Search found 683 matches

by eworm
Fri Oct 23, 2020 6:09 pm
Forum: General
Topic: Wildcard DNS
Replies: 15
Views: 740

Re: Wildcard DNS

Same thing happens with international characters, e.g. you can add ěščřžýáíé.example.net, which you might expect to be internally translated to punycode version xn--1caql6dzd0drw5bzo.example.net, because why else would RouterOS accept it, right? But it doesn't happen, it will store exactly what you...
by eworm
Fri Oct 23, 2020 10:38 am
Forum: General
Topic: Error after upgrading to 6.47.6
Replies: 4
Views: 512

Re: Error after upgrading to 6.47.6

There's no impact, just an annoying error message.
by eworm
Thu Oct 22, 2020 6:49 pm
Forum: RouterBOARD hardware
Topic: POE port red on switch, with connected WAP
Replies: 22
Views: 584

Re: POE port red on switch, with connected WAP

The color indicates POE output type. IIRC green is for passive POE and red is for 802.3af/at.
This is not related to the link.
by eworm
Thu Oct 22, 2020 5:41 pm
Forum: General
Topic: Error after upgrading to 6.47.6
Replies: 4
Views: 512

Re: Error after upgrading to 6.47.6

This is a known issue from early 6.48 beta releases... It happens on devices without wireless package.
No idea why they backported the issue but skipped the fix...
by eworm
Thu Oct 22, 2020 2:17 pm
Forum: Announcements
Topic: v6.47.6 [stable] is released!
Replies: 34
Views: 5623

Re: v6.47.6 [stable] is released!

This is now suffering the log messages on default configuration script we had in testing before:
system;error;critical error while running customized default configuration script: expected end of command (line 1337 column 53)
This happens without wireless package only.
by eworm
Mon Oct 19, 2020 10:51 pm
Forum: Scripting
Topic: Log monitor script
Replies: 4
Views: 2789

Re: Log monitor script

I think my script log-forward could serve your needs... Though it does not only notify about failed login attempts but everything interesting - configurable with filters.
It depends on other scripts, see the main README on how to install this.
by eworm
Fri Oct 16, 2020 8:13 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 136
Views: 52019

Re: v6.48beta [testing] is released!

So a general remark: I think cases should remain browseable for the submitter, even after they have been closed by MikroTik.
I am pretty sure they are. Log in to the support portal and see your closed cases.
by eworm
Thu Oct 15, 2020 11:27 pm
Forum: Scripting
Topic: Got ip firewall rules state/flag
Replies: 2
Views: 128

Re: Got ip firewall rules state/flag

ok, I already found it.:
/put [ip firewall filter get number=1 disabled]
You should never use index in scripts, that will break! Instead find the correct rule with whatever criteria it has, for example giving it the comment "first":
:put [ /ip firewall filter get [ find where comment="first" ] disa...
by eworm
Thu Oct 15, 2020 11:23 pm
Forum: Scripting
Topic: Generate script from another script [SOLVED]
Replies: 2
Views: 234

Re: Generate script from another script [SOLVED]

Sure it does. In this example you should add quotes I guess...
by eworm
Mon Oct 12, 2020 5:25 pm
Forum: Scripting
Topic: system script error, console OK
Replies: 1
Views: 136

Re: system script error, console OK

Your variable is declared too late. It is valid inside the blocks only. Try this:
:global xc;
:if ([ /ping 192.168.5.54 size=28 interval=30ms count=1 ] = 0) do={
  :set xc 20;
} else={
  :set xc 50;
}
:log warning $xc;
by eworm
Mon Oct 12, 2020 5:18 pm
Forum: Scripting
Topic: script works in terminal windwo but not in scheduler [SOLVED]
Replies: 3
Views: 256

Re: script works in terminal windwo but not in scheduler [SOLVED]

Use this:
# we are not interested in output, but print is
# required to fetch information from cloud
/ system backup cloud print as-value;
/ system backup cloud upload-file action=create-and-upload password=$BackupPassword replace=[ get ([ find ]->0) name ];
If you want this to be fully automated an...
by eworm
Mon Oct 12, 2020 5:13 pm
Forum: Scripting
Topic: external editor syntax highlighting
Replies: 40
Views: 52129

Re: external editor syntax highlighting

My editor of choice is vis - a modern, legacy free, simple yet efficient vim-like editor.
I added a RouterOS script lexer, that is now available in git master.
by eworm
Mon Oct 12, 2020 5:01 pm
Forum: Scripting
Topic: Run "down" scripts only if user does not reconnect within time
Replies: 2
Views: 208

Re: Run "down" scripts only if user does not reconnect within time

Does this have to be associated to the vpn disconnect and (re-)connect? I have a script netwatch-notify that does monitor ip addresses via netwatch. It has a simple state machine to ignore a (configurable) number of failed attempts. (You have to install the base scripts for this to work, see main RE...
by eworm
Mon Oct 12, 2020 3:42 pm
Forum: General
Topic: SFTP uploads to remote SFTP server [SOLVED]
Replies: 6
Views: 392

Re: SFTP uploads to remote SFTP server

The path set in /tool fetch url=... is rather absolute path from server's root (not from users home directory). That depends on the configuration. My sftp accounts are jailed into a chroot and limited to sftp only (with openssh's sftp-server). So for me the path is relative to the chroot directory.
by eworm
Mon Oct 12, 2020 3:12 pm
Forum: General
Topic: SFTP uploads to remote SFTP server [SOLVED]
Replies: 6
Views: 392

Re: SFTP uploads to remote SFTP server

The path on your server exists? You need a subdirectory "ftp" with write permission.
by eworm
Fri Oct 09, 2020 9:50 am
Forum: General
Topic: SSH error "can't agree on KEX algorithms"
Replies: 9
Views: 374

Re: SSH error "can't agree on KEX algorithms"

Error shows up on 2 routers.
These are the only Mikrotik devices or does it work on others?
by eworm
Fri Oct 09, 2020 9:29 am
Forum: General
Topic: SSH error "can't agree on KEX algorithms"
Replies: 9
Views: 374

Re: SSH error "can't agree on KEX algorithms"

The error message indicates this is about key exchange algorithms, but following the log it was agreed on diffie-hellman-group-exchange-sha256. In fact it was not agreed on the host key algorithms. Looks like both support rsa-sha2-256, no idea why it is not used. BTW, ssh-dss and ssh-rsa are val...
by eworm
Thu Oct 08, 2020 9:52 am
Forum: General
Topic: DoH config ignores local static entries
Replies: 7
Views: 608

Re: DoH config ignores local static entries

Static entries do work, but behavior changed a bit. I've described the issue in v6.47 release thread.

In short:
Without DoH a single A record does cover everything. With DoH enabled it will check for AAAA record upstream.
by eworm
Thu Oct 08, 2020 9:29 am
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

It is just efficient!
Right you are. But it is important to shorten the quote to what you actually intend to quote, just as we both did.
Quoting a post including a quote, including a quote, including a quote .... does not add much value.
So I am all for quotes if done right.
by eworm
Tue Oct 06, 2020 2:15 pm
Forum: General
Topic: Problem with SSH Login
Replies: 1
Views: 222

Re: Problem with SSH Login

What ssh client do you use? Can you give the exact error message?

A blind guess if everything else fails: regenerate your host keys:
/ip ssh regenerate-host-key
by eworm
Wed Sep 30, 2020 12:58 am
Forum: Scripting
Topic: Is it possible to make a DHCP lease script which adds a DNS record for a device through its MAC address?
Replies: 1
Views: 204

Re: Is it possible to make a DHCP lease script which adds a DNS record for a device through its MAC address?

Perhaps my script dhcp-to-dns may be of interest... If I got you right it does what you want.
(It depends on more scripts, so see main README for installation.)
by eworm
Fri Sep 18, 2020 9:26 am
Forum: General
Topic: When doh is enabled, DNS Forward will be unavailable
Replies: 1
Views: 187

Re: When doh is enabled, DNS Forward will be unavailable

This is a known problem, look at the release threads.
Mikrotik did not (yet) react on this. No answers, no changes.
by eworm
Thu Sep 17, 2020 10:31 am
Forum: General
Topic: hAP ac2 over heated vent holes mod
Replies: 16
Views: 949

Re: hAP ac2 over heated vent holes mod

Any details on the temperatures before and after the mod?
by eworm
Thu Sep 17, 2020 1:41 am
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2993

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

Does it make a difference if you lower the mtu size on wireguard interfaces?
On Device B?
Yes, on device B and on your client. I think the mtu should match on both sides. No idea what happens if it does not.
by eworm
Thu Sep 17, 2020 1:36 am
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2993

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

Does it make a difference if you lower the mtu size on wireguard interfaces?
by eworm
Mon Sep 14, 2020 8:04 pm
Forum: Announcements
Topic: v6.46.7 [long-term] is released!
Replies: 43
Views: 9465

Re: v6.46.7 [long-term] is released!

By the way what does this one mean.
*) interface - added new builtin "static" interface list;
This is a very interesting changelog item, one that has never been in a stable (or development) release. I find confusing that this comes to the long term release with barely no testing, has been first see...
by eworm
Sat Sep 12, 2020 6:43 pm
Forum: General
Topic: Announcements of LTE firmware releases
Replies: 5
Views: 396

Re: Announcements of LTE firmware releases

It is part of a bigger collection and requires the base installation at least. See the main README for details. Configuration for e-mail and telegram goes to global configuration.
by eworm
Wed Sep 09, 2020 11:47 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2993

Re: Wireguard not working when behind internet facing router with DSTNAT

Is there a firewall rule that does source NAT just after destination NAT for the incoming packet? Possibly that confuses wireguard...
What interfaces are in interface list "WAN"?
by eworm
Wed Sep 09, 2020 5:13 pm
Forum: General
Topic: Announcements of LTE firmware releases
Replies: 5
Views: 396

Re: Announcements of LTE firmware releases

You could use my script for release notification:
Notify on LTE firmware upgrade

Of course this does not give a hint what changed.
by eworm
Wed Sep 09, 2020 11:33 am
Forum: General
Topic: Reset Button feature not working
Replies: 4
Views: 334

Re: Reset Button feature not working

It is not. But would be nice...
Missing this on some devices, including CCR1009 & mAP (lite). Would have to check all my devices for a complete list.
by eworm
Tue Sep 08, 2020 6:01 pm
Forum: General
Topic: Reset Button feature not working
Replies: 4
Views: 334

Re: Reset Button feature not working

Not all devices support this... Try the following code to check:
:if ([ :len [ /system routerboard mode-button print as-value ] ] > 0) do={ :put "Mode button supported."; }
:if ([ :len [ /system routerboard reset-button print as-value ] ] > 0) do={ :put "Reset button supported."; }
by eworm
Tue Sep 08, 2020 5:30 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2993

Re: Wireguard not working when behind internet facing router with DSTNAT

Ah, I misread and misunderstood some details. So both peers are behind NAT, one is supposed to be reachable via destination NAT.
Never tried that with wireguard, no idea if this should work.
by eworm
Tue Sep 08, 2020 4:30 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2993

Re: Wireguard not working when behind internet facing router with DSTNAT

Ok, some questions here:

Why do you configure wireguard on device B, not device A?

What does the other side look like? Does it have a public address without NAT? If it does: Things should work without destination NAT if connection is initiated from device behind NAT.
by eworm
Tue Sep 08, 2020 3:48 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

But Wireguard with Mikrotik behind NAT is not a problem for me.
Share a secret )
I'm sorry, but there's no secret... Just works for me.
Show your configuration export, possibly there's something fishy.
/interface/wireguard/export hide-sensitive
by eworm
Tue Sep 08, 2020 3:15 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

Wireguard does not connect from Mikrotik behind NAT to a Linux server with a white IP.
What is a "white IP"?
But Wireguard with Mikrotik behind NAT is not a problem for me.
by eworm
Tue Sep 08, 2020 2:11 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 136
Views: 52019

Re: v6.48beta [testing] is released!

Not sure this is working? The DoH server I'm using is https://doh.opendns.com/dns-query, and I see requests to 146.112.41.2, but none to 2620:119:fc::2
I guess IPv4 is still preferred if a domain resolves with A and AAAA record. Try a domain that has just an AAAA record or use IPv6 address.
by eworm
Thu Sep 03, 2020 12:02 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

Wireguard endpoints are set and updated automatically on handshake. Huh. Are you sure that both of endpoint can be updated automatically? Nevertheless, I can't find any example of routeros setup with one of the peers is with endpoint (e.g. "client") and other is without ("server"). May be I'm on wr...
by eworm
Thu Sep 03, 2020 9:39 am
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

Wireguard endpoints are set and updated automatically on handshake.
by eworm
Wed Sep 02, 2020 9:37 pm
Forum: General
Topic: WireGuard Released !
Replies: 41
Views: 24131

Re: WireGuard Released !

So I was going to send the link but thought better of it......... Instead try this www.google.com Are you nuts? I know how to use google and I know the link given by IPANetEngineer. My understanding was that the answer was about connecting to NordVPN via Wireguard, which is not handled by Rick Frey...
by eworm
Wed Sep 02, 2020 4:17 pm
Forum: General
Topic: WireGuard Released !
Replies: 41
Views: 24131

Re: WireGuard Released !

What manual are you speaking about? Can you give a link?
by eworm
Wed Sep 02, 2020 4:06 pm
Forum: Scripting
Topic: Telegram
Replies: 4
Views: 358

Re: Telegram

The Telegram Bot API documentation regarding sending files is here:
https://core.telegram.org/bots/api#sending-files

Not sure this works with fetch command... Probably not.
by eworm
Wed Sep 02, 2020 12:30 am
Forum: Scripting
Topic: How to check if value is empty?
Replies: 9
Views: 6933

Re: How to check if value is empty?

Answering myself... Looks like this is executing an empty command, which evaluates to "nil":
[admin@mt] > :put [ :typeof [] ]
nil
by eworm
Wed Sep 02, 2020 12:26 am
Forum: Scripting
Topic: How to check if value is empty?
Replies: 9
Views: 6933

Re: How to check if value is empty?

For the inversion you have to use parenthesis:
... where !(comment=[])
Really nice to have this... Is this documented anywhere?
by eworm
Thu Aug 27, 2020 6:48 pm
Forum: RouterOS v7 BETA
Topic: Not a fan of the new (/) slash notation.
Replies: 16
Views: 897

Re: Not a fan of the new (/) slash notation.

Wait for RouterOS v8 for an answer on that. :D
by eworm
Wed Aug 26, 2020 1:29 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

This is by design. Peers are identified by their public key, changing the endpoint automatically makes it roam seamlessly.
If the peer changes its address the configuration should update again.
by eworm
Tue Aug 25, 2020 4:49 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

Ah, stupid me... Of course it's keepalive.
/ interface gre unset keepalive [ find ]
by eworm
Tue Aug 25, 2020 3:21 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

You have to unset the timeout for GRE interfaces:
/ interface gre unset timeout [ find ]
by eworm
Mon Aug 24, 2020 5:07 pm
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 163
Views: 47222

Re: Feature Request - Wireguard Protocol

Testing on a RB951G (mipsbe with 600MHz single core) with a 100/40 MBit/s uplink: I could do 90/38 MBit/s through the tunnel - with bandwidth-test on the device itself. Pretty impressive given that IPSec barely does 20 MBit/s... So can't wait to see WireGuard in a stable version... I hope it does no...
by eworm
Mon Aug 24, 2020 1:11 pm
Forum: General
Topic: WireGuard Released !
Replies: 41
Views: 24131

Re: WireGuard Released !

NordVPN uses more than just a plain WireGuard connection... This is to make sure an individual can not be associated with public traffic.
I can not give any more detail, though... I would be interested to make this work as well.
by eworm
Fri Aug 21, 2020 11:01 pm
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 16463

Re: v6.47.2 [stable] is released!

Yes, I got that, and I second your request.
But for now only my method is available. ;)
by eworm
Fri Aug 21, 2020 6:50 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 285
Views: 71694

Re: v7.1beta2 [development] is released!

Wireguard support cool thing, but where is an instruction how to use it?
Configuring wireguard is pretty straight forward. Just look at the options available.
by eworm
Fri Aug 21, 2020 6:22 pm
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 16463

Re: v6.47.2 [stable] is released!

No, it is not too hard. My scripts collection (see signature) has a function for that. Just run...
$DownloadPackage wireless
... and reboot to install the package. (The also supports downloading packages in other version or for different architecture, for example to use with capsman.)
by eworm
Wed Aug 19, 2020 1:27 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 136
Views: 52019

Re: v6.48beta [testing] is released!

btw. after install I see in log this:
system,error,critical,,, error while running customized default configuration script: expected end of command (line 1315 column 53)
Me too. Reported for 6.47beta12 as SUP-21264, just re-opened.
by eworm
Tue Aug 18, 2020 7:04 pm
Forum: Scripting
Topic: script to check if dns is running
Replies: 5
Views: 432

Re: script to check if dns is running

No... You can do something like this:
:local PIHOLEHOST "pihole.example.com"
:local PIHOLEHOSTIP [:resolve $PIHOLEHOST]
:log info "PI-Hole script started... ($PIHOLEHOSTIP)"
:if ([/ping $PIHOLEHOSTIP interval=1 count=1] = 1) do={
  :log info "PI-Hole host is UP! (ping)"
  :do {
    :resolve $PIHOLEHOST serv...
by eworm
Tue Aug 18, 2020 5:04 pm
Forum: Scripting
Topic: script to check if dns is running
Replies: 5
Views: 432

Re: script to check if dns is running

I guess the script is terminated on error... Try to catch it:
:do {
  :resolve ...
} on-error={
  ...
}
by eworm
Tue Aug 18, 2020 12:19 am
Forum: General
Topic: IKEv2 between MikroTiks, sides switching, initiator <> responder
Replies: 13
Views: 1751

Re: IKEv2 between MikroTiks, sides switching, initiator <> responder

send-initial-contact=yes is not an instruction to act as initiator; it actually means "replace any already existing connection from my IP address, irrespective of port, by this new one", so it is quite dangerous in some scenarios (multiple initiators coming to the responder from behind the same NAT...
by eworm
Fri Aug 14, 2020 5:00 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 136
Views: 52019

Re: v6.48beta [testing] is released!

Indeed... We are bored, give us something to play with!
by eworm
Thu Aug 13, 2020 6:06 pm
Forum: General
Topic: How prevent IPSec from adding dynamic DNS servers? [SOLVED]
Replies: 3
Views: 801

Re: How prevent IPSec from adding dynamic DNS servers? [SOLVED]

IIRC the functionality was added in 6.46, the configuration option in 6.47.
Look up the changelog if you are interested in details.
by eworm
Thu Aug 13, 2020 5:28 pm
Forum: General
Topic: How prevent IPSec from adding dynamic DNS servers? [SOLVED]
Replies: 3
Views: 801

Re: How prevent IPSec from adding dynamic DNS servers? [SOLVED]

Just disable dns in mode-config:
/ip ipsec mode-config set use-responder-dns=no NordVPN
by eworm
Thu Aug 13, 2020 2:15 pm
Forum: Scripting
Topic: script trigger on interface down
Replies: 1
Views: 285

Re: script trigger on interface down

Sadly there is no functionality to hook into interface events.
You could run a script via scheduler that checks link status for the ports in very short interval.
by eworm
Thu Aug 13, 2020 2:09 pm
Forum: Scripting
Topic: Multi script mode button
Replies: 1
Views: 421

Re: Multi script mode button

I have something very similar in my scripts collection: Mode button with multiple presses
I think it has some advantages and configuration goes to a central script.
by eworm
Tue Aug 11, 2020 10:34 am
Forum: General
Topic: DoH max concurrent queries reached
Replies: 7
Views: 2201

Re: DoH max concurrent queries reached

Looks like there is a hard limit in RouterOS. Only Mikrotik can change that.
Open a support ticket if you want or need this to change.
by eworm
Sat Aug 08, 2020 3:27 pm
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 163
Views: 47222

Re: Feature Request - Wireguard Protocol

Great! Looks like it is about as fast as IPSec...
At least on ARM. Wondering what numbers look like on mipsbe and tile.
by eworm
Wed Jul 29, 2020 5:36 pm
Forum: General
Topic: RouterOS v6.27 SSh Key login problem.
Replies: 2
Views: 686

Re: RouterOS v6.27 SSh Key login problem.

This is your issue:
debug1: Skipping ssh-dss key id_dsa - not in PubkeyAcceptedKeyTypes
You have to extend your configuration even more.

Better solution: Update RouterOS to a recent version and use RSA keys.
by eworm
Wed Jul 29, 2020 1:53 pm
Forum: Announcements
Topic: Photos of towers and masts
Replies: 81
Views: 32683

Re: Photos of towers and masts

Yes, it's a heavy plastic plate. But it has just rubber-feet, no sucker. But I will fasten it with a strong cord and eyelets in keder rails.
It now looks like this. Let's hope it will withstand bad weather and strong wind...
by eworm
Wed Jul 29, 2020 12:10 pm
Forum: General
Topic: Question: How to set a NXDOMAIN entry in RouterOS DNS with 6.47.1 [SOLVED]
Replies: 3
Views: 865

Re: Question: How to set a NXDOMAIN entry in RouterOS DNS with 6.47.1 [SOLVED]

You could just set a record of type NXDOMAIN...
/ip dns static add name=example.com type=NXDOMAIN
However this is not specific to IPv6 and could cause clients to ignore the domain completely. I tend to set an AAAA record representing the IPv4 address:
/ip dns static add name=example.com type=AAAA ad...
by eworm
Sun Jul 26, 2020 7:22 pm
Forum: Announcements
Topic: Photos of towers and masts
Replies: 81
Views: 32683

Re: Photos of towers and masts

maybe, mounted on a plastic plate (Polyethylenplast) then a rubber-sucker (Saugnapf) in each corner to fasten to roof.
then very portable.
Yes, it's a heavy plastic plate. But it has just rubber-feet, no sucker. But I will fasten it with a strong cord and eyelets in keder rails.
by eworm
Sun Jul 26, 2020 3:56 pm
Forum: Announcements
Topic: Photos of towers and masts
Replies: 81
Views: 32683

Re: Photos of towers and masts

How do you turn antenna, by loosening the mount on the pole? What do you do while driving around, take the whole installation (including pole base) down? Yes, this is completely manual. When the caravan has its position I can place the antenna - neither caravan nor lte station will move then. :lol: ...
by eworm
Sun Jul 26, 2020 1:22 pm
Forum: Announcements
Topic: Photos of towers and masts
Replies: 81
Views: 32683

Re: Photos of towers and masts

Mounted this on top of my caravan.
Guess it solves my connectivity issues...
by eworm
Fri Jul 24, 2020 6:06 pm
Forum: General
Topic: doh server connect error network is unreachable
Replies: 9
Views: 1621

Re: doh server connect error network is unreachable

You should ping the host cloudflare-dns.com, not the url.
by eworm
Fri Jul 10, 2020 6:30 pm
Forum: General
Topic: Mikrotik CRS125-24G Speed Problem
Replies: 13
Views: 2150

Re: Mikrotik CRS125-24G Speed Problem

Probably a bad idea. CRS125 is a switch, and in no way it can route a gigabit.
The poster wants fast internet connection, not VLAN.
by eworm
Fri Jul 10, 2020 5:25 pm
Forum: General
Topic: Mikrotik CRS125-24G Speed Problem
Replies: 13
Views: 2150

Re: Mikrotik CRS125-24G Speed Problem

Your Huawei Router is connected to what port?

If it is connected to ether1 your CRS is not working as switch but additional router. Disable DHCP server, plug the Huawei Router to any other port and try again.
by eworm
Fri Jul 10, 2020 2:00 pm
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 58503

Re: v6.47.1 [stable] is released!

Already reported for 6.48beta, but applies here, too:
*) dns - do not use DoH for local queries when a server is specified;
This is about forwarding? Looks like queries are still sent via DoH for me.
Anybody made this work?
by eworm
Wed Jul 08, 2020 11:57 am
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 8
Views: 1779

Re: BUG: DNS USE ONLY DOH

That is a theory but unfortunately this does not work with DOH right now. Mikrotik staff is aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release fix in stable channel.
Does it work for you with 6.48beta12? To my findings the behavior did not change.
by eworm
Tue Jul 07, 2020 4:39 pm
Forum: General
Topic: SVG of cloud shaped Mikrotik logo
Replies: 0
Views: 381

SVG of cloud shaped Mikrotik logo

Everybody who visited a MUM knows these: the cloud shaped Mikrotik stickers.
Is the cloud shaped Mikrotik logo available, preferably as SVG file? I've searched designs.mikrotik.com and Google, but could not find anything.
Please share if you have it.
by eworm
Tue Jul 07, 2020 4:34 pm
Forum: General
Topic: RouterOS firmware not upgrading [SOLVED]
Replies: 2
Views: 731

Re: RouterOS firmware not upgrading [SOLVED]

Looks like you have a number of packages on our flash storage. Clean these, then try again.
by eworm
Tue Jul 07, 2020 3:30 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 136
Views: 52019

Re: v6.48beta [testing] is released!

*) dns - do not use DoH for local queries when a server is specified;
This is about forwarding? Looks like queries are still sent via DoH for me.
*) dns - do not use type "A" for static entries with unspecified type;
I do not understand that one... How could type be "A" and unspecified at the same ...
by eworm
Tue Jul 07, 2020 2:52 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 136
Views: 52019

Re: v6.48beta [testing] is released!

msatter Do you have custom set of packages installed and wireless package is not installed?
Correct. My system has system, dhcp, advanced-tools & security installed. Opened SUP-21264 with support output.
by eworm
Tue Jul 07, 2020 2:15 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 136
Views: 52019

Re: v6.48beta [testing] is released!

I wonder what's the real advantage of running my router with ondemand scheduler?
It saves power and runs less hot.
by eworm
Tue Jul 07, 2020 12:51 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 136
Views: 52019

Re: v6.48beta [testing] is released!

Now non-wireless devices have issues with the default configuration script:
system;error;critical;13328;39528;13328 error while running customized default configuration script: expected end of command (line 1310 column 53)
This is on RB750GL.
by eworm
Mon Jul 06, 2020 4:29 pm
Forum: General
Topic: ASK [reset-button]
Replies: 8
Views: 1557

Re: ASK [reset-button]

No idea what your code is supposed to do. Do you want to toggle the interface without my scripts? Use something like this then:
:if ([ / caps-man interface get cap1 disabled ] = true) do={
  :log info "Enabling...";
  / caps-man interface enable cap1;
} else={
  :log info "Disabling...";
  / caps-man interfa...
by eworm
Mon Jul 06, 2020 11:53 am
Forum: General
Topic: ASK [reset-button]
Replies: 8
Views: 1557

Re: ASK [reset-button]

Using my scripts add something like this in configuration:
:global ModeButton {
  1="/ caps-man interface disable [ find ];";
  2="/ caps-man interface enable [ find ];";
}
With one press all interfaces are disabled, with two presses interfaces are enabled. Is that what you want? Of course you could scr...
by eworm
Sun Jul 05, 2020 3:32 pm
Forum: General
Topic: SMS receive 'allowed-number' multiple numbers [SOLVED]
Replies: 9
Views: 1721

Re: SMS receive 'allowed-number' multiple numbers [SOLVED]

Version 6.45.1 had this in change log:
*) sms - allow specifying multiple "allowed-number" values;
So it should be possible. Never used it myself, though.
by eworm
Thu Jul 02, 2020 3:11 pm
Forum: General
Topic: Strange Cert. error with some NordVPN connections
Replies: 15
Views: 2080

Re: Strange Cert. error with some NordVPN connections

I have this stored as a script on my devices:
:put ([ / tool fetch http-header-field="User-Agent: Mozilla/4.0" "https://api.nordvpn.com/v1/servers/recommendations\?limit=3" output=user as-value ]->"data");
Then from a linux host:
% ssh mikrotik / system script run nordvpn-recommendations | jq --raw-...
by eworm
Thu Jul 02, 2020 1:39 pm
Forum: General
Topic: Strange Cert. error with some NordVPN connections
Replies: 15
Views: 2080

Re: Strange Cert. error with some NordVPN connections

I've seen this myself... Just switched to another server that is currently recommended.
by eworm
Wed Jul 01, 2020 11:48 am
Forum: General
Topic: ASK [reset-button]
Replies: 8
Views: 1557

Re: ASK [reset-button]

This is part of my RouterOS Scripts collection. You can make the device act on multiple presses on mode or reset button. The default is one press to toggle dark mode, two presses for a "Hello World" notification, three presses for shutdown, ... But you can make it do what ever you want.
by eworm
Wed Jul 01, 2020 9:26 am
Forum: General
Topic: ASK [reset-button]
Replies: 8
Views: 1557

Re: ASK [reset-button]

Would you consider this to be useful?
Mode button with multiple presses
by eworm
Mon Jun 29, 2020 12:15 pm
Forum: RouterOS v7 BETA
Topic: v7.0beta8 [development] is released!
Replies: 180
Views: 65111

Re: v7.0beta8 [development] is released!

It would be like asking MikroTik to make QUIC available. It is already available. Well, RouterOS can be client as well, so for example fetch command could benefit. It's not a big win there, though. But DoH over QUIC or HTTPS/3 could be worth adding one day... No idea if there are endpoints supporti...
by eworm
Wed Jun 24, 2020 4:12 pm
Forum: General
Topic: couldn't add new DHCP client - can not run on slave interface
Replies: 9
Views: 2530

Re: couldn't add new DHCP client - can not run on slave interface

Your port is member of a bridge. Put the dhcp client on the bridge.
by eworm
Wed Jun 24, 2020 12:27 am
Forum: General
Topic: SysLog
Replies: 8
Views: 1438

Re: SysLog

As said before a message has to match all topics given in a rule. So you can use something like this... /system logging add action=remote topics=info,dhcp ... to match all messages that have topic info and dhcp . But there is no message that has topics error and info at the same time. So a rule like...
by eworm
Tue Jun 23, 2020 11:17 pm
Forum: General
Topic: SysLog
Replies: 8
Views: 1438

Re: SysLog

No, this is not a bug. Why do you think so?
by eworm
Tue Jun 23, 2020 11:04 pm
Forum: General
Topic: SysLog
Replies: 8
Views: 1438

Re: SysLog

Rules: topics=info,error,critical,system,event,warning,script,wireless,dhcp,ipsec prefix="" action=remote A message has to contain all topics to match. That's an impossible combination, even info and error are exclusive to each other. Try this: /system logging add action=remote topics=info add acti...
by eworm
Tue Jun 23, 2020 4:27 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 96740

Re: v6.47 [stable] is released!

Please give
/ip firewall filter export
so we can have a look.

There's no (new) breakage in scripting I know of.
by eworm
Tue Jun 23, 2020 2:56 pm
Forum: Scripting
Topic: Telegram notification
Replies: 3
Views: 874

Re: Telegram notification

Possibly missing the escape for question mark?
by eworm
Fri Jun 19, 2020 5:41 pm
Forum: General
Topic: IPsec (in)security: phase2 pfs-group
Replies: 4
Views: 1011

Re: IPsec (in)security: phase2 pfs-group

I think you see the mismatch only if session key is about to expire and rekeying fails. So did you test for more than just session startup?
by eworm
Fri Jun 19, 2020 12:22 am
Forum: General
Topic: where can I create a script in RouterOS?
Replies: 11
Views: 7879

Re: where can I create a script in RouterOS?

Sure, everything is possible... Run / system script export; to see what the code inside an rsc file should look like. To turn an uploaded file into a script: / system script add name=new-script source=[ /file get uploaded-script-file contents ]; You may want to take a look at my signature for an idea wha...
by eworm
Mon Jun 15, 2020 5:00 pm
Forum: Scripting
Topic: Return IP Octet Function
Replies: 11
Views: 4503

Re: Return IP Octet Function

RouterOS supports bitwise operations, so you can calculate IP addresses like this, for example get the first octet:
:put (192.168.10.0 & 255.0.0.0)
192.0.0.0
Possibly useful to shorten your functions even further. :D
by eworm
Mon Jun 15, 2020 4:44 pm
Forum: General
Topic: DNS over HTTPS
Replies: 147
Views: 30183

Re: DNS over HTTPS

Does this work for ipv6?
You could try this address:

https://[2606:4700:4700::1111]/dns-query

But others reported it does not. Have not tried it myself.
by eworm
Wed Jun 10, 2020 9:29 pm
Forum: General
Topic: DoH server connection error, idle time out connecting
Replies: 5
Views: 1621

Re: DoH server connection error, idle time out connecting

It expires nov/10/2031 02:00:00, that's more than 595 weeks from now.
by eworm
Wed Jun 10, 2020 12:22 am
Forum: General
Topic: CRS354 - out of space - RESOLVED
Replies: 5
Views: 946

Re: CRS354 - out of space

Looks like anybody uploaded all available extra packages to the device to upgrade...
Should be easy to recover with netinstall. Not sure if there is another way... Probably not if you can not uninstall unwanted packages.
by eworm
Wed Jun 10, 2020 12:11 am
Forum: General
Topic: CRS354 - out of space - RESOLVED
Replies: 5
Views: 946

Re: CRS354 - out of space

What packages are installed? Did you import certificates?
by eworm
Tue Jun 09, 2020 9:48 pm
Forum: General
Topic: Mikrotik DNS cache allocation drive...
Replies: 1
Views: 441

Re: Mikrotik DNS cache allocation drive...

I think dns cache goes to RAM and does not cause flash writes...
by eworm
Tue Jun 09, 2020 12:49 am
Forum: Scripting
Topic: How to set the same field of all list members to the same value? [SOLVED]
Replies: 5
Views: 1399

Re: How to set the same field of all list members to the same value? [SOLVED]

This should do:
:foreach i in=[find] do={set $i address=192.168.20.2/32}
or since it's just one IP and no subnet:
:foreach i in=[find] do={set $i address=192.168.20.2}
Why do you run this in a loop? Just set the value for all at a time:
set [ find ] address=192.168.20.2;
by eworm
Mon Jun 08, 2020 12:47 pm
Forum: General
Topic: Very strange environment variables. Did I get hacked?
Replies: 19
Views: 6717

Re: Very strange environment variables. Did I get hacked?

Yes, except that you do not need to update. Just a reboot is sufficient.
by eworm
Sun Jun 07, 2020 11:06 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 96740

Re: v6.47 [stable] is released!

To solve this issue First you have to change your Wireless Interface(s) name to the pre-set. wlan1,wlan2,wlan3.... And finally you must Reboot your device, after this your problem will be solved forever And after that you can personalize and change their name. That does the trick, thanks a lot for ...
by eworm
Fri Jun 05, 2020 6:15 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 96740

Re: v6.47 [stable] is released!

It would be nice when it first checked for exact matches of static records before it tried the regexp.
Exactly what I described above with my issue. So +1!
by eworm
Fri Jun 05, 2020 5:15 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 96740

Re: v6.47 [stable] is released!

To get DoH working I need to use all 3 certificate from dns.google
Depends on whether or not the server ships the intermediate certificate. Then looks like Google server does not.
by eworm
Thu Jun 04, 2020 1:54 pm
Forum: General
Topic: RPKI
Replies: 48
Views: 13796

Re: RPKI

What's new in 7.0beta7 (2020-Jun-3 16:31):
[...]
!) enabled BGP support with multicore peer processing (CLI only);
!) enabled RPKI support (CLI only);
[...]
by eworm
Thu Jun 04, 2020 1:53 pm
Forum: RouterOS v7 BETA
Topic: Enable BGP on ROSv7
Replies: 14
Views: 4458

Re: Enable BGP on ROSv7

What's new in 7.0beta7 (2020-Jun-3 16:31):
[...]
!) enabled BGP support with multicore peer processing (CLI only);
!) enabled RPKI support (CLI only);
[...]
by eworm
Thu Jun 04, 2020 11:37 am
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 135
Views: 96529

Re: Add DNS over HTTPS (DoH) support

Just want to share to all people, if you want to verify the DoH server, you can go to https://1.1.1.1/dns-query using the web browser and download the 3 certificates from the server site. Only two certificates are required, use the two with "DigiCert" in name. The "cloudflare-dns.com" certifica...
by eworm
Thu Jun 04, 2020 11:13 am
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 96740

Re: v6.47 [stable] is released!

Just found another hiccup with DNS and DoH... Let's assume I have a domain eworm.de (I do! :D ), which has A and AAAA records. My router has a record router.eworm.de , using *.router.eworm.de as local zone: /ip dns static add address=10.0.0.1 name=router.eworm.de add address=10.0.0.10 name=host.rout...
by eworm
Thu Jun 04, 2020 10:35 am
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 96740

Re: v6.47 [stable] is released!

It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests. (If you want to test it, remember to flush cache before every request) I brought this topic up for beta and rc releases... ...
by eworm
Thu May 28, 2020 7:54 pm
Forum: General
Topic: Lots of global variables on hAP ac2
Replies: 5
Views: 1279

Re: Lots of global variables on hAP ac2

BTW, is this log message related?
system;error;critical error while running customized default configuration script: no such item
by eworm
Thu May 28, 2020 6:36 pm
Forum: General
Topic: Lots of global variables on hAP ac2
Replies: 5
Views: 1279

Re: Lots of global variables on hAP ac2

Several of my devices show this as well.
With reset you reference
/system reset-configuration
?
Will this be fixed in a future version without reset?
by eworm
Thu May 28, 2020 5:50 pm
Forum: General
Topic: DHCP Client Script when provider renews lease
Replies: 8
Views: 1667

Re: DHCP Client Script when provider renews lease

I do not see anything wrong with that call. Perhaps it's a race condition because resolving is not yet available? You can try to catch runtime error: :local ipddns; :do { :set ipddns [:resolve $ddnsbase]; } on-error={ :log warning "Resolving failed."; } Or try to wait... :local ipddns ""; :while ($i...
by eworm
Thu May 28, 2020 1:39 pm
Forum: RouterBOARD hardware
Topic: Running hardware portably using DC battery power
Replies: 14
Views: 2640

Re: Running hardware portably using DC battery power

That's awesome! What a snug fit. Does the PD source always rise to 20V? I don't own a wAP... yet, but this definitely makes me want one. You can configure the voltage (or voltage range with preference) your PD buddy delivers. It also depends on your power source, some do not support 20V... The PD b...
by eworm
Thu May 28, 2020 12:59 pm
Forum: General
Topic: DNS Failover
Replies: 20
Views: 7237

Re: DNS Failover

Set the Mikrotik to use a DNS other than piehole... Like 8.8.8.8, 1.1.1.1. Then in your DHCP server... Set the DNS value under network to be piehole, Mikrotik. If piehole doesn't work... The client will ask the Mikrotik. That does not work. The client will use piehole and Mikrotik simultaneously.
by eworm
Thu May 28, 2020 12:06 pm
Forum: General
Topic: implicit firewal rules
Replies: 4
Views: 924

Re: implicit firewal rules

I guess that would result in a lot of locked devices. So bad idea.
Unless your first rule is to allow administrative access you would no longer be able to log in to your device.
by eworm
Thu May 28, 2020 12:00 pm
Forum: Scripting
Topic: Question related with ROS client ssh w/o Pass
Replies: 2
Views: 680

Re: Question related with ROS client ssh w/o Pass

RouterOS can import keys in PEM format only. Convert the key and you are fine.
by eworm
Thu May 28, 2020 11:53 am
Forum: RouterOS v7 BETA
Topic: Feature Request: ACL Compare User Defined Bytes
Replies: 3
Views: 1023

Re: Feature Request: ACL Compare User Defined Bytes

The firewall has a lot of attributes to filter on:
/ip firewall filter add protocol=tcp connection-state=new ...
by eworm
Wed May 27, 2020 11:56 pm
Forum: RouterBOARD hardware
Topic: Running hardware portably using DC battery power
Replies: 14
Views: 2640

Re: Running hardware portably using DC battery power

I use a power bank with USB-C power delivery output. Combine that with a PD Buddy Sink and you are done.

The PD Buddy Sink even fits into a wAP (LTE) case - resulting in a powerful mobile access point.
by eworm
Wed May 27, 2020 4:42 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 16021

Re: v6.47rc [testing] is released!

Setting attributes for static DNS records changes other attributes unintentionally: [admin@mt] /ip dns static> add forward-to=10.0.0.1 regexp="example.com" type=FWD [admin@mt] /ip dns static> set regexp="example\\.com\$" [ find where regexp="example.com" ] [admin@mt] /ip dns static> export [...] add...
by eworm
Tue May 26, 2020 10:50 pm
Forum: General
Topic: MTU troubles using IKEv2 providers like NordVPN [work around]
Replies: 35
Views: 8233

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

I did fear the same, but looks like everything still works as expected.
Not sure what this change is supposed to do.
by eworm
Tue May 26, 2020 9:21 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 16021

Re: v6.47rc [testing] is released!

+1. I'd like to forward internal zones via VPN to an organization DNS and all the rest - to 1.1.1.1 via DoH
Exactly my use case.
Two great new features - would be frustrating to have to choose between them.
by eworm
Tue May 26, 2020 8:06 pm
Forum: General
Topic: DNS over HTTPS
Replies: 147
Views: 30183

Re: DNS over HTTPS

This is not supported in 6.46.6. You have to use 6.47 for that feature.
by eworm
Tue May 26, 2020 2:22 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 16021

Re: v6.47rc [testing] is released!

eworm Currently DoH will be prioritized over all other DNS configuration. Not sure if this will change any time soon.
In general this makes sense. But I vote for an exception with conditional forwarding of DNS queries.
by eworm
Tue May 26, 2020 2:21 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 16021

Re: v6.47rc [testing] is released!

On boot system logs:
system;error;critical error while running customized default configuration script: no such item
Is this expected? (If it is I would like to see the severity reduced. "error" and "critical" raise alerts here.)
by eworm
Tue May 26, 2020 1:45 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 16021

Re: v6.47rc [testing] is released!

This has... *) dns - added support for multiple type static entries; ... but is missing from 6.47beta60... *) dns - added support for forwarding DNS queries of static entries to specific server (CLI only); This can still be configured, but still does not work when DNS over HTTPS is enabled. I would ...
by eworm
Mon May 25, 2020 6:50 pm
Forum: RouterBOARD hardware
Topic: new hardware Wireless Wire nRAY 60 ghz
Replies: 40
Views: 7157

Re: new hardware Wireless Wire nRAY 60 ghz

Interesting device...

Also nice to see that more devices are equipped with ARM 64bit CPUs (just like new CCR).
by eworm
Fri May 22, 2020 3:28 pm
Forum: RouterOS v7 BETA
Topic: How to read also the flags of a data record? (bug in beta5?) [SOLVED]
Replies: 5
Views: 1516

Re: How to read also the flags of a data record? (bug in beta5?) [SOLVED]

I do not, and here is why:
If you have complex code depending on relative paths it tends to break if you move fragments of code up or down.
by eworm
Fri May 22, 2020 2:57 pm
Forum: RouterOS v7 BETA
Topic: How to read also the flags of a data record? (bug in beta5?) [SOLVED]
Replies: 5
Views: 1516

Re: How to read also the flags of a data record? (bug in beta5?) [SOLVED]

IMHO it is very intuitive if you are used to it. Scripting is one of the reasons I do love RouterOS.
by eworm
Fri May 22, 2020 1:44 pm
Forum: General
Topic: Mikrotik Audience Poe IN [SOLVED]
Replies: 1
Views: 628

Re: Mikrotik Audience Poe IN [SOLVED]

No setting, it will just work.
by eworm
Fri May 22, 2020 10:44 am
Forum: RouterOS v7 BETA
Topic: How to read also the flags of a data record? (bug in beta5?) [SOLVED]
Replies: 5
Views: 1516

Re: How to read also the flags of a data record? (bug in beta5?) [SOLVED]

The command print is (mostly) for terminal output.

Does something like this work for you?
:foreach i in=[ /interface bridge host find ] do={ :put [ /interface bridge host get $i ]; }
BTW, why do you expect everything to be a bug?
by eworm
Mon May 18, 2020 12:01 am
Forum: Scripting
Topic: How to auto-start a script at interface link up / down ? [SOLVED]
Replies: 30
Views: 5077

Re: How to auto-start a script at interface link up / down ? [SOLVED]

You initialize the variable inside a block, thus it's not visible outside. But it's a global variable :-) Sure, it is. But even global variables are accessible only... ... when used directly from command line (without block!) or... ... when initialized properly. So whenever you want to access $gAr...
by eworm
Sun May 17, 2020 11:46 pm
Forum: General
Topic: Solution needed: router PoE + WIreless
Replies: 6
Views: 1329

Re: Solution needed: router PoE + WIreless

The RB750UPr2 does passive POE only, so your 802.3af devices will not receive power, even if the power supply matches your voltage requirements. I guess you have to go with one of these: https://mikrotik.com/product/crs112_8p_4s_in (requires additional power supply for 48V!) https://mikrotik.com/pro...
by eworm
Sun May 17, 2020 11:25 pm
Forum: Scripting
Topic: sms to telegram
Replies: 8
Views: 1462

Re: sms to telegram

I guess you have to do some urlencoding for your sms message...

If you want a working solution have a look at this:
RouterOS Scripts - Forward received SMS
This requires the installation of global scripts on top, see main README.
by eworm
Sun May 17, 2020 11:16 pm
Forum: Scripting
Topic: Tool Fetch Scripting - HotSpot Telegram QRCode
Replies: 1
Views: 629

Re: Tool Fetch Scripting - HotSpot Telegram QRCode

Not sure I got this right, but looks like you have a nested url inside url? Try to urlencode the characters there, specifically replace '&' with '%26'.
by eworm
Sun May 17, 2020 11:09 pm
Forum: Scripting
Topic: How to auto-start a script at interface link up / down ? [SOLVED]
Replies: 30
Views: 5077

Re: How to auto-start a script at interface link up / down ? [SOLVED]

You initialize the variable inside a block, thus it's not visible outside.
by eworm
Fri May 15, 2020 6:54 pm
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 3425

Re: OpenSSH future RSA host key deprecation

No progress, no reaction on ed25519 keys from Mikrotik.
by eworm
Fri May 15, 2020 11:38 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Good question... Wondering myself.
Time for a new release anyway, the last one is three weeks old already.
by eworm
Thu May 14, 2020 10:55 pm
Forum: General
Topic: promiscue mode - what does it let pass?
Replies: 2
Views: 701

Re: promiscue mode - what does it let pass?

Most of your packets go fast path, missing the IPSec tunnel. Make sure all your IPSec traffic does not go fast path.
by eworm
Thu May 14, 2020 9:48 pm
Forum: General
Topic: Cloud backup needs a static token through time for downloading
Replies: 1
Views: 694

Re: Cloud backup needs a static token through time for downloading

I solved this with a backup script that sends notification via e-mail and/or Telegram message including the secret download key. Just look up your mailbox and you are fine.

You need the basic installation and this script:
routeros-scripts - Upload backup to Mikrotik cloud
by eworm
Mon May 11, 2020 9:43 pm
Forum: General
Topic: CCR2004 w/ARM64 : Where to download packages ? [SOLVED]
Replies: 7
Views: 1858

Re: CCR2004 w/ARM64 : Where to download packages ? [SOLVED]

I guess the build process for arm64 works, but the release process has been enabled just before recent long term release.
Be patient and wait for the next testing and stable releases, I think they will include arm64 builds.
by eworm
Sat May 09, 2020 1:04 pm
Forum: General
Topic: 6.46 for arm64?
Replies: 1
Views: 655

Re: 6.46 for arm64?

I guess the release process had not been prepared. Expect version 6.46.7 to have arm64 build...
by eworm
Wed May 06, 2020 11:31 am
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 135
Views: 96529

Re: Add DNS over HTTPS (DoH) support

There is information when the DoH function will go from beta to release?
When version 6.47 is released to stable channel. There's no date for that, though.
by eworm
Mon May 04, 2020 7:02 pm
Forum: RouterOS v7 BETA
Topic: UDP OpenVPN tunnel same speed as TCP
Replies: 7
Views: 2549

Re: UDP OpenVPN tunnel same speed as TCP

I guess the device's CPU is the limiting factor here.
by eworm
Mon May 04, 2020 2:33 pm
Forum: General
Topic: How to replicate home WiFi while staying in a hotel (VPN, capsman)?
Replies: 9
Views: 1907

Re: How to replicate home WiFi while staying in a hotel (VPN, capsman)?

You can't do that. You have either local wireless configuration or device is connected to capsman. Both is not possible, at least not with a single band device.
You could use wAP ac (or similar dual band device), connect 2.4GHz to hotel wifi and use 5GHz for your SSID via capsman.
by eworm
Wed Apr 29, 2020 11:51 pm
Forum: General
Topic: WireGuard Released !
Replies: 41
Views: 24131

Re: WireGuard Released !

Internal builds with wireguard support are rumored to exist.
Search the v7 section for details.
by eworm
Wed Apr 29, 2020 2:40 pm
Forum: Announcements
Topic: MikroTik newsletter May 2020 (#95)
Replies: 50
Views: 27698

Re: MikroTik newsletter May 2020 (#95)

Do you have more information about that Annapurna AL32400? E.g. how many cores?
It has four cores. See here for details of CCR2004:
https://mikrotik.com/product/ccr2004_1g_12s_2xs
by eworm
Tue Apr 28, 2020 5:48 pm
Forum: Announcements
Topic: v6.46.6 [stable] is released!
Replies: 69
Views: 33622

Re: v6.46.6 [stable] is released!

Why you don't fix OSPF ? :?
Possibly because they could not reproduce. Did you open a support ticket?
by eworm
Mon Apr 27, 2020 7:33 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Sure, just configure it properly:
/ip dns set verify-doh-cert=yes
by eworm
Mon Apr 27, 2020 12:31 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

I'm currently testing DoH on my HAP Lite, which is working great. But I have few questions. I got some Dynamic NS Servers supplied by my ISP and thus they are automatically added to Mikrotik DNS server list (read-only). I also put some static NS records (e.g dns.cloudflare 1.1.1.1) as Static list. S...
by eworm
Sun Apr 26, 2020 10:06 am
Forum: General
Topic: RouterOS Scheduler unreliable by default?
Replies: 1
Views: 799

Re: RouterOS Scheduler unreliable by default?

The scheduler is perfectly reliable in my experience. Note that a script (and thus scheduler) is stopped on first error, though. Possibly your scripts terminate with error?
by eworm
Fri Apr 24, 2020 10:35 pm
Forum: General
Topic: Feature request: per-domain forwarding in DNS
Replies: 21
Views: 18747

Re: Feature request: per-domain forwarding in DNS

This is available now in RouterOS 6.47beta60!
by eworm
Fri Apr 24, 2020 10:32 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

That is a chicken and egg problem. Neither chicken nor egg is involved. Let's assume I add something like this: /ip dns static add forward-to=10.0.0.1 regexp="(.*\\.)\?example\\.com" type=FWD This will make all requests for example.com and its subdomains go to nameserver 10.0.0.1 . Works fine, but ...
by eworm
Fri Apr 24, 2020 4:42 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Version 6.47beta60 has reset my settings for mode button.
by eworm
Fri Apr 24, 2020 4:24 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Yes! Mikrotik, you made my day!

One thing, though: Looks like DNS forwarding does not work if DoH configuration is active. I think the forwarding should have priority over DoH.
by eworm
Fri Apr 24, 2020 9:18 am
Forum: General
Topic: CCR1009 High CPU Load
Replies: 10
Views: 2686

Re: CCR1009 High CPU Load

I think a CCR1009 should be capable of doing this... Are you really using packet marking? Why not mark connection?

Have a look at profiling to see what process uses the cpu most:
/tool profile
by eworm
Fri Apr 24, 2020 9:07 am
Forum: General
Topic: CapsMan - pass Comments to RegistrationTable
Replies: 5
Views: 2081

Re: CapsMan - pass Comments to RegistrationTable

Works for me... Checked on two CAPsMAN devices (CCR & RB3011) with 6.46.5.
by eworm
Thu Apr 23, 2020 8:59 am
Forum: General
Topic: FEATURE REQUEST: Dynamically created VPN+routes (each to each)
Replies: 1
Views: 857

Re: FEATURE REQUEST: Dynamically created VPN+routes (each to each)

Sounds like you want a routing protocol. Ever thought about ospf or similar?
by eworm
Wed Apr 22, 2020 1:21 pm
Forum: General
Topic: DNS over HTTPS
Replies: 147
Views: 30183

Re: DNS over HTTPS

Yes, that's true in general and for Cloudflare. But google does not allow to use https://8.8.8.8/dns-query directly. It sends a redirect in HTTP header to https://dns.google/dns-query. Well, checking again... It does send a redirect, but the dns response is contained as well... % curl -I 'https://8....
by eworm
Wed Apr 22, 2020 1:08 pm
Forum: Scripting
Topic: Function: IP to Decimal
Replies: 10
Views: 3196

Re: Function: IP to Decimal

For me it works. Do you have IPv6 disabled (or not installed at all)?
by eworm
Wed Apr 22, 2020 12:46 pm
Forum: General
Topic: Cloud: update time without ddns?
Replies: 2
Views: 950

Re: Cloud: update time without ddns?

Yes, I know that. I have configured NTP on all my devices. Still I have a script that requires the time to be "about right" at least (so cloud is fine) - and this script should work on as many devices as possible with whatever configuration. I would still appreciate to have detailed information on t...
by eworm
Wed Apr 22, 2020 12:07 pm
Forum: General
Topic: Cloud: update time without ddns?
Replies: 2
Views: 950

Cloud: update time without ddns?

Hello everybody, with Mikrotik's cloud service it's possible to disable dynamic dns update, but enable time update: /ip cloud set ddns-enabled=no update-time=yes Not sure if this is a valid configuration, so: Does the device update the time if dynamic dns is disabled? Can I check if time has been up...
by eworm
Wed Apr 22, 2020 11:57 am
Forum: General
Topic: DNS over HTTPS
Replies: 147
Views: 30183

Re: DNS over HTTPS

The file you linked includes the certificates required for google services, no?
So my commands were intended on top of yours.

I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?
by eworm
Wed Apr 22, 2020 11:32 am
Forum: General
Topic: DNS over HTTPS
Replies: 147
Views: 30183

Re: DNS over HTTPS

Uh, google does a redirect there... So use this:
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
by eworm
Wed Apr 22, 2020 11:26 am
Forum: General
Topic: DNS over HTTPS
Replies: 147
Views: 30183

Re: DNS over HTTPS

Do the same, but with different url: https://8.8.8.8/dns-query
by eworm
Wed Apr 22, 2020 12:23 am
Forum: Scripting
Topic: Function: IP to Decimal
Replies: 10
Views: 3196

Re: Function: IP to Decimal

Anyone know how to do arithmetic with ipv6?

e.g. :put (fe80::0 + 8) = fe80::8

Rich
Does it help in your use case if you use bitwise operator?
[admin@MikroTik] > :put (fe80::0 | ::8) 
fe80::8
by eworm
Tue Apr 21, 2020 2:11 pm
Forum: RouterOS v7 BETA
Topic: beta5: Enabling www-ssl gives error [SOLVED]
Replies: 4
Views: 2599

Re: beta5: Enabling www-ssl gives error [SOLVED]

You should get an idea about the ssh protocol in general and host keys specifically.
https://www.ssh.com/ssh/host-key

In "/ip ssh" you can export, import and regenerate host keys.
by eworm
Tue Apr 21, 2020 8:39 am
Forum: General
Topic: MacTelnet-Client
Replies: 8
Views: 1831

Re: MacTelnet-Client

So why don't you use ssh to access routers? mactelnet has one single function which ssh doesn't: connectivity over MAC, which comes handy when IP setup gets south. But hopefully that's not very often and I (being a linux/console nerd myself) resort to using winbox in such case (runs under linux / w...
by eworm
Tue Apr 21, 2020 8:29 am
Forum: RouterOS v7 BETA
Topic: beta5: Enabling www-ssl gives error [SOLVED]
Replies: 4
Views: 2599

Re: beta5: Enabling www-ssl gives error [SOLVED]

A "refused to connect" is unrelated to the certificate. Make sure the service is enabled and the firewall does not block it. I think "Webfig" is short for "Webconfig", no? The https certificate is used to authenticate the host, a valid certificate is verified by trust chain to root CAs in your brows...
by eworm
Sun Apr 19, 2020 11:35 pm
Forum: General
Topic: MacTelnet-Client
Replies: 8
Views: 1831

Re: MacTelnet-Client

It is maintained, but not all details about authentication are available. Read this for details:
https://github.com/haakonnessjoen/MAC-Telnet/issues/42
by eworm
Sun Apr 19, 2020 4:57 pm
Forum: General
Topic: Edit console logo in MIKROTIK
Replies: 2
Views: 1112

Re: Edit console logo in MIKROTIK

No, but you can add an additional system note.
https://wiki.mikrotik.com/wiki/Manual:System/Note
by eworm
Tue Apr 14, 2020 9:30 am
Forum: General
Topic: backup via /export skips some config lines
Replies: 2
Views: 1046

Re: backup via /export skips some config lines

Configuration in /certificate and /user is (partly) skipped.
by eworm
Mon Apr 13, 2020 9:09 pm
Forum: General
Topic: Hotspot HTTPS Certificate Error [SOLVED]
Replies: 3
Views: 2161

Re: Hotspot HTTPS Certificate Error [SOLVED]

My first guess was the trust chain is not complete, but looks like you made sure this is ok. Perhaps Android wants to access the CRL url? Try adding that to your hotspot (replacing with correct hotspot server name): /ip hotspot walled-garden ip add action=accept disabled=no dst-address=ocsp.int-x3....
by eworm
Tue Apr 07, 2020 5:54 pm
Forum: RouterBOARD hardware
Topic: R11e-LTE v016 bug
Replies: 3
Views: 2270

Re: R11e-LTE v016 bug

Looks like v016 has been withdrawn... No idea if this was the reason.

Mikrotik, any info on that?
Wondering if my devices (successfully) running v016 are at risk in whatever way.
by eworm
Sat Apr 04, 2020 12:49 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

I got confused a bit please elaborate to me.. If I set the RouterOS to act as DoH client to a server (Google/Cloudflare), how do they know the first time to address of google/cloudflare without first querying via regular DNS server? Two ways to solve this: configure a regular DNS server use an url ...
by eworm
Fri Apr 03, 2020 2:02 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

*) certificate - added "skid" and "akid" values for detailed print;
This looks like SHA1 key ids. Can you give more details?

skid = signing key id?
by eworm
Fri Apr 03, 2020 9:56 am
Forum: General
Topic: Load external image on captive portal
Replies: 14
Views: 3082

Re: Load external image on captive portal

Let me clarify some things. There is a project WIFI4EU that demands a specific image to be dynamically displayed on the captive portal the snippet code is the following: <img id="wifi4eulogo" class="identity-image" src="https://collection.wifi4eu.ec.europa.eu/media/logo/Wifi4EU-EL.svg"> Unfortunate...
by eworm
Wed Mar 25, 2020 8:36 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 2007

Re: {ASK} apsman with local-forwarding=no

Then it's indeed unexpected behavior. Probably nobody here can help any further, contact support if this bothers you.
by eworm
Wed Mar 25, 2020 8:30 am
Forum: Scripting
Topic: Are special parameters parsed when script ran by DHCP server?
Replies: 3
Views: 1507

Re: Are special parameters parsed when script ran by DHCP server?

Well, ok... Did not try to guess the correct name. Just "remote-id" is not available.

You can get that info from $"lease-options". With ($"lease-options"->"82") you get both infos from option 82, surrounded by some binary bits. Looks like you have to parse that yourself.
by eworm
Wed Mar 25, 2020 7:46 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 2007

Re: {ASK} apsman with local-forwarding=no

of course i'm pinging wireless client. from my laptop
And your laptop is connected to the same CAP wirelessly?
by eworm
Wed Mar 25, 2020 1:20 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 2007

Re: {ASK} apsman with local-forwarding=no

AFAIK this setting only handles wireless client to wireless client.
Your echo request comes from the wired side of CAP?
by eworm
Wed Mar 25, 2020 1:06 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 2007

Re: {ASK} apsman with local-forwarding=no

Have a look at Local Forwarding Mode and Manager Forwarding Mode.

Probably you want to control client-to-client forwarding on capsman?
by eworm
Wed Mar 25, 2020 12:57 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 2007

Re: {ASK} apsman with local-forwarding=no

This setting controls whether or not to tunnel traffic to the capsman device.
Any reason why a ping to a client should not succeed?
by eworm
Wed Mar 25, 2020 12:53 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

IMHO the DoH logs have too high severity. I've configured my devices to forward error logs via e-mail. Now I get... ... on boot, probably because I have ipsec peers with dns name in address: dns,error: DoH connection error: Network is unreachable ... and every now and then: dns,error: DoH connection...
by eworm
Wed Mar 25, 2020 12:34 am
Forum: General
Topic: Delete DNS Dynamic Servers.
Replies: 2
Views: 1019

Re: Delete DNS Dynamic Servers.

I think Mikrotik does not even support dns peers pushed via openvpn, no?
Are you sure this is not just your dhcp client adding the dynamic servers?
by eworm
Wed Mar 25, 2020 12:16 am
Forum: Scripting
Topic: Are special parameters parsed when script ran by DHCP server?
Replies: 3
Views: 1507

Re: Are special parameters parsed when script ran by DHCP server?

At the moment I have a 30 line script to ensure only 1 DHCP lease can be active per Remote-ID at a time, the newest lease clears all other entries that have the same Remote-ID (potential issue if a client plugged a switch into their WAN connection instead of a router) but there's currently a bug in...
by eworm
Mon Mar 23, 2020 3:24 pm
Forum: General
Topic: Feature Request: Ed25519 SSH keys
Replies: 9
Views: 4010

Re: Feature Request: Ed25519 SSH keys

Nothing wrong, ed25519 is not supported.
by eworm
Fri Mar 20, 2020 10:42 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

When you import the cert into RouterOS you should have 3 entries.
DigiCert Global Root CA
DigiCert ECC Secure Server CA
cloudflare-dns.com
Last one is server certificate and not required in certificate store.
by eworm
Fri Mar 20, 2020 9:59 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

My test device was set up to use crl, but to not download crl:
/ certificate settings set crl-download=no crl-use=yes
That results in flooding the log:
dns,error DoH connection error: SSL: handshake failed: unable to get certificate CRL (6)
by eworm
Fri Mar 20, 2020 4:10 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the ip address into the certificate. yeah it's worked without Verify DoH Certificate :) and where can we get cloudflare certificate file to importing in router ? If you trust my repository get it here: https://git.eworm.de/cg...
by eworm
Fri Mar 20, 2020 3:59 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

As others are saying. The router does not know what dns.nextdns.io is. Add at least a single regular DNS server which will be used for DoH servers name resolving. Adding a static DNS entry should also suffice. Are DoH servers prioritized? When does it fall back to regular dns servers? Oh, and is it...
by eworm
Fri Mar 20, 2020 3:56 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the ip address into the certificate.
Same for quad-nine:

https://9.9.9.9/dns-query (secured)
https://9.9.9.10/dns-query (unsecured)
by eworm
Fri Mar 20, 2020 3:54 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the ip address into the certificate.
by eworm
Fri Mar 20, 2020 3:50 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Enable DNS logs, it should provide all necessary information for troubleshooting. I tested the DoH implementation with various publicly available servers and could not find any issues. If there are any, please let us know. /system logging add topics=dns tested with public DoH server but nothing doh...
by eworm
Fri Mar 20, 2020 2:55 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Try setting https://10.5.51.5 as the server.
thanks for reply now it's verified but could not resolve any dns name
How can it verify only by a IP address?
Certificates can have subject alternative name with ip address.
by eworm
Tue Mar 17, 2020 10:12 am
Forum: General
Topic: Mikrotik for cloud DDNS
Replies: 2
Views: 962

Re: Mikrotik for cloud DDNS

I use this for years now, but on a Mikrotik router device. Not 100% sure for AP's, do not have one to test with.
This is true for every device running RouterOS, except CHR without license.
by eworm
Mon Mar 16, 2020 9:56 pm
Forum: Announcements
Topic: MikroTik newsletter March 2020 (#94)
Replies: 40
Views: 32674

Re: MikroTik newsletter March 2020 (#94)

HAP AC2 with 802.3af poe-input support (as cap ac does) And at least one pass-through poe-out port please. cAP ac? Almost the same hardware (well, without USB and with only 2 Ethernet ports), but with 802.3af/at and PoE pass-through. And has already been available for a while... We could define the...
by eworm
Sun Mar 15, 2020 4:40 pm
Forum: General
Topic: 💡 Feature Request: Telegram log rule natively on RouterOS
Replies: 1
Views: 858

Re: Telegram log rule natively on RouterOS

No, it is not possible.
You need to use scripts for Telegram functionality.
by eworm
Sat Mar 14, 2020 1:21 pm
Forum: Announcements
Topic: MikroTik newsletter March 2020 (#94)
Replies: 40
Views: 32674

Re: MikroTik newsletter March 2020 (#94)

  • HAP AC2 with 802.3af poe-input support (as cap ac does)
And at least one pass-through poe-out port please.
by eworm
Thu Mar 12, 2020 11:48 am
Forum: Scripting
Topic: Built in function library
Replies: 87
Views: 32875

Re: Built in function library

hi, possibility to create variables named from object on the router like : :varname [:caps-man remote-cap get $i serial] so i have a variable named BF090FS8938 (serial number of the router) /env print BF090FS8938={foo="bar"; foo; bar} You could put this into an array... [admin@mt] > :global Remote...
by eworm
Mon Mar 09, 2020 1:07 pm
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 50147

Re: v6.46.4 [stable] is released!

Works just fine for me... ... 12:03:25 ssh,debug agreed on: diffie-hellman-group-exchange-sha256 rsa-sha2-256 aes128-ctr aes128-ctr hmac-sha2-256 hmac-sha2-256 none none ... 12:03:26 ssh,debug pki algorithm: ssh-rsa 12:03:26 ssh,info publickey accepted for user: admin 12:03:26 system,info,account us...
by eworm
Fri Mar 06, 2020 11:14 am
Forum: General
Topic: feature request ADVANCED DNS Server
Replies: 42
Views: 11830

Re: feature request ADVANCED DNS Server

I think it should have the following functionality in addition to what it can do now: - for static records, add the capability to install a CNAME, MX, TXT, NS or SRV record (in addition to the A and AAAA that it can do now). - allow to forward queries for a statically inserted domain to a specified...
by eworm
Mon Mar 02, 2020 11:11 am
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 3425

Re: OpenSSH future RSA host key deprecation

Version 6.46.4 also fixes the issue with public key authentication. All fine now, thanks a lot!
by eworm
Mon Mar 02, 2020 10:20 am
Forum: General
Topic: IPsec Nordvpn no more connection
Replies: 5
Views: 2105

Re: IPsec Nordvpn no more connection

You should post the relevant part of your configuration. Something like this could help:
/ip ipsec export hide-sensitive
The NordVPN CA certificate is installed? System time is set correctly?
by eworm
Sun Mar 01, 2020 11:15 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Same here, can't use Royal TSX Secure Gateway with ssh keys anymore: This is fixed with 6.46.4 stable, so I guess it will be ok with next beta. I am on 6.46.4 stable. I came from 6.46.1. now i have the issue. I am confused. With openssh and RouterOS 6.46.4 everything works fine, even if I disabl...
by eworm
Sun Mar 01, 2020 8:43 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Same here, can't use Royal TSX Secure Gateway with ssh keys anymore:
This is fixed with 6.46.4 stable, so I guess it will be ok with next beta.
by eworm
Tue Feb 25, 2020 9:56 am
Forum: General
Topic: Question about DHCP log (New feature request)
Replies: 6
Views: 3589

Re: Question about DHCP log (New feature request)

Whatever you send to log in lease script is sent to offsite syslog as well (if configured in "/ system logging").
So why do you think this is required to be a native feature? IMHO this is an example where everything is fine due to extensibility by script.
by eworm
Fri Feb 21, 2020 5:31 pm
Forum: Scripting
Topic: Bootup Script Find and Set - Not Working
Replies: 2
Views: 1809

Re: Bootup Script Find and Set - Not Working

You have to use square brackets ([ and ]), not parentheses (( and )).
And the "put" is wrong, it's supposed to output to terminal. Just remove that (and the parentheses).
by eworm
Fri Feb 21, 2020 10:07 am
Forum: General
Topic: IKEv2 with mode-config address on wrong interface [SOLVED]
Replies: 6
Views: 2595

Re: IKEv2 with mode-config address on wrong interface [SOLVED]

You have the same address inside and outside the GRE tunnel?
Looks like your havoc originates there.

Anyway, this issue is resolved, please open a new topic with details on your topic.
by eworm
Tue Feb 18, 2020 8:52 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

Damn, I should have checked the forum before installing 6.47beta35. I can no longer login via ssh (key/password). :-( I cannot test winbox because it is disabled. But I assume it would fail too. The device is HAP AC2. What SSH client do you use? Try to disable host key algorithm rsa-sha2-256 for no...
by eworm
Tue Feb 18, 2020 11:04 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

*) dns - added support for exclusive dynamic DNS server usage from IPsec;
This is configurable now? Where to find this setting?
Found it!
/ ip ipsec mode-config set use-responder-dns=no [ find ... ]
This setting takes exclusively, no and yes.

Thanks a lot!
by eworm
Tue Feb 18, 2020 10:58 am
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 3425

Re: OpenSSH future RSA host key deprecation

Version 6.47beta35 adds support for rsa-sha2-256. Public key authentication does not work, though.
Thanks anyway!
by eworm
Tue Feb 18, 2020 10:56 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

*) dns - added support for exclusive dynamic DNS server usage from IPsec;
This is configurable now? Where to find this setting?
by eworm
Tue Feb 18, 2020 10:52 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

*) ssh - added support for RSA keys with SHA256 hash (RFC8332); Ha, that was fast. Thanks! Will give it a try now. Looks like this breaks public key authentication. If I remove ssh-rsa from host key algorithms I am prompted for a password. Password login succeeds (if always-allow-password-login is ...
by eworm
Tue Feb 18, 2020 10:41 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

*) ssh - added support for RSA keys with SHA256 hash (RFC8332);
Ha, that was fast. Thanks!
Will give it a try now.
by eworm
Tue Feb 18, 2020 9:59 am
Forum: General
Topic: Can't Upgrade Firmware
Replies: 8
Views: 2387

Re: Can't Upgrade Firmware

I guess that's because you have two wireless packages installed. Remove one and try again.
by eworm
Mon Feb 17, 2020 9:22 pm
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 3425

Re: OpenSSH future RSA host key deprecation

Just had a closer look. Would be nice to have ssh-ed25519, but it's not a requirement. Support for rsa-sha2-512 and/or rsa-sha2-256 (defined in RFC8332) would be sufficient. Just ssh-rsa (which uses SHA1) is deprecated here. Sadly RouterOS supports the latter one only.
by eworm
Sun Feb 16, 2020 12:56 pm
Forum: General
Topic: Can't Upgrade Firmware
Replies: 8
Views: 2387

Re: Can't Upgrade Firmware

Looks like you need to update RouterOS first.
Note that the firmware is no more than the boot code.
by eworm
Fri Feb 14, 2020 2:18 pm
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 3425

OpenSSH future RSA host key deprecation

Hello everybody, version 8.2 of well known OpenSSH has been released: [openssh-unix-announce] Announce: OpenSSH 8.2 released The announcement comes with a deprecation notice for RSA host keys as used with RouterOS: Future deprecation notice ========================= It is now possible[1] to perform c...
by eworm
Thu Feb 13, 2020 4:42 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 125681

Re: v6.47beta [testing] is released!

*) dns - use only servers received from IKEv2 server when present; IMHO that's a bad change. I have an open wifi network for guests, client traffic is routed via IKEv2 provider. I do not necessarily trust this provider - I just want to hide my public IP address for unknown clients. Traffic from kno...
by eworm
Thu Feb 13, 2020 9:45 am
Forum: Scripting
Topic: Diabling a DHCP server
Replies: 6
Views: 2373

Re: Diabling a DHCP server

Do not follow that advice! You should never use numerical index in scripts.
Try something like:
/ip dhcp-server disable [ find where comment=.... ]
Change the find to your needs.
by eworm
Thu Feb 13, 2020 9:24 am
Forum: Scripting
Topic: Auto backup
Replies: 2
Views: 2190

Re: Auto backup

Possibly an issue with SSH host keys. Try regenerating them.
by eworm
Fri Feb 07, 2020 10:09 am
Forum: General
Topic: mikrotik-nordvpn
Replies: 6
Views: 1534

Re: mikrotik-nordvpn

There is very little information in your question... Please be more verbose.
Anyway... Installed the root CA certificate?
https://wiki.mikrotik.com/wiki/IKEv2_EA ... he_root_CA
by eworm
Wed Feb 05, 2020 11:14 am
Forum: General
Topic: Conditionls DNS Forwarding
Replies: 2
Views: 616

Re: Conditionls DNS Forwarding

Sadly no, it's not possible.
by eworm
Wed Feb 05, 2020 11:05 am
Forum: General
Topic: Problem with wifi
Replies: 3
Views: 791

Re: Problem with wifi

This gives an overview of wireless logs:
https://wiki.mikrotik.com/wiki/Manual:W ... Debug_Logs

There is no "disconnected, disabling", though. Possibly the same like "disconnected, device disabled"?
Is there anything that disables or changes configuration for wireless interface?
by eworm
Tue Feb 04, 2020 12:28 am
Forum: General
Topic: HDMI extender kills Wi-Fi [SOLVED]
Replies: 6
Views: 1717

Re: HDMI extender kills Wi-Fi [SOLVED]

We have good experience with HDMI fiber cables. These are available with length up to 100m.
by eworm
Mon Feb 03, 2020 3:22 pm
Forum: General
Topic: mikrotik wap-ac poe-in with d-link dgs1005p
Replies: 2
Views: 691

Re: mikrotik wap-ac poe-in with d-link dgs1005p

Both devices support 802.3af/at, so this should work.
Anything on switch side you can configure?
by eworm
Mon Feb 03, 2020 12:24 pm
Forum: Scripting
Topic: RBmAP2nD Detect internet up & down with red LED
Replies: 3
Views: 1767

Re: RBmAP2nD Detect internet up & down with red LED

You changed just one case, the scripts still have numeric ids.
by eworm
Mon Feb 03, 2020 11:39 am
Forum: Scripting
Topic: RBmAP2nD Detect internet up & down with red LED
Replies: 3
Views: 1767

Re: RBmAP2nD Detect internet up & down with red LED

You should not use numerical ids in scripts. Never ever! For this case (RB mAP2nD) replace "2" with [ find where leds=led3 ].

This works for every device with configurable leds... A lot of devices have these.
by eworm
Wed Jan 29, 2020 3:42 pm
Forum: Scripting
Topic: Is possible triggering script by telegram bot?
Replies: 3
Views: 2206

Re: Is possible triggering script by telegram bot?

You would have to query the api with fetch command, then parse the output.
I've thought about implementing that myself, but do not want to implement a reliable parser. :-p

MikroTik, want to implement a JSON parser? Would be handy for this and other use cases...
by eworm
Wed Jan 29, 2020 3:26 pm
Forum: General
Topic: wAP LTE and LHG LTE - Very bad LTE performance
Replies: 14
Views: 1972

Re: wAP LTE and LHG LTE - Very bad LTE performance

But keep in mind that you can not do the upgrade via LTE this way. A stable management connection is required.
by eworm
Wed Jan 29, 2020 11:16 am
Forum: General
Topic: wAP LTE and LHG LTE - Very bad LTE performance
Replies: 14
Views: 1972

Re: wAP LTE and LHG LTE - Very bad LTE performance

To check if an update is available: [admin@MikroTik] > /interface lte firmware-upgrade lte1 installed: MikroTik_CP_2.160.000_v011 latest: MikroTik_CP_2.160.000_v013 I would advise to use my script unattended-lte-firmware-upgrade . Just copy and paste into a terminal, then be patient and wait until t...
by eworm
Wed Jan 29, 2020 10:43 am
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 163
Views: 47222

Re: Feature Request - Wireguard Protocol

Linus just pulled the net-next branch from David Miller, thus Wireguard is now upstream:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
by eworm
Tue Jan 28, 2020 9:00 pm
Forum: General
Topic: uppercase and lowercase letters (hotspot) [SOLVED]
Replies: 6
Views: 1661

Re: uppercase and lowercase letters (hotspot) [SOLVED]

There is no way to ignore it, friend. It works in the same way as a registration you do on a Bank website: "If you do not meet the requirements where there is a red * I will not go to the next page" Hu? The html form is just a hint what the server may expect. If you want to try... Take Firefox, ope...
by eworm
Mon Jan 27, 2020 5:12 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34615

Re: v6.46.2 [stable] is released!

Auto upgrader will not try to install if at least one package is missing or not finished downloading. I think there are special conditions where this is (or was?) not true. As said earlier... My LTE router managed to update with missing wireless package at least twice. Sadly I can not give exact ve...
by eworm
Tue Jan 21, 2020 1:31 pm
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 163
Views: 47222

Re: Feature Request - Wireguard Protocol

The compat version (https://git.zx2c4.com/wireguard-linux-compat/) is the same as what goes into Linux 5.6, it's just the out-of-tree repository.
by eworm
Tue Jan 21, 2020 11:53 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34615

Re: v6.46.2 [stable] is released!

Ok I checked that by taking a test router which was updated to 6.46.2 and switching it to "testing" channel and then checking for new version. Then I clicked Download and nothing was visible, then I switched back to "stable" channel but I realized that there now was nothing I can do to avoid instal...
by eworm
Tue Jan 21, 2020 10:34 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34615

Re: v6.46.2 [stable] is released!

In the past I suffered a missing wireless package on wAP LTE after update due to bad LTE connection at least twice. Thus I created the script packages-update . It requires global functions, so follow the installation instructions first. Intermittently this script has some extra functionality, like d...
by eworm
Sun Jan 19, 2020 12:28 am
Forum: Scripting
Topic: Update after....two days
Replies: 5
Views: 2249

Re: Update after....two days

How about this? # check for updates, install after two days :if ([ / system scheduler print count-only where name="reboot-for-update" ] > 0) do={ :error "A reboot for update is already scheduled."; } / system package update check-for-updates without-paging; :local Update [ / system package update ge...
by eworm
Thu Jan 16, 2020 10:00 pm
Forum: General
Topic: Mikrotik SSH Client to another SSH Server with Private Key
Replies: 1
Views: 509

Re: Mikrotik SSH Client to another SSH Server with Private Key

RouterOS can not import PPK files. Export the file to OpenSSH format.
by eworm
Tue Jan 14, 2020 11:09 pm
Forum: General
Topic: MTU troubles using IKEv2 providers like NordVPN [work around]
Replies: 35
Views: 8233

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

You should remove the extra disabled=yes from your code.

I can confirm this workaround works. Any news from Mikrotik about fixing this?
by eworm
Mon Jan 13, 2020 6:31 pm
Forum: General
Topic: Feature Request: SOCKS5 proxy
Replies: 33
Views: 37829

Re: Feature Request: SOCKS5 proxy

This was just added in latest beta 6.47beta19:
!) socks - added support for SOCKS5 (RFC 1928);
by eworm
Sat Jan 11, 2020 11:49 pm
Forum: Scripting
Topic: Hotspot script to send data via ssh doesn't work
Replies: 5
Views: 1862

Re: Hotspot script to send data via ssh doesn't work

You do not have to get ip and mac address, these are available already.
/system ssh address=10.114.2.2 user=user ("/ip firewall filter add action=accept chain=forward src-address=" . $address . " src-mac-address=" . $"mac-address")
Untested, but should work...
by eworm
Fri Jan 10, 2020 11:51 am
Forum: Scripting
Topic: Fetch, JSON and authentication-types [SOLVED]
Replies: 3
Views: 3956

Re: Fetch, JSON and authentication-types [SOLVED]

If output " {"wifiauthtype":"wpa-psk;wpa2-psk"} " is ok... Try this: :local wifiauthtype [ :tostr [ /interface wireless security-profiles get [ find default=yes ] authentication-types ] ] /tool fetch http-method=post http-header-field="content-type:application/json" http-data="{\"wifiauthtype\":\"$w...
by eworm
Fri Jan 10, 2020 11:35 am
Forum: Scripting
Topic: Fetch, JSON and authentication-types [SOLVED]
Replies: 3
Views: 3956

Re: Fetch, JSON and authentication-types [SOLVED]

Your problem is that "authentication-types" returns an array. How is your JSON supposed to look?
by eworm
Fri Jan 10, 2020 11:31 am
Forum: Scripting
Topic: Check existed a script and remove it
Replies: 1
Views: 1451

Re: Check existed a script and remove it

I want create a create script and check existed other scripts and remove. Pls help me.
Not sure if this is what you need... How about:
/ system script remove [ find where name!="not-this-one" ]
by eworm
Thu Jan 09, 2020 11:32 am
Forum: General
Topic: hAP lite power supply
Replies: 1
Views: 525

Re: hAP lite power supply

Everything with 5V and 0.5A or more is fine.