MikroTik

eworm

BTW, is this log message related?

system;error;critical error while running customized default configuration script: no such item

eworm

Several of my devices show this as well.
With reset you reference

/system reset-configuration

?
Will this be fixed in a future version without reset?

eworm

I do not see anything wrong with that call. Perhaps it's a race condition because resolving is not yet available? You can try to catch runtime error: :local ipddns; :do { :set ipddns [:resolve $ddnsbase]; } on-error={ :log warning "Resolving failed."; } Or try to wait... :local ipddns ""; :while ($i...

eworm

That's awesome! What a snug fit. Does the PD source always rise to 20V? I don't own a wAP... yet, but this definitely makes me want one. You can configure the voltage (or voltage range with preference) your PD buddy delivers. It also depends on your power source, some do not support 20V... The PD b...

eworm

Set the Mikrotik to use a DNS other than piehole... Like 8.8.8.8, 1.1.1.1. Then in your DHCP server... Set the DNS value under network to be piehole, Mikrotik. If piehole doesn't work... The client will ask the Mikrotik. That does not work. The client will use piehole and Mikrotik simultaneously.

eworm

I guess that would result in a lot of locked devices. So bad idea.
Unless your first rule is to allow administrative access you would no longer be able to log in to your device.

eworm

RouterOS can import keys in PEM format only. Convert the key and you are fine.

eworm

The firewall has a lot of attributes to filter on:

/ip firewall filter add protocol=tcp connection-state=new ...

eworm

I use a power bank with USB-C power delivery output. Combine that with a PD Buddy Sink and you are done.

The PD Buddy Sink even fits into a wAP (LTE) case - resulting in a powerful mobile access point.

photo_2020-05-27_22-53-20.jpg

eworm

Setting attributes for static DNS records changes other attributes unintentionally: [admin@mt] /ip dns static> add forward-to=10.0.0.1 regexp="example.com" type=FWD [admin@mt] /ip dns static> set regexp="example\\.com\$" [ find where regexp="example.com" ] [admin@mt] /ip dns static> export [...] add...

eworm

I did fear the same, but looks like everything still works as expected.
Not sure what this change is supposed to do.

eworm

+1. I'd like to forward internal zones via VPN to an organization DNS and all the rest - to 1.1.1.1 via DoH

Exactly my use case.
Two great now features - would be frustrating to have to choose between them.

eworm

This is not supposed in 6.46.6. You have to use 6.47 for that feature.

eworm

eworm Currently DoH will be prioritized over all other DNS configuration. Not sure if this will change any time soon.

In general this makes sense. But I vote for an excepting with conditional forwarding of DNS queries.

eworm

On boot system logs:

system;error;critical error while running customized default configuration script: no such item

Is this expected? (If it is I would like to see the severity reduced. "error" and "critical" raise alerts here.)

eworm

This has... *) dns - added support for multiple type static entries; ... but is missing from 6.47beta60... *) dns - added support for forwarding DNS queries of static entries to specific server (CLI only); This can still be configured, but still does not work when DNS over HTTPS is enabled. I would ...

eworm

Interesting device...

Also nice to see that more devices are equipped with ARM 64bit CPUs (just like new CCR).

eworm

I do not, and here is why:
If you have complex code depending on relative paths it tends to break if you move fragments of code up or down.

eworm

IMHO it is very intuitive if you are used to it. Scripting is one of the reasons I do love RouterOS.

eworm

No setting, it will just work.

eworm

The command print is (mostly) for terminal output.

Does something like this work for you?

:foreach i in=[ /interface bridge host find ] do={ :put [ /interface bridge host get $i ]; }

BTW, why do you expect everything to be a bug?

eworm

You initialize the variable inside a block, thus it's not visible outside. But it's a global variable :-) Sure, it is. But even global variables are accessible only... ... when used directly from command line (without block!) or... ... when initialized properly. So when ever you want to access $gAr...

eworm

The RB750UPr2 does passive POE only, so your 802.3af devices will not receive power, even if the power supply matches your voltage requirements. I guess you have to go with one of these: https://mikrotik.com/product/crs112_8p_4s_in (requires additional power supply for 48V!) https://mikrotik.com/pro...

eworm

I guess you have to do some urlencoding for your sms message...

If you want a working solution have a look at this:
RouterOS Scripts - Forward received SMS
This requires the installation of global scripts on top, see main README.

eworm

Not sure I got this right, but looks like you have a nested url inside url? Try to urlencode the characters there, specifically replace '&' with '%26'.

eworm

You initialize the variable inside a block, thus it's not visible outside.

eworm

No progress, no reaction on ed25519 keys from Mikrotik.

eworm

Good question... Wondering myself.
Time for a new release anyway, the last one is three weeks old already.

eworm

Most of your packets go fast path, missing the IPSec tunnel. Make sure all your IPSec traffic does not go fast path.

eworm

I solved this with a backup script that sends notification via e-mail and/or Telegram message including the secret download key. Just look up your mailbox and you are fine.

You need the basic installation and this script:
routeros-scripts - Upload backup to Mikrotik cloud

eworm

I guess the build process for arm64 works, but the release process has been enabled just before recent long term release.
Be patient and wait for the next testing and stable releases, I think they will include arm64 builds.

eworm

I guess the release process had not been prepared. Expect version 6.46.7 to have arm64 build...

eworm

There is information when the DoH function will go from beta to release?

When version 6.47 is released to stable channel. There's no date for that, though.

eworm

I guess the device's CPU is the limiting factor here.

eworm

You can't do that. You have either local wireless configuration or device is connected to capsman. Both is not possible, at least not with a single band device.
You could use wAP ac (or similar dual band device), connect 2.4GHz to hotel wifi und use 5GHz for your SSID via capsman.

eworm

Internal builds with wireguard support are rumored to exist.
Search the v7 section for details.

eworm

Do you have more information about that Annapurna AL32400? E.g. how many cores?

It has four cores. See here for details of CCR2004:
https://mikrotik.com/product/ccr2004_1g_12s_2xs

eworm

Why you don't fix OSPF ?

Possibly because they could not reproduce. Did you open a support ticket?

eworm

Sure, just configure it properly:

/ip dns set verify-doh-cert=yes

eworm

Im currently testing DoH on my HAP Lite, which is working great. But I have few questions. I got some Dynamic NS Servers supplied by my ISP and thus they are automatically added to Mikrotik DNS server list (read-only). I also put some static NS records (e.g dns.cloudflare 1.1.1.1) as Static list. S...

eworm

The scheduler is perfectly reliable in my experience. Note that a script (and thus scheduler) is stopped on first error, though. Possibly your scripts terminate with error?

eworm

This is available now in RouterOS 6.47beta60!

eworm

That is a chicken and egg problem. Neither chicken nor egg is involved. Let's assume I add something like this: /ip dns static add forward-to=10.0.0.1 regexp="(.*\\.)\?example\\.com" type=FWD This will make all requests for example.com and its subdomains go to nameserver 10.0.0.1 . Works find, but ...

eworm

Version 6.47beta60 has reset my settings for mode button.

eworm

Yes! Mikrotik, you made my day!

One thing, though: Looks like DNS forwarding does not work if DoH configuration is active. I think the forwarding should have priority over DoH.

eworm

I think a CCR1009 should be capable of doing this... Are you really using packet marking? Why not mark connection?

Have a look a profiling to see what process uses the cpu most:

/tool profile

eworm

Works for me... Checked on two CAPsMAN devices (CCR & RB3011) with 6.46.5.

eworm

Sounds like you want a routing protocol. Ever thought about ospf or similar?

eworm

Yes, that's true in general and for Cloudflare. But google does not allow to use https://8.8.8.8/dns-query directly. It sends a redirect in HTTP header to https://dns.google/dns-query. Well, checking again... It does send a redirect, but the dns response is contained as well... % curl -I 'https://8....

eworm

For me it works. Do you have IPv6 disabled (or not installed at all)?

eworm

Yes, I know that. I have configured NTP on all my devices. Still I have a script that requires the time to be "about right" at least (so cloud is fine) - and this script should work on as many devices as possible with whatever configuration. I would still appreciate to have detailed information on t...

eworm

Hello everybody, with Mikrotik's cloud service it's possible to disable dynamic dns update, but enable time update: /ip cloud set ddns-enabled=no update-time=yes Not sure if this is a valid configuration, so: Does the device update the time if dynamic dns is disabled? Can I check if time has been up...

eworm

The file you linked includes the certificates required for google services, no?
So my commands were intended on top of yours.

I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?

eworm

Uh, google does a redirect there... So use this:

/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

eworm

Do the same, but with different url: https://8.8.8.8/dns-query

eworm

Anyone know how to do arithmetic with ipv6?

e.g. :put (fe80::0 + = fe80::8

Rich

Does it help in your use case if you use bitwise operator?

[admin@MikroTik] > :put (fe80::0 | ::8) 
fe80::8

eworm

You should get an idea about the ssh protocol in general and host keys specifically.
https://www.ssh.com/ssh/host-key

In "/ip ssh" you can export, import and regenerate host keys.

eworm

So why don't you use ssh to access routers? mactelnet has one single function which ssh doesn't: connectivity over MAC, which comes handy when IP setup gets south. But hopefully that's not very often and I (being a linux/console nerd myself) resort to using winbox in such case (runs under linux / w...

eworm

A "refused to connect" is unrelated to the certificate. Make sure the service is enabled and the firewall does not block it. I think "Webfig" is short for "Webconfig", no? The https certificate is used to authenticate the host, a valid certificate is verified by trust chain to root CAs in your brows...

eworm

It is maintained, but not all details about authentication are available. Read this for details:
https://github.com/haakonnessjoen/MAC-Telnet/issues/42

eworm

No, but you can add an additional system note.
https://wiki.mikrotik.com/wiki/Manual:System/Note

eworm

Configuration in /certificate and /user is (partly) skipped.

eworm

My first guess was the trust chain is not complete, but looks like your made sure this is ok. Perhaps Android wants to access the CRL url? Try adding that to your hotspot (replacing with correct hotspot server name): /ip hotspot walled-garden ip add action=accept disabled=no dst-address=ocsp.int-x3....

eworm

Looks like v016 has been withdrawn... No idea if this was the reason.

Mikrotik, any info on that?
Wondering if my devices (successfully) running v016 are at risk in whatever way.

eworm

I got confused a bit please elaborate to me.. If I set the RouterOS to act as DoH client to a server (Google/Cloudflare), how do they know the first time to address of google/cloudflare without first querying via regular DNS server? Two ways to solve this: configure a regular DNS server use an url ...

eworm

*) certificate - added "skid" and "akid" values for detailed print;

This looks like SHA1 key ids. Can you give more details?

skid = signing key id?

eworm

Let me clarify some things. There is a project WIFI4EU that demands a specific image to be dynamically displayed on the captive portal the snippet code is the following: <img id="wifi4eulogo" class="identity-image" src="https://collection.wifi4eu.ec.europa.eu/media/logo/Wifi4EU-EL.svg"> Unfortunate...

eworm

Then it's indeed unexpected behavior. Probably nobody here can help any further, contact support if this bothers you.

eworm

Well, ok... Did not try to guess the correct name. Just "remote-id" is not available.

You can get that info from $"lease-options". With ($"lease-options"->"82") you get both infos from option 82, surrounded by some binary bits. Looks like you have to parse that yourself.

eworm

of course i'm pinging wireless client. from my laptop

And your laptop is connected to the same CAP wirelessly?

eworm

AFAIK this setting only handles wireless client to wireless client.
Your echo request comes from the wired side of CAP?

eworm

Have a look at Local Forwarding Mode and Manager Forwarding Mode.

Probably you want to control client-to-client forwarding on capsman?

eworm

This setting controls whether or not to tunnel traffic to the capsman device.
Any reason why a ping to a client should not succeed?

eworm

IMHO the DoH logs have too high severity. I've configured my devices to forward error logs via e-mail. Now I get... ... on boot, probably because I have ipsec peers with dns name in address: dns,error: DoH connection error: Network is unreachable ... and every now and then: dns,error: DoH connection...

eworm

I think Mikrotik does not even support dns peers pushed via openvpn, no?
Are you sure this is not just your dhcp client adding the dynamic servers?

eworm

At the moment I have a 30 line script to ensure only 1 DHCP lease can be active per Remote-ID at a time, the newest lease clears all other entries that have the same Remote-ID (potential issue if a client plugged a switch into their WAN connection instead of a router) but there's currently a bug in...

eworm

Nothing wrong, ed25519 is not supported.

eworm

That's the link I know:
https://help.mikrotik.com/servicedesk/customer/portal/1

eworm

When you import the cert int RouterOS you should have 3 entries.
DigiCert Global Root CA
DigiCert ECC Secure Server CA
cloudflare-dns.com

Last one is server certificate and not required in certificate store.

eworm

My test device was set up to use crl, but to not download crl:

/ certificate settings crl-download=no crl-use=yes

That results in flooding the log:

dns,error DoH connection error: SSL: handshake failed: unable to get certificate CRL (6)

eworm

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the the ip address into the certificate. yeah it's worked without Verify DoH Certificate :) and where can we get cloudflare certificate file to importing in router ? If you trust my repository get it here: https://git.eworm.de/cg...

eworm

As others are saying. The router does not know what dns.nextdns.io is. Add at least a single regular DNS server which will be used for DoH servers name resolving. Adding a static DNS entry should also suffice. Are DoH servers prioritized? When does it fall back to regular dns servers? Oh, and is it...

eworm

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the the ip address into the certificate.

Same for quad-nine:

https://9.9.9.9/dns-query (secured)
https://9.9.9.10/dns-query (unsecured)

eworm

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the the ip address into the certificate.

eworm

Enable DNS logs, it should provide all necessary information for troubleshooting. I tested the DoH implementation with various publicly available servers and could not find any issues. If there are any, please let us know. /system logging add topics=dns tested with public DoH server but nothing doh...

eworm

Try setting https://10.5.51.5 as the server.
thanks for reply now it's verified but could not resolve any dns name
How can it verify only by a IP address?

Certificates can have subject alternative name with ip address.

eworm

I use this for years now, but on a Mikrotik router device. Not 100% sure for AP's, do not have one to test with.

This is true for every device running RouterOS, except CHR without license.

eworm

HAP AC2 with 802.3af poe-input support (as cap ac does) And at least one pass-through poe-out port please. cAP ac? Almost the same hardware (well, without USB and with only 2 Ethernet ports), but with 802.3af/at and PoE pass-through. And has already been available for a while... We could define the...

eworm

No, it is not possible.
You need to use scripts for Telegram functionality.

eworm

HAP AC2 with 802.3af poe-input support (as cap ac does)

And at least one pass-through poe-out port please.

eworm

hi, possibility to create variables named from object on the routeur like : :varname [:caps-man remote-cap get $i serial] so i have a variable named BF090FS8938 (serial number of the router) /env print BF090FS8938={foo="bar"; foo; bar} You could put this into an array... [admin@mt] > :global Remote...

eworm

Works just fine for me... ... 12:03:25 ssh,debug agreed on: diffie-hellman-group-exchange-sha256 rsa-sha2-256 aes128-ctr aes128-ctr hmac-sha2-256 hmac-sha2-256 none none ... 12:03:26 ssh,debug pki algorithm: ssh-rsa 12:03:26 ssh,info publickey accepted for user: admin 12:03:26 system,info,account us...

eworm

I think it should have the following functionality in addition to what it can do now: - for static records, add the capability to install a CNAME, MX, TXT, NS or SRV record (in addition to the A and AAAA that it can do now). - allow to forward queries for a statically inserted domain to a specified...

eworm

Version 6.46.4 also fixes the issue with public key authentication. All fine now, thanks a lot!

eworm

You should post the relevant part of your configuration. Something like this could help:

/ip ipsec export hide-sensitive

The NordVPN CA certificate is installed? System time is set correctly?

eworm

Same here, can't use Royal TSX Secure Gateway with ssh keys anymore: This is fixed with 6.46.4 stable, so I guess it will be ok with next beta. I am on 6.46.4 stable. I came from 6.46.1. now i have the issue. I am on confused. With openssh and RouterOS 6.46.4 everything works fine, even if I disabl...

eworm

Same here, can't use Royal TSX Secure Gateway with ssh keys anymore:

This is fixed with 6.46.4 stable, so I guess it will be ok with next beta.

eworm

What ever you send to log in lease script is sent to offsite syslog as well (if configured in "/ system logging").
So why do you think this is required to be a native feature? IMHO this is an example where everything is fine due to extensibility by script.

eworm

You have to use square brackets ([ and ]), not parenthesis (( and )).
And the "put" is wrong, it's supposed to output to terminal. Just remove that (and the parenthesis).

eworm

You have the same address inside and outside the GRE tunnel?
Looks like your havoc originates there.

Anyway, this issue is resolved, please one a new topic with details on your topic.

eworm

Damn, I should have checked the forum before installing 6.47beta35. I can no longer login via ssh (key/password). :-( I cannot test winbox because it is disabled. But I assume it would fail too. The device is HAP AC2. What SSH client do you use? Try to disable host key algorithm rsa-sha2-256 for no...

eworm

*) dns - added support for exclusive dynamic DNS server usage from IPsec;
This is configurable now? Where to find this setting?

Found it!

/ ip ipsec mode-config set use-responder-dns=no [ find ... ]

This setting takes exclusively, no and yes.

Thanks a lot!

eworm

Version 6.47beta35 adds support for rsa-sha2-256. Public key authentication does not work, though.
Thanks anyway!

eworm

*) dns - added support for exclusive dynamic DNS server usage from IPsec;

This is configurable now? Where to find this setting?

eworm

*) ssh - added support for RSA keys with SHA256 hash (RFC8332); Ha, that was fast. Thanks! Will give it a try now. Looks like this breaks public key authentication. If I remove ssh-rsa from host key algorithms I am prompted for a password. Password login succeeds (if always-allow-password-login is ...

eworm

*) ssh - added support for RSA keys with SHA256 hash (RFC8332);

Ha, that was fast. Thanks!
Will give it a try now.

eworm

I guess that's because you have two wireless packages installed. Remove one and try again.

eworm

Just had a closer look. Would be nice to have ssh-ed25519, but it's not a requirement. Support for rsa-sha2-512 and/or rsa-sha2-256 (defined in RFC8332) would be sufficient. Just ssh-rsa (which uses SHA1) is deprecated here. Sadly RouterOS supports the latter one only.

eworm

Looks like you need to update RouterOS first.
Note that the firmware is no more than the boot code.

eworm

Hello everybody, version 8.2 of well known OpenSSH has been release: [openssh-unix-announce] Announce: OpenSSH 8.2 released The announcement comes with a deprecation notice for RSA host keys as used with RouterOS: Future deprecation notice ========================= It is now possible[1] to perform c...

eworm

*) dns - use only servers received from IKEv2 server when present; IMHO that's a bad change. I have an open wifi network for guests, client traffic is routed via IKEv2 provider. I do not necessarily trust this provider - I just want to hide my public IP address for unknown clients. Traffic from kno...

eworm

Do not follow that advise! You should never use numerical index in scripts.
Try something like:

/ip dhcp-server disable [ find where comment=.... ]

Change the find to your needs.

eworm

Possibly an issue with SSH host keys. Try regenerating them.

eworm

There is very little information in your question... Please be more verbose.
Anyway... Installed the root CA certificate?
https://wiki.mikrotik.com/wiki/IKEv2_EA ... he_root_CA

eworm

Sadly no, it's not possible.

eworm

This gives an overview of wireless logs:
https://wiki.mikrotik.com/wiki/Manual:W ... Debug_Logs

There is no "disconnected, disabling", though. Possibly the same like "disconnected, device disabled"?
Is there anything that disables or changes configuration for wireless interface?

eworm

We have good experience with HDMI fiber cables. These are available with length up to 100m.

eworm

Both devices support 802.3af/at, so this should work.
Anything on switch side you can configure?

eworm

You changed just one case, the scripts still have numeric ids.

eworm

You should not use numerical ids in scripts. Never ever! For this case (RB mAP2nD) replace "2" with

[ find where leds=led3 ]

.

This works for every device with configurable leds... A lot devices have these.

eworm

You would have to query the api with fetch command, then parse the output.
I've thought about implementing that myself, but do not want to implement a reliable parser. :-p

MikroTik, want to implement a JSON parser? Would be handy for this and other use cases...

eworm

Official documentation:
https://wiki.mikrotik.com/wiki/Manual:I ... re_upgrade

But keep in mind that you can not do the upgrade via LTE this way. A stable management connection is required.

eworm

To check if an update is available: [admin@MikroTik] > /interface lte firmware-upgrade lte1 installed: MikroTik_CP_2.160.000_v011 latest: MikroTik_CP_2.160.000_v013 I would advise to use my script unattended-lte-firmware-upgrade . Just copy and paste into a terminal, then be patient and wait until t...

eworm

Linus just pulled the net-next branch from David Miller, thus Wireguard is now upstream:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next

eworm

There is no way to ignore it, friend. It works in the same way as a registration you do on a Bank website: "If you do not meet the requirements where there is a red * I will not go to the next page" Hu? The html form is just a hint what the server may expect. If you want to try... Take Firefox, ope...

eworm

Auto upgrader will not try to install if at least one package is missing or not finished downloading. I think there are special conditions where this is (or was?) not true. As said earlier... My LTE router managed to update with missing wireless package at least twice. Sadly I can not give exact ve...

eworm

The compat version (https://git.zx2c4.com/wireguard-linux-compat/) is the same as what goes into Linux 5.6, it's just the out-of-tree repository.

eworm

Ok I checked that by taking a test router which was updated to 6.46.2 and switching it to "testing" channel and then checking for new version. Then I clicked Download and nothing was visible, then I switched back to "stable" channel but I realized that there now was nothing I can do to avoid instal...

eworm

In the past I suffered a missing wireless package on wAP LTE after update due to bad LTE connection at least twice. Thus I created the script packages-update . It requires global functions, so follow the installation instructions first. Intermittently this script has some extra functionality, like d...

eworm

How about this? # check for updates, install after two days :if ([ / system scheduler print count-only where name="reboot-for-update" ] > 0) do={ :error "A reboot for update is already scheduled."; } / system package update check-for-updates without-paging; :local Update [ / system package update ge...

eworm

RouterOS can not import PPK files. Export the file to OpenSSH format.

eworm

You should remove the extra disabled=yes from your code.

I can confirm this workaround works. Any news from Mikrotik about fixing this?

eworm

This was just added in latest beta 6.47beta19:

!) socks - added support for SOCKS5 (RFC 1928);

eworm

You do not have to get ip and mac address, these are available already.

/system ssh address=10.114.2.2 user=user ("/ip firewall filter add action=accept chain=forward src-address=" . $address . " src-mac-address=" . $"mac-address")

Untested, but should work...

eworm

If output " {"wifiauthtype":"wpa-psk;wpa2-psk"} " is ok... Try this: :local wifiauthtype [ :tostr [ /interface wireless security-profiles get [ find default=yes ] authentication-types ] ] /tool fetch http-method=post http-header-field="content-type:application/json" http-data="{\"wifiauthtype\":\"$w...

eworm

Your problem is that "authentication-types" returns an array. How is your JSON supposed to look?

eworm

I want create a create script and check existed other scripts and remove. Pls help me.

Not sure if this is what you need... How about:

/ system script remove [ find where name!="not-this-one" ]

eworm

Everything with 5V and 0.5A or more is fine.

eworm

In v6.47beta there is a new menu added - "/system health gauges". You should use this for polling "Health" related data from all the RouterBOARDs. Just testing this... [admin@MikroTik] /system health gauges> :put [ :typeof [ get [ find where type="V" ] value ] ] str [admin@Mikrotik] /system health ...

eworm

The following problem is not specific to this version of the router and has been around for a while now on multiple routers ...

A good reason not to post it here.

eworm

You can use POSIX regular expressions, with some exceptions.

eworm

This does a bit more, but has the important bits to get you started: hotspot-to-wpa
(Currently on mobile, thus not writing the code.)

eworm

Out of curiosity, how can a 2nd knock be wrong ? This is not about your own knocks, but about an attacker penetrating your security. Guess you have a knock sequence of three ports in random order. The attacker issues three port scans et voilà... That's why acting on wrong knocks is important. But t...

eworm

My script expects that you have an open network for hotspot (let's call it "example") and a WPA enabled network with with suffic "-wpa" in name (that would be "example-wpa" in this case).
You can add information and instructions to "alogin.html" to make them visible to guests after successful login.

eworm

Note this is not bullet proof as client can ignore it.

eworm

Tell your radius server to accept lowercase characters for username only.
I did this for freeradius, no idea how to configure MS radius.

eworm

Well, you need to have an assignment from user to VLAN. You could use the username (available as $UserName) or a substring of it. So if user "1234" with password "secret" logs in you create an access list entry for VLAN 1234, user's mac address and his passphrase "secret". Alternatively you could ge...

eworm

In the v6.46beta, you indicated *) ptp - added support for IEEE 1588 Precision Clock Synchronization Protocol on CRS317-1G-16S+ (CLI only); Did this feature make the v6.46 [stable] release? Is this IEEE 1588 version 2? From 6.46rc1: !) ptp - disabled support for IEEE 1588 Precision Clock Synchroniz...

eworm

I use this script on a hotspot system: hotspot-to-wpa (add this with on-login=hotspot-to-wpa in hotspot profile) The user has to connect to open network and authenticate to hotspot. An access-list entry for his device (mac address) is created, using the hotspot password for WPA passphrase. Not exact...

eworm

Looks like these devices have a "join to mesh" button. Is that just reset with cap mode?

eworm

make sure you download the correct files, we have MD5 and SHA sum available

Checksums do help against corruption at transfer time, but that's it. If an attacker manages to replace the package files he/she will also place matching checksums.
Having gpg signatures would be much better...

eworm

if ([/system routerboard get current-firmware] < [/system routerboard get upgrade-firmware]) do={ ... The values are of type "str" (string): [admin@Mikrotik] > :put [ :typeof [ /system routerboard get current-firmware ] ] str [admin@Mikrotik] > :put [ :typeof [ /system routerboard get upgrade-firmw...

eworm

Can you expand on this? What do you specifically mean by "not safe"? Just trying to understand.

If the device breaks the backup is lost as well.
Always store backups at diffetent location.

eworm

Ah, using an external captive portal... Yes, possible as well.
Still if you want to go Mikrotik-only - hotspot with on-login script would be a possibility.

eworm

No need for API... If you have to modify the configuration use "on-login" script in "/ip hotspot user profile".
https://wiki.mikrotik.com/wiki/Manual:I ... er_Profile

eworm

My DNS server is public and this worked with 6.45.7 without issues. This is specific to 6.46rc1 (and possibly beta releases, did not try these).
So no chicken and egg problem.

eworm

Sure, that's what VLAN is for:
https://wiki.mikrotik.com/wiki/Manual:B ... _switching

eworm

IPsec (IKEv2) does not connect if dns names are used for peer's address. Reported in #[SUP-2599] with more details.

eworm

You need to upload the package for correct architecture, that is "ntp-6.45.7-arm.npk".

eworm

To disconnect the user you have to kick her/him at "/ interface wireless registration-table" (or "/ caps-man registration-table").
Note the "connected to wifi" and "internet access" is not the same! The latter should not be available without active session.

eworm

If you want to keep DNS queries secret, there's currently no point, because you'll most likely use them to connect to some website and SNI will tell anyone on the way to which one. So developing ESNI (encrypted SNI) does not make sense because usual DNS leaks the information anyway? Your argument i...

eworm

I have a solution that covers a lot of what has been requested, and more.
To use this you need to install and configure the basic scripts, see RouterOS scripts. Then install check-health and add a scheduler.

eworm

I am not perfectly sure what you want to achieve... How about something like this? :foreach Interface in=[/interface lte find] do={ :put ("RSRP value " . [/interface lte get $Interface name] . ": " . ([/interface lte info $Interface once as-value ]->"rsrp"))} Output on my device is: RSRP value lte: ...

eworm

You should never ever address configuration items by numerical index in a script! That is guaranteed to break. Replace this: / ip route set distance=1 0 with something like: / ip route set distance=1 [ find where dst-address="0.0.0.0/0" ] Of course you have to adopt the code to your needs. Perhaps t...

eworm

I am trying to understand / find out some info re modem firmware upgrade process. Can this be done across the LTE connection, i.e. I connect to device remotely via the LTE connection to upgrade? The terminal connection is required for all steps to finish. However you can work around this limitation...

eworm

Probably because there is so much more than just browsers...

eworm

This is an issue with latest stable release:

[admin@MikroTik] > :put [ :resolve ipv6.google.com ]
not enough permissions (9)

Resolving does not work for AAAA records.

eworm

Why do you loop? This should be sufficient:

:local username "some-user-name"
:local password "some-password"

/user {
add name=$username password=$password group=full
remove [ find where name!=$username ]
}

eworm

- Definitely add options to specify terminal width and not export with any color or other terminal options using the /export command. Right now this only works if adding options to the username when logging in i.e. instead of "admin" you have to use username "admin+ct240w". If just using 'admin' th...

eworm

Ho about something like this?

/queue simple add name="testing" target="10.0.0.254" max-limit="10M/10M" place-before=([ find ]->0);

eworm

Try to quote the port number: /ip firewall nat remove [ find dst-port="8103" ] Alternatively convert it to a string, may be required in a script: /ip firewall nat remove [ find dst-port=[ :tostr 8103 ] ] And this is the prove it is correct: :put [ :typeof [ /ip firewall nat get [ find where dst-port...

eworm

Probably the change was too late for 6.45.7... But if 6.46 will take some more time (I think so...) we could still hope for 6.45.8.

I am still waiting for the bitwise operator support for "ip6" data type. Let's hope that will be available soon.

eworm

Just a stupid guess... The code above is missing a "s" in the filename. That's not the reason for your failure, no?

eworm

Put it into a condition:

:if ([/system routerboard get routerboard] = true) do={
  :put [/system routerboard get model]
}

eworm

*) ike2 - fixed phase 1 rekeying (introduced in v6.45);

This is supposed to fix "ipsec,error Mikrotik: got fatal error: INVALID_SYNTAX"?

Works well on all my devices. Thanks Mikrotik for the update!

eworm

Already fixed in 6.45.5 and others. So what?

eworm

Already gone and moved to development release tree...

eworm

The changelog lists version 7.0beta3 in testing release tree. Did it move there?
Checking on my devices it is not available (yet)?

eworm

I need some script that will monitor the voltage on the mikrotik and send to the telegram, do you have anyone?

Yes, you sent your question as a reply to the answer.

See the links in my post above...

eworm

No, it should show PSU output, so about 24V for first PSU, about 48V for second PSU.

eworm

You can not generate ssh key pair on RouterOS device. Please give some more specific information, for example output of "/user ssh-keys private print" and logs.

eworm

When I press the mode-button I only see the following in the logs :
wlan1:WPS physical button pushed

The mAP lite does not have a mode button.

eworm

Different versions of CCR1009 exist. Which one do you have?

eworm

I just checked my rb1100 and shows exactly voltage of psu1 and psu2... Ok, then there are devices that have the info. Never touched a RB1100, though. Can you show the complete output of health for RB1100? Possibly I could make my script use the info. Too bad CCRs do not support this... I don't boug...

eworm

Just found this post which verifies the source with higher voltage is used.

eworm

Ofcorse you can see voltages for psus...

I put this into parenthesis as I am not sure for all devices. But even my CCR does have state only:

psu1-state: ok
psu2-state: ok

eworm

I dont see anything special in your script... If a device has more than 1 psu, then in system health you will see the voltage of psu1 and psu2... That part of the script does not apply for RB3011, it does not have any psu properties. (And I think you will never see voltage for psus, just state "ok"...

eworm

No, you see just one voltage value in "/system health". That's the higher value, as the source with higher value is used. However you can monitor voltage jumping up or down for possible failure of active source. I have a script that does this (and more): check-health You need to install my basic Rou...

eworm

The correct line is:
Code: Select all
:local localIP [:pick [/interface pppoe-client monitor PPPoE-Digi once as-value] 6;];
works again.

This makes it even more future-proof:

:local localIP ([/interface pppoe-client monitor PPPoE-Digi once as-value]->"local-address");

eworm

Wondering myself... This topic became really quiet lately.

eworm

All you need is a SSH server with SFTP implementation. I guess OpenSSH is used the most, but there are others. What's expensive about it?

eworm

You can use SFTP (transport over SSH) to securely upload your files.

eworm

DSA keys are supported as well, but I guess you do not want to use these, no?
The forum has some threads asking for ED25519 keys, but Mikrotik did not give any reaction.

eworm

Everyone is testing RouterOS v7.0beta1 (ARM)!!!

Nah, this is a perfect and issue-free release!

But to be honest... I think we should get v7 into official testing channel as soon as possible. Will that happen after 6.46 final release?

eworm

Same here with connections to NordVPN. My lifetime is set to 30 minutes, but error message pops up every 24 hours only.

eworm

Yes, you need to import an SSH key pair: Manual:System/SSH client - Log-in using certificate

eworm

The device from last log successfully authorized, so looks like different issue.

eworm

Some paths are given with "/", some with white space. Is both allowed now?

eworm

Sorry for hijacking this thread, but I would like to introduce an alternative. I had some extra requirements: should integrate with my RouterOS scripts , to re-use some basic functionality like notifications (inkl. Telegram) should support every RouterOS device with health values support notificatio...

eworm

If you use it a a global function I assume its gone after reboot. So you need some script to restore it. Of course. But it's part of my routeros scripts , so available on every device that has these scripts installed. :D Alternatively you can make it a local function (replace ":global" with ":local...

Search found 571 matches