MikroTik

tomislav91

i wanted to get a bit more down a cpu usage, and put this in this order some rules where local are my local subnets, and remote is ipsec remote subnets (without those lists i have a issues to connect to remote subnets its a verrryyyy slow) add action=accept chain=forward dst-address-list=Remote src-...

tomislav91

i solved it and put into variable

:global test ([:pick [/ip arp print as-value where mac-address~"^AA:BB:CC"] 0]->"address")

tomislav91

I want to pick all address which devices from ARP but i got only one IP :put [ip arp print where mac-address~"^AA:BB:CC"] Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete # ADDRESS MAC-ADDRESS INTERFACE 0 DC 10.11.138.130 AA:BB:CC:D7:08:35 lan_bridge 1 DC 10.11.13...

tomislav91

Hi guys, i want to automate script which are going to queue ip whenever is come to dhcp lease, reason is simple. I have a bunch of rotuers and one device is going to be on all that routers attached. So I dont want to queue it all 1 by one. I stuck here: I have part of good output for the appropriate...

tomislav91

Idea behind all is to use that ip and set a queue. Do u have idea how to use that IP and set it to queue

tomislav91

No, "~" is a matching operator. Use it instead of "=", not as a part of the expression - which may be as simple as "^B0:6E:BF", meaning any string that begins with "B0:6E:BF".

thats it! THANKS!!!!

tomislav91

You can use regular expressions with "~" operator -- https://wiki.mikrotik.com/wiki/Manual:S ... _Operators

i tried like this

put [ip dhcp-server lease get [find mac-address=B0:6E:BF~"^([0-9a-fA-F][0-9a-fA-F]

{5}([0-9a-fA-F][0-9a-fA-F])$" address]

but nothing.. Where i mistake?

tomislav91

Hi guys, i am having same device on many routers, can I somehow get IP when use only first 3 octets of mac address? put [ip dhcp-server lease get [find mac-address=B0:6E:BF:1D:A1:2D] address] this output me IP, but every device has different last 3 octet. Can I somehow trick this code to use whateve...

tomislav91

Is there some address list or rules for forbid users to connect via teamviewer?
i found some, but somehow it goes throguh.

tomislav91

I got sometimes my ipsec tunnel status expired or established but i cant ping from one subnet to another. Dont sure what causes it. When I disable/enable a couple of time, it works. Can I use maybe

/ip ipsec installed-sa flush

?

tomislav91

Yes, i am having a drop rule which drop address list. Yes, i wanted to say a many requests.
Problem wasnt in too much traffic on interface, problem is that icmp flood with many connections (arround 100k)

add action=drop chain=input comment="IN-Defend from Ping" src-address-list=ping-evil-people

tomislav91

Just to add this with my rules?
Can i block somehow connection with same source, but must be a large number of connection, because i dont want to affect my traffic

tomislav91

hi, can you redirect me on best way to defend against icmp packets which came to router, not only ping, or traceroute, and so on. i am having firewall rules add action=accept chain=input comment="Allow ICMP" protocol=icmp src-address-list=mylist add action=accept chain=output comment="OUT-Allow PMTU...

tomislav91

so genneraly i can add fasttrack when source is ip of server and destination is my local subnet that use that server every day and also add accept for same src and dest?
I just want to somehow speedup connection to my server, as fast as i can with filter.

tomislav91

does it play any role in faster connection between two subnets with this commands /ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related src-address=192.168.2.0/24 dst-address=192.168.3.0/24 add chain=forward action=fasttrack-connection connection-stat...

tomislav91

I cant get psu state, just empty field.

tomislav91

Hi, i found alert configuration manual on https://wiki.mikrotik.com/wiki/Manual:T ... ifications, and it is ok, working as charm, but i get for all services alert when router is down. I want only for ping, can I somehow change it?

tomislav91

Please list your configuration, so it's clear what is where... /export compact hide-sensitive # model = 951Ui-2HnD # serial number = 815708D04500 /interface bridge auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none /interface ethernet set [ find default-name=ether1 ] adv...

tomislav91

I am having a 10.106.0/24 local subnet in bridge for my devices, and some pc connected to wifi which subnet is 192.168.100.0/24. How can i manage to get a wifi 192.168.100.40 see local subnet or just one IP 10.10.6.50/24 I tried to add src nat masqaraude but not working add action=masquerade chain=s...

tomislav91

What really means phases from 1 to 3 in defence of brute force? After phase 3 ip is forwarding to address list which has been dropped via rule. But what really means phase 1 2 and 3? I have allways ip in addreess list from phase 1 and dissapear because of timeout. Never goes to phase 2 and 3 and fin...

tomislav91

I am having a firewall rules add action=jump chain=input comment="Jump to RFC SSH Chain" jump-target=\ "RFC SSH Chain" log=yes log-prefix=PSD add action=add-src-to-address-list address-list="Black List (SSH)" \ address-list-timeout=none-dynamic chain="RFC SSH Chain" comment=\ "Transfer repeated atte...

tomislav91

Winbox is to control the router and the router setup. It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique. Theese are okay if you are using just a few mikrotiks. But when you get plenty of them in different places around...

tomislav91

What about this?
https://rickfreyconsulting.com/basic-mi ... e-version/

I found basic firewall settings.
Can I add this to my routers?

tomislav91

If you need to use winbox from the outside you do not have many option. 1. VPN (best option) 2. Open Winbox but: a. change to other port than 8291 b. set an access list to reduce who can access it c. use port knocking d. setup some monitoring. example getting email every time some logs inn. Hi, i a...

tomislav91

To begin with, remove the value entered with "/ip services set winbox address=X.X.X.X/Y". That's just plain bad! Even if you're coming in from other offices, don't see it as coming in through the WAN port. You're coming in through a point-to-point link (L2TP/IPSEC, which is great) from an other LAN...

tomislav91

Winbox is to control the router and the router setup. It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique. If you want access to a LAN from the WAN side, then again if its to a specific server use DESTINATION NAT. In oth...

tomislav91

Hello, Do you realize that by giving your public IP address, you basically invited everybody to test your security? Make sure you have a strong firewall and have secured your router. Best regards, Sent from Tapatalk can you than tell me how to secure winbox port? I want access only within my local ...

tomislav91

I added to ip services winbox that address is my WAN IP.
But i cant access it.
Why?
I wrote this

set winbox address=x.x.x.x/29

tomislav91

Hi, i want to enable one and disable another policy.
Can you check it why give me error no such item?

ip ipsec policy set disabled=no numbers=2
no such item

I have policies
#1 and #2 in IPsec policy tab...

tomislav91

Thanks all for you replies! appreciate!!! I did it like this. Get in the first way, all dhcp lease, and than with some command filter only IP addresses grep -i -w kl locations.txt > locations1.txt;cat locations1.txt | awk -F " " '{print $2, $3}' > locations2.txt; sed 's/D//g' locations2.txt > locati...

tomislav91

I'm not familiar with sshpass but judging from the on-line documentation it will return stdout from remote process just like ssh does. You have two possibilities: you can take whole output from your script (I don't know how exactly does it look like, are data fields comma-separated within single li...

tomislav91

Because a dash was missing in what I wrote. Now I got home and tried using the Tab button:
Code: Select all
[me@MyTik] > put [ip dhcp-server lease get [find host-name=my-HP] address]
192.168.88.254

if I have more than one with same name, it throws me

invalid internal item number

tomislav91

If you're going to fetch lease info from linux box via ssh, then you can easily do filtering with some simple commands on linux box itself. One-liner that does the trick: WANTED=my-host-name; LEASES=$( ssh user@routerboard.my.domain '/ip dhcp-server lease { :foreach i in=[find (!dynamic && status="...

tomislav91

If you really do want the file name to be sourced from variable n as you suggest, you have to do what I wrote earlier. There is no file modifier to put , nor there is a way to make print print a single value. So you have to generate a file with any bogus contents: /routing print file=$n and then re...

tomislav91

:global n [ip dhcp-server lease get [find host-name=PC] address];/file print file=$n This line of code says: - set the value of a global-scoped variable named n to the ip address leased to device with hostname PC - print the list of existing files into a file whose name is retrieved from the global...

tomislav91

thanks for reply. Problem lies somewhere alse abvious. When sshpass this command ip dhcp-server lease print file=$n my script execute without problem. I use that variable n in later lines of code. But i dont need all dhcp lease, only with PC hostname, we solve that, but what is difference with that ...

tomislav91

Because a dash was missing in what I wrote. Now I got home and tried using the Tab button: [me@MyTik] > put [ip dhcp-server lease get [find host-name=my-HP] address] 192.168.88.254 thanks man! It works now. Only last problem, i must put that into file. sshpass -p $pass ssh -o $log -n $user@$h -p 41...

tomislav91

it throws me "no such item"

tomislav91

I got via

ip dhcp-server lease print where host-name="pc"

but you help me how to get only Ip address without unnecessary information from result of command?

tomislav91

Sorry, can you use another wording? It is not clear to me what you need. Ok, look, i have my dhcp lease on several computers. I want to get Ip address of hostname PC. SO i wrote a bash script that connect via ssh to mikrotik and run a terminal command. Problem is that I dont know how to get IP addr...

tomislav91

That looks to me as an insufficient indication to bash what it should handle and what not.. Try to place the whole command for Mikrotik into quotes and escape the symbols ",$,\ you need to make it to Mikrotik: sshpass -p $pass ssh -o $log -n $user@$h -p 4111 " /ip dhcp-server lease { :foreach i in=...

tomislav91

does it possible from that script to get only ip addresses with hostname i define?

tomislav91

sshpass -p $pass ssh -o $log -n $user@$h -p 4111 /ip dhcp-server lease { :foreach i in=[find (!dynamic && status="bound")] do={ :local activeAddress [get $i active-address]; :local activeMacAddress [get $i active-mac-address]; :local hostname [get $i host-name]; :put ($outputContent . "\n" . $activ...

tomislav91

can i get via terminal ip address of hostname only?

part of my script is

ip dhcp-server lease print file=$n

but this give me all dhcp lease addresses. can I find somehow ip of hostname="pc"?
My all devices have all the same hostname, and i need all ip addresses for all pc's.

tomislav91

It gives me error. It works directly to mirkotik but from ssh i cant do it.
Does it possible to resolve that issue?

tomislav91

How it possible to do it in one line of code in terminal this command i found here on forum /ip dhcp-server lease { :foreach i in=[find (!dynamic && status="bound")] do={ :local activeAddress [get $i active-address] :local activeMacAddress [get $i active-mac-address] :local hostname [get $i host-nam...

tomislav91

i need to change a several address from a mikrotik via terminal. I find how to change a ip address /ip address set [/ip address find address="10.0.0.1/24"] address=20.0.0.1/24 I need also to change /ip dhcp-server network add address=10.10.0.0/24 gateway=10.10.0.1 /ip pool add name=dhcp_pool1 ranges...

tomislav91

binding is not priority for now. Mikrotik reads hostname from a netbios name and it is ok.

Just curious how to make a script to make it easier. I will do it via bash, but how to search it in mikrotik terminal? If for example hostname is "warrior".

tomislav91

Hello, i was wondering does ti possible to have some script which will show a IP address from a hostame.
So if I have pcs and want ip of it, just to search by hostname "PC" and to find an ip.
I have several hostnames, and just want to make things quicker.

tomislav91

which version must i install and put it into router? it is a server.
In download section is more than 1 version

tomislav91

I manage to succeed something. I add in routes of these two routers in destinatiom address whole subnet of second router amd gateway set to l2tp, which I with main router have access to them. Do in my main router i have l2tp connection over ipsec. And now two routers can communicate and can see any...

tomislav91

i make virtual linux machine which connect through ssh to router and backup all..

tomislav91

i have also linux machines and no ping as well..

tomislav91

I manage to succeed something. I add in routes of these two routers in destinatiom address whole subnet of second router amd gateway set to l2tp, which I with main router have access to them. Do in my main router i have l2tp connection over ipsec. And now two routers can communicate and can see anyt...

tomislav91

no subnets are for the different routers, two routers and two subnets, each for router. These two routers are connected via vpn to the main router.

tomislav91

Hello, i have two routers in two different networks. 10.0.8.0/24 and 10.0.58.0/24 I want to manage that that two subnet see each other. I added ip firewall filter add action=accept chain=forward dst-address=10.0.58.0/24 and different in another router, but there is no connection between them. Where ...

tomislav91

How can I check which device consume most upload in my network? And which column should I look for.

tomislav91

why do u use script?

just use route

/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=2 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.0.1 scope=10

tomislav91

i think that u need is in Queue, than in simple queues click + sign and than choose target and bottom you have max limit. There you can do it, if this is what you want

tomislav91

can anyone give me idea what to try?

tomislav91

But i have connected to l2tp and have access to the internet. So l2tp is working, just i cant cant access to 88 where are switches

tomislav91

no? Must I?
And where to configure? ON my router where are switches connected?
I often use l2tp and all works just fine

tomislav91

I have connected to my router via l2tp. To that router is connect several switches with adresses in range 192.168.88.1-254. I set dhcp pool with that l2tp profile to range which switches are configured. But I cant see switches, i cant ping, but tp link easy smart configuration utility cant see them....

tomislav91

Hi guys, i wanted to have some monitor my network.
Configuration is next:
i have my main router and clients routers and i want to have some maybe windows-linux based web server to monitor my rotuers and traffic between (which app users open, downloaded, etc).

tomislav91

I have problem with connecting several switches. I have internet connection to one switch and want to share with all because there is no possibility to connect all,cable goes through wall. I connect main switch where is internrt connection from mikrotik router, on port 24 to port 23 of another switc...

tomislav91

https://drive.google.com/file/d/0Bxq9Ym ... JCYkk/view

Can I make a change of this function to test a more than 1 peek? At least 4, because maybe ping is 24ms,23ms,222ms,10ms, and alert me. I want to have alert, yeah, but when high ping is at leasst 4 passes.

tomislav91

Hi, can you please help me how to set if i need to my vlan1 see vlan2? How can I configure that?

tomislav91

i want to configure mikrotik to have a vlan and setup is : mikrotik port1 is WAN cable, and access to internet, port2 is configured dhcp pool 88.0/24 and bridged with port4 to have access via port2 to my laptop. Port 4 is connected in port 24 with smart swtich, and in switch port 8 is on my pc. Prob...

tomislav91

Hello, i am having an idea, but i think that is impossible :D So, whole idea is when my l2tp client change wan address i must that address put in ipsec in my mikrotik router. Can I make some script or you can help me, to notify me when some device l2tp client changed wan address? In case of l2tp cli...

tomislav91

I did it.
Just in add in services with your function and notification.

tomislav91

I have earlier post when take a function which all it does is that pop up me when ping is over 200ms (ping 8.8.8.8). I have a probe name ping with type ICMP, packet size 56, retry count 3 and interval 1000. Can I make a function or service that notife me. can I just in services with type "ping" just...

tomislav91

Or any other solution for my general problem, to get informed if router has bad ping to 8.8.8.8.
Yeah, I have internet, but when ping is 100,200,300ms it is slow and bad, and want to switch to another interface where is another isp provider. That's whole idea.

tomislav91

Can you just tell me about Dude. Does it possible to get an alert for maybe ping to create alarms? Just ask because of much queries to router... yes, you can use it. for example i use it to send e-mail for warnings and not very critical events. and most important are also send to telegram. but if y...

tomislav91

it means that you have only one ROS device in dude. so, ping rtt from your dude server to 8.8.8.8 is also >100 when you test? I can choose instead of default a device which is in the Device. But it is the same. to device. Problem is when server has higher ping. i can't test with values more than 20...

tomislav91

in agent is only default. it means that you have only one ROS device in dude. so, ping rtt from your dude server to 8.8.8.8 is also >100 when you test? I can choose instead of default a device which is in the Device. But it is the same. to device. Problem is when server has higher ping. i can't tes...

tomislav91

in agent is only default. it means that you have only one ROS device in dude. so, ping rtt from your dude server to 8.8.8.8 is also >100 when you test? I can choose instead of default a device which is in the Device. But it is the same. to device. Problem is when server has higher ping. Dude server...

tomislav91

very strange. on history tab of the service you can see graph with values. what values does it get (when ping is > 100ms)? This is a graphgra.png I cant see there is more than 100ms? ok. and our "default" agent is the mikrotik from that site (it also will have >100ms to 8.8.8.8) or it is dude serve...

tomislav91

very strange. on history tab of the service you can see graph with values. what values does it get (when ping is > 100ms)? This is a graphgra.png I cant see there is more than 100ms? ok. and our "default" agent is the mikrotik from that site (it also will have >100ms to 8.8.8.8) or it is dude serve...

tomislav91

very strange. on history tab of the service you can see graph with values. what values does it get (when ping is > 100ms)?

This is a graph

gra.png

I cant see there is more than 100ms?

tomislav91

glad to help you can try to change "probe interval", "probe down count", "probe timeout" to have faster response also notifications to telegram come faster than e-mail i putted notification pop up, but when put a 10ms it give me pop up, but when 100ms there is no pop up. i don't use "popup", so i c...

tomislav91

Must I put an Agent to be like Device in drop down menu? It is a routers.

tomislav91

in error line - you deleted ) at the end i found it, and response with a bit delay notification popup. But it works. Thanks glad to help you can try to change "probe interval", "probe down count", "probe timeout" to have faster response also notifications to telegram come faster than e-mail i putte...

tomislav91

sorry for that, but again parse error.. in error line - you deleted ) at the end i found it, and response with a bit delay notification popup. But it works. Thanks glad to help you can try to change "probe interval", "probe down count", "probe timeout" to have faster response also notifications to ...

tomislav91

sorry for that, but again parse error..
in error line - you deleted ) at the end

i found it, and response with a bit delay notification popup. But it works. Thanks

tomislav91

look this: https://drive.google.com/open?id=0Bxq9Ym3e0mk-bXptQXRXX2JCYkk i modified this probe to your needs. add it to all devices from which you want to monitor ping to 8.8.8.8 actually, i don,t know what to do if this devices are not RB or there are no RB in this site, but if it is mikrotik - as...

tomislav91

Is this that? How can I decide on which device this working? Or that work on all devices in Dude? look this: https://drive.google.com/open?id=0Bxq9Ym3e0mk-bXptQXRXX2JCYkk i modified this probe to your needs. add it to all devices from which you want to monitor ping to 8.8.8.8 actually, i don,t know...

tomislav91

Is this that? How can I decide on which device this working? Or that work on all devices in Dude? look this: https://drive.google.com/open?id=0Bxq9Ym3e0mk-bXptQXRXX2JCYkk i modified this probe to your needs. add it to all devices from which you want to monitor ping to 8.8.8.8 actually, i don,t know...

tomislav91

yes, you can use it. for example i use it to send e-mail for warnings and not very critical events. and most important are also send to telegram. but if you want to have a message when 200+ms then you have to make a probe for that also you should remember that you will monitor "ping" from dude to y...

tomislav91

Can you just tell me about Dude. Does it possible to get an alert for maybe ping to create alarms? Just ask because of much queries to router... yes, you can use it. for example i use it to send e-mail for warnings and not very critical events. and most important are also send to telegram. but if y...

tomislav91

Can you just tell me about Dude. Does it possible to get an alert for maybe ping to create alarms? Just ask because of much queries to router... yes, you can use it. for example i use it to send e-mail for warnings and not very critical events. and most important are also send to telegram. but if y...

tomislav91

Thanks all for reply. Just tell me, maybe here needs a space: to=to@mail.co mf rom=from@mail.com I have updated it can you just tell me one thing. Server IP for email. What should I put here? If i want to send to gmail, i need to put gmail SMTP wan ip? #Mikrotik Ping more than 200ms to send mail #h...

tomislav91

Thanks all for reply. Just tell me, maybe here needs a space:
to=to@mail.comfrom=from@mail.com
I have updated it

can you just tell me one thing. Server IP for email. What should I put here? If i want to send to gmail, i need to put gmail SMTP wan ip?

tomislav91

Thanks all for reply. Just tell me, maybe here needs a space:

to=to@mail.comfrom=from@mail.com

tomislav91

Does it possible to get some modification of scripts to see external ip from another interface?

tomislav91

Hi, i found a script to get me an ext ip from interface { /tool fetch url="http://myip.dnsomatic.com/" mode=http dst-path=mypublicip.txt local ip [file get mypublicip.txt contents ] put $ip } Also find # Set needed variables :global extinterface "ether1-gateway" :global ExtIpListName "external-ip" :...

tomislav91

Hi,

i am having a failover over mikrotik router, and want to send me an email when ping to 8.8.8.8 over ethernet 1 / gw 1 send me an email? I am having script to send me email when there is no ping.

Search found 96 matches