Community discussions

Search found 161 matches

by psamsig
Fri Jan 12, 2018 1:47 pm
Forum: Scripting
Topic: Bandwidth-test in a script
Replies: 8
Views: 11740

Re: Bandwidth-test in a script

quite inconsistent
In what way? I was personally going for the max 10 second avg over a 20 second period, and picking the 'true' 10 second avg should at most be a matter of taste? (and so is 1000 and 1024 as long as you are consistent in what you compare with)
by psamsig
Tue Dec 29, 2015 9:24 pm
Forum: General
Topic: Routerboard 2011UiAS firmware upgrade
Replies: 4
Views: 3553

Re: Routerboard 2011UiAS firmware upgrade

http://wiki.mikrotik.com/wiki/RouterBOOT_changelog

Upgrade is not automatic, you need to push 'Upgrade' in WinBox (System->Routerboard) and then do a reboot.
by psamsig
Fri Dec 25, 2015 4:32 pm
Forum: Scripting
Topic: Script is not executing....
Replies: 1
Views: 1028

Re: Script is not executing....

You can not use absolute numbers in script, that is only for terminal. You have to 'find' what you want to set. :global a /ip hotspot user :set a [get "00:27:0E:03:C4:21" bytes-out] /ip hotspot ip-binding :if ($a= "15730745") do={ set [find mac-address "00:27:0E:03:C4:21"...
by psamsig
Mon May 25, 2015 9:35 am
Forum: Scripting
Topic: How to perform a "dhcp-server lease find"?
Replies: 3
Views: 4347

Re: How to perform a "dhcp-server lease find"?

find has no output, only a return value, try this instead:
:put [/ip dhcp-server lease find]
by psamsig
Thu May 14, 2015 7:27 pm
Forum: Scripting
Topic: automating access list oddity
Replies: 2
Views: 2265

Re: automating access list oddity

I am pretty sure the problem lies with the :for i from=0 to=( go with :foreach i in= instead. Item indexing in script/scheduler works differently than in console. Not sure what the script tries to accomplish, but here is my shot on a slightly more readable version: /interface wireless registration-tab...
by psamsig
Fri May 01, 2015 1:40 pm
Forum: Scripting
Topic: please Help me
Replies: 5
Views: 1763

Re: please Help me

There are breaks between the IPs, it is in UNIX format, so only terminated by a \n, not \r\n as Windows expects. Script almost worked, but would end in an endless loop, if it didn't break on the IPv6 addresses (at least on mine, since I haven't IPv6 activated). Here is one that works: /file { :local f...
by psamsig
Thu Apr 23, 2015 6:19 am
Forum: Scripting
Topic: scheduler not work in v6.27
Replies: 7
Views: 1912

Re: scheduler not work in v6.27

Did you enable the scheduler? (I scripted it disabled).

The script you posted searched for more than 2 (e.g. 3 or more) identical names, that part I didn't change.
by psamsig
Tue Apr 21, 2015 11:41 pm
Forum: Scripting
Topic: scheduler not work in v6.27
Replies: 7
Views: 1912

Re: scheduler not work in v6.27

I have tried to tidy the script up a bit, but have no hotspot running, so it isn't tested /system scheduler add comment="\C7\E3\D3\DF \CD\D1\C7\E3\EC" disabled=yes interval=1m name=\ "NetCut((shadysoft))" on-event="NetCut((shadysoft))" start-time=\ startup /system scrip...
by psamsig
Tue Apr 21, 2015 10:34 pm
Forum: Scripting
Topic: scheduler not work in v6.27
Replies: 7
Views: 1912

Re: scheduler not work in v6.27

First guess, don't put code in on-event, put it in a script. It used to (somewhat) work, but has never been good practice.
by psamsig
Sun Apr 05, 2015 10:42 am
Forum: General
Topic: scheduler script won't run , manual run O.K
Replies: 9
Views: 2738

Re: scheduler script won't run , manual run O.K

Apart from the typo I just fixed, there shouldn't be any syntax errors. If you have only cherry picked, then write the pick like this:
:local Sms [:pick [/tool sms inbox find] 0];
by psamsig
Fri Apr 03, 2015 12:32 am
Forum: General
Topic: scheduler script won't run , manual run O.K
Replies: 9
Views: 2738

Re: scheduler script won't run , manual run O.K

I rewrote it slightly, to make it more readable, but it should be fairly obvious to see what you need to change. I haven't tried it, since I have no SMS device to try it out on. I don't know what the delays are good for so I kept them, and not sure either what the set receive-enabled=yes; is good fo...
by psamsig
Thu Apr 02, 2015 7:41 pm
Forum: General
Topic: Script Tips
Replies: 2
Views: 1621

Re: Script Tips

This will rename and un-slave all ethernet interfaces
/interface ethernet {
    :foreach eth in=[find] do={
        set $eth name=[get $eth default-name] master-port=none;
    }
}
No worry about renaming, it is only a label for your reading pleasures. It won't affect firewall, routing, etc., it will however affect ...
by psamsig
Thu Apr 02, 2015 1:03 am
Forum: General
Topic: scheduler script won't run , manual run O.K
Replies: 9
Views: 2738

Re: scheduler script won't run , manual run O.K

:global SmsMsg [/tool sms inbox get value-name=message number=0];
Never ever use numbers directly in 'get' statements, they are only meant for use in console (as returned from a print), in scripts you get the number with 'find'. I'll be happy to rewrite it for you if needed.
by psamsig
Tue Mar 31, 2015 4:58 pm
Forum: Scripting
Topic: scripting an FTP file upload using a file with an unknown name ending in .txt
Replies: 7
Views: 1559

Re: scripting an FTP file upload using a file with an unknown name ending in .txt

I'm all for teaching good practice, the reason I commented in the first place. Putting multiple statements on one line separated with semicolons would sure work, but personally I am not a fan of multi-statement lines, they are no easy read. All down to taste of course.
by psamsig
Tue Mar 31, 2015 3:46 pm
Forum: Scripting
Topic: scripting an FTP file upload using a file with an unknown name ending in .txt
Replies: 7
Views: 1559

Re: scripting an FTP file upload using a file with an unknown name ending in .txt

No you do not need to use :global instead of :local, only if run from the console, since each statement is then treated as independent scope, unless it is part of a common block (i.e. in {}) { :local myname [/system identity get name] /tool fetch upload=yes mode=ftp address=x.x.x.x src-path="$m...
by psamsig
Fri Dec 26, 2014 12:32 am
Forum: Beginner Basics
Topic: NAT to two different servers on the same port via hostname
Replies: 2
Views: 1367

Re: NAT to two different servers on the same port via hostna

You can't do L7 to direct NAT, it is too late since the TCP connection is already established. My best idea would be to make a redirect on one of the two servers, to a URL including a port number e.g. http://mysecondserver.com:81 and then add a NAT for that to the second server. Not pretty but i wor...
by psamsig
Mon Oct 13, 2014 8:25 am
Forum: Beginner Basics
Topic: Firewall Mangle rule shows no traffic
Replies: 10
Views: 4229

Re: Firewall Mangle rule shows no traffic

You need to change protocol to tcp. OpenVPN can be either TCP or UDP, in RouterOS only TCP is supported.
by psamsig
Thu Oct 02, 2014 8:33 am
Forum: Beginner Basics
Topic: A good VPN provider for Mikrotik RB750GL running 5.26 ?
Replies: 4
Views: 1952

Re: A good VPN provider for Mikrotik RB750GL running 5.26 ?

Any interface with an address will have at least one route, if you get a default route (0.0.0.0/0) you just need to uncheck 'Add default route'. I don't know of any particular problems with PPTP in 5.26 (but on the other hand I don't use it myself), but a potential problem could be MTU, try loverin...
by psamsig
Wed Oct 01, 2014 11:36 pm
Forum: Scripting
Topic: i don't know what probelm in my interface script
Replies: 4
Views: 1698

Re: i don't know what probelm in my interface script

Static or dynamic interfaces?
by psamsig
Wed Oct 01, 2014 11:14 pm
Forum: General
Topic: this simple mark packet and routing wont work
Replies: 5
Views: 1801

Re: this simple mark packet and routing wont work

This may help you in the right direction: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark \ in-interface=telkom1 new-connection-mark=telkom1 \ passthrough=no add action=mark-routing chain=output connection-mark=telkom1 \ new-routing-mark=route1 passthrough=no ...
by psamsig
Tue Sep 30, 2014 11:51 pm
Forum: General
Topic: this simple mark packet and routing wont work
Replies: 5
Views: 1801

Re: this simple mark packet and routing wont work

You need to use connection-marks instead of packet-marks, it is the outgoing packet (as part of a connection) you wanna mark for routing.
by psamsig
Tue Sep 30, 2014 11:38 pm
Forum: Scripting
Topic: i don't know what probelm in my interface script
Replies: 4
Views: 1698

Re: i don't know what probelm in my interface script

I have no idea what you try to do when $tx < $fconetent, but here goes: /interface { :local tx :local fname :foreach s in=[find] do={ :set tx [get $s tx-byte] :set tx ($tx / 1048576) :set fname [get $s name] :set fname ("Mostafa_".$fname.".txt") /file { :local f [find name=$fname...
by psamsig
Tue Sep 30, 2014 10:27 pm
Forum: Beginner Basics
Topic: VPN routing issue !
Replies: 5
Views: 1922

Re: VPN routing issue !

What about default-route=yes on the pptp-client?
by psamsig
Fri Sep 26, 2014 8:52 pm
Forum: Scripting
Topic: Script to limit according to number of packets
Replies: 7
Views: 2597

Re: Script to limit according to number of packets

Use comments and filter with that:
[find comment="ThisOne"]
or combine:
[find target-addresses~"^192\\.168\\.1\\." comment="ThisOne"]
of course you can use name as well:
[find name~"contain this text"]
by psamsig
Fri Sep 26, 2014 5:23 pm
Forum: Scripting
Topic: bgp peer switch script
Replies: 8
Views: 3734

Re: bgp peer switch script

I have no experience with BGP, but here is a go: /routing bgp peer { :local priPeerState [get [:pick [find name="Primary"] 0] state] :local secPeer [:pick [find name="Secondary"] 0] :local secPeerDisabled [get $secPeer disabled] :if ($priPeerState != "established") do={...
by psamsig
Fri Sep 26, 2014 8:56 am
Forum: Scripting
Topic: Script to limit according to number of packets
Replies: 7
Views: 2597

Re: Script to limit according to number of packets

~ is regex, so escape accordingly:
[find target-addresses~"^192\\.168\\.1\\."]
Also be aware that syntax has changed for RouterOS 6 (at least in 6.19):
[find target~"^192\\.168\\.1\\."]
by psamsig
Thu Sep 25, 2014 9:23 pm
Forum: Scripting
Topic: help with address-list script please
Replies: 2
Views: 1588

Re: help with address-list script please

/ip firewall address-list {
    :foreach i in=[find list=blocked] do={
        :log info [get $i address]
    }
}
by psamsig
Thu Sep 25, 2014 9:17 pm
Forum: Scripting
Topic: Scripting Sum Count of bytes Out
Replies: 3
Views: 2752

Re: Scripting Sum Count of bytes Out

/ip hotspot user {
    :local gigabyte 0
    :foreach i in=[find] do={
        :set gigabyte ($gigabyte + [get $i bytes-out])
    }
    :put $gigabyte
}
by psamsig
Thu Sep 25, 2014 9:59 am
Forum: General
Topic: IPSec Tunnel Configuration
Replies: 9
Views: 2860

Re: IPSec Tunnel Configuration

You need a NAT accept rule to pass through the LAN to LAN traffic, so it doesn't get masqueraded. Router 1: /ip firewall nat add place-before=0 action=accept chain=srcnat disabled=no dst-address=192.168.0.0/24 Router 2: /ip firewall nat add place-before=0 action=accept chain=srcnat disabled=no dst-a...
by psamsig
Thu Sep 25, 2014 9:16 am
Forum: Scripting
Topic: Script Output Works Manually But Not Automatically?
Replies: 3
Views: 1561

Re: Script Output Works Manually But Not Automatically?

You can not use item numbers in scripts (i.e. get 5). If the interface you want to monitor is called 'thisOne' you should change this: :global txdata [/interface get [find name="thisOne"] tx-byte]; :global rxdata [/interface get [find name="thisOne"] rx-byte]; Unless this scrip...
by psamsig
Tue Sep 16, 2014 10:33 pm
Forum: Scripting
Topic: Bandwidth-test in a script
Replies: 8
Views: 11740

Re: Bandwidth-test in a script

I know this is an old thread, but since it was never answered and it is the first hit when you look for one, I'll post my own findings: /tool { :local txAvg 0 :local rxAvg 0 bandwidth-test 1.2.3.4 duration=20s direction=both user=BTestClient password=******** do={ :if ($txAvg < $"tx-10-second-av...
by psamsig
Tue Sep 16, 2014 12:22 am
Forum: Scripting
Topic: Join two scripts on only one
Replies: 6
Views: 2264

Re: Join two scripts on only one

Then what about this then: /ppp active { :foreach i in=[find name=bill] do={ :foreach ip in=[get $i address] do={ /ip firewall address-list { :local o [find list=clients comment=bill] :if ([:len $o] = 0) do={ add list=clients comment=bill disabled=no address=$ip } else={ :if ([get $o address] != $ip...
by psamsig
Mon Sep 15, 2014 11:13 pm
Forum: Scripting
Topic: Join two scripts on only one
Replies: 6
Views: 2264

Re: Join two scripts on only one

The one I posted finds all ppp connections by 'bill' and it adds the IP address of these to an address-list named 'clients' with the comment 'bill' in case they don't already exist, and logs a message in case they do. I don't get your third case. Is it to remove entries from the address-list of ppp co...
by psamsig
Sun Sep 14, 2014 2:28 pm
Forum: Scripting
Topic: Need help with script to make simple queue for dhcp entries
Replies: 10
Views: 8251

Re: Need help with script to make simple queue for dhcp entr

A slightly more efficient version: /ip dhcp-server lease { :foreach i in=[find] do={ :local leasedIp [get $i address] /queue simple { :if ([:len [find target=("$leasedIp/32")]] = 0) do={ add name=$leasedIp target=$leasedIp max-limit=1000000/2000000 } } } } Since you are at 6.x, there is a ...
by psamsig
Sat Sep 13, 2014 12:48 am
Forum: Scripting
Topic: Join two scripts on only one
Replies: 6
Views: 2264

Re: Join two scripts on only one

Not quite clear to me what you try to achieve, but here is a go: /ppp active { :foreach i in=[find name=bill] do={ :foreach ip in=[get $i address] do={ /ip firewall address-list { :if ([:len [find address=$ip comment~"bill"]] > 0) do={ :log info ($ip . " already exists in address-list&...
by psamsig
Tue Sep 09, 2014 11:25 pm
Forum: Scripting
Topic: Problem with scripts executing from scheduler - global vars
Replies: 5
Views: 2170

Re: Problem with scripts executing from scheduler - global v

You have one curly bracket too many, remove it and it should work.

Change:
           :log info "Unotelly: Updated with IP $currentIP"
       }
   }  else={
to:
           :log info "Unotelly: Updated with IP $currentIP"
   }  else={
by psamsig
Sat Sep 06, 2014 11:22 am
Forum: General
Topic: Redirect dns lookup of .local domain to a single DNS server
Replies: 7
Views: 5658

Re: Redirect dns lookup of .local domain to a single DNS ser

Well you are right that you can get false positive matches, but not with something like www.localtaxi.com, only with something like local.com or www.local.com (the \x05 part makes sure of that). I have tried a few ways to enhance it, and this filter even them out: /ip firewall layer7-protocol add name=&...
by psamsig
Sat Sep 06, 2014 3:16 am
Forum: Scripting
Topic: running script problem
Replies: 2
Views: 1161

Re: running script problem

Haven't tested the following, had no router with user-manager at hand. /tool user-manager user { :local p [find actual-profile="200MBN" || actual-profile="500MBN" || actual-profile="1GBN"]; :if ([:len $p] > 0) do={ enable $p; /log info "night user enabled successfu...
by psamsig
Sat Sep 06, 2014 2:56 am
Forum: General
Topic: Redirect dns lookup of .local domain to a single DNS server
Replies: 7
Views: 5658

Re: Redirect dns lookup of .local domain to a single DNS ser

Sure it is. Something like this should do the work. Requests come in on 'ether1' aimed for the router and all requests for *.local will be redirected to 1.1.1.1 /ip firewall layer7-protocol add name="DNS .local" regexp="\\x05local" /ip firewall mangle add chain=prerouting protoc...
by psamsig
Sun Aug 24, 2014 12:07 am
Forum: Scripting
Topic: Uptime script
Replies: 8
Views: 8234

Re: Uptime script

What was wrong with
:delay 1h
by psamsig
Mon Aug 18, 2014 11:08 pm
Forum: Beginner Basics
Topic: Users AAA Radius NPS Windows Server 2008
Replies: 7
Views: 5705

Re: Users AAA Radius NPS Windows Server 2008

I have it working too. Did you remember to change your AD to allow passwords to be stored using reversible encryption?

EDIT: AND changed your password afterwards.
by psamsig
Mon Aug 18, 2014 11:00 pm
Forum: General
Topic: IPSec traffic from within the router cli
Replies: 3
Views: 1030

Re: IPSec traffic from within the router cli

Add a static route as suggested, but don't add a gateway address, specify the interface that covers the policies src-address as gateway.
by psamsig
Mon Aug 11, 2014 12:25 am
Forum: Scripting
Topic: [6.17][script error]monitor-traffic
Replies: 9
Views: 3009

Re: [6.17][script error]monitor-traffic

Try this one on 6.18 (won't work on versions < 6.x)
:foreach reci in=[/ppp active find] do={
    :do {
        /interface monitor-traffic $reci once do={
            :log warning $reci
        }
    } on-error={
        :log warning ($reci . " disappeared")
    }
}
by psamsig
Thu Aug 07, 2014 11:00 pm
Forum: Scripting
Topic: [6.17][script error]monitor-traffic
Replies: 9
Views: 3009

Re: [6.17][script error]monitor-traffic

Something has changed that I can't put my finger on, but if you run your original script on earlier versions, the output looks very different and it takes forever to complete. If you make one little adjustment, it seems to run equally well. My guess is that the different behavior gives at PPP connec...
by psamsig
Tue Aug 05, 2014 8:52 am
Forum: Scripting
Topic: Help with script to find / in identity and replace with -
Replies: 3
Views: 2836

Re: Help with script to find / in identity and replace with

/system identity { :local orgIdentity [get name] :local newIdentity :for i from=0 to=([:len $orgIdentity] -1) do={ :if ([:pick $orgIdentity $i] = "/") do={ :set newIdentity "$newIdentity-" } else={ :set newIdentity ($newIdentity . [:pick $orgIdentity $i]) } } :if ($orgIdentity !...
by psamsig
Mon Aug 04, 2014 5:26 pm
Forum: Beginner Basics
Topic: About scripts scheduler
Replies: 4
Views: 1403

Re: About scripts scheduler

As long as you don't run it shortly before midnight, this should work:
start-time=([/system clock get time] + 00:00:02)
by psamsig
Fri Aug 01, 2014 12:10 am
Forum: Scripting
Topic: Unique Global Variables
Replies: 9
Views: 3209

Re: Unique Global Variables

If the variables are only used within a script, they should be declared local and not global.
by psamsig
Mon Jul 28, 2014 2:39 pm
Forum: General
Topic: Multicast between two IPSec connected networks
Replies: 0
Views: 1033

Multicast between two IPSec connected networks

I have a program that uses multicast to address 231.0.0.1 to inform other instances of the same program on other machines in the network of certain events. Now I have a situation where the program is running in two different networks (let's call them 192.168.0.0/24 and 192.168.1.0/24), connected thr...
by psamsig
Fri Jan 03, 2014 10:44 am
Forum: General
Topic: How to detect if master port in a switch is connected or not
Replies: 3
Views: 1604

Re: How to detect if master port in a switch is connected or

I still haven't found a solution.
by psamsig
Fri Jun 07, 2013 2:41 pm
Forum: Scripting
Topic: Handling expected errors?
Replies: 17
Views: 14644

Re: Handling expected errors?

With fewer exemptions worth mentioning, never ever assume any entry numbers, they are more often than not, non-sequential.
by psamsig
Thu Feb 14, 2013 10:34 am
Forum: Forwarding Protocols
Topic: MikrotTik NAT doesn't masquerade some packets
Replies: 3
Views: 1950

Re: MikrotTik NAT doesn't masquerade some packets

The reason I answered was that I have just recently seen something quite similar, when tracking problems with an HTTP based webservice, and in my case I got rid of it (without really understanding the root cause) by changing the HTTP session from 'Connection: Keep-Alive' to 'Connection: Close'. I wro...
by psamsig
Wed Feb 13, 2013 11:26 pm
Forum: Forwarding Protocols
Topic: MikrotTik NAT doesn't masquerade some packets
Replies: 3
Views: 1950

Re: MikrotTik NAT doesn't masquerade some packets

My guess would be that the connection has timed out in the connection-tracking (IP -> Firewall -> Connections push 'Tracking') that handles NAT, there are quite a number of timeout settings in there to play with, but so far I haven't really found any good description of what and why (and why not) to ...
by psamsig
Thu Jan 03, 2013 8:43 am
Forum: General
Topic: IPSEC tunnel issues - SAs need flushing from time to time
Replies: 23
Views: 9306

Re: IPSEC tunnel issues - SAs need flushing from time to tim

One thing to try was not having 'Send initial contact: Yes' in both ends.
by psamsig
Wed Dec 12, 2012 11:29 pm
Forum: Scripting
Topic: one script runs, one doesn't IPSEC Policy GET
Replies: 3
Views: 1674

Re: one script runs, one doesn't IPSEC Policy GET

Never use numbers unless you are in the console, and have them from a print, in scripts you use [find <something>]. There are very few exceptions to this rule, and as you have seen yourself, it may work in one situation, but not necessarily in another, that's why you never use numbers in scripts. Ther...
by psamsig
Tue Dec 04, 2012 8:49 pm
Forum: General
Topic: IPsec failure: The policy is invalid!
Replies: 3
Views: 1182

Re: IPsec failure: The policy is invalid!

It must be conflicting with another policy, on its own it seems ok.
by psamsig
Sun Dec 02, 2012 10:38 am
Forum: Scripting
Topic: Remove Dynamic Invalid Address
Replies: 4
Views: 6838

Re: Remove Dynamic Invalid Address

If DI is your requirement, then this should work:
/ip address remove [find dynamic=yes invalid=yes]
by psamsig
Sat Dec 01, 2012 10:49 pm
Forum: Scripting
Topic: Script text runs on Terminal , but not from "run script"
Replies: 2
Views: 2265

Re: Script text runs on Terminal , but not from "run script"

Try this:
:global sysmanping
:if ($sysmanping=0) do={ :log info "test ok" }
by psamsig
Fri Nov 30, 2012 12:16 pm
Forum: General
Topic: How to detect if master port in a switch is connected or not
Replies: 3
Views: 1604

How to detect if master port in a switch is connected or not

As soon as at least one slave is connected, the master port gets a running state and 'link-ok' status, rate will be '10Mbps' and full-duplex will be 'no'. I am trying to make a script to find possibly misconfigured ports/switches (mostly half-duplex), but the master port gives me false positives, w...
by psamsig
Thu Nov 29, 2012 12:04 am
Forum: General
Topic: IPSec cannot reach router from router
Replies: 4
Views: 1311

Re: IPSec cannot reach router from router

Wrong interface, in your case use eth02.LAN
by psamsig
Wed Nov 28, 2012 9:08 pm
Forum: General
Topic: IPSec cannot reach router from router
Replies: 4
Views: 1311

Re: IPSec cannot reach router from router

Add a static route on each router, you don't need a specific gateway, just the desired interface.
by psamsig
Thu Nov 08, 2012 7:47 am
Forum: General
Topic: Scripts skiping lines!
Replies: 5
Views: 2304

Re: Scripts skiping lines!

It is considered bad practice to use index numbers in scripts, use some kind of [find=..] instead. But if I understand you correctly, then one of the failing lines, in both cases, is the one with ipsec, and that doesn't make sense, apart from reading something about a problem with a [find] on its own, I don...
by psamsig
Wed Nov 07, 2012 12:23 pm
Forum: General
Topic: IPsec VPN keeps disconnecting
Replies: 14
Views: 13388

Re: IPsec VPN keeps disconnecting

From the thread it seems to be related to DPD, and cases where the Cisco end drops a SA, but the MT router doesn't try to negotiate a new one. Try lowering your DPD, both interval and failures (dpd-interval=2m dpd-maximum-failures=5), start with 20s/1. You could also ask somebody in Cisco-land, if it really ...
by psamsig
Tue Nov 06, 2012 9:04 pm
Forum: General
Topic: IPsec VPN keeps disconnecting
Replies: 14
Views: 13388

Re: IPsec VPN keeps disconnecting

Did you happen to read the answer on same question?

http://forum.mikrotik.com/viewtopic.php ... 34#p340974
by psamsig
Sat Nov 03, 2012 12:11 pm
Forum: General
Topic: Disconnected IPSEC peer problem
Replies: 4
Views: 4371

Re: Disconnected IPSEC peer problem

I have never seen an IPSec router that didn't have its quirks, especially when connecting to other brands, and RouterOS isn't an exception, but on the other hand I have hundreds of tunnels running rock steady, with a RB at least in one end. Post complete IPSec configuration, both ends, you have to ru...
by psamsig
Fri Nov 02, 2012 10:30 pm
Forum: General
Topic: IPsec VPN keeps disconnecting
Replies: 14
Views: 13388

Re: IPsec VPN keeps disconnecting

@Jacka: Post your configuration (peer, policy and proposal). What equipment is in the main office? Are lifetimes/lifebytes equal on both ends? Are you using DPD? Do you use Netwatch to keep traffic running?
by psamsig
Wed Oct 17, 2012 11:42 pm
Forum: General
Topic: IPSec vpn won't work unless subnet routed to local bridge
Replies: 10
Views: 6519

Re: IPSec vpn won't work unless subnet routed to local bridg

You only need the route if you want/need the router itself to send traffic through the tunnel (like Netwatch). To be honest it was a surprise to me too, and also to others if you search the forum, but it is just how RouterOS works. You get a SA for each direction, so two is normal (with swapped src/dst).
by psamsig
Sat Oct 13, 2012 2:51 pm
Forum: Scripting
Topic: time server resolving script, help please!
Replies: 2
Views: 1555

Re: time server resolving script, help please!

In other words, you missed the $ in front of the variables. But since we are in the process of rewriting the original, here is how I would have put it: /ip firewall address-list { :local resolvedIP [:resolve time.windows.com] :local o [find comment=time.windows.com] :if ($resolvedIP != [get $o addre...
by psamsig
Sat Sep 08, 2012 1:53 pm
Forum: Scripting
Topic: Triggering script from a firewall rule
Replies: 4
Views: 7832

Re: Triggering script from a firewall rule

Make the firewall rule that adds to an address list, schedule a script to run ever so often and check if something has been added to that list, if that's the case, then remove entry (entries) and do your thing.
by psamsig
Sat Aug 25, 2012 10:13 am
Forum: Beginner Basics
Topic: difference between routeros??
Replies: 2
Views: 1152

Re: difference between routeros??

There is a difference, but only in the CPU class, 'Device' just helps you pick the right one. At the moment there are four different CPUs (mipsbe, mipsle, powerpc, x86), and one more seems to be on its way.
by psamsig
Fri Aug 24, 2012 10:47 pm
Forum: General
Topic: clearing firewall address list
Replies: 2
Views: 910

Re: clearing firewall address list

/ip firewall address-list remove [find name="name_of_addresslist"] 
by psamsig
Fri Aug 24, 2012 10:41 pm
Forum: Scripting
Topic: Script to disable, wait some seconds and enable an interface
Replies: 5
Views: 28186

Re: Script to disable, wait some seconds and enable an inter

Try give this a spin: /system script add name="Restart ether0" \ source=":global runningRestartEther0\r\ \n:if ([:len \$runningRestartEther0] = 0 || \$runningRestartEther0 = 0) do\ ={\r\ \n /interface {\r\ \n :set runningRestartEther0 1\r\ \n :local o [find name=\"ether0\"]\...
by psamsig
Thu Aug 23, 2012 6:21 am
Forum: General
Topic: sonicwall ipsec multiple subnets
Replies: 2
Views: 1306

Re: sonicwall ipsec multiple subnets

Try setting the policies' level to 'unique' instead of 'require'
by psamsig
Sat Aug 18, 2012 7:02 pm
Forum: General
Topic: Script for disabling wlan
Replies: 7
Views: 2080

Re: Script for disabling wlan

Well, I was too lazy to test it, this is tested and should work: /interface { :local arps [:len [/ip arp find interface=ether1]] :local wlan [find name=wlan1] :local inact [get $wlan disabled] :if ($inact = true && $arps > 0) do={ set $wlan disabled=no } else={ :if ($inact = false && ...
by psamsig
Sat Aug 18, 2012 2:24 pm
Forum: General
Topic: VPN Issue
Replies: 5
Views: 1551

Re: VPN Issue

According to http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP : At this point (when pptp client is successfully connected) if you will try to ping any workstation from the laptop, ping will time out, because Laptop is unable to get ARPs from workstations. Solution is to set up proxy-arp on local ...
by psamsig
Sat Aug 18, 2012 2:13 pm
Forum: General
Topic: Script for disabling wlan
Replies: 7
Views: 2080

Re: Script for disabling wlan

Here is something that may get you going, I would suggest it being scheduled to run every 5-10 seconds. /interface { :local arps [:len [/ip arp find interface=ether1]] :local wlan [find name=wlan1] :local state [get $wlan disabled] :if ($state = true && aprs > 0) do={ set $wlan disabled=false...
by psamsig
Fri Aug 10, 2012 7:02 am
Forum: General
Topic: PPTP forward port not working
Replies: 7
Views: 10196

Re: PPTP forward port not working

There is no need for making a NAT rule for GRE, the PPTP helper takes care of that, and as long as you use standard port 1723, the helper will kick in automatically. I just tested a similar scenario, with a MikroTik router acting as PPTP server behind yet a MikroTik router with the NAT rule, and with a ...
by psamsig
Fri Aug 10, 2012 12:38 am
Forum: Beginner Basics
Topic: Pingable Static route unreachable. I'm baffled.
Replies: 8
Views: 11421

Re: Pingable Static route unreachable. I'm baffled.

6 ADC 255.255.255.224/32 10.34.17.44 4_RMC 0
The IP address for this interface 4_RMC is configured wrong, someone put a netmask (and that is almost never used in RouterOS) as network. This is how it is now:
/ip address add address=10.34.17.32/32 interface=4_RMC network=255.255.255.224
this is how it...
by psamsig
Thu Aug 09, 2012 10:27 pm
Forum: Scripting
Topic: Reading internal menu ID
Replies: 6
Views: 2266

Re: Reading internal menu ID

These all do the same:
/ppp active remove [find name="main-2"]
{
    :local cpename "main-2";
    /ppp active remove [find name=$cpename]
}
{
    :local cpename "main-2";
    :local o [/ppp active find name=$cpename]
    /ppp active remove $o
}
/ppp active { :local cpename "main-2"; :l...
by psamsig
Thu Aug 09, 2012 11:05 am
Forum: Scripting
Topic: Reading internal menu ID
Replies: 6
Views: 2266

Re: Reading internal menu ID

Ah, I missed the problem
:local ifstr [/interface get [find name=$ifname]];
should be
:local ifstr [/interface find name=$ifname];
by psamsig
Wed Aug 08, 2012 9:39 pm
Forum: Scripting
Topic: Copy current synchronized time/date to flash
Replies: 9
Views: 2729

Re: Copy current synchronized time/date to flash

How very odd, the NTP package changes the default bootup date, so the second script should be changed to the following: /ip dns static { :local o [find name=clock.localhost] :if ([:len $o] > 0) do={ :local datetime [get [:pick $o 0] comment] /system clock { :if ([:len $datetime] > 0 and [:pick [get ...
by psamsig
Wed Aug 08, 2012 9:13 pm
Forum: Scripting
Topic: Reading internal menu ID
Replies: 6
Views: 2266

Re: Reading internal menu ID

$ifstr will contain an array of ids, $idstr will hold the first entry of these. They can be used either way:
/interface set $ifstr disabled=yes
/interface set $idstr disabled=yes
or
/interface remove $ifstr
/interface remove $idstr
In your current example it will be the same (since there at most can b...
by psamsig
Tue Aug 07, 2012 2:31 pm
Forum: General
Topic: IPSec VPN to Cisco 1841 help
Replies: 5
Views: 4366

Re: IPSec VPN to Cisco 1841 help

The most common problem (in the MikroTik end) would be the lack of an exception in /ip firewall nat to accept the VPN traffic before it hits the general masquerading rule. For the configuration in the posted example it would be something like this: /ip firewall nat add place-before=0 action=accept ch...
by psamsig
Tue Aug 07, 2012 2:13 pm
Forum: Scripting
Topic: remove script on the basis of comparison
Replies: 5
Views: 1785

Re: remove script on the basis of comparison

works fine, thank you so much.
That's what karma is for :)
by psamsig
Tue Aug 07, 2012 2:10 pm
Forum: General
Topic: how to make routerboard 433 restart itself every 30 days
Replies: 4
Views: 1446

Re: how to make routerboard 433 restart itself every 30 days

4w2d is how 30d 00:00:00 got exported, and if you need it to be every 5th day, then just write 5d
by psamsig
Tue Aug 07, 2012 1:59 pm
Forum: Scripting
Topic: remove script on the basis of comparison
Replies: 5
Views: 1785

Re: remove script on the basis of comparison

Try this, at least I got this working on 5.18, I don't have access to a 3.30:
/ip proxy access remove [find src-address="192.168.3.1" dst-host="domena"]
by psamsig
Tue Aug 07, 2012 1:49 pm
Forum: General
Topic: how to make routerboard 433 restart itself every 30 days
Replies: 4
Views: 1446

Re: how to make routerboard 433 restart itself every 30 days

/system script add name=Reboot source="/system reboot"

/system scheduler add name=Reboot on-event=Reboot start-date=aug/07/2012 start-time=05:00:00 interval=4w2d
by psamsig
Tue Aug 07, 2012 1:28 pm
Forum: Scripting
Topic: remove script on the basis of comparison
Replies: 5
Views: 1785

Re: remove script on the basis of comparison

/ip proxy access remove [find src-address=192.168.3.1 dst-host=domena]
by psamsig
Mon Aug 06, 2012 11:33 pm
Forum: General
Topic: netwatch failover assistance
Replies: 2
Views: 3042

Re: netwatch failover assistance

In the script that switches ISP put this: /ip firewall connection remove [find protocol="udp"], it will remove any NATed udp 'connections'. P.S. In case you use ROS 5.12+ then try a /export compact instead next time. P.P.S. It is a bad idea to put commands/script code directly in a netwa...
by psamsig
Mon Aug 06, 2012 10:06 pm
Forum: Scripting
Topic: Copy current synchronized time/date to flash
Replies: 9
Views: 2729

Re: Copy current synchronized time/date to flash

Or maybe MT could stop graphs from being updated until NTP is synchronised.
+1 Quite a few things should get postponed until NTP is synchronised, e.g. I have often noticed that an IPSec VPN gets established before a response from NTP kicks in, so the tunnel has to get recreated after just a few sec...
by psamsig
Mon Aug 06, 2012 8:24 pm
Forum: Scripting
Topic: Copy current synchronized time/date to flash
Replies: 9
Views: 2729

Re: Copy current synchronized time/date to flash

Create this as a script and run it with a scheduler. This may be hard on the NAND, so schedule accordingly, but frequency will be the 'precision' of the saved clock.
/ip dns static {
    :local o [find name=clock.localhost]
    :local datetime
    /system clock {
        :set datetime ([get date] . " " . [get...
by psamsig
Mon Aug 06, 2012 7:39 pm
Forum: Scripting
Topic: Scripting Virtual Interfaces
Replies: 3
Views: 1391

Re: Scripting Virtual Interfaces

Many thanks !!!
That's what karma is for :)
by psamsig
Mon Aug 06, 2012 12:56 pm
Forum: Scripting
Topic: Scripting Virtual Interfaces
Replies: 3
Views: 1391

Re: Scripting Virtual Interfaces

 /interface wireless set [find interface-type="virtual-AP"] default-authentication=no hide-ssid=yes
by psamsig
Mon Aug 06, 2012 12:41 pm
Forum: General
Topic: email not working in 5.19
Replies: 10
Views: 2797

Re: email not working in 5.19

I have had my fair share of e-mail problems, but it always comes down to misconfiguration (firewall in either end, spamfilter frontend and so on), never RouterOS. And as mentioned already, I have 5.19 sending mails like a charm.
by psamsig
Mon Aug 06, 2012 1:23 am
Forum: General
Topic: email not working in 5.19
Replies: 10
Views: 2797

Re: email not working in 5.19

Works fine for me. You did notice that parameters changed a bit between 4.11 and 5.19 right?
by psamsig
Fri Aug 03, 2012 11:17 pm
Forum: General
Topic: IPSec VPN hardware encryption performance-cant get 820Mbps
Replies: 5
Views: 2409

Re: IPSec VPN hardware encryption performance-cant get 820Mb

Out of curiosity, and in case you still have the test setup running, how does it perform with MD5 instead of SHA1?

On earlier occasions, tests have shown that RouterOS gets surprisingly high differences between MD5 and SHA1 (not so surprisingly in the favor of MD5)
by psamsig
Wed Aug 01, 2012 1:24 am
Forum: General
Topic: Autoupgrade Winbox issue
Replies: 2
Views: 1062

Re: Autoupgrade Winbox issue

Works for me with a user belonging to a group with only ftp, winbox and read
by psamsig
Mon Jul 30, 2012 11:36 pm
Forum: General
Topic: IPSec too many connections at once
Replies: 8
Views: 2052

Re: IPSec too many connections at once

I still urge you to write to MikroTik support, don't expect them to pick up from the forum. The problem with all tunnels being renegotiated when adding/removing peers I can't remember seeing myself, and reports about it are old (2+ years). I even tried on a 5.18 box with 449 enabled peers and current...
by psamsig
Mon Jul 30, 2012 4:45 pm
Forum: General
Topic: IPSec too many connections at once
Replies: 8
Views: 2052

Re: IPSec too many connections at once

Apart from that the box should handle this by itself, this may be a workaround:
/ip firewall filter
add action=jump chain=input dst-port=500 jump-target="IPSec sluice" protocol=\
    udp
add chain="IPSec sluice" dst-limit=1,5,src-address
add action=drop chain="IPSec sluice&quo...
by psamsig
Fri Jul 27, 2012 2:03 pm
Forum: General
Topic: IPSec too many connections at once
Replies: 8
Views: 2052

Re: IPSec too many connections at once

I would contact support. 250 tunnels on a RB1100AHx2 doesn't sound unreasonable.

I'm no queue expert, but I wonder if limiting traffic to UDP/500 would be a (short term) solution, but you need someone else to help you there.
by psamsig
Fri Jul 27, 2012 1:06 am
Forum: General
Topic: IPSec too many connections at once
Replies: 8
Views: 2052

Re: IPSec too many connections at once

What version of ROS? Although not documented, it seems some work has been done on later versions, I am currently on 5.18. Have you turned on ipsec logging (e.g. /system logging add topics=ipsec ...)? I used to, but in 5.x it has become extremely verbose, so I use topics=ipsec,!debug now. What DH-grou...
by psamsig
Thu Jul 26, 2012 10:03 pm
Forum: General
Topic: IPSec too many connections at once
Replies: 8
Views: 2052

Re: IPSec too many connections at once

Do you have 'Send Initial Contact' enabled on all the peers in the RB1100AHx2?
by psamsig
Fri Jul 20, 2012 9:47 am
Forum: Wireless Networking
Topic: Advance wireless channel...
Replies: 14
Views: 4969

Re: Advance wireless channel...

by psamsig
Mon Jul 02, 2012 9:24 pm
Forum: General
Topic: Two IPSec tunnels from the same network
Replies: 6
Views: 2093

Re: Two IPSec tunnels from the same network

10.20.0.32/28 is covered by 10.20.0.0/24, so if you haven't added a priority, the first one created wins.
by psamsig
Sun Jul 01, 2012 1:04 pm
Forum: Scripting
Topic: Running script on startup with interval
Replies: 6
Views: 6914

Re: Running script on startup with interval

Make a new scheduler that runs this script at startup:
/system scheduler {
    :local o [find name="Job to be run at startup and every 24h after that"]
    :if ([get $o disabled] = no) do={
        set $o disabled=yes
    }
    :local today
    :do {
        :delay 3
        :set today [/system clock get date]
    } while=([:pick $today ...
by psamsig
Sun Jul 01, 2012 10:39 am
Forum: Scripting
Topic: Checking for something before adding it
Replies: 3
Views: 1467

Re: Checking for something before adding it

/ip hotspot walled-garden {
    :local gardenList (\
        "www.wifiportal.co.uk"\
        , "www.candengo.co.uk"\
        , "www.apple.com"\
        , "www.paypal.com"\
        , "www.paypalobjects.com"\
        , "paypal.112.2O7.net"\
        , "*.paypal.com"\
        , "*.paypalobjects....
by psamsig
Sun Jun 24, 2012 2:36 pm
Forum: General
Topic: Mikrotik and QNO IPSec VPN is unstable
Replies: 3
Views: 1799

Re: Mikrotik and QNO IPSec VPN is unstable

100+ tunnels should be no problem on that box. I have experience with QNO, but here is what I would play around with in your situation.
You have different phase 2 timeouts (3600 seconds is not 30 minutes)
Don't set 'Send initial Contact' (I only set it in the 'client' end)
Don't set 'NAT Traversal' ...
by psamsig
Fri Apr 20, 2012 5:03 pm
Forum: Scripting
Topic: Script to update IPSec Peer Address
Replies: 5
Views: 2335

Re: Script to update IPSec Peer Address

/32 IS a single IP address. It may be that WinBox allows you to enter a single IP, but if you try to enter a terminal and do an export of your IPSec peer configuration, you will see that the script language uses (and requires) the net address notation.
by psamsig
Thu Apr 19, 2012 11:44 pm
Forum: Scripting
Topic: Script to update IPSec Peer Address
Replies: 5
Views: 2335

Re: Script to update IPSec Peer Address

Because it expects not an IP address but a net address. So address=10.0.0.1/32 should do the trick.
by psamsig
Sun Dec 25, 2011 2:47 am
Forum: Scripting
Topic: Using the find command in a script
Replies: 2
Views: 2375

Re: Using the find command in a script

:local xName "total"
:if ([:len [/queue simple find name=$xName]] = 1) do={
    :put "found"
}
or if you need the index of the queue
/queue simple {
    :local i [find name=$xName]
    :if ([:len $i] = 1) do={
        :put "found @$i"
    }
}
by psamsig
Mon Dec 05, 2011 10:52 am
Forum: Scripting
Topic: Possible bug with global variables
Replies: 26
Views: 9600

Re: Possible bug with global variables

My script is called from different places, scheduler and netwatch.
And all you have to do is make a script that contains all you otherwise would have in NetWatch and call that script instead.
but this workaround isn't solution in my case.
Did you try?
by psamsig
Mon Dec 05, 2011 8:39 am
Forum: Scripting
Topic: Possible bug with global variables
Replies: 26
Views: 9600

Re: Possible bug with global variables

I have had the same problem, I solved it by moving the up-/down-script lines to two named scripts and call them instead:
/tool netwatch
add comment="" disabled=no down-script="Netwatch VPN down" host=10.0.11.1 interval=1m timeout=1s up-script=\
    "Netwatch VPN up"
by psamsig
Sat Dec 03, 2011 7:48 pm
Forum: General
Topic: restarting the ipsec tunnel
Replies: 5
Views: 12271

Re: restarting the ipsec tunnel

Use netwatch to trigger a tunnel: http://forum.mikrotik.com/viewtopic.php?f=2&t=49016
by psamsig
Sat Dec 03, 2011 7:43 pm
Forum: Scripting
Topic: A script to calculate Average CPU Load
Replies: 19
Views: 19046

Re: A script to calculate Average CPU Load

You don't need any logging for it to do its main purpose, rebooting on high load, you can even remove all lines starting with ':log'
by psamsig
Fri Nov 11, 2011 10:50 pm
Forum: Scripting
Topic: I need a script - please help
Replies: 5
Views: 1669

Re: I need a script - please help

/ip firewall address-list remove [find]
is all it takes to clear address-list
by psamsig
Tue Oct 04, 2011 11:45 pm
Forum: Scripting
Topic: Scripting help
Replies: 3
Views: 1278

Re: Scripting help

flood-ping has the following values: sent, received, "min-rtt", "avg-rtt" and "max-rtt"
:local maxRtt; /tool flood-ping 1.1.1.1 count=10 do={:if ($sent = 10) do={:set maxRtt $"max-rtt"}}; :put $maxRtt;
by psamsig
Sat Sep 03, 2011 12:03 pm
Forum: Scripting
Topic: Handling expected errors?
Replies: 17
Views: 14644

Re: Handling expected errors?

It is really silly to have it break a script, and if that wasn't enough, these breaks lead to memory leaks. So it is quite absurd that this hasn't been dealt with yet, I recently found a post here on the forum that some kind of try/catch was being considered, but that was two years ago, so I wouldn'...
by psamsig
Tue Aug 30, 2011 8:37 pm
Forum: Scripting
Topic: Logic assistance with script
Replies: 2
Views: 1208

Re: Logic assistance with script

This should make a pretty good start, save as a script and schedule it as frequently as you wish, it prevents multiple concurrent runs by itself (RouterOS won't)
:global scriptRunning
:if ([:len $scriptRunning] = 0) do={
    :set scriptRunning "1"
    :local staticIP "10.0.0.1"
    :local infN...
by psamsig
Sat Aug 27, 2011 12:47 am
Forum: Scripting
Topic: What is the problem with my script?
Replies: 2
Views: 1274

Re: What is the problem with my script?

'/log find' not '/log print', remember a '\' with all '?' in strings.
:global lastTime;
:local currentBuf [/log find buffer=VPN];
:if ([:len $currentBuf] != 0) do={
    :local currentLineCount [:len $currentBuf];
    :local lastItem [:pick $currentBuf ($currentLineCount - 1)];
    :local currentTime [:totime [/...
by psamsig
Fri Jul 22, 2011 10:35 am
Forum: General
Topic: IPSEC performance MD5 vs SHA
Replies: 6
Views: 6647

Re: IPSEC performance MD5 vs SHA

Please see attached performance comparison of RB450 and RB450G using openssl test:
http://open-wrt.ru/forum/viewtopic.php?id=22323
That rules out 1) and 3) (slower but not terribly) and leaves '2) sha-1 hashing algorithm implementation used is badly optimized for mipsbe' ?
by psamsig
Wed Jun 15, 2011 8:15 am
Forum: Scripting
Topic: Basic scripting questions
Replies: 4
Views: 2814

Re: Basic scripting questions

:for i from=0 to=2 do={
    :if ($i < 2) do={
        :log info "True"
        :if ($i < 1) do={
            :log info "True 2"
        } else={
            :log info "Not True 2"
        }
    } else={
        :log info "Not True"
    }
}
works like a charm, only reason the original post should fail I can come up with, is the lackin...
by psamsig
Sun May 29, 2011 6:43 pm
Forum: General
Topic: Static gateway unreachable !
Replies: 13
Views: 18354

Re: Static gateway unreachable !

Not sure if last post was an indication that you fixed the problem, or that you didn't get my point, but in case of the latter:
by psamsig
Sun May 29, 2011 6:11 pm
Forum: General
Topic: Static gateway unreachable !
Replies: 13
Views: 18354

Re: Static gateway unreachable !

255.255.255.128 is the network mask, it is NOT what goes under network, here you should put 200.x.x.128.
by psamsig
Sun May 29, 2011 5:32 pm
Forum: General
Topic: Static gateway unreachable !
Replies: 13
Views: 18354

Re: Static gateway unreachable !

Post '/ip address' configuration, it seems like you have entered something wrong, on your screen dump you have a route for 255.255.255.128, that doesn't seem right!
by psamsig
Mon Apr 18, 2011 10:45 pm
Forum: Scripting
Topic: Ping randomly and Monitor the Latency Script...
Replies: 12
Views: 20439

Re: Ping randomly and Monitor the Latency Script...

Someone recently brought this little cutie to my attention:
{
    :local avgRtt;
    /tool flood-ping 1.1.1.1 count=10 do={
        :if ($sent = 10) do={
            :set avgRtt $"avg-rtt"
        }
    }
    :put $avgRtt;
}
you can get min (min-rtt), max (max-rtt) or average (used above) times, or even lost packets (received - sent)...
by psamsig
Sun Apr 17, 2011 9:43 am
Forum: Scripting
Topic: netwatch and multiple scripts
Replies: 1
Views: 1440

Re: netwatch and multiple scripts

/system script {run "script1"; run "script2"}
by psamsig
Mon Apr 04, 2011 11:45 pm
Forum: Scripting
Topic: Upgrade bios firmware in script
Replies: 6
Views: 8490

Re: Upgrade bios firmware in script

Try this, worked for me when I had the same problem:
/system script add name="Upgrade bootloader" source="/system routerboard upgrade"
and in your original script, substitute
/system routerboard upgrade
with
/system script run "Upgrade bootloader"
it was the only way I c...
by psamsig
Mon Apr 04, 2011 9:11 pm
Forum: General
Topic: IPSec disables local access to RouterOS
Replies: 4
Views: 1867

Re: IPSec disables local access to RouterOS

I haven't found the 'right' way to do this, and too have had several different brands of VPN routers that had no problem with a setup like that. On RouterOS I have solved it so far, by accessing the router through the external IP (from the inside net), of course that gets slightly complicated unless you...
by psamsig
Sun Mar 20, 2011 11:07 pm
Forum: RouterBOARD hardware
Topic: CPU Frequences on an 1100AH? ;)
Replies: 4
Views: 1689

Re: CPU Frequences on an 1100AH? ;)

Try
/system routerboard settings set memory-frequency=?
by psamsig
Sun Mar 20, 2011 1:16 am
Forum: General
Topic: A-ipsec-B-ipsec-C, with out VPN C access to A LAN?
Replies: 1
Views: 791

Re: A-ipsec-B-ipsec-C, with out VPN C access to A LAN?

Only address space covered by a policy can go through a tunnel, so you need covering policies or multiple tunnels, expect best performance with A-B, B-C and A-C tunnels though.
by psamsig
Sun Mar 20, 2011 12:10 am
Forum: General
Topic: IPSEC Tunnel between Mikrotik routers
Replies: 5
Views: 1744

Re: IPSEC Tunnel between Mikrotik routers

1. site, Wan 1.1.1.1, Lan 10.1.1.0/24, getting VPN access to 10.2.2.0/24 and 192.168.2.0/24 from 10.1.1.0/24
/ip ipsec proposal add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=8h name=md5-aes-128-8h pfs-group=none
/ip ipsec peer add address=2.2.2.2/32:500 auth-method=pre-shared-k...
by psamsig
Sat Mar 12, 2011 2:50 pm
Forum: Scripting
Topic: finding the interface that a the default route in on
Replies: 2
Views: 1672

Re: finding the interface that a the default route in on

This should do the trick:
{
    :local gatewayStatus [:tostr [/ip route get [:pick [find dst-address=0.0.0.0/0 active=yes] 0] gateway-status]]
    :local i [:find $gatewayStatus " reachable " -1]
    :local interface
    :if ($i > 1) do={
        :set interface [:pick $gatewayStatus ($i + 11) 255]
    }
    :put $interfa...
by psamsig
Sun Mar 06, 2011 11:38 am
Forum: Scripting
Topic: need help with flood-ping script
Replies: 3
Views: 4190

Re: need help with flood-ping script

I'm not sure I understand what you mean when you ask where I found the constructs?
The other day you asked about /interface monitor-traffic do={} and this is about /tool flood-ping do={}, and I just haven't seen these do={}'s used in that manner before, and as I said, they are not well documented.
by psamsig
Sat Mar 05, 2011 12:38 pm
Forum: Scripting
Topic: need help with flood-ping script
Replies: 3
Views: 4190

Re: need help with flood-ping script

do={} is executed at start, end and at every 'interval', and you only want the last
:local maxRtt; /tool flood-ping 66.xxx.xxx.4 count=10 do={:if ($sent = 10) do={:set maxRtt $"max-rtt"}}; :put $maxRtt;
Where do you find these odd constructs, I can't seem to find any documentation for them!
by psamsig
Fri Mar 04, 2011 12:52 am
Forum: Scripting
Topic: Trying to put a new line in an email, not working
Replies: 2
Views: 1649

Re: Trying to put a new line in an email, not working

/tool e-mail send to="my@email.not" subject="Test" body=".\r\n."
works for me on 3.29, 4.10, 4.11 and 5.0rc9.
by psamsig
Mon Feb 28, 2011 7:55 pm
Forum: Beginner Basics
Topic: Routing trough VPN
Replies: 2
Views: 891

Re: Routing trough VPN

I believe you are talking about an ipsec VPN, and if so, then you can't route any other traffic than what the policies allow (e.g. a tunnel defined as 192.168.5.0/24 - 192.168.1.0/24 can not pass traffic to or from 10.10.0.0/24). It is possible though, to have more than one policy per peer, at least be...
by psamsig
Sun Feb 27, 2011 1:52 pm
Forum: Scripting
Topic: script works in 3.x but not in 4.x. helo
Replies: 3
Views: 1391

Re: script works in 3.x but not in 4.x. helo

This is tested to work on 3.29, 4.10 and 5.0rc9 (all I have access to)
/interface ethernet {
    :foreach i in=[find] do={
        :local infName [get $i name]
        :local sysName [/system identity get name]
        /interface monitor-traffic $infName once do={
            :log info ("Interface,$sysName,$infName,$"rx-packets-...
by psamsig
Fri Feb 25, 2011 11:13 pm
Forum: Scripting
Topic: Second script no updating IPSEC peer
Replies: 5
Views: 2163

Re: Second script no updating IPSEC peer

Here is what I use:
/ip ipsec {
    :foreach i in=[peer find comment~"^\\+.*"] do={
        :local curPeerIP [peer get $i address]
        :set curPeerIP [:pick $curPeerIP 0 [:find $curPeerIP "/" -1]]
        :local dnsName [peer get $i comment]
        :set dnsName [:pick $dnsName 1 [:len $dnsName]]
        :local dnsAddr...
by psamsig
Fri Feb 25, 2011 9:33 am
Forum: Forwarding Protocols
Topic: IPSec Installed-sa
Replies: 3
Views: 11506

Re: IPSec Installed-sa

Yes to both, especially the second. But both should be easily tested. Try using a wrong PSK and see if the messages change.
by psamsig
Fri Feb 25, 2011 9:29 am
Forum: Scripting
Topic: The "in" logical oprerator -- in srearch for a :toipprefix
Replies: 2
Views: 833

Re: The "in" logical oprerator -- in srearch for a :toippref

If you are going to revise this anyway, then consider:
1) implicit conversion of both left and right side of the operator, this is consistent with behavior elsewhere (e.g. "1" + 1 = 2)
2) allow the left operator to be implicitly converted from ip to ip-prefix (e.g. 1.1.1.1 -> 1.1.1.1/32)
combi...
by psamsig
Fri Feb 25, 2011 1:32 am
Forum: Scripting
Topic: The "in" logical oprerator -- in srearch for a :toipprefix
Replies: 2
Views: 833

The "in" logical oprerator -- in srearch for a :toipprefix

Am I the only one who has some trouble with this operator? According to the Wiki the format is like:
:put (1.1.1.1/32 in 1.1.1.0/24)
which should return true, and I have confirmed that it does, but it is very picky on its types
:put ("1.1.1.1/32" in 1.1.1.0/24)
returns 'false'.
:put [:type...
by psamsig
Tue Feb 22, 2011 11:05 pm
Forum: Forwarding Protocols
Topic: IPSec Installed-sa
Replies: 3
Views: 11506

Re: IPSec Installed-sa

1) Yes, SHA in MikroTik is SHA-1, so that's not the problem.

2) I have no experience with aggressive mode and the use of FQDN, so I can't advise you on that, but 'debug HASH mismatched' sounds like some of the shared information, between the two routers, like PSK, IP and/or FQDN doesn't add up.
by psamsig
Sun Feb 20, 2011 11:17 pm
Forum: Beginner Basics
Topic: IPSec Installed-sa
Replies: 2
Views: 4691

Re: IPSec Installed-sa

No it doesn't look right, try enabling ipsec logging
/system logging action add memory-lines=100 memory-stop-on-full=no name=ipsec target=memory
/system logging add action=ipsec disabled=no prefix="" topics=ipsec
and check the log.
by psamsig
Wed Feb 16, 2011 8:02 pm
Forum: General
Topic: IPSec tunnel subnet problem
Replies: 2
Views: 1273

Re: IPSec tunnel subnet problem

I have the very same problem and haven't found any real solution for it yet. So far I have 'solved' it by using the address of the WAN interface to access the router, even from the inside, and also used it for DNS address, it works, but ain't pretty.
by psamsig
Thu Feb 10, 2011 10:33 pm
Forum: General
Topic: Netwatch to an IP address on the other side of a IPSEC VPN
Replies: 5
Views: 8436

Re: Netwatch to an IP address on the other side of a IPSEC V

Add a route to 192.168.1.0/24 on your LAN interface

e.g:

/ip route add disabled=no dst-address=192.168.1.0/24 gateway=Lan

that will make Netwatch work
by psamsig
Thu Dec 16, 2010 11:09 pm
Forum: Forwarding Protocols
Topic: Realworld results with RB1000U - IPSEC
Replies: 6
Views: 1673

Re: Realworld results with RB1000U - IPSEC

The IPsec subsystem gets unstable and crashes on a regular basis when you reach 100-120 tunnels, true for both RB1100 and PowerRouter 732 with RouterOS up to and including 4.11, haven't tried ROS 5 yet, but since 'nothing is changed unless it is stated in the change log' then I see no need to. So st...
by psamsig
Mon Sep 13, 2010 8:21 pm
Forum: Scripting
Topic: usage warning script
Replies: 15
Views: 5093

Re: usage warning script

I noticed that the moment I run the script manually it sends the emails but what I can't understand is if I run it again it sends the same users an email. Is it not supposed to remember that it sent an email to that person and not send a warning again?
Yes it was, but you dropped the line that handled ...
by psamsig
Mon Sep 13, 2010 7:45 pm
Forum: General
Topic: Ident doesn't work with RouterOS
Replies: 2
Views: 1126

Re: Ident doesn't work with RouterOS

all daemons out there work out of the box with a standard SOHO router
I tend to disagree on that, no router, SOHO or otherwise, I have ever laid my hands on, comes with preconfigured inbound NAT, at most they may come with preenabled UPnP (shiver). Nevertheless, it should be easy enough (especial...
by psamsig
Sun Sep 12, 2010 8:22 pm
Forum: Scripting
Topic: Testing Scripts
Replies: 5
Views: 7118

Re: Testing Scripts

If you want to paste code from a script into a terminal window (aka CLI), you often have to wrap in a {} block, e.g.:
{
    :local str "Hello world"
    :put $str
}
this way you get it to run as when run as a script. Here is an alternative to your script for inspiration:
/ip firewall address-list ...
by psamsig
Sun Sep 12, 2010 7:42 pm
Forum: Scripting
Topic: Script Star
Replies: 8
Views: 3126

Re: Script Star

Your question makes no sense in English, and apparently no one speaks Spanish. If you had tried to translate it back to Spanish you would have gotten: Hola, mi consulta es la siguiente, necesito un script para iniciar la programación de un jack estéreo de todos los 15 días como si no, todos los mese...
by psamsig
Sun Sep 05, 2010 11:01 pm
Forum: Scripting
Topic: Error in Script with SSH
Replies: 3
Views: 1556

Re: Error in Script with SSH

Really no need to use :global, and I think your problem is that the 'interface get' requires that it is run in the root context (whereas '/interface get' is not)
/interface {:local iname; :foreach i in=[find type=pptp-in] do={:set iname [get $i name]; :put $iname}}
or as I would format it:
/interfa...
by psamsig
Wed Sep 01, 2010 10:04 pm
Forum: General
Topic: IPSEC problem
Replies: 7
Views: 1571

Re: IPSEC problem

If you want to trigger the tunnel from the box itself, you need to add a route, read http://forum.mikrotik.com/viewtopic.php?f=9&t=35348
by psamsig
Sun Aug 22, 2010 10:12 pm
Forum: General
Topic: RB750 and IPsec throughtput
Replies: 9
Views: 3558

Re: RB750 and IPsec throughtput

Turns out that all my troubles with IPSEC are related to (unresolved) issue with Eth1.
Where is this stated, I can't find any information, is this officially acknowledged?
by psamsig
Sat Aug 21, 2010 1:24 pm
Forum: RouterBOARD hardware
Topic: ipsec hardware acceleration under RB1000
Replies: 12
Views: 10848

Re: ipsec hardware acceleration under RB1000

So, somehow there's a bug on the RB1000 that causes the VPN traffic to be transmitted out of order.
Did this ever get confirmed and/or resolved?
by psamsig
Fri Jul 30, 2010 1:41 am
Forum: Scripting
Topic: Work around for exiting a loop?
Replies: 1
Views: 1406

Re: Work around for exiting a loop?

Here is a take on it:
/interface ppp-client {
    :local deviceID [/system resource usb get [find ports=0] device-id]
    :local content [/file get [find name=test.txt] contents]
    :local contentLen [:len $content]
    :local deviceFound false
    :local lineEnd 0;
    :local line "";
    :local lastEnd 0;
    :do {
        :s...
by psamsig
Fri Jul 09, 2010 1:00 am
Forum: Beginner Basics
Topic: How do I delete a variable?
Replies: 3
Views: 1630

Re: How do I delete a variable?

To delete global_variable:
/system script environment remove [find name="global_variable"]
by psamsig
Thu Jul 08, 2010 5:55 pm
Forum: Scripting
Topic: A script to calculate Average CPU Load
Replies: 19
Views: 19046

Re: A script to calculate Average CPU Load

This should work:
# Name : Average CPU Load
# Set up the scheduler to run this at 1 second intervals (Sample Rate)
# Set info logs to echo to Terminal in System Logging
#
# maxsamples is the number of cpu-Load samples to keep
# Experiment with this value to increase or decrease the number of sample...
by psamsig
Wed Jul 07, 2010 11:16 am
Forum: Scripting
Topic: script
Replies: 14
Views: 2766

Re: script

I think the problem was in the matching of the target address, it lacked the '/32' suffix
/queue simple {
    :for i from=1 to=254 do={
        :local o [find target-addresses=("192.168.10." . $i . "/32")]
        :if ($o != "") do={
            :if ([get $o total-bytes] > 1048500) do={
                set $o max-lim...
by psamsig
Thu Mar 25, 2010 2:31 pm
Forum: Scripting
Topic: Program LED to VPN Status using Netwatch and scripting
Replies: 2
Views: 3767

Re: Program LED to VPN Status using Netwatch and scripting

Great idea, and I am thankful for being told about the requirement of the route, it has been rather frustrating that I couldn't figure out how to initiate a tunnel from the router itself.

/pds
by psamsig
Sat Feb 20, 2010 11:07 pm
Forum: General
Topic: Feature request: per-domain forwarding in DNS
Replies: 21
Views: 25000

Re: Feature request: per-domain forwarding in DNS

I'll second this as well, it shouldn't really be that complicated to implement.