MikroTik

tomasi

Hi, Is it possible to export a device list from SSH including the hostname and its IP address? I'm planning to use netmiko to extract a list of device from certain type + status and use the filtered list to apply commands via python on that specific list. example: /dude device export-list where devi...

tomasi

Hi, I have a netmiko script that collects the configuration of a lot of Mikrotik devices via SSH (more than 300 devices) It runs 'export' command and saves the output to a file for each device I noticed the 'export' command is being interrupted on 6.49 version (6.47 and 6.48 are ok) Attachments show...

tomasi

Hi, Is it possible to create Dude Tools based on User Privilege? Example: Full Group = has access to all Dude Tools Write Group = has access to all Dude Tools that have their group associated Read Group = has access to all Dude Tools that have their group associated That would be useful to give, for...

tomasi

Thank you! I checked the link you provided and it worked: /ip firewall nat add action=dst-nat chain=dstnat comment=".3 access" dst-address=200.N.N.1 dst-port=7000 \ protocol=tcp to-addresses=192.168.1.3 to-ports=8080 add action=src-nat chain=srcnat comment=".3 access" dst-address...

tomasi

Hi, Is it possible to configure dst-nat rule to access a remote device that doesn't have a gateway configured? The image has details about the intended scenario: image_2021-09-27_111104.png I would like to access 192.168.1.3 device (that is behind NAT of 192.168.1.1), but it doesn't have a gateway (...

tomasi

This way I'll need to install another RB just to generate the IPv4 prefix in AS 300

image_2021-06-16_162838.png

tomasi

Hi, I'm trying to change AS-path inside our AS for an specific IPv4 BGP annoucement: 138.N.N.0/24 image_2021-06-16_123611.png PE 7 send route to PE 10 with option Set BGP Prepend Path configured to add AS 300 before our main AS (AS 700 configured in Instance and iBGP peers) 2021-06-16 12_32_19.png T...

tomasi

Hi,

Today I noticed this bug is still not fixed in version 6.45.9

Even though Redistribute Default Route = if installed (as type 1) was configured, BGP default route was not redistributed to adjacent routers (OSPF).

I needed to create a static Default Route to make it work.

tomasi

Hi, I searched about this subject matter in the forum but didn't find an answer. I need to create a firewall rule to monitor PPS traffic from/to customers If a customer exceeds some number of PPS (maybe 50.000 pps), add the /32 IP address to an address-list for some time This way I can block it for ...

tomasi

Hi, I would like to send those logs generated by Dude (device up | device down) to a remote log server (Graylog Server) I already have RouterOS logs being sent to remote log server. How do I can send Dude's logs to RouterOS hosting the Dude Server? This way RouterOS will forward logs received from D...

tomasi

That's the idea: Dedicate one or more Telegram Bot to send notifications related only to High Priority Devices (as you said, Windows and Linux Servers as an example) My issue is that I didn't find way to assign a custom notification (Telegram Bot) to a group instead of device by device I would like ...

tomasi

Hi, Is it possible to generate notifications by Device Type? Example: enable Telegram notification only in Windows Computers group or DNS Servers group? I searched in the wiki, in the forum and inside Dude options but didn't find how to accomplish that. Telegram integration is working perfectly, but...

tomasi

Thanks for all those hints But I'm looking for something at RADIUS level to control this The radius debug from RouterOS shows me it uses these attributes to check a hostpot user authorization against RADIUS: sending Access-Request with id 173 to 172.16.40.40:1812 Signature = 0xbb737bf6ac8c0fbb0da6b9...

tomasi

Hi, I've created a freeRADIUS + MySQL + daloRADIUS server and it's working great for login and hotspot services. My problem is: hotspot users can access winbox with read permissions Which attributes can I use to control/restrict hotspot users to login only in hotspot service? Which attributes can I ...

tomasi

Thank you!

I'll try this method to keep FIB table and LFIB table sync'ed

tomasi

If you don't insist on it being an official feature, you can "fix" your WinBox executable. Fire up your favourite hex editor, search for bytes 63200000 and replace them with c9150000. In current version (3.27) it's there only once in both 32 and 64 bit variants, so you can't go wrong. Gre...

tomasi

We have not had this problem in 3 years since: Matching LDP times to OSPF Replacing MikroTik route reflectors with VyOS (FRR) VyOS uses FRR and can now also do MPLS, it reflects defaults and I submitted patches to get route filter feature parity in VyOS (set distance, set preferred source, match on...

tomasi

That's the point If you type 10.0.0.1, winbox will try to connect to default 8291 port, you don't need to type 10.0.0.1:8291 If you change default port on every Mikrotik in your network, you need to type IP address + new port every time 10.0.0.1:5577 The idea was to set in winbox the default port it...

tomasi

Hi, Is it possible to add to winbox a way to define the default port to connect to? Example: As a security option, I chose to change all my Mikrotik devices to listen to winbox/dude on port 5577 Every time I need to connect to them, I need to write the IP address plus :5577 port on Connect To field ...

tomasi

I tried several formats of route field, but none worked The way I found was the old (but gold) bat script: echo # show interfaces index, L2TP is index 54 netsh interface ipv4 show interfaces # delete old static routes route delete 10.0.0.0 mask 255.0.0.0 route delete 172.16.0.0 mask 255.240.0.0 # ad...

tomasi

Hi, I'm trying to send multiples routes (10.0.0.0/8 network and 172.16.0.0/12 network) to my L2TP client (Windows 7), but I'm only getting the 10.0.0.0/8 network being installed in Windows routing table > ppp secret print detail Flags: X - disabled 0 name="tomasi" service=l2tp caller-id=&q...

tomasi

Please add capability to clear old data or set maximum age of log/outage information

Example: when I need to see outages of a host, it get slow to search all outages

tomasi

Hi,

Any news about 6PE implementation on Mikrotik?

Is this resource present in roadmap?

It seems RouterOS is recognizing IPv4-mapped, but still doesn't resolve it as next-hop:

HbQ1wv.png

tomasi

It seems disabling neighbor discovery solves the false positive alerts (that were generated exactly every 1 min):

[adm@SW2-DIS-01] > ip neighbor discovery-settings print 
  discover-interface-list: none
[adm@SW2-DIS-01] >

tomasi

Hi, I have the following scenario: [RB2011] === [RB911] - - - - - - - - [RB911] === [RB850] RB911 are in bridge + station-bridge mode (MTU = 1600) and a OSPF adjacency configured between RB2011 and RB850 (a /30 IPv4 prefix). - - - The OSPF adjacency was working perfectly till this evening in point-t...

tomasi

Hi, This week we had another failure similar to this: When there is a fault in L2 path, RB converges OSPF correctly to the new best path. But MPLS still tries the earlier interface, causing traffic loops. The solution: disable MPLS LDP and re-enable it When fault is corrected in L2 path, RB again co...

tomasi

Thank you, Anumrak

tomasi

Hi, We have a BNG cluster in our datacenter like this: https://i.imgsafe.org/05/05227650ee.png I noticed some BNG are accepting customers authentication and leasing 0.0.0.0 IP address, while other BNG has available IP address to lease. Is there a way to BNG deny PPPoE authentication when pool is emp...

tomasi

Same issue here: PPPoE servers work for some days and, suddenly, they stop to authenticate PPPoE users, giving radius timeout error user customerabc authentication failed - radius timeout After reboot RB, PPPoE clients authenticate again I saw this issue on CCR (tile) and RB450 (mipsbe) models. I'll...

tomasi

Sometimes, OSPF converges to correct gateway, MPLS LDP stucks on wrong gateway (do not follow OSPF convergence):

tomasi

Hi, I'm trying to figure out what is happening in the following scenario: The router has OSPF route to PE 10.0.0.189 loopback via correct gateway The router has MPLS labels to PE 10.0.0.189 loopback via correct gateway But... traceroute doesn't find the gateway to send the packet labeled. https://i....

tomasi

Hi,

Is there a chance to add to Dude a way to snap items to a grid?

It would be useful to organize maps and keep the layout better.

tomasi

Hi,

I know it was dangerous a key to disable interfaces. But is there a chance to add to winbox a shortcut do edit comments, like F2 key?

It would be very convenient to have some keyboard shortcuts to these non critical operations.

tomasi

Hi, I would like help to solve a problem using the transceiver pair S-35LC20D | S-53LC20D. Optical signals are excellent, but RB2011 insists to use 10Mbps modulation: https://i.imgsafe.org/e5/e5b4f8bed4.png https://i.imgsafe.org/e5/e5b6c4d085.png Is there a hint/suggestion to solve this problem? Tha...

tomasi

Yesterday we replaced a Basebox 5 (RB912UAG-5HPnD-OUT) that wasn't booting RouterOS. Today, I've applied Netinstall on it, and RouterOS booted again (6.40.8 version), but showing bad-blocks: 1.5% . [admin@MikroTik] > sys resou pr uptime: 8m4s version: 6.40.8 (bugfix) build-time: Apr/23/2018 11:34:28...

tomasi

Hi, Today we needed to recover a POP that was using RB912. We have replaced the damaged RB912 with a 911G-5HPacD The .rsc didn't work. The RB didn't accept a 10MHz bandwidth configuration :? Is this a hardware limitation? a bug of wireless package? Frequency box only shows "auto" in the dr...

tomasi

It doesn't allow smaller limits

Active Flow Timeout must be greater than 00:00:59

tomasi

Maybe it was corrected in the new versions (that of image is 6.40.8 ).

RouterOS just accepted, no complained about the 00:00:01 value

tomasi

Hi, I noticed a host inside network 172.16.16.0/24 (172.16.16.254) wasn't replying to Dude Server. After do a traceroute from Dude Server to 172.16.16.254, a loop was detected: tool traceroute address=172.16.16.254 # ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS 1 179.125.47.225 0% 1 1.3ms 1....

tomasi

Excellent, Inactive Flow Timeout = 00:00:01 showed smoother graphs:

Thanks!

tomasi

Hi, Which is the best current configuration to the Mikrotik integration with FastNetMon? I'm using those: * Cache entries = 128k * Active Flow Timeout = 00:01:00 * Inactive Flow Timeout = 00:01:00 Netflow version = 9 Template refresh = 30 Template timeout = 30 FastNetMon is receiving data correctly,...

tomasi

Same bug here:

Queue over ether3 only controls upload:

tomasi

Yes, that is the idea

The SmartTV doesn't allow to run the dude client (.exe).

This way we'll able to view the main map in a web browser to monitor the network while do other tasks.

tomasi

Hi, Is there an option to view network maps on a web browser? We bought some TVs to view some dashboards (Zabbix / PRTG / Management Software / etc.). They only work with web browsers, do not allow to download app (like remote desktop feature). The only way we found to view dude on one of these TVs ...

tomasi

Hi, I noticed my Dude instance doesn't show traffic above ~500 Mbps. (it should be ~950 Mbps at those valleys) It's very strange, because Zabbix also collects information of that router in the same manner (SNMP v1) and doesn't show this gaps. Is there a fine tune in Dude to fix this issue? https://i...

tomasi

Right, I found the answer in this wiki: https://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment Where he says: Interfaces eth3,eth4 are trunk ports and and only need to forward tagged packets. We do not need to do any tag add/remove so there is no need to add vlans. https://i.imgsafe.org/50/501...

tomasi

Right, but in this scenario RB2011 will not tag or untag VLAN. The aim is to configure RB2011 only to transport tagged VLAN from PPPoE Server > AP and vice-versa without modifying them. It seems the only way is to create a bridge and add all ports to it (or use a VLAN capable switch with all ports i...

tomasi

Hi, I've searched in the forum about this topic, but didn't find a solution. Is it possible to make all RB2011 ports as VLAN trunk? The idea is to transport any VLAN (already tagged) from AP to PPPoE Server, keeping redundancy of link between all RB2011 in the tower. This way we can set each AP to a...

tomasi

Hi,

Is there a script to automate the client association to the wlan, removing those who have low modulation at each n seconds?

tomasi

Hi, I have some questions about bridging and I would like help to find the answers: I've made a diagram to give details about the scenario: https://i.imgsafe.org/c0/c0e0302974.png My questions are: 1 - Do the bridge will untag the frame ingressing before forward it to the VPLS tunnel? 2 - Do I need ...

tomasi

Thank you! This tool helps a lot :) The only problem I see is: the tool doesn't have a delay parameter to avoid congestion of alerts. I've tried to generate a warning log every time interface traffic crosses thresholds (above 960M or below 1M). The logs were generated correctly, but my Slack channel...

tomasi

Thank you!

The idea is like this diagram:

This way, even if the clouds suffer instability, dude server will not send false positive alerts.

tomasi

Hi,

Is it possible to generate alerts based on throughput thresholds?

e.g.: my upstream providers give us 1 Gbps each one.
I want to receive alerts when traffic is too high or low.

tomasi

Hi,

Is there a way to install a remote collector or proxy to get the data from far devices.

We get a lot of false positive in our infrastructure. This way it could facilitate and turn more reliable the monitoring process.

tomasi

Excellent! To make it better: # When up to down | unstable to down /tool fetch mode=https url="https://hooks.slack.com/services/TEEEEEEEE/BEEEEEEEE/EEEEEEEEEEEEEEEEEEEEEEEE" http-method=post http-data="payload={\"attachments\": [ { \"title\": \"Dude Notificati...

tomasi

Jarda, you're right The tool to change all passwords is ready: I have a .bat script that calls PLINK.exe and PSCP.exe, log in all routers and apply the command to change password. The problem is: after change all full access password in all routers, I need to change the login credentials of each ite...

tomasi

I'm using the absolute path here:

C:\Tools\winbox.exe "[Device.FirstAddress]" "[Device.UserName]" "[Device.Password]"

it's working perfectly.

tomasi

Hi, Is it possible to add a feature to manage a password profile? Then we could assign this profile, instead of set an individual password to each item. Yesterday, I changed our full access password in all routers of our network via script. Today, I'm facing difficult to access the items via right c...

tomasi

Hi,

I've updated our servers from 6.38.5 to 6.39.1

Now I'm noticing a strange behaviour:

Some items go down, when they came up the map stills shows them down.

Example of one item:

tomasi

It seems that is working now. I added R5, R6 and R7 again. I've changed all seven routers of lab to MPLS MTU = 1522. Now winbox is loading, before creating TE tunnels. And traffic is going through the TE tunnels, after create them in R1 and R4. I don't know why it didn't work with 1508 bytes of MPLS...

tomasi

Thank you,

Now it's working:

tomasi

Hi,

I'm not getting a value to wireless modulation in version 6.38.5 (BaseBox 5). The value for the tx-rate and rx-rate OID are 0, even the radio is operational at MCS 11 (120mbps/120mbps).

Suggestions?

tomasi

The issue was fixed, adding a minus sign before the chat ID: before: https://api.telegram.org/bot123456789:AAQFb1byb3LEwMes_TQeCM1k5wsFb_VguhG/sendMessage\?chat_id=123456789&text=Hello after: https://api.telegram.org/bot123456789:AAQFb1byb3LEwMes_TQeCM1k5wsFb_VguhG/sendMessage\?chat_id=-12345678...

tomasi

I've changed all routers to RB2011. I've tried MPLS MTU = 1598 in all routers I've removed R5, R6 and R7 from scenario, but the issue still persists: R3 and R4 show blank boxes inside winbox. Is this a normal behavior from a PC connected in a interface that doesn't speak MPLS? Which is the correct w...

tomasi

I suggest you try the "IP Bindings" menu.

There you can bypass some IP from the hotspot to avoid blocking communication.

tomasi

Updating: I've done the following steps in all the RB493AH: * updated to 6.38.5; * resetted to default, with no-default=yes; * reconfigured OSPF with loopbacks; * enabled MPLS (LDP-settings = enabled | interfaces ether2 and ether3 added to LDP interfaces). But... still same issue: R1, R2 and R5 are ...

tomasi

At the moment, I only have OSPF and MPLS enabled. From the notebook, winbox have full access to R1, R2 and R5. Routers R3, R4, R6 and R7 reply ping perfectly, but show blank boxes inside Winbox. Which MPLS MTU do you suggest to use? I'll try to upgrade to 6.38.5, like Thierry said, to try solve this...

tomasi

Hi, I'm trying to deploy MPLS in a lab to study VPLS and TE Tunnels. This is my scenario (R1 to R7 are RB493AH): https://i.imgsafe.org/2bcd81441b.png My notebook is connected to R1, and the server to R4. All routers are in 6.37.5 version. Also, all of them have loopback configured (10.0.0.1 to 10.0....

tomasi

Hi, I've tested the hyperlink, that it's inside the fetch command: https://api.telegram.org/bot123456789:AAQFb1byb3LEwMes_TQeCM1k5wsFb_VguhG/sendMessage\?chat_id=123456789&text=Hello But It doesn't even send the Hello message to the group the bot is participating. The webpage says: "{"...

tomasi

Hi, Is it possible to add a feature to allow customers access only their respective submap? It would be usefull to allow them monitor the backbone they are attached to, but that is unavailable outside the WISP AS (OSPF running private IP). This way, we could offer them access to only a submap that h...

tomasi

Hi, How do we do to give read-only access to Tools > Winbox (when right click any device) to dude read users? The aim is to give full winbox access to full dude users and read-only winbox access to dude read users in the same item. :lol: https://i.imgsafe.org/7a9a796f21.png Even the users have read ...

tomasi

I suggest you try to move it through FTP (Filezilla or WinSCP)

Otherwise, we'll have to learn how to change permissions in those folders via terminal.

tomasi

Hi,

This morning I've tried to generate a PDF from the history of a Groove link (Export > pdf).

But, when the PDF was generated, it only showed a blank square

Any hints about this issue?

Thanks!

tomasi

I suggest an option in the parent map to show (or not) the status about the child maps.

tomasi

Hi, I've tried to create a new submap today (in version 6.38). The submap is created, it's listed in Networks Maps , but... it doesn't appear in the map I've created it. After enter it through Network Maps list, I noticed the new submap doesn't have that button to return to main map Any suggestion a...

tomasi

Thank you, PaulsMT I was doing it wrong: creating the Winbox item via Dude > Tools menu inside winbox of x86 server. Now I found the Tools menu in the Dude Windows Client. I followed your instruction and it worked perfectly. Now it keeps the parameters: Type: execute Name: winbox Command: C:\Tools\w...

tomasi

Excellent!

It worked.

Thank you

tomasi

Hi, Here still doesn't work I've created the Winbox link in 6.38 inside Dude > Tools menu pointing the link to C:\Tools\winbox.exe [Device.FirstAddress][Device.UserName] [Device.Password] , but it shows "unknown" status http://i.imgsafe.org/77398a47b4.png This way, in the map, when I right...

tomasi

Hi, Yesterday I've updated my Dude Server to 6.38 (and the windows client too, obvious). When I logged in with a Full User - the map shows icons and fonts correctly. When I logged in with a Read User - the map loads (a good news), but the icons (SVG) and fonts are not loaded. Am I doing something wr...

tomasi

Hi, I've installed a x86 VM on Hyper-V specially to host Dude Server 6.37.3. After install, configure and put level 4 license, I've imported my backup from 4.0beta3. It imported correctly, including imported my customized images (.svg) The problem is: * I only can log in with an user that has Full p...

tomasi

Is there any chance of a Zabbix agent .npk listening on port 10050?

tomasi

Hi, Continuing this discussion... How can we monitor CPU usage in Zabbix? I've tried to create 2 items in Zabbix in RB850Gx2 template: [user@rb850gx2] > sys resource cpu pri oid 0 load=.1.3.6.1.2.1.25.3.3.1.2.1 1 load=.1.3.6.1.2.1.25.3.3.1.2.2 Then I've created a graph to show both of them, but the ...

tomasi

I don't know why, but now they are working.

I simply have inverted the RB2011(s)
RB2011 01 (v6.34.4) ----> <---- RB 2011 02 (6.23)

Maybe the version, or simply because I rebooted everything.

tomasi

Hi, I've made a test in my office today: The topology was this way: [RB2011 01 - eth4 Gigabit] --- [Mimosa B5C AP] ~~~~~~~~~~~~~~~~~~ [Mimosa B5C Station] --- [RB2011 02 - eth5 Gigabit] --- copper link - cat5e ~~~ wireless link RB2011 01 ==== 172.16.200.169/29 B5C AP ====== 172.16.200.170/29 B5C Sta...

tomasi

It worked!

1. I plugged my ethernet cable in eth1
2. I waited it to power on
3. I pressed the res/wds button about 1min
4. It appeared in netinstall 6.36
5. Then I installed routeros-smips in it.

tomasi

Hi,

I'm trying to access it via ethernet cable.
The wireless is down, my notebook do not find it.

It seems the RB has dead, Winbox do not find it.

Thanks.

tomasi

+1

tomasi

Hi, I tried to update an hAP to 6.36. After it rebooted, it did not appear again in winbox. How do I recover it? Which steps do I need to do to inject npk packet in it via Netinstall? I tried a lot of procedures: * hold res/wps for 30 seconds while it is powered on; * hold res/wps before the hAP pow...

tomasi

Thank you for your reply. It seems the following script has worked to search logging rules and IF no rules THEN add them to the system: :D :global name; :set name [/system identity get name]; system logging action set remote remote=ip.ip.ip.ip remote-port=514 :if ([:len [system logging find topics~&...

tomasi

Hi, I'm using batch commands to send a script to all my routers via SSH (with Plink and PSCP). Plink executes a script inside script.something file. I noticed that /system backup save name=$filename; and /export file=$rsc; overwrite the files already existing and create updated files every time I ru...

tomasi

Hi, I have some doubts about the configurations in system > logging. My remote log server (Rsyslog + Loganalyzer on CentOS 6.7) is running ok and receiving all logs correctly. 1 . If I set topic=warning to remote server, will the Mikrotik send error and critical too? (because warning(4) is less seve...

tomasi

Hi,

How do we can increase the severity of interface log.

I mean > in our edge router, we receive link from 2 AS. I want to log interface up/down to my remote server with critical severity.

Is this possible?

Thanks.

tomasi

I've changed a bit your example ( all local to global ). Now the BACKUP and RSC were sucessfully created. Can I have problems using global instead of local? :log info "STARTING BACKUP"; :global filename; :global date [/system clock get date]; :global time [/system clock get time]; :global ...

tomasi

Thank you for your reply

I tested the new script in my RB2011 6.34.4, but it gave me some errors. Another issue was it did not generate the RSC.

Some idea about this?

tomasi

Hi, I tried to execute the following script to get a backup and .rsc file (with name + date + time ) but it gave me errors: :log info "STARTING BACKUP" :global backupfile ([/system identity get name] . "-" . [/system clock get date] . "-" . [/system clock get time]) /...

tomasi

Hi, I need help to recovery my RB493G It didn't boot anymore. I've tried a lot of versions of Netinstall (with the exact .npk version), anyone worked. The serial cable is ok, PuTTY is showing all messages correctly. This is the error: "Formatting disk... ERROR: could not format partitions Pres...

tomasi

It seems these steps worked for me: 1. Open PuTTy Key Generator; 2. Select SSH-2 RSA 2048 bits; 3. Click "Generate"; 4. Move mouse pointer a lot inside blank area to create strong crypto; 5. Right-click "ssh-rsa AAAA...", click on "Select All", copy and paste in Notepad...

tomasi

Hi, I need to redistribute to backbone some static routes from a OSPF router inside a totally stub area. (to route extra prefixes to some clients that do not are in my OSPF scenario) I've tried to apply the following option in this specific router: routing > ospf > instances > default > redistribute...

tomasi

Hi, I have a CCR1016-12G working as a PPPoE Server. Some customers are claiming that do not have access to Internet. Then I made the following test: * ping-ed the IP of my customer and tried to access his router; the ping was successful, but the customer router did not reply; * I let the cmd ping-in...

Search found 99 matches