Search found 3021 matches

by msatter
Mon Mar 11, 2024 11:23 am
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 282
Views: 44000

Re: v7.15beta [testing] is released!

@Amm0 Read the file in chunks, put each chunk into an array. Then filter the array to obtain higher processing speed. Mikrotik can make that work in the background so that the load is not too high. You have to wait then before the complete list is read in. Now it cuts each line into two parts and dom...
by msatter
Mon Mar 11, 2024 1:02 am
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 282
Views: 44000

Re: v7.15beta [testing] is released!

@Amm0, default support for big files read from storage. RegEX is indeed all being used to recognize different types of entries and extract only what is needed. That it should be 0.0.0.0 "or NXD" is a parameter that could be separated from what is set in the file. Example of a domainPosix: ...
by msatter
Thu Mar 07, 2024 9:50 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 264
Views: 72323

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

You are not the first one: viewtopic.php?t=98804 and then the setup did not gain enough support to be continued.
by msatter
Thu Mar 07, 2024 9:44 am
Forum: Scripting
Topic: How do I protect source code from being pirated?
Replies: 29
Views: 1196

Re: How do I protect source code from being pirated?

If decode is remote then decoding needs external access. That needs the connection to be up.
by msatter
Mon Mar 04, 2024 9:53 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 282
Views: 44000

Re: v7.15beta [testing] is released!

Also new feature - IP/DNS/Adlist: https://help.mikrotik.com/docs/display/ROS/DNS#DNS-Adlist Why is it called "Adlist" when in fact it is a method to add a hosts(.txt) file? Sure that is a trick that some people use to block access to certain domain names, but that is not the primary purpo...
by msatter
Mon Mar 04, 2024 4:21 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 2891

Re: IKEv2 mtu issue

@anis You and sindy are the only ones active here so please, don't quote so much.
by msatter
Sun Mar 03, 2024 7:02 pm
Forum: General
Topic: Block All countries except ...
Replies: 8
Views: 472

Re: Block All countries except ...

If the allow list is smaller than the block list, then allow followed by a general block entry. This has nothing with what I am saying. CIDRs are changed any month and the real trustee here is only RIPE. OK, more simple then. Which list would be larger? Three countries or all countries minus three ...
by msatter
Sun Mar 03, 2024 1:16 pm
Forum: General
Topic: Block All countries except ...
Replies: 8
Views: 472

Re: Block All countries except ...

If the allow list is smaller than the block list, then allow followed by a general block entry.
by msatter
Tue Feb 06, 2024 1:04 am
Forum: General
Topic: How good is PCC with a 1:2 ratio
Replies: 16
Views: 1217

Re: How good is PCC with a 1:2 ratio

Multiple outgoing connections have different SRC-ports so that will divide the streams. For bandwidth tests it will work, real life is a different story. VPN loves multiple connections because ROS can spread the load over more cores of the CPU. So if you have 4 cores and 2 connections then you could ...
by msatter
Tue Feb 06, 2024 12:50 am
Forum: General
Topic: RAW FORWARD chain [SOLVED]
Replies: 5
Views: 437

Re: RAW FORWARD chain [SOLVED]

You can create a chain with his name. TS created a chain with the name "forward" in RAW.
by msatter
Sun Feb 04, 2024 12:33 pm
Forum: Scripting
Topic: How should the local variable be called in if? [SOLVED]
Replies: 11
Views: 767

Re: How should the local variable be called in if? [SOLVED]

{
:if ([:len [/file find name=1.txt ]] > 0) do={
:local q [/file get "1" contents]
} else={
/file print file=1
:delay 2
:local q 0
}
:log warning [$q] ;
}
by msatter
Fri Feb 02, 2024 11:18 am
Forum: General
Topic: How to block URL with / or sub page
Replies: 1
Views: 216

Re: How to block URL with / or sub page

They use dynamic URL so there is no way to filter that. Also you are here wrong asking for such option because that could 'only' be done in a browser.
by msatter
Wed Jan 31, 2024 12:32 am
Forum: General
Topic: How good is PCC with a 1:2 ratio
Replies: 16
Views: 1217

Re: How good is PCC with a 1:2 ratio

Did you use eth1 to optimise bandwidth from the CPU?
by msatter
Mon Jan 29, 2024 8:45 pm
Forum: General
Topic: How good is PCC with a 1:2 ratio
Replies: 16
Views: 1217

Re: How good is PCC with a 1:2 ratio

So you have 3 times one Gbps speed and it is divided as 1/3 and 2/3. Then you should only connection-mark one third (0/3) of the total traffic and not touch the 2/3 traffic by using PCC. You are so only marking the traffic going through the 1 Gbps connection and all unmarked traffic should then be r...
by msatter
Thu Jan 18, 2024 2:19 pm
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 35528

Re: Forum moderation volunteers

Quoting should be used in a limited way, especially when you are the first responder to that specific post. Then do not even quote and just reply directly.
by msatter
Tue Jan 09, 2024 12:33 am
Forum: Scripting
Topic: Why is this so hard???
Replies: 24
Views: 3694

Re: Why is this so hard???

You have to put extra lines between the code parts so they are displayed separate.
by msatter
Mon Dec 18, 2023 6:44 pm
Forum: RouterBOARD hardware
Topic: Default password Frustration
Replies: 28
Views: 4057

Re: Default password Frustration

Is there a hell for labelprinters?
by msatter
Sat Dec 16, 2023 2:01 am
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253342

Re: v7.13 [stable] is released!

This AM i upgraded my CCR1009 from version 7.12.1 to version 7.13 now getting the following error when running a script Download from https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv to RAM FAILED: Fetch failed with status 206 The same script was working fine under 7.12.1 and earli...
by msatter
Tue Dec 12, 2023 12:37 pm
Forum: Wireless Networking
Topic: Mikrotik is blocking few sites
Replies: 8
Views: 2240

Re: Mikrotik is blocking few sites

When using PMTU you only want to look at the returning packets and outgoing are not of interest. So I filter on the interface. Using an interface list settable in the second tab of interfaces. ;;; WireGuard PMTU in chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn prot...
by msatter
Fri Dec 01, 2023 6:53 pm
Forum: General
Topic: DNS exact match with regex [SOLVED]
Replies: 4
Views: 3333

Re: DNS exact match with regex [SOLVED]

(^|\\.)mikrotik\\.(com|local)$

Mikrotik alone is not a domain but a hostname, also seen in the hosts file
by msatter
Fri Nov 24, 2023 10:03 pm
Forum: RouterBOARD hardware
Topic: Access OLT Terminal From Mikrotik CCR??
Replies: 2
Views: 2283

Re: Access OLT Terminal From Mikrotik CCR??

I don't think that is possible as the terminal in Winbox only connects to localhost.
by msatter
Wed Nov 22, 2023 11:19 am
Forum: General
Topic: wireguard peer client-* properties [SOLVED]
Replies: 10
Views: 2141

Re: wireguard peer client-* properties [SOLVED]

You have to understand that WG is a tunnel and so everything is double.

One set for the tunnel and one for the traffic inside that tunnel.

If you read UDP in the explanation then it describes the tunnel.
by msatter
Sat Oct 14, 2023 7:15 pm
Forum: Wireless Networking
Topic: mikro tik has the worst routers ever!!
Replies: 2
Views: 1428

Re: mikro tik has the worst routers ever!!

The last line should be one of the first. Mikrotik brought this on themselves and the customer is scratching his/her head.
by msatter
Thu Oct 12, 2023 1:59 am
Forum: Beginner Basics
Topic: scrips
Replies: 1
Views: 757

Re: scrips

Please write in English. English is the required language on this forum.
by msatter
Thu Oct 05, 2023 12:53 pm
Forum: General
Topic: The predicted demise of "tls-host=" firewall filters is near!
Replies: 21
Views: 2296

Re: The predicted demise of "tls-host=" firewall filters is near!

I just check if the canary domain is inactive but it is still there and giving a NXDOMAIN as resolve. So Firefox is clearly not obeying it anymore because they have their head somewhere else all the time. dig use-application-dns.net ; <<>> DiG 9.16.12 <<>> use-application-dns.net ;; global option...
by msatter
Thu Oct 05, 2023 12:20 pm
Forum: General
Topic: The predicted demise of "tls-host=" firewall filters is near!
Replies: 21
Views: 2296

Re: The predicted demise of "tls-host=" firewall filters is near!

Or just block based on IP or IP address ranges. Just like always because for years we knew this was coming. The problem is that you cannot block services that run on large CDN or other server farms like Google's in that way. When you even can find all addresses used by Youtube, you may find that th...
by msatter
Thu Oct 05, 2023 12:13 pm
Forum: General
Topic: The predicted demise of "tls-host=" firewall filters is near!
Replies: 21
Views: 2296

Re: The predicted demise of "tls-host=" firewall filters is near!

Sorry Normis, I don't want to spy on myself and I don't want to be spied on by others. So DOH is in an internal network a curse and I wrote many times before that DOH is made for war time or for regimes that don't give a sh.. about the rights of their citizens. I seem to live also under that kind of r...
by msatter
Thu Oct 05, 2023 12:59 am
Forum: General
Topic: The predicted demise of "tls-host=" firewall filters is near!
Replies: 21
Views: 2296

Re: The predicted demise of "tls-host=" firewall filters is near!

Till the next iteration where they switch it on again. Better use a third party to be sure that I am still the boss on my own devices.
by msatter
Wed Oct 04, 2023 9:28 pm
Forum: General
Topic: The predicted demise of "tls-host=" firewall filters is near!
Replies: 21
Views: 2296

Re: The predicted demise of "tls-host=" firewall filters is near!

Or just block based on IP or IP address ranges. Just like always because for years we knew this was coming. You can also block the IP addresses of the DOH servers like I did today when Firefox always wants to inform dooh.cloudflare.com that I just started the browser. And yes, I disable DOH in Firefo...
by msatter
Wed Oct 04, 2023 9:10 pm
Forum: Scripting
Topic: ROS 7.x - Get address not working [SOLVED]
Replies: 4
Views: 2090

Re: ROS 7.x - Get address not working [SOLVED]

Works fine here: :put [ /ip address get [/ip address find interface="ether2" ] address ]

Using: MikroTik RouterOS 7.12beta1
by msatter
Sat Sep 30, 2023 10:52 pm
Forum: General
Topic: Mangle and Fasttrack [SOLVED]
Replies: 7
Views: 1258

Re: Mangle and Fasttrack

Mangle, PCC and fasttracking work fine as long as you work cleanly. Fasttracking in Firewall comes after Mangle, so Mangle has more influence. BTW you can also mark to fasttrack traffic in Mangle. Remember that once marked fasttracked some traffic will go the slow way to allow checks and changes. Second...
by msatter
Fri Sep 29, 2023 12:42 pm
Forum: Scripting
Topic: String lengths [SOLVED]
Replies: 3
Views: 1889

Re: String lengths [SOLVED]

The problem is not the variable but that fetch retrieves up 64KB and then you have to use chunking if you want more data.
by msatter
Thu Sep 28, 2023 12:46 pm
Forum: General
Topic: Export, Print, Get...everything?
Replies: 9
Views: 1038

Re: Export, Print, Get...everything?

Are those not dynamic data and generated on each connect?
by msatter
Wed Sep 20, 2023 12:41 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 122494

Re: v7.12beta [testing] is released!

@amm0 do you remember my implementation of this. I added a help/info line that was displayed underneath and the next input field was shifted down and displayed directly under that help/info.

So if you want to use pre-input as help/info then better ask for that extra line being displayed.
by msatter
Tue Sep 19, 2023 11:13 pm
Forum: Scripting
Topic: Regex search in String Issue [SOLVED]
Replies: 26
Views: 3554

Re: Regex search in String Issue [SOLVED]

My version: { :local strstart ";find;" :local data [:tostr {"id":"12345678","hostname":"find","type":"A","priority":"0","destination":"55.77.233.244","deleterecord":false,"sta...
by msatter
Tue Sep 19, 2023 8:08 pm
Forum: Scripting
Topic: Regex search in String Issue [SOLVED]
Replies: 26
Views: 3554

Re: Regex search in String Issue [SOLVED]

First you find the location of "find" in and then take that position and find again from the beginning the last "ID before that position.

Use :pick to find the location.
by msatter
Mon Sep 18, 2023 10:38 pm
Forum: Scripting
Topic: Regex search in String Issue [SOLVED]
Replies: 26
Views: 3554

Re: Regex search in String Issue [SOLVED]

Wrong approach. Look in this forum for how NordVPN data is extracted from a json record.

Update: link to topic
viewtopic.php?p=900540&hilit=nordvpn+json#p900540
by msatter
Sun Sep 17, 2023 4:43 pm
Forum: General
Topic: Mikrotik SUCKS
Replies: 82
Views: 12000

Re: Mikrotik SUCKS

It seems popular to attack the person that complains instead of taking it serious....... So you're telling us that you listen and help in the same way, with the same joy and same will a person who comes to you saying "Msatter, you SUCK" and another one saying "Msatter. I have a probl...
by msatter
Sun Sep 17, 2023 11:06 am
Forum: General
Topic: Mikrotik SUCKS
Replies: 82
Views: 12000

Re: Mikrotik SUCKS

It seems popular to attack the person that complains instead of taking it serious.......

We have here persons that work indirect for the government that act the same and attack and suppress opinions from citizens. I get the same feeling here, as with that.
by msatter
Fri Sep 15, 2023 6:36 pm
Forum: Beginner Basics
Topic: cli: customize columns for print
Replies: 2
Views: 901

Re: cli: customize columns for print

I think it retrieves the host from active hostnames in leases of the DHCP server by matching the MAC.
by msatter
Fri Sep 15, 2023 1:03 pm
Forum: RouterOS beta
Topic: Very high CPU usage on PCC Loadbalancing with 7.x
Replies: 22
Views: 11274

Re: Very high CPU usage on PCC Loadbalancing with 7.x

You are writing that you think the PCC is taking too much CPU in v7 without showing us any of your PCC lines?

It is then difficult to tell you what can be improved.
by msatter
Thu Sep 14, 2023 8:18 pm
Forum: RouterOS beta
Topic: Very high CPU usage on PCC Loadbalancing with 7.x
Replies: 22
Views: 11274

Re: Very high CPU usage on PCC Loadbalancing with 7.x

In RouterOS there is no routing cache anymore. That might have an impact in a high load setting.
by msatter
Thu Sep 14, 2023 12:17 pm
Forum: General
Topic: Packet sniffer - where it sniffs?
Replies: 6
Views: 2706

Re: Packet sniffer - where it sniffs?

If you want to be specific where and what to sniff then better use sniffer in Mangle. When pinging from local through to WireGuard then that traffic passes the sniffed Output twice. Once exiting as ping out and then as being encrypted, and not recognizable as ping anymore. /ip firewall mangle add ac...
by msatter
Wed Sep 13, 2023 9:54 pm
Forum: Beginner Basics
Topic: Goodwe inverter disconnects regularly
Replies: 2
Views: 1180

Re: Goodwe inverter disconnects regularly

I know GoodWe very well and the WiFi module is not great. Instead of restarting the inverter or pushing the button on the stick I restart the cAP Lite that I use only for the inverter. And the network cable goes to a switch (POE). I read the status of the inverter through Node Red and if no respons...
by msatter
Sun Sep 10, 2023 1:01 am
Forum: Scripting
Topic: Having the "where" filter in scripting signifantly increases the execution time and increases CPU Usage
Replies: 6
Views: 2029

Re: Having the "where" filter in scripting signifantly increases the execution time and increases CPU Usage

Nice script Amm0 and it is two to three times faster than the others. I took the liberty to make the loop even faster and only print the times in only nanoseconds. { :local getconncounts do={ :local startConns [:timestamp] :local connsnapshot [/ip firewall connection print proplist=protocol as-value]...
by msatter
Sat Sep 09, 2023 5:36 pm
Forum: Scripting
Topic: Having the "where" filter in scripting signifantly increases the execution time and increases CPU Usage
Replies: 6
Views: 2029

Re: Having the "where" filter in scripting signifantly increases the execution time and increases CPU Usage

And a special one, but here I don't see an improvement in speed but maybe with a huge table it will work faster: { :global udpCount; :global tcpCount; :global icmpCount /ip firewall connection :set $udpCount 0; :set $tcpCount 0; :set $icmpCount 0 :local start [:tonsec [:timestamp]] :foreach k,line i...
by msatter
Sat Sep 09, 2023 2:42 pm
Forum: Scripting
Topic: Having the "where" filter in scripting signifantly increases the execution time and increases CPU Usage
Replies: 6
Views: 2029

Re: Having the "where" filter in scripting signifantly increases the execution time and increases CPU Usage

total - just counted (tcp/udp/icmp) = other connection type. Saves you one complex line (fourth one) And the script: { :local icmpCount [/ip firewall connection print count-only where protocol="icmp"] :local tcpCount [/ip firewall connection print count-only where protocol="tcp"]...
by msatter
Wed Sep 06, 2023 9:27 pm
Forum: Beginner Basics
Topic: in.addr.arpa
Replies: 5
Views: 1574

Re: in.addr.arpa

Those are reverse domains (PTR) and looking at the IP address they are also local 192.168.x.x
by msatter
Tue Sep 05, 2023 8:06 pm
Forum: General
Topic: DNS exact match with regex [SOLVED]
Replies: 4
Views: 3333

Re: DNS exact match with regex [SOLVED]

regex101.com and have a try.

https://regex101.com/r/QPWjwE/1
by msatter
Thu Aug 31, 2023 10:32 pm
Forum: General
Topic: Using PCC more efficient
Replies: 4
Views: 1598

Re: Using PCC more efficient

The concept is great! But there is an error in the post (probably resulting from cut-paste) is that the second example still has PCC lines 2 to 4. so the correct rules would be (assumes that all packets start as not conn-marked): PCC 4/0 ===> connection mark gateway-25 if not marked ==> connection ...
by msatter
Wed Aug 30, 2023 10:12 pm
Forum: General
Topic: Using PCC more efficient
Replies: 4
Views: 1598

Using PCC more efficient

I see often PCC being defined for every part that should be separated. I see the following lines for example 25% for one gateway and 75% for the second gateway. Then I see these kind of PCC rules: PCC line 1: pcc 4/0 ==> connection mark gateway-25 if not already connection marked PCC line 2: pcc 4/1...
by msatter
Wed Aug 30, 2023 4:19 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 122494

Re: v7.12beta [testing] is released!

Yeah, but then it is still at the top of the checklist when working with SFP equipment in Mikrotik devices.
by msatter
Wed Aug 30, 2023 12:11 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 122494

Re: v7.12beta [testing] is released!

...nothing changed. This is the FIRST thing to try when a (x)SFP's is not coming up in a Mikrotik.

I recommended in the past, to disable auto negotiation by default.
by msatter
Wed Aug 30, 2023 1:16 am
Forum: Scripting
Topic: Log Parser - Event Trigger Script
Replies: 5
Views: 5951

Re: Log Parser - Event Trigger Script

Thanks for digging up this gem.
by msatter
Tue Aug 29, 2023 10:32 am
Forum: General
Topic: Pcc with pppoe behind brigde really slow
Replies: 8
Views: 1951

Re: Pcc with pppoe behind brigde really slow

Let me leave this here. PCC 33%/66% connection distribution add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=bridge connection-state=new dst-address-type=!local new-connection-mark=Link-300-conn passthrough=yes per-connection-classifier=src-address:3/0 add action=mark...
by msatter
Sun Aug 27, 2023 12:46 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 122494

Re: v7.12beta [testing] is released!

And then, you are on a Beta version. Things get broken all the time by developers so that is not weird at all.

Report it to support and they will try to fix that...and also try not to break something else doing that. ;-)
by msatter
Sun Aug 27, 2023 4:36 am
Forum: Scripting
Topic: "/system package get system version" does not work anymore
Replies: 5
Views: 2190

Re: "/system package get system version" does not work anymore

Use the power of the TAB.......
:local sysver [/system package get routeros version];
by msatter
Sat Aug 26, 2023 9:01 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 122494

Re: v7.12beta [testing] is released!

Mikrotik seems to have a special "Testing department" for this and they update the lists on a regular basis as you can see in the Docs history: https://help.mikrotik.com/docs/pages/viewpreviousversions.action?pageId=13500447 Sadly the SFP sections are not recently being tested or updated. ...
by msatter
Sat Aug 26, 2023 1:45 am
Forum: General
Topic: Detect internet function
Replies: 4
Views: 1237

Re: Detect internet function

Because it bypasses those, as Mikrotik programmed it. Hoping that the port opened is stateful.

Port 5678/UDP is also the Neighbours port to see other Mikrotik routers.
by msatter
Fri Aug 25, 2023 10:50 pm
Forum: Scripting
Topic: cant get cpu temperature in script [SOLVED]
Replies: 5
Views: 2902

Re: cant get cpu temperature in script [SOLVED]

Have a read over here: viewtopic.php?t=198614
by msatter
Fri Aug 25, 2023 8:08 pm
Forum: General
Topic: Destination Host Unreachable on local network unless packet sniffer is running
Replies: 10
Views: 1874

Re: Destination Host Unreachable on local network unless packet sniffer is running

IPv4 FastTrack is active if the following conditions are met: no mesh, metarouter interface configuration; sniffer, torch, and traffic generator are not running; "/tool mac-scan" is not actively used; "/tool ip-scan" is not actively used; FastPath and Route cache is enabled under...
by msatter
Thu Aug 24, 2023 11:15 pm
Forum: Scripting
Topic: Script input from console ... works!
Replies: 9
Views: 6360

Re: Script input from console ... works!

All variables are :local and as soon as the script has ended those are destroyed. To make those :global replace :local with :global. The {} allows in terminal to run it as one script. Otherwise every line is interpreted on its own and all variables are destroyed after pressing Enter.....unless you use :glo...
by msatter
Thu Aug 24, 2023 11:12 am
Forum: Beginner Basics
Topic: Documentation for CLI follow, follow-only and follow-strict
Replies: 8
Views: 2603

Re: Documentation for CLI follow, follow-only and follow-strict

Indeed, follow-strict does not add anything different from what print already does. It might be interesting to replace it with an option to limit the number of lines shown, beginning from last. follow-last=10 -> shows the last ten lines (.id) from the otherwise printed text. See here for an example for /...
by msatter
Thu Aug 24, 2023 12:36 am
Forum: Beginner Basics
Topic: Documentation for CLI follow, follow-only and follow-strict
Replies: 8
Views: 2603

Re: Documentation for CLI follow, follow-only and follow-strict

Follow should be there to refer to the other two, and strict could be interpreted as fixed, not changing.

I can't think of an other name that would be better in combination with follow.

follow-till-now follow-fixed follow-prev follow-past follow-....
by msatter
Wed Aug 23, 2023 4:13 pm
Forum: Forwarding Protocols
Topic: Mikrotik officel PCC Video
Replies: 5
Views: 2234

Re: Mikrotik officel PCC Video

It distributes connections and how much traffic is going to flow over a connection is not known in advance.

https://m.youtube.com/watch?t=200&v=nlb ... e=youtu.be
by msatter
Wed Aug 23, 2023 12:25 am
Forum: Beginner Basics
Topic: Documentation for CLI follow, follow-only and follow-strict
Replies: 8
Views: 2603

Re: Documentation for CLI follow, follow-only and follow-strict

Just by trying:
follow       -> tail -f
follow-only  -> tail --lines 0 -f
follow-strict -> tail
by msatter
Mon Aug 21, 2023 12:23 am
Forum: Scripting
Topic: Netwatch script to report downtime?
Replies: 3
Views: 2323

Re: Netwatch script to report downtime?

By the way, uptime is the time the router has been powered on. When you power-off the router, then even if you could store the global, it will be erased on reboot.
by msatter
Sun Aug 20, 2023 10:45 pm
Forum: General
Topic: DNS CACHE TRIGGER SCRIPT
Replies: 8
Views: 1726

Re: DNS CACHE TRIGGER SCRIPT

Nope.
by msatter
Sun Aug 20, 2023 9:13 pm
Forum: General
Topic: DNS CACHE TRIGGER SCRIPT
Replies: 8
Views: 1726

Re: DNS CACHE TRIGGER SCRIPT

If you want to control all DNS entries then use Static DNS and disable the way to an upstream DNS server.

Stopping DOH used by a client. You can only stop that, if you know the IP address of the DOH server(s) that is being used.
by msatter
Sat Aug 19, 2023 12:04 pm
Forum: General
Topic: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.
Replies: 35
Views: 5486

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

That all was already exchanged. Connection tracking has no power in this. Firewall it, but how when all are behind a NAT. You might then block on src-port. Best is session control and on change on user check every active connection if it still has the rights to be connected. So it does not have to be...
by msatter
Fri Aug 18, 2023 8:26 pm
Forum: Scripting
Topic: script to delete files.
Replies: 1
Views: 1893

Re: script to delete files.

Shows you your problems: { :local t [/system clock get time] :put "time: $t" :local logskeep 31536000000 :foreach f in=[/file find] do={ :local fileTime [/file get $f creation-time] :put "filetime: $fileTime" :if (($t - $fileTime) > $logskeep) do={ #/file remove $f } } } Shows ti...
by msatter
Fri Aug 18, 2023 7:53 pm
Forum: Beginner Basics
Topic: Rule to remove from address list
Replies: 9
Views: 1530

Re: Rule to remove from address list

If you're using a script that runs quickly to do port knock, then the timeout doesn't have to be so long (e.g. 30s). If you lowered that you'd reduce the window. But there is no "remove from address-list" firewall action, so you're up against that. And there is no action=script in firewall ei...
by msatter
Fri Aug 18, 2023 12:13 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 122494

Re: v7.12beta [testing] is released!

In the build it's :tonsec NOT ":tosec", but seems to work:
:put [:tonsec [:timestamp]]                           
1692285621621
Why they did not name it just :toepoch then if it is sec or nsec would be covered.
by msatter
Mon Aug 14, 2023 12:20 am
Forum: Scripting
Topic: Global environment variable is disappearing after logout
Replies: 7
Views: 4983

Re: Global environment variable is disappearing after logout

I remembered this from the Wiki / manual:
GlobalWarning.JPG
by msatter
Sun Aug 13, 2023 4:06 pm
Forum: General
Topic: SFP Temperature is 255C after Router OS upgrade [SOLVED]
Replies: 12
Views: 2723

Re: SFP Temperature is 255C after Router OS upgrade [SOLVED]

@mada3k Thanks and that is something for Mikrotik to adapt in ROS. If returned value == 255 then SFP does not have a temperature sensor. At least Mikrotik thought of being able to set the trigger value to 256 so that you can overwrite the warning. Devices with a fan still get the value 255 C and try to ...
by msatter
Sun Aug 13, 2023 11:41 am
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

I can vow that at least I have no prior knowledge of any programming models. ;-) Just adapting on my way.
by msatter
Sun Aug 13, 2023 11:29 am
Forum: General
Topic: SFP Temperature is 255C after Router OS upgrade [SOLVED]
Replies: 12
Views: 2723

Re: SFP Temperature is 255C after Router OS upgrade [SOLVED]

If you don't have fans in your device you don't hear them running on MAX speed.
by msatter
Sun Aug 13, 2023 12:29 am
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

Perhaps when you hit a use case like that it’s time to boot up a linux based NOS: highly introspectable, debuggable and with an arsenal of mature programming languages. You're asking too much, for the most part we don't need this and if we did, having event driven scripts would allow us to also do th...
by msatter
Sun Aug 13, 2023 12:23 am
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

having event driven scripts would allow us to also do this. It's for sure flexible, but raises a lot of questions. E.g. given a series of related events, what is the proper order? If your action on an event leads to it being re-triggered, then what? If you have multiple actions on an event, how to d...
by msatter
Sat Aug 12, 2023 11:42 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

For instance, I want to know if a port drops from 1000 to 100. I can poll though through a script routinely, but it would be much nicer to just have that logged change trigger a script. ie, this is something that happened to a port, and it was a speed change. make a script subscribed to 'ethernet p...
by msatter
Sat Aug 12, 2023 10:26 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

@Amm0 I am open to any suggestions and that also forced me to look deeper in the CLI and then saw an example that I did not understand before for a long time. Am I the first one that discovered the potential of this bit of code that MT just left there to be discovered? To me, MQTT is only polling an...
by msatter
Sat Aug 12, 2023 6:17 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

A lot of users wish to do something, when a rule is hit in the firewall. That is now possible because you can log it. If you can log it then you can create an event trigger for that. Create a rule and activate logging on the rule and set log-prefix to lets say "IamHit". Then you scan the lo...
by msatter
Sat Aug 12, 2023 5:37 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

You can now write any event catcher you want. You can use the path directly if available, the log or history. Maybe even more and I think MT is even using this themselves, in the background. This is still very granular and no event timestamps control available and no .id to know which setting has exactl...
by msatter
Sat Aug 12, 2023 4:21 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

The execute is there to wrap the print and code. You can't press CTRL-C when it is still following and running in a script. I moved the termination of execute to the top, so that any new start, will first terminate any existing same running event script. Now you can set in scheduler that the event s...
by msatter
Sat Aug 12, 2023 2:22 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

And watching the log and being able to script on a change: # activate reading the .id from global :global eventPathLogTopicContainer # remove previous running event scripts (:execute) :do { /system script job remove $eventPathLogTopicContainer } on-error={:log error "Script .id eventPathLogTopi...
by msatter
Sat Aug 12, 2023 2:15 pm
Forum: General
Topic: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.
Replies: 35
Views: 5486

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

So after reading and a lot of testing I can disconnect a user locally at the moment the change is made in /user. Because the change is made in /user the script is watching that and not /user/active: # activate reading the .id from global :global eventPathUser; # remove previous running event scripts (:ex...
by msatter
Sat Aug 12, 2023 12:41 am
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

I liked the implementation idea by pe1chl, it's like doing a tail -f on the log. Agree. And, "tail -f" == "print follow" ... but there is no pipe | in RouterOS... So, print supporting a "do=" go a long way, IMO... /log print follow do={ :put "$.dead $.id $.nextid...
by msatter
Thu Aug 10, 2023 9:07 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

@Amm0: I don't know how Mikrotik has implemented follow on print, and that could be a testing environment before taking the big leap before going system wide. Then you could create a script that is executed when the same has is added to the print command line featuring following an extra parameter ...
by msatter
Thu Aug 10, 2023 8:43 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

Re: [PROPOSAL] Event driven scripting

I did not want to fall back on existing routines because that will complicate things. If you want to have existing routines trigger scripts then an extra unique number has to be present that for example logging from a firewall rule. This is already beyond the current proposal I made. I want to keep is ...
by msatter
Wed Aug 09, 2023 4:50 pm
Forum: Announcements
Topic: v7.11rc is released!
Replies: 195
Views: 47937

Re: v7.11rc is released!

@pe1chl This will show all topics you started and with this it would be easy to check I don't understand what I would need to check and what you are trying to solve. This shows how important it is to always quote the (part of) the article you are replying to. My reply to you was posting #116 and yo...
by msatter
Wed Aug 09, 2023 4:30 pm
Forum: General
Topic: Closing of the Beta forum
Replies: 6
Views: 1085

Re: Closing of the Beta forum

Only in the Beta period I would post over there, however since a while I see v7 as current and v6 as legacy. When I post about v6 then I put that in the posting while, before that I put that I was using v7 in my posting. I have still some devices on v6. The closing of active topics is not nice but y...
by msatter
Wed Aug 09, 2023 12:31 pm
Forum: Announcements
Topic: v7.11rc is released!
Replies: 195
Views: 47937

Re: v7.11rc is released!

@pe1chl This will show all topics you started and with this it would be easy to check: https://forum.mikrotik.com/search.php?keywords=&terms=all&author=pe1chl&sc=1&sf=firstpost&sr=topics&sk=t&sd=d&st=0&ch=300&t=0&submit=Search Replace pe1chl by strods or n...
by msatter
Wed Aug 09, 2023 11:47 am
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 3973

[PROPOSAL] Event driven scripting

While working with scripting in ROS we have to revert to scheduler to have a script being executed in an interval or on startup. This leaves time before a script can detect a change and make its own changes in the setting or give a warning to the user. My proposal is to give each path/option a uniqu...
by msatter
Wed Aug 09, 2023 10:51 am
Forum: General
Topic: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.
Replies: 35
Views: 5486

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

I found it very disturbing that this thread was closed while I was still very active with this, even while the problem did not affect me directly. Mikrotik could activate short time, the options to logout removed users/disabled users automatically. First in local and other services. Another thing is s...
by msatter
Wed Aug 09, 2023 10:35 am
Forum: Announcements
Topic: v7.11rc is released!
Replies: 195
Views: 47937

Re: v7.11rc is released!

There is something like I think I found a bug and like to know if any others have the same experience on that. Sometimes I was just "holding it wrong" and got info to solve my "bug". The forum is a good filter for bugs, before escalating to actual reporting it as a confirmed bug t...
by msatter
Tue Aug 08, 2023 11:48 am
Forum: Scripting
Topic: Useful scripts
Replies: 116
Views: 294685

Re: Useful scripts

Some script lines to logout non-existing/deactivated users and sessions that are left open for a long time. This now applies to only local sessions (terminal). Disconnect users that are removed as user: :foreach item in=[/user/active find] do={:if ([/user find name=[/user/active get $item]->"...
by msatter
Tue Aug 08, 2023 2:20 am
Forum: General
Topic: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.
Replies: 35
Views: 5486

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

@Amm0, thanks for finding that and it indeed closes the terminal (CLI) in the Winbox of the user that does not exist anymore. Disabled user is another possible option. This is can select the correct user to be booted from the terminal. Winbox seems to cache stuff and with that it can reconnect. :for...
by msatter
Mon Aug 07, 2023 1:57 pm
Forum: General
Topic: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.
Replies: 35
Views: 5486

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

I wrote a small script that detects logged in users that do not exist in /users: ::foreach item in=[/user/active find] do={:if ([/user find name=[/user/active get $item]->"name"]) do={} else={:put "Warning: found a removed user(s) being still be logged in: $[:tostr [/user/active get $i...
by msatter
Sat Aug 05, 2023 11:16 am
Forum: General
Topic: Implementing address list-based routing with RouterOS v7 [SOLVED]
Replies: 17
Views: 2989

Re: Implementing address list-based routing with RouterOS v7 [SOLVED]

You should give pe1chl the credits for giving you tips on the fasttrack rule.
by msatter
Fri Aug 04, 2023 6:55 pm
Forum: General
Topic: Router OS V7 TCP Retransmission vpn site to site two mikrotik
Replies: 23
Views: 2159

Re: Router OS V7 TCP Retransmission vpn site to site two mikrotik

@Amm0 that is a good point and who is answering on the other side, the server/client or the router. When the router answers then on behalf then the VPN connection is not used.

@all
Run the MTU adjuster on the returning traffic and check that the ICMP can also reach the client on the inside.
by msatter
Fri Aug 04, 2023 6:44 pm
Forum: General
Topic: Implementing address list-based routing with RouterOS v7 [SOLVED]
Replies: 17
Views: 2989

Re: Implementing address list-based routing with RouterOS v7 [SOLVED]

You missed the first question and the second one. I already stated why I think it's a MTU problem.

But you are free to request support from Mikrotik themselves by mailing them on support@mikrotik.com
by msatter
Fri Aug 04, 2023 12:25 pm
Forum: General
Topic: Implementing address list-based routing with RouterOS v7 [SOLVED]
Replies: 17
Views: 2989

Re: Implementing address list-based routing with RouterOS v7 [SOLVED]

You state re-transmissions then the question is your network sending out the request, or the other side because it did not get an acknowledgement from you? Secondly did you see any traffic hitting the MTU rule I gave? With this one you don't need to state a wished MTU and it will adapt to the MTU si...
by msatter
Thu Aug 03, 2023 9:06 pm
Forum: General
Topic: Implementing address list-based routing with RouterOS v7 [SOLVED]
Replies: 17
Views: 2989

Re: Implementing address list-based routing with RouterOS v7 [SOLVED]

When TCP connections are taking long or even not complete then think of MTU problems. For that I have the following rule in Mangle: add action=change-mss chain=forward comment="WireGuard & IKEv2 Sync" in-interface-list=PMTU-IN log-prefix=MSS new-mss=clamp-to-pmtu \ passthrough=yes proto...
by msatter
Wed Aug 02, 2023 7:56 pm
Forum: Scripting
Topic: find addresses with same octets
Replies: 39
Views: 4618

Re: find addresses with same octets

Doing this for years now, the list now contains almost 2200 /24 ranges collected since September 2021.

Underneath the log when a range is placed on the block list when reaching the set limit which is set to three.
PermBlock.JPG
The last address ranges added to the block list:
PermBlock2.JPG
by msatter
Wed Aug 02, 2023 4:14 pm
Forum: General
Topic: SFP Temperature is 255C after Router OS upgrade [SOLVED]
Replies: 12
Views: 2723

Re: SFP Temperature is 255C after Router OS upgrade [SOLVED]

Yes. Yours and submit a support request with Mikrotik.

viewtopic.php?p=1008211#p1008211
by msatter
Tue Aug 01, 2023 2:48 pm
Forum: Scripting
Topic: find addresses with same octets
Replies: 39
Views: 4618

Re: find addresses with same octets

I have to admit to see all those postings was funny, while I already posted here the script for that, years ago.

But then, I would out of place to post a direct link.
by msatter
Mon Jul 31, 2023 10:17 am
Forum: General
Topic: Automatically initiate WireGuard connection
Replies: 18
Views: 1797

Re: Automatically initiate WireGuard connection

The tunnel is one and the connection is two.
by msatter
Sun Jul 30, 2023 11:08 pm
Forum: General
Topic: Automatically initiate WireGuard connection
Replies: 18
Views: 1797

Re: Automatically initiate WireGuard connection

25 Seconds is the same as the advised keep-alive for WireGuard.
by msatter
Sat Jul 29, 2023 12:45 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 104441

Re: v7.11beta [testing] is released!

I assume the wrong interface is the first WAN. Traffic answered on behalf by the router is related. In an earlier topic it was just dropped or set to TTL:0

viewtopic.php?p=1010043
by msatter
Fri Jul 28, 2023 8:33 pm
Forum: Announcements
Topic: CVE-2023-30799
Replies: 14
Views: 29276

Re: CVE-2023-30799

Example: I hire an expert to set up my router. That person needs access on admin level and that person could gain "super-admin" level and makes changes that are not logged and normally not allowed. When the temp. account is deleted the changes stay in place. My impression from what I read he...
by msatter
Fri Jul 28, 2023 2:43 pm
Forum: Scripting
Topic: find addresses with same octets
Replies: 39
Views: 4618

Re: find addresses with same octets

Ok. ;-)
by msatter
Thu Jul 27, 2023 9:51 pm
Forum: Announcements
Topic: CVE-2023-30799
Replies: 14
Views: 29276

Re: CVE-2023-30799

Thanks. :-)
by msatter
Wed Jul 26, 2023 9:22 pm
Forum: General
Topic: L7 regex to block IKEv1 connections
Replies: 1
Views: 445

Re: L7 regex to block IKEv1 connections

RegEx is a mask that is moving over a "text" and can be hooked to the end or the beginning but not on a specific point in a "text".

A dot is a single position so ^..... ....v1 (55 dots in total) provides you the location of the 56th position. Or if supported ^.{56}v1
by msatter
Wed Jul 26, 2023 8:34 pm
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 67626

Re: v6.49.8 [long-term] is released!

... it isn't clear if that CVE-2023-30799 was only addressed in 6.49.7 onwards, or also in 6.48.7 LTS which was released at a later date - there is nothing in the release notes. No, post #22 above probably sums up the status completely (not mentioning 6.48.7 does mean something). But since 6.49.8...
by msatter
Wed Jul 26, 2023 3:49 pm
Forum: Announcements
Topic: Click here
Replies: 35
Views: 9332

Re: Click here

All for the views. ;-)
by msatter
Wed Jul 26, 2023 2:03 pm
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 67626

Re: v6.49.8 [long-term] is released!

As stated in the CVE - "MikroTik RouterOS stable before 6.49.7...". Yes, 6.49.8 is built on 6.49.7. Thus it includes the same fix.

I visited a lonely page that feels completely neglected by Mikrotik: https://blog.mikrotik.com/security/ also supplies RSS feed for Mikrotik.
by msatter
Tue Jul 25, 2023 7:53 pm
Forum: Scripting
Topic: Built in function library
Replies: 132
Views: 133691

Re: Built in function library

@mike548141 It is even simpler:
@> /system/hardware print
bad command name hardware (line 1 column 9)
@> /system/hardware/print 
syntax error (line 1 column 17)

Try
 /system/routerboard print
by msatter
Tue Jul 25, 2023 1:06 am
Forum: General
Topic: Poe catching fire?
Replies: 3
Views: 697

Re: Poe catching fire?

Looks like lightning and Mikrotik have a product for that protects: https://mikrotik.com/product/rbgesp GESP is Gigabit Ethernet Surge Protector that can be used to protect the network from lightning or surge damages. Here’s what a typical use-case would be like. You have a mast with some antennas. A...
by msatter
Mon Jul 24, 2023 12:20 pm
Forum: Scripting
Topic: Built in function library
Replies: 132
Views: 133691

Re: Built in function library

@mike548141 When you have commands that could not work on every device then you can avoid errors by using do {} on-error={} :do { /system/hardware } on-error={ :error "error: script not executable on this device " } :do { /system/hardware } on-error={ :log "error: script X not executa...
by msatter
Thu Jul 20, 2023 2:44 am
Forum: Scripting
Topic: Structured IPv6 Address
Replies: 16
Views: 3166

Re: Structured IPv6 Address

This assumption by me was wrong. The value is treated as a boolean and then 0 = false and any other number is true.
by msatter
Thu Jul 20, 2023 1:06 am
Forum: General
Topic: Wireguard Wizard - 7.11b4
Replies: 27
Views: 2916

Re: Wireguard Wizard - 7.11b4

@own3r1138

When completely manual then there should still be a sanity check applied and also any DNS stated checked, that the returned IP is matching any of the local addresses of that router.
by msatter
Thu Jul 20, 2023 12:53 am
Forum: Scripting
Topic: Structured IPv6 Address
Replies: 16
Views: 3166

Re: Structured IPv6 Address

nil is a bit more complex, when I thought about it later: > :local a false; :put [:typeof $a] bool > :local a ; :put [:typeof $a] nothing > :local a nil ; :put [:typeof $a] str > :local a [:toip 192.168.88.999]; :put [:typeof $a] nil > :local a [:toip 192.168.88.1]; :put [:typeof $a] ip So to me "...
by msatter
Wed Jul 19, 2023 10:30 pm
Forum: General
Topic: Something NEEDS to be done about the default passwords
Replies: 169
Views: 13195

Re: Something NEEDS to be done about the default passwords

Thinking out of the box here. When the board is not matching the case then you have this problem. Did you check if the replied MAC is still as the one on the box, after a reset?
by msatter
Wed Jul 19, 2023 7:20 pm
Forum: Scripting
Topic: Delete all files in a folder (and make an exception)
Replies: 10
Views: 2630

Re: Delete all files in a folder (and make an exception)

/file/remove [find name~"flash/\\.xyz\$"]
Update: thanks Amm0 and I removed the first "/" and added a \ before $.
by msatter
Wed Jul 19, 2023 4:36 pm
Forum: General
Topic: Wireguard Wizard - 7.11b4
Replies: 27
Views: 2916

Re: Wireguard Wizard - 7.11b4

Well done, Although It would be awesome if Mikrotik could implant the WG Wizard in the main Wireguard section so one could use it for peer config generation like what we have now in OVPN. Then WG needs more entries to do that. The external IP-address/domain and the allowed address range to be able t...
by msatter
Wed Jul 19, 2023 3:46 pm
Forum: Scripting
Topic: Structured IPv6 Address
Replies: 16
Views: 3166

Re: Structured IPv6 Address

Some scripting tips (v6/v7): :toip6 returns a valid IP address and if not valid it returns "nil" which is an :if compare the same as "false/invalid", first a direct usage and the second one is an indirect usage. FROM: if ([:typeof $address] = "nil") do={ :error "\"...
by msatter
Wed Jul 19, 2023 2:56 pm
Forum: Beginner Basics
Topic: need advise on none dynamic and none static in mangle [SOLVED]
Replies: 2
Views: 1096

Re: need advise on none dynamic and none static in mangle [SOLVED]

Hi not my 'friend', From the manual: Value of none-dynamic (00:00:00) will leave the address in the address list till reboot Value of none-static will leave the address in the address list forever and will be included in configuration export/backup https://help.mikrotik.com/docs/display/ROS/Filter#F...
by msatter
Tue Jul 18, 2023 7:41 pm
Forum: General
Topic: feature request: src/dst-addr-type connected
Replies: 2
Views: 362

Re: feature request: src/dst-addr-type connected

What did I just read!?
by msatter
Tue Jul 18, 2023 1:48 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 2714

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

@4lphanumeric five is indeed just a number and I could have chosen two or any number higher. It just allows to block a specific up to five times before starting again as long the dst/src address is on the list syncreset. All traffic goes through a VPN so my ISP only sees the outside of a tunnel and ...
by msatter
Tue Jul 18, 2023 2:48 am
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 2714

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

Think about it you sitting, and waiting for the correct bus. one, is take the first bus and if you not get on that bus you have to wait again for bus six or then eleven.... two, get on the second bus and if you don't catch that one, take bus seven or even twelve.... It is not timing out, you hide (d...
by msatter
Tue Jul 18, 2023 12:39 am
Forum: Forwarding Protocols
Topic: Suggestion: Hooks to Scripts on /routing/filter/rule actions
Replies: 10
Views: 2410

Re: Suggestion: Hooks to Scripts on /routing/filter/rule actions

This is the sample function for adding to an address-list in filter/mangle/raw rules: :global ruleAddresToList do={ /ip firewall address-list add list=$listName address=$Address timeout=$Timeout } This is then the call to the function with the name "ruleAddresToList" from a rule to add and...
by msatter
Mon Jul 17, 2023 11:33 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 2714

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

The first reset will be matched and dropped in a period of 5 seconds. The next four will be accepted or accepted because the address-list entry has timed out. By adding more nth you can filter more reset replies. Underneath the first two reset replies are dropped within 5 seconds. /ip firewall r...
by msatter
Sun Jul 16, 2023 11:26 am
Forum: Beginner Basics
Topic: Forward secondary IP to web server
Replies: 4
Views: 1011

Re: Forward secondary IP to web server

Thanks for the disclaimer. ;-)

Try with line 8 in NAT disabled.
by msatter
Thu Jul 13, 2023 1:23 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624886

Re: Feature requests

Second request on bigger variables. Using fetch I can write a bigger file to disk in one go. But then I can't read those back when the file is bigger than 4KB, despite the variable is not a limiting factor anymore in ROS. This could be first one, so the request above for direct download in variable ...
by msatter
Thu Jul 13, 2023 12:26 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624886

Re: Feature requests

Now the 4096 byte limit on variables is lifted and variables are now limited by the amount of available memory. https://help.mikrotik.com/docs/pages/diffpagesbyversion.action?pageId=47579229&selectedPageVersions=29&selectedPageVersions=28 :too fetch is still limited to 64512 bytes when using...
by msatter
Thu Jul 13, 2023 10:46 am
Forum: Scripting
Topic: $INQUIRE - prompt user for input using array of questions + $CHOICES
Replies: 21
Views: 3093

Re: $INQUIRE - prompt user for input using array of questions, ft. inline functions (>[])

Press TAB for options or F1 for help: @ > [:terminal/ .. -- go up to root cuu -- move cursor up el -- erase line inkey -- read key style -- set output text style Small menu example with active help and (audio) feedback on error: { :local readKeyString do={ # written by msatter 2020-2021 # keyFlag sh...
by msatter
Thu Jul 13, 2023 10:03 am
Forum: Scripting
Topic: $INQUIRE - prompt user for input using array of questions + $CHOICES
Replies: 21
Views: 3093

Re: $INQUIRE - prompt user for input using array of questions, ft. inline functions (>[])

If you look at the input screen as a CRT TV then you can redrawn the page with the lines and entered data once on confirmed line, or even every key. Then you can correct previous entered data by using the cursor buttons by using the [:te cuu] for example to go up after redrawn page. The page with li...
by msatter
Thu Jul 13, 2023 12:01 am
Forum: Scripting
Topic: Max size of variables still at 4096!? Anwser is NO
Replies: 5
Views: 3499

Re: Max size of variables still at 4096!? Anwser is NO

Example script of reading a file from a webserver directly into a variable and generate a address-list from it. # Turris Import by Blacklister # 20210823 new version that directly download from a http(s) server # 20230712 new variable length allows to read big files in one go { /ip firewall address-...
by msatter
Wed Jul 12, 2023 10:07 pm
Forum: Scripting
Topic: Max size of variables still at 4096!? Anwser is NO
Replies: 5
Views: 3499

Max size of variables still at 4096!? Anwser is NO

I was browsing through help.mikrotik and noticed the removal of the notice in scripting about limit for variables in RouterOS. https://help.mikrotik.com/docs/pages/viewpreviousversions.action?pageId=47579229 v. 29 Apr 04, 2023 16:13 Testing Department Remove deprecated note on variable size limit. N...
by msatter
Wed Jul 12, 2023 8:34 pm
Forum: General
Topic: Weird log message in Mikrotik RB2011
Replies: 2
Views: 434

Re: Weird log message in Mikrotik RB2011

They are warnings and not errors.
by msatter
Wed Jul 12, 2023 12:10 am
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5014

Re: get a list of enabled NAT rules with no src address list

Then show that to us. Don't sit on it.....share.
by msatter
Tue Jul 11, 2023 11:39 pm
Forum: The User Manager
Topic: default admin account
Replies: 3
Views: 2628

Re: default admin account

No, you are not doing anything wrong. It is protecting you from locking yourself out of the router. You first have to create or have a second user with full access, and as you have already done. Then set the Admin to read, apply, expire the password and then disable it. I prefer to expire the password af...
by msatter
Tue Jul 11, 2023 10:50 pm
Forum: The User Manager
Topic: default admin account
Replies: 3
Views: 2628

Re: default admin account

You can disable it, after taking away any rights to make changes.

Newer routers come with a default password printed on the device so you need to register that also for each router.
by msatter
Tue Jul 11, 2023 10:36 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5014

Re: get a list of enabled NAT rules with no src address list

Thank Mikrotik for making the path in v7 backward compatible with v6.

I learned yesterday a new way to find active settings in v6, so still things to be found in v6. Please use the suggestion about the TAB and you can do your scripting yourself the next time.
by msatter
Tue Jul 11, 2023 2:41 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5014

Re: get a list of enabled NAT rules with no src address list

If Unimus executes line by line you could use this for v6 and v7: # v6 & v7 compatible /ip firewall nat #shows enabled rules with no src-address-list :foreach r in=[find where !disabled !src-address-list] do={:put [get $r]} # shows disabled rules with a src-address-list :foreach r in=[find where d...
by msatter
Tue Jul 11, 2023 2:08 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5014

Re: get a list of enabled NAT rules with no src address list

@idgolstein All you need to know, is stated when you start terminal in Winbox. MikroTik RouterOS 6.49.2 (c) 1999-2021 http://www.mikrotik.com/ [?] Gives the list of available commands command [?] Gives help on the command and list of arguments [Tab] Completes the command/word. If the input is...
by msatter
Mon Jul 10, 2023 9:22 pm
Forum: Scripting
Topic: timeout value in address list
Replies: 9
Views: 2274

Re: timeout value in address list

ROS v6: :foreach item in=[find list=<LIST NAME> timeout~"."] do={:put [get $item]} :foreach item in=[find list=<LIST NAME> !timeout] do={:put [get $item]} Flags: X - disabled, D - dynamic # LIST ADDRESS CREATION-TIME TIMEOUT 0 ;;; test test 7.7.7.7 jul/10/2023 19:46:53 1 D test 1.1.1.1 jul...
by msatter
Mon Jul 10, 2023 3:39 pm
Forum: Scripting
Topic: timeout value in address list
Replies: 9
Views: 2274

Re: timeout value in address list

Again, check status not value! With timeout: /ip/firewall/address-list> /ip/firewall/address-list/; :foreach item in=[find list=<LISTNAME> timeout] do={:put [get $item]} Without timeout: /ip/firewall/address-list> /ip/firewall/address-list/; :foreach item in=[find list=<LISTNAME> !timeout] do={:put ...
by msatter
Fri Jul 07, 2023 3:04 pm
Forum: General
Topic: why Input & Output rules (Please help)
Replies: 8
Views: 782

Re: why Input & Output rules (Please help)

It seems to be clear now.
by msatter
Thu Jul 06, 2023 12:53 am
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 35528

Re: Forum moderation volunteers

Air Force One must then have routers installed with ROS 7.10 for quite some time. They now have a special stairs in the back of the plane. Far away from the routers in the front of the plane. Hope it helps. Update: good news, RouterOS 7.10 was not the cause of the tripping on the stairs. Potus also...
by msatter
Wed Jul 05, 2023 10:03 pm
Forum: General
Topic: why Input & Output rules (Please help)
Replies: 8
Views: 782

Re: why Input & Output rules (Please help)

Then what is your problem? You wrote in the OP that all was working. IN = external new traffic incoming OUT = traffic generated by the router itself or encrypted traffic also generated by the router (policy) FORWARD = internal network to the outside and there you have your PCC lines. Connection marki...
by msatter
Wed Jul 05, 2023 5:42 pm
Forum: General
Topic: why Input & Output rules (Please help)
Replies: 8
Views: 782

Re: why Input & Output rules (Please help)

Post can't be deleted.
by msatter
Wed Jul 05, 2023 1:16 pm
Forum: General
Topic: why Input & Output rules (Please help)
Replies: 8
Views: 782

Re: why Input & Output rules (Please help)

Dear Sir, why do I need to add input and output rules in Mangle for PCC LoadBalancing? but without these rules, my PCC Loadbalancing working fine. ip firewall mangle add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=y...
by msatter
Thu Jun 29, 2023 9:09 pm
Forum: General
Topic: Partial match on address lists - exist? or feature request?
Replies: 6
Views: 734

Re: Partial match on address lists - exist? or feature request?

That would be possible if address lists could be grouped. Mikrotik did not add that to ROS so it is not possible. But looking at your example, use one name for both entries. The second one with a timeout will stop existing in the listing when the counter reaches zero. Strange that you did not test tha...
by msatter
Thu Jun 29, 2023 3:26 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 104441

Re: v7.11beta [testing] is released!

@mantouboji for a client the IP address does not to be renewed until TTL expires. So what is the TTL of your DNS registration? WG will renew the resolve on restart of the WG peer. You can't check every so many seconds if the DNS changes because of Round Robin when having multiple IP addresses. Then...
by msatter
Thu Jun 29, 2023 1:47 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 104441

Re: v7.11beta [testing] is released!

@mantouboji for a client the IP address does not to be renewed until TTL expires. So what is the TTL of your DNS registration? WG will renew the resolve on restart of the WG peer. You can't check every so many seconds if the DNS changes because of Round Robin when having multiple IP addresses. Then ...
by msatter
Wed Jun 28, 2023 3:23 pm
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 35528

Re: Forum moderation volunteers

I think someone pressed the "stow" button on the cats: https://cdn.teslanorth.com/wp-content/uploads/2023/06/cats-dish.jpg I have only a "stew" button overhere. Let's see what it does.....oh no, poor animals...in China they would now call dinner!! In Guangdong and Guangxi provin...
by msatter
Wed Jun 28, 2023 11:30 am
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 35528

Re: Forum moderation volunteers

You can't do three clicks without seeing a cat. They are a real pest.
by msatter
Tue Jun 27, 2023 8:04 pm
Forum: General
Topic: The "best" load balancing method for poor men ?
Replies: 19
Views: 1775

Re: The "best" load balancing method for poor men ?

Then pe1chl gave you your answer. Choose only src or dst address so keep the outgoing IP address seen by the loadbalancer/server on the other side. The cause is not at your side but on the other side forcing you to have the same IP address. That is why I use an address-list named fixed-VPN for those si...
by msatter
Tue Jun 27, 2023 1:14 pm
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3338

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

Changed the title back to ICMP only as I did many tests and was unable to replicate TCP/UDP packets leaking so I suspect I probably saw those show up when I was messing around with configs. I do continue to see the related ICMP packets being dropped as per the original scenario I outlined above. No...
by msatter
Tue Jun 27, 2023 12:54 pm
Forum: General
Topic: The "best" load balancing method for poor men ?
Replies: 19
Views: 1775

Re: The "best" load balancing method for poor men ?

PCC with "both addresses and ports" I used many times works like a charm but breaks https connections. Then I included !port443 into pcc rules but, since almost all traffic today is https, this mechanism is deprecated. What is nowadays the best load balancing/aggregation method to share m...
by msatter
Mon Jun 26, 2023 4:34 pm
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3338

Re: Router Leaking Packets (ICMP/TCP/UDP) Marked for Wireguard Tunnel

Thanks for confirming this and for the correction. The position of the rule is in filter fine and it is then just before SRC-NAT is applied. In NAT there is since ROS 7 also an input and output chain so you can detect there also if something is leaking from by router self.
by msatter
Mon Jun 26, 2023 1:34 pm
Forum: RouterBOARD hardware
Topic: hEX Router Reset button broke off
Replies: 14
Views: 3914

Re: hEX Router Reset button broke off

Just contact your seller about this. The switch seems to be surface soldered. Removing the loose switch from the case should not void your warranty because you made sure this way that no further damage was done when using the hEX. Better would be not have used the hEX again before contacting the hEX....
by msatter
Mon Jun 26, 2023 11:53 am
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3338

Re: Router Leaking Packets (ICMP/TCP/UDP) Marked for Wireguard Tunnel

I had till now not any related traffic going out so testing is not possible here. Can you put this log line in and check if this is detecting the same packets. It is a Postrouting and allow any last minute routing by routing adjustment to be done. It looks only at traffic coming from your router itse...
by msatter
Sun Jun 25, 2023 5:42 pm
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3338

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

@wisroute thanks and then invalid will catch that. Unmarked is traffic that is not present in connection tracking. add action=change-ttl chain=prerouting connection-state=invalid,untracked in-interface=wireguard log=yes log-prefix=KillInvalidInWG new-ttl=set:0 passthrough=no invalid - a packet that ...
by msatter
Sun Jun 25, 2023 4:18 pm
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3338

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

So the packet return is flagged related and so you can combine that with that it is generated by the router self on behalf of the disconnected client. Then you can kill that packet returning anywhere, by killing it. Routing in Mangle is not available on output so that avenue is closed. /ip/firewall/...
by msatter
Sun Jun 25, 2023 3:48 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5014

Re: get a list of enabled NAT rules with no src address list

I assume the parsed code is executed from the root and not from inside the path.
by msatter
Sun Jun 25, 2023 3:42 am
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3338

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

I have the same rule and yours routes traffic coming in through WiFi. Output is local so you have to match on the connection-mark you set. In Mangle output you can route it or kill it by setting TTL to 0.
by msatter
Sun Jun 25, 2023 2:03 am
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5014

Re: get a list of enabled NAT rules with no src address list

Converted to code: :put [:parse ":foreach r in=[/ip/firewall/nat find where !disabled !src-address-list] do={:put [/ip/firewall/nat get $r]}"] (evl /foreachcounter=$r;do=;(evl (evl /putmessage=(evl (evl /ip/firewall/nat/get))));in=(evl (evl /ip/firewall/nat/findwhere=$chain;$action;$jump-t...
by msatter
Sun Jun 25, 2023 1:16 am
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3338

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

Very interesting, could you test this in Mangle if the output counter increases? /ip/firewall/mangle add action=mark-packet chain=input in-interface-list=WireGuard new-packet-mark=encrypted passthrough=yes add action=passthrough chain=output out-interface-list=!WireGuard packet-mark=encrypted passth...
by msatter
Sat Jun 24, 2023 11:01 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5014

Re: get a list of enabled NAT rules with no src address list

:put (/ip/firewall/nat get [find where !disabled !src-address-list]) It's shorter, didn't know you can use negation here. But this line is not working when multiple rules are found, you can't use get from list, must be in loop and must be surrounded with [] to even execute. :put ([/ip/firewall/nat g...
by msatter
Sat Jun 24, 2023 6:22 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

I meant for Asus routers. Wrong forum I see now. Sorry. ;-)
by msatter
Sat Jun 24, 2023 1:27 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

Indeed it needs a script to generate the data file. On import you just import the file that contains a helper to process the data and put it in the correct place in ROS.

That makes it ideal for distribution of data to many routers.
by msatter
Sat Jun 24, 2023 1:14 am
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

You can read BIG files when you put the script for reading the data in the same file. Using a variable as call to the function, allows to import data as it was used with addresslists. Every variable is a new call of the function and so it will be repeated till there are no more variables left. It wi...
by msatter
Fri Jun 23, 2023 12:58 pm
Forum: Beginner Basics
Topic: INFO: MikroTik new default device password practice
Replies: 23
Views: 3124

Re: INFO: MikroTik new default device password practice

This is great that Mikrotik is catching up. An extra prominent note in the box that this device has been improved and is using a non blank password. This is a positive note about improving security. It could also be integrated in ROS so that in the login screen displays default a pointer/instruction wh...
by msatter
Fri Jun 23, 2023 1:22 am
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5014

Re: get a list of enabled NAT rules with no src address list

Why that complicated, treat the fields as having also a state:
/ip/firewall/nat/print where !disabled !src-address-list

:put (/ip/firewall/nat get [find where !disabled !src-address-list])
by msatter
Fri Jun 23, 2023 1:01 am
Forum: General
Topic: Can someone give me the command line, to delete pppoe-out1
Replies: 16
Views: 1396

Re: Can someone give me the command line, to delete pppoe-out1

When you go in terminal to pppoe and then press TAB or F1 then it will show the available options. You can use set or edit to change a specific field.

Then you can add that to the line you have in your script without the remove of course.
by msatter
Thu Jun 22, 2023 5:00 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

Not over here on ROS 7.10 I'm also on 7.10 > /system/routerboard/print routerboard: yes model: D53G-5HacD2HnD serial-number: XXXXXXXX firmware-type: ipq4000L factory-firmware: 7.1beta5 current-firmware: 7.10 upgrade-firmware: 7.10 > :execute ":put ([/interface lte at-chat lte1 wait=yes input=\&...
by msatter
Thu Jun 22, 2023 4:50 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

If you want to restore the stored data or transfer to a different router then selective path exporting and exporting is the simple way. I don't know how that works with LTE or SMS because I don't have that. In this posting is mentioned that extension does not need to be RSC. https://forum.mikrotik.com...
by msatter
Thu Jun 22, 2023 4:37 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

:execute ":put ([/interface lte at-chat lte1 wait=yes input=\"AT+CMGL=4\" as-value ]->\"output\")" file="sms"
Works also with .txt extension in file param, then it will not append .txt to filename.
Not over here on ROS 7.10
by msatter
Thu Jun 22, 2023 2:12 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

@optio Why still self limit to 4096 bytes!? Many people here walked into this limitation for many years and some found little gems in RouterOS which works around problems. One of those is ":execute" Let's keep it simple, this will store the output of a command or script to a file like it w...
by msatter
Thu Jun 22, 2023 12:42 am
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

@optio Why still self limit to 4096 bytes!? Many people here walked into this limitation for many years and some found little gems in RouterOS which works around problems. One of those is ":execute" Let's keep it simple, this will store the output of a command or script to a file like it wa...
by msatter
Wed Jun 21, 2023 9:36 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

This was the starting point: https://forum.mikrotik.com/viewtopic.php?p=819118 I think that it is more correct to continue in this topic, and not in the one where the link is. I tried doing something like this: :local sms [/system script get "sms.txt" source]; :put $sms But it gives an err...
by msatter
Tue Jun 20, 2023 5:19 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

This was the starting point: viewtopic.php?p=819118
by msatter
Tue Jun 20, 2023 12:21 am
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7396

Re: The maximum size of a read/written file.

You can read large files by not using a script to read the file but put the script in the file in a form of a function and import the RSC file.

Exporting large files is possible and rename it then to an RSC file so they can be imported again.
by msatter
Mon Jun 19, 2023 1:36 pm
Forum: Beginner Basics
Topic: Is it possible to provide dst-nat action in prerouting chain?
Replies: 3
Views: 847

Re: Is it possible to provide dst-nat action in prerouting chain?

Assuming you are matching on a domain/url, I would use connection marking instead of packet marking.

This because not every packet contains that domain/url.
by msatter
Thu Jun 15, 2023 10:40 am
Forum: Announcements
Topic: v7.10rc is released!
Replies: 183
Views: 52198

Re: v7.10rc is released!

"!) " could be used to indicate a new functionality and might not be fully developed. "Adding" should be the first step and later you can use "update".

!) added:
^!) update:
<!) retracted:
>!) fixed:
*) = bugfix
-*) = retracted bugfix
+*) = fixed bugfix
by msatter
Sat Jun 10, 2023 12:29 pm
Forum: Beginner Basics
Topic: Outbound from 5060 port
Replies: 8
Views: 1220

Re: Outbound from 5060 port

/ip firewall nat
add chain=srcnat action=src-nat to-ports=5060 protocol=tcp src-address=192.168.0.0/24 dst-address=5.49.132.66 dst-port=5060
add chain=srcnat action=src-nat to-ports=5060 protocol=tcp src-address=192.168.0.0/24 dst-address=5.13.25.125 dst-port=5060
Because your src-address is a rang...
by msatter
Fri Jun 09, 2023 11:57 pm
Forum: Beginner Basics
Topic: Outbound from 5060 port
Replies: 8
Views: 1220

Re: Outbound from 5060 port

You have changed it now in your OP, it now states that it is not your actual public address.

It is also a good thing, to use non existing public IP addresses in postings to avoid that an other router is being tried to be compromised based on data stated by you.
by msatter
Fri Jun 09, 2023 10:46 pm
Forum: Beginner Basics
Topic: Outbound from 5060 port
Replies: 8
Views: 1220

Re: Outbound from 5060 port

Please remove your PUBLIC IP from your posting. This is in your own interest.
Thx, but don't worry, this is fake addresses.
Then you lied in your opening post stating "My external address is".
by msatter
Fri Jun 09, 2023 8:30 pm
Forum: Beginner Basics
Topic: Outbound from 5060 port
Replies: 8
Views: 1220

Re: Outbound from 5060 port

Please remove your PUBLIC IP from your posting. This is in your own interest.
by msatter
Fri Jun 09, 2023 2:11 pm
Forum: General
Topic: How to get Facebook & Youtube IP Address list
Replies: 2
Views: 1316

Re: How to get Facebook & Youtube IP Address list

You can look if you get a result with whois on a linux system:

Facebook
whois -h whois.radb.net '!gAS32934'

Youtube
whois -h whois.radb.net '!gAS36561'
whois -h whois.radb.net '!gAS15169'
whois -h whois.radb.net '!gAS43515'
whois -h whois.radb.net '!gAS36040'
by msatter
Thu Jun 08, 2023 12:06 pm
Forum: Scripting
Topic: How do I use global variables in Netwatch?
Replies: 1
Views: 1614

Re: How do I use global variables in Netwatch?

You could use a work around by using static DNS, Layer7 or comments depending on the type of variable to store.

Use a repeating schedule to update the values from Global and back.
by msatter
Thu May 25, 2023 2:04 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11011

Re: EDITED Forum THEME / SKIN change

Is the "Select all" from a code block working for anyone? It only sends me to the top of the topic..
I don't think that this ever worked anyway..
That is correct. The link underneath is just to the topic itself.
by msatter
Thu May 25, 2023 1:52 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11011

Re: EDITED Forum THEME / SKIN change

If MikroTik does not give us back prosilver, I would like to know why. What do they lose by having it as an option? I have used prosilver at this forum for 5+ years..... . . forum.mikrotik.com##.announcements.forumbg This I can not use, since it also removes announcements for the announcement forum ...
by msatter
Thu May 25, 2023 12:23 am
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11011

Re: EDITED Forum THEME / SKIN change

I also use uBlock to hide the tongue-in-cheek videos on the Mikrotik site. uBlock is literally a lifesaver, so you have choice in your own browser. The lines I collected here during the past years. ! https://forum.mikrotik.com/ forum.mikrotik.com###wrap > .transparent.main-header forum.mikrotik.com###...
by msatter
Wed May 24, 2023 1:55 pm
Forum: Announcements
Topic: Announcement regarding CVE-2023-32154
Replies: 23
Views: 28409

Re: Announcement regarding CVE-2023-32154

Source: https://www.zerodayinitiative.com/advisories/ZDI-23-710/
ADDITIONAL DETAILS
12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto.
05/09/23 – ZDI asked for an update.
05/10/23 – The ZDI re-disclosed the report at the vendor’s request.
05/10/23 – The ZDI informed the ...
by msatter
Wed May 24, 2023 1:10 pm
Forum: Announcements
Topic: v7.10beta [testing] is released!
Replies: 249
Views: 51116

Re: v7.10beta [testing] is released!

Question not answered about how many times it retries, or if interface still needs to be toggled to re-establish a connection after IP change.. As long as it fails to resolve, seems to me the way it will work. There is no max times mentioned so it keeps trying...... .....every retry counts as one i...
by msatter
Wed May 24, 2023 12:56 pm
Forum: Announcements
Topic: v7.10beta [testing] is released!
Replies: 249
Views: 51116

Re: v7.10beta [testing] is released!

@EdPa can you give more details about "wireguard - retry "endpoint-address" DNS query on failed resolve;" How many times will it retry? Does this solve our problems with dynamic ips on peers where we need to re-toggle tunnel to fix it after IP change? I am using RoundRobin from ...
by msatter
Tue May 23, 2023 11:46 am
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11011

Re: EDITED Forum THEME / SKIN change

1st world problems..
At least for what is left of it.
by msatter
Tue May 23, 2023 11:42 am
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11011

Re: EDITED Forum THEME / SKIN change



we reverted to Canvas
Also if you are not logged-in.......?
Thanks for fixing this.
by msatter
Mon May 22, 2023 3:14 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11011

Re: EDITED Forum THEME / SKIN change

Unfortunately, we have found, that the "Canvas" skin that was used here for many years, was causing the PHP issues. It is no longer maintained by the author. Until we can find a new / maintained skin, we have defaulted to the standard PHPBB skin. If it is very bad, make suggestions to wha...
by msatter
Mon May 22, 2023 2:33 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11011

Re: EDITED Forum THEME / SKIN change

canvas <--> pro silver

I selected Canvas, instead of pro silver, after my eyes started hurting. It was then again as before!?
by msatter
Mon May 22, 2023 2:26 pm
Forum: General
Topic: Routing table ignoring routing mark
Replies: 7
Views: 4746

Re: Routing table ignoring routing mark

What is the difference between IPsec tunnel mode and IPsec transport mode? IPsec tunnel mode is used between two dedicated routers, with each router acting as one end of a virtual "tunnel" through a public network. In IPsec tunnel mode, the original IP header containing the final destinat...
by msatter
Mon May 22, 2023 2:06 pm
Forum: Announcements
Topic: MikroTik joins the Fediverse
Replies: 46
Views: 32318

Re: MikroTik joins the Fediverse

https://blog.mikrotik.com/ is the blog still valid place for security updates? (where to follow, rss still enabled, or are there better places to get notifications, if something goes wrong?) Yes. There have been no security incidents lately, this is why there is nothing new there. That went fast: h...
by msatter
Fri May 19, 2023 12:33 pm
Forum: Announcements
Topic: MikroTik joins the Fediverse
Replies: 46
Views: 32318

Re: MikroTik joins the Fediverse

Hear hear! Creating side channels looks good for your 'friends' or management but this forum should remain the working horse for communications and exchange of ideas and knowledge. All the social stuff is just a distraction, which some people seem to need to know that they exist. Take it away, the...
by msatter
Fri May 12, 2023 11:55 am
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 43837

Re: FORUM MAINTENANCE: Password reset will be needed

This is my signature: [IN READ-ONLY MODE] Loving my freedom and so, no PayPal, no TikTok, no Meta/Facebook/Instagram/WhatsApp, no Apple and no Alphabet/Google, no Amazon/Cloudfront/AWS. Running: RouterOS 7.7 and 7.2.1 / Winbox 3.37 64bits It states that Google is one of the bad boys. If it only was ...
by msatter
Thu May 11, 2023 8:19 pm
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 43837

Re: FORUM MAINTENANCE: Password reset will be needed

"Your signature contains 233 characters.The maximum number of allowed characters is 1."

I must have missed the memo on that too.
by msatter
Thu May 11, 2023 6:49 pm
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 43837

Re: FORUM MAINTENANCE: Password reset will be needed

I got notifications for the first time ever.....from three years ago.

Update: it advises each time to send an e-mail to support because of a general error. Better leave it off then.
by msatter
Thu May 11, 2023 12:13 pm
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 43837

Re: FORUM MAINTENANCE: Password reset will be needed

What are the reasons to dislike Discourse?
The reason is, one day you can't post anymore, then you can again and not then anymore.....forever.

Discourse excludes people and doesn't give a damn about that. If you don't move, Discourse will leave you behind.
by msatter
Thu May 11, 2023 11:11 am
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 43837

Re: FORUM MAINTENANCE: Password reset will be needed

Has MikroTik ever considered moving the forums to a more modern solution than phpBB? I know of several forums that were able to migrate from phpBB to Discourse fairly easily, and it has some very nice features.. OOOOOOOOOOOH NOOOOOOOOO NOT DISCOURSE!!!!!! PLEASE PLEASE PRETTY PLEASE HAVE MERCY WITH...
by msatter
Wed May 10, 2023 2:24 pm
Forum: General
Topic: ⚠️WARNING: RouterOS v7.10+ will break all scripts based on [/system clock get date] or other date(s)
Replies: 63
Views: 12790

Re: ⚠️WARNING: RouterOS v7.10+ will break all scripts based on [/system clock get date]

If Mikrotik was only just a bit smarter then they had introduced with new format a new variable containing the new date format.

Something like: [/system clock get isodate]

Just my two cents....
by msatter
Tue May 09, 2023 4:44 pm
Forum: Announcements
Topic: Newsletter #113 | May 2023
Replies: 103
Views: 41911

Re: Newsletter #113 | May 2023

Marketing seems to go off the rails.
by msatter
Thu Mar 02, 2023 11:29 am
Forum: Announcements
Topic: Newsletter 111
Replies: 24
Views: 19514

Re: Newsletter 111

I am pleased that manuals are at least written more clearly.
by msatter
Thu Mar 02, 2023 1:45 am
Forum: Announcements
Topic: Newsletter 111
Replies: 24
Views: 19514

Re: Newsletter 111

Interesting wording, "permanently remove", me thinking "break off" would be a better wording for that.

Or do you need a hacksaw to remove permanently, those parts?
by msatter
Sun Jan 08, 2023 1:08 am
Forum: General
Topic: Percentage IN PCC Load Balancd [SOLVED]
Replies: 8
Views: 1241

Re: Percentage IN PCC Load Balancd [SOLVED]

You can be the judge on that.
by msatter
Sat Jan 07, 2023 10:30 pm
Forum: General
Topic: Percentage IN PCC Load Balancd [SOLVED]
Replies: 8
Views: 1241

Re: Percentage IN PCC Load Balancd [SOLVED]

@chechito: really? Secondly, that is 80:20

Simpler, 5/4 to Wan2 what is left to Wan1.
Do you now get, how it can work?

Bye
by msatter
Sat Jan 07, 2023 5:19 pm
Forum: General
Topic: Percentage IN PCC Load Balancd [SOLVED]
Replies: 8
Views: 1241

Re: Percentage IN PCC Load Balancd [SOLVED]

Even simpler: 1/3 goes to two and the rest goes to one. You so only need one PCC line that marks traffic for routing2 and the rest you just mark for routing1 as long it is not marked earlier for routing2. add action=mark-connection chain=prerouting dst-address-type=!local \ new-connection-mark=WAN_C...
by msatter
Sat Jan 07, 2023 1:35 pm
Forum: General
Topic: Percentage IN PCC Load Balancd [SOLVED]
Replies: 8
Views: 1241

Re: Percentage IN PCC Load Balancd [SOLVED]

66% = 1/3->1 2/3->1 3/3->2
by msatter
Thu Jan 05, 2023 1:49 am
Forum: General
Topic: DNSSEC
Replies: 43
Views: 23453

Re: DNSSEC

If you have a resolver that handles DNSSEC in front of RouterOS it won't return an IP address when the DNSSEC is invalid. Cache poisoning can also happen on the client. The AD flag could be stored to indicate a valid DNSSEC or AD is False to indicate why IP is not returned. RouterOS has a basic D...
by msatter
Fri Dec 16, 2022 12:11 pm
Forum: General
Topic: export one firewall address list out of many
Replies: 10
Views: 3935

Re: export one firewall address list out of many

A little teaser of the options available and it is a complete eco system that produces address-list in RSC format that is standalone and has the script and list integrated in one file. Ideal for distribution. The script is over 200 lines including many comments. :set $helpText " Backup function...
by msatter
Wed Dec 14, 2022 11:05 pm
Forum: General
Topic: export one firewall address list out of many
Replies: 10
Views: 3935

Re: export one firewall address list out of many

RouterOS can perfectly fine export one address-list out of many with a script, on its own. And import them also again.

You just have to put the effort into it to write the script.

Bye
by msatter
Tue Dec 13, 2022 11:19 pm
Forum: RouterOS beta
Topic: Feature request: overwrite addresslist entries
Replies: 10
Views: 2758

Re: Feature request: overwrite addresslist entries

Rename address-list -> import new list -> rename renamed address-list to current address-list -> remove renamed address-list still/only containing the double entries. Does not work for me, supposing I rename address-list by set list="new-name" [find list="old-name"] Renaming sto...
by msatter
Tue Dec 13, 2022 9:57 pm
Forum: RouterOS beta
Topic: Feature request: overwrite addresslist entries
Replies: 10
Views: 2758

Re: Feature request: overwrite addresslist entries

Rename address-list -> import new list -> rename renamed address-list to current address-list -> remove renamed address-list still/only containing the double entries. Très simple.

Bye
by msatter
Thu Nov 10, 2022 11:14 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 264
Views: 72323

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Try without defining a delimiter. So omitting it.
}
        :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
        :log info "Address list <$description> successfully updated"
        }
by msatter
Wed Oct 05, 2022 9:53 pm
Forum: Scripting
Topic: invalid internal item number [SOLVED]
Replies: 13
Views: 4796

Re: invalid internal item number [SOLVED]

I use a regular expression to match. That is the ~ sign instead of a = . The searched interface name has to be also unique or there will be no match. If you have two PPPoE (pppoe-in pppoe-out) then matching on pppoe does not cut. You have to match on the difference and the shortest one is "in&quo...
by msatter
Mon Oct 03, 2022 11:03 pm
Forum: Forwarding Protocols
Topic: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?
Replies: 9
Views: 2275

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Wow guys, having a bad day?

Apologies for the Google link, posted this question from my mobile after it came up in my feed.
It was not mainly directed at you.....
by msatter
Sun Oct 02, 2022 9:08 pm
Forum: General
Topic: Issue in scripting [SOLVED]
Replies: 8
Views: 1537

Re: Issue in scripting [SOLVED]

;log has to be :log....twice
by msatter
Sat Oct 01, 2022 12:37 pm
Forum: Forwarding Protocols
Topic: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?
Replies: 9
Views: 2275

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

If you put up a link, have at least the decency to remove all Google tracking shit!
https://www.bleepingcomputer.com/news/security/ethernet-vlan-stacking-flaws-let-hackers-launch-dos-mitm-attacks/
by msatter
Mon Sep 26, 2022 10:49 am
Forum: General
Topic: Using NoTrack for WireGuard tunnel
Replies: 16
Views: 2152

Re: Using NoTrack for WireGuard tunnel

"So all in all - you can use notrack for a Wireguard tunnel, but only where no NAT is required, so typically for a site-to-site one." I see RouterOS handling this without a problem. This is my interpretation. Router as WG client, router initiates a UDP connection to server through NAT, Rout...
by msatter
Fri Aug 26, 2022 12:14 am
Forum: General
Topic: Using NoTrack for WireGuard tunnel
Replies: 16
Views: 2152

Re: Using NoTrack for WireGuard tunnel

I addressed the tunnel and not the actual traffic going through that tunnel. You still have complete control if traffic is going to be encrypted traveling through that tunnel or not and will take an other path. RouterOS handles the tunnel and that explains that I despite the tunnel being fasttracked...
by msatter
Thu Aug 25, 2022 9:58 pm
Forum: General
Topic: Using NoTrack for WireGuard tunnel
Replies: 16
Views: 2152

Using NoTrack for WireGuard tunnel

I noticed that fasttracking the tunnel of a WireGuard connect did not matter and the dummy counters did not increase. So that traffic is being split off and handled directly. Then I remembered that was also done for IPSEC: However, this can add a significant load to the router's CPU if there is a fai...
by msatter
Sun Aug 21, 2022 1:33 pm
Forum: General
Topic: The "output" chain and VRFs/routing marks
Replies: 9
Views: 4493

Re: The "output" chain and VRFs/routing marks

useful information
Instead you could use bookmark in your browser. Right-click the posting date line and select add bookmark.
by msatter
Thu Aug 18, 2022 1:13 am
Forum: Announcements
Topic: v7.5beta [testing] is released!
Replies: 138
Views: 45600

Re: v7.5beta [testing] is released!

Sadly I can't reproduce that:
/ip/dns/static add address-list=mikrotik match-subdomain=yes name=mikrotik.com type=FWD 
:put [:resolve www2.mikrotik.com]
159.148.147.252
Nothing is added to the address-list mikrotik.
by msatter
Wed Aug 17, 2022 10:55 pm
Forum: Announcements
Topic: v7.5beta [testing] is released!
Replies: 138
Views: 45600

Re: v7.5beta [testing] is released!

I'm usually good at spotting what things are for, but I'm gonna need some help here. If I do: /ip/dns/static add address=192.168.88.10 address-list=dnstest name=device.local ttl=600 Nothing happens at first. Then when router's DNS resolver receives query for device.local, address list "dnstest...