Community discussions

Search found 294 matches

by Deantwo
Tue Oct 08, 2019 2:29 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 28
Views: 2913

Re: Why (not) use Hairpin NAT

One reason not to use hairpin NAT that I haven't seen anyone mention here is that you lose some of your ability to log what people on the LAN are doing to your servers. Not so much a difference in how difficult it is to set up, but keep in mind that some other things are lost when you just source NA...
by Deantwo
Fri Oct 04, 2019 4:38 pm
Forum: SwOS
Topic: Switch identity character length and possible? bug
Replies: 5
Views: 945

Re: Switch identity character length and possible? bug

I am having issues setting identity of RB260GS. I wanted to set: LOCATION - OFFICE - DEVICEn The identity character limit is rather small for SwOS yeah. I don't know what exactly you need such a long and complicated identity for, but you might be able to add some of your information to the SNMP set...
by Deantwo
Fri Oct 04, 2019 4:30 pm
Forum: Announcements
Topic: SwOS version 2.10 released!
Replies: 39
Views: 13273

Re: SwOS version 2.10 released!

... @Stangelator , if your issue is not directly related to the new SwOS update (version 2.10), can you maybe take your issue to a new thread instead? Getting constant notifications from this thread about non-update related posts is getting a little annoying. Make a new thread in the SwOS section o...
by Deantwo
Wed Oct 02, 2019 12:48 pm
Forum: Beginner Basics
Topic: nslookup on Mikrotik
Replies: 11
Views: 28478

Re: nslookup on Mikrotik

Yes, you have to assume that the DNS server that replied is the DNS server that you (or the router) specified. The [:resolve "microsoft.com"] is a script command, it is not really a troubleshooting tool. I have a number of scripts that rely on [:resolve "microsoft.com"] returning just a single IP-a...
by Deantwo
Mon Sep 02, 2019 10:01 am
Forum: Announcements
Topic: Newsletter #90
Replies: 53
Views: 16380

Re: Newsletter #90

New switches? So we might see improvements to SwOS?
*crosses fingers*
by Deantwo
Wed Aug 07, 2019 11:02 am
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 34711

Re: v6.44.5 [long-term] is released!

Can you maybe update the security blog post to include this RouterOS version as a fix?
Here: https://blog.mikrotik.com/security/cve- ... 11479.html
by Deantwo
Mon Jul 01, 2019 4:36 pm
Forum: Announcements
Topic: v6.43.16 [long-term] is released!
Replies: 12
Views: 7373

Re: v6.43.16 [long-term] is released!

Ditto on the recent Linux DOS vulnerabilities update - will Long-Term receive it and when. If not, please provide recommended Firewall filter rules. Thank you. The advisory linked to in the blog post suggests blocking TCP traffic with a low MSS, but doesn't mention what this "low MSS" is. So my gues...
by Deantwo
Wed May 22, 2019 4:07 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

Hello, we have found that our CCR is not accessible, has been compromised, user and passw have changed V 6.38.7 (bugfix) is the version that appears from winbox, we have passed ExploitWinbox and Macserverexploit but it does not work, what else can we do? We do not have backup ..... Thanks! Bugfix v...
by Deantwo
Tue May 21, 2019 10:24 am
Forum: General
Topic: SSTP Interface Queue Type is invalid after upgrade
Replies: 3
Views: 1533

Re: SSTP Interface Queue Type is invalid after upgrade

Hello Did you get this work on 6.44? default queue type is default-small on 6.44 , i need to put all new dynamic interfaces on startup to ethernet-default or custom pfifo queue type Can you help me? Workaround for now: 1. empty queue tree rule /queue tree add comment=test name=queue3_test priority=...
by Deantwo
Tue May 14, 2019 12:08 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 3277

Re: v6.43.15 [long-term] is released!

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? I feel a little horrible for thinking the exact same thing when I saw a new long-term release. Is that really where we have gotten with long-term release...
by Deantwo
Fri May 10, 2019 4:51 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 8044

Re: v6.43.14 [long-term] is released!

Hi, we are experiencing the following bug: ...
Be sure to email support@mikrotik.com with the details.
This thread isn't really for bug reports, unless it is specifically related to this update alone.
by Deantwo
Fri Apr 12, 2019 2:38 pm
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 49
Views: 71603

Re: Winbox v3.18 released!

He should email it to support@hiscompany.com, because it's false positive on company's DPI side, MikroTik cannot do anything with that. Wouldn't that be himself? XD If P2P/File transfer is restricted in the company network, then it might cause problems with a lot of things. None of which would be M...
by Deantwo
Fri Apr 12, 2019 9:30 am
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 49
Views: 71603

Re: Winbox v3.18 released!

Winbox when downloading descriptors gets stuck. After some troubleshooting, I found that winbox is being blocked by P2P/File transfer restrictions in the company.
You should email that to support@mikrotik.com.
by Deantwo
Thu Apr 04, 2019 12:22 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 8044

Re: v6.43.14 [long-term] is released!

Just gonna leave a link to the MikroTik blog post here, so people can read about what this patch fixes.
Here: https://blog.mikrotik.com/software/cve- ... stion.html
by Deantwo
Thu Apr 04, 2019 11:18 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 12503

Re: v6.44.2 [stable] is released!

Hi Emils, Is this fix related to recent vulnerability issue that were going to go public on 9 April? Nice attempt at being subtle there. Wouldn't it have been better to email something like that to support rather than start a new vulnerability panic? ._. yes, see https://forum.mikrotik.com/viewtopi...
by Deantwo
Wed Apr 03, 2019 10:44 am
Forum: Scripting
Topic: Can't launch script from Netwatch
Replies: 14
Views: 5170

Re: Can't launch script from Netwatch

If you are using RouterOS 6.43.x, then you can simply use dont-require-permissions=yes.
See: viewtopic.php?f=2&t=134538#p720232
by Deantwo
Wed Apr 03, 2019 10:34 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18627

Re: v6.44.1 [stable] is released! - URGENT

@mativcp: After upgrade to 6.44.1 (Stable) CCR1009-7G-1C-1S+ STOP WORKING ... ill wait answer...Thanks in advance As it says in the opening post, you need to make a supout while the issue is present and send it to MikroTik support along with your report. RouterOS version 6.44.1 has been released in...
by Deantwo
Mon Apr 01, 2019 12:39 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 9602

Re: v6.43.13 [long-term] is released!

I think there is a Bug that wasn't in 6.42.12: Running that command on 6.42.12 works: :log info ([/interface pppoe-client monitor pppoe-WAN as-value]->"status") It's not a bug it's a feature :) Now you need to add "once" after an interface name. This seems like some kind of joke. This change has br...
by Deantwo
Fri Mar 29, 2019 1:16 pm
Forum: General
Topic: Multiple CA Certificates for OpenVPN
Replies: 3
Views: 801

Re: Multiple CA Certificates for OpenVPN

I wanted to ask the exactly same question now, so I'm rather bumping this up - is it possible to have two CAs? For the same reason - to slowly update from old MD5 certs to new ones?
I ended up just setting up a second MikroTik router. Closed the old router down here before new year.
by Deantwo
Tue Mar 26, 2019 4:19 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 9602

Re: v6.43.13 [long-term] is released!

As 6.43 just recently replaced 6.42 long-term. radius - use MS-CHAPv2 for "login" service authentication; Please revert this change, or at least make this configurable. That is true, and yet another thing people upgrading from v6.42.12 to v6.43.13 will be unprepared for. But all is not lost. If you...
by Deantwo
Tue Mar 26, 2019 11:57 am
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 9602

Re: v6.43.13 [long-term] is released!

So are there actually any changes between this long-term version and the v6.43.12 stable version? Really hard to tell from the changes, since as mentioned by others in this thread, there are even changes missing that were made in the v6.43 release thread. PS: Emailed support about adding the missing...
by Deantwo
Tue Mar 19, 2019 4:55 pm
Forum: General
Topic: to many winbox/dude sessions
Replies: 6
Views: 973

Re: to many winbox/dude sessions

/system scheduler { :local uptime [/system resource get uptime] :set uptime [:pick $uptime ([:len $uptime] - 5) [:len $uptime]] :local calculation (([:tonum [:pick $uptime 0 2]] + [:tonum [:pick $uptime 3 5]]) * 40) :set calculation [:totime $calculation] :set calculation (04:00:00 + $calculation) ...
by Deantwo
Tue Mar 19, 2019 11:04 am
Forum: General
Topic: to many winbox/dude sessions
Replies: 6
Views: 973

Re: to many winbox/dude sessions

I don't see any options to set or increase the limit of sessions. I didn't even know there was one. One thing you could do is spread the update checks out over a larger time period so all the requests don't come at the same time. Change your schedulers to have a start-time that depends on the router...
by Deantwo
Mon Mar 18, 2019 1:19 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polle...
by Deantwo
Tue Mar 12, 2019 7:09 pm
Forum: General
Topic: Connection tracking issue
Replies: 2
Views: 362

Re: Connection tracking issue

Sounds like the same issue as described in viewtopic.php?f=2&t=127838&p=628464#p628464.
by Deantwo
Tue Mar 12, 2019 5:25 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

Is enough only by upgrading the OS to safe version or MUST BE do netinstall? As stated multiple times in this thread, and other places on the forum. If you want to be 100% sure that your router is not infested with some Lovecraftian horror , netinstall it. If your router hasn't been attacked, probe...
by Deantwo
Mon Mar 11, 2019 1:52 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 48
Views: 8819

Re: Netwatch deprecated ? [SOLVED]

This issue seems to have been addressed in RouterOS version 6.43, so it is much easier to fix these issues now. https://forum.mikrotik.com/viewtopic.php?f=21&t=138995 What's new in 6.43 (2018-Sep-06 12:44): *) console - added "dont-require-permissions" parameter for scripts; *) console - added error ...
by Deantwo
Mon Mar 11, 2019 10:08 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36425

Re: v6.44 [stable] is released!

Not sure if you read the thread properly, however, we're also both and all of us are at least up to MTCRE. I also cannot share the config of our clients due to a Non-Disclosure agreement. This is companies that's been using these units quite a lot, we talk few thousands of the routers especially th...
by Deantwo
Tue Mar 05, 2019 1:20 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36425

Re: v6.44 [stable] is released!

Upgrading my RB750 from RouterOS 6.40.8 to 6.44 leaves all IPsec peers with "unknown" profiles. And it looks like any IPsec peer settings were lost since only "default" profile exist. Do I have to jump to another version first and then jump to 6.44? Gonna go test if it also happen if I upgrade to 6....
by Deantwo
Mon Mar 04, 2019 2:24 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the furt...
by Deantwo
Mon Feb 25, 2019 9:01 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5961

Re: Security issue when Winbox exposed

Is it only specific to dude agent binary? To remediate is it enough to have dude agent not installed or not enabled? (of course Winbox port is closed to the internet, but I don't want my LANs to be able to use it, dude is installed, but not enabled) The article says it's only agent, but I'd appreci...
by Deantwo
Mon Feb 25, 2019 2:57 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5961

Re: Security issue when Winbox exposed

Unless I am mistaken, this vulnerability is a lot less dangerous as long as your internal network isn't public knowledge. The attack shown in the article is an example that only works because he knows the LAN IP address of the vulnerable server and the type of server before doing the attack. I am no...
by Deantwo
Fri Feb 22, 2019 10:36 pm
Forum: Beginner Basics
Topic: How to connect from android app Mikrotik to RB2011?
Replies: 6
Views: 467

Re: How to connect from android app Mikrotik to RB2011?

I have a OpenVPN server on my router and the OpenVPN app. So I can connect to my router from the outside and then use the TikApp to control my router securely.
by Deantwo
Fri Feb 22, 2019 3:32 pm
Forum: Scripting
Topic: Global variable dissapears?
Replies: 9
Views: 739

Re: Global variable dissapears?

/system script add dont-require-permissions=no name=script1 policy=\ reboot,read,write,policy,test,password,sniff,sensitive source=\ "/user add name=yy group=full \r\ \n:log info \"user added\"" /tool netwatch add down-script=script1 host=111.111.111.111 .... [admin@BGP_ruby_test] /tool netwatch> /...
by Deantwo
Fri Feb 22, 2019 2:50 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 6606

Re: v6.42.12 [long-term] is released!

MAJOR CHANGES IN v6.42.12: ---------------------- !) winbox - improvements in connection handling to router with open winbox service (CVE-2019-3924); ---------------------- Definitely missing some more details about when and how we are vulnerable to this vulnerability. I would like to know if Wi...
by Deantwo
Fri Feb 22, 2019 2:43 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5961

Re: Security issue when Winbox exposed

Yes, "service" menu limitation will protect you, the service "winbox" affects winbox/dude/tik-app all at the same time.
That is wonderful news, first good news I hear all day.
Can that please be added to the blog post maybe? I am sure more people will want to know this.
by Deantwo
Fri Feb 22, 2019 2:36 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5961

Re: Security issue when Winbox exposed

Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure. With the WinBox service exploit we were told that an address whitelist on the service was enough to block anything bad. I am HOPI...
by Deantwo
Fri Feb 22, 2019 12:04 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 6606

Re: v6.42.12 [long-term] is released!

MAJOR CHANGES IN v6.42.12: ---------------------- !) winbox - improvements in connection handling to router with open winbox service (CVE-2019-3924); ---------------------- Definitely missing some more details about when and how we are vulnerable to this vulnerability. I would like to know if Wi...
by Deantwo
Thu Feb 21, 2019 12:26 pm
Forum: Scripting
Topic: Global variable dissapears?
Replies: 9
Views: 739

Re: Global variable dissapears?

https://forum.mikrotik.com/viewtopic.php?f=21&t=133272 What's new in 6.42 (2018-Apr-13 11:03): *) netwatch - limit to read, write, test and reboot policies for Netwatch script execution; Accessing global variables annoyingly require "policy" permission, which Netwatch script execution doesn't have a...
by Deantwo
Thu Feb 21, 2019 12:25 pm
Forum: Scripting
Topic: Script via Netwatch Don't Running
Replies: 3
Views: 429

Re: Script via Netwatch Don't Running

viewtopic.php?f=21&t=133272
What's new in 6.42 (2018-Apr-13 11:03):

*) netwatch - limit to read, write, test and reboot policies for Netwatch script execution;
by Deantwo
Tue Feb 05, 2019 11:36 am
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 3
Views: 687

Re: Upgrade to MS-CHAPv2 RADIUS for >6.43

We got the new RADIUS server to work with MS-CHAPv2 and RouterOS v6.43. I'll bug my server guy to find out what he did on the server to make it work. I have one fun fact with backward compatibility, a router running <6.43 can still use a MS-CHAPv2 RADIUS, but only for WinBox login. Trying to open th...
by Deantwo
Mon Feb 04, 2019 3:51 pm
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 3
Views: 687

Re: Upgrade to MS-CHAPv2 RADIUS for >6.43

I am told that the guide on the wiki/manual aren't much help anymore.
This: https://wiki.mikrotik.com/wiki/AAA_with ... _Directory

I sent an e-mail to support about getting the guide updated and possibly some help with this.
by Deantwo
Wed Jan 30, 2019 5:13 pm
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 3
Views: 687

Upgrade to MS-CHAPv2 RADIUS for >6.43

I am attempting to figure out the best way to upgrade from my old RADIUS server to a new MS-CHAPv2 RADIUS server. I would prefer a backward compatible solution, so routers running <6.43 can use the same configuration as >6.43. Googling for the answer seems to most of all just point me to a post I wro...
by Deantwo
Tue Jan 29, 2019 1:16 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

Darman, how do you think an update will know what socks entries are legitimate and what are not? If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD Better idea: if the router is setup incorrectly/insecurely, brick it. But really, none of that is MikroTik's problem to s...
by Deantwo
Wed Jan 23, 2019 1:35 pm
Forum: Announcements
Topic: SwOS version 2.9 released!
Replies: 72
Views: 25789

Re: SwOS version 2.9 released!

reading that no IGMP (Snooping) Problems are know in the latest 2.9 Firmware release, made me a bit angry... As @becs just said; @RobertF and @abrodkin SwOS has supported IGMP v1,v2,v3 since v2.5, also many issues have been addressed since then and now in v2.9 there is an additional port option to ...
by Deantwo
Sat Jan 05, 2019 5:04 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

im having issues upgrading. it doesn't do it.. check for updates then select download and install.. auto reboots but it stays to the version not new one... im using hap ac.... Check the architecture of the router, make sure you are using the correct file. Need more information to be able to help you....
by Deantwo
Fri Dec 28, 2018 12:37 pm
Forum: General
Topic: The "output" chain and VRFs/routing marks
Replies: 4
Views: 1514

Re: The "output" chain and VRFs/routing marks

You are correct in thinking that the "output" chain is after routing decisions are made. But the "output" chain apparently has a "routing adjustment" phase, which I assume is used if the routing mark was changed. See: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6 My current policy routing man...
by Deantwo
Wed Dec 19, 2018 11:06 pm
Forum: SwOS
Topic: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???
Replies: 10
Views: 2472

Re: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???

Looks like the Watchdog doesn't work in all cases. I have it enabled but the switch hangs for hours rather than rebooting.
Suggest you write to support@mikrotik.com with details so they can make a bug report and get it fixed then.
by Deantwo
Thu Dec 06, 2018 12:59 pm
Forum: Announcements
Topic: URGENT security reminder
Replies: 84
Views: 35070

Re: URGENT security reminder

Noobs will scream when their router randomly restart (because it was just applying updates during their gameplay) Tools -> Traffic Monitor :) "If there's no traffic for the last 5 minutes - it's okay to upgrade" xD = never :D But they will stop complaining about the feature missing! xD How cute. We...
by Deantwo
Tue Nov 20, 2018 12:16 pm
Forum: General
Topic: Radius not work since upgrade to 6.43
Replies: 7
Views: 2060

Re: Radius not work since upgrade to 6.43

I reading in changelog of last version and I see this line: *) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades); Pretty sure that specific line is not related to radius. Instead see v6.43 's !) radius - use MS-CHAPv2 f...
by Deantwo
Fri Nov 16, 2018 7:18 pm
Forum: Beginner Basics
Topic: Routing via IPSec Tunnel
Replies: 4
Views: 492

Re: IPsec Issues

I have an issues by configuring ipsec tunnel . the issue is the following The tunnel is established, nat bypass rule is also there but I'm unable to ping both local network. Please I need help Likely the same issue, and same information needed. What is your setup like? Diagram? What is your configs...
by Deantwo
Fri Nov 16, 2018 5:09 pm
Forum: Scripting
Topic: Script ended
Replies: 1
Views: 501

Re: Script ended

What is the error the script is giving?
by Deantwo
Fri Nov 16, 2018 4:54 pm
Forum: General
Topic: VLAN on a regular switch
Replies: 9
Views: 896

Re: VLAN on a regular switch

If the regular switch doesn't support VLANs, it might be easier to not use VLANs at all.
Or simply get a managed switch that does support VLANs.
by Deantwo
Fri Nov 16, 2018 4:52 pm
Forum: General
Topic: Two VLANS to another place. Voip + Data
Replies: 57
Views: 4310

Re: Two VLANS to another place. Voip + Data

Your VLAN configuration doesn't look totally correct.
Maybe this will help: https://wiki.mikrotik.com/wiki/Manual:L ... idged_VLAN

But if the routers are the only network equipment, then why use VLANs at all? Just make two bridges and route them normally.
by Deantwo
Fri Nov 16, 2018 3:13 pm
Forum: Beginner Basics
Topic: Routing via IPSec Tunnel
Replies: 4
Views: 492

Re: Routing via IPSec Tunnel

A diagram of your setup would make your question easier to understand.
Also your config would help a lot too.

If the subnets are accessible from each end, what is the issue?
by Deantwo
Tue Nov 06, 2018 11:21 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

Hey caresss As mentioned by vecernik87 , MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block it. You need to configure your interface list to prevent access from any untrusted networks. The fact that the attacker is using MAC-Telnet or MAC-WinBox means that ...
by Deantwo
Fri Nov 02, 2018 11:02 am
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 49
Views: 71603

Re: Winbox v3.18 released!

Can anyone log to an older version of Mikrotik, through WinBox 3.18 ?
I am unable to login to a router running RouterOS v5.26 with WinBox v3.18, I just get an error saying "Error: could not fetch index".
But you didn't really specify how much older.
by Deantwo
Mon Oct 01, 2018 11:36 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

WestTexas : In theory, if you can't upgrade the routers at all, just make sure they can't be accessed from untrusted networks. The vulnerability is only an issue if it can be accessed in the first place. For example make them only accept WinBox connections from your specific public IP range. Or mak...
by Deantwo
Fri Sep 21, 2018 4:47 pm
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 49
Views: 71603

Re: Winbox v3.18 released!

Please add feature to auto-reconnect or just status-icon what give as info that routerboard is online now. https://image.prntscr.com/image/0QqQhCONT36QRp5LnSRpAA.png Sounds like a nice idea for a feature. But it is not directly related to Winbox v3.18, so you might want to make a new thread about it.
by Deantwo
Wed Sep 19, 2018 12:21 pm
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 39198

Re: v6.43.1 [stable] is released!

What does this mean in details? *) winbox - fixed corrupt user database after specifying allowed address range (introduced in v6.43); Does this mean that in ROS lower than 6.43 address range not working? The "introduced in v6.43" means that it was a bug that was introduced (a.k.a. made) in RouterOS...
by Deantwo
Mon Sep 17, 2018 11:27 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

Example is already in the manual: https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#RouterOS_auto-upgrade Ah very nice, thanks. But it would be nice if the example also included "set channel=bugfix", since that took me a moment to find. I can't even see the word "channel" being mentioned at ...
by Deantwo
Mon Sep 17, 2018 10:51 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

is there maybe a plan to add auto update option and set that as default option? There are many routers which will never be updated or until something real bad happens. The issue with doing that is that users won't know what is happening. For example if they notice their internet going down their fi...
by Deantwo
Thu Sep 13, 2018 5:17 am
Forum: General
Topic: Add emoji to the ssid name
Replies: 8
Views: 1358

Re: Add emoji to the ssid name

With the suggestions here I've made the script a bit more user friendly.
Cool, but it does mean that it won't return an error if no interface is named that.
But I guess the user will just know that the SSID didn't change, so it likely is better in the end.
by Deantwo
Wed Sep 12, 2018 11:13 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

This is normal, if you open a Terminal. There is no hacker here.
I feel stupid for forgetting this detail... knew I was forgetting something.
Anyway, thanks for the confirmation.
by Deantwo
Wed Sep 12, 2018 10:50 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

Sorry I don't understand that question. Try to re-phrase it. He is talking about what he said in https://forum.mikrotik.com/viewtopic.php?p=685673#p685509, a job is shown to be running, yet the configuration doesn't appear to have any scripts in it. But as I said, from the picture and config alone,...
by Deantwo
Wed Sep 12, 2018 10:22 am
Forum: General
Topic: Add emoji to the ssid name
Replies: 8
Views: 1358

Re: Add emoji to the ssid name

Use this tool: https://r-1.ch/mikrotik-unicode-ssid-generator.php Oh my gosh that is awesome! 😂 Yes, I saw that but I'm not sure when and where should I add this command line "/interface wireless set X ssid="\65\78\61\6D\70\6C\65\20\F0\9F\92\BB" and how do I find my x value. Should this command lin...
by Deantwo
Wed Sep 12, 2018 10:03 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router. Even better reason to have it secure, and a plan for how to access it remotely when you finally do secure it correctly. The manual page I linked you to has examples on how to do...
by Deantwo
Tue Sep 11, 2018 11:01 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

2. How I can I reinstall CHR license on new disk image? I suggest you email support@mikrotik.com with your license issue. I haven't access to email or account. Only disk image with self-updated license. Any other suggestion? Email support@mikrotik.com , they can help you with all your questions.
by Deantwo
Tue Sep 11, 2018 8:06 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

here is full export command (little obfuscated) /export # sep/11/2018 17:50:21 by RouterOS 6.43 # software id = # # # /interface gre add !keepalive local-address=185.31.1.2 name=to_Sremote-address=46.0.1.1 add !keepalive local-address=185.31.1.2 name=to_X remote-address=178.215.1.1 /interface wirel...
by Deantwo
Tue Sep 11, 2018 2:36 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

May i ask, how is it possible to attacker to load up the know scripts and modify firewall, sock proxy, etc. if in IP/Services only winbox and ssh is allowed,but they are limited to connect from known prefixes? It's even happened in 6.42.1 or 6.42.3 Without knowing exactly what you had configured on...
by Deantwo
Tue Sep 11, 2018 10:08 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

May i ask, how is it possible to attacker to load up the know scripts and modify firewall, sock proxy, etc. if in IP/Services only winbox and ssh is allowed,but they are limited to connect from known prefixes? It's even happened in 6.42.1 or 6.42.3 Without knowing exactly what you had configured on...
by Deantwo
Thu Sep 06, 2018 6:08 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly. Of course we will think about improvements, but there will always be the case when somebody change something and complain that router is not secure. Yeah, if a guide starts by say...
by Deantwo
Thu Sep 06, 2018 3:07 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default. Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is a...
by Deantwo
Wed Sep 05, 2018 10:59 am
Forum: Announcements
Topic: v6.40.9 [bugfix] is released!
Replies: 56
Views: 15272

Re: v6.40.9 [bugfix] is released!

I agree that the way the patch notes were written made it look way more urgent than it was. Compared to how the WinBox vulnerability was mentioned in v6.40.8 [bugfix] , it makes it look like the CVE vulnerabilities were much more important. Changing the way you announce vulnerabilities in patch not...
by Deantwo
Thu Aug 23, 2018 4:01 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 89091

Re: Winbox vulnerability: please upgrade

How do you recover from this attack? We have 40 Dynadishes that are not responding to Winbox. They do respond partially on port 80, but act strangely. No SSL or telnet was enabled on these CPE's , so that approach is out. Any suggestions? You could use netinstall to reinstall them. See: https://wik...
by Deantwo
Tue Aug 21, 2018 10:42 am
Forum: SwOS
Topic: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???
Replies: 10
Views: 2472

Re: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???

There is not much information about the "watchdog" feature in the CSS326 SwOS manual. https://wiki.mikrotik.com/wiki/SwOS/CSS326#System Watchdog Enable or disable system Watchdog. It will reset CPU of the switch in case of fault condition I am guessing that the SwOS watchdog is not the same as the R...
by Deantwo
Wed Aug 15, 2018 1:24 pm
Forum: SwOS
Topic: rb 260gs - vlan native how to setup
Replies: 1
Views: 855

Re: rb 260gs - vlan native how to setup

https://wiki.mikrotik.com/wiki/SwOS/RB2 ... 0#VLAN_Tab

Try setting the port's VLAN Receive to "Any" and the Default VLAN ID to the desired native VLAN.
by Deantwo
Wed Aug 15, 2018 1:18 pm
Forum: SwOS
Topic: MSTP Support?
Replies: 2
Views: 1087

MSTP Support?

Since MSTP support has been added to RouterOS, is there any chance we will be getting it for SwOS too?

Currently trying to set up a CRS326-24G-2S+ (SwOS 2.7) and it only has RSTP, which makes it rather hard to make advanced VLAN networks.
by Deantwo
Wed Aug 15, 2018 12:51 pm
Forum: SwOS
Topic: BUG: Do not open the HOSTS tab and RSTP
Replies: 2
Views: 983

Re: BUG: Do not open the HOSTS tab and RSTP

Was having issues with RSTP tab not opening at all on v2.7.
Rebooting the switch fixed the issue.
by Deantwo
Wed Aug 15, 2018 12:42 pm
Forum: SwOS
Topic: CSS326-24G-2S+ RSTP doesn't work!
Replies: 1
Views: 813

Re: CSS326-24G-2S+ RSTP doesn't work!

Two of your pictures show no RSTP enabled on any ports, did you maybe forget to scroll down? Or are you just showing that there is no RSTP enabled on those at all? Do you have any VLANs configured? Your diagram and pictures aren't much help since you don't say what is what really in them. Your post ...
by Deantwo
Fri Aug 10, 2018 3:42 pm
Forum: General
Topic: VLAN Trunk without knowing/cofiguring all VLANS
Replies: 5
Views: 1059

Re: VLAN Trunk without knowing/cofiguring all VLANS

Is CRS317 SFP-SFPPLUS1 and CRS317 SFP-SFPPLUS2 bridged together? Is CCR1009 SFP-SFPPLUS1 and CCR1009 ETHER1 bridged together? If not then, talking about VLANs makes no sense. You only create VLAN trunks between two switches or between a router and a switch, but never between two routers. What you ne...
by Deantwo
Fri Aug 03, 2018 11:01 am
Forum: Forwarding Protocols
Topic: OSPF Router ID
Replies: 6
Views: 2660

Re: OSPF Router ID

The https://wiki.mikrotik.com/wiki/Manual:OSPF-examples page suggests making a loopback interface and giving it the router-id as an IP-address. Does the router-id have to exist as an IP-address on the router? If not then why can we configure the router-id at all? I assume that if you define a value ...
by Deantwo
Thu Jun 28, 2018 1:01 pm
Forum: General
Topic: [OPEN VPN] unique certificate for each secret or caller id
Replies: 2
Views: 343

Re: [OPEN VPN] unique certificate for each secret or caller id

I am guessing you want something like this:
https://serverfault.com/questions/35885 ... in-openvpn

Sadly there is no way to config something like that on the RouterOS OpenVPN server. The OpenVPN server in RouterOS is very limited.
by Deantwo
Thu Jun 28, 2018 12:09 pm
Forum: Beginner Basics
Topic: OpenVPN client does not work after update to 2.4.6
Replies: 6
Views: 4456

Re: OpenVPN client does not work after update to 2.4.6

Wouldn't it make more sense to ask on the OpenVPN forum? Since it was an OpenVPN update that broke it anyway. Here: https://forums.openvpn.net/viewforum.php?f=6 I had an issue with the upgrading from OpenVPN 2.3.10 to 2.3.11 a couple of years ago, and that was fixed in a RouterOS update. See: https:...
by Deantwo
Thu Jun 07, 2018 5:13 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 77797

Re: VPNfilter official statement

how to determine if my router is infected? Back in the Urgent security advisory , it was said that upgrading your RouterOS version would remove "the bad files" on the device. I have not heard anywhere that this is not the case for all RouterOS upgrades, so I would assume that it removes all unknown ...
by Deantwo
Tue May 29, 2018 10:54 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 77797

Re: VPNfilter official statement

Technical details of the worm here : https://blog.talosintelligence.com/2018/05/VPNFilter.html Funny how it says that it is hard to defend against it because it is hard to upgrade router firmware on the devices. I am quite happy with how extremely easy it is to upgrade RouterOS on a MikroTik device...
by Deantwo
Sun Mar 25, 2018 2:31 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

So this is why I have gotten notification emails from this thread all day. Sorry to hear you are shutting down Dave, but with what you explain it is understandable. I ended up making my own blacklist script last year, so I never actually used your service much more than as a test. But I at least want ...
by Deantwo
Tue Mar 13, 2018 11:48 am
Forum: General
Topic: RouterBOOT "auto-upgrade"!
Replies: 18
Views: 11179

Re: RouterBOOT "auto-upgrade"!

For example, just this week or so a change in 6.41 renumbered firmware to match the RouterOS release number. Except on older devices the upgrade firmware field showed up blank! This script would have looped forever, because the current firmware would never have matched the ("blank") upgrade firmwar...
by Deantwo
Tue Mar 13, 2018 10:38 am
Forum: General
Topic: Script adding upgrade source
Replies: 8
Views: 1819

Re: Script adding upgrade source

Found an interesting read on this subject.
It was said back in 2010 that you can set upgrade-package-source via the API.
Here: Re: upgrade-package-source
/system/upgrade/upgrade-package-source/add
I'll have to test this when I have time.
by Deantwo
Fri Mar 02, 2018 11:50 am
Forum: Scripting
Topic: How to write string to a file using script ?
Replies: 5
Views: 4968

Re: How to write string to a file using script ?

your script is not working Your comment is not helping. Jokes aside. Helps if you tell me how it isn't working or what is going wrong. You might need a delay between creating the file and changing the content. # Create a file with specific content. { # Variables. :local filename "test.txt" :local c...
by Deantwo
Wed Jan 17, 2018 4:11 pm
Forum: General
Topic: Block WinBox discovery from specific address
Replies: 7
Views: 1499

Re: Block WinBox discovery from specific address

I want to know if I can block the discovery from a specific address in my network so the router will be 10.0.0.1/24 my network is 10.0.0.0/24 but I will only see it in winbox from 10.0.0.10-10.0.0.20 all other computers in the network that aren't this address will not see it From the sound of it...
by Deantwo
Wed Jan 17, 2018 3:45 pm
Forum: General
Topic: How to communicate two networks one device?
Replies: 8
Views: 630

Re: How to communicate two networks one device?

so ? Src. Address: 192.168.10.0/24 Dst. Address: 50.60.40.0/24 Dst. Address: 192.168.10.0/24 Src. Address: 50.60.40.0/24 Yes. /ip firewall filter add action=accept chain=forward comment="Allow connection between LANs" disabled=no src-address=50.60.40.0/24 dst-address=192.168.10.0/24 place-before=0 ...
by Deantwo
Tue Jan 09, 2018 4:35 pm
Forum: General
Topic: Block WinBox discovery from specific address
Replies: 7
Views: 1499

Re: Block WinBox discovery from specific address

It isn't good enough to just block neighbor discovery from an interface? It has to be a specific IP address?
/ip neighbor discovery set [find name=ether1] discover=no

Alternatively I'll ask why it is all on the same network if it has to be separate. Wouldn't it be easier to set up VLANs?
by Deantwo
Tue Jan 09, 2018 4:19 pm
Forum: General
Topic: Issue with Getting DHCP IP using Bridge interface.
Replies: 5
Views: 3475

Re: Issue with Getting DHCP IP using Bridge interface.

name="bridge2-LAN" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled mac-address=D4:CA:6D:5A:55:09 protocol-mode=rstp priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m Did you add any ports to the bridge? name="dhcp1" i...
by Deantwo
Tue Jan 09, 2018 12:31 pm
Forum: General
Topic: How to communicate two networks one device?
Replies: 8
Views: 630

Re: How to communicate two networks one device?

that both a network and the other can access all its ports and ip addresses. That is the default on any router, there should be no issue with hosts on ether2 communicating with hosts on ether3. Unless you have firewall rules preventing the traffic. Or if the hosts are incorrectly configured on the ...
by Deantwo
Tue Jan 09, 2018 12:15 pm
Forum: General
Topic: double or triple NAT is bad?
Replies: 13
Views: 6092

Re: double or triple NAT is bad?

Old thread, but first google result on the topic. Another thing that makes many NAT routers a bad idea, is the fact each router performing NAT will have to keep a NATing table. It will take your router time to check the NAT table every time it has to forward a packet. Not to mention that in theory y...
by Deantwo
Tue Jan 09, 2018 11:31 am
Forum: General
Topic: no IKEv1 peer config for x.x.x.x [SOLVED]
Replies: 1
Views: 2822

Re: no IKEv1 peer config for x.x.x.x [SOLVED]

I found the issue. This is because the router is receiving IPsec requests from routers that aren't expected. The central router doesn't have an IPsec peer for the connecting client router. The sheer number of the log messages made me not even think about checking for old client routers with orphan IPs...
by Deantwo
Wed Jan 03, 2018 11:21 am
Forum: General
Topic: no IKEv1 peer config for x.x.x.x [SOLVED]
Replies: 1
Views: 2822

no IKEv1 peer config for x.x.x.x [SOLVED]

I just upgraded a central router that is running a lot of IPsec tunnels from RouterOS v6.36 to v6.40.5, but now I am getting a lot of IPsec log messages that don't quite make any sense to me. The tunnels appear to be working without issue, so it is mostly an annoyance. The log messages are: Jan/03/2...
by Deantwo
Thu Dec 28, 2017 1:30 pm
Forum: SwOS
Topic: Install SwOS on RouterOS [SOLVED]
Replies: 4
Views: 4461

Re: Install SwOS on RouterOS [SOLVED]

It worked nicely. I even found the option in the System -> Routerboard -> Settings menu of WinBox in case someone doesn't like to use the terminal.

But yes, please add that information to the manual page.
by Deantwo
Wed Dec 27, 2017 8:58 pm
Forum: SwOS
Topic: Install SwOS on RouterOS [SOLVED]
Replies: 4
Views: 4461

Re: Install SwOS on RouterOS [SOLVED]

Device already have RouterOS and SwOS, from RouterOS you can boot SwOS by typing in terminal:
/system routerboard settings set boot-os=swos
SwOS manual
It literally says that nowhere on the SwOS manual page. So thank you!
I will try it in the morning.
by Deantwo
Wed Dec 27, 2017 5:01 pm
Forum: SwOS
Topic: Install SwOS on RouterOS [SOLVED]
Replies: 4
Views: 4461

Install SwOS on RouterOS [SOLVED]

How do I install SwOS on a CRS326-24G-2S+ that has RouterOS installed? I have downloaded the swos-css326-2.7.bin file, but I have no idea what to do with it. RouterOS does not seem to detect the file on boot like it does RouterOS NPK-files. So how do I do this? Can I do it remotely? Do I have to use...
by Deantwo
Tue Aug 15, 2017 12:41 pm
Forum: General
Topic: Feature request: Netwatch parameters extension
Replies: 7
Views: 2336

Re: Feature request: Netwatch parameters extension

Bump.

Fully featured ping-like Netwatch would be very nice.
For example:
  • src-interface
  • src-address
  • routing-table
Quite tired of having to make a static route just to specify a source IP address.
by Deantwo
Fri Jul 14, 2017 4:06 pm
Forum: Announcements
Topic: v6.39.2 [current]
Replies: 122
Views: 35032

Re: v6.39.2 [current]

Problem already solved in v6.40rc now DPD logs have ipsec,debug topics.
Ah awesome, thank you. I guess I haven't tried the newest version of the release candidates.

I didn't even know those logs were from the DPD, but with the snippet I just got I can see that it is.
by Deantwo
Thu Jul 13, 2017 8:26 pm
Forum: Announcements
Topic: v6.39.2 [current]
Replies: 122
Views: 35032

Re: v6.39.2 [current]

Not really sure where is the problem, if you do not want to see ispec logs, then remove/disable this entry add action=ipsec topics=ipsec,!debug That would leave the logging action unused. IPsec logging messages used to have the topic "info,ipsec", which meant they would show up in the info log. I h...
by Deantwo
Thu Jul 13, 2017 4:16 pm
Forum: Announcements
Topic: v6.39.2 [current]
Replies: 122
Views: 35032

Re: v6.39.2 [current]

IPsec is still creating a lot of what looks like debug log messages. I have had this logging for a long time, but with the newer versions of RouterOS it is now useless. /system logging action add memory-lines=100 name=ipsec target=memory /system logging add action=ipsec topics=ipsec,!debug Now I jus...
by Deantwo
Thu Jul 06, 2017 11:29 am
Forum: General
Topic: Certificate Thumbprint [SOLVED]
Replies: 1
Views: 317

Certificate Thumbprint [SOLVED]

I seem to be unable to compare the certificate fingerprint in RouterOS with the certificate thumbprint found in the Windows Certificate Store. I am not fully versed in what the difference is between the two, but I am guessing RouterOS simply doesn't have the same kind of identifier? Is certificate t...
by Deantwo
Fri Jun 23, 2017 12:06 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

Minor typo in the 4th line. ##### Update your path, is you are using a USB Flash or other storage I am thinking you meant to say " if you are using" By the way, why is the default path "disk1/dynamic.rsc"? Anyway, fun fun. I hadn't tried this before: jun/23/2017 10:50:44 system,error,critical router...
by Deantwo
Tue Jun 13, 2017 3:13 pm
Forum: General
Topic: Best Way to Change Static IP Address Remotely
Replies: 5
Views: 1580

Re: Best Way to Change Static IP Address Remotely

Yeah, so I can set the WAN interface to have both the old and the new IP addresses at the same time. So in theory the ISP could just change the IP address of the gateway or whatever. Can you please elaborate on the scenario? I thought you were the ISP. I mean "suddenly change" as in the ISP change ...
by Deantwo
Mon Jun 12, 2017 1:01 pm
Forum: General
Topic: Best Way to Change Static IP Address Remotely
Replies: 5
Views: 1580

Re: Best Way to Change Static IP Address Remotely

It is possible to set multiple IP addresses on an interface in RouterOS, and I can set a second default gateway that will be ignored because an active route to that IP (0.0.0.0/0) already exists. The key point here is distance Yeah, but having two routes with the same distance still seems to only ma...
by Deantwo
Mon Jun 12, 2017 12:49 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

Hello Dave, The script has the ?, when pasted in terminal it disappears. The log only has an entry of- script error: expected command name (line 1 column 1) The downloaded dynamic.rsc only has one line- All fields are required. Please update your script. That would mean that you need the current sc...
by Deantwo
Mon Jun 12, 2017 10:26 am
Forum: General
Topic: Best Way to Change Static IP Address Remotely
Replies: 5
Views: 1580

Best Way to Change Static IP Address Remotely

I every so often get the task of preparing for a WAN IP address change on a remote router. Often the change happens outside of business hours, and we of course want the least amount of downtime. Failing at this could leave the router unreachable and require a technician to go to the location to manu...
by Deantwo
Mon May 22, 2017 1:44 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

1. Why there are 2 schedules? And if there are 2 it can't have the same name as in your example. /system scheduler add interval=1d name=UpdateBlackList on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \ start-date=jan/01/1970 start-time...
by Deantwo
Tue May 16, 2017 11:01 am
Forum: Announcements
Topic: v6.39.1 [current]
Replies: 158
Views: 36864

Re: v6.39.1 [current]

Upgrade 3x CCR1016-12G and my tunnels base on IPSec are down... I also upgraded a CCR1016-12G to RouterOS v6.39.1, and the IPsec tunnel stopped working. From what I could see in the Installed SAs , it was not receiving anything even though the other end was transmitting. Upgrading the router in the...
by Deantwo
Thu May 04, 2017 10:43 am
Forum: General
Topic: Multiple CA Certificates for OpenVPN
Replies: 3
Views: 801

Re: Multiple CA Certificates for OpenVPN

Or is it maybe possible to have multiple Ovpn Servers configured on the same router?
by Deantwo
Tue May 02, 2017 5:06 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

I think it is going wrong with the URL containing (maybe unknown) variables. Out of curiosity, what does your router say to the following if you paste it in the terminal? :put [/system resource get board-name] :put [/system resource get version] :put [/system resource get total-memory] :put [/syste...
by Deantwo
Tue May 02, 2017 11:14 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

Can you give me an update URL without or with preset variables? ... I think it is going wrong with the URL containing (maybe unknown) variables. Like this? /tool fetch mode=https dst-path="/dynamic.rsc" url="https://mikrotikfilters.com/download.php\?get=dynamic&model=750&version=6.39&memory=3355443...
by Deantwo
Tue May 02, 2017 10:43 am
Forum: Announcements
Topic: v6.40rc [release candidate] is released!
Replies: 231
Views: 45824

Re: v6.40rc [release candidate] is released!

*) ipsec - optimized logging under IPSec topic;
Hoping that means no more spammy "R_U_THERE" log messages.
Not sure when I can give this version a try though.
by Deantwo
Mon Apr 24, 2017 2:18 pm
Forum: General
Topic: v6.39rc80 [release candidate] is released!
Replies: 63
Views: 11001

Re: v6.39rc76 [release candidate] is released!

I am still receiving large amounts of spammy debug log messages while I have an active IPsec tunnel. 12:59:22 ipsec receive Information. 12:59:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 12:59:22 ipsec sendto Information notify. 12:59:22 ipsec sendto Information notify. 12:59:22 ipsec receive Informati...
by Deantwo
Wed Mar 22, 2017 10:46 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

Your issue is that the router simply didn't complete the download. Today's download is 603k. If it's getting out off, you may want to see if your ISP is trying to proxy ssl connections. Ok yeah, maybe I was a little hasty to my conclusion. I am able to download the file just fine from the company ne...
by Deantwo
Tue Mar 21, 2017 9:44 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

Something seems to have gone wrong. I am receiving incomplete "dynamic.rsc" files, ending in the middle of an address-list entry add command. Example: # Generated on Mon Mar 20 04:00:54 PDT 2017 by Intrus Technologies /ip firewall address-list add list=dynamicBlacklist address=1.10.16.0/20 timeout="...
by Deantwo
Tue Mar 14, 2017 10:14 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

And, if you are interested, here are my filter rules: /ip firewall address-list add address=172.16.0.0/16 list=PrivateIPs add address=10.0.0.0/8 list=PrivateIPs add address=192.168.0.0/16 list=PrivateIPs Found a little error in your provided example firewall. Incorrect netmask for the 172 private r...
by Deantwo
Tue Mar 14, 2017 9:50 am
Forum: Announcements
Topic: v6.38.5 [current]
Replies: 66
Views: 25690

Re: v6.38.5 [current]

Shouldn't these log messages be part of debug topic? 12:59:22 ipsec receive Information. 12:59:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 12:59:22 ipsec sendto Information notify. 12:59:22 ipsec sendto Information notify. 12:59:22 ipsec receive Information. 12:59:22 ipsec xxx.xxx.xxx.xxx notify: R_U...
by Deantwo
Thu Mar 09, 2017 5:13 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

As for the schedule, you will have to play with it. It was originally setup back when the routers didn't store the date and time over a reboot, so on first boot the date and time was "1970-01-01 00:00:00". RouterOS seems to have some issues with startup scripts, and I haven't had time to work out w...
by Deantwo
Thu Mar 09, 2017 4:45 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

I use the identity to group the routers for stats and troubleshooting. Example; all of my routers ID's start with "Intrus :: " this allows me to sort them and quickly track down problems. While it's not currently required, it really is the only method that I have to keep track of how many routers a...
by Deantwo
Thu Mar 09, 2017 4:33 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

When testing it I also found that the address-list entry timeout doesn't quite match up with what you say in the opening post. It states that the address-list entries are dynamic with a 48 hour timeout, but the file I am getting shows them having a 24 hour timeout. Shouldn't this at least be 25 hours...
by Deantwo
Thu Mar 09, 2017 2:35 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 106046

Re: Blacklist Filter update script

Looks like a very interesting system you got here. I know it has been running fine for soon 2 years I guess, but I do have a few small suggestions for your update script. You should escape the "?" in the URL ("\?") Add brackets around the script ("{ }") Add a ":put" with the script version for debug...
by Deantwo
Mon Jan 23, 2017 11:45 am
Forum: Scripting
Topic: Meaning of script
Replies: 1
Views: 610

Re: Meaning of script

/put "### Setting up hotspot ###" /ip hotspot add address-pool=[/ip pool get number=0 value-name=name] disabled=no idle-timeout=none interface=[/interface bridge get 0 value-name=name] name=hotspot-mywifi profile=profile-mywifi addresses-per-mac="" /delay 5s The " [/ip pool get number=0 value-name=...
by Deantwo
Mon Oct 17, 2016 1:32 pm
Forum: Scripting
Topic: count "unreplied" connections
Replies: 1
Views: 728

Re: count "unreplied" connections

I was just wondering about this myself.
It does not seem to be possible to find "unreplied" flags.
/ip firewall connection print count-only where unreplied
However find where assured is possible:
/ip firewall connection print count-only where assured
by Deantwo
Fri Sep 30, 2016 12:00 pm
Forum: Announcements
Topic: Winbox 3.6 released!
Replies: 25
Views: 9082

Re: Winbox 3.6 released!

*) fixed problem where initial configuration window was shown twice on first connect;
THANK YOU!
This will make mass configuration so much easier next time. ^^
by Deantwo
Thu Sep 29, 2016 12:46 pm
Forum: Scripting
Topic: Adding scheduler 'on-event' two line script problem.
Replies: 2
Views: 1141

Re: Adding scheduler 'on-event' two line script problem.

$api->comm('/system/scheduler/add', array( "name" => 'upgrade_system', "interval" => '5s', "on-event" => "/system scheduler remove upgrade_system. /system identity set name='system upgraded'" )); I am just about to attempt something similar in one of my applications, but your code here seems to be ...
by Deantwo
Mon Sep 19, 2016 5:05 pm
Forum: Announcements
Topic: v6.36.3 [current] is released!
Replies: 43
Views: 13519

Re: v6.36.3 [current] is released!

I've upgraded my RB433AH to v6.36.3 [current] is released, and now I see that the ports are on different group. ether1 PoE now is ether 2, ether2 now is ether1, just ether 3 is same. The new version did that or??? Thanks What version did you upgrade from? Did you confirm the default-names are th...
by Deantwo
Tue Sep 13, 2016 11:41 am
Forum: General
Topic: write a dynamic script?
Replies: 1
Views: 373

Re: write a dynamic script?

You should ask in the Scripting sub-forum instead. Or maybe a moderator can move this thread? Well, without a better example of the code you want to change, it will be a little hard to help. But it is possible to change a script using a script I guess. Something like this maybe: /system script :loca...
by Deantwo
Tue Sep 13, 2016 11:26 am
Forum: Scripting
Topic: How to add entries to SSH ACL
Replies: 2
Views: 714

Re: How to add entries to SSH ACL

To concatenate an element to an array, do this:
:put ({1;2;3} , 5 )
For more information, see: For your specific case, this should do:
/ip service
set ssh address=([get ssh address] , "2.2.2.0/24")
by Deantwo
Mon Sep 12, 2016 6:37 pm
Forum: General
Topic: looking for a little help
Replies: 3
Views: 602

Re: looking for a little help

yes but portting is not what we are trying. i have one ip (23.67.207.*) i need it to point our ip 23.67.207.* ------------------- 10.24.24.2 (dns) 10.24.24.3 (webber1) 10.24.24.4 webber2 10.24.24.5 webber3 10.24.24.6 webber4 Webber are server on our network, they have have to 443,80,25,etc open so ...
by Deantwo
Mon Sep 12, 2016 6:14 pm
Forum: Scripting
Topic: Netwatch...
Replies: 5
Views: 1075

Re: Netwatch...

Two default gateways with different distances do not always work as expected and has a few disadvantages: - you have to know the address of the default gateway and it has to be always the same If you are getting a default gateway via DHCP, you can specify the distance of it. For example: /ip dhcp-c...
by Deantwo
Fri Sep 09, 2016 9:45 am
Forum: Scripting
Topic: Wanting to send Backup to a VM running Linux needing help
Replies: 3
Views: 595

Re: Wanting to send Backup to a VM running Linux needing help

# FTP Backup (2014.10.21) { # Get and process time. :local timeString [/system clock get time] :set timeString ([:pick $timeString 0 2] . [:pick $timeString 3 5] . [:pick $timeString 6 8]) # Get and process date. :local dateString [/system clock get date] :set dateString ([:pick $dateString 7 11] ....
by Deantwo
Thu Sep 08, 2016 9:20 pm
Forum: Scripting
Topic: Wanting to send Backup to a VM running Linux needing help
Replies: 3
Views: 595

Re: Wanting to send Backup to a VM running Linux needing help

Setup a FTP server on the Linux machine and use the fetch command to upload the backup file. Like this: /tool fetch upload=yes mode=ftp address=1.1.1.1 user="USERNAME" password="PASSWORD" src-path="BACKUP.FILE" dst-path="BACKUP.FILE" See the wiki page for more details on how to use it. Here: http://...
by Deantwo
Thu Sep 08, 2016 4:50 pm
Forum: General
Topic: IPsec Between two Mikrotiks
Replies: 3
Views: 590

Re: IPsec Between two Mikrotiks

When you doing pings from router itself, specify correct source address. Like this: :ping 192.168.88.243 src-address=192.168.1.1 (If I got the IP addresses correct) Alternatively, try to ping from your computer rather than the router itself. Pinging from the router itself can cause some issues wh...
by Deantwo
Thu Sep 08, 2016 4:29 pm
Forum: Scripting
Topic: Second opinion on script
Replies: 2
Views: 593

Re: Second opinion on script

{ # Specify the BGP advertised subnet to check for :local subnet "10.2.0.0/20" # Specify the name of the VRRP interface to work with :local vrrpInterface1 "vrrp-v4" :local vrrpInterface2 "vrrp-v6" # Specify the priority the $vrrpInterface should get once the BGP routes are gone :local newPrio 50 # ...
by Deantwo
Thu Sep 08, 2016 4:15 pm
Forum: Scripting
Topic: Other variables pining
Replies: 4
Views: 603

Re: Other variables pining

Thank you for answering, but what I want is to get the average response time (avg-rtt)
I don't know if there is a way to get that.
But I know that it at least isn't possible with the ":ping" command, as I demonstrated above.
by Deantwo
Thu Sep 08, 2016 10:25 am
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 1155

Re: Cancel Paste to Terminal [SOLVED]

I think I just found the ultimate answer to this question of mine. /quit Using this in the terminal instantly disconnects you and stops further pasting. As an added bonus, it leaves the terminal window open, so you can actually see what happened and even give feedback to the user. So I wrote this in m...
by Deantwo
Wed Sep 07, 2016 5:58 pm
Forum: General
Topic: failure on import config file
Replies: 7
Views: 1179

Re: failure on import config file

You could just use the menu instead of the terminal, it is a bit easier. Once you actually made it work, export the RoMON configuration. /tool romon export This will give you the commands needed to apply it on another router. Apart from that I can't help much more, since I actually don't know what t...
by Deantwo
Wed Sep 07, 2016 5:13 pm
Forum: Scripting
Topic: Other variables pining
Replies: 4
Views: 603

Re: Other variables pining

Using the ping command like that in the terminal only returns the number of successful pings. For example this: [admin@MikroTik] > :global test [:ping 8.8.8.8 count=5] SEQ HOST SIZE TTL TIME STATUS 0 8.8.8.8 56 47 16ms 1 8.8.8.8 56 47 15ms 2 8.8.8.8 56 47 15ms 3 8.8.8.8 56 47 15ms 4 8.8.8.8 56 47 15...
by Deantwo
Wed Sep 07, 2016 4:55 pm
Forum: General
Topic: Undocumented feature (bug?) in script scheduler
Replies: 2
Views: 338

Re: Undocumented feature (bug?) in script scheduler

The name of the script was "disableNigthSurfing". When I changed the name of this script into "DenyNightSurfing", everything started to work fine. It is case sensitive, so maybe you had written "DisableNigthSurfing" in the scheduler? Without actually seeing the errored setup it is hard to know what...
by Deantwo
Wed Sep 07, 2016 4:45 pm
Forum: General
Topic: failure on import config file
Replies: 7
Views: 1179

Re: failure on import config file

"failure: can not have multiple enabled entries with same interface" Can't have two entries with the same interface. Sounds pretty self explanatory. Check if there isn't an entry defined with "interface=all" by default, and if there is, simply remove that line from your configuration. Alternatively...
by Deantwo
Wed Sep 07, 2016 12:54 pm
Forum: General
Topic: looking for a little help
Replies: 3
Views: 602

Re: looking for a little help

Does the router have a masquerade NAT rule?
Have you port forwarded to the servers?

For information, see:
by Deantwo
Tue Sep 06, 2016 4:50 pm
Forum: General
Topic: Multiple CA Certificates for OpenVPN
Replies: 3
Views: 801

Multiple CA Certificates for OpenVPN

Is it at all possible to use two different certificates at the same time in RouterOS's Ovpn Server implementation? I am attempting to phase out an old CA and replace it with a new one slowly, but I can't seem to find a way to do this without using a second router. On the OpenVPN forum it was suggest...
by Deantwo
Tue Sep 06, 2016 4:02 pm
Forum: Scripting
Topic: How to write string to a file using script ?
Replies: 5
Views: 4968

Re: How to write string to a file using script ?

# Create a file with specific content. { # Variables. :local filename "test.txt" :local content "This is a test." # Create file. /file print file=$filename # Set file's content. /file set $filename contents=$content } Be aware that there is a maximum file size that RouterOS will allow you to access...
by Deantwo
Tue Sep 06, 2016 3:49 pm
Forum: Scripting
Topic: /system upgrade upgrade-package-source
Replies: 2
Views: 1495

Re: /system upgrade upgrade-package-source

It is impossible to do this using a script. The only ways to configure upgrade-package-source is by copy-pasting to terminal or using the WinBox interface. For more information, see: http://forum.mikrotik.com/viewtopic.php?f=2&t=26108 . To add it using copy-paste, do the following: /system upgrade u...
by Deantwo
Tue Sep 06, 2016 3:43 pm
Forum: Scripting
Topic: Netwatch...
Replies: 5
Views: 1075

Re: Netwatch...

Of course, the netwatch is able to reach 8.8.8.8 through the second link, so it is "up" again. You cannot specify an out-interface using netwatch. It would be much easier to just make two default routes. Like this: /ip route add distance=1 gateway=1.1.1.1%Wan1 check-gateway=ping add distance=2 gatew...
by Deantwo
Tue Sep 06, 2016 3:33 pm
Forum: General
Topic: port forward lost source ip
Replies: 3
Views: 769

Re: port forward lost source ip

the port forward is ok but all ssh request have source ip 192.168.10.1 . is possible preserve original public ip that request ssh (ex 3.3.3.3 to 192.168.10.200) Sounds like your masquerade rule is the cause. You should only let the masquerade rule apply to traffic leaving your WAN interface. For ex...
by Deantwo
Tue Sep 06, 2016 2:56 pm
Forum: Scripting
Topic: failover two wan + routing policy
Replies: 4
Views: 1025

Re: failover two wan + routing policy

I would use this script for failover http://wiki.mikrotik.com/wiki/Failover_Scripting Is there any reason you aren't just using that then? Even more so the corrected version I already gave you. See: http://forum.mikrotik.com/viewtopic.php?f=9&t=109691#p544520 i need that all connection go to wan1 e...
by Deantwo
Mon Sep 05, 2016 1:07 pm
Forum: Scripting
Topic: c# api command to update the hotspot user pless
Replies: 1
Views: 598

Re: c# api command to update the hotspot user pless

Which C# API? Update a hotspot user in what way? What is it you want to change? The API commands you'll likely need are something like this: "/ip/hotspot/set" "=.id=" + userId "=password=" + newPassword "=email=" + newEmail ".tag=deantwowashere" The ".id" is used to specify what user you want to chan...
by Deantwo
Mon Sep 05, 2016 12:09 pm
Forum: Announcements
Topic: Winbox 3.5 released!
Replies: 20
Views: 9495

Re: Winbox 3.5 released!

I just finished configuring a large batch of routers, all of which opened two "RouterOS Default Configuration" dialog boxes.
This is not a new problem though, as it was also there before the v3.5 update.

Anyone else seeing this after resetting the configuration of a router?
by Deantwo
Mon Aug 29, 2016 2:06 pm
Forum: Announcements
Topic: v6.36.2 [current] is released!
Replies: 54
Views: 14976

Re: v6.36.2 [current] is released!

You should maybe move that wiki page to "Manual:Fasttrack" instead, the multiple instances of the word "wiki" look silly. Or maybe "Manual:Firewall/Fasttrack" would be better?

Also, why doesn't the page explain how to disable fasttrack?
by Deantwo
Mon Aug 29, 2016 12:49 pm
Forum: Scripting
Topic: Scripting Ideas ??
Replies: 25
Views: 3464

Re: Scripting Ideas ??

Hi Sinan, i need help with this script: :local phone "android"; :local telefon value=[/ip dhcp-server lease find dynamic=yes host-name~$phone]; :foreach looping in=$telefon do={ :local mac value=[/ip dhcp-server lease get $looping value-name=active-mac-address]; /ip firewall filter add chain=forwar...
by Deantwo
Mon Aug 22, 2016 12:49 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 8
Views: 2487

Re: Making Imported Certificate into a Certificate Authority

Ok, I seem to have found the issue. The old third-party certificate program that I have been using for the past 6 years doesn't actually check certificate KeyUsage bits. So in short, my CA doesn't have the KeyCertSign KeyUsage bit set! MikroTik is doing the correct thing in disallowing my certific...
by Deantwo
Mon Aug 22, 2016 12:43 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 8
Views: 2487

Re: Making Imported Certificate into a Certificate Authority

Ok, been doing some more research and testing of older RouterOS versions. RouterOS was seemingly not able to make/issue certificates before around version 6.10. The checkbox that was labeled "CA" seems to have just been "Trust" before it was renamed in version 6.3. I have attempted to import my CA on...
by Deantwo
Fri Aug 19, 2016 1:17 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 8
Views: 2487

Re: Making Imported Certificate into a Certificate Authority

My current workaround has been to create a new self-signed certificate as CA and use that for all future certificate issuing, then leave the old imported CA along side it as backward compatibility until the day I can phase it out. Mmh, this may not be a valid solution anyway. It doesn't appear to b...
by Deantwo
Thu Aug 18, 2016 2:10 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 8
Views: 2487

Re: Making Imported Certificate into a Certificate Authority

AFAIK you CAN generate a self signed CA, but you need to generate it on the router itself.
Then it will show up as a CA.
Yeah that is what I mean.

I can however create a self-signed certificate on one router, export it, and import it into another router while still having it keep the CA status.
by Deantwo
Thu Aug 18, 2016 12:28 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 8
Views: 2487

Re: Making Imported Certificate into a Certificate Authority

But they still work. If you have a trusted CA imported as a simple certificate, it will still verify e.g. a remote SSTP certificate, it just will not show up as a CA. True, it has been working for a long time now like this. However now I actually want to use the certificate as a CA by issuing certi...
by Deantwo
Thu Aug 18, 2016 8:09 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: hotspot & queues user speed limit after x download scripts

I have just never used simple queues, and haven't had time recently to look into it.
I am however sure that someone else has done this before, or maybe simple queues can do this with built-in features?
by Deantwo
Tue Aug 16, 2016 10:12 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user to limit user download

hello Deantwo i hope ur fine
i have a request
can u do the same script for pppoe ?
What does PPPoE have to do with Hotspot Users?
But maybe, will have to look at it when I have time.
by Deantwo
Fri Aug 12, 2016 1:08 pm
Forum: General
Topic: Removing (deleting) issued certificates
Replies: 3
Views: 8379

Re: Removing (deleting) issued certificates

The wiki states this. Here: http://wiki.mikrotik.com/wiki/Manual:System/Certificates#FAQ No idea why it is like this. I can't create a new certificate with the same name as a revoked certificate, unless I renamed the revoked certificate first. But either way, this will end up cluttering the certific...
by Deantwo
Thu Aug 11, 2016 5:02 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 8
Views: 2487

Re: Making Imported Certificate into a Certificate Authority

Looking a little more around on the forum, and there really is no good search results for "Certificate Authority". Testing a little with my certificate and comparing it to a self-signed certificate on a MikroTik, I only see a difference between the two certificates on the "Key Usage" tab. More speci...
by Deantwo
Thu Aug 11, 2016 4:43 pm
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 1155

Re: Cancel Paste to Terminal [SOLVED]

Anyway, this is a little off topic. ^^; Why is this off topic? When the reset-configuration would be able to import a .rsc file with slight problems, your whole issue of pasting text in a window would not exist! Ah, now I see what you mean. I have been thinking about that, but like I wrote above, t...
by Deantwo
Thu Aug 11, 2016 4:04 pm
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 1155

Re: Cancel Paste to Terminal [SOLVED]

Not being able to import a .rsc file if it has even the slightest error is a problem that I have raised as an issue again, and the reply is that they are looking into a solution for that. Also a method of reporting errors in the processing (while continuing with the next statement) E.g. when you tr...
by Deantwo
Thu Aug 11, 2016 3:14 pm
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 1155

Re: Cancel Paste to Terminal [SOLVED]

Embed your configuration and interruption code in a /system script and execute this script as last part of your to-be-pasted text. That would only work if the whole configuration script is error-free. Pasting to terminal gives you the advantage of allowing errors in the script, which can be useful ...
by Deantwo
Thu Aug 11, 2016 11:45 am
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 1155

Cancel Paste to Terminal [SOLVED]

I have a rather long initial router configuration script that is used to set up new routers. The script assumes that the router is void of any configuration and all you have to do is set a few variables at the top and then paste the whole script into the terminal. Sometimes the technician that is t...
by Deantwo
Wed Aug 10, 2016 5:03 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 8
Views: 2487

Making Imported Certificate into a Certificate Authority

After fiddling with how to actually import a certificate for a while, I am now ready to use it. Or so I thought. It turns out that MikroTik doesn't consider my certificate an "authority", even though it has been used for that for a good number of years outside of MikroTik. The http://wiki.mikrotik....
by Deantwo
Wed Aug 10, 2016 4:39 pm
Forum: General
Topic: Importing PKCS#12 Certificate [SOLVED]
Replies: 1
Views: 1885

Re: Importing PKCS#12 Certificate [SOLVED]

I managed to import the certificate by... well... I actually didn't manage to import the PKCS#12 certificate, I had to instead use a PEM certificate. [admin@MK] > certificate [admin@MK] /certificate> import file-name=ca.pem passphrase=1234 certificates-imported: 1 private-keys-imported: 0 files-impo...
by Deantwo
Tue Aug 09, 2016 4:04 pm
Forum: General
Topic: Importing PKCS#12 Certificate [SOLVED]
Replies: 1
Views: 1885

Importing PKCS#12 Certificate [SOLVED]

I have a PKCS#12 certificate that I would like to import into my MikroTik router, but it simply fails with "decryption-failures: 1" and nothing else. I know the passphrase is correct, because I wrote it myself and am able to install the certificate on my Windows computer without issue. I have been s...
by Deantwo
Wed Aug 03, 2016 12:12 pm
Forum: General
Topic: shared openvpn server with differents sub-network
Replies: 1
Views: 284

Re: shared openvpn server with differents sub-network

I use static IP addresses on my OpenVPN secrets, so there it is very easy to just make firewall rules to limit what each OpenVPN user can access. I have not attempted to use DHCP on OpenVPN tunnels yet, so I do not know if that is possible. But I think it would be possible if you just make sure that...
by Deantwo
Thu Jul 28, 2016 3:28 pm
Forum: Scripting
Topic: Problem with Script On Login
Replies: 4
Views: 975

Re: Problem with Script On Login

The issue seems to be that $"mac-address" is a system variable, and system variables can act VERY odd. If you put it into a local variable right away it seems to work much better. Try this: /ip hotspot user {    :local macA $"mac-address"    :local dateToday [/system clock get date]    :put $macA  ...
by Deantwo
Thu Jul 21, 2016 11:50 pm
Forum: Scripting
Topic: Run backup file by script
Replies: 7
Views: 2509

Re: Run backup file by script

Here's mine.  Backup and export, and E-Mail both to one of my addresses.
I don't how that is related to OP's problem.
The OP is trying to do the opposite of what your script does.

I think.
by Deantwo
Thu Jul 21, 2016 3:52 pm
Forum: General
Topic: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled
Replies: 9
Views: 1636

Re: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled

When I write IP Tunnel or GRE Tunnel I mean: IP Tunnel or GRE Tunnel.
I honestly don't know how that would require further explanation or would suggest EOIP Tunnel.
I just don't know much about those two, and guess I was confused.
Anyway, I will look into it, thanks.
by Deantwo
Thu Jul 21, 2016 11:35 am
Forum: General
Topic: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled
Replies: 9
Views: 1636

Re: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled

Not with only that config, because it will only handle the traffic for that /30. But with that, you can add an IP Tunnel or GRE Tunnel interface with endpoints from that /30 on both sides, and then you have a plain interface that can route all IP traffic depending on the contents of the route table...
by Deantwo
Thu Jul 21, 2016 10:37 am
Forum: General
Topic: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled
Replies: 9
Views: 1636

Re: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled

To explain: you can add another IPsec policy (first) that specifies 172.16.14.0/24 as source and destination and has the setting action=none. I know OP figured it out, but I just wanna give a code sample so people know what to do in the future. Since I just had the same problem yesterday. /ip ips...
by Deantwo
Wed Jul 20, 2016 11:39 am
Forum: Scripting
Topic: Help me to complete the script
Replies: 6
Views: 988

Re: Help me to complete the script

The script already has a loop but you pass the wrong info to the SMS tool. It should be phone-number=$r You are correct. But it also seems like the array isn't being defined correctly since the foreach treats it as one long string. Array elements have to be separated with semi-colons when being def...
by Deantwo
Wed Jul 20, 2016 11:30 am
Forum: Scripting
Topic: problem using mikrotik api
Replies: 1
Views: 490

Re: problem using mikrotik api

I am guessing you didn't read anything about how the MikroTik API works at all. If you are gonna be using the API, I suggest you give the manual page a read before continuing. You can find it here: wiki.mikrotik.com/wiki/Manual:API mikrtoik->comm('/ip/hotspot/active/remove/numbers=[/ip/hotspot/activ...
by Deantwo
Wed Jul 20, 2016 11:08 am
Forum: Scripting
Topic: failover script
Replies: 4
Views: 1353

Re: failover script

hello, thanks for suggestion... but the script don't work. I have this error: :set PingResult [ping $PingTarget count=1 interface=$InterfaceISP2] syntax error (line 1 column 6) any suggestion? Did you define PingResult first? If you wanna use this script in the console, you need to add { } around t...
by Deantwo
Fri Jul 01, 2016 1:50 pm
Forum: Scripting
Topic: Scripting Ideas ??
Replies: 25
Views: 3464

Re: Scripting Ideas ??

but I would like to sent them to upstream provider blackhole :) Weird way of doing it, but ok. Try this: {    :local ddosedList [/ip firewall address-list find list=ddosed]    :foreach ddosedEntry in=$ddosedList do={        :local ddosedIp [/ip firewall address-list get $ddosedEntry address]       ...
by Deantwo
Fri Jul 01, 2016 11:08 am
Forum: Scripting
Topic: Scripting Ideas ??
Replies: 25
Views: 3464

Re: Scripting Ideas ??

some script will take ddosed ip's from /ip firewall address-list and will add this to black hole like this /ip route add bgp-communities=1111:333 comment=ddosed distance=1 dst-address="$id/32" type=blackhole i would like to run this every 5min and it will check again if ip removed from ddosed it wi...
by Deantwo
Thu Jun 30, 2016 4:48 pm
Forum: Scripting
Topic: Scripting Ideas ??
Replies: 25
Views: 3464

Re: Scripting Ideas ??

can you help me for some scripting ?
What are you looking for?
by Deantwo
Thu Jun 30, 2016 9:56 am
Forum: Scripting
Topic: Music to my ears
Replies: 3
Views: 3329

Re: Music to my ears

Ooh looks awesome. But I probably shouldn't try those during work hours. ^^; All I have made is this: # Morse code: IDIOT { :local dot 200ms :local dash 600ms :beep length=$dot :delay $dot :beep length=$dot :delay $dash :beep length=$dash :delay $dot :beep length=$dot :delay $dot :beep length=$dot :...
by Deantwo
Thu Jun 30, 2016 9:47 am
Forum: Scripting
Topic: Customer have a power for change his password
Replies: 7
Views: 991

Re: Customer have a power for change his password

You could make your own PHP script that uses the MikroTik API.

See: But unless you are a web developer, it may be easier to go with the Usermanager as normis said.
by Deantwo
Thu Jun 30, 2016 9:34 am
Forum: Scripting
Topic: Run backup file by script
Replies: 7
Views: 2509

Re: Run backup file by script

The full command as below /user add name=admin1 group=full /system backup  save name=emac dont-encrypt=yes password=P@ssword /system ssh address=192.168.88.1 user=admin1 "/system backup load name=emac.backup password=P@ssword Run fine in terminal command, but cant to use "/system ssh" from a script...
by Deantwo
Wed Jun 29, 2016 4:13 pm
Forum: Scripting
Topic: Automated Script for Checking PPPoE Client Status
Replies: 2
Views: 5574

Re: Automated Script for Checking PPPoE Client Status

At a glance it would seem like the first script (DSL CHECK STATUS START) goes into an endless loop until it detects a failure, and that is without having fully looked at how the flow goes if it does detect a failure. Looking at the "System -> Scripts -> Jobs tab" menu must be scary. Why are you doin...
by Deantwo
Wed Jun 29, 2016 4:03 pm
Forum: Scripting
Topic: Run backup file by script
Replies: 7
Views: 2509

Re: Run backup file by script

I do not believe it is possible to use "/system ssh" from a script, since it will prompt for a password. Much like the same issues with upgrade-package-source. Running a script containing: /system ssh 127.0.0.1 "/ip address print" user=admin Seems to fail silently. The log throws an error when I a...
by Deantwo
Wed Jun 29, 2016 2:33 pm
Forum: Scripting
Topic: Global variables and user permission Policy
Replies: 7
Views: 1868

Re: Global variables and user permission Policy

if possible, it would be a nice idea to try that solution. # Load variables from static DNS. :global bandwidthsource :global switchseconds :if ([:len $bandwidthsource] = 0 || [:len $switchseconds] = 0) do={    /ip dns static {        :set bandwidthsource        :set switchseconds        :local code...
by Deantwo
Wed Jun 29, 2016 11:14 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 2305

Re: Can't change Global variable with API

Something as simple as: :global stat "test" :log warning $stat :beep Seems to fail to actually create the global variable. Almost as if it is treated as a local variable. This seems to just fail to run: :set stat "test" :log warning $stat :beep Even if the global variable exists. So is there some spec...
by Deantwo
Wed Jun 29, 2016 10:59 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 2305

Re: Can't change Global variable with API

Ok, Finally got to test it using the API, and I am able to reproduce your issue. But I have to fiddle a little with users and permissions to test it fully. Script I am using: :global stat {    :if ($stat=1) do={        :set stat 0        :beep length=1    } else={        :set stat 1        :beep len...
by Deantwo
Wed Jun 29, 2016 10:41 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 2305

Re: Can't change Global variable with API

The $s are correct, the "if" statement however was missing a space. How comes the following statements (with and without $ ) are both correct? {:set $stat 0} {:set stat 1} I don't know, but according to the manual and my experience, when you set or define a variable you should not prefix it with a $...
by Deantwo
Wed Jun 29, 2016 9:50 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 2305

Re: Can't change Global variable with API

I try the run a script with API and the variable is modify by the script.. not to use api to modify the  variable ... I went by the title of your thread when I quoted that, sorry. So are you even sure that the script is even run? What is the code you use to run the script? To run a script in one of...
by Deantwo
Wed Jun 29, 2016 9:46 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 2305

Re: Can't change Global variable with API

:if($stat=1)  do={:set $stat 0} else={:set stat 1} Not sure it is important, but the use of $ sign here looks inconsistent. The $s are correct, the "if" statement however was missing a space. This works: :global stat { :if ($stat=1) do={:set $stat 0} else={:set stat 1} :put $stat } .I miss a "blank"...
by Deantwo
Wed Jun 29, 2016 8:33 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 2305

Re: Can't change Global variable with API

What permissions does the API user have?
What permissions does the script have?
Which user is the owner of the script?

We just talked about this in another thread.
Here: http://forum.mikrotik.com/viewtopic.php?f=9&t=109696
by Deantwo
Wed Jun 29, 2016 8:31 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 2305

Re: Can't change Global variable with API

What about
/set
=name=status
=value=1465304159
(assuming the variable already exists)

or
/global
=name=status
=value=1465304159
(if it doesn't)
by Deantwo
Wed Jun 29, 2016 8:20 am
Forum: Scripting
Topic: Script read variable after reboot
Replies: 3
Views: 1017

Re: Script read variable after reboot

You could save the counter in a comment somewhere.
by Deantwo
Wed Jun 29, 2016 7:40 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user to limit user download

Can you make me Script. Can disable active port in dhcp-client ?
Suggest you make a new thread and give more details as to what you mean.
by Deantwo
Wed Jun 29, 2016 2:39 am
Forum: Scripting
Topic: Global variables and user permission Policy
Replies: 7
Views: 1868

Re: Global variables and user permission Policy

Script seems harmless and simple. One thing you could do is save the two variables as a static DNS entry instead. Simply make the first oct 127, "bandwidthsource" as the comment and "switchseconds" as the last oct, then save it as "whatever.localhost". I'll give a code example in the morning if you ...
by Deantwo
Tue Jun 28, 2016 4:18 pm
Forum: Scripting
Topic: Global variables and user permission Policy
Replies: 7
Views: 1868

Re: Global variables and user permission Policy

It would be useful to know which version of RouterOS you are using. What part of your script is it that fails? Scripts, global variables and schedulers all have an "owner". This owner is commonly set to the user that created the object, or the last user that edited the object. In older versions of R...
by Deantwo
Tue Jun 28, 2016 3:56 pm
Forum: Scripting
Topic: Script runs on terminal but not from Scheduler
Replies: 4
Views: 815

Re: Script runs on terminal but not from Scheduler

The "numbers" parameter is used to specify which routing entry to alter, and it actually works. Wrong. It only works if print command has previously been issued in the same console session (and in the same context), and is expected to fail otherwise. The print command [temporarily] assigns these nu...
by Deantwo
Tue Jun 28, 2016 3:17 pm
Forum: Scripting
Topic: Script runs on terminal but not from Scheduler
Replies: 4
Views: 815

Re: Script runs on terminal but not from Scheduler

The "numbers" parameter is used to specify which routing entry to alter, and it actually works. The problem is that the route that has the ID number 2 may change. If what you want to change is always the default gateway, I suggest doing this instead: :if ([:ping 8.8.8.8 interface=ether1-Cyta_Route...
by Deantwo
Tue Jun 28, 2016 10:08 am
Forum: Scripting
Topic: failover script
Replies: 4
Views: 1353

Re: failover script

Yeah, it seems that the find statement returned non-static route entries. Why would "[/ip route find static]" return non-static route entries? Try replacing all "static" with "!dynamic" and it may work. Like this: # ------------------- header ------------------- # Script by Tomas Kirnak, version 1.0...
by Deantwo
Mon Jun 27, 2016 8:05 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: RE: Re: how to make user bytes out statistics calculate with active user

I can make a script for you to change his profile to slower one after kicking him out what u want can be done but it is not easy .. Dears Please i want trying this script When the users have 2 giga(example) the scriot change it to another slow profile The above two scripts I posted do this. Here: h...
by Deantwo
Thu Jun 23, 2016 4:14 pm
Forum: Scripting
Topic: Start via script
Replies: 2
Views: 634

Re: Start via script

after reset? ... asks if I want to accept the factory setting, this prevents running script? If the router has been factory reset, then there is nothing on the router. Files are however not deleted. You can make the router import a script file after resetting the configuration. Similar to the "/imp...
by Deantwo
Thu Jun 23, 2016 3:54 pm
Forum: General
Topic: IPsec Dead Peer Detection Best Practice
Replies: 3
Views: 4363

Re: IPsec Dead Peer Detection Best Practice

What model of central router you use?
Not sure how that is important to know for a question about best practice.
But sure, central router is:
  • RB1100AHx2
The satellite routers mainly consist of:
  • RB750
  • RB2011iL
by Deantwo
Mon Jun 13, 2016 5:06 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user to limit user download

Ok, with all that nonsense settled. Try this AYcoo: # Checks if limited users has reached the limit, if they have then set them to be limited slow state. # Run this script every few minutes. /ip hotspot user { # Variables:     :local limitedProfile "Limited"     :local limitedSlowProfile "LimitedSlo...
by Deantwo
Mon Jun 13, 2016 5:03 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user to limit user download

Maybe try not to use variables with the same name as internal properties and variables.
Yeah, that is my guess.
I have just never had an issue with this before.
No clue why it is acting this weird about it either.

An error message would be lovely in this case, "cannot use reserved variable name".
by Deantwo
Mon Jun 13, 2016 4:52 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user to limit user download

Tested code from the last post on v6.34.5. Works as it should. I am testing on v6.35, but having weird result from the foreach while the loop variable is named "user". If I change the name of the variable to "t" it works as expected. Can you try this: I have two users "user1" and "user2" Both users...
by Deantwo
Mon Jun 13, 2016 4:14 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user to limit user download

[localhost] /ip hotspot user> # Variables: [localhost] /ip hotspot user> :global limitedProfile "Limited" [localhost] /ip hotspot user> # Code: [localhost] /ip hotspot user> /ip hotspot user { {...     :local userList [find profile=$limitedProfile] {...     :foreach user in=$userList do={ {{...    ...
by Deantwo
Mon Jun 13, 2016 3:52 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user

i have two routers i tested it in both , can any one try this maybe he will get difference result  Can you try running this and giving me the result if it fails? # Variables: :global limitedProfile "Limited" # Code: /ip hotspot user {    :local userList [find profile=$limitedProfile]    :put $userL...
by Deantwo
Mon Jun 13, 2016 3:15 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user

One thing I don't know is whether the "hotspot active user" byte values are for that one session or a total for that user. For example, if a user logs in, downloads 5 bytes, then logs out and logs in again and then downloads another 7 bytes, what will each counter say? My guess is that the "hotspot user" user w...
by Deantwo
Mon Jun 13, 2016 10:58 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 5366

Re: how to make user bytes out statistics calculate with active user

I don't have a way to test "hotspot active user" values, hence why the script I wrote uses the "hotspot user" values. From what I can see "hotspot active user" has a "user" value with the username of the user. So making the script check that user and/or log out that user shouldn't be that hard. Thin...
by Deantwo
Thu Jun 02, 2016 5:50 pm
Forum: Scripting
Topic: Order Simple Queue by IP Addresses
Replies: 9
Views: 1686

Re: Order Simple Queue by IP Addresses

a script to order a Simple queue by ip addresses? What do you mean by "order"? You mean you want to print them sorted by IP address? Why? Order by IP, you can move or sorted by IP but we want order by IP I still don't know what you mean. What do you mean by "order"? What are you trying to get? I do...
by Deantwo
Tue May 31, 2016 9:29 am
Forum: General
Topic: Command Line Reset with External Run After Reset File?
Replies: 32
Views: 2484

Re: Command Line Reset with External Run After Reset File?

The terminal in winbox is different. It works for me every time. It only gets the errors via serial. Ah, I don't believe you mentioned this before. In that case, the error messages would help even more. I don't really have access to a router with serial, so I can't test it. But I was wondering, wou...
by Deantwo
Tue May 31, 2016 9:17 am
Forum: General
Topic: Command Line Reset with External Run After Reset File?
Replies: 32
Views: 2484

Re: Command Line Reset with External Run After Reset File?

/ip pool add name=pool1 ranges=192.168.1.2-192.168.1.254 /ip dhcp-server add address-pool=pool1 disabled=no interface=ether2 lease-time=3d name=server1 /ip address add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 /ip dhcp-server network add address=192.168.1.0/24 dns-server=192.168.1...
by Deantwo
Tue May 31, 2016 9:14 am
Forum: General
Topic: Command Line Reset with External Run After Reset File?
Replies: 32
Views: 2484

Re: Command Line Reset with External Run After Reset File?

Another stupid question, what router model are you using?
The router does have two ethernet ports, right?
by Deantwo
Tue May 31, 2016 8:32 am
Forum: General
Topic: Command Line Reset with External Run After Reset File?
Replies: 32
Views: 2484

Re: Command Line Reset with External Run After Reset File?

They are different each time. Can someone try it and see if they are also getting errors? So, let me just guess. "No such item" "Item already exists" Am I close? I can only really guess while I am not at my desk. Even if they are different every time, it would help A LOT to know what the errors are...
by Deantwo
Tue May 31, 2016 8:07 am
Forum: General
Topic: Command Line Reset with External Run After Reset File?
Replies: 32
Views: 2484

Re: Command Line Reset with External Run After Reset File?

I'm trying to paste this script into the router via the serial connection, and I keep getting errors.
Maybe this question is super stupid, but what are the errors you are getting? And at which lines?
by Deantwo
Mon May 30, 2016 9:00 pm
Forum: General
Topic: Command Line Reset with External Run After Reset File?
Replies: 32
Views: 2484

Re: Command Line Reset with External Run After Reset File?

let's say the file you want to upload to the router via serial
I don't think you can actually transfer the file through the serial connection.
by Deantwo
Mon May 30, 2016 4:51 pm
Forum: Scripting
Topic: Problem with fetch upload on FTP
Replies: 4
Views: 1538

Re: Problem with fetch upload on FTP

[admin@TEST_RB] >:delay 5; status: finished -- [Q quit|D dump|C-z pause] [admin@TEST_RB] > elay 10;se] bad command name elay (line 1 column 1) [admin@TEST_RB] > [admin@TEST_RB] > /file remove export.rsc; When you use ":delay" in the CLI without having the script in { } the delays may break the past...
by Deantwo
Mon May 30, 2016 4:44 pm
Forum: Scripting
Topic: Monitor 2 remote routers
Replies: 3
Views: 666

Re: Monitor 2 remote routers

Not 100% sure what you are looking to do, but you can use a netwatch to monitor the connection to a network device, can even set a ping timeout it seems. See: wiki.mikrotik.com/wiki/Manual:Tools/Netwatch It can be set up to execute a script when the connection goes down or comes back up. With that y...
by Deantwo
Mon May 30, 2016 4:35 pm
Forum: Scripting
Topic: Order Simple Queue by IP Addresses
Replies: 9
Views: 1686

Re: Order Simple Queue by IP Addresses

a script to order a Simple queue by ip addresses?
What do you mean by "order"?
You mean you want to print them sorted by IP address? Why?
by Deantwo
Mon May 30, 2016 3:43 pm
Forum: General
Topic: Command Line Reset with External Run After Reset File?
Replies: 32
Views: 2484

Re: Command Line Reset with External Run After Reset File?

What would the command line for uploading a file from your pc to the mikrotik look like? RouterOS has both an FTP server and an FTP client built in. To use the FTP client you can use the "/tool fetch" command. See: wiki.mikrotik.com/wiki/Manual:Tools/Fetch Otherwise you can connect to the router's FT...
by Deantwo
Mon May 30, 2016 3:02 pm
Forum: General
Topic: Fetch file and perform a MD5 calculation
Replies: 4
Views: 941

Re: Fetch file and perform a MD5 calculation

This may be a stupid question, but what MD5 do you wanna compare it to? Unless you also fetch the MD5 checksum in a separate file, which an attacker could just include in his attack, it makes no sense to do this anyway. If you already know the MD5 hash ahead of time, then you must know the content o...
by Deantwo
Mon May 30, 2016 2:34 pm
Forum: General
Topic: IPsec Dead Peer Detection Best Practice
Replies: 3
Views: 4363

IPsec Dead Peer Detection Best Practice

I have a large number of IPsec tunnels in my network, which consist of only MikroTik routers. Commonly it is all made as one central-router which the "satellite"-routers connect to. There are main ways of setting up the IPsec policies and peers, such as dynamic policies and what not. I chose a while ...
by Deantwo
Fri May 27, 2016 2:26 pm
Forum: Scripting
Topic: how can i limit users according to amount of download ?
Replies: 32
Views: 5683

Re: how can i limit users according to amount of download ?

i think we should use active user output because user state doesn't refresh until user logout updated it worked now but the only problem is we have to use active user state because it is refreshing all time unlike user state can u change this ? i forgot to mintion that user must logout in order to ...
by Deantwo
Fri May 27, 2016 12:10 pm
Forum: Scripting
Topic: how can i limit users according to amount of download ?
Replies: 32
Views: 5683

Re: how can i limit users according to amount of download ?

user profile name = slow tell me the name of the property that has the "total-bytes" on the User = maybe pic will help Ok, I think I got it. I don't have a way to test it in a live environment, but it should work. I suggest you make another User Profile and assign all users that should be affected ...
by Deantwo
Fri May 27, 2016 10:10 am
Forum: Scripting
Topic: how can i limit users according to amount of download ?
Replies: 32
Views: 5683

Re: how can i limit users according to amount of download ?

is there a way ?? this maybe help http://forum.mikrotik.com/viewtopic.php?t=100323 should i downgrade? As said in that thread, you have to control the Hotspot Users rather than the queues. The queues are dynamically created and changed when the user is changed. I just don't know anything about the ...
by Deantwo
Thu May 26, 2016 4:09 pm
Forum: Scripting
Topic: how can i limit users according to amount of download ?
Replies: 32
Views: 5683

Re: how can i limit users according to amount of download ?

is there a way ?? this maybe help http://forum.mikrotik.com/viewtopic.php?t=100323 should i downgrade? As said in that thread, you have to control the Hotspot Users rather than the queues. The queues are dynamically created and changed when the user is changed. I just don't know anything about the ...
by Deantwo
Wed May 25, 2016 5:01 pm
Forum: Scripting
Topic: how can i limit users according to amount of download ?
Replies: 32
Views: 5683

Re: how can i limit users according to amount of download ?

WIP yes there r multi ip same number i did that to make total-bytes work for the same users -i will remove it now and test- but may be as u said loop is easier You replied before I was done editing my post, read it again. the thing is my queue i can't modfy it so total-bytes wont work i think that ...
by Deantwo
Wed May 25, 2016 3:58 pm
Forum: Scripting
Topic: how can i limit users according to amount of download ?
Replies: 32
Views: 5683

Re: how can i limit users according to amount of download ?

/queue simple {
    :for i from=1 to=254 do={
        :local queue [find target=("10.0.0." . $i . "/32")]
        :if ([:len $queue] != 0) do={
            :local traf [get $queue total-bytes]
            :put ("Queue (" . [get $queue target] . ") traf: " . $traf)
            :if ($traf > 10000 && [get $queue max-limit] != "32000/64000") do={
                set $queu...
by Deantwo
Wed May 25, 2016 9:56 am
Forum: Scripting
Topic: how can i limit users according to amount of download ?
Replies: 32
Views: 5683

Re: how can i limit users according to amount of download ?

maybe there are some errors in code because it not working in terminal my os version 6.32.4 on RB750 If there are errors in the script, the terminal could be giving you an error message when you try to run it there. So what is it saying? EDIT: Yeah there were some syntax errors in the script you pos...
by Deantwo
Tue May 24, 2016 3:44 pm
Forum: General
Topic: how can i limit users according to amount of download ?
Replies: 9
Views: 1514

Re: how can i limit users according to amount of download ?

help please
Mmh, LMGTFY.

Sorry I couldn't help it. But this question is literally asked every week, the most asked question on the forum I fear.
by Deantwo
Tue May 24, 2016 3:34 pm
Forum: General
Topic: 6.16 import stops when there is a duplicate entry
Replies: 15
Views: 6698

Re: 6.16 import stops when there is a duplicate entry

If you pay attention to what line of the config it stopped on, you can continue the import with "import from-line=", just increment the line number that it stopped on by 1. I have yet to see a way to get the error message from an imported script returned to the script doing the import. And simply s...
by Deantwo
Wed May 18, 2016 4:56 pm
Forum: Scripting
Topic: How do you clear a global variable?
Replies: 11
Views: 12154

Re: How do you clear a global variable?

Thanks, I was not aware that you can simply add a [find] at the end of the command to remove. The "[find]" simply selects all objects that match the search criteria and adds them to an array. If there is more than one object the "remove" command is simply repeated for each object in the array. S...
by Deantwo
Wed May 18, 2016 2:13 pm
Forum: Scripting
Topic: [SOLVED] What's the meaning of "no such item" and why does it terminate a script?
Replies: 7
Views: 5005

Re: [SOLVED] What's the meaning of "no such item" and why does it terminate a script?

...
/interface {
    :local varif [find name="WAN" disabled=no]
    :if ([:len $varif] != 0) do={
        :put "Interface \"WAN\" was enabled, disabling."
        set $varif disabled=yes
    } else={
        :put "Interface \"WAN\" was not found or is already disabled."
    }
}
Does `:len` work for `:typeof` returning "nil"? (I used "nil...
by Deantwo
Wed May 18, 2016 12:30 pm
Forum: Scripting
Topic: [SOLVED] What's the meaning of "no such item" and why does it terminate a script?
Replies: 7
Views: 5005

Re: [SOLVED] What's the meaning of "no such item" and why does it terminate a script?

A good rule of thumb is to check if an object exists before trying to get/set it. Quick example:
/interface {
    :local varif [find name="WAN" disabled=no]
    :if ([:len $varif] != 0) do={
        :put "Interface \"WAN\" was enabled, disabling."
        set $varif disabled=yes
    } else={
        :put "Interface \"WAN\" was not foun...
by Deantwo
Wed May 18, 2016 12:10 pm
Forum: Scripting
Topic: How do you clear a global variable?
Replies: 11
Views: 12154

Re: How do you clear a global variable?

Script to clear all variables
:if ([:len [/system script environment find]] != 0) do={
    :for E from=0 to=([:len [/system script environment find]] - 1) do={
        /system script environment remove $E
    }
}
Could just use:
/system script environment remove [find]
The command doesn't complain if nothing is fou...
by Deantwo
Mon May 09, 2016 12:09 pm
Forum: Scripting
Topic: Why are BBCode Code blocks inserting a space at the start?
Replies: 7
Views: 967

Re: Why are BBCode Code blocks inserting a space at the start?

Funny, a few weeks ago I was about to post about why the BBCode Code box is so horrible. But I got sidetracked when trying to figure out how the CSS for it even worked. Can we please get a better Code box? One that is maybe actually a box with a background color? I guess that MikroTik script/termina...
by Deantwo
Mon May 09, 2016 11:06 am
Forum: General
Topic: SSTP Interface Queue Type is invalid after upgrade
Replies: 3
Views: 1533

Re: SSTP Interface Queue Type is invalid after upgrade

Tested upgrades:
  • 5.18 to 6.35: Invalid queue type
  • 5.26 to 6.35: Invalid queue type
  • 5.18 to 6.33: No interface queue and no errors
  • 6.33 to 6.35: Correct queue type
  • 5.18 to 6.33 to 6.35: Invalid queue type
  • 5.18 to 6.35.1: Invalid queue type
  • 5.18 to 6.35.2: Invalid queue type
by Deantwo
Mon May 09, 2016 10:39 am
Forum: Announcements
Topic: v6.35.2 [current] is released!
Replies: 64
Views: 24740

Re: v6.35.2 [current] is released!

*) queue - fixed interface queue type for ovpn tunnels; Fixed what and how? I am having problems with SSTP interface queues after upgrading routers from 5.x versions. See: http://forum.mikrotik.com/viewtopic.php?f=1&t=108175 Don't know if a supout file is necessary when it is an easily reproduced i...
by Deantwo
Mon May 09, 2016 10:37 am
Forum: General
Topic: SSTP Interface Queue Type is invalid after upgrade
Replies: 3
Views: 1533

SSTP Interface Queue Type is invalid after upgrade

I have recently just upgraded a number of routers running 5.18 to 6.35 and noticed a couple of scripts failing. Doing a little testing I found out that it is because the Queue Type of a SSTP interface is not changed to the correct default during the upgrade. In version 5.x the default interface que...
by Deantwo
Mon May 02, 2016 4:38 pm
Forum: Scripting
Topic: Suggestion: Certificate for those who post useful scripts
Replies: 5
Views: 1060

Re: Suggestion: Certificate for those who post useful scripts

there is reputation system at the forum, will be nice if used more intensively to thank or to stand out who provides useful help and the topics related On the topic of "forum reputation", was it disabled? I see no way to give reputation anymore. If you have a Wiki account, you can already do that. ...
by Deantwo
Wed Apr 27, 2016 5:42 pm
Forum: Scripting
Topic: "/system upgrade" can't be scripted in auto.rsc file?
Replies: 2
Views: 1427

Re: "/system upgrade" can't be scripted in auto.rsc file?

This should be fixed in 3.10 No it is not. Or it is at least broken again. See: http://forum.mikrotik.com/viewtopic.php?f=2&t=26108&p=535217#p535217 Tested with file test.auto.rsc : :log warning "Attempting import." /system upgrade upgrade-package-source add address=192.168.1.1 user="admin" blahbla...
by Deantwo
Wed Apr 27, 2016 5:18 pm
Forum: General
Topic: Script adding upgrade source
Replies: 8
Views: 1819

Re: Script adding upgrade source

you can even save all these commands in a txt file, rename to RSC and import them with the "/import" command. and THEN you can also use the fetch command to get these files from remote locations :) not so bad at all if you think of the possibilities Still not possible. As mentioned by macsrwe here:...
by Deantwo
Tue Mar 22, 2016 1:01 pm
Forum: Scripting
Topic: Bug in /ip route print where [...] command?
Replies: 3
Views: 987

Re: Bug in /ip route print where [...] command?

Try
print where !dynamic
Or:
/ip route print where static
/ip route print where !static
It is a little hard to see the difference between boolean flags and properties.
Best I can suggest is that you check the wiki manual.
Here: http://wiki.mikrotik.com/wiki/Manual:IP ... Properties
by Deantwo
Tue Mar 22, 2016 9:03 am
Forum: Scripting
Topic: API Encoding [SOLVED]
Replies: 6
Views: 2459

Re: API Encoding [SOLVED]

To convert between the two, you can use System.Text.Encoding.Convert() . Convert from "Unicode" to "Default" when sending, and from "Default" to "Unicode" when receiving. That would explain it. I will give Default a try, I kinda skipped that one because, well it is called "default". The example C# ...
by Deantwo
Mon Mar 21, 2016 4:38 pm
Forum: Scripting
Topic: API Encoding [SOLVED]
Replies: 6
Views: 2459

Re: API Encoding [SOLVED]

RouterOS doesn't support these even in console directly or Winbox. So you will have to stick with a-z 0-9 for now Ok. I would suggest mentioning in the documentation which encoding the API protocol supports. I do see that if I manually set the identity to "æøåÆØÅ" using WinBox it saves it as " ...