MikroTik

msatter

https://forum.mikrotik.com/viewtopic.php?f=9&t=171135&p=836472&hilit=fetch+upload#p836472 Warning! the source directory and target directory must be the same and rxist. So this is not going to work /disk/file.txt --> /file.txt. See: https://forum.mikrotik.com/viewtopic.php?f=9&t=1549...

msatter

You can write BIGGER files, they really huge...files. ;-) with :execute https://forum.mikrotik.com/viewtopic.php?f=9&t=130448&p=819118&hilit=file#p818939 and here with print environment https://forum.mikrotik.com/viewtopic.php?f=9&t=167594&p=823889&hilit=environment+print+fil...

msatter

On which version of routerOS are you and there was an change in 6.48:

*) ipsec - refresh peer's DNS only when phase 1 is down;

To avoid having the used IP address being out-of-sync with the currently used address. This was a problem with DNS using a very short TTL.

msatter

On $bound it is used in DHCP script.

https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client

msatter

That is encouraged by me because my only interest is to avoid that other to discover the wheel all over again. My search took many months and few support request, Sindy helped me out with this.

msatter

I can't stand Amazon stuff anymore, however I posted earlier about other fans.

viewtopic.php?f=3&t=132258&p=811123&hil ... ng#p811167

msatter

I think you should look at examples of IPTV that also use two vlans next to each other.

msatter

Why 3 wires? I see a + and - on the previous diagram what is the third soldered spot for, closest to the back of the chassis?? I suppose one could check if they are powered by hooking up a multimeter? I wonder if that capacitor close by (11 oclock)is affiliated or not........... The third pin is th...

msatter

The second screen is a simple export from terminal yes my network is 10.0.0.0/24. I missed the word template in the second screen so the 0.0.0.0/0 is correct. You have to check what is wrong on a other place in the NordVPN setup. You can leave my line in there to avoid any MTU problems. There is an...

msatter

I wrote dst-address and that should be src-addres and it this one: src-address=10.6.2.22/32 How do generate the second screen, because it does not match the first screen? And is 10.0.0.0/24 your internal network? Please change you personal IP address from your posting above! sa-src-address=XX.XX.XXX...

msatter

/ip ipsec policy set 0 group=NordVPN proposal=NordVPN add action=none dst-address=10.0.0.0/24 src-address=0.0.0.0/0 add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN \ src-address=0.0.0.0/0 template=yes First dst-address=0.0.0.0/0 should contain the entry point if the tunnel. Th...

msatter

Screenshot_20210219_190901.jpg

I assume the pads in the red squares are connected and in the blue circle you see the fan connectors with some componend soldered.

This is the 1009 with a bigger case and two internal power supplies.

msatter

If you are looking for the fan soldering pads and looked at the bigger versions of the 1009 which share the same boards. Just looking at pictures on the internet. Screenshot_20210219_184150.jpg There are no components around those pad so likely also no power on the pads. I would advise a power sourc...

msatter

Screenshot_20210219_121343.jpg

msatter

No and forum also not know that. But you can add a small fan on outside to suck air out close to the position of the SFP. https://www.cdr.pl/galerie/m/mikrotik-cloud-core-rout_9166.jpg Seen from the back. Front right side. Powering the fan externally. If you also using those HOT copper network SFP p...

msatter

OK, so before going ahead and ordering cooling equipment I was taking a look at the board for the CRS326-24G using the high res image on the MT website. I cannot see where the connector for the fan is. Can anyone mark it for me on here? From a previous post I had understood that the board was ready...

msatter

OK, so before going ahead and ordering cooling equipment I was taking a look at the board for the CRS326-24G using the high res image on the MT website. I cannot see where the connector for the fan is. Can anyone mark it for me on here? From a previous post I had understood that the board was ready...

msatter

I like to use 3/1 - 1/1 and 1/1 can be omited because it catches all just as no PCC would do. Set passthrough=no
This will give you 33% on wan 1 and 66% on wan2.
4/1 - 1/1 gives a 25% - 75% split. etc.

When passthrough is needed then use 3/0 - 3/1 - 3/2 Wan 1 - 2 - 2 (33% - 66%)

msatter

My Dreambox satellite receivers are running DreamOS ;-)

msatter

Decrease maximum concurrent queries. It limits, so TCP can keep up.

msatter

You do not need the marking in Mangle because NAT is doing the work here and you don't need the extra marking.

https://wiki.mikrotik.com/wiki/Manual%3 ... squerade_2

Marking is needed if both ISP gateway's are on the same ether port.

msatter

In terminal you can set the update interval.

 /ip cloud> p;rint
          ddns-enabled: no
  ddns-update-interval: none
           update-time: no

Maybe Mikrotik could make a disable "call-home" in QuickSet to disable all earlier mentioned calls, in one go.

msatter

System - Clock - Auto Timezone: set it to manual in the next tab.

msatter

Using search delivered a starting point: viewtopic.php?f=3&t=122395&p=775840&hil ... fp#p780464

msatter

A fix for SIP related issue is not included in this release, but it is available in the 6.49beta11. If an upgrade to the testing version is not available, try disabling MNDP in neighbor discovery settings, see command below: /ip neighbor discovery-settings set protocol=cdp,lldp i just disabled the ...

msatter

Many thanks. My IKEv2 download speed increased by over 100 Mbps to almost the maximum download speed I have. It was lower in 6.48 than the previous versions of ROS.

msatter

I would expect lower than 10. Your range values should be mentioned in the datasheet of the module.

As you write it works fine and the other module even goes lower.

msatter

Luckily you managed to disengage the Caps-Lock key in the end.

msatter

The 1.25/2.5 Gbit/s indication is the interface connection between the SFP and the router. The 1 Gbit/s is the interface between the SFP and the fiber. So all is working correct. Your RX power is a bit high and are all connectors all pushed full in. Update: I now see that there are ones that transmi...

msatter

I have just tested it but I did not manage to obtain anything other than NXDOMAIN from the internal domain server. Sorry.

msatter

I have never used that but a search on the internet gave the general workings of a SRV record.

Yes, if you use the srv target.

msatter

In the srv you don't put an IP but the domain name of the server serving both ports.

srv site1.lan 32400 --> A siteserver.lan 10.10.10.10
srv site2.lan 20020 --> A siteserver.lan 10.10.10.10

msatter

This device always puzzled me. I see it a kind of NTU with POE, to be used on 'remote' locations.

Eth2 and the SFP are either one and you use the Eth2 or the SFP.

msatter

Because routing is not used it is indeed free to be used as the trigger for the killswitch. I am using several VPN providers and connections so mark IKEv2 traffic with a single routing mark and the distrubution is done be connection marking.

This gives a lot of flexability in the end.

msatter

This formum and this blog: https://blog.mikrotik.com/security/

There is also an RSS feed: https://blog.mikrotik.com/rss/?cat=security

msatter

RAW is introduced to be able to block traffic before it hits connection tracking and so avoid high CPU usage.

UDP/Mangle/Filter need connection tracking and so using the CPU big time.

msatter

You mark connections in Mangle with the connection mark op the VPN connection.You have so full control of which traffic is going throuh the VPN based on type, port, dest/src address or domain through a addres-list.

msatter

You could consider Class C+ gpon from FS. It has a temperature range of -40 to 85 Celcius, normal is 0 to 70 Celcius. https://www.fs.com/de-en/products/64168.html msatter Thanks for the post. Have you tested this product ? No, but you can ask them for for a sample. https://www.fs.com/sample_applica...

msatter

You could consider Class C+ gpon from FS. It has a temperature range of -40 to 85 Celcius, normal is 0 to 70 Celcius.

https://www.fs.com/de-en/products/64168.html

msatter

You can only filter on the IP address of theclient. If your router is also providing DHCP to the clients then it should be possible.

msatter

SHA-384 was already supported earlier but then only through the CLI. Now also through Winbox.

The sixt of January 2021 the table in the Wiki was updated for the RB4011 and here the link to that table:

https://wiki.mikrotik.com/wiki/Manual:I ... celeration

msatter

https://mikrotik.com/products/group/swi ... 248%22}}#!

msatter

viewtopic.php?f=2&t=171082

msatter

All the good to everyone and stay virus free in 2021. An to ROS, stay bug free and that you soon succeed for you seventh level exam.

msatter

This will generate a lot of random things.

viewtopic.php?f=9&t=169030&p=830719

msatter

I expected something more like this.

msatter

Hot wine...is then not the alcohol already evaporated?

msatter

Is it something like Pi-hole filtering the domains and block domains not allowed to return 0.0.0.0 IP-address? The problem of the addresses in the log of the DNS server is normal. In the eyes of the DNS server the router is talking to him and can't see the IP address of the client. If you would use ...

msatter

Look at it differently. Change the rules to to redirect if the clients are making the requests not to you own DNS.

!10.10.10.1 assuming that is your own DNS.

msatter

/ip firewall connection remove [find where reply-dst-address~"1.2.3.4"]

msatter

It is for sync that is needed and RouterOS does not know where to sent those returning packets to. Those packets are now sent to where they are expected and being processed to lower the MTU till no, please lower the MTU are send anymore. IKEv2/IPsec significantly increases the security and privacy o...

msatter

Use duckduckgo.com and you will find: Accessories Package includes the following accessories that come with the device: EU/US Switching Power Supply DC ⎓ 24 V 1.5 A 36 W 87.4% VI 150 cm RA DC plug. K-60 fastening set. DIN965, M3x6 . Mounting kit 4011 rm bracket. There are two included in the K-60 ba...

msatter

I see in the use cases the following line which is obsolete if you do that directly in IPSEC Policy. It is this line in mangle: # Reduce MSS (should be about 1200 to 1400, but 1360 worked for me) /ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp src-ad...

msatter

Try using "ISP 1" and "ISP 2" Nice to see you back....so soon. Greetings matter, I tried to do it with the scripts that you told me by disabling the interface, but it did not work for me, I think that with the use of recursive ways I can achieve that the failover is done and eve...

msatter

Try using "ISP 1" and "ISP 2"

Nice to see you back....so soon.

msatter

OK.

{
:if ( [/ping 8.8.8.8 interface= "ETHERT 2" count=6 ] = 0) do={/ip route disable [find comment=ISP2]}
:if ( [/ping 8.8.8.8 interface= "ETHERT 2" count=6 ] != 0) do={/ip route enable [find comment=ISP2]}
}

msatter

So if you say this works: :if ( [/ping 8.8.8.8 interface= "ETHERT 2" count=6 ] = 0) do={/interface disable numbers=1} Then the following should work if you add the comment label "ISP2" to the route going to your second provider. ETHERT 2 is not disabled this way, this because you...

msatter

No reporting of posts possible in this tread?!

msatter

You can't. If you don't have an active connection to the internet you can't ping anything on the internet.

Please stop with creating postings about this and have a read of what others suggested in answer to your many postings on this.

msatter

On the subject of export- On my RB4011 it does complete, it just takes an average of 21 minutes. The only errors on the export are: #error exporting /routing/bfd/authentication #error exporting /routing/bfd/configuration But export terse compact file=$fileName does finally complete. See the answer ...

msatter

Visual of the posting above:

As soon you enable the SFP, one of the 1Gbit get reserved for traffic on the SFP. Leaving half the speed for the Ethernet.

Vlan happens in the CPU so it has a big impact.

msatter

Try with UDP starting at 7000 instead of 10000.

msatter

viewtopic.php?f=23&t=157048

msatter

Well yeah, it seems that I have no other option but to build a test environment for this. And if it turns out that DNS rr is not utilized for failover, then it will have been a waste of time. :-(

At least, you have learned something after that. :-)

msatter

No, this was discussed in the 7.1beta3 thread a few days ago.

msatter

Round Robin in on the server side and not the client side. RouterOS is here a client.

msatter

:set $myVar "my value";

msatter

This is still present and had this when enabling/disabling logging in RAW rules.

viewtopic.php?f=1&t=165248#p813064

The first rules counter had a life of their own.

msatter

Hope this will also stop the router crashing when you change the MTU of an interface. I appreciate your test reports as we seem to be having the same issues. I'm with Bell in Canada and they also use baby jumbo frames on a SFP ONT with PPPoE. So I see the same crashing and MTU issues you are seeing...

msatter

Updated my HAP AC2 from beta2 to beta3 and the device is constantly rebooting at about 1 minute of uptime. There was only one critical log entry, the device restarted because of a kernel failure. Downgraded back to beta2. Please report this to support@mikrotik.com and attach either a supout file fr...

msatter

256MB of memory: https://mikrotik.com/products?filter&s=c&f=[%22integrated_wireless%22,%22indoors%22]&a=[%22arm%22]&r={%22ram%22:{%22s%22:%22253%22,%22e%22:%22317%22}}#! More than 256MB of memory: https://mikrotik.com/products?filter&s=c&f=[%22integrated_wireless%22,%22indoor...

msatter

Hope this will also stop the router crashing when you change the MTU of an interface. Update: I could change de MTU but sadly not the one I wanted to. The PPPoE dropped back to 1480 and manually I could set it to 1492 to a bit be closer to the 1500 that I can use in 6.48. Routing was changed (expect...

msatter

This can be adapted to write global variables to a file: https://forum.mikrotik.com/viewtopic.php?f=9&t=167594&p=823889&hilit=environment+print+file#p823683 I advise to only do variables and not scripts due to the 4096 bytes limitation. If you mark functions with the wordpart func in the...

msatter

msatter

Write variables in scheduler startup script is a better option than writing variables in l7 rules and other crazy stuff.

Can we have a scheduler restart/shutdown then?

msatter

Allow someone to hold your hand on this.

https://mikrotik.com/consultants

msatter

Hrmm maybe? I downloaded the .zip file with 'all extras' for arm and scp'd the .npk files as normal and validated they were all there and the right size. When that didn't work after two attempts of scp and reboot, I tried the winbox method and it showed download complete and rebooted, but again fai...

msatter

Mikrotik cares but the Beta has problems with booting the Tile architecture so not released yet.

If your Chateau has problems the ask support if you can have Beta 3 already.

msatter

Maybe this interferes: upgrade - do not try installing packages if download was not completed

msatter

When you on it, ask also for Beta 3 for your router.

msatter

If uou don't want to do it yourself with help of the documentation you can try this page to find someone to do it for you:

https://mikrotik.com/consultants

msatter

Good luck with contacting an administrator. Messaging is switched off again. It could be that your posting got reported and they are deleted...manually or "automatic". ps. you posted this in scripting and that is not right place post this. I posted in scripting because that’s the forum th...

msatter

Good luck with contacting an administrator. Messaging is switched off again.

It could be that your posting got reported and they are deleted...manually or "automatic".

ps. you posted this in scripting and that is not right place post this.

msatter

The day after 9-11 this year, the passwords were reset and members had to provide a new password.

You must have missed that....by a few months.

viewtopic.php?f=21&t=166059

msatter

There is indeed no way to see which version of boot you're using in backup mode. You can look at the factory firmware and then deduct that the backup boot has the same version. This should be valid since Mikrotik synced the version numbers of the boot/firmware and the RouterOS version. Your are righ...

msatter

You signature is outdated. https://forum.mikrotik.com/viewtopic.php?f=9&t=169030 On your question: https://help.mikrotik.com/docs/display/ROS/RouterBOARD If to use the backup RouterBOOT. This is only useful if the main loader has become corrupted somehow and cannot be fixed. So that you don't ha...

msatter

*) certificate - properly flush expired SCEP OTP entries [SUP-31328] The flushing works , but when flushed it is made not visible in Winbox until you generate a new OTP hash manually refresh by changing windox in Winbox. It is possible to generate OTP with a lifetime of zero minutes in Terminal and ...

msatter

I have put a updated version in the second post of this tread. Removed some bugs, corrected typos and changed some incorrect code. Streamlined the removal of generated OTP hashes so that the generated hashes that became obsolete are removed directly. Introduced a dedicated variable $decimalUP to hav...

msatter

Create a way to delete the generate hash while the auto-removal is still broken in my version of RouterOS: :local createOTPHash [/certificate scep-server otp; ([generate minutes-valid=0 as-value]->"password") [:foreach i in=[find -1] do={:set $lastHash $i}; :do {remove $lastHash} on-error=...

msatter

You should never ever use index numbers in scripts. These are just temporary and refer to the last print.
To remove all certificates use this:
Code: Select all
/certificate remove [ find ];

You can use print in a script by adding without-paging and as stated using numbers is not the best way to do this.

msatter

Please open a new topic about this because this thread is about Useful scripts and you want something specific. You could also use search because this is talked about many many times and yes you can use HUGE lists, but you have to prepare them first on a computer and then import it. See: https://for...

msatter

You need to :put $userinput, not :put $read :) :put $userinput is also empty for me after asked for a value (v6.47). If you get actual code then use an extra pair square brackets. :local userinput [$read]; :put [$userinput]; or use :set, instead of local/global :set [userinput [$read]]; :put $useri...

msatter

Source: https://forum.mikrotik.com/viewtopic.php?f=9&t=152632&p=796712&hilit=63+kb#p759427 # Written by Shumkov # Adapted by blacklister # 20201025 { /ip firewall address-list :local update do={ :do { :local result [/tool fetch url=$url as-value output=user]; :if ($result->"download...

msatter

If it is bigger than 63KB then that is not possible in RouterOS.

msatter

Some other ways to check:

([:len $z]=0) works also for array
([:typeof $z] ~ "(nil|nothing)")
I did not knew the =[ ] and that one could replace the :len one for me.

msatter

Should I see traffic when I torch the bridge acting as blackhole for the VPN when it is going up or down? The only traffic I saw was ARP. When I re-enable my own killswitch lines (dst 100.69.69.69) then those lines in NAT do catch traffic. Looking in /IP routing the PPPoE-out has a distance of zero ...

msatter

The code has been updated in posting two of this thread. I added a simple help to code and I could insert it locally in the global function $genpassword because it was less than 45 lines of code including the help text. You can display help by typing: $genpassword -help and displaying the version nu...

msatter

You could try this as scipt running (Terminal) after the router has booted and see if that helps: { disable sfp-sfpplus1 :delay 50ms enable sfp-sfpplus1 } My scipt-code in PPP Profile for not obtaining a MTU of 1500: { :delay 4s /interface :if (([pppoe-client monitor pppoe-out as-value once]->"...

msatter

I understand that as of a few winbox versions ago , the entries in the log window were truncated to not take up more than a single line (and there were some users requesting this). however im not clear on how this is a better solution than the prior multi line log window entries (where you could al...

msatter

I made a second update to the code and added the option to only mix a supplied string (minimal length 4) and the code was already is in the genpassword script. To make this also directly available a small function was added next to the already exisisting genpin and dummyhash to call it directly and ...

msatter

Thanks Jotne and the ";" presence is known and it is due to I tried to find why I could not put the code in :global. In the end it was due to me using multiple TABs to structure the code. I will propose the code to Mikrotik and hope that the will have look at it and be so nice to provide a...

msatter

I am affraid that is is a troublesome undergoing. It started 4 years ago:

viewtopic.php?f=3&t=104109&hilit=vdsl

msatter

################################################################################################### # Written for RouterOS from Mikrotik # Written by Msatter (alias on forum.mikrotik.com) # only for non commercial use # version 20201125-2.58 DO NOT FORGET TO UPDATE ALSO THE :global version undernea...

msatter

I have completed the script to generate different types of random ranges of characters, numbers or combinations from those. A One-Time-Password hash generator in RouterOS is used to have randomness to be used in the generator. Calling the function is quite flexiable and the ordering of the parameter...

msatter

Mixing the base strings is complete after bring on the backburner while I wrote a menu script. Also aound a much faster and absolute way to remove the obsolete OTP hashes.I first had a for next removing the "numbers" one by one. This did not work always and with more that thirdteen thousan...

msatter

It seems I had them because I had to scare away people looking at their phone wandering into the garden. Never seen them personally so it was a complete surprise to me that I had them in my garden. Those invisible creatures. Not much running scripts here and sometimes the VPN maintainers flashes by....

msatter

If there is a second return the that one should supersedes the earlier one and the last one the only one retuned. It is then behaving as variable, which can have only one value.

We have already :error which stops all scripts/and functions.

msatter

A file up to 64KB can be read in one go to an array.

.RSC files can be much larger and I hsve not found yes a limitation other than the memory of the router itself.

I am still searching for a way to include code as insert and not in script or global.

msatter

The short answer is yes, it is possible. The problem is making a regex that covers half the internet...
It's like saying that achieving world peace is possible, the problem is just finding how to make all people like each other.

Till .*$

;-)

msatter

Not nice to say that about Bidon. Go and was your mouth. Are you drunk?? Not judging, but hopefully not configuring any MT devices jajajajaja I don't drink alcohol only smell it when I disinfect my hands, and that is not enough to get drunk and it is also not the right type of alcohol to use intern...

msatter

Thanks SiB and I did not see any other that :returns cuts away from the function despite there could be more instructions to process. Or did I missed it? It has it's chams because you can go in the middle exit a function this way without being concerned about code underneath. It brings the feeling b...

msatter

I have the problem that :return acts like an :error and terminates the function and does not execute the last command till the end of the function "}" From the Wiki: Starting from v6.2 new syntax is added to easier define such functions and even pass parameters. It is also possible to retu...

msatter

Let RouterOS do this for you and look at how you normally enable and disable lines.

You are now collecting the lines and that is not needed.

msatter

Not nice to say that about Bidon. Go and was your mouth.

msatter

/ip firewall filter disable [:find comment~"Yoeptube"]; This is in ROS script.

Replace Yoeptube with you use and it can also a partly match like tube because of the ~ instead of a =

msatter

Really! Old syntax don't support parameters :global fold [:parse ":put \"$param\""] :global fnew do={:put "$param"} :put "Old" $fold param="params work" :put "New" $fnew param="params work" > /system script run test-params Old Ne...

msatter

Hi all,

Let me also share my scripts collection with you - maybe you will find few of them helpful or useful as they are to me;)

https://github.com/gbudny93/RouterOS_Useful_Scripts

Greg

Easier append array: viewtopic.php?p=819886#p728850

msatter

BTW, I managed to wipe environment when a Array was by mistake looped and the memory start to fill up and after about 20MB it would clear and start again to fill up. In Winbox the environment screen was wiped and in red was displayed something "NOTHING FOUND". Then filtering would engage o...

msatter

I had a look at 2D array. They are not easy and I stepped in a few beartraps and maybe I even need some new functions to handle them easier. Some things are easier to archive but it is a lot to learn and test. Update: I have converted it from array with a key to a 2D array. Work great and it was a f...

msatter

You are right, it does resize badly on small displays. We will work on that.

And it gone. Hoping that mobile device friendly mode will be back soon!

msatter

I want to return the key in a array and don't want to use the "foreach k,v in $ar" method. :local ar {"Abcdef"="b";c="d"}; :local a [:tostr [:pick $ar 0 1]]; :put [:pick $a 0 ([:find $a "="])] [:tostr [:pick $ar 0 1]]; is putting out the key and the ...

msatter

That will still have one long line, but at least you can drag that window until you see it all. So it's a way, but definitely not good way, just slighly better than nothing. It would be best to optionally support both horizontal scrolling and line wrapping. On scripts, I don't remember where, if yo...

msatter

You'reInHotWaterJoe.

msatter

:put is there show humans, an :if does not need to see it, it knows what the result is without seeing. The connections table is table that is shown and you best use "print" to find a value. I had to use also a :pick, which is scanning the lines till it finds what is sought and cut is out. ...

msatter

You can't use put there:

:if (:put ([/ip firewall

Use:

/ip firewall connection remove [find where dst-address="15.15.15.1:9987"]

msatter

Should line 17 be like this? :set ($arrayString->"mixedpin") "8923176504" ; :set ($arrayString->"mixednumbers") "8923176504" ("mixednumbers" -> "mixedpin") Thanks, I think I will do away with static mixed and replace that by dynamic mixing...

msatter

That would be great and Mikrotik could also use the encryption engine to hash the password generated, with a salt added to it. Then the admin only has to store the hash and the salt. I have busy on a scripts and when syntax and error checking it is wise to not be in the root but off-root (like: /ip)...

msatter

You are right, it does resize badly on small displays. We will work on that.

First looks great. Many thanks for the mobile view!

Update: :-) ....reads like a old fashion manual, but better.

msatter

I did not see a way to reduce the MTU except for the SYNC. NAT is not a problem because a tunnel is used. UDP/4500.

Despite my IKEv2 is eorking great and MSS is never triggered I have sometimes problems retrieving TLS certificates when browsing.

msatter

As written much earlier that does not work with telnet. You need to use SSH and yhese dsys we use RSA instead of DSA.

msatter

Adapt:

viewtopic.php?f=9&t=167594&sid=481cee8f ... 75#p823683

msatter

Of course You can do anything with a network of Mikrotik routers if you put a big computer next to them and use PHP/PERL/Delphi/Putty/Whatever to control them using API/Telnet/FTP; But thats not the power of Mikrotik. It's the only router that I know of (apart from a LInux box) that can be scripted...

msatter

Before you can use the (rules) line numbers you first have to fixate them in a script. print without-paging; # to have a correct location of numbers in the table Then determine the dynamic lines to skip. :local dynamicLines [:len [ find dynamic]]; :do { add place-before=($dynamicLines) action=..... ...

msatter

There are several ways to do this and I have written a backup and restore especially for interchanging between different routers. The focus is on keeping the filesize as low as possible. It is close to RC and I was distacted by other projects so it went down the pile of other things. If you want you...

msatter

Very interesting and they look very good.

msatter

Tried 6.48beta48 L2TP IPSec using certificates is still broken for my clients. Searched the forums, but haven't found any resolution. My L2TP/IPSec clients failed after 6.47, was able to downgrade back to 6.46.6 and everything worked ok again. Did you already contact Mikrotik support on this? e-mai...

msatter

Update: I see that all omit this "/" and this works if you are already in the root of the menus. I always put a "/" in front to be sure I land where I need, every time, where ever I am. Thank you, i add the "/" to the first line but with the same result. All lists cant...

msatter

Quick check. The first line you are changing to / ip firewall address-list but you not copied the needed a "/" in front when already being already in a menu. Update: I see that all omit this "/" and this works if you are already in the root of the menus. I always put a "/&qu...

msatter

It is indeed a bit confusing. Original there was one address-list named blacklist and the desciption/comment separated the different imported address-list.

Please post the scipt you use then can have a look at it.

msatter

Can you post what Sindy ask you to post? Looking at the picture I don't see a ptoblem but often a picture does not show all. An export will. Update: I am now behind a Winbox and to me only the line in IPsec-Policy works and disabling it and enabling a MSS change line in Mangle does not work for me.....

msatter

Hi
i tryed the different scripts but get on all lists "Address list <name of the list> update failed"
CCR1009 v6.46.7
What could be wrong?
-faxxe

Do you have by any chance spaces or special characters in the names of the lists?

msatter

Have you done the click/tap post preview test on this site?

@Sindy *ffffff is the .id of the default. I do not know if that is needed anymore. This because of auto sort that implemented not that long ago.

But then auto sort could be taking care of that now and that would make it much much simpler.

msatter

An other further development. Made it so that only the names and strings are hard-coded and all depending on those are dynamic. The default string should be named "default" and that is the only variable/key that is hard-coded. It was a lot of work for someone who inexperienced in programmi...

msatter

OMG, it works now! Thank you so much! I actualy saw earlier your linked topis and by advice there, I tryed to press "Preview" my written post, and it opens in very short time, so I had no doubt in MTU. Obviously, I did not done this throughly. Thanks again, but beware; More questions are ...

msatter

See: viewtopic.php?f=2&t=161967#p824619

Your line should work but maybe 1382 is still to big for your connection. Try again with 1200 and the work your eay up.

Or try the better sollution. for IKEv2.

msatter

/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=168.192.88.0/24 src-address=0.0.0.0/0 place-before=1

Replace 168.192.88.0/24 by your own local network.

viewtopic.php?f=2&t=154449&p=763404#p763404

msatter

You could go for a LC connector on both sides of the cable. If you use the panel then use what already have and that SC connectors and if the SFP comes with a LC connector then use the cable LC-APC as the two posters above also suggested. SC/APC = Green and SC/PC = Blue and this picture shows the di...

msatter

An other step and the strings are stored in a array so that selection is easier and is now also a function that can be called with extra parameters: $genpassword {length} {string} {string} {string} -- length is size of the password, string can be normal, mixed, letters, mixletters, numbers, mixnumbe...

msatter

Your're welcome and many thanks Jotne for the clean up. All those ; in just to be sure that it would not complain about those missing in other settings. The / was there to go to the root of the menu. It could be adapted to meet minimal password requerements by having several compose of strings and n...

msatter

I assume by "streched" that have two cable that are connected in the middle by a adaptor? That is normally called "extended". 200 meter military grade, can be even put in the ground, cost about 160 Euro and armoured around 110 Euro. If you all indoor and protected a fibre cost ar...

msatter

You need two different SFP. Example one R1310nm T1490nm and the second one R1490nm T1310nm and one fiber. You can use a standard fibre and you can also get Armoured fibre cables that are robuster. Or even military grade ones. Length can be adjusted to the length you need + extra by clicking the cust...

msatter

Simple password generator based on Mikrotik OTP. # generate password: { :set $pwdLength 10; # From this string the password is formed. :set $pwdComposedOff "!&()*+/0123456789:;<=>@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]abcdefghijklmnopqrstuvwxyz{}"; :set $pwdLoops ((255 + [:len $pwdComposedOff]) ...

msatter

That did not work for me and the generated passwords stay in the list despite it has counted down to zero. OTP.jpg It is not that easy to remove those passwords and the problem is that sometimes the generated password is not yet displayed in the list. Then I get the error that the item does not exis...

msatter

And removes the full password directly after generating it.

{
:local hash ([/certificate scep-server otp generate minutes-valid=0 as-value]->"password");
/certificate scep-server otp remove [:find $hash];
:local pwd [:pick $hash 0 8];
:put $pwd;
}

msatter

Hello Could you please share the updated script for ddos and TCP syn flood protection for mikrotik This script is made for a special kind of DDOS and is optimized as much as I am possible to do. In many cases psd is your friend when TCP is used to avoid loading connection up. UDP or other protocols...

msatter

This is a part of bigger script and I share this as a building block to provide help on parameters in a simple way, for a function. It can display the whole help text if you only enter $myFunc -help and if only a specific help on a parameter is needed then $myFunc 1parameter -help. Providing help on...

msatter

@DarkNate try Nth 3-1 2-1 - which is the same as 3-1 3-2 3-3 and I think, less processor intensive. Nth 3,1 - 2,1 is likely not the same as Nth 3,1 - 3,2 - 3,3 and if I remember correctly from some MikroTik presentation files, it has to be in that order for either PCC/Nth where 2 means two WAN, 3 m...

msatter

Then, you don't know up-front how much traffic will go over a marked connection. I could look in NAT which connection, had not much traffic yet and then prefer that link. In real time, that is only possible if Mikrotik implement a distribution by clean switching of the source port. Maybe that is alr...

msatter

Mikrotik is switching from the Wiki to the Help pages and I can't read it good brcause the rext area is very narrow. Examples and tables have to be scrolled horizontal all the time. I have to tap the two vertical bars in the left column and directly after that the book icon that is then displayed. O...

msatter

Even stronger. Most user don't know that their IKEv2 is leaking during the connection is coming up. I use marking all IKEv2 traffic with a routing mark which in NAT is redirected to nothing. This in NAT is not static nor are the connection marking in Mangle. It is a complex script handeling that for...

msatter

When we mark-connection using Nth, it marks the connection based on the Nth classier which is more random (more deeper) as it's per packet (of that particular unmarked connection), hence increasing the chances that the connection to passthrough to the next mangle rule. A connection is a connection ...

msatter

Dude, in the real world connection tracking ( or connection NTH ) is the best way for browsing the internet. NTH is predictable and a listener knows which connection is used next to sent the packet. I am using this for my web browser and a new connection, even to same site, uses a 'unpredictable' pa...

msatter

="disk1/$backupfile"

msatter

You can activate safe mode before starting the script and at the end of the script you deactivate the safe mode and so making the changes permanent. In environment you can see if that script is still running. You can check if the with a schedule if the script/special user is taking to long and the r...

msatter

There are two diodes D1 and D3 close to the power connector.

You can also try PPoE in if you have the cable for that.

msatter

:local AgregateMask 24 :local AgregatedList :local i :local j :local net :local ReversMask (32-$AgregateMask) :foreach i in=$list1 do={ :foreach j in=$list2 do={ :put "$i and $j" :set net (($i>>$ReversMask)<<$ReversMask) :set net ($net . "/$AgregateMask") :if ($j in $net) do={ :...

msatter

Those devices are released to be used with new bridge setup, that replaced the Master-Slave default, in RouterOS 6.xx and higher. Hardware switching (HW) is only active on the first bridge in ROS 6.xx+

msatter

A while ago I created a write-up about NTH;
viewtopic.php?f=2&t=159174&p=781975

msatter

Reading pure IP adresses is possible up to 64KB large files.

viewtopic.php?f=9&t=152632

I am on the moment busy to create backup/restore for adresslists present in the router and it will export a .RSC file that smaller than the normal export.

msatter

I see nothing wrong and the Common Name is mikrotik.com and that is also present in the SAN:

DNS Name: *.mikrotik.com
DNS Name: mikrotik.com

msatter

Sounds right.

msatter

No, or you have to make your own cables.

msatter

Ask before you buy if you will receive revision 2 of the device.

viewtopic.php?f=2&t=149062&p=820138#p817223

msatter

Friday is not a good day being the start of the Mikrotik weekend.

Sorry, couldn't resist.

msatter

Many many many thanks! I was looking for a way to write LARGE files for a long long time. This also works in the 6.4X version of ROS. You can test your code easier in the Terminal and here I save a very lean import file for an address list: :execute {:put "script - function - comment"; /ip...

msatter

:global domail do={/system script run wrme} on-error={log warning "Mail could not be send"};

$domail;

https://wiki.mikrotik.com/wiki/Manual:S ... #Functions

msatter

Showing only the interfaces where the default names contain "sfp": :foreach i in=([/interface ethernet find default-name~"sfp" ]) do={ :local iterfacename [/interface ethernet get $i default-name ] :/interface ethernet monitor $iterfacename once without-paging } And a bit shorter...

msatter

I think MK should offer mesh cages for extra cooling. Normis could do it with a 3D printer while he is sleeping!!

Clinging it? ;-)

msatter

Try a fixed value of 1280 as MTU in mangle.

msatter

No when I look at the subject of this thread. There is a workaround wich can be used till the fix by Mikrotik trickels down to the other versions.

The topic linked to is tackling a different problem of ROS not able return a icmp 3-4 to the correct client when using IKEv2.

msatter

This I am using to read up to 64KB from a file. Sadly always the first up to 64KB from a file. :local result [/tool fetch url=$url as-value output=user]; :if ($result->"downloaded" < 64) do={ :local data ($result->"data") If a file is bigger then that, then the result is not tran...

msatter

What if you use multiple array's in the foreach? Till now I read/stores up to 64KB files using one array.
When one array is full then switch to the next one.

msatter

False statement there about what passwords were "declared invalid". 1. My password had lower case and upper case characters + numbers and I also had to reset it. 2. I doubt that any forum stores passwords the way you think that are stored, it should be (almost) impossible to recover the p...

msatter

It is not possible to use ordering sequence numbers in a script! These are only valid in terminal sessions, and only after a print command. When you do a print on the terminal, it shows you the lines with the numbers and at the same time builds a table of numbers and the corresponding line. Then yo...

msatter

The "print without-paging" (runs in script) and comment tagging I have used in the past, however I am doing it differently by using "find dynamic" rule as list generator and it works as dream. I think it will also work when no dynamic rules are present and then it would be 0+2=2 ...

msatter

If you use the search function you will find several topics about this. You can even scroll throught the script after it displays where the syntax is incorrect and correct it. Past in tertminal after pressing F5 (clearing window). Put your code between { and } and it will be not executed so you can ...

msatter

When I look at your result, the order is the same as you pushed it in, so try it in reverse order and see what the result is then.

msatter

The build-time refects the build-time of the software and not the hardware.

msatter

If there is no specific mention of the revision then you can assume that you have the first revision. Look also at the factory firmware number can be an indication but then you have to know the version that was shipped with the second revision.

msatter

Please stop implementing/releasing things at the end of the week or in the weekend because we have to wait then till the next week starts before Mikrotik can start fixing things!

msatter

Shouldn't we be seeing the changelog from 6.45.9 to 6.46.7 not from 6.46.6 ? Going up a major version in a long-term release should be looked over a bit more carefully before we take the plunge. Yes, that would be logical. Mikrotik fought the Logic and Mikrotik won. Flawless victory. Lost buyers of...

msatter

And it sticks out so you can grab it, to take it out again.

msatter

Communication could use improvements on the side of Mikrotik. It is not lying but just not telling. - the fixed version was ready last week but that was not communicated with the CVE publishers. - in this thread Mikrotik should have written, "it was fixed last week and fix was released today&qu...

msatter

You can optimize it a bit if you leave out the check and logging and then I can compress the write to one line: :foreach i in=[/ip dns cache find name~"(facebook|youtube)" ] do={ :do {/ip firewall address-list add address=[/ip dns cache get $i data] list=restricted comment=[/ip dns cache g...

msatter

That was in 2012 and now 'they' use HTTPS instead of HTTP.

msatter

Files up to 64KB can read into an array.

viewtopic.php?f=9&t=152632&p=759468&hilit=cidr#p759468

msatter

Poultry hope to find
Llama found
glasses needed

msatter

I have looked at your other thread. You stated that you created a interface vpn with address 10.121.241.126. You need to use NAT then to set she source address because otherwise the packet can't find the way back to your VPN starting point. By directly routing you also set a route back. This not my ...

msatter

That was easy. :-)

msatter

ehmmmm I did not see that earlier. You are a gmail user (port 587, normal 25) so you should use inbound The only secure documented method of sending mail via Googles SMTP servers for non-GSuite users is via smtp.gmail.con:587 with TLS I can't get anything on port 587 for gmail.com https://network-t...

Search found 2050 matches