This is supposed to have been fixed in v5.17 according to the change log: What's new in 5.17 (2012-May-28 12:34): *) files - fixed problem when directories disappeared after reboot on usb or sd flash; ... -> upgrade to latest version I haven't tried it myself though. If you do, please report back h...
Everything but the password is in clear text. It's a CHAP challenge, just like in Hotspot - before login you get a random string, you encrypt your password with MD5, using the provided random string as a salt, and send the result (with all this being done automatically by the client, of course). MD...
It seems that script policies are incorrectly applied. For example, according to the wiki, the hotspot passwords are considered sensitive information. However, a script without the "sensitive" category granted can still read and display hotspot passwords. See below. [admin@MikroTik] > /sys...
Thanks for your code, man you're fast, you must be dreaming in php! I had started on your idea when I saw that you added the code to your post, but I was only at the first couple of lines. I would probably have made it OK, except for the clever safeForScripting function to prevent code injection (I ...
Hello, I am afraid I need your help again with your API. My cunning plan for the "forgot password" functionality is that users will fill their username and email address, and if these match then they will be sent an email with their password (they can borrow a colleague's computer for a mi...
Success! I tried two other hosts who both were giving me a connection timeout error. Then on a hunch I moved the API service on the router to port 21, and modified the script accordingly: <?php namespace PEAR2\Net\RouterOS; error_reporting(E_ALL | E_STRICT); ini_set('display_errors', 'On'); require_...
Thanks for your help with the debug code. Here is the error message (I obfuscated my personal details): Client not created because of the following exception: exception 'PEAR2\Net\Transmitter\SocketException' with message 'Failed to initialize socket.' in /srv/disk8/xxxxxxx/www/mysubdomain.myhost.ne...
I am officially stuck. The code never returns from the Client instance creation: <?php namespace PEAR2\Net\RouterOS; require_once 'PEAR2/Net/RouterOS/Autoload.php'; echo 'OK1'; $client = new Client('192.168.0.1', 'admin'); echo 'OK2'; ?> When I load the page I see the OK1 just fine but not OK2, mean...
Yes, I already did that and the host has php 5.3. Just now for testing purposes everything is in the public folder (the PEAR2 folder and the .php files with your password scripts). I will move PEAR2 later higher in the structure and put a command in your scripts to add the location in the include pat...
The other three are running without syntax error. It's hard to figure out what's going on with the web host I am using because they do not offer an SSH interface, so all I was getting by way of error messages was a blank page when trying to load the form... guess I'd be better off testing on a developm...
Dude, I think I found a few typos in your forgot password script (in red below): <?php namespace PEAR2\Net\RouterOS; require_once 'PEAR2/Net/RouterOS/Autoload.php'; $errors = array(); //Check if the form was submitted. Don't bother with the checks if not. if (isset($_POST['act'])) { try { //Adjust R...
The problem is your users need to log in in order to have internet. And they need internet to access their email => Without login, how could they access their email? I understand that it would not be a viable option in lots of cases, but in my particular case, people who lost their password can simp...
Developing your own features on top of mikrotik is what gives your business value, otherwise you are no different from everyone else. Setting up a simple free radius lamp server takes less than 60 minutes, even less if you use a cloud server. Get the business logic off the mt and onto your own syst...
Awesome, thanks for that. It would have taken me forever to get there (if ever) given that my website programming knowledgeability is about nil. I will try to set this up as soon as I find some time, using your code. Simple and generic does it just fine. I can build on that. My first thought ...
Feklar, thank you very much for your reply. I am a bit embarrassed because I also posted for the same reason in the scripting forum (although the original question was a bit different, the underlying reason was the same as that of this post). I got replies similar to yours in the other thread, and a...
Well, in MikroTik's defense, a forgotten password feature isn't hard to implement if you have an external web server. You just place that server into a "walled garden", so that it can be accessed without a login, and link to it from the login page. The external server itself can do whatev...
It seems that for hotspots living on routerboards, there is no way to implement a self help forgot password / change password functionality for the hotspot users by customizing the html pages of the hotspot and invoke scripts to do the job. Therefore this functionality could maybe be built-in in fut...
Thanks for the reply. Damn, that is quite limiting! The reason I was asking is because I wanted to implement a "forgot password" functionality for my hotspot users. While I see in other threads that this has been done on PCs that run routerOS and have third party web servers and php capab...
*) files - fixed problem when directories disappeared after reboot on usb or sd flash good stuff, hopefully this fixes the disappearing micro-sd cards: http://forum.mikrotik.com/viewtopic.php?f=13&t=46144, will give it a go. I sent a detailed bug report about this problem a few months back, but...
To invoke a php script from a webpage, people use something like: <form name="form1" method="post" action="myscript.php"> Is it possible to invoke a RouterOS built-in script or API commands from a webpage? (for example on a Routerboard where php is not available, invoki...
Hello, I am looking for a way my hotspot users could recover their password from the login page if they forget it (type their user name and their password will be sent to their registered email) (this is for a routerboard, not routerOS running on a PC with for example PHP capabilities). I found this...
I see that some people here have a forgotten password functionality for their users. I have been unsuccessfully searching the forum and the wiki for some guidance on how to implement a system that would upon request email the password to a user's registered email address.
I have not solved this problem. If you Google ios and captive portal, you will find tons of links to similar problems, so it is not unique to Mikrotik. My users have also reported their devices not offering to save their login info in airports, hotels, etc. Looks like it's Apple again trying to be s...
Hello, My hotspot is running smoothly, but I can't for the life of me figure out why the iPads and iPhones running ios5+ do not prompt to save the login and password for future autofill. I checked and played with all the settings of these devices, they perfectly happily save login info for gmail, yaho...
Below is the same stuff I wrote to support. Has anyone else experienced this kind of issue? I am using a 4GB Sandisk Ultra Mobile micro SD card and have my user manager store for the hotspot setup on it. Read below. See a few bugs? Looks like your disk drivers need a serious overhaul. With the details belo...
I am using lists (inside the "port-knock" chain). However if you let the next knock be anything without locking and resetting the knocking process on a wrong knock, then potentially an attacker could knock at all the ports 3 times in 5 seconds and get through the process successfully just...
Nice try but fragment-offset is zero for both packets, and the first 28 bytes of the first packet are identical to the 28 bytes of the second packet and one is in the rx direction and the other in the tx direction, so I doubt they are two fragments of a single packet. Also the last 18 bytes of the f...
Well at least for me it is mysterious. I send a single UDP packet from my laptop to the router, and the sniffer sees two. One rx: no problem with the existence of that one, since I sent it and I can see it traverse the firewall. But what is the score with the (smaller) tx one? Where is it coming fro...
FWIW, here is how I built my port-knock chain, to impose that each packet has to be in sequence and correct. If not, the src-ip is added to the k-fail list, which prevents another try for 30 seconds by the jump rule (no need for the limit that was in the OP): 8 ;;; Port knock test chain=input action...
OK my bad, the limit feature works fine, I had a "rogue" firewall rule that I used for testing yesterday and forgot to disable, and it was matching the same packets as the ones I put the limit on, giving me the wrong impression. Also, I did not really have duplicate UDP packets, although t...
Hello, I am trying to set up port knocking on my 450G. I am seeing duplicate UDP packets at my WAN interface (to anticipate questions: yes, I am sure that I am sending only one UDP packet as per wireshark running on my test machine, and when I test from the LAN with the same laptop only one UDP packe...
OK, while we're at it, I don't understand how the anti-spam rules do their job: add chain=forward action=jump jump-target=restrict-ip ... add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy" add chain=smtp-first-drop src-address-lis...
Well at some point you're going to have to get a terminal, otherwise there is nothing you can do other than reflash and start from scratch. Try with Telnet or the serial console. If you manage to get a terminal, you can try to uninstall some packages you don't need (like the dude) to regain some spa...
I assume you are talking about disk space, not memory space? If you don't mind losing your user manager database, delete it: - check in stores and remove the user manager store - check in files and make sure the store was deleted - check your other files and see which ones are taking space Not real...
^^ Problem with the above is that I just set up test rules in the iptables of my dd-wrt home router (which does NAT). The rule logs packets in the forward table, which have come in through the public interface and still have the public IP for dst-addr... no match! Also have a rule there which logs pa...
As I understand it, on NATed network destination address for packets coming into wan port is always router's public address, so mentioned rule cannot be used since it will drop every packet. OK, I think I got mixed up by this (from the Wikipedia article on NAT): When a reply returns to the router,...
Hello bump please, this is a simple question, is there any reason why the bytes in/out numbers are not available when viewing the connections under firewall, whereas they are when viewing connections made via the http proxy server?
add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop \ comment="Drop everything that goes from public interface but not to local address" disabled=yes #check this well! The above rule is for not nat-ed hosts! I am stuck on this one. Why woul...
Let me rephrase this: the facility of accounting for traffic through a particular tcp or udp connection exists in RouterOS. It is used in the firewall rules via "connection-bytes". It is also available for the connections made by the proxy server under /ip proxy connection. Questions: 1) w...
OK I have now reinstalled my SD card in the 450G. I managed to slide two layers of paper underneath the SD card in the slot. I also pulled back the card about 1mm from the end of the slot. So far so good, 12 hours and the disk is still present. I moved the user-manager and web-proxy stores to the SD...
Thanks for that. Yes, in the meantime I figured out that the "transparent proxy" tick box and the NAT rule are pretty much doing the same thing when it comes to proxying. Also see here, at the bottom of the page, firewall rules 10, 11 and 14. Concerning the ssh problem, I ended up tracing...
Again reviving an old post, sorry :D I am running userman, hotspot, web proxy (not caching though), dhcp, dns on an all-in-one 450G "pumped up" SOHO router. Getting about 35000 sectors written per hour :shock: If I am not mistaken, one sector on the NAND is 16kB, so that would be about 546...
Hello, I am trying to figure out how to do the following: - categorize and mark connections in mangle (using predefined connection type and/or layer 7 rules) - record (log) connections in a single report including the following information: 1) src/dst IP and port (bonus: corresponding hotspot user n...
Actually I was also reading this post and it's the same for me, I have to open the case, pull the card, and reinsert it to get it to reappear. Rebooting alone does not bring it back. I can see no reason why that would be, other than the card not being physically properly seated in the slot. Maybe a ...
Google mikrotik layer 7, first hit: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7 Second hit: http://wiki.mikrotik.com/wiki/Basic_traffic_shaping_based_on_layer-7_protocols Search forum topics titles for layer 7: http://forum.mikrotik.com/search.php?keywords=layer+7&terms=all&author=&a...
OK I got my first 450G up and running. Basically using it as a pumped up home/SOHO all in one router, WAN IP on ether1-gateway and LAN on bridged ether2-5. I set up a hotspot on it, do user accounting with userman, and I use the integrated web proxy on port 8080 to transparently do some filtering an...
Sorry to revive an old post, but I see this problem has been around for a long time now. I am trying to use a 4Gb Sandisk Mobile Ultra SDHC with my 450G (latest RouterOS version). This particular card is listed in the Wiki as supported hardware for the 450G and I have exactly the same problem as des...
Hello, I am a noob and a bit confused by the filter chain traversal of the packets of the hotspot authenticated clients. In a normal basic setup, the packets not directly destined to or originated from the router traverse the FORWARD chain. So basically packets to and from clients traverse the FORWA...
Ticking the box I believe adds in an extra step in the hotspot process that tells it to forward the traffic onto the proxy internally, so you don't really see a firewall rule created for it. Support would need to clarify exactly how it works because that functionality is not exposed to us. But in e...
You would need to enable the proxy and set up the rules in there for authenticated guests from the proxy menu. The walled garden uses the same functions as the proxy, but it only applies to unauthenticated guests. Also don't forget to set up a firewall to protect the proxy from the internet, other...
Enable the hotspot and enable the transparent proxy on a profile basis. This will force people to use the proxy. The downside to this though is that it will not work with HTTPS traffic, the transparent proxy only works with HTTP. If you need the end users to use a transparent proxy for HTTPS traffic a...
Wow, thanks for the lightning fast response (on a Sunday!).
Another thing to wrap up my order: can you confirm that all versions of the 450G can run on 12Vdc, and that this is recommended as opposed to higher voltages?
Hello, I am new here, and new to routerboard/routerOS, so first, hello to all. For a little background, I am not an IT pro, but I am administering small size networks on oil rigs, which have severe bandwidth limitations and far too many users (including the usual bandwidth hogs who spend their lives...