we should know, what protocol (4 or 6) we use. For now, the only solution is to hardcode ipv4 or ipv6 addresses into script, hostnames can not be used, because we can not control, which address will be returned from :resolve.

So, it would be great, if :resolve command will have a parameter to resolve only ipv6(AAAA), only ipv4(A), or both(ANY).

Kevo · Mon Nov 07, 2016 12:13 am

Could we get a quickset mode for travel router. I'd like to have a mode that let's someone take a map lite and go to quickset and use it to log into the hotel wireless and have wireless repeater mode setup with an SSID they can log into for their devices. Ethernet could be setup with an option for local device access or hotel internet access if wired access exists in the room.

Right now there isn't really a mode that fits and it seems to require some manual config that is beyond the scope of what I would expect to train a traveling sales rep to deal with. Maybe there's a simpler method I'm overlooking. If so, someone please point it out to me.

Wyz4k · Tue Nov 08, 2016 4:59 am

Feature request: Wireless scan save-file should include all info

The current implementation of interface wireless scan 0 duration=5s save-file=temp.txt does not contain all of the information that you would see if you simply did a interface wireless scan 0 duration=5s.

More info: http://forum.mikrotik.com/viewtopic.php?f=1&t=114410

saaremaa · Wed Nov 09, 2016 7:39 pm

Support Radius attribute "Delegated-IPv6-Prefix"

soomanyquestions · Thu Nov 10, 2016 9:39 pm

It would be useful and cool to see aggregate statistics in the Graphing tool instead of just each individual interface. It should probably be quite easy to add cause all the data is allready there.

jiminneworleans · Thu Nov 10, 2016 10:58 pm

I'd like to see more buttons in general. Seriously though it would be nice to have a few simple firewall scripts one could choose upon first configuration based on common home or small office scenarios for the cloud routers. I find myself excessively concerned over imagined gaping holes in my firewall scripts.

tomasi · Sat Dec 03, 2016 11:14 pm

Is there any chance of a Zabbix agent .npk listening on port 10050?

lavv17 · Mon Dec 12, 2016 4:59 pm

Yet another feature request:

add netwatch options to send TCP port probes (e.g. check if port 80 is open on a server for load balancing)

rwf · Fri Dec 30, 2016 2:21 am

We operate a lot of hotspots, using an external AAA/RADIUS solution.
It needs a NASID from the Mikrotik, and unfortunately Mikrotik sets this using ROuter Identity field.

The problem is that this limits us to one hotspot per router which is a huge waste of resources. We sometimes have to put 3 routers at a location to run multiple hotspots.

Can it be added that we place the NASID in the Hotspot Profile, and if it is blank it uses the router identity instead. That way it performs as it does now, but those of us who need different NASIDs can choose to do so.

What do y'all think?

tri · Sun Jan 15, 2017 1:38 pm

hi

I'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).

If all physical interfaces are DHCP it might simplify things to be able to assign a static addresses to an internal interface to make routing and firewall rules simpler.

freemannnn · Sun Jan 15, 2017 7:21 pm

how about adding an icon "L" next to each firewall-mangle-nat rules that this rule is "logged" so you can see easy what is logged and not.

Sob · Sun Jan 15, 2017 8:33 pm

Small improvements:
1) First column is for rule numbers, logging indicator would better fit in second one, which is sort of status column already.
2) Add a button to easily toggle logging for rule. I often need logging rules that I only quickly turn on and off again, to catch just a few packets. Before this very nice feature that any rule can be also logging rule was added, I used to make a duplicate rule for the one I was interested in, turned it into logging rule and put it before original one. The huge advantage was that it could be enabled/disabled by just one click. With these new non-dedicated logging rules, it requires 3-4 clicks. It may not seem as too much, but it is a little annoying.

easy-log.png

Chupaka · Mon Jan 16, 2017 2:25 am

I'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).

If all physical interfaces are DHCP it might simplify things to be able to assign a static addresses to an internal interface to make routing and firewall rules simpler.

just create a bridge (call it Loopback1

) and assign address to it

how about adding an icon "L" next to each firewall-mangle-nat rules that this rule is "logged" so you can see easy what is logged and not.

Right Click -> Show Columns -> Log. Voila!

Add a button to easily toggle logging for rule. I often need logging rules that I only quickly turn on and off again, to catch just a few packets.

as a workaround you may enable logging in the rule and then just press 'Undo' to disable it after a few seconds

mada3k · Mon Jan 16, 2017 11:12 am

I'm quite satisfied for the most part, but there is some things i miss from higher-end platforms.

Firewall rules "grouping" (example: https://sc1.checkpoint.com/documents/R7 ... 103603.png)
Configuration sync to other devices (eg. firewall-rules/lists, dhcp/dns-objects)

Sob · Mon Jan 16, 2017 9:02 pm

Right Click -> Show Columns -> Log. Voila!

You're right, it's there. But not visible by default and too far at the right and "lost" between other columns when enabled. Since logging is useful option available for all rules, IMHO it would deserve more prominent place. But ok, it is usable this way.

And about the toggle button, I might want to quickly not only turn logging off, but also to turn it on, so I think it would be very convenient to be able to do it using only one click. And there's plenty of space for one additional button in button bar.

tri · Wed Jan 18, 2017 8:10 pm

I'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).

If all physical interfaces are DHCP it might simplify things to be able to assign a static addresses to an internal interface to make routing and firewall rules simpler.
just create a bridge (call it Loopback1 ) and assign address to it

True dat. Thanks. Actually realized this almost immediately after posting. Still, for whatever reason, in Linux there is a dummy interface in addition to bridge. I wonder if there is some overhead involved.

tri · Wed Jan 18, 2017 8:15 pm

I often miss "copy rule" feature in web management firewall setup. What I'd like to be able to do, is to create a new rule from the existing one so that instead of starting from blank (as in "Add New") I would start with the data of an existing rule.

While this might be really useful especially for firewall rules, I think it could also be nice e.g. in PPP and some other segments too.

//Rinne

savage · Wed Jan 18, 2017 8:59 pm

If it hasn't been mentioned yet... In the wireless access-lists, you can provide the VLAN ID and VLAN Type for the client's traffic to be taged. In the registration table however, this information is not displayed. So once a client connects, you have no idea to which VLAN the traffic is going (especially when VLANs are assigned via AAA).

Can we include the VLAN information in the registration tables please?

tri · Thu Jan 19, 2017 4:06 pm

It would be extremely useful in many cases to have a ppp interface dynamically created form the ppp secret (when more than one connection is allowed and/or there is no explicit server binding) to be automatically added to a named interface list when it's created and removed when it's deleted.

Basically there is no need to limit this to dynamically generated interfaces. It might as well apply to a static interfaces if there is an explicit server binding. In any case it would be a property in PPP secret. Something like "Add interface to list: <menu-of-existing-interface-lists>".

I'm sure this would be hugely useful for many users.

Railander · Thu Jan 19, 2017 4:16 pm

did a quick search and only found a very old thread.

Add OID for SFP-specific port information such as:

Rx Power
Wavelength
Link Length
Connector Type
Vendor Name
Vendor Part Number
Vendor Revision
Vendor Serial
Manufacturing Date.

AlexeyIlinsky · Fri Jan 20, 2017 8:42 am

Hello it would be good to have optional Radius servers round robin rotation, not only from top to the bottom.

And in Tr069 we (in our configuration) feel like router identity would be useful information in inform update requests.

If that attribute would be writable that it would be easier to change router identity in initial provisioning instead of walk-around with .alter script download containing /system set identity..

2dfx · Thu Jan 26, 2017 12:24 am

Please add the ability to specify more than one server. for OpVPN and SSTP
And check box "remote random"

Thanks!

shortcircuitonline · Thu Jan 26, 2017 1:54 pm

i m looking into future hardware if possible i hope one day mikrotik can produce some thing like this

cpe with 2 wlan or more wlan cards and same on base station side to
advantages as under:-
bonding to increase speed
may b fail over 2 different base stations or more
different frequency
different channels like 10/20/30/40
and more possibilities are there

shortcircuitonline
raj singh

Dmitriy34 · Fri Feb 03, 2017 9:29 am

Hello.

How about accept RADIUS Attribute "Class" in CoA requests?

msatter · Fri Feb 03, 2017 1:31 pm

Not only being able to extend the timeout in address lists but also being able to reduce the timeouts by entering a lower timeout by a action in a firewall rule.

ckleea · Sat Feb 04, 2017 9:16 am

Is it possible to add /ip cloud ddns to x86 ROS? It is already available in routerboard hardware and I think it should be extended to x86.

Thanks

Sat Feb 04, 2017 1:53 pm

Is it possible to add /ip cloud ddns to x86 ROS?

This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.

ckleea · Sat Feb 04, 2017 4:16 pm

Is it possible to add /ip cloud ddns to x86 ROS?
This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.

I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct

Sat Feb 04, 2017 4:19 pm

I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct

No, you don't. Software ID is not the same as hardware serial number.

saaremaa · Mon Feb 06, 2017 11:37 am

Please implement this command:

/ip service set dns address=192.168.0.0/24 disabled=no

savage · Mon Feb 06, 2017 12:33 pm

Please implement this command:
Code: Select all
/ip service set dns address=192.168.0.0/24 disabled=no

+1 MT by default being a open resolver is a HUGE pita. You can't expect an ISP with thousands of customers to protect them all, and you can't expect thousands of Mikrotik users to know how to protect their router either. I know of multi 10GB/s ISPs that went down completely due to MT being used in DNS amplification attacks.

Yes, you can block it in firewall, but as soon as you do you loose piles of features (ala fastpath/fasttrack/connection tracking/etc). Silly that other services can be protected by /ip services, but not CRITICALLY VULNERABLE services, such as DNS, SMB, Proxy, Socks, etc. which is known to be used in exploits and DDoSes.

Would like every service MT runs (SMB, Socks, Proxy, DNS, etc.) to all have ACLs in /ip services AFAIK, and would be good to have it 'locked down' by default to say 1921.68.1.0/24 seeing that the default IP on hardware devices is 192.168.1.1/24.

expert · Mon Feb 06, 2017 12:54 pm

Would like every service MT runs (SMB, Socks, Proxy, DNS, etc.) to all have ACLs in /ip services AFAIK, and would be good to have it 'locked down' by default to say 1921.68.1.0/24 seeing that the default IP on hardware devices is 192.168.1.1/24.

Afaik factory default is 192.168.88.1/24, but I agree. On the other hand, DNS on MK is totally obsolete service. Running DNS service on internet gateway is fundamentally a security risc. It also does not support modern features like DNSSec, so I would rather go with Ubound or Knot running on dedicated host.

savage · Mon Feb 06, 2017 1:22 pm

On the other hand, DNS on MK is totally obsolete service. Running DNS service on internet gateway is fundamentally a security risc.

As is NTP Servers (ntp server magically disappeared from ROS in some version), web proxy, socks (really now, who still uses socks?), smb, and I'm sure other things too. Unfortunately, that seems to be what consumers want. Just really wish we could have all these things in separate packages so that we don't have to always have them installed.

Most of these services, belong on proper servers yes. I'm all for moving all these things (at the very least) to a meta router image, which is completely separated from ROS and installed at will, not by default. Userman is separated, dude is separated, I fail to see why the other stuff can't be made separated as well.

Sob · Mon Feb 06, 2017 8:27 pm

NTP server was always separate package, as long as I remember. Other stuff could be moved into one (or more) too, but there probably isn't good enough reason to do it (not counting your peace of mind

). If you don't enable any of it, all this stuff does is taking few hundreds kilobytes of disk space at most.

And of course consumers want it, it's because it's useful for them. If you're big ISP, it does not make any sense to run e.g. DNS resolver on RouterOS (not in its current state with very limited features, that's for sure). But if you're home user or small office, then it's the exact opposite. Keeping dedicated machine for this stuff is huge overkill. Current routers are pretty powerfull and can easily handle all these little extras and still manage to stay bored.

Btw, I think SOCKS is very underrated. It works with TCP and UDP, support both outgoing and incoming connections, supports authentication, can be used as IPv4/IPv6 proxy, and still it's very lightweight. It may not sound as much now, since almost everyone took different path, but this all was available since 1996 (year of SOCKS5 RFC). Why things like HTTP CONNECT caught on instead of this is beyond me. It still has some fans.

Arcticfox · Mon Feb 06, 2017 11:31 pm

Can you make a small feature for mAP devices such as USB-NIC?

savage · Tue Feb 07, 2017 9:50 am

Another good one, IMHO...

Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.

This gives us the ability to very easily match entire ASNs in firewall rules

Tue Feb 07, 2017 10:07 am

Another good one, IMHO...

Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.

This gives us the ability to very easily match entire ASNs in firewall rules

This has been requested, and confirmed by Mikrotik for routing filters in v7.

savage · Tue Feb 07, 2017 10:13 am

Another good one, IMHO...

Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.

This gives us the ability to very easily match entire ASNs in firewall rules
This has been requested, and confirmed by Mikrotik for routing filters in v7.

Oh fantastic! So, when can I get V7 then

lavv17 · Thu Feb 09, 2017 2:50 pm

Filtering packets in chain=input can affect srcnat. So it would be nice to limit filtering to local routers's IP addresses. But it would be hard to maintain such a list of addresses, if the router's configuration is changed from time to time.

So here goes a feature request: an automatic address-list "local-router" (or similar name) which is generated automatically from the local IP addresses of the router.

P.S. Thanks to msatter who pointed out the existing

dst-address-type=local

option.

msatter · Thu Feb 09, 2017 3:25 pm

Filtering packets in chain=input can affect srcnat. So it would be nice to limit filtering to local routers's IP addresses. But it would be hard to maintain such a list of addresses, if the router's configuration is changed from time to time.

So here goes a feature request: an automatic address-list "local-router" (or similar name) which is generated automatically from the local IP addresses of the router.

There is the option:

src-address-type (unicast | local | broadcast | multicast; Default: )

Matches source address type:

unicast - IP address used for point to point transmission
local - if address is assigned to one of router's interfaces
broadcast - packet is sent to all devices in subnet
multicast - packet is forwarded to defined group of devices

And this one can also be used if you have an dynamic WAN address.

agomes · Thu Feb 09, 2017 4:47 pm

It will be good if RouterOS will have integrated brute force protection and filter.
It does

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Nice!

Larsa · Thu Feb 09, 2017 10:54 pm

Another good one, IMHO...

Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.

This gives us the ability to very easily match entire ASNs in firewall rules
This has been requested, and confirmed by Mikrotik for routing filters in v7.

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?

Chupaka · Fri Feb 10, 2017 12:44 am

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?

yes

Wyz4k · Fri Feb 10, 2017 12:59 am

It will be good if RouterOS will have integrated brute force protection and filter.

Most definitely! The current "implementation of brute force protection" is a joke. A counter on port visits as opposed to actually checking whether the login succeeds or not.

Larsa · Fri Feb 10, 2017 11:37 am

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
yes

Great, any chance we'll see acl's (filter groups) as well?

Chupaka · Fri Feb 10, 2017 2:51 pm

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
yes
Great, any chance we'll see acl's (filter groups) as well?

what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need?

lavv17 · Fri Feb 10, 2017 3:00 pm

There is the option:
src-address-type (unicast | local | broadcast | multicast; Default: )
local - if address is assigned to one of router's interfaces

Cool, thanks! I'll use this feature.

Larsa · Fri Feb 10, 2017 3:27 pm

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
yes
Great, any chance we'll see acl's (filter groups) as well?
what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need?

The ability to utilize grouping of for example firewall filters is a matter of making network management more manageable and perspicuous, thus this is especially useful in complex environments. If you're familiar with Cisco ACL Object Groups you probably know what I mean...

Ref: Cisco IOS: Object Groups for ACLs

Rolek · Fri Feb 10, 2017 11:16 pm

Hi!

HotSpot Status page sometimes is not necessary

> ip hotspot user profile set open-status-page=
always http-login never

Larsa · Sat Feb 11, 2017 2:19 am

RoS v7 wishlist 2017-02-11

I’m rather new to the MT-world since about a year ago and it’s probably way too late to influence R&D at this stage but anyhow, here is my wish list for v7:

- A good object oriented scripting language with a small “footprint” for embedded system such as Lua (eLua), Python, Squirrel, TinyC, Tcl, JavaScript, AngelScript, Picobit, Forth
- Object oriented interfaces for all hardware resources and network related elements for example:

Ethernet eth1 = router.hardware.ether1;

eth1.ip.address = “192.168.0.1”;
eth1.status = enabled;

log (“Eth1 - current speed: “ + eth1.speed);

- Script libraries.
- Event triggers on all objects that have properties that may change.
- Object groups for acl’s, routing policies, interfaces, queue, etc.
- Enhanced debugging/tracing that can show the whole packet path through all chains, queues and possible stops.
- Simplified interface for queue management in complex environments.
- Virtual hardware interface for direct attached AP's, BaseBox SXT LTE, etc in order to check and control important properties and subscribe to real time events like link status etc.
- Pluggable interfaces and protocols to preserve resources.
- Pluggable controller to enable Software Defined Networking.
- Fast and structured storage like sqlite for scripting purposes..
- The ability to develop and run third party pluggable add-ons running on a sandboxed environment (e.g. Linux Docker) for supplementary services like:

hotspot management
accounting and billing
two factor authentication
OpenVPN AS
performance tools
enhanced management services
storage providers
move User-Manager and Netwatch here

- API using standardized interfaces and RCP techniques such as, or similar to:

JSON/REST
CORBA RPC
ONC RPC
DCE RPC

- Encrypted key storage for storing passwords used in scripts, certificate private keys, etc.
- Security enhancements

Two factor authentication for management access and VPN tunnels.
Password (or possible ACL) protected files and settings
LDAP integration for management access.
Real brute force protection

- Network Monitoring and Management

- Pluggable module for Network Management (NMS) with support for:
OpenFlow/NetFlow (SDN)
RMAN2
CIM/WBEM (SBLIM)
SNMPv3 with enhanced security
Enhanced MIB-II trees
SNAP traps for all manageable objects (both hw and sw)

- Various protocol enhancements: IKEv2, OpenVPN UDP + options like ZLE/EAS/TLS-AUTH etc, 2FA, DNSSEC, IPSEC/VT, NAT64.
- Multiple MAC’s and IP’s per ethernet/sfp interface.

Work out a new license model and divide the above into different level of capabilities that will also make it possible to run on less powerful devices.

Sob · Sat Feb 11, 2017 4:47 am

Nice list, but you have to ask yourself - do you want to see RouterOS v7 before or after 2020?

Larsa · Sat Feb 11, 2017 1:22 pm

Nice list, but you have to ask yourself - do you want to see RouterOS v7 before or after 2020?

Well, most definitely not before 2020 if they choose to develop everything from scratch.

It's actually possible to create a working prototype with most of the features from the wishlist on a small device like the Raspberry Pi in just a couple of days. And yes, you obviously need to configure everything manually the typical Linux way through shell scripts and edit tons of files. But it's quite doable and I've done it my self although the configuration process was definitely the major obstacle. You could probably even use a RB to implement your own prototype: HOWTO: Dual-booting RouterOS and OpenWRT on RouterBoard

Hopefully they'll implement RoS v7 on a new and flexible platform using frameworks such as XDP/eBPF/NFtables, pluggable kernel modules for example communication and management protocols, and using Linux Docker as sandbox environment for third party add-ons. And there are plenty of open source protocol stacks that can act as base for further work. An example of a company that make heavy use of open source is Brocade and you can even find the complete src for the old Vyatta Vrouter. If R&D at MikrotIk choose this way of working they can initially implement the basic functionality quite fast and work their way up in the food chain so to speak.

There's nothing new under the sun and everything is up for grabs but hopefully they'll make it happen!

Sob · Sat Feb 11, 2017 4:20 pm

The trouble with working prototypes is that while you can create one in couple of days, you then need couple of months to turn them into something you can share with others, and much more if you want to reliably tackle all corner cases. I imagine there are quite a few in something with RouterOS size. So while I hope to see some of your suggestions make it into v7, I think a lot of others can be just distant dream for v8 or so.

Larsa · Sat Feb 11, 2017 6:15 pm

The trouble with working prototypes is that while you can create one in couple of days, you then need couple of months to turn them into something you can share with others, and much more if you want to reliably tackle all corner cases. I imagine there are quite a few in something with RouterOS size. So while I hope to see some of your suggestions make it into v7, I think a lot of others can be just distant dream for v8 or so.

Yeah, the prototype is usually just a part of a POC they probably did ages ago. If they are smart, they'll release a version that will match the functionality in v6 and continues from there when things have stabilised. One thing is for sure, the folks at marketing will have to cope with all the people that have extremely high expectations of v7 and that believes it will solve all problems in the world!

Anyhow, I would guess that much of the work is put on developing their own nftable bytecode compiler/decompiler "engine" that needs to be tightly integrated into the user interface. In general it's a quite big step to move from iptables to nftables but in the long run, the operation and management of the development projects will become greatly simplified in regards of correcting bugs and adding new features.

And they will of course need to integrate new protocol stacks that's not part of the standard kernel but I really hope they'll avoid develop new protocols themselves and instead put all effort in integrating open source or licensed software...

Larsa · Sat Feb 11, 2017 6:42 pm

Btw, are there currently any big showstoppers in regards of bugs or missing features that would actually force people to pick other vendors even if they preferred MT?

SystemErrorMessage · Sun Feb 12, 2017 12:40 am

All i want is for mikrotik routerOS for routerboards at least to have all the features that both consumer and prosumer routers have and many features that industrial routers have as well. By that i mean in consumer routers in the config you can use domains in some of the configuration which is resolved when used rather than stored as an IP. If you look at openwrt and what linux based consumer routers can really do if you get into the linux bit and start adding and changing config files, it really makes those routers flexible. Mikrotik routerOS is only flexible with what you see infront of you, being able to add rules but you cant do really complex things without having to deal with MT's script and scheduler which tends to get broken and fixed multiple times. Last month i updated to 6.37 and it broke the scheduler and the OpenDNS update script timed out. Updated to lastest firmware today for the TILE and while the scripts work now the scheduler still doesnt work. I use the commands you would use in the command lines to run multiple scripts from 1 schedule which worked till i updated to version 6.37.

craterman · Mon Feb 13, 2017 9:07 am

RFC 3021

Larsa · Mon Feb 13, 2017 9:46 am

RFC 3021

What about this workaround? http://forum.mikrotik.com/viewtopic.php?t=7367#p32149. You might even save some addresses...

dukejjjj · Wed Feb 15, 2017 8:17 am

I have a suggestions

ip firewall connections add new columns like IP Geo / country / ISP .... information

dattl · Thu Feb 16, 2017 11:24 am

Hi,
First: I love Mikrotiks, I have allready 60+ pieces brought out to a lot of Customers.
One litte thing that would be very handy for me is:

IPSec Policy with ADDRESSLIST

feature instead of 1 policy per subnet on same VPN-Peer, as I have 1 customer with around 150 subnets and this is a total overkill for searching throug policis.
The Mailfirewall there is a Sonicwall and this supports subnetgroups for VPN-Policies. So the similar thing would be addresslists in Mikrotik.

Thank you for youre great work!
Best
-Dattl

SDFadfasdfadsf · Sun Feb 19, 2017 2:47 am

RFC 8092 BGP Large Communities implementation Feature Requested 2016090522001073

timeline available?

JanezFord · Thu Feb 23, 2017 12:58 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.

Thu Feb 23, 2017 1:14 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.

This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.

JanezFord · Thu Feb 23, 2017 8:30 pm

This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.

Thank you, I will look at your suggestion ... but anyway I find it would be way more user friendly to have for example a "Locate" button in Routerboard menu instead of having to program scripts for such a task.

JF.

anuser · Mon Feb 27, 2017 5:40 pm

What about enhancing CAPSMAN:
- centralized upgrade for RouterBoot (button for "/system routerboard upgrade") would be nice.
- "Right click" into remote CAPs list and directly connect to one of the CAP device itself
- management of all routerboards, also without wifi

CerpinTaxt · Wed Mar 01, 2017 3:16 am

Usermanager:
Currently, maintaining users via web browser provides more information than can be obtained using the CLI directly on the router (e.g. Total time left/Till Time can be seen on browser, but not Winbox) this makes using the API to get this information impossible. Could this be added in the output of

/tool user-manager user print

or even

/tool user-manager user print detail

would be great. The CLI should have everything a GUI has (plus more?!)

gilson · Sat Mar 04, 2017 10:02 pm

While using Winbox, I always missed the ability to allow to mark and copy form the log panel to clip board, as well a Find box. It would be very useful.

Wyz4k · Mon Mar 06, 2017 3:04 am

The ability to copy and paste data more easily.
1) Selected text from the log to the clipboard.
2) From random tables into the clipboard in csv format.

hyperpaccket · Mon Mar 06, 2017 6:15 am

More than 2GB of ram for the X86 Build.

JanezFord · Fri Mar 10, 2017 2:39 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.
This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.

Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...

JF.

mlow · Fri Mar 10, 2017 11:43 pm

RFC6939 for the DHCPv6 relay.
Would be extremely useful for doing MAC address based DHCPv6 reservationsRFC4649

exploit · Mon Mar 13, 2017 7:55 am

1. I believe that you need to add ability to associate an IP address with two different mac-addresses. This allows you to give the same network address to a device that connects at different times from different interfaces (for example, ethernet or Wi-Fi in laptops)
This feature is implemented in dnsmasq (for example, dhcp-host=38:B1:DB:38:B4:23,28:d2:44:d0:e0:3e,192.168.0.111)

2. I do not receive the network route specified in the profile of the l2tp client. This topic was previously discussed in your forum: viewtopic.php?t=56079
This feature is implemented in SoftEther

Thus, both possibilities requested by me are technically feasible.

meckanix · Wed Mar 15, 2017 4:29 pm

Can we add a VRF setting to the DHCP relay so that the relay can be used within a VRF?

neticted · Fri Mar 17, 2017 1:18 pm

I use wireless roaming feature and I have set Signal range in Access list to kick clients with low signals.

It works fine for most of the time but sometimes some clients got kicked frequently even with good signal.

After some time of monitoring this issue I concluded that problem is that it happens that client momentarily is received with low signal, and Mikrotik kicks it at once.

If I set lowest allowed signal to very low, client does not get kicked. But, that ruins whole idea of roaming as then clients stay connected to node even with very low signal.

My proposal is to introduce option to set hysteresis (delay) to kicking clients if signal is out of specified level range. Goal is to kick client if it really has low signal for some time not just because it is measured low for a moment.

lavv17 · Wed Mar 29, 2017 3:41 pm

Hello!

RouterOS "ip route print where dst-address in x.x.x.x/z" is fast. But for a reason the same for ipv6 is slow (when the number of routes is large).

Please, make ipv6 route lookups fast as well.

savage · Wed Mar 29, 2017 3:44 pm

Hello!

RouterOS "ip route print where dst-address in x.x.x.x/z" is fast. But for a reason the same for ipv6 is slow (when the number of routes is large).

Please, make ipv6 route lookups fast as well.

And IPv6 filter on dst-address doesn't work at all in Winbox

Wyz4k · Thu Mar 30, 2017 4:09 am

Bridge-like filtering (L2) for Mesh.

lavv17 · Tue Apr 04, 2017 12:34 pm

It would be nice if routing updates were more atomic. Currently converging BGP full view can lead to temporary routing loops. They last for a minute or two.

My setup consists of 3 CCR1036 routers facing different providers; iBGP between each pair of them. When a router boots up, a temporary loop can be created for a pair of minutes.

Also I'd like to repeat my plea of a graceful reboot option: viewtopic.php?f=1&t=45934&p=556840&hili ... ul#p556840

Nee · Tue Apr 11, 2017 5:03 pm

1. dstnat for output chain - i.e. to route Mikrotik's DNS requests to different DNS servers / interfaces
2. hardware ipsec acceleration for processors, which support it (i.e. RB3011) - maximum ipsec performance is the must for many modern configs, imho

Wyz4k · Thu Apr 13, 2017 8:11 am

Please add a button to clear the log. It's practically impossible to try and debug routers over crappy connections when just attempting to load the log causes the connection to break. If I could periodically clear the log it would reduce the traffic enough for the connection to remain viable.

I've tried the methods listed on the forum and they no longer work.

OnixJonix · Thu Apr 13, 2017 10:32 am

Please come up with CAPS logs explanation!!!!
Stuck with capsman problems - see problems in log files, but not sure what it mean an what direction look for!!

for example:
caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]

Thu Apr 13, 2017 11:39 am

caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]

You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.

OnixJonix · Thu Apr 13, 2017 1:08 pm

caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]
You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.

No certificates at all!! Maybe thats the problem??

Thu Apr 13, 2017 1:33 pm

No certificates at all!! Maybe thats the problem??

Another guess- CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone configuration of CAP devices?

felipelinkmais · Thu Apr 13, 2017 9:31 pm

Will be nice if mikrotik create a new OLT package.. to turn any mikrotik device with sfp slot in one GPON/EPON OLT.

OnixJonix · Tue Apr 18, 2017 8:25 am

No certificates at all!! Maybe thats the problem??
Another guess- CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone configuration of CAP devices?

Have ~50Caps - in Capsman Radio list shows all, and in the list no dublicated macs!!! This was my first gues, but seems there everything is ok!!

Wyz4k · Tue Apr 18, 2017 10:34 am

Please make it possible to change the comment associated with a connection without it restarting said connection.

Wyz4k · Wed Apr 19, 2017 6:39 am

Could we get the LAC (local area code) also being displayed in in the info box for 3G/4G modems? This information is required to locate the sim. Currently the cellid is being displayed and it's possible to determine MCC and MNC. See http://cellidfinder.com/

scus · Wed Apr 19, 2017 3:54 pm

In case that public key authentication is used (and passwords are disabled) the SSH server should drop the connection immediately if no public key is provided by the client (instead of asking for a password and denying access even if a valid password is provided). There should also be a configuration option to allow password authentication in addition to public key authentication.

I have thousands of failed login attempts (from different IPs), all trying to login as admin, user, test, etc. using passwords...

juliokato · Wed Apr 19, 2017 5:06 pm

[Active Users (Admins)]
Is there any way to cut the connection of a remote admin.
Amazing how this feature does not exist!

Wed Apr 19, 2017 9:21 pm

Do you want to be cut off by a hacker?

juliokato · Thu Apr 20, 2017 3:25 pm

Look this:
How do I delete previous sessions stuck in an easy way?

macsrwe · Fri Apr 21, 2017 9:29 pm

Hi,

Please add feature that will allow me to add DNS name instead of exact IP address. I need this to connect 2 or more MKT routers (PPTP connection) if they are connected to internet thru ADSL and theirs IP addresses are dynamic. I hope that you understand what I am saying and that we can expect this feature in new ROS.

bye,

i think that this should be global. anywhere you specify a dns name it should be resolved.

Yes, but not immediately - it should be stored as a DNS name and resolved in real time. For example, it's pointless to resolve /tool email server once and store it as a numeric address, which is why ROS will store it as a name. However, /system watchdog resolves the same server once and then stores it as a number, which is wrong. Also, you don't want things to fail because they can't be resolved immediately when you are configuring a router on a workbench and it has no connection to your network.

macsrwe · Fri Apr 21, 2017 9:34 pm

Please make it possible to change the comment associated with a connection without it restarting said connection.

This would be good for both /int wireless access and /int wireless connection; also the "add to access list" and "add to connection list" operations, where you already know that the resulting entry will not be incompatible with the connection that already exists, because it is being generated from that connection.

macsrwe · Fri Apr 21, 2017 9:38 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.
This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...

JF.

Many of the newer, lower-cost devices have no beepers.

I have come to rely on the beepers for so much diagnosis (esp. SXT setup) and I really miss them. I would pay the extra buck.

horhay · Fri Apr 21, 2017 11:44 pm

Help us old keyboarders out and add ALT tags to menu and buttons.

This way we can use ALT C for a Close button or ALT O for OK.

skuykend · Sat Apr 22, 2017 3:59 am

During an Export of /Interface/Ethernet/Switch/Ports it would be nice to have it use a [ find default-name=xxxxx ] like the /interface ethernet export instead just the set#.

Andrew08 · Sat Apr 22, 2017 10:32 am

Ip dns port support
So for example we can use 208.67.220.220:443

biatche · Sat Apr 22, 2017 4:39 pm

Requesting for neater and more readable exports

currently:

export compact
/something1
some config
/something2
some config

suggestion:

export compact
/something1
some config

/something2
somet config

spacing them out improves readability a lot.

Zero3K · Sun Apr 23, 2017 1:33 am

It would be nice if there was an option to display a box containing the Ethernet and DHCP Clients (with the Mac, IP, and how long it has been online) connected to it in the Quick Set page.

tawhwat · Sun Apr 23, 2017 5:29 pm

I believe this request can be implemented very fast but it helps the ROS management with Multiple WAN a lot!

The "/ping" and "/system ssh" allow user to specify the "src-address" parameter so that the command can initiate the network connection on specific WAN easily.
BUT "/tool fetch" doesn't include "src-address" parameter.

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to archive this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adds the "src-address" parameter to "/tool fetch"

juliokato · Sun Apr 23, 2017 7:26 pm

I believe this request can be implemented very fast but it helps the ROS management with Multiple WAN a lot!
The "/ping" and "/system ssh" allow user to specify the "src-address" parameter so that the command can initiate the network connection on specific WAN easily.
BUT "/tool fetch" doesn't include "src-address" parameter.

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to archive this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adds the "src-address" parameter to "/tool fetch"

+1

biatche · Mon Apr 24, 2017 8:02 pm

please, MSTP & PVRSTP next version...

sparker · Tue Apr 25, 2017 9:49 am

+1
Really need, please!

biatche · Wed Apr 26, 2017 5:55 am

request: a default set if IPv6 firewall rules with IPv6 enabled be default

Wyz4k · Wed Apr 26, 2017 6:46 am

Please add the ability to do a where query in [] with any valid-variable.

fail example:
:local identity "testRouter"
:local interface [/ip neighbor find where identity=$identity]

fail reason:
result differs from :local interface [/ip neighbor find where identity="testRouter"]
contains several interface which don't have the specified identity.

pass example:
:local macAddress "00:11:22:33:44:55"
:local interface [/ip neighbor find where mac-address=$macAddress]

pass reason:
gives exact same result as :local interface [/ip neighbor find where mac-address="00:11:22:33:44:55"]
contains only interfaces that have that MAC address

Chupaka · Thu Apr 27, 2017 2:08 am

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to archive this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adds the "src-address" parameter to "/tool fetch"

setup some VPN tunnel between the routers

then you may ping inside the VPN, or just use VPN Interface state to detect remote failure

Chupaka · Thu Apr 27, 2017 2:15 am

Please add the ability to do a where query in [] with any valid-variable.

fail example:
:local identity "testRouter"
:local interface [/ip neighbor find where identity=$identity]

fail reason:
result differs from :local interface [/ip neighbor find where identity="testRouter"]
contains several interface which don't have the specified identity.

that's because the variable name "identity" is the same as parameter name "identity". the following code works correctly:

:local id "testRouter"
:local interface [/ip neighbor find where identity=$id]

by the way, use the following is also correct:

:local interface [/ip neighbor find where $identity=$id]
:local interface [/ip neighbor find $identity=$id]

Wyz4k · Thu Apr 27, 2017 5:39 am

Thank you, I will try it out!

doneware · Thu Apr 27, 2017 9:37 pm

this one can be quite neat if someone is into parental control

https://datatracker.ietf.org/doc/draft- ... -clientid/

the code is there in dnsmasq since 2.76

Wyz4k · Fri Apr 28, 2017 3:58 am

Can we get standard 802.11s support? https://wiki.mikrotik.com/wiki/Manual:I ... e/HWMPplus indicates that the HWMP+ protocol is based on 802.11s draft but is not compatible with it.

kalaposl · Fri Apr 28, 2017 1:00 pm

I would love if I could run a script as a firewall action.

doneware · Sat Apr 29, 2017 12:25 am

I would love if I could run a script as a firewall action.

this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.

macsrwe · Sat Apr 29, 2017 2:27 am

I've been waiting over five years for /system upgrade upgrade-package-source to allow specification of its password parameter on the command line instead of demanding it interactively. This one deficiency makes Flashfig entirely useless to us and makes initializing every one of our MikroTik CPEs a multi-step manual process. I've been told this is done for "security," but every other password, encryption key, secret, etc. can be set from the CLI except this one (which is a relatively minor "security" function at best), so I'm not buying that argument. How hard can this be, guys?

nordex · Sat Apr 29, 2017 8:14 pm

Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks

Wyz4k · Mon May 01, 2017 4:10 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.

You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.

Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks

On that note, it would be really great to have an average cpu value being displayed in the resources tab. At the moment I have to run a script periodically and try to calculate this on my own.

biatche · Mon May 01, 2017 6:07 am

request switch vlan support on RB750Gr3

doneware · Wed May 03, 2017 10:57 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.

there are certain "optimised" actions (like add-src/dst-to-address-list) which could have their "script" counterparts, but that doesn't mean they're the same. packet forwarding is not a thing where one want to mess with interpreted code. and running a script (executing a series of routeros commands) is actually running an interpreted code.
where i do see the quite a bit of flexibility, but it is a fundamental change how the PF code is organised. say we're just fine with a serialised code execution on a single core if it comes down to handle a flow, but that doesn't mean that cpu cycles are there to be wasted on unoptimised execution. also for me is not clear whether the script should be run in a non-blocking or blocking manner. all in all, since its just a set of interpretable code, it would be quite unpredictable whether it is to be executed parallelised or not. the result would be varying delay that could potentially affect (read: ruin) TCP throughput.

i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then its up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

i think this fulfils your requirements of "hands shall not be bound", but also provides enough safeguarding for the "not so creative/unexperienced" users, whose forwarding performance would be seriously degraded by running code based on firewall rule matches. and for the RouterOS developers its always a give-and-take situation, where to go, what to risk: provide a very versatile toolset where you can do anything, which can (and most probably will) result a thousands of trouble-tickets and sad faces when used inappropriately, or leave it to be solved by the excessive creativity of the few ones who actually do require it. they need to think in the dimensions of megapackets per seconds for a while, and "tinkering" does not fit into the scope no more. and there is a whole world outside of RouterOS, a lots of tools that may be used to contribute to its original functionality, we just need to think outside the box.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)

Wyz4k · Wed May 03, 2017 4:54 pm

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then its up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)

I don't see why it's not possible to do the same with a run script on hit rule with some guidelines as you mention exists for the L7 rules. Unfortunately not everybody reads MUM slides.

Yes, the method that you describe of using a firewall rule and logging is an option, but potentially something that can become really messy really quickly.

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.

doneware · Wed May 03, 2017 5:52 pm

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.

seems we have to leave it to Mikrotik guys do decide which way to go

Wyz4k · Thu May 04, 2017 7:46 am

seems we have to leave it to Mikrotik guys do decide which way to go

Indupitably

Wyz4k · Wed May 10, 2017 8:11 am

Please add the ability to ping / ssh / telnet / other from the ip dhcp-server screen in winbox. This is already offered from the wireless registration page.

Any chance we could get the ability to form simple socket connections / ssh from the router in a script? Currently it's really one sided in that it's possible to connect to the router, but not possible for the router to automatically connect to other things.

makstex · Thu May 11, 2017 7:25 am

Please add compression for the OpenVPN client.

Wyz4k · Thu May 11, 2017 9:16 am

Could we get a proper AT command + reply interface?

Sending down AT commands in the info string and then having them randomly overwrite some output as a response is far from ideal.

On that same topic, it would be great if the /interface ppp-client info section can be rewritten to go away and read all the data and then come back with the data instead of having to be polled repeatedly hoping to get all the data after x polls.

felipelinkmais · Thu May 11, 2017 4:34 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!

teddyhsu · Fri May 12, 2017 2:25 pm

I hope I can create a counter only supout file, that only take process information and count connections and users.

When my routerboard have more then 100K connections and 2000 users, making supout file will take more 2 hours and bigger then 1GB.
The heavy loading reboot is very hard to debug.

Wyz4k · Sat May 13, 2017 3:38 pm

I would like to request the required changes in order to allow 3G/LTE signal strength to be monitored on a continual basis without interrupting the signal - see https://forum.sierrawireless.com/viewto ... 108#p41108

Mon May 15, 2017 12:20 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!

this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...

macsrwe · Tue May 16, 2017 10:11 pm

/ip firewall address-list has a creation-time field that is read only, although it appears in the add box. It would be quite handy if that were writeable at add time, such that the entry would take effect at whatever date and time is entered. This would allow us to schedule changes in account behavior at a future date without having to be sure to log in on that date to make it happen.

SiB · Wed May 17, 2017 10:14 am

Now I must create the same few rules in FILTER ICON again and again in many place of WinBox (I use AutoIt to do it like workaround)
PLEASE ADD the SAVE option for filtering rules.
I will be creating prifile filters like, dhcp with dynamic only, Arp static only, Contrack show network1, conntrack show net2 - You gotta idea. Open filters and select own save before filters rules - perfect.

CsXen · Wed May 17, 2017 11:19 am

Hi.
I know, that Mikrotik dropped the mipsle platform support... I know... but..
Please, backport two fantastic changes to mipsle, specifically to RB532.
1. WPS client mode.
2. EAP-PEAP-MSCHAPv2

Please, make a "routeros-mipsle-6.32.5" package with these features to make our old routers happier.

Thanks and best regards: CsXen

Vooray · Tue May 23, 2017 10:39 am

Please, add /31 mask on p2p support (rfc3021).

freemannnn · Mon May 29, 2017 3:12 pm

it would be nice in capsman interfaces tab a column with how many devices are connected per cap.

Murmaider · Mon May 29, 2017 8:46 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...

+1 for this, it makes the current traffic flow implementation 99% complete. It's that 1% we all need to make it useful to anyone using BGP.

5nik · Thu Jun 01, 2017 12:58 pm

Please add support for DHCPInform for PPP link. It is usefull for Windows VPN clients (push additional info such as domain name, classless routes etc.). Now I must redirect DHCPInform request from PPP to external DHCP server.

Pilson · Fri Jun 02, 2017 9:40 pm

Please add support for setup l2tp client source portselection - set port by maunal, or set random port. Something like /interface l2tp-client set l2tp-out1 src-port=port_number, or src-port=random. It would be a very useful feature, especially if multiple l2tp clients + ipsec establishes connections from local network via one NAT address.
Thanks.

aacable · Sat Jun 10, 2017 8:35 am

'Unmetered Content' / to bypass local servers from radius accounting.

maznu · Sun Jun 11, 2017 1:45 am

You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:

Screen Shot 2017-06-10 at 23.44.39.png

craterman · Sun Jun 11, 2017 11:07 am

Please add:
- Incremental SPF
- IP FRR (RFC5714) and microloops (RFC5715)
- LFA (RFC5286) & Remote LFA (RFC7490)

And it would be really great if you add:
- RSVP FRR (RFC4090)
- MRT (RFC7812)

Sob · Sun Jun 11, 2017 7:13 pm

About the WireGuard idea, are you a time traveller writing to us from future?

I almost got excited, but at present time, things don't look so bright yet:

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

So I think I'll stick with wanting better OpenVPN for a while, at least until this happens:

After version 1 is finalized, an RFC will be written and standardized.

maznu · Sun Jun 11, 2017 7:23 pm

About the WireGuard idea, are you a time traveller writing to us from future? :)

Spoiler alert: Trump gets impeached!

…but I'm not going to reveal which one is released first: WireGuard v1.0 and RouterOS v7.0 :)

drivebydex · Wed Jun 14, 2017 11:53 pm

Please add in capsman registration table "active host name" and "active address"! THX

ajack46 · Thu Jun 22, 2017 3:51 pm

Providing Compression for the OpenVPN client, would be something i would wish for.

biatche · Sat Jul 01, 2017 10:45 am

1. add /ip route check-gateway-ping-interval
2. ability to customize fasttrack rules a little bit. more dual wan friendly. right now i cannot figure out a way to have fasttrack with both ipsec and multi wan, although it does appear possible if its just one extra feature.

th0massin0 · Sat Jul 01, 2017 4:34 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.

biatche · Sat Jul 01, 2017 9:59 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.

i made some workarounds to make fasttrack+ipsec+dualwan all work together..but i really wish they'd come up with something better

biatche · Sat Jul 01, 2017 10:01 pm

/tool fetch keep-result (yes | no; Default: yes) If yes, creates an input file.

rename this to save-tofile or something.... from what i am seeing, keep-result appears to save the output to disk. or is it input? i've no idea anymore.

MT could possibly hire an englishman to straighten the terms out.

th0massin0 · Mon Jul 03, 2017 1:22 am

Could you please describe how did you worked out port forwarding in dual wan environment with fasttrack?

platitude · Tue Jul 04, 2017 11:59 pm

DNSCrypt feature request topic has been started in 2012! Your customers waiting it about 5 years and still no support from you. Looks like you are not interested in customer's data privacy at all. Now open your eyes, read the message and satisfy us.

biatche · Sun Jul 09, 2017 2:42 am

add tool: tcp/udp open port tester.

pe1chl · Sun Jul 09, 2017 12:34 pm

Feature request: move all configuration related to one physical interface to another.
E.g. you have a router with two hardware switches or with ports inside/outside switch.
You have configured e.g. ether8 which is on switch2 with all kinds of options (address, dhcp server, firewall config, etc)
and you decide it would be better to move all this to ether4 which is on switch1, e.g. because you want to free up a port
that is on switch2, to do hardware switching to the other ports on that switch. It would be convenient when this could
be done with a single command, just like an interface can be renamed with a single command and it is reflected everywhere
in the config. After issuing that command and plugging the cable from port 8 to port 4, all functionality would remain the same.
For practical purposes (what would happen to the config that was on port 4), maybe the easiest implementation would
be in the form of "swap interface configurations" What was on ether4 will be on ether8 and vice-versa.

msatter · Sun Jul 09, 2017 2:21 pm

When adding an adress in large adress-list is a PITA when an address already exits. The the script is stopped an you can work with on-error to seek sequential through the list use set to update it timeout on the dynamic address. This takes ages when you have to seek each time.

On the moment you get collision it would be a pleasure to be able to directly use set on that entry to set the expire time in the on-error.

cental63 · Sun Jul 09, 2017 6:22 pm

I find that Userman is a really good choice to build a hotspot service for a company, but i think, as installer, that there is something missing, few things like embedded sms verification (and not the script), and the one that i found more interesting, make the userman database readable (just think about a company with a newsletter). All could be added to make userman like a serious radius server (chr would allows more performance for anought clients). more competitive !
Thats all

Regards from an Italian user

schadom · Sun Jul 09, 2017 7:56 pm

Please add the 'Comments' column and the 'Add/Edit Comment Button' which is currently missing in WinBox 3.11 under

Routing =>BGP => Networks
Routing => BGP => Aggregates

Interestingly it is available in Routing => OSPF => Networks, but missing in all of the other tabs
While I personally prefer the CLI for configuration, WinBox is nice to get a quick overview.

Thanks

Wyz4k · Thu Aug 10, 2017 1:39 pm

Please add SMB support to the fetch tool or the ability to limit FTP accounts to specific folders to the FTP server. The SMB server is considerably more advanced than the FTP server on Mikrotik and makes it easier to limit clients to a specific folder.

pe1chl · Fri Aug 11, 2017 12:16 pm

/queue tree elements can now only match on "packet marks", when multiple packet marks are specified they are OR'ed.

Please add the capability to also match on the "packet priority" field, and make it an AND match with the packet marks.
(so if a queue tree element is specified with both packet marks and a priority, it will only be used when one of the specified packet
marks is present AND the priority field of the packet is as specified)

Alternatively, introduce the option of doing an AND match on packet marks. It is already possible (although cumbersome)
to add packet marks based on the packet priority field.

dgrenetz · Wed Sep 13, 2017 2:31 am

We are deploying Mikrotik virtual appliances to centralize and replace several disparate VPN solutions. We need a way to hand out our domain suffix to VPN clients so they won't have to use Netbios broadcast to resolve names. Currently, without domain suffix setting, accessing hosts by hostname takes about 5 seconds longer than it does on our existing legacy VPN solutions. I Googled the issue and see people complaining about this all the way back to 2010. However I do not see it anywhere in this Feature Request thread. Longstanding issue - please help!!
David

diasem · Tue Sep 19, 2017 1:22 am

Normis add /31 address for PTP links.

Chupaka · Tue Sep 19, 2017 10:23 am

Normis add /31 address for PTP links.

/ip address add interface=ether1 address=192.0.2.2/32 network=192.0.2.3

vytuz · Tue Sep 19, 2017 3:09 pm

Do You maybe have in plans to make more detailed user group list? Different user access to i.e. wireless, firewall filter, nat rules, ip addresses, dhcp and etc. I imagine it may be hard to add databases and additional cunfiguration to every configuration field. Maybe any possibility to add at least additional wireless user option. Clients sometimes wants to change wifi name, password, but we do not want to allow to change other options with given password.