You can do it using a recursive next hop/net watch.Route availability base on an remote IP.
...
It would help very much in regards to failover.
You can do it using a recursive next hop/net watch.Route availability base on an remote IP.
...
It would help very much in regards to failover.
+1Route availability base on an remote IP.
I would like to have route availability based on some other IP. Let's say you add a new option below Check Gateway that would be something like check another gateway (my gateway's gateway for example) or just any other IP like 8.8.8.8. And if that IP becomes unavailable over that specific route it can make it unreachable/inactive so other route with higher Distance can became in charge. Check Gateway option does not work when your provider puts router on your premises. And if provider's router loses connection to it's remote router, you still have your gateway (because you have a router on your premises) and so for you, gateway is reachable, but you actually don't have internet access and that route looks good.
It would help very much in regards to failover.
it is available even without scripting: http://wiki.mikrotik.com/wiki/Advanced_ ... _ScriptingI know that currently this can be achieved by using Netwatch and some scripting but it would be much easier if it were available directly on the route's properties.
Well, even with the option to ping some specific address (other than the GW) you would still need to create a /32 route that forces the test target via a particular interface, or else the route will flap as the GW points to failed link, ping fails, route changes to backup path, ping starts working (via backup), primary route re-activated, pings fail, etc etc etc.Thanks, I wasn't aware of that!
Still, it would be easier to just be able to define what IP to probe for a specific route, rather than having to create extra static routes and play with scope to achieve this (if I understand the wiki page correctly)
The idea is that for the 'ping address' you define on the route, the pings to it will always go through that route's gateway address/interface.Well, even with the option to ping some specific address (other than the GW) you would still need to create a /32 route that forces the test target via a particular interface, or else the route will flap as the GW points to failed link, ping fails, route changes to backup path, ping starts working (via backup), primary route re-activated, pings fail, etc etc etc.
RouterOS is for routing, DPI is part of a UTM or NGFW solution.I don't know if anyone requested adding DPI or User activity monitor but anyway can we have this feature Please.
what do you use them for?Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-parks" parameter stopped working.
i would call that bullshit.RouterOS is for routing, DPI is part of a UTM or NGFW solution.I don't know if anyone requested adding DPI or User activity monitor but anyway can we have this feature Please.
I want to exclude some traffic from the rate limitation (so called local traffic). I used to mark non-local traffic and add the packet mark to all dynamic queues. Now it is not working. Please advise.what do you use them for?Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-parks" parameter stopped working.
create a queue for local traffic and put it on the top. it will catch all local traffic, and all the rest will be caught by 'personal' queuesI want to exclude some traffic from the rate limitation (so called local traffic). I used to mark non-local traffic and add the packet mark to all dynamic queues. Now it is not working. Please advise.what do you use them for?Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-parks" parameter stopped working.
Cool! It seems to work. Much simpler and (as I suspect) faster. Thanks a lot!create a queue for local traffic and put it on the top. it will catch all local traffic, and all the rest will be caught by 'personal' queues
p.s. if you won't set any limits on that queue, don't forget to change at least something (like queue type) for this queue to actually work
just add one more Radius Server entry with the same settings1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.
I have turned off connection tracking for most connections (using raw table), so it won't be efficient in my case.Fasttracking that traffic you want to be excluded from queues is much more efficient.
But keep the exclusion queue for the cases when some connections couldn't be fasttracked.
You're best bet there is to install a hypervisor on that server and run the CHR rather than the standard x86 ROS. Not only will you be able to use the onboard NICs, but you'll also be able to use more than 2GB RAM, and set up multiple instances so you can run in high availability.Hi There,
We are using a Supermicro 5018 MLNT4 (https://www.supermicro.com/products/sys ... -MLTN4.cfm) with onboard C2000 SoC I354 Quad Nic.
This nic is not supportes... PLEASE ADD THE DRIVERS !
Hi guys,just add one more Radius Server entry with the same settings1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.
I created a second Radius Server with identical settings and changed the ip to an IP that is actually held by the same server, then i disabled the first entry, but mikrotik reports "Radius Server not responding". When i check the radius server logs, it show its authenticates correctly.just add one more Radius Server entry with the same settings1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.
just create a bridge (call it Loopback1 ) and assign address to itI'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).
If all physical interfaces are DHCP it might simplify things to be able to assign a static addresses to an internal interface to make routing and firewall rules simpler.
Right Click -> Show Columns -> Log. Voila!how about adding an icon "L" next to each firewall-mangle-nat rules that this rule is "logged" so you can see easy what is logged and not.
as a workaround you may enable logging in the rule and then just press 'Undo' to disable it after a few secondsAdd a button to easily toggle logging for rule. I often need logging rules that I only quickly turn on and off again, to catch just a few packets.
You're right, it's there. But not visible by default and too far at the right and "lost" between other columns when enabled. Since logging is useful option available for all rules, IMHO it would deserve more prominent place. But ok, it is usable this way.Right Click -> Show Columns -> Log. Voila!
True dat. Thanks. Actually realized this almost immediately after posting. Still, for whatever reason, in Linux there is a dummy interface in addition to bridge. I wonder if there is some overhead involved.just create a bridge (call it Loopback1 ) and assign address to itI'd like to see a dummy network interface like one available in generic Linux kernel (http://www.tldp.org/LDP/nag/node72.html).
If all physical interfaces are DHCP it might simplify things to be able to assign a static addresses to an internal interface to make routing and firewall rules simpler.
This has been asked here many times before. Mikrotik usually answers that /ip cloud depends on RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.Is it possible to add /ip cloud ddns to x86 ROS?
I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correctThis has been asked here many times before. Mikrotik usually answers that /ip cloud depends on RouterBOARD serial number, so it can not be just added to x86 as it is. And there are no plans to work on any alternative solution.Is it possible to add /ip cloud ddns to x86 ROS?
No, you don't. Software ID is not the same as hardware serial number.I also have a mikrotik serial number for my ROS installed on my x86 hardware. Their logic is not correct
/ip service set dns address=192.168.0.0/24 disabled=no
+1 MT by default being a open resolver is a HUGE pita. You can't expect an ISP with thousands of customers to protect them all, and you can't expect thousands of Mikrotik users to know how to protect their router either. I know of multi 10GB/s ISPs that went down completely due to MT being used in DNS amplification attacks.Please implement this command:Code: Select all/ip service set dns address=192.168.0.0/24 disabled=no
Afaik factory default is 192.168.88.1/24, but I agree. On the other hand, DNS on MK is totally obsolete service. Running DNS service on internet gateway is fundamentally a security risc. It also does not support modern features like DNSSec, so I would rather go with Ubound or Knot running on dedicated host.Would like every service MT runs (SMB, Socks, Proxy, DNS, etc.) to all have ACLs in /ip services AFAIK, and would be good to have it 'locked down' by default to say 1921.68.1.0/24 seeing that the default IP on hardware devices is 192.168.1.1/24.
As is NTP Servers (ntp server magically disappeared from ROS in some version), web proxy, socks (really now, who still uses socks?), smb, and I'm sure other things too. Unfortunately, that seems to be what consumers want. Just really wish we could have all these things in separate packages so that we don't have to always have them installed.On the other hand, DNS on MK is totally obsolete service. Running DNS service on internet gateway is fundamentally a security risc.
This has been requested, and confirmed by Mikrotik for routing filters in v7.Another good one, IMHO...
Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.
This gives us the ability to very easily match entire ASNs in firewall rules
Oh fantastic! So, when can I get V7 thenThis has been requested, and confirmed by Mikrotik for routing filters in v7.Another good one, IMHO...
Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.
This gives us the ability to very easily match entire ASNs in firewall rules
dst-address-type=local
There is the option:Filtering packets in chain=input can affect srcnat. So it would be nice to limit filtering to local routers's IP addresses. But it would be hard to maintain such a list of addresses, if the router's configuration is changed from time to time.
So here goes a feature request: an automatic address-list "local-router" (or similar name) which is generated automatically from the local IP addresses of the router.
And this one can also be used if you have an dynamic WAN address.src-address-type (unicast | local | broadcast | multicast; Default: )
Matches source address type:
unicast - IP address used for point to point transmission
local - if address is assigned to one of router's interfaces
broadcast - packet is sent to all devices in subnet
multicast - packet is forwarded to defined group of devices
Nice!It doesIt will be good if RouterOS will have integrated brute force protection and filter.
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?This has been requested, and confirmed by Mikrotik for routing filters in v7.Another good one, IMHO...
Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists.
This gives us the ability to very easily match entire ASNs in firewall rules
yesIs Route-Filter equivalent (or similar) to the Cisco Route-Maps?
Most definitely! The current "implementation of brute force protection" is a joke. A counter on port visits as opposed to actually checking whether the login succeeds or not.It will be good if RouterOS will have integrated brute force protection and filter.
Great, any chance we'll see acl's (filter groups) as well?yesIs Route-Filter equivalent (or similar) to the Cisco Route-Maps?
what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need?Great, any chance we'll see acl's (filter groups) as well?yesIs Route-Filter equivalent (or similar) to the Cisco Route-Maps?
Cool, thanks! I'll use this feature.There is the option:src-address-type (unicast | local | broadcast | multicast; Default: )
local - if address is assigned to one of router's interfaces
The ability to utilize grouping of for example firewall filters is a matter of making network management more manageable and perspicuous, thus this is especially useful in complex environments. If you're familiar with Cisco ACL Object Groups you probably know what I mean...what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need?Great, any chance we'll see acl's (filter groups) as well?yesIs Route-Filter equivalent (or similar) to the Cisco Route-Maps?
Ethernet eth1 = router.hardware.ether1;
eth1.ip.address = “192.168.0.1”;
eth1.status = enabled;
log (“Eth1 - current speed: “ + eth1.speed);
Well, most definitely not before 2020 if they choose to develop everything from scratch.Nice list, but you have to ask yourself - do you want to see RouterOS v7 before or after 2020?
Yeah, the prototype is usually just a part of a POC they probably did ages ago. If they are smart, they'll release a version that will match the functionality in v6 and continues from there when things have stabilised. One thing is for sure, the folks at marketing will have to cope with all the people that have extremely high expectations of v7 and that believes it will solve all problems in the world!The trouble with working prototypes is that while you can create one in couple of days, you then need couple of months to turn them into something you can share with others, and much more if you want to reliably tackle all corner cases. I imagine there are quite a few in something with RouterOS size. So while I hope to see some of your suggestions make it into v7, I think a lot of others can be just distant dream for v8 or so.
What about this workaround? http://forum.mikrotik.com/viewtopic.php?t=7367#p32149. You might even save some addresses...RFC 3021
feature instead of 1 policy per subnet on same VPN-Peer, as I have 1 customer with around 150 subnets and this is a total overkill for searching throug policis.IPSec Policy with ADDRESSLIST
This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.
JF.
Thank you, I will look at your suggestion ... but anyway I find it would be way more user friendly to have for example a "Locate" button in Routerboard menu instead of having to program scripts for such a task.This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
/tool user-manager user print
/tool user-manager user print detail
Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.
JF.
And IPv6 filter on dst-address doesn't work at all in WinboxHello!
RouterOS "ip route print where dst-address in x.x.x.x/z" is fast. But for a reason the same for ipv6 is slow (when the number of routes is large).
Please, make ipv6 route lookups fast as well.
You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]
No certificates at all!! Maybe thats the problem??You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]
Another guess- CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone configuration of CAP devices?No certificates at all!! Maybe thats the problem??
Have ~50Caps - in Capsman Radio list shows all, and in the list no dublicated macs!!! This was my first gues, but seems there everything is ok!!Another guess- CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone configuration of CAP devices?No certificates at all!! Maybe thats the problem??
Yes, but not immediately - it should be stored as a DNS name and resolved in real time. For example, it's pointless to resolve /tool email server once and store it as a numeric address, which is why ROS will store it as a name. However, /system watchdog resolves the same server once and then stores it as a number, which is wrong. Also, you don't want things to fail because they can't be resolved immediately when you are configuring a router on a workbench and it has no connection to your network.i think that this should be global. anywhere you specify a dns name it should be resolved.Hi,
Please add feature that will allow me to add DNS name instead of exact IP address. I need this to connect 2 or more MKT routers (PPTP connection) if they are connected to internet thru ADSL and theirs IP addresses are dynamic. I hope that you understand what I am saying and that we can expect this feature in new ROS.
bye,
This would be good for both /int wireless access and /int wireless connection; also the "add to access list" and "add to connection list" operations, where you already know that the resulting entry will not be incompatible with the connection that already exists, because it is being generated from that connection.Please make it possible to change the comment associated with a connection without it restarting said connection.
Many of the newer, lower-cost devices have no beepers. I have come to rely on the beepers for so much diagnosis (esp. SXT setup) and I really miss them. I would pay the extra buck.Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.
JF.
JF.
export compact
/something1
some config
/something2
some config
export compact
/something1
some config
/something2
somet config
+1I believe this request can be implemented very fast but it helps the ROS management with Multiple WAN a lot!
The "/ping" and "/system ssh" allow user to specify the "src-address" parameter so that the command can initiate the network connection on specific WAN easily.
BUT "/tool fetch" doesn't include "src-address" parameter.
The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to archive this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.
The whole situation can be simplified tremendously by only adds the "src-address" parameter to "/tool fetch"
setup some VPN tunnel between the routersThe problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to archive this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.
The whole situation can be simplified tremendously by only adds the "src-address" parameter to "/tool fetch"
that's because the variable name "identity" is the same as parameter name "identity". the following code works correctly:Please add the ability to do a where query in [] with any valid-variable.
fail example:
:local identity "testRouter"
:local interface [/ip neighbor find where identity=$identity]
fail reason:
result differs from :local interface [/ip neighbor find where identity="testRouter"]
contains several interface which don't have the specified identity.
:local id "testRouter"
:local interface [/ip neighbor find where identity=$id]
:local interface [/ip neighbor find where $identity=$id]
:local interface [/ip neighbor find $identity=$id]
this would degrade the packet forwarding performance in an unpredictable but disastrous way.I would love if I could run a script as a firewall action.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.this would degrade the packet forwarding performance in an unpredictable but disastrous way.I would love if I could run a script as a firewall action.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
On that note, it would be really great to have an average cpu value being displayed in the resources tab. At the moment I have to run a script periodically and try to calculate this on my own.Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks
there are certain "optimised" actions (like add-src/dst-to-address-list) which could have their "script" counterparts, but that doesn't mean they're the same. packet forwarding is not a thing where one want to mess with interpreted code. and running a script (executing a series of routeros commands) is actually running an interpreted code.You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.this would degrade the packet forwarding performance in an unpredictable but disastrous way.I would love if I could run a script as a firewall action.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
I don't see why it's not possible to do the same with a run script on hit rule with some guidelines as you mention exists for the L7 rules. Unfortunately not everybody reads MUM slides.i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then its up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.this would degrade the packet forwarding performance in an unpredictable but disastrous way.I would love if I could run a script as a firewall action.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)
seems we have to leave it to Mikrotik guys do decide which way to goYou do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.
Indupitablyseems we have to leave it to Mikrotik guys do decide which way to go
this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
+1 for this, it makes the current traffic flow implementation 99% complete. It's that 1% we all need to make it useful to anyone using BGP.this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
So I think I'll stick with wanting better OpenVPN for a while, at least until this happens:WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.
After version 1 is finalized, an RFC will be written and standardized.
Spoiler alert: Trump gets impeached!About the WireGuard idea, are you a time traveller writing to us from future? :)
Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.
i made some workarounds to make fasttrack+ipsec+dualwan all work together..but i really wish they'd come up with something better1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/FasttrackQueues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.
Normis add /31 address for PTP links.
/ip address add interface=ether1 address=192.0.2.2/32 network=192.0.2.3
... and routing table/vrfIt will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
..and the possibility to set source address (e.g. remote ipsec hosts)Hey, Mikrotik team!
Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
Netwatch can trigger a script.Hey, Mikrotik team!
Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
+1Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible cryto / plaintext password store.
Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
It might be nice to have an option for color in the logs.Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find then faster with an eyeblick.
(I think, ANSI colors would be enough, but more color, more fun.)
An please, put a "find" option to log.
Best regards: Xen
You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?
How about instead we look to the future: WireGuard https://www.wireguard.io
Clients for every major OS, modern cryptography, and the performance looks pretty amazing:
Screen Shot 2017-06-10 at 23.44.39.png
I hope 2018 will be the year that MikroTik finally continue working on IPv6 support.It should be very simple to add support for selecting the bits of the IPv6 RA
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip settings
set allow-fast-path=no
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes
I'd like to re-request the function of rinetd.
Never heard of that before, but I did similar things in the past using "netcat" ("nc")I'd like to re-request the function of rinetd.
https://boutell.com/rinetd/
http://brewformulas.org/Rinetd
You can do the same thing on a MikroTik using a src-nat and a dst-nat rule!We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow uns to access these devices from remote (telnet, SSH, webinterface, SNMP, ...).
HOW???A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.
Another +1 for me. Please implement this, as WireGuard is steadily moving towards mainline kernel inclusion.Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.
This is just a special case of the generic feature request to have some way of sharing settings in winbox between a large number of routers.it would be great if it would at least remember my settings between routers
But then I have to do that on each of the hundreds of routers in my Winbox managed sessions list.... Right? I guess my point is that I see no reason at all why someone would not want to see the dashboard information in the upper right. Is there a reason? It's just extra stuff (menu options) that doesn't need to be there. Turn them on all the time for every session and just get rid of the Dashboard menu.This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as
Next time before connecting to new router pick saved session.
.The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidthSeems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
This is what I have been asking for several times over the years. It's good someone else now asks again.- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select colums should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menues and often does not fit on the screen so has to be scrolled as well.
Well, I would suppose that if somebody (like me) needs a simple-queue setting in any of the fields greater than 4294-Meg, then they are likely running something with a big-beefy-CPU , such as a CHR on a fast Xeon processor or possibly a high-end or current or future Mikrotik hardware product.That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidthSeems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.
+1Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible cryto / plaintext password store.
Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
Cant you already do that via firewall, dont understand what more you need, if you want to block DNS requests form outside net, or alow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..Hello
to disable DNS attacking
please add listen address on better from use ip firewall filters
/ip dns allow-remote-requist=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y
Regards
All other services have something like that. Api, ftp, ssh, telnet, winbox and www have "available from" option in IP->Services, smb allows to choose interface. If it makes sense for them, surely it would make sense for dns too.... if you want to block DNS requests form outside net, or alow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..
this might be two things however. while the interface statistics could be worked out with "/tool graphing" even with resource visibility separation - currently using src ip address as differentiator - the "editing" part is tough. so if you can separate your customers based on ip address, you can define which interface/queue/resource the user may be viewing on the router's web gui.With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.
Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.
You will have to learn and understand that you should use QuickSet only ONCE and not look at it later!Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)
Do you know dst-nat ?I've been waiting for along time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533
The purpose is to get DNS service from non default port DNS Server.
Any response is greately appreciated,
Thank You
There are some non port 53 DNS configurations/uses.Is there any DNS server on port other than 53?..
The intended use case is probably where the ISP blocks or redirects access to port 53 outside (only allowing acces to their own resolvers)There are some non port 53 DNS configurations/uses.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.Not worth it to make a change in the router for that, just use dst-nat.
Ok apparently it needs a real loop, I was thinking about adding a loopback interface (an empty bridge with an IP address) and sending the DNS queries there.But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.
It is not a limitation of those routines, but of the maximal length of a variable content.file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!
I have a solution to decrease costs with DNS filters like OpenDNS or SafeDNS, using a DNS resolver intermediate on UDP port 5353. All my 100 MK with different valid IPs points to this resolver.Is there any DNS server on port other than 53?..
1.3.6.1.4.1.9.9.150.1.1.1.0
/interface pppoe-server print count-only where service=service5
You can have this info from the radius server. (if used)Feature Request:
Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when usingCode: Select all1.3.6.1.4.1.9.9.150.1.1.1.0
Mikrotik routers as BRAS/BNG/PPPoE Server.
If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.
To workaround we can use this:BUT it should be a nice feature to add to SNMPCode: Select all/interface pppoe-server print count-only where service=service5
/tool sniffer set filter-ip-protocol=udp filter-port=32000-32255
i have run several DNS servers using many port other than 53, the purpose is for internet filtering, users can select filtering level by choosing dns port, check out https://www.thenetpurifier.com/filtering.phpIs there any DNS server on port other than 53?..
vote +1 for dstnat in output chainCurrent RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.Not worth it to make a change in the router for that, just use dst-nat.
dst-nat not working in output chain, AFAIKDo you know dst-nat ?I've been waiting for along time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533
The purpose is to get DNS service from non default port DNS Server.
Any response is greately appreciated,
Thank You
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS). And any sensible server allows to add unknown record types using generic syntax. If you have hosted DNS and you depend on some admin interface, it's another story and I guess support there will be very bad. That was the authoritative part. Resolvers should be transparent for unknown types since forever.There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
I googled for it and I cannot find any DNS server that has documented APL support, including Bind. We use bind 9.If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS).There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
So, you'll need to enter encryption password each time router reboots?Encrypt nand filesystem, so when some thieve unsolder it, cant read my config.
1+Please, implement bandstearing for wifi, especially in CAPsMAN.
Please, add support 802.1x for wire interfaces.
Yes! +1, pretty please?Please, add support 802.1x for wire interfaces.