Search found 331 matches

by Deantwo
Tue Feb 13, 2024 12:40 pm
Forum: General
Topic: User poll about using Winbox
Replies: 100
Views: 62623

Re: User poll about using Winbox

1) Have you ever used Sessions? (default ones are <own> and <none> and you can make more) 2) Describe in a few words, what you think they do 3) How could we supercharge this feature to actually be useful for everyone? 4) Does the name Sessions actually convey what this feature is meant to do? 5) Af...
by Deantwo
Thu Nov 09, 2023 8:17 pm
Forum: General
Topic: IPsec Dead Peer Detection Best Practice
Replies: 7
Views: 13124

Re: IPsec Dead Peer Detection Best Practice

I cannot see in the RFC that it is mandatory that the DPD be the same on both sides. According to RFC 3706 point 5. DPD Protocol: To this end, each peer may have different requirements for detecting proof of liveliness. Peer A, for example, may require rapid failover, whereas peer B's requirements ...
by Deantwo
Thu Mar 09, 2023 3:52 pm
Forum: Beginner Basics
Topic: nslookup on Mikrotik
Replies: 28
Views: 82729

Re: nslookup on Mikrotik

you can specify target dns server to query easily: put [resolve google.com server 8.8.8.8] I have not found any reference in the official documentation to the parameters of the resolve command. Do you know any website where to find it? https://wiki.mikrotik.com/wiki/Manual:Scripting#Commands Seem t...
by Deantwo
Thu Dec 01, 2022 11:26 am
Forum: General
Topic: Policy "policy" required for access to global variables
Replies: 1
Views: 1134

Re: Policy "policy" required for access to global variables

Accessing global variables requires "read,write,policy" policies, if I remember correctly.
A bit more discussion here: viewtopic.php?t=145437
by Deantwo
Wed May 11, 2022 12:42 pm
Forum: General
Topic: After Upgrade from 6.49.1 to 7.1 ipsec Site-Site not working
Replies: 45
Views: 23490

Re: After Upgrade from 6.49.1 to 7.1 ipsec Site-Site not working

IP NAT (in the beginning of rules) /ip firewall nat add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.29.0/24 /ip firewall nat add action=accept chain=srcnat dst-address=192.168.29.0/24 src-address=192.168.10.0/24 Probably won't solve this main issue discussed here, bu...
by Deantwo
Mon Mar 07, 2022 1:10 pm
Forum: General
Topic: IPSec Fatal INVALID-SPI notify message, phase1
Replies: 2
Views: 2053

Re: IPSec Fatal INVALID-SPI notify message, phase1

8-9 years later, and now I have this issue. Anyone able to help? This was the first result on Google, so kinda weird how there is nothing useful posted in this thread. The IPsec policies show a "Established" but no traffic is going through. In the log I am seeing a lot of these messages: <...
by Deantwo
Sat Feb 19, 2022 9:53 am
Forum: Beginner Basics
Topic: nslookup on Mikrotik
Replies: 28
Views: 82729

Re: nslookup on Mikrotik

The recent case that brought me here was me remoting into a user's machine who's complaining of xyz (that smelled DNS related) and from that machine I tried to do a nslookup that failed. Now, I KNOW internet works, I'm remoting into the machine FROM the internet. I see that most things work in the ...
by Deantwo
Sat Dec 25, 2021 3:13 am
Forum: Beginner Basics
Topic: nslookup on Mikrotik
Replies: 28
Views: 82729

Re: nslookup on Mikrotik

First, try to ping fqdn of an MX record (or any non A record) and all above methods will fail and no IP will be returned. And this is something you need to do from your router? When exactly? I am not saying it wouldn't be nice if the ":resolve" got some more options, for example to lookup...
by Deantwo
Fri Dec 24, 2021 4:39 pm
Forum: Beginner Basics
Topic: nslookup on Mikrotik
Replies: 28
Views: 82729

Re: nslookup on Mikrotik

to find out the IP address of some domain, just ping it. or you can use the ":resolve" command, if you need it in scripts: [admin@MikroTik] > put [:resolve mt.lv] 159.148.147.196 The problem with this tact is that it only allows to resolve the first A record. NSLOOKUP allows record type l...
by Deantwo
Fri Nov 12, 2021 3:19 pm
Forum: Scripting
Topic: elif statement
Replies: 12
Views: 12281

Re: elif statement

The better is a @SiB variant, because you can change, or is changed, the tested value. Like "elseif" or switch are executed only one instance. ... I guess your change there fixes the issue I had about if $n is equal to multiple cases at the same time. But it still feels like you are makin...
by Deantwo
Fri Nov 12, 2021 11:33 am
Forum: Scripting
Topic: elif statement
Replies: 12
Views: 12281

Re: elif statement

WorkARound, much better than if else if else.... ... & Late, but I will leave the answer to others because I did not find any convincing answer ... I am sorry you two, but how and why would either of those two code samples work as an ELSE IF? Sure you can maybe make a nicer looking SWITCH CASE...
by Deantwo
Tue May 04, 2021 6:50 pm
Forum: Scripting
Topic: upgrade-package-source
Replies: 24
Views: 19472

Re: upgrade-package-source

when one router of your network is compromised that is bad, but if by getting into one router someone could gain access to other router, and that is not acceptable. I know this thread is super old, But this still annoys me to no end. Why does the "/system upgrade upgrade-package-source" e...
by Deantwo
Tue Mar 23, 2021 10:29 am
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 70
Views: 30733

Re: Netwatch deprecated ? [SOLVED]

I tried this and it didnt work!
down-script="{/system script run TelelgramFetch}"
Change that to
down-script="TelelgramFetch"
and it should work. Assuming your script has the required permissions.
by Deantwo
Mon Mar 22, 2021 7:07 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 70
Views: 30733

Re: Netwatch deprecated ? [SOLVED]

Hi Deantwo /system script set [find name="Netwatch up script"] dont-require-permissions=yes That wont work for me because netwatch scripts don't have names assigned?? Now that you know my level of script acumen (very little) Do you mean if you create a script that is called by netwatch, t...
by Deantwo
Mon Nov 16, 2020 7:56 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 70
Views: 30733

Re: Netwatch deprecated ? [SOLVED]

I just checked dont-require-permissions=yes but that does not work here. I see the script run counter increases, when netwatch launches my script, but the global variable is still not changed. I have version 6.44.5 (long-term) running here. Here are the code: 0 name="ispup" owner="ad...
by Deantwo
Tue Oct 20, 2020 3:28 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 70
Views: 30733

Re: Netwatch deprecated ? [SOLVED]

I'm a bit confused about some of the messages that got posted here... So is Netwatch not using any of the permission specified in the script itself, it use it own permissions list, and it only read the don't require permission flag to ignore all the permissions all together ? Just read my post abov...
by Deantwo
Tue Sep 08, 2020 2:20 pm
Forum: General
Topic: Revoked certificates contunue to work
Replies: 11
Views: 8474

Re: Revoked certificates contunue to work

And I am to understand that setting the ca-crl-host is only possible when signing the CA certificate? So the 4 year old self-signed certificate I have been using will have to be trashed and a new CA created if I want to add a ca-crl-host ? I already had the pleasure of having to run with two separat...
by Deantwo
Fri Jun 26, 2020 3:27 pm
Forum: General
Topic: IPsec Peer Identity - Why backwards?
Replies: 1
Views: 1020

IPsec Peer Identity - Why backwards?

I finally just upgraded from 6.43.x to 6.45.x, and I now have to use the new IPsec Peer Identity objects when making an IPsec tunnel. My question is, WHY do I need to make an Identity object for each Peer? Why can't I re-use the same Identity on multiple Peers similarly to how I can with the IPsec Pe...
by Deantwo
Thu Mar 05, 2020 10:05 am
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 106
Views: 77679

Re: v6.46.4 [stable] is released!

I third the branding questions. There is no information about "branding" in the manual, wiki/Manual:Branding doesn't exist, and wiki/Branding was deleted in 2011 (even though it is still linked to). Where can we get information about branding? Is it something we have to buy? Or is it only ...
by Deantwo
Tue Feb 25, 2020 5:00 pm
Forum: General
Topic: feature request: expose variables to netwatch scripts
Replies: 39
Views: 9805

Re: feature request: expose variables to netwatch scripts

This is still not implemented? According to something my co-worker found somewhere, this actually exist for DHCP Server Alerts scripts. Not sure where he found it, but try it: :local hostname [/system identity get name] :local currentDate [/system clock get date] :local currentTime [/system clock ge...
by Deantwo
Mon Feb 10, 2020 11:02 am
Forum: Announcements
Topic: Winbox v3.21 released!
Replies: 55
Views: 40523

Re: Winbox v3.21 released!

I can't get WinBox to update itself this time. I run WinBox.exe on my desktop, use "Tools -> Check for updates", can see the patch notes for v3.21 and when I click "Update" it downloads and then restarts WinBox, but is still running v3.20. Attempting to run WinBox.exe on my deskt...
by Deantwo
Fri Dec 27, 2019 4:15 pm
Forum: Announcements
Topic: v6.44.6 [long-term] is released!
Replies: 54
Views: 71245

Re: v6.44.6 [long-term] is released!

Ping utility failed after some success pings. It just write "Running" and do nothing. It crashed after some ARP pings and choosing some options like "Interface", "TTL", etc. Issue is actual using Winbox, web interface and console too. Logging in with another user doesn...
by Deantwo
Mon Nov 25, 2019 10:33 am
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 69887

Re: v6.45.7 [stable] is released!

@amojak, Be sure to make a supout and send it to support if you haven't already. @osc86 Today morning my CCR1009 suddenly stopped responding to snmp requests. Seems that all snmp related settings are gone. No changes were made recently. An export of /snmp never finishes. See if rebooting the route...
by Deantwo
Tue Nov 12, 2019 10:26 am
Forum: Announcements
Topic: v6.44.6 [long-term] is released!
Replies: 54
Views: 71245

Re: v6.44.6 [long-term] is released!

Thanks! this information is helpful. But while upgrading to v6.44.7 I got lots of errors. I don't know what they meant. what should I do to troubleshoot? Regards, Lewis RouterOS v6.44.7 does not exist (yet?), so that could be your issue. If something is suggesting that there is a v6.44.7 but failin...
by Deantwo
Wed Nov 06, 2019 11:54 am
Forum: General
Topic: NTP Reached but not Synchronized [SOLVED]
Replies: 7
Views: 8155

Re: NTP Reached but not Synchronized [SOLVED]

Ok, the issue is resolved. Thanks to help from MikroTik support, we found out that the remote NTP server was mismanaged. The owners had started taking the server offline some weeks/months back and hadn't told anyone about it. Supposedly they didn't think anyone was using IP-address instead of...
by Deantwo
Tue Nov 05, 2019 11:09 am
Forum: Announcements
Topic: v6.44.6 [long-term] is released!
Replies: 54
Views: 71245

Re: v6.44.6 [long-term] is released!

can i downgrade when routerboard firmware is allready on 6.44.6 ? richard Bootloader firmware is not the same as the RouterOS. You need to downgrade the RouterOS version, not the bootloader firmware. /system package print Will show the RouterOS version installed and all packages installed and if th...
by Deantwo
Fri Nov 01, 2019 2:46 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 69887

Re: v6.45.7 [stable] is released!

Didzito, sindy: It might be better if you two take that issue to a new thread, since it doesn't sound like it is directly related to this update.
by Deantwo
Fri Nov 01, 2019 10:50 am
Forum: General
Topic: NTP Reached but not Synchronized [SOLVED]
Replies: 7
Views: 8155

Re: NTP Reached but not Synchronized [SOLVED]

Could it be that the stratum of the remote NTP server isn't low enough? (Just a suggestion. I don't know whether the RouterOS' NTP client even looks at the stratum value.) Using Wireshark I can see the stratum the server replies with as 3. Network Time Protocol (NTP Version 4, server) Flags: 0x24, ...
by Deantwo
Fri Nov 01, 2019 9:51 am
Forum: General
Topic: NTP Reached but not Synchronized [SOLVED]
Replies: 7
Views: 8155

Re: NTP Reached but not Synchronized [SOLVED]

[Deantwo@NTP Client Server Router] > system ntp client print enabled: yes mode: unicast primary-ntp: xxx.xxx.xxx.xxx secondary-ntp: 0.0.0.0 dynamic-servers: status: started Running the print command seems to say the router is just "started", and I can't seem to get it to say "reached...
by Deantwo
Tue Oct 29, 2019 9:01 am
Forum: General
Topic: Feature Request: Prevent Shutdown
Replies: 13
Views: 3650

Re: Feature Request: Prevent Shutdown

But seriously, maybe there could be some option that once set would make the shutdown less easy (not as bad as above). Yup that is all I am asking for. A small safety option like that would be very nice to have. More popup confirmation dialogs (especially in a row) would not help anything. In short...
by Deantwo
Wed Oct 23, 2019 10:59 am
Forum: General
Topic: Feature Request: Prevent Shutdown
Replies: 13
Views: 3650

Re: Feature Request: Prevent Shutdown

Shutdown should ask us to write a word "ShutMeDown" :)
Yes, something like that would be nice. It could even popup and force me to solve a simple sudoku if we want to go crazy.

But yes, a simple "Please write the word 'Shutdown' to confirm" prompt would be very nice indeed.
by Deantwo
Wed Oct 23, 2019 10:27 am
Forum: General
Topic: Feature Request: Prevent Shutdown
Replies: 13
Views: 3650

Re: Feature Request: Prevent Shutdown

you just want it removed More like I want a way to disable the button on routers where it would be dangerous, or at the very least have the confirmation dialog for shutdown be more distinct so accidents like this are less likely. That is why I named this topic "Prevent Shutdown" rather th...
by Deantwo
Tue Oct 22, 2019 5:42 pm
Forum: General
Topic: Feature Request: Prevent Shutdown
Replies: 13
Views: 3650

Re: Feature Request: Prevent Shutdown

Why when we make a mistake instead of accepting our fault we just blame others? Not so much blame others. I am accepting that it is my fault for being tired and clicking the wrong button. But that doesn't mean I can't wonder why there isn't a better confirmation dialog. It is not that I think the &...
by Deantwo
Tue Oct 22, 2019 5:13 pm
Forum: General
Topic: Feature Request: Prevent Shutdown
Replies: 13
Views: 3650

Feature Request: Prevent Shutdown

I just had one of those !fun! accidents that really makes me wonder, WHY is this even possible? I reboot a router in order to upgrade/install/uninstall a package, but the router doesn't come back online after. I get in a car and rush to the datacenter with a spare router and fearing the worst. When ...
by Deantwo
Tue Oct 22, 2019 10:31 am
Forum: General
Topic: NTP Reached but not Synchronized [SOLVED]
Replies: 7
Views: 8155

Re: NTP Reached but not Synchronized [SOLVED]

You should probably generate a supout file and send it to support@mikrotik.com ... this is clearly some internal working (either a bug or problem with your particular device) and none of ordinary users can help you with that. Yeah, I was gonna do that here in a bit after getting some package captur...
by Deantwo
Tue Oct 22, 2019 9:50 am
Forum: General
Topic: NTP Reached but not Synchronized [SOLVED]
Replies: 7
Views: 8155

Re: NTP Reached but not Synchronized [SOLVED]

I can see that the issue started after upgrading the router to RouterOS v6.43.16 (long-term) from v6.42.10 (long-term). I tested RouterOS v6.44.5 (long-term) on test router, but the same issue appear on that. NTP Reached Issue Monitoring.png Monitoring setup shortly after router is upgraded. Alarms ...
by Deantwo
Mon Oct 21, 2019 5:08 pm
Forum: General
Topic: NTP Reached but not Synchronized [SOLVED]
Replies: 7
Views: 8155

NTP Reached but not Synchronized [SOLVED]

I have been having some issues with the NTP component on one of my core MikroTik routers lately. I use it to sync to a special non-public remote NTP server, and servers on my network then use the router as NTP server. Therefore the NTP package is installed on the router. According to my monitoring s...
by Deantwo
Tue Oct 08, 2019 2:29 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 28
Views: 10179

Re: Why (not) use Hairpin NAT

One reason not to use hairpin NAT that I haven't seen anyone mention here, is that you lose some of your ability to log what people on the LAN are doing to your servers. Not so much a difference is how difficult it is to setup, but keep in mind that some other things are lost when you just source NA...
by Deantwo
Fri Oct 04, 2019 4:38 pm
Forum: SwOS
Topic: Switch identity character length and possible? bug
Replies: 5
Views: 3928

Re: Switch identity character length and possible? bug

I am having issues setting identity of RB260GS. I wanted to set: LOCATION - OFFICE - DEVICEn The identity character limit is rather small for SwOS yeah. I don't know what exactly you need such a long and complicated identity for, but you might be able to add some of your information to the SNMP set...
by Deantwo
Fri Oct 04, 2019 4:30 pm
Forum: Announcements
Topic: SwOS version 2.10 released!
Replies: 53
Views: 103169

Re: SwOS version 2.10 released!

... @Stangelator, if your issue is not directly related to the new SwOS update (version 2.10), can you maybe take your issue to a new thread instead? Getting constant notifications from this thread about non-update related posts is getting a little annoying. Make a new thread in the SwOS section o...
by Deantwo
Wed Oct 02, 2019 12:48 pm
Forum: Beginner Basics
Topic: nslookup on Mikrotik
Replies: 28
Views: 82729

Re: nslookup on Mikrotik

Yes, you have to assume that the DNS server that replied is the DNS server that you (or the router) specified. The [:resolve "microsoft.com"] is a script command, it is not really a troubleshooting tool. I have a number of scripts that rely on [:resolve "microsoft.com"] returnin...
by Deantwo
Mon Sep 02, 2019 10:01 am
Forum: Announcements
Topic: Newsletter #90
Replies: 55
Views: 40413

Re: Newsletter #90

New switches? So we might see improvements to SwOS?
*crosses fingers*
by Deantwo
Wed Aug 07, 2019 11:02 am
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 84802

Re: v6.44.5 [long-term] is released!

Can you maybe update the security blog post to include this RouterOS version as a fix?
Here: https://blog.mikrotik.com/security/cve- ... 11479.html
by Deantwo
Mon Jul 01, 2019 4:36 pm
Forum: Announcements
Topic: v6.43.16 [long-term] is released!
Replies: 12
Views: 22589

Re: v6.43.16 [long-term] is released!

Ditto on the recent Linux DOS vulnerabilities update - will Long-Term receive it and when. If not, please provide recommended Firewall filter rules. Thank you. The advisory linked to in the blog post suggests blocking TCP traffic with a low MSS, but doesn't mention what this "low MSS" is. ...
by Deantwo
Wed May 22, 2019 4:07 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

Hello, we have found that our CCR is not accessible, has been compromised, user and passw have changed V 6.38.7 (bubfix) is the version that appears from winbox, we have passed ExploitWinbox and Macserverexploit but it does not work, what else can we do? We do not have backup ..... Thanks! Bugfix v...
by Deantwo
Tue May 21, 2019 10:24 am
Forum: General
Topic: SSTP Interface Queue Type is invalid after upgrade
Replies: 3
Views: 2827

Re: SSTP Interface Queue Type is invalid after upgrade

Hello Did you get this work on 6.44? default queue type is default-small on 6.44 , i need to put all new dynamic interfaces on startup to ethernet-default or custom pfifo queue type Can you help me? Workaround for now: 1. empty queue tree rule /queue tree add comment=test name=queue3_test priority=...
by Deantwo
Tue May 14, 2019 12:08 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 18167

Re: v6.43.15 [long-term] is released!

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? I feel a little horrible for thinking the exact same thing when I saw a new long-term release. Is that really where we have gotten with long-term release...
by Deantwo
Fri May 10, 2019 4:51 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 24956

Re: v6.43.14 [long-term] is released!

Hi, we are experiencing the following bug: ...
Be sure to email support@mikrotik.com with the details.
This thread isn't really for bug reports, unless it is specifically related to this update alone.
by Deantwo
Fri Apr 12, 2019 2:38 pm
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 49
Views: 205687

Re: Winbox v3.18 released!

He should email it to support@hiscompany.com, because it's false positive on company's DPI side, MikroTik cannot do anything with that. Wouldn't that be himself? XD If P2P/File transfer is restricted in the company network, then it might cause problems with a lot of things. None of which would be M...
by Deantwo
Fri Apr 12, 2019 9:30 am
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 49
Views: 205687

Re: Winbox v3.18 released!

Winbox when downloading descriptors get stock. After some troubleshooting, I found that winbox is being blocked by P2P/File transfer restrictions in the company.
You should email that to support@mikrotik.com.
by Deantwo
Thu Apr 04, 2019 12:22 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 24956

Re: v6.43.14 [long-term] is released!

Just gonna leave a link to the MikroTik blog post here, so people can read about what this patch fixes.
Here: https://blog.mikrotik.com/software/cve- ... stion.html
by Deantwo
Thu Apr 04, 2019 11:18 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 36889

Re: v6.44.2 [stable] is released!

Hi Emils, Is this fix related to recent vulnerability issue that were going to go public on 9 April? Nice attempt at being subtle there. Wouldn't it have been better to email something like that to support rather than start a new vulnerability panic? ._. yes, see https://forum.mikrotik.com/viewtopi...
by Deantwo
Wed Apr 03, 2019 10:44 am
Forum: Scripting
Topic: Can't launch script from Netwatch
Replies: 14
Views: 11811

Re: Can't launch script from Netwatch

If you are using RouterOS 6.43.x, then you can simply use dont-require-permissions=yes.
See: viewtopic.php?f=2&t=134538#p720232
by Deantwo
Wed Apr 03, 2019 10:34 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 85
Views: 50255

Re: v6.44.1 [stable] is released! - URGENT

@mativcp: After upgrade to 6.44.1 (Stable) CCR1009-7G-1C-1S+ STOP WORKINKG ... ill wait answer...Thanks in advance As it says in the opening post, you need to make a supout while the issue is present and send it to MikroTik support along with your report. RouterOS version 6.44.1 has been released in...
by Deantwo
Mon Apr 01, 2019 12:39 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 31029

Re: v6.43.13 [long-term] is released!

I think there is a Bug that wasn't in 6.42.12: Running that command on 6.42.12 works: :log info ([/interface pppoe-client monitor pppoe-WAN as-value]->"status") It's not a bug it's a feature :) Now you need to add "once" after an interface name. This seems like some kind of joke...
by Deantwo
Fri Mar 29, 2019 1:16 pm
Forum: General
Topic: Multiple CA Certificates for OpenVPN
Replies: 3
Views: 2097

Re: Multiple CA Certificates for OpenVPN

I wanted to ask the exactly same question now, so I'm rather bumping this up - is it possible to have two CAs? For the same reason - to slowly update from old MD5 certs to new ones?
I ended up just setting up a second MikroTik router. Closed the old router down here before new year.
by Deantwo
Tue Mar 26, 2019 4:19 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 31029

Re: v6.43.13 [long-term] is released!

As 6.43 just recently replaced 6.42 long-term. radius - use MS-CHAPv2 for "login" service authentication; Please revert this change, or at least make this configurable. That is true, and yet another thing people upgrading from v6.42.12 to v6.43.13 will be unprepared for. But all is not lo...
by Deantwo
Tue Mar 26, 2019 11:57 am
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 31029

Re: v6.43.13 [long-term] is released!

So are there actually any changes between this long-term version and the v6.43.12 stable version? Really hard to tell from the changes, since as mentioned by others in this thread, there are even changes missing that were made in the v6.43 release thread. PS: Emailed support about adding the missing...
by Deantwo
Tue Mar 19, 2019 4:55 pm
Forum: General
Topic: to many winbox/dude sessions
Replies: 13
Views: 5199

Re: to many winbox/dude sessions

/system scheduler { :local uptime [/system resource get uptime] :set uptime [:pick $uptime ([:len $uptime] - 5) [:len $uptime]] :local calculation (([:tonum [:pick $uptime 0 2]] + [:tonum [:pick $uptime 3 5]]) * 40) :set calculation [:totime $calculation] :set calculation (04:00:00 + $calculation) ...
by Deantwo
Tue Mar 19, 2019 11:04 am
Forum: General
Topic: to many winbox/dude sessions
Replies: 13
Views: 5199

Re: to many winbox/dude sessions

I don't see any options to set or increase the limit of sessions. I didn't even know there was one. One thing you could do is spread the update checks out over a larger time period so all the requests don't come at the same time. Change your schedulers to have a start-time that depends on the router...
by Deantwo
Mon Mar 18, 2019 1:19 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polle...
by Deantwo
Tue Mar 12, 2019 7:09 pm
Forum: General
Topic: Connection tracking issue
Replies: 2
Views: 1122

Re: Connection tracking issue

Sounds like the same issue as described in viewtopic.php?f=2&t=127838&p=628464#p628464.
by Deantwo
Tue Mar 12, 2019 5:25 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

Is enough only by upgrading the OS to safe version or MUST BE do netinstall? As stated multiple times in this thread, and other places on the forum. If you want to be 100% sure that your router is not infested with some Lovecraftian horror, netinstall it. If your router hasn't been attacked, probe...
by Deantwo
Mon Mar 11, 2019 1:52 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 70
Views: 30733

Re: Netwatch deprecated ? [SOLVED]

This issue seem to have been addressed in RouterOS version 6.43, so it is much easier to fix these issues now. https://forum.mikrotik.com/viewtopic.php?f=21&t=138995 What's new in 6.43 (2018-Sep-06 12:44): *) console - added "dont-require-permissions" parameter for scripts; *) console ...
by Deantwo
Mon Mar 11, 2019 10:08 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 218
Views: 96547

Re: v6.44 [stable] is released!

Not sure if you read the thread properly, however, we're also both and all of us are at least up to MTCRE. I also cannot share the config of our clients due to a Non-Disclosure agreement. This is companies that's been using these units quite a lot, we talk few thousands of the routers especially th...
by Deantwo
Tue Mar 05, 2019 1:20 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 218
Views: 96547

Re: v6.44 [stable] is released!

Upgrading my RB750 from RouterOS 6.40.8 to 6.44 leaves all IPsec peers with "unknown" profiles. And it looks like any IPsec peer settings were lost since only "default" profile exist. Do I have to jump to another version first and then jump to 6.44? Gonna go test if it also happe...
by Deantwo
Mon Mar 04, 2019 2:24 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the furt...
by Deantwo
Mon Feb 25, 2019 9:01 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 52637

Re: Security issue when Winbox exposed

Is it only specific to dude agent binary? To remediate is it enough to have dude agent not installed or not enabled? (of course Winbox port is closed to the internet, but I don't want my LANs to be able to use it, dude is installed, but not enabled) The article says it's only agent, but I'd appreci...
by Deantwo
Mon Feb 25, 2019 2:57 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 52637

Re: Security issue when Winbox exposed

Unless I am mistaken, this vulnerability is a lot less dangerous as long as your internal network isn't public knowledge. The attack shown in the article is an example that only works because he knows the LAN IP address of the vulnerable server and the type of server before doing the attack. I am no...
by Deantwo
Fri Feb 22, 2019 10:36 pm
Forum: Beginner Basics
Topic: How to connect from android app Mikrotik to RB2011?
Replies: 6
Views: 1993

Re: How to connect from android app Mikrotik to RB2011?

I have a OpenVPN server on my router and the OpenVPN app. So I can connect to my router from the outside and then use the TikApp to control my router securely.
by Deantwo
Fri Feb 22, 2019 3:32 pm
Forum: Scripting
Topic: Global variable dissapears?
Replies: 9
Views: 3273

Re: Global variable dissapears?

/system script add dont-require-permissions=no name=script1 policy=\ reboot,read,write,policy,test,password,sniff,sensitive source=\ "/user add name=yy group=full \r\ \n:log info \"user added\"" /tool netwatch add down-script=script1 host=111.111.111.111 .... [admin@BGP_ruby_tes...
by Deantwo
Fri Feb 22, 2019 2:50 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 25869

Re: v6.42.12 [long-term] is released!

MAJOR CHANGES IN v6.42.12: ---------------------- !) winbox - improvements in connection handling to router with open winbox service (CVE-2019-3924); ---------------------- Definitely missing some more details about when and how to we are vulnerable to this vulnerability. I would like to know if Wi...
by Deantwo
Fri Feb 22, 2019 2:43 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 52637

Re: Security issue when Winbox exposed

Yes, "service" menu limitation will protect you, the service "winbox" affects winbox/dude/tik-app all at the same time.
That is wonderful news, first good news I hear all day.
Can that please be added to the blog post maybe? I am sure more people will want to know this.
by Deantwo
Fri Feb 22, 2019 2:36 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 52637

Re: Security issue when Winbox exposed

Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure. With the WinBox service exploit we were told that an address whitelist on the service was enough to block anything bad. I am HOPI...
by Deantwo
Fri Feb 22, 2019 12:04 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 25869

Re: v6.42.12 [long-term] is released!

MAJOR CHANGES IN v6.42.12: ---------------------- !) winbox - improvements in connection handling to router with open winbox service (CVE-2019-3924); ---------------------- Definitely missing some more details about when and how we are vulnerable to this vulnerability. I would like to know if Wi...
by Deantwo
Thu Feb 21, 2019 12:26 pm
Forum: Scripting
Topic: Global variable dissapears?
Replies: 9
Views: 3273

Re: Global variable dissapears?

https://forum.mikrotik.com/viewtopic.php?f=21&t=133272 What's new in 6.42 (2018-Apr-13 11:03): *) netwatch - limit to read, write, test and reboot policies for Netwatch script execution; Accessing global variables annoyingly requires "policy" permission, which Netwatch script execution ...
by Deantwo
Thu Feb 21, 2019 12:25 pm
Forum: Scripting
Topic: Script via Netwatch Don't Running
Replies: 3
Views: 1674

Re: Script via Netwatch Don't Running

viewtopic.php?f=21&t=133272
What's new in 6.42 (2018-Apr-13 11:03):

*) netwatch - limit to read, write, test and reboot policies for Netwatch script execution;
by Deantwo
Tue Feb 05, 2019 11:36 am
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 7
Views: 4723

Re: Upgrade to MS-CHAPv2 RADIUS for >6.43

We got the new RADIUS server to work with MS-CHAPv2 and RouterOS v6.43. I'll bug my server guy to find out what he did on the server to make it work. I have one fun fact with backward compatibility, a router running <6.43 can still use a MS-CHAPv2 RADIUS, but only for WinBox login. Trying to open th...
by Deantwo
Mon Feb 04, 2019 3:51 pm
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 7
Views: 4723

Re: Upgrade to MS-CHAPv2 RADIUS for >6.43

I am told that the guide on the wiki/manual isn't much help anymore.
This: https://wiki.mikrotik.com/wiki/AAA_with ... _Directory

I sent an e-mail to support about getting the guide updated and possibly some help with this.
by Deantwo
Wed Jan 30, 2019 5:13 pm
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 7
Views: 4723

Upgrade to MS-CHAPv2 RADIUS for >6.43

I am attempting to figure out the best way to upgrade from my old RADIUS server to a new MS-CHAPv2 RADIUS server. I would prefer a backward compatible solution, so routers running <6.43 can use the same configuration as >6.43. Googling for the answer seems to most of all just point me to a post I wro...
by Deantwo
Tue Jan 29, 2019 1:16 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

Darman, how do you think an update will know what socks entries are legitimate and what are not? If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD Better idea: if the router is setup incorrectly/insecurely, brick it. But really, none of that is MikroTik's problem to s...
by Deantwo
Wed Jan 23, 2019 1:35 pm
Forum: Announcements
Topic: SwOS version 2.9 released!
Replies: 70
Views: 57231

Re: SwOS version 2.9 released!

reading that no IGMP (Snooping) Problems are know in the latest 2.9 Firmware release, made me a bit angry... As @becs just said; @RobertF and @abrodkin SwOS has supported IGMP v1,v2,v3 since v2.5, also many issues have been addressed since then and now in v2.9 there is an additional port option to ...
by Deantwo
Sat Jan 05, 2019 5:04 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

I'm having issues upgrading. it doesn't do it.. check for updates then select download and install.. auto reboots but it stays to the version not new one... I'm using hap ac.... Check the architecture of the router, make sure you are using the correct file. Need more information to be able to help you....
by Deantwo
Fri Dec 28, 2018 12:37 pm
Forum: General
Topic: The "output" chain and VRFs/routing marks
Replies: 9
Views: 4517

Re: The "output" chain and VRFs/routing marks

You are correct in thinking that the "output" chain is after routing decisions are made. But the "output" chain apparently has a "routing adjustment" phase, which I assume is used if the routing mark was changed. See: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6...
by Deantwo
Wed Dec 19, 2018 11:06 pm
Forum: SwOS
Topic: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???
Replies: 10
Views: 6727

Re: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???

Looks like the Watchdog doesn't work in all cases. I have it enabled but the switch hangs for hours rather than rebooting.
Suggest you write to support@mikrotik.com with details so they can make a bug report and get it fixed then.
by Deantwo
Thu Dec 06, 2018 12:59 pm
Forum: Announcements
Topic: URGENT security reminder
Replies: 83
Views: 67338

Re: URGENT security reminder

Noobs will scream when their router randomly restart (because it was just applying updates during their gameplay) Tools -> Traffic Monitor :) "If there's no traffic for the last 5 minutes - it's okay to upgrade" xD = never :D But they will stop complaining about the feature missing! xD Ho...
by Deantwo
Tue Nov 20, 2018 12:16 pm
Forum: General
Topic: Radius not work since upgrade to 6.43
Replies: 7
Views: 4848

Re: Radius not work since upgrade to 6.43

I reading in changelog of last version and I see this line: *) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades); Pretty sure that specific line is not related to radius. Instead see v6.43 's !) radius - use MS-CHAPv2 f...
by Deantwo
Fri Nov 16, 2018 7:18 pm
Forum: Beginner Basics
Topic: Routing via IPSec Tunnel
Replies: 4
Views: 1540

Re: IPsec Issues

I have an issues by configuring ipsec tunnel . the issue is the following The tunnel is established, nat bypass rule is also there but I'm unable to ping both local network. Please I need help Likely the same issue, and same information needed. What is your setup like? Diagram? What is your configs...
by Deantwo
Fri Nov 16, 2018 5:09 pm
Forum: Scripting
Topic: Script ended
Replies: 1
Views: 1327

Re: Script ended

What is the error the script is giving?
by Deantwo
Fri Nov 16, 2018 4:54 pm
Forum: General
Topic: VLAN on a regular switch
Replies: 9
Views: 3445

Re: VLAN on a regular switch

If the regular switch doesn't support VLANs, it might be easier to not use VLANs at all.
Or simply get a managed switch that does support VLANs.
by Deantwo
Fri Nov 16, 2018 4:52 pm
Forum: General
Topic: Two VLANS to another place. Voip + Data
Replies: 57
Views: 12228

Re: Two VLANS to another place. Voip + Data

Your VLAN configuration doesn't look totally correct.
Maybe this will help: https://wiki.mikrotik.com/wiki/Manual:L ... idged_VLAN

But if the routers are the only network equipment, then why use VLANs at all? Just make two bridges and route them normally.
by Deantwo
Fri Nov 16, 2018 3:13 pm
Forum: Beginner Basics
Topic: Routing via IPSec Tunnel
Replies: 4
Views: 1540

Re: Routing via IPSec Tunnel

A diagram of your setup would make your question easier to understand.
Also your config would help a lot too.

If the subnets are accessible from each end, what is the issue?
by Deantwo
Tue Nov 06, 2018 11:21 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

Hey caresss As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block it. You need to configure your interface list to prevent access from any untrusted networks. The fact that the attacker is using MAC-Telnet or MAC-WinBox means that ...
by Deantwo
Fri Nov 02, 2018 11:02 am
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 49
Views: 205687

Re: Winbox v3.18 released!

Can anyone log to an older version of Mikrotik, through WinBox 3.18 ?
I am unable to login to a router running RouterOS v5.26 with WinBox v3.18, I just get an error saying "Error: could not fetch index".
But you didn't really specify how much older.
by Deantwo
Mon Oct 01, 2018 11:36 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

WestTexas : In theory, if you can't upgrade the routers at all, just make sure they can't be accessed from untrusted networks. The vulnerability is only an issue if it can be accessed in the first place. For example make them only accept WinBox connections from your specific public IP range. Or mak...
by Deantwo
Fri Sep 21, 2018 4:47 pm
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 49
Views: 205687

Re: Winbox v3.18 released!

Please add feature to auto-reconnect or just status-icon what give as info that routerboard is online now. https://image.prntscr.com/image/0QqQhCONT36QRp5LnSRpAA.png Sounds like a nice idea for a feature. But it is not directly related to Winbox v3.18, so you might want to make a new thread about it.
by Deantwo
Wed Sep 19, 2018 12:21 pm
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 85155

Re: v6.43.1 [stable] is released!

What does this mean in details? *) winbox - fixed corrupt user database after specifying allowed address range (introduced in v6.43); Does this mean that in ROS lower than 6.43 address range not working? The "introduced in v6.43" means that it was a bug that was introduced (a.k.a. made) i...
by Deantwo
Mon Sep 17, 2018 11:27 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

Example is already in the manual: https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#RouterOS_auto-upgrade Ah very nice, thanks. But it would be nice if the example also included "set channel=bugfix", since that took me a moment to find. I can't even see the word "channel"...
by Deantwo
Mon Sep 17, 2018 10:51 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

is there maybe a plan to add auto update option and set that as default option? There are many routers which will never be updated or until something real bad happens. The issue with doing that is that users won't know what is happening. For example if they notice their internet going down their fi...
by Deantwo
Thu Sep 13, 2018 5:17 am
Forum: General
Topic: Add emoji to the ssid name
Replies: 38
Views: 17132

Re: Add emoji to the ssid name

With the suggestions here I've made the script a bit more user friendly.
Cool, but it does mean that it won't return an error if no interface is named that.
But I guess the user will just know that the SSID didn't change, so it likely is better in the end.
by Deantwo
Wed Sep 12, 2018 11:13 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

This is normal, if you open a Terminal. There is no hacker here.
I feel stupid for forgetting this detail... knew I was forgetting something.
Anyway, thanks for the confirmation.
by Deantwo
Wed Sep 12, 2018 10:50 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

Sorry I don't understand that question. Try to re-phrase it. He is talking about what he said in https://forum.mikrotik.com/viewtopic.php?p=685673#p685509, a job is shown to be running, yet the configuration doesn't appear to have any scripts in it. But as I said, from the picture and config alone,...
by Deantwo
Wed Sep 12, 2018 10:22 am
Forum: General
Topic: Add emoji to the ssid name
Replies: 38
Views: 17132

Re: Add emoji to the ssid name

Use this tool: https://r-1.ch/mikrotik-unicode-ssid-generator.php Oh my gosh that is awesome! 😂 Yes, I saw that but I'm not sure when and where should I add this command line "/interface wireless set X ssid="\65\78\61\6D\70\6C\65\20\F0\9F\92\BB" and how do I find my x value. Should t...
by Deantwo
Wed Sep 12, 2018 10:03 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router. Even better reason to have it secure, and a plan for how to access it remotely when you finally do secure it correctly. The manual page I linked you to has examples on how to do...
by Deantwo
Tue Sep 11, 2018 11:01 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

2. How I can I reinstall CHR license on new disk image? I suggest you email support@mikrotik.com with your license issue. I haven't access to email or account. Only disk image with self-updated license. Any other suggestion? Email support@mikrotik.com , they can help you with all your questions.
by Deantwo
Tue Sep 11, 2018 8:06 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

here is full export command (little obfuscated) /export # sep/11/2018 17:50:21 by RouterOS 6.43 # software id = # # # /interface gre add !keepalive local-address=185.31.1.2 name=to_Sremote-address=46.0.1.1 add !keepalive local-address=185.31.1.2 name=to_X remote-address=178.215.1.1 /interface wirel...
by Deantwo
Tue Sep 11, 2018 2:36 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

May i ask, how is it possible to attacker to load up the know scripts and modify firewall, sock proxy, etc. if in IP/Services only winbox and ssh is allowed,but they are limited to connect from known prefixes? It's even happened in 6.42.1 or 6.42.3 Without knowing exactly what you had configured on...
by Deantwo
Tue Sep 11, 2018 10:08 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

May i ask, how is it possible to attacker to load up the know scripts and modify firewall, sock proxy, etc. if in IP/Services only winbox and ssh is allowed,but they are limited to connect from known prefixes? It's even happened in 6.42.1 or 6.42.3 Without knowing exactly what you had configured on...
by Deantwo
Thu Sep 06, 2018 6:08 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly. Of course we will think about improvements, but there will always be the case when somebody change something and complain that router is not secure. Yeah, if a guide starts by say...
by Deantwo
Thu Sep 06, 2018 3:07 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default. Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is a...
by Deantwo
Wed Sep 05, 2018 10:59 am
Forum: Announcements
Topic: v6.40.9 [bugfix] is released!
Replies: 56
Views: 38404

Re: v6.40.9 [bugfix] is released!

I agree that the way the patch notes were written made it look way more urgent than it was. Compared to how the WinBox vulnerability was mentioned in v6.40.8 [bugfix], it makes it look like the CVE vulnerabilities were much more important. Changing the way you announce vulnerabilities in patch not...
by Deantwo
Thu Aug 23, 2018 4:01 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 176631

Re: Winbox vulnerability: please upgrade

How do you recover from this attack? We have 40 Dynadishes that are not responding to Winbox. They do respond partially on port 80, but act strangely. No SSL or telnet was enabled on these CPE's , so that approach is out. Any suggestions? You could use netinstall to reinstall them. See: https://wik...
by Deantwo
Tue Aug 21, 2018 10:42 am
Forum: SwOS
Topic: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???
Replies: 10
Views: 6727

Re: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???

There is not much information about the "watchdog" feature in the CSS326 SwOS manual. https://wiki.mikrotik.com/wiki/SwOS/CSS326#System Watchdog Enable or disable system Watchdog. It will reset CPU of the switch in case of fault condition I am guessing that the SwOS watchdog is not the sam...
by Deantwo
Wed Aug 15, 2018 1:24 pm
Forum: SwOS
Topic: rb 260gs - vlan native how to setup
Replies: 1
Views: 2897

Re: rb 260gs - vlan native how to setup

https://wiki.mikrotik.com/wiki/SwOS/RB2 ... 0#VLAN_Tab

Try setting the port's VLAN Receive to "Any" and the Default VLAN ID to the desired native VLAN.
by Deantwo
Wed Aug 15, 2018 1:18 pm
Forum: SwOS
Topic: MSTP Support?
Replies: 2
Views: 4025

MSTP Support?

Since MSTP support has been added to RouterOS, is there any chance we will be getting it for SwOS too?

Currently trying to setup a CRS326-24G-2S+ (SwOS 2.7) and it only has RSTP, which makes it rather hard to make advanced VLAN networks.
by Deantwo
Wed Aug 15, 2018 12:51 pm
Forum: SwOS
Topic: BUG: Do not open the HOSTS tab and RSTP
Replies: 2
Views: 3169

Re: BUG: Do not open the HOSTS tab and RSTP

Was having issues with RSTP tab not opening at all on v2.7.
Rebooting the switch fixed the issue.
by Deantwo
Wed Aug 15, 2018 12:42 pm
Forum: SwOS
Topic: CSS326-24G-2S+ RSTP doesn't work!
Replies: 1
Views: 2815

Re: CSS326-24G-2S+ RSTP doesn't work!

Two of your pictures show no RSTP enabled on any ports, did you maybe forget to scroll down? Or are you just showing that there is no RSTP enabled on those at all? Do you have any VLANs configured? Your diagram and pictures aren't much help since you don't say what is what really in them. Your post ...
by Deantwo
Fri Aug 10, 2018 3:42 pm
Forum: General
Topic: VLAN Trunk without knowing/cofiguring all VLANS
Replies: 5
Views: 2372

Re: VLAN Trunk without knowing/cofiguring all VLANS

Is CRS317 SFP-SFPPLUS1 and CRS317 SFP-SFPPLUS2 bridged together? Is CCR1009 SFP-SFPPLUS1 and CCR1009 ETHER1 bridged together? If not then, talking about VLANs makes no sense. You only create VLAN trunks between two switches or between a router and a switch, but never between two routers. What you ne...
by Deantwo
Fri Aug 03, 2018 11:01 am
Forum: Forwarding Protocols
Topic: OSPF Router ID
Replies: 6
Views: 5692

Re: OSPF Router ID

The https://wiki.mikrotik.com/wiki/Manual:OSPF-examples page suggests making a loopback interface and giving it the router-id as an IP-address. Does the router-id have to exist as an IP-address on the router? If not then why can we configure the router-id at all? I assume that if you define a value ...
by Deantwo
Thu Jun 28, 2018 1:01 pm
Forum: General
Topic: [OPEN VPN] unique certificate for each secret or caller id
Replies: 2
Views: 1090

Re: [OPEN VPN] unique certificate for each secret or caller id

I am guessing you want something like this:
https://serverfault.com/questions/35885 ... in-openvpn

Sadly there is no way to config something like that on the RouterOS OpenVPN server. The OpenVPN server in RouterOS is very limited.
by Deantwo
Thu Jun 28, 2018 12:09 pm
Forum: Beginner Basics
Topic: OpenVPN client does not work after update to 2.4.6
Replies: 7
Views: 10102

Re: OpenVPN client does not work after update to 2.4.6

Wouldn't it make more sense to ask on the OpenVPN forum? Since it was an OpenVPN update that broke it anyway. Here: https://forums.openvpn.net/viewforum.php?f=6 I had an issue with the upgrading from OpenVPN 2.3.10 to 2.3.11 a couple of years ago, and that was fixed in a RouterOS update. See: https:...
by Deantwo
Thu Jun 07, 2018 5:13 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 190
Views: 145860

Re: VPNfilter official statement

how to determine if my router is infected? Back in the Urgent security advisory , it was said that upgrading your RouterOS version would remove "the bad files" on the device. I have not heard anywhere that this is not the case for all RouterOS upgrades, so I would assume that it remove al...
by Deantwo
Tue May 29, 2018 10:54 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 190
Views: 145860

Re: VPNfilter official statement

Technical details of the worm here : https://blog.talosintelligence.com/2018/05/VPNFilter.html Funny how it says that it is hard to defend against it because it is hard to upgrade router firmware on the devices. I am quite happy with how extremely easy it is to upgrade RouterOS on a MikroTik device...
by Deantwo
Sun Mar 25, 2018 2:31 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

So this is why have gotten notification emails from this thread all day. Sorry to hear you are shutting down Dave, but with what you explain it is understandable. I ended up making my own blacklist script last year, so I never actually used your service much more than as a test. But I at least want ...
by Deantwo
Tue Mar 13, 2018 11:48 am
Forum: General
Topic: RouterBOOT "auto-upgrade"!
Replies: 18
Views: 19203

Re: RouterBOOT "auto-upgrade"!

For example, just this week or so a change in 6.41 renumbered firmware to match the RouterOS release number. Except on older devices the upgrade firmware field showed up blank! This script would have looped forever, because the current firmware would never have matched the ("blank") upgra...
by Deantwo
Tue Mar 13, 2018 10:38 am
Forum: General
Topic: Script adding upgrade source
Replies: 8
Views: 3604

Re: Script adding upgrade source

Found an interesting read on this subject.
It was said back in 2010 that you can set upgrade-package-source via the API.
Here: Re: upgrade-package-source
/system/upgrade/upgrade-package-source/add
I'll have to test this when I have time.

EDIT 2021-11-23: Yeah I never got around to testing this.
by Deantwo
Fri Mar 02, 2018 11:50 am
Forum: Scripting
Topic: How to write string to a file using script ?
Replies: 5
Views: 14513

Re: How to write string to a file using script ?

your script is not working Your comment is not helping. Jokes aside. Helps if you tell me how it isn't working or what is going wrong. You might need a delay between creating the file and changing the content. # Create a file with specific content. { # Variables. :local filename "test.txt"...
by Deantwo
Wed Jan 17, 2018 4:11 pm
Forum: General
Topic: Block WinBox discovery from specific address
Replies: 7
Views: 4503

Re: Block WinBox discovery from specific address

I want to know if I can block the discovery from a specific address in my network so the router will be 10.0.0.1/24 my network is 10.0.0.0/24 but I will only see it in winbox from 10.0.0.10-10.0.0.20 all other computers in the network that aren't this address will not see it From the sound of it...
by Deantwo
Wed Jan 17, 2018 3:45 pm
Forum: General
Topic: How to communicate two networks one device?
Replies: 8
Views: 2532

Re: How to communicate two networks one device?

so ? Src. Address: 192.168.10.0/24 Dst. Address: 50.60.40.0/24 Dst. Address: 192.168.10.0/24 Src. Address: 50.60.40.0/24 Yes. /ip firewall filter add action=accept chain=forward comment="Allow connection between LANs" disabled=no src-address=50.60.40.0/24 dst-address=192.168.10.0/24 place...
by Deantwo
Tue Jan 09, 2018 4:35 pm
Forum: General
Topic: Block WinBox discovery from specific address
Replies: 7
Views: 4503

Re: Block WinBox discovery from specific address

It isn't good enough to just block neighbor discovery from an interface? It has to be a specific IP address?
/ip neighbor discovery set [find name=ether1] discover=no

Alternatively I'll ask why it is all on the same network if it has to be separate. Wouldn't it be easier to set up VLANs?
by Deantwo
Tue Jan 09, 2018 4:19 pm
Forum: General
Topic: Issue with Getting DHCP IP using Bridge interface.
Replies: 5
Views: 5950

Re: Issue with Getting DHCP IP using Bridge interface.

name="bridge2-LAN" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled mac-address=D4:CA:6D:5A:55:09 protocol-mode=rstp priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m Did you add any ports to the bridge? name...
by Deantwo
Tue Jan 09, 2018 12:31 pm
Forum: General
Topic: How to communicate two networks one device?
Replies: 8
Views: 2532

Re: How to communicate two networks one device?

that both a network and the other can access all its ports and ip addresses. That is the default on any router, there should be no issue with hosts on ether2 communicating with hosts on ether3. Unless you have firewall rules preventing the traffic. Or if the hosts are incorrectly configured on the ...
by Deantwo
Tue Jan 09, 2018 12:15 pm
Forum: General
Topic: double or triple NAT is bad?
Replies: 13
Views: 10389

Re: double or triple NAT is bad?

Old thread, but first google result on the topic. Another thing that makes many NAT routers a bad idea, is the fact each router performing NAT will have to keep a NATing table. It will take your router time to check the NAT table every time it has to forward a packet. Not to mention that in theory y...
by Deantwo
Tue Jan 09, 2018 11:31 am
Forum: General
Topic: no IKEv1 peer config for x.x.x.x [SOLVED]
Replies: 1
Views: 7646

Re: no IKEv1 peer config for x.x.x.x [SOLVED]

I found the issue. This is because the router is receiving IPsec requests from routers that aren't expected. The central router doesn't have an IPsec peer for the connecting client router. The sheer number of the log messages made me not even think about checking for old client routers with orphan IPs...
by Deantwo
Wed Jan 03, 2018 11:21 am
Forum: General
Topic: no IKEv1 peer config for x.x.x.x [SOLVED]
Replies: 1
Views: 7646

no IKEv1 peer config for x.x.x.x [SOLVED]

I just upgraded a central router that is running a lot of IPsec tunnels from RouterOS v6.36 to v6.40.5, but now I am getting a lot of IPsec log messages that don't quite make any sense to me. The tunnels appear to be working without issue, so it is mostly an annoyance. The log messages are: Jan/03/2...
by Deantwo
Thu Dec 28, 2017 1:30 pm
Forum: SwOS
Topic: Install SwOS on RouterOS [SOLVED]
Replies: 6
Views: 34871

Re: Install SwOS on RouterOS [SOLVED]

It worked nicely. I even found the option in the System -> Routerboard -> Settings menu of WinBox in case someone doesn't like to use the terminal.

But yes, please add that information to the manual page.
by Deantwo
Wed Dec 27, 2017 8:58 pm
Forum: SwOS
Topic: Install SwOS on RouterOS [SOLVED]
Replies: 6
Views: 34871

Re: Install SwOS on RouterOS [SOLVED]

Device already have RouterOS and SwOS, from RouterOS you can boot SwOS by typing in terminal:
/system routerboard settings set boot-os=swos
SwOS manual
It literally says that nowhere on the SwOS manual page. So thank you!
I will try it in the morning.
by Deantwo
Wed Dec 27, 2017 5:01 pm
Forum: SwOS
Topic: Install SwOS on RouterOS [SOLVED]
Replies: 6
Views: 34871

Install SwOS on RouterOS [SOLVED]

How do I install SwOS on a CRS326-24G-2S+ that has RouterOS installed? I have downloaded the swos-css326-2.7.bin file, but I have no idea what to do with it. RouterOS does not seem to detect the file on boot like it does RouterOS NKP-files. So how do I do this? Can I do it remotely? Do I have to use...
by Deantwo
Tue Aug 15, 2017 12:41 pm
Forum: General
Topic: Feature request: Netwatch parameters extension
Replies: 7
Views: 3754

Re: Feature request: Netwatch parameters extension

Bump.

Fully featured ping-like Netwatch would be very nice.
For example:
  • src-interface
  • src-address
  • routing-table
Quite tired of having to make a static route just to specify a source IP address.
by Deantwo
Fri Jul 14, 2017 4:06 pm
Forum: Announcements
Topic: v6.39.2 [current]
Replies: 122
Views: 57632

Re: v6.39.2 [current]

Problem already solved in v6.40rc now DPD logs have ipsec,debug topics.
Ah awesome, thank you. I guess I haven't tried the newest version of the release candidates.

I didn't even know those logs were from the DPD, but with the snippet I just got I can see that it is.
by Deantwo
Thu Jul 13, 2017 8:26 pm
Forum: Announcements
Topic: v6.39.2 [current]
Replies: 122
Views: 57632

Re: v6.39.2 [current]

Not really sure where is the problem, if you do not want to see ispec logs, then remove/disable this entry add action=ipsec topics=ipsec,!debug That would leave the logging action unused. IPsec logging messages used to have the topic "info,ipsec", which meant they would show up in the inf...
by Deantwo
Thu Jul 13, 2017 4:16 pm
Forum: Announcements
Topic: v6.39.2 [current]
Replies: 122
Views: 57632

Re: v6.39.2 [current]

IPsec is still creating a lot of what looks like debug log messages. I have had this logging for a long time, but with the newer versions of RouterOS it is now useless. /system logging action add memory-lines=100 name=ipsec target=memory /system logging add action=ipsec topics=ipsec,!debug Now I jus...
by Deantwo
Thu Jul 06, 2017 11:29 am
Forum: General
Topic: Certificate Thumbprint [SOLVED]
Replies: 1
Views: 1376

Certificate Thumbprint [SOLVED]

I seem to be unable to compare the certificate fingerprint in RouterOS with the certificate thumbprint found in the Windows Certificate Store. I am not fully versed in what the difference is between the two, but I am guessing RouterOS simply doesn't have the same kind of identifier? Is certificate t...
by Deantwo
Fri Jun 23, 2017 12:06 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

Minor typo in the 4th line. ##### Update your path, is you are using a USB Flash or other storage I am thinking you meant to say " if you are using" By the way, why is the default path "disk1/dynamic.rsc"? Anyway, fun fun. I hadn't tried this before: jun/23/2017 10:50:44 system,e...
by Deantwo
Tue Jun 13, 2017 3:13 pm
Forum: General
Topic: Best Way to Change Static IP Address Remotely
Replies: 5
Views: 4052

Re: Best Way to Change Static IP Address Remotely

Yeah, so I can set the WAN interface to have both the old and the new IP addresses at the same time. So in theory the ISP could just change the IP address of the gateway or whatever. Can you please elaborate on the scenario? I thought you were the ISP. I mean "suddenly change" as in the I...
by Deantwo
Mon Jun 12, 2017 1:01 pm
Forum: General
Topic: Best Way to Change Static IP Address Remotely
Replies: 5
Views: 4052

Re: Best Way to Change Static IP Address Remotely

It is possible to set multiple IP addresses on an interface in RouterOS, and I can set a second default gateway that will be ignored because an active route to that IP (0.0.0.0/0) already exist. The key point here is distance Yeah, but having two routes with the same distance still seems to only ma...
by Deantwo
Mon Jun 12, 2017 12:49 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

Hello Dave, The script has the ?, when pasted in terminal it disappears. The log only has an entry of- script error: expected command name (line 1 column 1) The downloaded dynamic.rsc only has one line- All fields are required. Please update your script. That would mean that you need the current sc...
by Deantwo
Mon Jun 12, 2017 10:26 am
Forum: General
Topic: Best Way to Change Static IP Address Remotely
Replies: 5
Views: 4052

Best Way to Change Static IP Address Remotely

I every so often get the task of preparing for a WAN IP address change on a remote router. Often the change happens outside of business hours, and we of course want the least amount of downtime. Failing at this could leave the router unreachable and require a technician to go to the location to manu...
by Deantwo
Mon May 22, 2017 1:44 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

1. Why there are 2 schedules? And if there are 2 it can't have the same name as in your example. /system scheduler add interval=1d name=UpdateBlackList on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \ start-date=jan/01/1970 ...
by Deantwo
Tue May 16, 2017 11:01 am
Forum: Announcements
Topic: v6.39.1 [current]
Replies: 158
Views: 58606

Re: v6.39.1 [current]

Upgrade 3x CCR1016-12G and my tunnels base on IPSec are down... I also upgraded a CCR1016-12G to RouterOS v6.39.1, and the IPsec tunnel stopped working. From what I could see in the Installed SAs , it was not receiving anything even though the other end was transmitting. Upgrading the router in the...
by Deantwo
Thu May 04, 2017 10:43 am
Forum: General
Topic: Multiple CA Certificates for OpenVPN
Replies: 3
Views: 2097

Re: Multiple CA Certificates for OpenVPN

Or is it maybe possible to have multiple Ovpn Servers configured on the same router?
by Deantwo
Tue May 02, 2017 5:06 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

I think it is going wrong with the URL containing (maybe unknown) variables. Out of curiosity, what does your router say to the following if you paste it in the terminal? :put [/system resource get board-name] :put [/system resource get version] :put [/system resource get total-memory] :put [/syste...
by Deantwo
Tue May 02, 2017 11:14 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

Can you give me an update URL without or with preset variables? ... I think it is going wrong with the URL containing (maybe unknown) variables. Like this? /tool fetch mode=https dst-path="/dynamic.rsc" url="https://mikrotikfilters.com/download.php\?get=dynamic&model=750&vers...
by Deantwo
Tue May 02, 2017 10:43 am
Forum: Announcements
Topic: v6.40rc [release candidate] is released!
Replies: 231
Views: 77445

Re: v6.40rc [release candidate] is released!

*) ipsec - optimized logging under IPSec topic;
Hoping that means no more spammy "R_U_THERE" log messages.
Not sure when I can give this version a try though.
by Deantwo
Mon Apr 24, 2017 2:18 pm
Forum: General
Topic: v6.39rc80 [release candidate] is released!
Replies: 63
Views: 22540

Re: v6.39rc76 [release candidate] is released!

I am still receiving large amounts of spammy debug log messages while I have an active IPsec tunnel. 12:59:22 ipsec receive Information. 12:59:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 12:59:22 ipsec sendto Information notify. 12:59:22 ipsec sendto Information notify. 12:59:22 ipsec receive Informati...
by Deantwo
Wed Mar 22, 2017 10:46 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

Your issue is that the router simply didn't complete the download. Today's download is 603k. If it's getting cut off, you may want to see if your ISP is trying to proxy ssl connections. Ok yeah, maybe I was a little hasty to my conclusion. I am able to download the file just fine from the company ne...
by Deantwo
Tue Mar 21, 2017 9:44 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

Something seems to have gone wrong. I am receiving incomplete "dynamic.rsc" files, ending in the middle of an address-list entry add command. Example: # Generated on Mon Mar 20 04:00:54 PDT 2017 by Intrus Technologies /ip firewall address-list add list=dynamicBlacklist address=1.10.16.0/20...
by Deantwo
Tue Mar 14, 2017 10:14 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

And, if you are interested, here are my filter rules: /ip firewall address-list add address=172.16.0.0/16 list=PrivateIPs add address=10.0.0.0/8 list=PrivateIPs add address=192.168.0.0/16 list=PrivateIPs Found a little error in your provided example firewall. Incorrect netmask for the 172 private r...
by Deantwo
Tue Mar 14, 2017 9:50 am
Forum: Announcements
Topic: v6.38.5 [current]
Replies: 66
Views: 40622

Re: v6.38.5 [current]

Shouldn't these log messages be part of debug topic? 12:59:22 ipsec receive Information. 12:59:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 12:59:22 ipsec sendto Information notify. 12:59:22 ipsec sendto Information notify. 12:59:22 ipsec receive Information. 12:59:22 ipsec xxx.xxx.xxx.xxx notify: R_U...
by Deantwo
Thu Mar 09, 2017 5:13 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

As for the schedule, you will have to play with it. It was originally setup back when the routers didn't store the date and time over a reboot, so on first boot the date and time was "1970-01-01 00:00:00". RouterOS seems to have some issues with startup scripts, and I haven't had time to ...
by Deantwo
Thu Mar 09, 2017 4:45 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

I use the identity to group the routers for stats and troubleshooting. Example; all of my routers ID's start with "Intrus :: " this allows me to sort them and quickly track down problems. While it's not currently required, it really is the only method that I have to keep track of how many...
by Deantwo
Thu Mar 09, 2017 4:33 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

When testing it I also found that the address-list entry timeout don't quite match up with what you say in the opening post. It states that the address-list entries are dynamic with a 48 hour timeout, but the file I am getting shows them having a 24 hour timeout. Shouldn't this at least be 25 hours...
by Deantwo
Thu Mar 09, 2017 2:35 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212082

Re: Blacklist Filter update script

Looks like a very interesting system you got here. I know it has been running fine for soon 2 years I guess, but I do have a few small suggestions for your update script. You should escape the "?" in the URL ("\?") Add brackets around the script ("{ }") Add a ":put...
by Deantwo
Mon Jan 23, 2017 11:45 am
Forum: Scripting
Topic: Meaning of script
Replies: 1
Views: 1320

Re: Meaning of script

/put "### Setting up hotspot ###" /ip hotspot add address-pool=[/ip pool get number=0 value-name=name] disabled=no idle-timeout=none interface=[/interface bridge get 0 value-name=name] name=hotspot-mywifi profile=profile-mywifi addresses-per-mac="" /delay 5s The " [/ip pool...
by Deantwo
Mon Oct 17, 2016 1:32 pm
Forum: Scripting
Topic: count "unreplied" connections
Replies: 1
Views: 1353

Re: count "unreplied" connections

I was just wondering about this myself.
It does not seem to be possible to find "unreplied" flags.
/ip firewall connection print count-only where unreplied
However find where assured is possible:
/ip firewall connection print count-only where assured
by Deantwo
Fri Sep 30, 2016 12:00 pm
Forum: Announcements
Topic: Winbox 3.6 released!
Replies: 25
Views: 18230

Re: Winbox 3.6 released!

*) fixed problem where initial configuration window was shown twice on first connect;
THANK YOU!
This will make mass configuration so much easier next time. ^^
by Deantwo
Thu Sep 29, 2016 12:46 pm
Forum: Scripting
Topic: Adding scheduler 'on-event' two line script problem.
Replies: 2
Views: 2478

Re: Adding scheduler 'on-event' two line script problem.

$api->comm('/system/scheduler/add', array( "name" => 'upgrade_system', "interval" => '5s', "on-event" => "/system scheduler remove upgrade_system. /system identity set name='system upgraded'" )); I am just about to attempt something similar in one of my appli...
by Deantwo
Mon Sep 19, 2016 5:05 pm
Forum: Announcements
Topic: v6.36.3 [current] is released!
Replies: 43
Views: 24505

Re: v6.36.3 [current] is released!

I've upgraded my RB433AH to v6.36.3 [current] is released, and now I see that the ports are on different group. ether1 PoE now is ether 2, ether2 now is ether1, just ether 3 is same. The new version did that or??? Thanks What version did you upgrade from? Did you confirm the default-names are th...
by Deantwo
Tue Sep 13, 2016 11:41 am
Forum: General
Topic: write a dynamic script?
Replies: 1
Views: 898

Re: write a dynamic script?

You should ask in the Scripting sub-forum instead. Or maybe a moderator can move this thread? Well, without a better example of the code you want to change, it will be a little hard to help. But it is possible to change a script using a script I guess. Something like this maybe: /system script :loca...
by Deantwo
Tue Sep 13, 2016 11:26 am
Forum: Scripting
Topic: How to add entries to SSH ACL
Replies: 2
Views: 1559

Re: How to add entries to SSH ACL

To concatenate an element to an array, do this:
:put ({1;2;3} , 5 )
For more information, see: For your specific case, this should do:
/ip service
set ssh address=([get ssh address] , "2.2.2.0/24")
by Deantwo
Mon Sep 12, 2016 6:37 pm
Forum: General
Topic: looking for a little help
Replies: 3
Views: 1335

Re: looking for a little help

yes but portting is not what we are trying. i have one ip (23.67.207.*) i need it to point our ip 23.67.207.* ------------------- 10.24.24.2 (dns) 10.24.24.3 (webber1) 10.24.24.4 webber2 10.24.24.5 webber3 10.24.24.6 webber4 Webber are server on our network, they have have to 443,80,25,etc open so ...
by Deantwo
Mon Sep 12, 2016 6:14 pm
Forum: Scripting
Topic: Netwatch...
Replies: 5
Views: 2474

Re: Netwatch...

Two default gateways with different distances do not always work as expected and has a few disadvantages: - you have to know the address of the default gateway and it has to be always the same If you are getting a default gateway via DHCP, you can specify the distance of it. For example: /ip dhcp-c...
by Deantwo
Fri Sep 09, 2016 9:45 am
Forum: Scripting
Topic: Wanting to send Backup to a VM running Linux needing help
Replies: 3
Views: 1374

Re: Wanting to send Backup to a VM running Linux needing help

# FTP Backup (2014.10.21) { # Get and process time. :local timeString [/system clock get time] :set timeString ([:pick $timeString 0 2] . [:pick $timeString 3 5] . [:pick $timeString 6 8]) # Get and process date. :local dateString [/system clock get date] :set dateString ([:pick $dateString 7 11] ....
by Deantwo
Thu Sep 08, 2016 9:20 pm
Forum: Scripting
Topic: Wanting to send Backup to a VM running Linux needing help
Replies: 3
Views: 1374

Re: Wanting to send Backup to a VM running Linux needing help

Setup a FTP server on the Linux machine and use the fetch command to upload the backup file. Like this: /tool fetch upload=yes mode=ftp address=1.1.1.1 user="USERNAME" password="PASSWORD" src-path="BACKUP.FILE" dst-path="BACKUP.FILE" See the wiki page for more...
by Deantwo
Thu Sep 08, 2016 4:50 pm
Forum: General
Topic: IPsec Between two Mikrotiks
Replies: 3
Views: 1286

Re: IPsec Between two Mikrotiks

When you are doing pings from router itself, specify correct source address. Like this: :ping 192.168.88.243 src-address=192.168.1.1 (If I got the IP addresses correct) Alternatively, try to ping from your computer rather than the router itself. Pinging from the router itself can cause some issues wh...
by Deantwo
Thu Sep 08, 2016 4:29 pm
Forum: Scripting
Topic: Second opinion on script
Replies: 2
Views: 1270

Re: Second opinion on script

{ # Specify the BGP advertised subnet to check for :local subnet "10.2.0.0/20" # Specify the name of the VRRP interface to work with :local vrrpInterface1 "vrrp-v4" :local vrrpInterface2 "vrrp-v6" # Specify the priority the $vrrpInterface should get once the BGP routes...
by Deantwo
Thu Sep 08, 2016 4:15 pm
Forum: Scripting
Topic: Other variables pinging
Replies: 4
Views: 1681

Re: Other variables pinging

Thank you for answering, but what I want is to get the average response time (avg-rtt)
I don't know if there is a way to get that.
But I know that it at least isn't possible with the ":ping" command, as I demonstrated above.
by Deantwo
Thu Sep 08, 2016 10:25 am
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 3283

Re: Cancel Paste to Terminal [SOLVED]

I think I just found the ultimate answer to this question of mine. /quit Using this in the terminal instantly disconnects you and stops further pasting. As an added bonus, it leaves the terminal window open, so you can actually see what happened and even give feedback to the user. So I wrote this in m...
by Deantwo
Wed Sep 07, 2016 5:58 pm
Forum: General
Topic: failure on import config file
Replies: 7
Views: 2916

Re: failure on import config file

You could just use the menu instead of the terminal, it is a bit easier. Once you actually made it work, export the RoMON configuration. /tool romon export This will give you the commands needed to apply it on another router. Apart from that I can't help much more, since I actually don't know what t...
by Deantwo
Wed Sep 07, 2016 5:13 pm
Forum: Scripting
Topic: Other variables pinging
Replies: 4
Views: 1681

Re: Other variables pinging

Using the ping command like that in the terminal only returns the number of successful pings. For example this: [admin@MikroTik] > :global test [:ping 8.8.8.8 count=5] SEQ HOST SIZE TTL TIME STATUS 0 8.8.8.8 56 47 16ms 1 8.8.8.8 56 47 15ms 2 8.8.8.8 56 47 15ms 3 8.8.8.8 56 47 15ms 4 8.8.8.8 56 47 15...
by Deantwo
Wed Sep 07, 2016 4:55 pm
Forum: General
Topic: Undocumented feature (bug?) in script scheduler
Replies: 2
Views: 875

Re: Undocumented feature (bug?) in script scheduler

The name of the script was "disableNigthSurfing". When I changed the name of this script into "DenyNightSurfing", everything started to work fine. It is case sensitive, so maybe you had written "DisableNigthSurfing" in the scheduler? Without actually seeing the errored...
by Deantwo
Wed Sep 07, 2016 4:45 pm
Forum: General
Topic: failure on import config file
Replies: 7
Views: 2916

Re: failure on import config file

"failure: can not have multiple enabled entries with same interface" Can't have two entries with the same interface. Sounds pretty self explanatory. Check if there isn't an entry defined with "interface=all" by default, and if there is, simply remove that line from your configur...
by Deantwo
Wed Sep 07, 2016 12:54 pm
Forum: General
Topic: looking for a little help
Replies: 3
Views: 1335

Re: looking for a little help

Does the router have a masquerade NAT rule?
Have you port forwarded to the servers?

For information, see:
by Deantwo
Tue Sep 06, 2016 4:50 pm
Forum: General
Topic: Multiple CA Certificates for OpenVPN
Replies: 3
Views: 2097

Multiple CA Certificates for OpenVPN

Is it at all possible to use two different certificates at the same time in RouterOS's Ovpn Server implementation? I am attempting to phase out an old CA and replace it with a new one slowly, but I can't seem to find a way to do this without using a second router. On the OpenVPN forum it was suggest...
by Deantwo
Tue Sep 06, 2016 4:02 pm
Forum: Scripting
Topic: How to write string to a file using script ?
Replies: 5
Views: 14513

Re: How to write string to a file using script ?

# Create a file with specific content. { # Variables. :local filename "test.txt" :local content "This is a test." # Create file. /file print file=$filename # Set file's content. /file set $filename contents=$content } Be aware that there is a maximum file size that RouterOS will...
by Deantwo
Tue Sep 06, 2016 3:49 pm
Forum: Scripting
Topic: /system upgrade upgrade-package-source
Replies: 2
Views: 3067

Re: /system upgrade upgrade-package-source

It is impossible to do this using a script. The only ways to configure upgrade-package-source is by copy-pasting to terminal or using the WinBox interface. For more information, see: http://forum.mikrotik.com/viewtopic.php?f=2&t=26108 . To add it using copy-paste, do the following: /system upgra...
by Deantwo
Tue Sep 06, 2016 3:43 pm
Forum: Scripting
Topic: Netwatch...
Replies: 5
Views: 2474

Re: Netwatch...

Of course, the netwatch is able to reach 8.8.8.8 through the second link, so it is "up" again. You cannot specify an out-interface using netwatch. It would be much easier to just make two default routes. Like this: /ip route add distance=1 gateway=1.1.1.1%Wan1 check-gateway=ping add distan...
by Deantwo
Tue Sep 06, 2016 3:33 pm
Forum: General
Topic: port forward lost source ip
Replies: 3
Views: 1736

Re: port forward lost source ip

the port forward is ok but all ssh request have source ip 192.168.10.1 . is possible preserve original public ip that request ssh (ex 3.3.3.3 to 192.168.10.200) Sounds like your masquerade rule is the cause. You should only let the masquerade rule apply to traffic leaving your WAN interface. For ex...
by Deantwo
Tue Sep 06, 2016 2:56 pm
Forum: Scripting
Topic: failover two wan + routing policy
Replies: 4
Views: 1716

Re: failover two wan + routing policy

I would use this script for failover http://wiki.mikrotik.com/wiki/Failover_Scripting Is there any reason you aren't just using that then? Even more so the corrected version I already gave you. See: http://forum.mikrotik.com/viewtopic.php?f=9&t=109691#p544520 i need that all connection go to wa...
by Deantwo
Mon Sep 05, 2016 1:07 pm
Forum: Scripting
Topic: c# api command to update the hotspot user pless
Replies: 1
Views: 1194

Re: c# api command to update the hotspot user pless

Which C# API? Update a hotspot user in what way? What is it you want to change? The API commands you'll likely need is something like this: "/ip/hotspot/set" "=.id=" + userId "=password=" + newPassword "=email=" + newEmail ".tag=deantwowashere" The &...
by Deantwo
Mon Sep 05, 2016 12:09 pm
Forum: Announcements
Topic: Winbox 3.5 released!
Replies: 19
Views: 18705

Re: Winbox 3.5 released!

I just finished configuring a large batch of routers, all of which opened two "RouterOS Default Configuration" dialog boxes.
This is not a new problem though, as it was also there before the v3.5 update.

Anyone else seeing this after resetting the configuration of a router?
by Deantwo
Mon Aug 29, 2016 2:06 pm
Forum: Announcements
Topic: v6.36.2 [current] is released!
Replies: 54
Views: 27204

Re: v6.36.2 [current] is released!

http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack You should maybe move that wiki page to "Manual:Fasttrack" instead, the multiple instances of the word "wiki" looks silly. Or maybe "Manual:Firewall/Fasttrack" would be better? Also, why doesn't the page explain how t...
by Deantwo
Mon Aug 29, 2016 12:49 pm
Forum: Scripting
Topic: Scripting Ideas ??
Replies: 25
Views: 6641

Re: Scripting Ideas ??

Hi Sinan, i need help with this script: :local phone "android"; :local telefon value=[/ip dhcp-server lease find dynamic=yes host-name~$phone]; :foreach looping in=$telefon do={ :local mac value=[/ip dhcp-server lease get $looping value-name=active-mac-address]; /ip firewall filter add ch...
by Deantwo
Mon Aug 22, 2016 12:49 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 10
Views: 8955

Re: Making Imported Certificate into a Certificate Authority

Ok, I seem to have found the issue. The old third-party certificate program that I have been using for the past 6 years doesn't actually check certificate KeyUsage bits. So in short, my CA doesn't have the KeyCertSign KeyUsage bit set! MikroTik is doing the correct thing in disallowing my certific...
by Deantwo
Mon Aug 22, 2016 12:43 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 10
Views: 8955

Re: Making Imported Certificate into a Certificate Authority

Ok, been doing some more research and testing of older RouterOS versions. RouterOS was seemingly not able to make/issue certificates before around version 6.10. The checkbox that was labeled "CA" seem to have just been "Trust" before it was renamed in version 6.3. I have attempte...
by Deantwo
Fri Aug 19, 2016 1:17 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 10
Views: 8955

Re: Making Imported Certificate into a Certificate Authority

My current workaround has been to create a new self-signed certificate as CA and use that for all future certificate issuing, then leave the old imported CA along side it as backward compatibility until the day I can phase it out. Mmh, this may not be a valid solution anyway. It doesn't appear to b...
by Deantwo
Thu Aug 18, 2016 2:10 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 10
Views: 8955

Re: Making Imported Certificate into a Certificate Authority

AFAIK you CAN generate a self signed CA, but you need to generate it on the router itself.
Then it will show up as a CA.
Yeah that is what I mean.

I can however create a self-signed certificate on one router, export it, and import it into another router while still having it keep the CA status.
by Deantwo
Thu Aug 18, 2016 12:28 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 10
Views: 8955

Re: Making Imported Certificate into a Certificate Authority

But they still work. If you have a trusted CA imported as a simple certificate, it will still verify e.g. a remote SSTP certificate, it just will not show up as a CA. True, it has been working for a long time now like this. However now I actually want to use the certificate as a CA by issuing certi...
by Deantwo
Thu Aug 18, 2016 8:09 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: hotspot & queues user speed limit after x download scripts

I have just never used simple queues, and haven't had time recently to look into it.
I am however sure that someone else has done this before, or maybe simple queues can do this with built-in features?
by Deantwo
Tue Aug 16, 2016 10:12 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: how to make user bytes out statistics calculate with active user to limit user download

hello Deantwo i hope ur fine
i have a request
can u do the same script for pppoe ?
What does PPPoE have to do with Hotspot Users?
But maybe, will have to look at it when I have time.
by Deantwo
Fri Aug 12, 2016 1:08 pm
Forum: General
Topic: Removing (deleting) issued certificates
Replies: 5
Views: 30254

Re: Removing (deleting) issued certificates

The wiki states this. Here: http://wiki.mikrotik.com/wiki/Manual:System/Certificates#FAQ No idea why it is like this. I can't create a new certificate with the same name as a revoked certificate, unless I renamed the revoked certificate first. But either way, this will end up cluttering the certific...
by Deantwo
Thu Aug 11, 2016 5:02 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 10
Views: 8955

Re: Making Imported Certificate into a Certificate Authority

Looking a little more around on the forum, and there really is no good search results for "Certificate Authority". Testing a little with my certificate and comparing it to a self-signed certificate on a MikroTik, I only see a difference between the two certificates on the "Key Usage&q...
by Deantwo
Thu Aug 11, 2016 4:43 pm
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 3283

Re: Cancel Paste to Terminal [SOLVED]

Anyway, this is a little off topic. ^^; Why is this off topic? When the reset-configuration would be able to import a .rsc file with slight problems, your whole issue of pasting text in a window would not exist! Ah, now I see what you mean. I have been thinking about that, but like I wrote above, t...
by Deantwo
Thu Aug 11, 2016 4:04 pm
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 3283

Re: Cancel Paste to Terminal [SOLVED]

Not being able to import a .rsc file if it has even the slightest error is a problem that I have raised as an issue again, and the reply is that they are looking into a solution for that. Also a method of reporting errors in the processing (while continuing with the next statement) E.g. when you tr...
by Deantwo
Thu Aug 11, 2016 3:14 pm
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 3283

Re: Cancel Paste to Terminal [SOLVED]

Embed your configuration and interruption code in a /system script and execute this script as last part of your to-be-pasted text. That would only work if the whole configuration script is error-free. Pasting to terminal gives you the advantage of allowing errors in the script, which can be useful ...
by Deantwo
Thu Aug 11, 2016 11:45 am
Forum: Scripting
Topic: Cancel Paste to Terminal [SOLVED]
Replies: 7
Views: 3283

Cancel Paste to Terminal [SOLVED]

I have a rather long initial router configuration script that is used to setup new routers. The script assumes that that router is void of any configuration and all you have to do is set a few variables at the top and then paste the whole script into the terminal. Some times the technician that is t...
by Deantwo
Wed Aug 10, 2016 5:03 pm
Forum: General
Topic: Making Imported Certificate into a Certificate Authority
Replies: 10
Views: 8955

Making Imported Certificate into a Certificate Authority

After fiddling with how to actually import a certificate for a while, I am now ready to use it. Or so I thought. It turns out that MikroTik doesn't consider my certificate an "authority", even though it has been used for that for a good number of years outside of MikroTik. The http://wiki...
by Deantwo
Wed Aug 10, 2016 4:39 pm
Forum: General
Topic: Importing PKCS#12 Certificate [SOLVED]
Replies: 1
Views: 5705

Re: Importing PKCS#12 Certificate [SOLVED]

I managed to import the certificate by... well... I actually didn't manage to import the PKCS#12 certificate, I had to instead use a PEM certificate. [admin@MK] > certificate [admin@MK] /certificate> import file-name=ca.pem passphrase=1234 certificates-imported: 1 private-keys-imported: 0 files-impo...
by Deantwo
Tue Aug 09, 2016 4:04 pm
Forum: General
Topic: Importing PKCS#12 Certificate [SOLVED]
Replies: 1
Views: 5705

Importing PKCS#12 Certificate [SOLVED]

I have a PKCS#12 certificate that I would like to import into my MikroTik router, but it simply fails with "decryption-failures: 1" and nothing else. I know the passphrase is correct, because I wrote it myself and am able to install the certificate on my windows computer without issue. I h...
by Deantwo
Wed Aug 03, 2016 12:12 pm
Forum: General
Topic: shared openvpn server with differents sub-network
Replies: 1
Views: 868

Re: shared openvpn server with differents sub-network

I use static IP addresses on my OpenVPN secrets, so there it is very easy to just make firewall rules to limit what each OpenVPN user can access. I have not attempted to use DHCP on OpenVPN tunnels yet, so I do not know if that is possible. But I think it would be possible if you just make sure that...
by Deantwo
Thu Jul 28, 2016 3:28 pm
Forum: Scripting
Topic: Problem with Script On Login
Replies: 4
Views: 2018

Re: Problem with Script On Login

The issue seems to be that  $"mac-address " is a system variable, and system variable can act VERY odd. If you put it into a local variable right away it seems to work much better. Try this: /ip hotspot user {    :local macA $"mac-address"    :local dateToday [/system clock get d...
by Deantwo
Thu Jul 21, 2016 11:50 pm
Forum: Scripting
Topic: Run backup file by script
Replies: 7
Views: 3866

Re: Run backup file by script

Here's mine.  Backup and export, and E-Mail both to one of my addresses.
I don't how that is related to OP's problem.
The OP is trying to do the opposite of what your script does.

I think.
by Deantwo
Thu Jul 21, 2016 3:52 pm
Forum: General
Topic: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled
Replies: 9
Views: 4089

Re: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled

When I write IP Tunnel or GRE Tunnel I mean: IP Tunnel or GRE Tunnel.
I honestly don't know how that would require further explanation or would suggest EOIP Tunnel.
I just don't know much about those two, and guess I was confused.
Anyway, I will look into it, thanks.
by Deantwo
Thu Jul 21, 2016 11:35 am
Forum: General
Topic: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled
Replies: 9
Views: 4089

Re: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled

Not with only that config, because it will only handle the traffic for that /30. But with that, you can add an IP Tunnel or GRE Tunnel interface with endpoints from that /30 on both sides, and then you have a plain interface that can route all IP traffic depending on the contents of the route table...
by Deantwo
Thu Jul 21, 2016 10:37 am
Forum: General
Topic: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled
Replies: 9
Views: 4089

Re: IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled

To explain: you can add another IPsec policy (first) that specifies 172.16.14.0/24 as source and destination and has the setting action=none. I know OP figured it out, but I just wanna give a code sample so people know what to do in the future. Since I just had the same problem yesterday. /ip ips...
by Deantwo
Wed Jul 20, 2016 11:39 am
Forum: Scripting
Topic: Help me to complete the script
Replies: 6
Views: 1965

Re: Help me to complete the script

The script already has a loop but you pass the wrong info to the SMS tool. It should be phone-number=$r You are correct. But it also seems like the array isn't being defined correctly since the foreach treats it as one long string. Array elements have to be separated with semi-colons when being def...
by Deantwo
Wed Jul 20, 2016 11:30 am
Forum: Scripting
Topic: problem using mikrotik api
Replies: 1
Views: 998

Re: problem using mikrotik api

I am guessing you didn't read anything about how the MikroTik API works at all. If you are gonna be using the API, I suggest you give the manual page a read before continuing. You can find it here: wiki.mikrotik.com/wiki/Manual:API mikrtoik->comm('/ip/hotspot/active/remove/numbers=[/ip/hotspot/activ...
by Deantwo
Wed Jul 20, 2016 11:08 am
Forum: Scripting
Topic: failover script
Replies: 4
Views: 2394

Re: failover script

hello, thanks for suggestion... but the script don't work. I have this error: :set PingResult [ping $PingTarget count=1 interface=$InterfaceISP2] syntax error (line 1 column 6) any suggestion? Did you define PingResult first? If you wanna use this script in the console, you need to add { } around t...
by Deantwo
Fri Jul 01, 2016 1:50 pm
Forum: Scripting
Topic: Scripting Ideas ??
Replies: 25
Views: 6641

Re: Scripting Ideas ??

but I would like to sent them to upstream provider blackhole :) Weird way of doing it, but ok. Try this: {    :local ddosedList [/ip firewall address-list find list=ddosed]    :foreach ddosedEntry in=$ddosedList do={        :local ddosedIp [/ip firewall address-list get $ddosedEntry address]       ...
by Deantwo
Fri Jul 01, 2016 11:08 am
Forum: Scripting
Topic: Scripting Ideas ??
Replies: 25
Views: 6641

Re: Scripting Ideas ??

some script will take ddosed ip's from /ip firewall address-list and will add this to black hole like this /ip route add bgp-communities=1111:333 comment=ddosed distance=1 dst-address="$id/32" type=blackhole i would like to run this every 5min and it will check again if ip removed from dd...
by Deantwo
Thu Jun 30, 2016 4:48 pm
Forum: Scripting
Topic: Scripting Ideas ??
Replies: 25
Views: 6641

Re: Scripting Ideas ??

can you help me for some scripting ?
What are you looking for?
by Deantwo
Thu Jun 30, 2016 9:56 am
Forum: Scripting
Topic: Music to my ears
Replies: 3
Views: 5448

Re: Music to my ears

Ooh looks awesome. But I probably shouldn't try those during work hours. ^^; All I have made is this: # Morse code: IDIOT { :local dot 200ms :local dash 600ms :beep length=$dot :delay $dot :beep length=$dot :delay $dash :beep length=$dash :delay $dot :beep length=$dot :delay $dot :beep length=$dot :...
by Deantwo
Thu Jun 30, 2016 9:47 am
Forum: Scripting
Topic: Customer have a power for change his password
Replies: 7
Views: 1804

Re: Customer have a power for change his password

You could make your own PHP script that uses the MikroTik API.

See: But unless you are a web developer, it may be easier to go with the Usermanager as normis said.
by Deantwo
Thu Jun 30, 2016 9:34 am
Forum: Scripting
Topic: Run backup file by script
Replies: 7
Views: 3866

Re: Run backup file by script

The full command as below /user add name=admin1 group=full /system backup  save name=emac dont-encrypt=yes password=P@ssword /system ssh address=192.168.88.1 user=admin1 "/system backup load name=emac.backup password=P@ssword Run fine in terminal command, but cant to use "/system ssh"...
by Deantwo
Wed Jun 29, 2016 4:13 pm
Forum: Scripting
Topic: Automated Script for Checking PPPoE Client Status
Replies: 2
Views: 11384

Re: Automated Script for Checking PPPoE Client Status

At a glance it would seem like the first script (DSL CHECK STATUS START) goes into an endless loop until it detects a failure, and that is without having fully looked at how the flow goes if it does detect a failure. Looking at the "System -> Scripts -> Jobs tab" menu must be scary. Why ar...
by Deantwo
Wed Jun 29, 2016 4:03 pm
Forum: Scripting
Topic: Run backup file by script
Replies: 7
Views: 3866

Re: Run backup file by script

I do not believe it is possible to use "/system ssh" from a script since it will prompt for a password. Much like the same issues with upgrade-package-source. Running a script containing: /system ssh 127.0.0.1 "/ip address print" user=admin Seems to fail silently. The log...
by Deantwo
Wed Jun 29, 2016 2:33 pm
Forum: Scripting
Topic: Global variables and user permission Policy
Replies: 7
Views: 4080

Re: Global variables and user permission Policy

if possible, it would be a nice idea to try that solution. Loading: # Load variables from static DNS. :global bandwidthsource :global switchseconds :if ([:len $bandwidthsource] = 0 || [:len $switchseconds] = 0) do={    /ip dns static {        :set bandwidthsource        :set switchseconds        :l...
by Deantwo
Wed Jun 29, 2016 11:14 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 4993

Re: Can't change Global variable with API

Something as simple as: :global stat "test" :log warning $stat :beep Seems to fail to actually create the global variable. Almost as if it is treated as a local variable. This seems to just fail to run: :set stat "test" :log warning $stat :beep Even if the global variable exists. S...
by Deantwo
Wed Jun 29, 2016 10:59 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 4993

Re: Can't change Global variable with API

Ok, Finally got to test it using the API, and I am able to reproduce your issue. But I have to fiddle a little with users and permissions to test it fully. Script I am using: :global stat {    :if ($stat=1) do={        :set stat 0        :beep length=1    } else={        :set stat 1        :beep len...
by Deantwo
Wed Jun 29, 2016 10:41 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 4993

Re: Can't change Global variable with API

The $s are correct, the "if" statement however was missing a space. How comes the following statements (with and without $ ) are both correct? {:set $stat 0} {:set stat 1} I don't know, but according to the manual and my experience, when you set or define a variable you should not prefix i...
by Deantwo
Wed Jun 29, 2016 9:50 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 4993

Re: Can't change Global variable with API

I try the run a script with API and the variable is modify by the script.. not to use api to modify the  variable ... I went by the title of your thread when I quoted that, sorry. So are you even sure that the script is even run? What is the code you use to run the script? To run a script in one of...
by Deantwo
Wed Jun 29, 2016 9:46 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 4993

Re: Can't change Global variable with API

:if($stat=1)  do={:set $stat 0} else={:set stat 1} Not sure it is important, but the use of $ sign here looks inconsistent. The $s are correct, the "if" statement however was missing a space. This works: :global stat { :if ($stat=1) do={:set $stat 0} else={:set stat 1} :put $stat } .I miss...
by Deantwo
Wed Jun 29, 2016 8:33 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 4993

Re: Can't change Global variable with API

What permissions does the API user have?
What permissions does the script have?
Which user is the owner of the script?

We just talked about this in another thread.
Here: http://forum.mikrotik.com/viewtopic.php?f=9&t=109696
by Deantwo
Wed Jun 29, 2016 8:31 am
Forum: Scripting
Topic: Can't change Global variable with API
Replies: 19
Views: 4993

Re: Can't change Global variable with API

What about
/set
=name=status
=value=1465304159
(assuming the variable already exists)

or
/global
=name=status
=value=1465304159
(if it doesn't)
by Deantwo
Wed Jun 29, 2016 8:20 am
Forum: Scripting
Topic: Script read variable after reboot
Replies: 3
Views: 1847

Re: Script read variable after reboot

You could save the counter in a comment somewhere.
by Deantwo
Wed Jun 29, 2016 7:40 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: how to make user bytes out statistics calculate with active user to limit user download

Can you make me Script. Can disable active port in dhcp-client ?
Suggest you make a new thread and give more details as to what you mean.
by Deantwo
Wed Jun 29, 2016 2:39 am
Forum: Scripting
Topic: Global variables and user permission Policy
Replies: 7
Views: 4080

Re: Global variables and user permission Policy

Script seems harmless and simple. One thing you could do is save the two variables as a static DNS entry instead. Simply make the first oct 127, "bandwidthsource" as the comment and "switchseconds" as the last oct, then save it as "whatever.localhost". I'll give a code ...
by Deantwo
Tue Jun 28, 2016 4:18 pm
Forum: Scripting
Topic: Global variables and user permission Policy
Replies: 7
Views: 4080

Re: Global variables and user permission Policy

It would be useful to know which version of RouterOS you are using. What part of your script is it that fails? Scripts, global variables and schedulers all have an "owner". This owner is commonly set to the user that created the object, or the last user that edited the object. In older ver...
by Deantwo
Tue Jun 28, 2016 3:56 pm
Forum: Scripting
Topic: Script runs on terminal but not from Scheduler
Replies: 4
Views: 1719

Re: Script runs on terminal but not from Scheduler

The "numbers" parameter is used to specify which routing entry to alter, and it actually works. Wrong. It only works if print command has previously been issued in the same console session (and in the same context), and is expected to fail otherwise. The print command [temporarily] assign...
by Deantwo
Tue Jun 28, 2016 3:17 pm
Forum: Scripting
Topic: Script runs on terminal but not from Scheduler
Replies: 4
Views: 1719

Re: Script runs on terminal but not from Scheduler

The "numbers" parameter is used to specify which routing entry to alter, and it actually works. The problem is that the route that has the ID number 2 may change. If what you want to change is always the default gateway, I suggest doing this instead: :if ([:ping 8.8.8.8 interface=ether1-...
by Deantwo
Tue Jun 28, 2016 10:08 am
Forum: Scripting
Topic: failover script
Replies: 4
Views: 2394

Re: failover script

Yeah, it seems that the find statement returned non-static route entries. Why would "[/ip route find static]" return non-static route entries? Try replacing all "static" with "!dynamic" and it may work. Like this: # ------------------- header ------------------- # Scrip...
by Deantwo
Mon Jun 27, 2016 8:05 am
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: RE: Re: how to make user bytes out statistics calculate with active user

I can make a script for you to change his profile to slower one after kicking him out what u want can be done but it is not easy .. Dears Please i want trying this script When the users have 2 giga(example) the script change it to another slow profile The above two scripts I posted do this. Here: h...
by Deantwo
Thu Jun 23, 2016 4:14 pm
Forum: Scripting
Topic: Start via script
Replies: 2
Views: 1223

Re: Start via script

after reset? ... asks if I want to accept the factory setting, this prevents running script? If the router has been factory reset, then there is nothing on the router. Files are however not deleted. You can make the router import a script file after resetting the configuration. Similar to the "...
by Deantwo
Thu Jun 23, 2016 3:54 pm
Forum: General
Topic: IPsec Dead Peer Detection Best Practice
Replies: 7
Views: 13124

Re: IPsec Dead Peer Detection Best Practice

What model of central router you use?
Not sure how that is important to know for a question about best practice.
But sure, central router is:
  • RB1100AHx2
The satellite routers mainly consist of:
  • RB750
  • RB2011iL
by Deantwo
Mon Jun 13, 2016 5:06 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: how to make user bytes out statistics calculate with active user to limit user download

Ok, with all that nonsense settled. Try this AYcoo: # Checks if limited users has reached the limit, if they have then set them to be limited slow state. # Run this script every few minutes. /ip hotspot user { # Variables:     :local limitedProfile "Limited"     :local limitedSlowProfile &...
by Deantwo
Mon Jun 13, 2016 5:03 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: how to make user bytes out statistics calculate with active user to limit user download

Maybe try not to use variables with the same name as internal properties and variables. Yeah, that is my guess. I have just never had an issue with this before. No clue why it is acting this weird about it either. An error message would be lovely in this case, "cannot use reserved variable nam...
by Deantwo
Mon Jun 13, 2016 4:52 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: how to make user bytes out statistics calculate with active user to limit user download

Tested code from the last post on v6.34.5. Works as it should. I am testing on v6.35, but having weird result from the foreach while the loop variable is named "user". If I change the name of the variable to "t" it works as expected. Can you try this: I have two users "user...
by Deantwo
Mon Jun 13, 2016 4:14 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: how to make user bytes out statistics calculate with active user to limit user download

[localhost] /ip hotspot user> # Variables: [localhost] /ip hotspot user> :global limitedProfile "Limited" [localhost] /ip hotspot user> # Code: [localhost] /ip hotspot user> /ip hotspot user { {...     :local userList [find profile=$limitedProfile] {...     :foreach user in=$userList do={...
by Deantwo
Mon Jun 13, 2016 3:52 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: how to make user bytes out statistics calculate with active user

i have two routers i tested it in both , can any one try this maybe he will get difference result  Can you try running this and giving me the result if it fails? # Variables: :global limitedProfile "Limited" # Code: /ip hotspot user {    :local userList [find profile=$limitedProfile]    :...
by Deantwo
Mon Jun 13, 2016 3:15 pm
Forum: Scripting
Topic: hotspot & queues user speed limit after x download scripts
Replies: 44
Views: 11978

Re: how to make user bytes out statistics calculate with active user

What I don't know is whether the "hotspot active user" byte values are for that one session or a total for that user. For example, if a user logs in, downloads 5 bytes, then logs out and logs in again and then downloads another 7 bytes, what will each counter say? My guess is that the "hotsp...