MikroTik

msatter

Hello Could you please share the updated script for ddos and TCP syn flood protection for mikrotik This script is made for a special kind of DDOS and is optimized as much as I am possible to do. In many cases psd is your friend when TCP is used to avoid loading connection up. UDP or other protocols...

msatter

This is a part of bigger script and I share this as a building block to provide help on parameters in a simple way, for a function. It can display the whole help text if you only enter $myFunc -help and if only a specific help on a parameter is needed then $myFunc 1parameter -help. Providing help on...

msatter

@DarkNate try Nth 3-1 2-1 - which is the same as 3-1 3-2 3-3 and I think, less processor intensive. Nth 3,1 - 2,1 is likely not the same as Nth 3,1 - 3,2 - 3,3 and if I remember correctly from some MikroTik presentation files, it has to be in that order for either PCC/Nth where 2 means two WAN, 3 m...

msatter

Then, you don't know up-front how much traffic will go over a marked connection. I could look in NAT which connection, had not much traffic yet and then prefer that link. In real time, that is only possible if Mikrotik implement a distribution by clean switching of the source port. Maybe that is alr...

msatter

Mikrotik is switching from the Wiki to the Help pages and I can't read it good brcause the rext area is very narrow. Examples and tables have to be scrolled horizontal all the time. I have to tap the two vertical bars in the left column and directly after that the book icon that is then displayed. O...

msatter

Even stronger. Most user don't know that their IKEv2 is leaking during the connection is coming up. I use marking all IKEv2 traffic with a routing mark which in NAT is redirected to nothing. This in NAT is not static nor are the connection marking in Mangle. It is a complex script handeling that for...

msatter

When we mark-connection using Nth, it marks the connection based on the Nth classier which is more random (more deeper) as it's per packet (of that particular unmarked connection), hence increasing the chances that the connection to passthrough to the next mangle rule. A connection is a connection ...

msatter

Dude, in the real world connection tracking ( or connection NTH ) is the best way for browsing the internet. NTH is predictable and a listener knows which connection is used next to sent the packet. I am using this for my web browser and a new connection, even to same site, uses a 'unpredictable' pa...

msatter

="disk1/$backupfile"

msatter

You can activate safe mode before starting the script and at the end of the script you deactivate the safe mode and so making the changes permanent. In environment you can see if that script is still running. You can check if the with a schedule if the script/special user is taking to long and the r...

msatter

There are two diodes D1 and D3 close to the power connector.

You can also try PPoE in if you have the cable for that.

msatter

:local AgregateMask 24 :local AgregatedList :local i :local j :local net :local ReversMask (32-$AgregateMask) :foreach i in=$list1 do={ :foreach j in=$list2 do={ :put "$i and $j" :set net (($i>>$ReversMask)<<$ReversMask) :set net ($net . "/$AgregateMask") :if ($j in $net) do={ :put "$j in $net" :if...

msatter

Those devices are released to be used with new bridge setup, that replaced the Master-Slave default, in RouterOS 6.xx and higher. Hardware switching (HW) is only active on the first bridge in ROS 6.xx+

msatter

A while ago I created a write-up about NTH;
viewtopic.php?f=2&t=159174&p=781975

msatter

Reading pure IP adresses is possible up to 64KB large files.

viewtopic.php?f=9&t=152632

I am on the moment busy to create backup/restore for adresslists present in the router and it will export a .RSC file that smaller than the normal export.

msatter

I see nothing wrong and the Common Name is mikrotik.com and that is also present in the SAN:

DNS Name: *.mikrotik.com
DNS Name: mikrotik.com

msatter

Sounds right.

msatter

No, or you have to make your own cables.

msatter

Ask before you buy if you will receive revision 2 of the device.

viewtopic.php?f=2&t=149062&p=820138#p817223

msatter

Friday is not a good day being the start of the Mikrotik weekend.

Sorry, couldn't resist.

msatter

Many many many thanks! I was looking for a way to write LARGE files for a long long time. This also works in the 6.4X version of ROS. You can test your code easier in the Terminal and here I save a very lean import file for an address list: :execute {:put "script - function - comment"; /ip firewall ...

msatter

:global domail do={/system script run wrme} on-error={log warning "Mail could not be send"};

$domail;

https://wiki.mikrotik.com/wiki/Manual:S ... #Functions

msatter

Showing only the interfaces where the default names contain "sfp": :foreach i in=([/interface ethernet find default-name~"sfp" ]) do={ :local iterfacename [/interface ethernet get $i default-name ] :/interface ethernet monitor $iterfacename once without-paging } And a bit shorter by skipping the usa...

msatter

I think MK should offer mesh cages for extra cooling. Normis could do it with a 3D printer while he is sleeping!!

Clinging it? ;-)

msatter

Try a fixed value of 1280 as MTU in mangle.

msatter

No when I look at the subject of this thread. There is a workaround wich can be used till the fix by Mikrotik trickels down to the other versions.

The topic linked to is tackling a different problem of ROS not able return a icmp 3-4 to the correct client when using IKEv2.

msatter

This I am using to read up to 64KB from a file. Sadly always the first up to 64KB from a file. :local result [/tool fetch url=$url as-value output=user]; :if ($result->"downloaded" < 64) do={ :local data ($result->"data") If a file is bigger then that, then the result is not transferred to the array...

msatter

What if you use multiple array's in the foreach? Till now I read/stores up to 64KB files using one array.
When one array is full then switch to the next one.

msatter

False statement there about what passwords were "declared invalid". 1. My password had lower case and upper case characters + numbers and I also had to reset it. 2. I doubt that any forum stores passwords the way you think that are stored, it should be (almost) impossible to recover the plaintext p...

msatter

It is not possible to use ordering sequence numbers in a script! These are only valid in terminal sessions, and only after a print command. When you do a print on the terminal, it shows you the lines with the numbers and at the same time builds a table of numbers and the corresponding line. Then yo...

msatter

The "print without-paging" (runs in script) and comment tagging I have used in the past, however I am doing it differently by using "find dynamic" rule as list generator and it works as dream. I think it will also work when no dynamic rules are present and then it would be 0+2=2 add place-before=("$...

msatter

If you use the search function you will find several topics about this. You can even scroll throught the script after it displays where the syntax is incorrect and correct it. Past in tertminal after pressing F5 (clearing window). Put your code between { and } and it will be not executed so you can ...

msatter

When I look at your result, the order is the same as you pushed it in, so try it in reverse order and see what the result is then.

msatter

The build-time refects the build-time of the software and not the hardware.

msatter

If there is no specific mention of the revision then you can assume that you have the first revision. Look also at the factory firmware number can be an indication but then you have to know the version that was shipped with the second revision.

msatter

Please stop implementing/releasing things at the end of the week or in the weekend because we have to wait then till the next week starts before Mikrotik can start fixing things!

msatter

Shouldn't we be seeing the changelog from 6.45.9 to 6.46.7 not from 6.46.6 ? Going up a major version in a long-term release should be looked over a bit more carefully before we take the plunge. Yes, that would be logical. Mikrotik fought the Logic and Mikrotik won. Flawless victory. Lost buyers of...

msatter

And it sticks out so you can grab it, to take it out again.

msatter

Communication could use improvements on the side of Mikrotik. It is not lying but just not telling. - the fixed version was ready last week but that was not communicated with the CVE publishers. - in this thread Mikrotik should have written, "it was fixed last week and fix was released today". It is...

msatter

You can optimize it a bit if you leave out the check and logging and then I can compress the write to one line: :foreach i in=[/ip dns cache find name~"(facebook|youtube)" ] do={ :do {/ip firewall address-list add address=[/ip dns cache get $i data] list=restricted comment=[/ip dns cache get $i name...

msatter

That was in 2012 and now 'they' use HTTPS instead of HTTP.

msatter

Files up to 64KB can read into an array.

viewtopic.php?f=9&t=152632&p=759468&hilit=cidr#p759468

msatter

Poultry hope to find
Llama found
glasses needed

msatter

I have looked at your other thread. You stated that you created a interface vpn with address 10.121.241.126. You need to use NAT then to set she source address because otherwise the packet can't find the way back to your VPN starting point. By directly routing you also set a route back. This not my ...

msatter

That was easy. :-)

msatter

ehmmmm I did not see that earlier. You are a gmail user (port 587, normal 25) so you should use inbound The only secure documented method of sending mail via Googles SMTP servers for non-GSuite users is via smtp.gmail.con:587 with TLS I can't get anything on port 587 for gmail.com https://network-t...

msatter

Else go the SMTP/25 way.
Plain text / no encryption?

I think that it is only the checking on Mikrotiks side that is disabled. Used it before on IKEv2 connections of which I had no certificates installed.

msatter

ehmmmm I did not see that earlier. You are a gmail user (port 587, normal 25) so you should use inbound....if I am correct.

Use this server: aspmx.l.google.com and if not works try it with TLS off.

Else go the SMTP/25 way.

msatter

CRL seems only be possible for certificates you generate on your Router.

This what I remembered reading your posting: viewtopic.php?f=21&t=163482&p=805719&hilit=crl#p805719

msatter

I have tested it and I can use ping from the tools menu and I put in the routing mark and source addres and I can block traffic by blackholing it. Setting: distance=1 dst-address=0.0.0.0/0 routing-mark=test gateway=pppoe-out Export: /ip route add distance=1 routing-mark=test gateway=pppoe-out type=b...

msatter

I think that you also need this file:

http://crl.globalsign.net/root-r2.crl

Source:
https://www.tbs-certificates.co.uk/FAQ/ ... CA_R2.html

Hope it works?

msatter

I have gone to my computer and looked up the used certificate, both are using the same root cert depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign . The root cert is on the first line. I am not a expert on this and Mikrotik checking a cert is a also a PITA. openssl s_client -conn...

msatter

Delivering a e-mail to them is a PITA and the best chance is using the relay.

In the middle of the linked page is a PEM file and have a look at that.

I can't test anything being on my tablet.

msatter

The number of IP addresses are limited but the names are "endless".

https://discourse.pi-hole.net/t/how-do- ... be/253/145

msatter

Have you tried: smtp-relay.gmail.com

msatter

There are no certificates present by default in Mikrotik routers so you have to install them to use TLS.

https://support.google.com/a/answer/6180220?hl=en

msatter

The forum was moved and the day after that the 'forum' cache was cleared by Mikrotik and so all older passwords not containing a capital and number were declared invalid. https://forum.mikrotik.com/viewtopic.php?f=21&t=166059 You have to reset your now invalid password and create a new one with the ...

msatter

Darn I had to change my password because it needs now a capital and a number in it after the cleaning of the PHP/forum cache, I assume. Before that I could login. If you have a problem during login you can contact the board administrator....yeah works great. The board administrator contact page has ...

msatter

Ehmmm I recovered my card by formatting it in a photo camera. Then could use it again.

Found my posting about that: viewtopic.php?f=2&t=149609&p=736646&hilit=card#p736646

msatter

Assertive?

msatter

So, are we having a Mikrotik weekend?

msatter

I was talking source address-list. ;-)

Input would "lock" you out of the router. Forward would lock you out from the world outside the router.

BTW your avatar is donkey and not a llama who have no upper theeth. Llama was expected.

msatter

If you are on source addresses then don't forget to include yoursef or you will have to use MAC communication to the router to control it.

msatter

So, on 9-11 we are going to update the forum. Great timing.

I remember it as yesterday that we sat in front a small TV in the firm with the staff looking, with disbelieve what was happening in New York.

msatter

It will bit earlier when you are on CET at 11:00 or GMT 10:00 (both still on summertime)

Advantage it will also be ready on a earlier time. ;-)

msatter

LOUD! It hurts my ears.

msatter

I see it again on on my other router.

Half hidden bottom line when the counter in the bottom bar is a even number, when the counter is a uneven number window will scroll up making all lines visible again.

msatter

Only when the first one does not answers several times (about 15 times) then the second DNS is used till that one does not answers.

Each client uses it's own counter. If your Mikrotik is the sole DNS for the clients then you have one counter.

msatter

The titile stated that the connection are killed because of the short TTL of the DNS resolve. You have problem that your VPN connection is slowing down and that is a different problem.

msatter

i have same problem with surfshark ikev2 , every few second killing ikev.. the getting new 1

hope mikrotik fix it.

Did you read the thread?

msatter

{ :local fileName :foreach fileCounter in=[/file find name~"routeros-mipsbe"] do={ :set $fileName [/file get $fileCounter name] :do { /tool fetch mode=ftp upload=no address=x.x.x.x port=x user="x" password="x" src-path="/$fileName" dst-path="/$fileName" keep-result=yes :log info "Copied file: $file...

msatter

My adaptation needs a extra "}" in the last line.

You have to check what value is in $fileName:

:set $fileName [/file get $fileCounter name]; :put $fileName;

So you can check if yuo have to also a "/" in front of the src-path

src-path="/$fileName"

msatter

{ :local fileName; :foreach fileCounter in=[/file find where name~"routeros-mipsbe"] do={ :set $fileName [/file get $fileCounter name]; /tool fetch mode=ftp upload=no address=x.x.x.x port=x user="x" password="x" src-path=$fileName dst-path=$fileName keep-result=yes } I can't test it and it is way o...

msatter

I only brought forward a logical error.

The next error you make is using foreach and it's counter is changed in the loop to an other value.

Thirdly, you can't use variable names that are already used by RouterOS.

You should check you code better and make you variable names unique.

msatter

Hello, Could you please provide me your script, as Im working on my own with no success, below my script: :local filename; :foreach filename in=[/file find where name~"routeros-mipsbe"] do={ :set $filename [/file get $file name]; /tool fetch mode=ftp upload=no address=x.x.x.x port=x user="x" passwo...

msatter

Another issue that I see now I use 3.27 for a while (but I think it has been introduced in 3.22 or later): When the log window is displayed, and the number of lines in the window is not a whole number, new log lines at the bottom are not readable. They become readable when the window is scrolled do...

msatter

Fixing MSS for forward packages /ip firewall mangle add action=change-mss chain=forward new-mss=1360 protocol=tcp tcp-flags=syn tcp-mss=1453-65535 There is a better way than this just limiting to a MTU of 1360 There is a problem of RouterOS not sending the ICMP 3-4 to the client using a IKEv2 conne...

msatter

Of course, tried it with two different Mikoritik product and different fw version, everywhere do the same. In other branded network device (like TPlink, Dahua) works well but no more in Mikrotik. Three pieces of SFPs was in the device while firware upgrade was running, all of these do the same. Did...

msatter

Did you tried that SFP in a other device? It could be read error.

Or did you downgraded to the previous version to see if the SFP worked again?

msatter

viewtopic.php?f=9&t=135112&p=798010&hil ... e#p798010

:terminal style ......

msatter

If Mikrotik had made a short manual then that could have avoided some irritations. I would love to see that Mikrotik would update their opening post with information that came forward in posting in that thread. And not have the users find out on their selves where that additional information can be ...

msatter

All the traffic, that is not local (switched), on eth1-eth5 share a 1Gb/s line. The SFP has its on dedicated 1Gb/s line. I think bonding won't help you and as I wrote, local traffic is switched and does not need to go through the CPU unless is routed or exits through the SFP and vise versa. Exit poi...

msatter

I assume it is working now?

msatter

I faced the same problem. When I downgraded to 3.34 everything works fine... When I update to Winbox v3.25, on the Hotspot>Active tab, everything is ok, the connection is ok. But in the event when turn to Hotspot>Host tab, everything is gone wrong, everybody in the hotspot has been disconnected, th...

msatter

I run close to 500 down and 600+ on the up on my 4011. So the 4011 is not the problem. There could be a bottleneck from you ISP to the VPN server you use from NordVPN. MTU can be a problem and you can test that by pressing the preview button when you are creating a posting here. Slow or no preview t...

msatter

Hmmmm Winbox traffic makes more sence to me than Winbox network traffic . The Wiki label indeed shows that the green box is only shows traffic between the addressed router/device and Winbox. However it can be mistaken as CPU , not in any way accurate, because that also increases to generate the traf...

msatter

It's still not about CPU: https://forum.mikrotik.com/viewtopic.php?f=2&t=27814&p=134483#p134483 That was more than a decade ago and that it is a long time. I can reproduce every time at any time so Mikrotik must be playing a cruel trick on me. The with multiple core processors a little total load o...

msatter

Do anyone experience opening the address-list in Winbox causes the cpu to get loaded? I mean the green graph keeps spiking per second and the cpu stucks at 1%-2% without throughput load. Even turning off all entries in address-list it still happens also turning off all my firewall and mangle rules....

msatter

An example and it contains the assumption that the IP address is labeled address but it data in real: :foreach i in=[/ip dns cache all find where name~"tiktok" && static=no] do={ :local tmpIP [/ip dns cache get $i data] if ([:len [/ip firewall address-list find where address=$tmpIP list=tiktok-hosts...

msatter

A it's the other - and + keys that we normally use. Never thought of that being different but clearly it is here.

It now works even on a keyboard with a numeric keypad using the other keys. While holding the CTRL key you tend to use the outer - and + keys on the keyboard.

msatter

Testing testing testing if the weekend is over.

Update: it's over and it works again. :-) or :-( depending on your view.

msatter

Try this:

:foreach i in=[/ip dns cache find name~("facebook"|"youtube") type="A"]

msatter

I believe that I can speak for many wishing you a fasttrack recovery.

msatter

You misunderstood my question. It was aimed towards administrators, it was meant like who of the admins does care... I wrote in a other thread that it was a typical "Mikrotik weekend" just like when I am ill...always in the weekend....and not from intoxication as one of your smart-asses is going to...

msatter

You could. Atleast if you get to terms with the different function op a Operating system and Firmware. OS is ROS snd version 46.7.1 Firmware is used to start the router and ROS is running on top off that. Those two can have different versions like a older BIOS in your PC and running the latest Windo...

msatter

Typical Mikrotik weekend:

viewtopic.php?f=2&t=165539&p=813775#p813775

msatter

viewtopic.php?f=2&t=165539&p=813775#p813775

msatter

Simple:

https://download.mikrotik.com/winbox/3.24/winbox64.exe
https://download.mikrotik.com/winbox/3.24/winbox.exe

etc.

msatter

Hello, setting a local dns name with the static ip of the manually found ip adress of the surfshark.vpn-server is working... but i didnt find any information how to setup the scheduled script to renew this static dns by RB start and when dropping the line f.ex.... any idea ? shogunx can you maybe c...

msatter

I have opened a support ticket with Surfshark, they are slow but the do respond. So far they have not been very helpful though, just asking me to try different DNS servers and send them screenshots of ipleak.net. funnily enough, I worked out a similar work around as msatter suggested regarding the ...

msatter

That, if I understand correctly what you mean, would have to search through all available locations in config three, and I'm not sure if they are unique enough for this to work well. If nothing else, you have same subgroups in /ip and /ipv6. Pressing TAB will show you then /ipv6 firewall nat. Only ...

msatter

Slash at the beginning works in older versions too. Question is about slashes in between, instead of original spaces. To be clear, I don't have anything against them, I'm used to spaces, but I can get used to slashes too, it's no big deal. I'm just wondering why are slashes better (I guess MikroTik...

msatter

When submitting a posting or change then I get a redirect to forum.mikrotik.com:80 and the posting/change is made but I don't get returned to the expected page anymore. When I remove ":80" in the URL then I get an page that I expected. An error occurred during a connection to forum.mikrotik.com:80. ...

msatter

/I Do Like This - so I get to the correct place without bothering what place I am right now.

msatter

What is the advantage (uses of), "* added support for DNS names in address type fields;" ? It is a very nice addition and makes it easier to use external IP addresses in rules/line without first to have resolve it manually. It is a one-time-resolve and if you have to use dynamic then a addresslist ...

msatter

It seems then that we have to wait till after this weekend before we know what Mikrotik means with that.

I noticed that the CTRL+ or CTRL- did not work with me.

msatter

What is the advantage (uses of), "* added support for DNS names in address type fields;" ? It is a very nice addition and makes it easier to use external IP addresses in rules/line without first to have resolve it manually. It is a one-time-resolve and if you have to use dynamic then a addresslist ...

msatter

Cname can only point to an other entry in the static DNS of your router. External gives that error "failure: dns name exists, but no appropriate record". I am a long time requester for having a minimal TTL in the options of the DNS but it was a long an fruitless quest. In the meantime I have a own D...

msatter

What is the advantage (uses of), "* added support for DNS names in address type fields;" ? It is a very nice addition and makes it easier to use external IP addresses in rules/line without first to have resolve it manually. It is a one-time-resolve and if you have to use dynamic then a addresslist ...

msatter

You could have used search on the first and second one:

viewtopic.php?f=2&t=158115&p=777401

msatter

Inside the on-error you can use :if-do-else so check if the description is presentin the current country-list and if not adapt your message.

msatter

Upgraded my RB3011 this morning to 7.1beta 2. I reset the router before upgrading and only configured it with a WAN connection to upgrade to Beta2. Upgrade seemed to go okay so I set about configuring it correctly. First issue was renaming an interface (ether1 renamed to WAN) would result in a rebo...

msatter

ROS: 7.1beta2

2) Unable to set peer Endpoint port in winbox. CLI works

4) IPv4 routes are deleted immediately after disabling (winbox)

Number two was already mentioned in this thread. Number four is cosmetic and on re-entering the route window they are displayed as disabled.

msatter

I just noticed the the manual by Rick Frey also states the 51820 UDP port and maybe he tried already.

Update: it appears that UDP/51820 is the default server port for Wireguard.

msatter

Thank you for letting us know. There is by the way a thread where you can more specific:

viewtopic.php?f=1&t=165248

msatter

Request: make it possible to ignore the provided dynamic DNS by the VPN providers, also for WireGuard?

msatter

I can't test it myself on the moment. I have installed the NordVPN client to see which port NordLynx (Wireguard version by NordVPN) and I got destination port UDP/51820 each time.

Could someone having a NordVPN account test if the 7.1beta2 can connect to NordVPN?

msatter

smatter...I had to look that one up ;-)

msatter

Mikrotik did not put out any kind of documentation on Wireguard except it was now in 7.1beta2.

Any documentation, even in a general topic, over Wireguard on a Miktotik is welcome.

msatter

That easy ;-) I was expecting some kind of DateAdd kind of function.. Thx! It was not that easy for me because the .id appeared not correct so I had a search and a peek at a other script: https://forum.mikrotik.com/viewtopic.php?f=9&t=151953&p=804911&hilit=%2Flog+get#p804911 My version now is compa...

msatter

:put [/log find time>([/system clock get time]-15m)];

This will show you the .id of the log-lines in the last 15 minutes but I am out on the moment to have the lines printed. Maybe someone else can do that or I will do that a later moment.

msatter

Just tried this version and had to go back to 6.4x. Bug [SUP-15464] which is partly fixed in 6.4x is still present in 7.1x (retain correct MTU PPPoE through a SFP on a 4011) restarting the SFP does not help. Changing the MTU manually on a interface crashes the router (tested it on a 4011 and 750-Gr2...

msatter

So I switched off my DPD on the client-side (I am using VPN a provider) and that worked, the Side is now staying initiator. I saw the renew of the connection and the state column in Active Peers stated something like: message 1 renew and it stayed about 15 seconds that way and then it stated establi...

msatter

My Winbox crash on start, is gone with Beta 27. This happened when I added/deleted/changed a column to any viewing box. Many thanks.

msatter

You want to switch back your local resolver is active again. I check if the domain "pi.hole" resolves and a external DNS server does know that domain. To avoid the stopping of the script I used also the :do but at the beginning. When the internal DNS does not react or throws a not found then the scr...

msatter

As earlier written by me I have the same behaviour but then after between 15 and 35 minutes.

Like you I made a log but that did not show anything sticking out. It only happens with one VPN provider. It happens on my on my 4011 and hEX-S so platform independable.

msatter

You are not alone with this: viewtopic.php?f=3&t=132258&p=811167#p727994

I did not know that the fans would ref up to 8500RPM andthat must be a lot of noise.

msatter

Have look at these: https://www.blacknoise.com/site/en/prod ... m.php#tab1

The 317 hasfour leads and that is to regulate the rotating speed. The I linked to has only three leads.

msatter

Switch Fasttrack off.

msatter

That one is totally passive cooled. You see even a sticker on top of the SFP cage that may block one of the venting holes. I used a small 12V fan that is powered by byte tapping in on the 12V poser supply for my 4011...he is on diet you see. I use plugs for putting screws into a wall and this one ar...

msatter

Pictures you can find all over the internet. duck.com or yandex.com and press on the word/button "images" and before you search on the exact product name of you 1009 like: CCR1009-7G-1C-1S+PC The SFP cages have holes in the top that let hot air out and you should not cover all with heatsinks. Also a...

msatter

Using a non 6.48 is no problem. It is a problem caused by 6.48beta12 and it does corrupt the saved sessions by Winbox. I use Winbox 3.24 64 bits.

msatter

I want to change the shown collumns in Winbox and that it survive than the current session. Not blowing up in my face each time so that I have to restore a back session and start from scratch. My orignal session was destroyed by 6.48 so I had to use one from a different router to have atleast some c...

msatter

More than a month without an update of the 6.48 beta. That is a long time.

msatter

Great news. Really good to see that you solved it on your 'own'.

msatter

Do you stll have your modem in bridge mode (modem only)?

msatter

:local downquotamb [:tonum [:pick $comment 0 3]]
:local downquota ($downquotamb * 1000)

Something like that. I can't test it on the moment but this what the manual stated.

I did not know that I had an other brother.

msatter

:tonum and () instead of [] for arithmetic stuff.

msatter

Kewl, literally, so the fan sucks air from inside the unit to the outside?
How do you power the fan?

There are two fan connectors. I assume the two little fans als suck the air out of the router but a higher sound level.

msatter

ROS 6.48Beta23 should bring fix for CRS354 switches. And it is "unpublic" release.... Do you know if there is also a Beta48 fix for the crashing Winbox (64) the next time after you alter any columns in Winbox? Before testing backup your Winbox config files because the one altered has become unusable.

msatter

what about 6.48Beta23 ??

Context?

msatter

Any MikroTik device with active cooling that has SFP+ ports can now be used without installing any optical fiber, just plug the S+RJ10 and your network can be upgraded to 10 Gbps, making it ready for the next generation of RJ45 hardware. From the product page and do you have a active coolded device...

msatter

RB1100AHx4 does not upgrade.

RB1100AHx4b7.1.PNG

See: viewtopic.php?f=1&t=163957#p808620

msatter

Did you find the temperature of the SFP combined with the RB760igs too high when using it? It felt very hot, unable to touch it

viewtopic.php?f=3&t=132258&p=670687&hil ... nk#p671105

msatter

This rather specific and you better open a separate topic about that. You have tell which way of communication you want to use and which specific information you want to know. With what wrote you can make any selection and if some similar lines have to be treathed differently only marking them in co...

msatter

You removed your previous posting and this will do what you asked for. Replace the lists on lines with only one of them active and and the last code line set all the lines that have no address-list already present. { /ip firewall nat set [find action=masquerade chain=srcnat src-address-list!="" dst-...

msatter

How do you recognize those different NAT lines? You can put several "set" lines in a sequence however that will make things much more tricky. I have added a extra set to my earlier post which only changes lines where there are no src-address-list active on the moment. Tip: you can set a identifier t...

msatter

{ /ip firewall nat set [find action=masquerade chain=srcnat] src-address-list="AllowedSrc" dst-address-list="AllowedDst" } My guess and have RouterOS do the work. If dst/src address already exists then those are overwritten by the new values. If you only want to apply to lines that have no src-addr...

msatter

Work in progress:
https://help.mikrotik.com/docs/
Still updated but going to be replaced by link above:
https://wiki.mikrotik.com

msatter

From the datasheet; 1Mbit SRAM for packet buffer.

msatter

This is the script: { :while ([:len $output]!=0) do={ :if ([:pick $output 0 [:find $output "\n"]]~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") do={ :do {:put ([:pick $output 0 [:find $output "\n"]].$cidr)} on-error={} } :set $output [:pick $output ([:find $output "\n"]+1) [:len $output]] } ...

msatter

Use mangle to mark routing and then you can route that marked traffic.

msatter

:toip is a better try because you have IP addresses.

This might work to find the IP address and you have to adapt it yourself.

([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}")

msatter

To avoid the weekly to be the same also add the weeknumber to one of the values.

Or change the runtime of the script by adding the weeknumber to the seconds of the interval time at the end of the script.

:local $weeknumber=(calculate weeknumber[1-52]);
set scriptname interval=(7d - $weeknumber)

msatter

Adapt this: https://forum.mikrotik.com/viewtopic.php?f=2&t=161384&p=797016&hilit=value#p797016 And have a look at the wiki linked to. update, adapted it for you: :put ([:pick [/ip firewall address-list print as-value where list=Facebook address=31.13.67.20] 0]->"timeout") :pick start his search for ...

msatter

That suggesting was made to detect an error easier by having only one point of failure. Then you posted your config where looked for connection-marking in Mangle and found none.

The Wiki page linked to by Kams19 explains it in detail.

msatter

If using connection-mark then you still have to mark traffic in Mangle.

msatter

I have the same behavior of changing from initator to responder but then with a VPN provider. Itis only happening with Pure-VPN and not with other providers. It is happening between 15 and 35 minutes after connect. The only thing that is different is that the Source Address is public instead of priv...

msatter

( ) use these two to be able to add.

So, like this:
Code: Select all
:local currenttime ([/system clock get time]+110s)
thanks a lot.
it just works )

It has all to do with the ( )

msatter

( ) use these two to be able to add.

So, like this:

:local currenttime ([/system clock get time]+110s)

msatter

What was the question again?

msatter

You could create a global variable linked to the $user with the creation date.

A two field array would do.

msatter

It is good that you lowered your voice at the end.

msatter

No jumpers but buttons.

https://help.mikrotik.com/docs/pages/vi ... andjumpers

msatter

Is it wrong that I'm highly amused by this?

That depends on your perspective.

msatter

Any thoughts on this question?

viewtopic.php?f=3&t=151046#p806892

msatter

I was looking at that just yesterday. During PPPoE connecting the mrru is send to RouterOS and in my case that is 1596. Then RouteOS send a few times a packet of 1480 to the next hop (ISP). Router OS leaves it there and use the 1480 mtu. Only after I disable and enable the fiber connection the 1500 ...

msatter

To be fair, he did include "please" this time.

No shit!

@Sob....spank me.

msatter

Maybe it eats pieces of shit. Trolls may like that to eat.

ps. only real, shit should be fed.

msatter

I made a adapted version to read an address list that was exported and contains disabled entries. As you can see you only need to leave the "yes" and remove the labels put in in an export. The file size goes from exported plus 1MB to under 500KB. Update: adapting to if a comment is provided (Now tes...

msatter

msatter I also lost direct Winbox access to my 4011RM which is behind the the hEX-S and now only able to connect through Romon. The configuration did not change and Winbox just flashes by on my screen. For the safety I revered to 6.47 on my hEX-S. Update. The TikAPP can access the 4011 directly wit...

msatter

My bad, I though the HEX could make use of its lower speeds, If not then use this one which does up to 1.25 https://mikrotik.com/product/S-RJ01 The hEX-S has special design that cut one of the two lanes to the CPU as soon as you insert a SFP module. The 5 ports get one lane and the SFP the other la...

msatter

Another very outside possibility is this device....... Its an RJ45 cage that can accept up to 10gig over Cat 7 for short distances. Thus you could potentially get your internet connection at speed - assumes you have an SFP+ port on your router, and that the ont/modem has ethernet jacks capable of s...

msatter

GPON is a minefield and even Mikrotik quit on this.

Contact CarlitoxxPro if he can be help you. This is for Spain but made to work in Mikrotik and configured.

viewtopic.php?f=3&t=116364&p=805558#p805558

msatter

This is the script (.rsc) I use: :global listname "RougeDNSname" :local i do={:global listname; :do {/ip firewall address-list add list=$listname timeout=35w3d13h13m56s address=$1} on-error={:log warning "$listname addresslist, domain already exists: $1"} } :do {/ip firewall address-list remove [fin...

msatter

Thanks Sindy, saddly it is not that simple with scripts. I can't add static entries using a script, least as far I know. These entries have max. timeout and Mikrotik disabled a time ago that then the became static. The dynamic allows to mix static and dynamic in one list. The only the non static ent...

msatter

I solved the puzzle and two entries seems to be some how sticky. When successful removing sometimes two entries remains. This will remove the domains in one go. I have to exclude the resolved IP addresses on removal: :local listname "mikrotik-test" :do {/ip firewall address-list disable [find where ...

msatter

I had an other try and first I disabled the resolved IP addresses and then remove. That worked. [user@MikroTik] /ip firewall address-list> :put [find list=mikrotik-test] *37f091f;*37f0921;*37f0922;*37f0925 These are the dynamic domain entries and the resolved IP addresses. After disabling the entrie...

msatter

When I add more than one domain to a addresslist then I can only remove one at a time and then it states no such item (4) . Using remove then it will only remove the last added item to the addresslist . [user@MikroTik] /ip firewall address-list> add list=mikrotik-test address=mt.lv [user@MikroTik] /...

msatter

VK is a kind of Facebook.

https://en.m.wikipedia.org/wiki/VK_(service)

msatter

Nobody cares about the "reduced resell value" because of the sector writes count. Who advertises de sector writes count when selling their hardware? Is that a thing? realy? Selling a cheap MikroTik, cheaper? how much "resell value" loss are we talking about? If you decided to ditch that device you ...

msatter

Good that the false reporting of sector writes is finally fixed. This did reduce the resell value of the Mikrotik device you own greatly.
Really? Nobody ever asked me for this...

You poor thing. Do you feel left out now?

msatter

Good that the false reporting of sector writes is finally fixed. This did reduce the resell value of the Mikrotik device you own greatly. Do You think it was "false reporting" ? Maybe it was "true reporting", but now (and before) something is hidden... Mikrotik states increased "sector writes" repo...

msatter

Good that the false reporting of sector writes is finally fixed. This did reduce the resell value of the Mikrotik device you own greatly.

msatter

You are welcome and I is not only my work but work of many others to distill this to the most lean solution. Mikrotik could take this and make it possible to enter the name of the list, the timeout and if you want to clean the old list first so that you can add a list to a already existing list. To ...

msatter

:do {...} on-error={}; # The local variable "i" is a function and is called by $i. $1 inside the function contains the IP-address from that line. :local i do={ :do {/ip firewall address-list add list=Probe-China timeout=35w3d13:13:56 address=$1} on-error={:log warning "IP already exists: $1"} } # Fi...

msatter

I addressed that in the first two sentences. When using DoH you loose the 'backup' server option.

msatter

DoH is a one horse only with Mikrotik. So DoH or normal DNS.

My advise is to use DoH in the webbrowser or in countries or with ISP providers that repressive. This in non-repressive countries/ISP you are only feeding the big firms with our private data.

msatter

@msatter What feature sets are you using in the versions with the flash write counter issue that are preventing you from just rolling back to a version without this issue?

I am sorry, but I won't go for that.

msatter

There seems to be testing but internal. We start 6.48 at version beta twelve. The flash write counter is a big problem despite it not be actual writes. It will decrease the resell value of your router because the write counter is extremely high due to this bug. This bug alone should have been tackle...

msatter

See:

I had that same message on my hEX-S, so I manually uploaded the firmware file.

@nkourtzis: It happened even before any reports were made so not likely that the files have been removed.

msatter

msatter Do you have custom set of packages installed and wireless package is not installed? 648beta12-pack.JPG I also lost direct Winbox access to my 4011RM which is behind the the hEX-S and now only able to connect through Romon. The configuration did not change and Winbox just flashes by on my sc...

msatter

Can you please send the supout.rif file from your device to support@mikrotik.com? And on the 4011RM and the hEX-S the same error message: 648beta12-error.JPG 13:04:38 system,error,critical error while running customized default configuration script: expected end of command (line 1310 column 53) 13:...

msatter

This is a bit quick and dirty but it shows the the servers supporting Wireguard: { :local update do={ :global dataNordVPN :local data $dataNordVPN :do { :put "Reading and displaying from the JSON file, the values for the $valname field:" :while ([:len $data]!=0) do={ :set $fieldname ($valname."\":\"...

msatter

If I may... the $update url= beginning of the last three lines is there twice (copy-paste went wrong?), but more important, there is a risk that the response will be different each time you read it. So as you read it into a variable anyway, you can just parse the data from the same response for eac...

msatter

You're welcome. It more a bit of playtime for me doing this. And at the same time improve my scripting. There can be a difference in matching the data due to time. My next step would be to loop through different requested fields. This will limits the returned values to only strings or numbers. Putti...

msatter

This version reads the file multiple times but can now be instructed to treat the wanted field, being a string or a number. { :local update do={ :do { :local result [/tool fetch url=$url as-value output=user]; :if ($result->"downloaded" != "63") do={ :local data ($result->"data") :put "Reading and d...

msatter

And then you can extract extra information as IP address and the current load on the server. Notice that the "load" is not a string and then a comma is the end of the field. { :local recordname "hostname" :local valname1 "ip" :local valname2 "load" :local data ([ / tool fetch url="https://api.nordvp...

msatter

And I have shorted it and made it more flexible. You can now state the name of the field you want to be returned and it adapt the the length of that field. It is still basic but a good start to read from JSON files. # Written by Shumkov # Adapted by blacklister # rewritten to list VPN servers # 2020...

msatter

Having thought more about it, it looks that there could be two approaches to this in reading a JSON file like this. Your could go for only one value or just convert the JSON file up to 64KB in size to a array containing the values that is direct accessible by RouterOS. The last one is think the best...

Search found 1896 matches