MikroTik

eworm

No, it should show PSU output, so about 24V for first PSU, about 48V for second PSU.

eworm

You can not generate ssh key pair on RouterOS device. Please give some more specific information, for example output of "/user ssh-keys private print" and logs.

eworm

When I press the mode-button I only see the following in the logs :
wlan1:WPS physical button pushed

The mAP lite does not have a mode button.

eworm

Different versions of CCR1009 exist. Which one do you have?

eworm

I just checked my rb1100 and shows exactly voltage of psu1 and psu2... Ok, then there are devices that have the info. Never touched a RB1100, though. Can you show the complete output of health for RB1100? Possibly I could make my script use the info. Too bad CCRs do not support this... I don't boug...

eworm

Just found this post which verifies the source with higher voltage is used.

eworm

Ofcorse you can see voltages for psus...

I put this into parenthesis as I am not sure for all devices. But even my CCR does have state only:

psu1-state: ok
psu2-state: ok

eworm

I dont see anything special in your script... If a device has more than 1 psu, then in system health you will see the voltage of psu1 and psu2... That part of the script does not apply for RB3011, it does not have any psu properties. (And I think you will never see voltage for psus, just state "ok"...

eworm

No, you see just one voltage value in "/system health". That's the higher value, as the source with higher value is used. However you can monitor voltage jumping up or down for possible failure of active source. I have a script that does this (and more): check-health You need to install my basic Rou...

eworm

The correct line is:
Code: Select all
:local localIP [:pick [/interface pppoe-client monitor PPPoE-Digi once as-value] 6;];
works again.

This makes it even more future-proof:

:local localIP ([/interface pppoe-client monitor PPPoE-Digi once as-value]->"local-address");

eworm

Wondering myself... This topic became really quiet lately.

eworm

All you need is a SSH server with SFTP implementation. I guess OpenSSH is used the most, but there are others. What's expensive about it?

eworm

You can use SFTP (transport over SSH) to securely upload your files.

eworm

DSA keys are supported as well, but I guess you do not want to use these, no?
The forum has some threads asking for ED25519 keys, but Mikrotik did not give any reaction.

eworm

Everyone is testing RouterOS v7.0beta1 (ARM)!!!

Nah, this is a perfect and issue-free release!

But to be honest... I think we should get v7 into official testing channel as soon as possible. Will that happen after 6.46 final release?

eworm

Same here with connections to NordVPN. My lifetime is set to 30 minutes, but error message pops up every 24 hours only.

eworm

Yes, you need to import an SSH key pair: Manual:System/SSH client - Log-in using certificate

eworm

The device from last log successfully authorized, so looks like different issue.

eworm

Some paths are given with "/", some with white space. Is both allowed now?

eworm

Sorry for hijacking this thread, but I would like to introduce an alternative. I had some extra requirements: should integrate with my RouterOS scripts , to re-use some basic functionality like notifications (inkl. Telegram) should support every RouterOS device with health values support notificatio...

eworm

If you use it a a global function I assume its gone after reboot. So you need some script to restore it. Of course. But it's part of my routeros scripts , so available on every device that has these scripts installed. :D Alternatively you can make it a local function (replace ":global" with ":local...

eworm

Jotne, that's not true and modification is not needed.

:put [ $GetRandom 100 ]
55

Just give the max value.

eworm

Sector writes change too seldom.

How about this one?
https://git.eworm.de/cgit/routeros-scri ... tions#n278

Remember that is still a very weak algorithm!

eworm

Please follow this issue for details: Compatibility with RouterOS 6.43

eworm

Yes, please!

eworm

As posted in third post in this thread... RouterOS is picky about authentication methods.
Can you configure SSH server to disable all but password authentication? Follow the link above for details.

eworm

Ps if anyone knows or can figure out how to get rid of the leading semi colon from the $arrAdjRandNumValues variable you would be a godsend!! Someone proposed to replace {} with "" for array declaration. Both is wrong... you should use [ :toarray "" ] for empty array declaration. (see: How to defin...

eworm

Try this for verbose logging:

/system logging add topic=ssh,!packet

eworm

The file extension should be "rsc", no?

eworm

According to wiki the "lame" solution is the correct one.
https://wiki.mikrotik.com/wiki/Manual:S ... mpty_array

eworm

Hi to all, i am trying to read into the mikrotik the speed of the gps from km/h to knots... :local speedknots [$speed * 0.5399] any suggestion? How about this? { :local speed 10; :local speedknots (($speed * 5399 / 10000) . "." . (($speed * 5399 / 10) - ($speed * 5399 / 10000 * 1000))); :put $speed...

eworm

*) console - added bitwise operator support for "ip6" data type; Thanks a lot for this! Have been waiting a long time... :D *) wireless - include last frequency when manually setting frequency step in "scan-list"; Is this supposed to fix Ticket#2019080822004463? I guess no. (It does not.)

eworm

Yeah, I get that - but why have the option to specify a user in the SSH command, if it'll only use the keys from the executing user - it appears a pointless feature in that case.

It's the user connecting to on the remote system.

eworm

Anyone else experiencing such issue?

No, even my old RB751 (mpisbe 400MHz) can connect via SFTP. (I do not run my SSH server on Synology NAS, though.)

eworm

Note that keys are added for a specific account...

eworm

Nothing for ethernet though I presume?

Sadly no. That's on my wishlist as well.

eworm

I use the following in Linux systems:

That's the wrong way. He want to upload from RouterOS, not to.

eworm

Hi, Is there a way to upload files from RouterOS via SFTP? I have tried what I have found on the forum but nothing seems to work. /tool fetch should be able to do it it seems, but I can not get it to work. Any idea's? Thanks! Yes, it works. Show your commands and what happens... RouterOS SFTP clien...

eworm

We do it like this:

That does not help. This topic is about private ssh keys.

eworm

Try to generate your key in PEM format:

ssh-keygen -t rsa -m PEM ..

eworm

Security is made with cryptography, not obscurity. Open specifications do not add any harm. So I do not see a reason not to publish the required information.

Please Mikrotik, I would like to have a fully functional mac-telnet for linux, again, finally.

eworm

BTW, this is the issue report for mac-telnet:
Compatibility with RouterOS 6.43

eworm

The concept of master interfaces does no longer exist in recent RouterOS releases. If the interface belongs to a bridge you should use that.

eworm

@CrimzinZA You have 3 things to check 😁 ROS version, MT firmware and modem firmware. Upgrading modem firmware solved my 4G issues. Here is how to update modem firmware https://wiki.mikrotik.com/wiki/Manual:Interface/LTE#Modem_firmware_upgrade Or you use my script, just copy and paste to your termin...

eworm

A friend had a broken SIM card that caused similar issues. Any chance to test with another card?

eworm

The API returns json data, parsing that in RouterOS is not an easy task.
I am interested myself, but as the topic is really complex I did not yet give it a try.

eworm

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add name=NordVPN pfs-group=none

Atleast aes128

The default proposal is not relevant here as the proposal named "NordVPN" is used.

eworm

No, that's something completely different.

eworm

Finally found the cause for my issue with help of support. Looks like the sftp client in RouterOS fails if too many authentication methods are supported by the server. On my SSH server I added this block in /etc/ssh/sshd_config:

Match User mikrotik-upload
    AuthenticationMethods password

eworm

Any news on this topic? We have not heard anything in a long time.

eworm

No idea why the script creates user, group and whatever. Given you have http-ssl service enabled this should suffice:

/tool fetch https://127.0.0.1/ dst-path=path/to/create/xxx

Alternatively use whatever webserver. It creates a file as well, just remove that:

/file remove path/to/create/xxx

eworm

You can access "data", "downloaded", "duration", "status" and "total". Looks like your requested information is not available.

eworm

No effect, I'm gonna try configuring it on CRS328-24P-4S+, as it should have hardware IPsec support, and compare speed.

No, it does not. Where did you find that information?

eworm

/ tool fetch http-header-field="User-Agent: Mozilla/4.0" ...

eworm

:if ([ /tool e-mail get last-status ] = "succeeded") do={ ...

But I am not sure if you need a delay between sending and checking for status...

eworm

But there is not even an attempt to fix the VPN issues everyone is still having, there was never a clear way to fix that in the v6.45.1 thread, and MT needs to have those settings in the Quick Set "VPN Access" checkbox setup, because the default still has broken VPN. I reported issues with IPSec an...

eworm

*) ipsec - added "connection-mark" parameter for mode-config initiator; *) ipsec - improved stability for peer initialization (introduced in v6.45); Please, can you write something concrete about this? I look on the manual and there is nothing about it. I have problem with bad policies generated fr...

eworm

Sadly the mac-telnet client can not authenticate with new authentication mechanism.

Mikrotik does not give details what is required for encryption.
Compatibility with RouterOS 6.43

eworm

Thanks for the explanation emils!
So after all it's not possible to configure IKEv2 without PFS. That's good news.

eworm

Is there any ETA for...
Wrong question! At MikroTik, there never is an ETA!
"it is ready when it's ready".

This is just spam to advertise Bitcoin/Cryptocurrency Trading Exchange Platform. (See signature.)

eworm

emils, I do not agreen.
I've set pfs-group=none for my personal site-to-site IKEv2 connections on an initiator. These connections start to have rekeying issues now.

Or do I have to set pfs-group=none on the responder as well? Explicit and implicit pfs setting is not the same?

eworm

With " group from phase 1 " you refer to dh-group ? Got it... However this could cause a lot of confusion... Selecting " none " looks like disabling the feature. Does it make sense to have values "inherit" or "dh-group" here? Probably confuses even more... :lol: Still wondering why rekeying does not...

eworm

Just enabled ipsec logs to see what's going to. A lot of debug messages, including:

13:33:33 ipsec got error: NO_PROPOSAL_CHOSEN

Possibly it does not find its proposal when rekeying...

eworm

can confirm rekeying is broken in 6.45.1stable, the only solution to don't drop connection is to set PFS Group to: none, in IPsec proposal

Did anybody report the PFS rekeying issue to Mikrotik? Any news on this topic?

eworm

Is the IPv6 package installed and enabled? I guess no.

eworm

*) ipsec - added "connection-mark" parameter for mode-config initiator;
Great, thanks a lot for this! Much appreciated.

This works perfectly fine! Would like to see it in a stable release as soon as possible... But I guess I have to wait for 6.46 final?

eworm

A CRS will not. See the test results on product page for what the CCRs can do. Looks like none of them can handle 4Gbit/s in a single tunnel, possibly a bond of four tunnels may work.
https://mikrotik.com/product/CCR1016-12 ... estresults

eworm

@msatter, did my detailed post #17 explain what I had in mind when saying that your rule suggested in post #10 will drop the packets regardless whether they would be finally intercepted by an IPsec policy? I still have a feeling that the mutual misunderstanding may come from the fact that you use a...

eworm

Ah, got it! :D :lol: My false assumption was that I thought... Routing with type=blackhole is the same as routing to an interface with no addresses. Of course it is not. And even more important that I thought... Routing decision is done earlier in flow for unencrypted packet. It is not, or better: L...

eworm

@eworm, Oder did I misunderstood 1.? Either you did, or I've misunderstood your goal. My understanding of your goal is that you want to be sure that those pakets, which should be sent via the VPN, will under no circumstances get to the destination via any other path if the VPN connection fails. The...

eworm

The order of actions is use routing to find the outgoing interface execute the postrouting chain of the firewall (including srcnat) check a match to IPsec policy and send the packet via the policy's SA if it matches send the packet out the interface chosen in step 1 if it didn't match any IPsec pol...

eworm

Really nice this works! No idea why PIA does not support this officially. I am/was about to switch to NordVPN, possibly I should hold on... (Though this would be a delay only, I think.) Your profile and proposal settings are weak, though. I tested with these to work: /ip ipsec profile add dh-group=e...

eworm

I added this rule as a workaround... It catches the packets if the dynamic rule by mode-config is not present. /ip firewall nat add action=src-nat chain=srcnat connection-mark=via-vpn to-addresses=127.0.0.1 However it is kind of blackhole only, there's no way to make the client receive unreachable m...

eworm

Yes. But I can not decide by out interface as that does not differ with policies.

eworm

With l2tp this is quite easy as routing goes to different interfaces. With IPSec policies things work different.

eworm

Hello everybody, with my current VPN provider I use l2tp/IPSec, which works with an interface. I add routing marks, then add a route for these marks to my interface. A second route makes sure no traffic is routed when the interface is down: / ip route add distance=1 gateway=l2tp-pia routing-mark=via...

eworm

*) ipsec - added "connection-mark" parameter for mode-config initiator;

Great, thanks a lot for this! Much appreciated.

Is any of the other ipsec changes suppose to fix my issue from Ticket#2019070222004609?

eworm

Can I migrate my router from 6.44 Stable to Long term without worrying about configuration?

Yes, it's just a small bugfix release then.

eworm

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.

You have set strong-crypto=yes? I think it depends on that setting.

eworm

Looks like there is still a bug with dynamic policies and addresses. I am suffering a similar issue where I have duplicate policies, one with old dynamic address, one with new dynamic address. I am already in contact with Mikrotik support.

eworm

Let's cool down on the changelog topic. IMHO this is just another matter of communication. Just add a note to the changelog: A new stable release moved to long-term. For full changelog see changes up to version 6.44.3. At least this is a first step and clarifies what changes can be expected in chang...

eworm

/interface ovpn-server server
set certificate=ovpn-ca cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn-impact enabled=yes netmask=19

Looks like you set the ca certificate for the openvpn server. Use the server certificate instead.

eworm

That's a step forward, but not a solution. We need the matcher for the architecture.

eworm

I have serve issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config. Not sure about the details. Anybody else seen this? One after another the IPSec links came up without any configuration change. Finally today (after...

eworm

My IPSec issues persist. (Though there are no more crashes.) Sent a reply with support output file to Ticket#2019070222004609.

eworm

GRE tunnels won't start anymore between 6.45.1 versions. But 6.44.3 <--> 6.45.1 are working fine.

Is this just GRE or GRE over IPSec? Possibly an IPSec issue?

eworm

I have serve issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config. Not sure about the details. Anybody else seen this? Edit 1: Initiator devices log: ipsec,error MikroTik: bad state: 7 Edit 2: Looking in /ip ipsec ac...

eworm

Actually calculating with ip addresses is easy:
Manual:Scripting / Bitwise Operators

Do you need anything more?

(Sadly this does not work with ipv6 addresses.

Mikrotik, please implement!)

eworm

What does the network configuration look like?

eworm

Android does not support DHCPv6 unless you root the device and install third party software. Search Google for the details.

For me it works just fine with Linux, though you may have to make sure the firewall does not block the essential packets.

eworm

Now that we have a replace mechanism since version 6.45beta42 one culprit remains: If the cloud server is not accessible for any reason the commands in "/ system backup cloud" give fatal errors. You can not catch these as runtime errors from a script: :do { / system backup cloud ... } on-error={ ......

eworm

I don't think you need to do /system routerboard mode-button set on-event=/system script run your-script In my case it worked just giving the script name directly to the on-event= like so /system routerboard mode-button set on-event=your-script Yes, that's enough for things to work. The above was m...

eworm

You can use something like this:

/ system script add name=mail source=[ / file get mail.rsc contents ];

But keep in mind this is limited to a maximum length of 4kB.

eworm

Script shows up in red, is that correct? The content of this field is displayed with syntax highlighting. Things become colored if you use something like: /system routerboard mode-button set on-event="/system script run test-script;" enabled=yes As a fallback RouterOS tries to run a script with giv...

eworm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters. That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch... Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and ...

eworm

I had similar issues with GRE over IPSec, where connection became stuck after packets were send outside IPSec context. For me rejecting unencrypted GRE did the trick. Try something like this on all your routers:

/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=ipip

eworm

No rc versions this time?

eworm

That would be even more welcome.

However I thing Mikrotik has its reasons to do it one way, not the other. I am happy either way.

eworm

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.

Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?

eworm

Thanks a lot! Will have look at availability from local distributors then.

eworm

Hello everybody, There's new device MikroTik wAP ac LTE . Very interesting, it does provide a lot of features I am interested in. Did not find any information about hardware IPSec acceleration. It is powered by ARM CPU IPQ-4018, so it should support hardware acceleration. Does anybody have specific ...

eworm

Is Backup-cloud stil working? I use to since it comes up,but so fare i got some error. on log says: "Problem connecting with server" Every now and then cloud backup fails with server errors... Just try again later. Sadly using cloud backup in scripts is kind of problematic. Errors are not handled a...

eworm

You could use converters like these from Ubiquiti:
https://www.ui.com/accessories/instant-8023af-adapters/

eworm

I maintain a collection of scripts for managing and extending functionality: RouterOS Scripts This includes a function to download packages... So if the script are set up you can install additional packages like this: [admin@MikroTik] > $DownloadPackage wireless 1 status: finished downloaded: 2824Ki...

eworm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.

Let's hope this is not related to TLS protocol downgrade attacks...

eworm

Hello Emils,

Could You explain this?
!) user - removed insecure password storage;
Regards,

This is the final step for this changlog entry from 6.43:

*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);

eworm

Interface "bridge" is listed twice... That look suspicious. Fix that and try again.

eworm

IKEv2 from NordVPN should work with latest testing releases, where support for EAP authentication methods was added.

See this post for details: viewtopic.php?f=2&t=126221#p731754

I can not test as I do not have a NordVPN account.

eworm

The problem was solved with regenerating ssh host key. But how can i catch this error in auto backup script using do {} error {} ? I tried this but that error messege is not recognized as error. I think you can not. Do it manually if it happens. The backup file is fully functional except the host k...

eworm

To make sure it works in all location i would have used full command like this:

Usually I do. I started from your code, but did not notice the first line was appended to your written text.

eworm

How about this?

:foreach i in=[ print as-value ] do={
  :put (($i->"comment") . " " . ($i->"address") . " " . ($i->"host-name"));
}

eworm

Probably regenerating your ssh host keys helps:

/ ip ssh regenerate-host-key

eworm

Hello.

I think Router OS V6.44.X has introduced an issue with the GPS package.
Since I upgraded to 6.44.X (2 or 3) the latitude and longitude values of the GPS are 32 characters long rather than the normal length.

Already fixed in latest beta version, will be available in stable soon.

eworm

Generally you need a connection to your device while the upgrade is in progress, but the upgrade breaks connection.
But this may help: unattended-lte-firmware-upgrade
Just copy'n'paste the code into your device's terminal.

eworm

I maintain a collection of scripts for managing and extending functionality: RouterOS Scripts This includes a function to download packages... So if the script are set up you can install additional packages like this: [admin@MikroTik] > $DownloadPackage wireless 1 status: finished downloaded: 2824Ki...

eworm

What is "Throughput Booster"?

Edit: And even bigger mystery... Why did you open third topic on this?

eworm

The only poor implementation about e-mail is that there is no way to check the server certificate for TLS connections.

eworm

Probably same as unwanted symbols in variables, gps monitoring.
Just cut the trailing null bytes.

eworm

Just cut the garbage...

:set $lat [ :pick $latitude 0 [ :find $latitude "\00" ] ];
:set $lon [ :pick $longitude 0 [ :find $longitude "\00" ] ];

Put that into your do block.

eworm

All this looks a bit over-complicated. The correct way is this:

:set $MyArray ($MyArray, $Value);

eworm

Works for me... I use this script for update notification and auto-install: check-routeros-update

Anything in the logs about errors?

eworm

You have to get the info from LTE interface:

[admin@MikroTik] > :put ([ / interface lte info lte1 once as-value ]->"model");                        
"R11e-LTE"

eworm

I had hoped for this:

*) lte - fixed session reactivation on R11e-LTE in UMTS mode;

Will we see it in another stable update?

Other than that everything looks good, already updated ~ 30 devices of different type.

eworm

I do not care if it is one command or more. IMHO the problem is that you have to delete a valid backup. And you do not have a cloud backup until you successfully upload a new one. There should be a replace option, that uploads a new backup, then replaces the old one only if upload was successful. If...

eworm

Fixed the typo in original post. Thanks!

eworm

Are there any other unique criteria to find your nameless script? If there are non you shout consider putting it into "/ system script". After all... what's the purpose of this ping? BTW, ping knows an option "count=" to limit its runtime. Or you do it in a loop: :while ([ / interface get $interface...

eworm

Well, an odd behavior in RouterOS... Mikrotik support says "that's how scripting works in RouterOS". You can not use same variable name and option name. I switched to use variable names in CamelCase. Just replace $"mac-address" with $MacAddress . Read my detailed analysis and solution here: global: ...

eworm

Or without loop:

/ tool sms inbox remove [ find where message="" ];

eworm

I use the following script to control PPP connections (on-up in ppp profile ): ping interface=[ / interface get $interface name ] address=($"remote-address") interval=00:00:05 After a PPP interface break, it remains running. Can you please tell me how to kill him? Try this, replace "ppp-script" wit...

eworm

Please clarify what is "proper IKEv2/IPSEC"?

Probably asking for EAP authentication as initiator, which is not possible for IKEv2 atm.

eworm

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.

I hope for 6.44.3.

eworm

*) lte - fixed session reactivation on R11e-LTE in UMTS mode;

I think this hit me a lot in the past... Hope this will make its way into next stable release.

eworm

Hello! After upgrading firmware to 6.44.x, the shh and telnet connections, passing through the router, began to break. It is the problem mentioned in posting #5 above. It is known "to us" but not to MikroTik, it appears (never any reaction to those complaints from several people). You can fix it fo...

eworm

I gave it a try, but did not succeed. The server is running openssh 7.9p1, the account is locked to sftp only with openssh's internal sftp implementation. [admin@Mikrotik] > /system ssh user=mikrotik-upload sftp-host Password: This service allows sftp connections only. Welcome back! [admin@Mikrotik]...

eworm

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?

Before we start discussing any advanced features... How does this work at all? Looks like mode=sftp is not a valid syntax for fetch.

eworm

Starting with version 6.45beta22 the changelog lists:

*) fetch - added SFTP support;

Not sure how it works, though. Looks like mode=sftp is not (yet?) valid.

eworm

My Firewall has:

/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=gre

That serves me well.

eworm

*) fetch - added SFTP support;

Yes, can't wait to use this! Is there a way to use it with public key authentication?

eworm

Tryed to downgrade from 6.44 stable to this release, but after reboot still show me 6.44 stable.. Seems like its not posible to downgrade to this longterm version. What's in the log? What is the factory firmware version? Factory is 6.42.3. Current is 6.44 Stable. This is message from log.. https://...

eworm

You can use your Mikrotik devices as Jumphost. Just search for this keyword for details.

Example for openssh command line client:

ssh -J Mikrotik-A Mikrotik-B

You can use a chain with more than one jumphost.

eworm

I have a 450G and a 750Gr3 that have had this error since upgrading: "backup,critical error creating backup file: could not read all configuration files" It happens with both encrypted and unencrypted backups; both were upgraded from 6.42.12. My 951G that was upgraded from 6.43.12 does not have thi...

eworm

RouterOS can not store just keys, it stores certificates and adds the key when available. This is what happens if you import client.pem: Private key -> no matching certificate -> ignored Certificate -> imported Certificate -> imported Then on second import: Private key -> matching certificate found ...

eworm

Use my script sms-forwarding. You need to set up some more scripts, read the instructions.

eworm

'find' is not supposed to print anything, it returns information other commands can use, something like:

/ ip address remove [ find where interface="etherX" ]

... will remove all ip addresses from interface "etherX".

eworm

I know that I can generate a CA and the rest on the Mikrotik. But, signing takes 3-5 minutes, which is horrible. If I create the same certificate + key with OpenSSL and import it, Mikrotik is not able to see the private key. I have only AT flags, no 'K'? Why is that happening? This works without is...

eworm

Hi, Annotation 2019-03-08 193039.jpg I try to run above scrip to more my cloud backup but it doesn't work at all while I can run the same script in CLI is work perfectly. What I am wrong here? You numeric index is invalid without print. Use this if you want to get rid of cloud backup in any situati...

eworm

Interface for new PWR line adapter comming next months. hAP mini & hAP lite has it. Basicly power the device and transfer data via microusb port. Also the mAP Lite 2nd (at least mine, revision r2. I'm not sure about older ones) This requires the new hardware, old mAP lite can not get this from soft...

eworm

*) gps - increase precision for dd format; Hi, could it be that the calculation from dms-format to dd-format is incorrect ? For example: in winbox/system/GPS-GUI I switch between dms and dd format. In dms I get 49 29' 6.954' when I switch to dd I get 49.004852 in my calculation it should be 49.4852...

eworm

Hi, Didn't understand this topic (how it works): *) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only); Tried to update WAP-LTE with CLI - it shows that exist new firmware - enter "upgrade" / interface lte firmware-upgrade lte1 installed: MikroTik_CP_2.160.000_v008 ...

eworm

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error). [admin@xxxx] > /system backup save Saving system configuration Configuration backup saved 08:54:42 echo: backup,critical error creating backup...

eworm

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error). [admin@xxxx] > /system backup save Saving system configuration Configuration backup saved 08:54:42 echo: backup,critical error creating backup...

eworm

Inside foreach you must check the script name to prevent killing himself: :if ([/system script job get $id value-name=script] != "myscriptname") do={ <killing instructions> }; Even easier: :foreach id in=[ / system script job find where script!="myscript" ] do={ / system script job remove $id; } Or...

eworm

I've never cleared my connection table... What are your "specific situations"?

eworm

On ltap, the gps gives back wrong coordinates for me. After a downgrade to stable, i see the right coordinates. How do you know which one is right? Give an example please Probably he knows the coordinates the device is located. Something about wrong coordinates has been reported for 6.44beta75: htt...

eworm

Upgrading from stable to testing I have allow-none-crypto enabled : /ip ssh set allow-none-crypto=yes strong-crypto=yes I think this should default to disabled . If you want to keep the former behavior please consider setting it to disabled if strong-crypto has been enabled before. I am certain some...

eworm

With this upgrade I lost the wireless package on wAP LTE, again. The files were downloaded via weak LTE connection.
Reported this before for the update to 6.44beta50: viewtopic.php?f=21&t=139057&start=250#p703960

eworm

The script in the PPP profile is not executed!
Code: Select all
ping interface=$interface address=8.8.8.8 interval=00:00:05

That's not version specific. Anyway... Use:

ping interface=[ / interface get $interface name ] address=8.8.8.8 interval=00:00:05

eworm

At FOSDEM 2019 Daniel Stenberg (the maintainer of curl) had a talk about DNS over HTTPS - the good, the bad and the ugly. Very interesting topic and he scheds some light on DoT, DNScrypt, DNSsec & Co as well.

IMHO DoH is the way to go.

eworm

Anyone noticed interface connectivity issue after upgrade? [...]

I saw this on a device that had internet detection enabled. Try this:

/ interface detect-internet set detect-interface-list=none;

eworm

*) wireless - improved antenna gain setting for devices with built in antennas;

How is this handled with capsman?

eworm

Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script? (that receives parameters like the remote-id, remote-IP etc) This script could then add/delete phase2 settings e.g. a GRE tunnel. Yes, please! Hooking a script would be much appreciated. Cu...

eworm

Do your own devices have static leases? If no...

/ ip dhcp-server lease make-static [ find where dynamic ]

Then replace

:if ($leaseBound = 1) do={

with

:if ($leaseBound = 1 && [ get [ find where mac-address=$leaseActMAC ] dynamic ] = true) do={

eworm

Hi, i have this problem: /global IP [/ip neighbor get number=0 address]; :set "$IP" ($IP-1); Script Error: cannot substract string from time interval But it work if i set IP variable manually, there is a way to subtract an ip address given by print or get command? Thanks How about this? :global IP ...

eworm

And another mismatch...
* main router -> certificate "server-2019" -> ca "ca-2019"
* remote router -> certificate "client" -> "ca2019" (note the missing dash, this is a completly different CA!)

You really should clean up and control your mess.

eworm

Perhaps you should clean it up to get it working.

If I get the bits right the settings still do not match:
* For main router: peer 0.0.0.0/0 -> profile_4 -> dh-group=none
* For remote router: peer 1.1.1.1/32 -> profile_2 -> dh-group=modp1024

And you still have "remote-certificate=" set...

eworm

Your proposal setting do not match... One has "pfs-group=none", the other "pfs-group=modp1024".

If this still does not work please give config from both sides with:

/ ip ipsec export hide-sensitive

And show detailed infos about certificates with:

/ certificate print detail

eworm

You should be more specific about configuration and certificates.

Wild guess: You did not mix certificates from old and new CA, no?

eworm

The code snippet is from your main router, no? It will accept only one client, the one with certificate "client-2019", everything else is rejected. To fix:

/ ip ipsec peer set remote-certificate=none [ find ]

eworm

Without detailed information and configuration it is hard to tell. Guess into the blue: Your road worriors have different certificates, no? Using the same certificate will make the first being kicked when the second connects. Your central router does need just one public address for multiple clients...

eworm

This has been requested several time. I think it is still not possible:

viewtopic.php?t=95674
viewtopic.php?t=89883

eworm

!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only); [admin@MikroTik] /system backup cloud> print -- connecting Server error: Backend error. Try again later. Breakage in version or issue with servers? Edit: Works again, was a server issue. *) console - updated cop...

eworm

I am running testing versions on my wAP with R11e-LTE. Recently the lte interface does not reliably connect after boot, I have to reboot the device then. This worked pretty well before, so I am sure this is a regression from beta50 to beta54.

eworm

Hello everybody, I do use a linux server for remote logging. For some time I ran a rsyslog instance that listened for syslog messages on UDP port 514 and redirected them to systemd's journald. But the syslog implementations are bloated and complex for a simple task like this - especially if you do n...

eworm

Simply use cc... That accepts several receipients.

/tool e-mail send \
to=abc@mycompany.com \
cc=michael.manns@gmail.com,another@gmail.com \
from=KCMT@foresitewireless.com \
 subject=("Room 206 AP is down")

eworm

Probably when 6.44 is ready... Nobody will give you a date for that.

eworm

You can make the devices act on multiple mode button presses. Have a looks at mode-button-event and mode-button-scheduler. For these to function you need other scripts from routeros-scripts.

eworm

The peer certificate is issued from a CA on your device, that only accepts trusted certificates it issued itself.

eworm

I think your problem is that you have two peers, and only the first is matched. Try:

/ip ipsec peer remove [ find where remote-certificate=client1 ];
/ip ipsec peer set remote-certificate="" [ find ];

eworm

Hello everybody, I have an IPSEC/IKEv2 VPN in transport mode, GRE interfaces connect to the IPSEC addresses. The real data goes through the GRE interfaces. Currently the server runs a script to update the GRE interfaces' remote addresses, according to the client addresses assigned by mode-config. Is...

eworm

It does work from script, but I just realized it fails when started from scheduler. No idea what's wrong, no logs on either side.

eworm

Both to one variable?

:global DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);

If you want each in one varaiable:

:global Date [ / system clock get date ];
:global Time [ / system clock get time ];

eworm

Import private and public key on Router A: /user ssh-keys private import private-key-file=id_rsa public-key-file=id_rsa.pub Then import public key on Router B: /user ssh-keys import user=admin public-key-file=id_rsa.pub Then ssh from Router A to Router B: /system ssh address=10.0.0.1 user=admin com...

eworm

Import private and public key on Router A: /user ssh-keys private import private-key-file=id_rsa public-key-file=id_rsa.pub Then import public key on Router B: /user ssh-keys import user=admin public-key-file=id_rsa.pub Then ssh from Router A to Router B: /system ssh address=10.0.0.1 user=admin comm...

eworm

:put ([ / interface lte info [ :pick [ find ] 0 ] once as-value ]->"uicc")

eworm

/system health print file=file.txt

eworm

This works:

/system script environment { :global A 10; remove "A"; :global A 20; print; remove [ find where name="A" ]; }

I do not have an explanation, though.

eworm

Try a power cycle on the port:

/ interface ethernet poe etherX power-cycle

eworm

Currently only DSA and RSA keys are supported. I would like to see support for ed25519 keys as well... BTW, RSA is supported since RouterOS 6.31 and has been added after OpenSSH deprecated DSA in a way that you had to specify extra options to connect. Let's hope we do not need a similar event for ed...

eworm

Oh, I did misread (or understand at all) this post.
Did not get that he wants to contact a user specifically. So sorry and good luck.

eworm

This creates empty array and adds a value:

:local array [ :toarray "" ];
:set array ( $array, $newvalue );

Just repeat for more values.

eworm

Currently EAP authentication as initiator is not possible for IKEv2.
viewtopic.php?p=650295

eworm

How to write posts.

eworm

I just checked and it is not going to happen till ROS 7.

viewtopic.php?p=650295

Thanks for the link, msatter! In short: currently EAP authentication as initiator is not possible for IKEv2. So the website is right, no-go with Mikrotik.

eworm

IKEv2/IPSEC is supported by NordVPN: https://nordvpn.com/de/tutorials/windows-10/ikev2/ This is a tutorial for Windows 10, but it does not matter for the supported protocol and RouterOS does support IKEv2/IPSEC. So still: What's the issue? Just ignore what they say is not supported, probably they di...

eworm

Then what's the issue with NordVPN and IKEv2/IPSEC?

eworm

Well, IKEv2/IPSEC should do the trick. I do not have a NordVpn account, so can not verify.

eworm

You should not (never ever!) use any print and index in your scripts. Things will break badly if items are numbered different for what ever reason. Instead of this bad code: /int bridge port print remove 4,5 You should use something like this: /int bridge port remove [ find where interface=wlan1 ] r...

eworm

If anybody from MikroTik is reading this I would make a sugestion that I can somehow disable fetch tool log messages. I wrote a simple script for fetching public IP address for updating No-ip address, and it works OK, but now I have log flooded with fetch messages. You can get rid of this. If you d...

eworm

I've been waiting for that christmas tree. Thanks a lot for bringing it back!

eworm

This is a nice feature, but it has one weakness: You have to remove the backup before uploading a new one. In case the removal succeeds but the upload fails you do not have a backup at all (at least in cloud). So you should consider to either provide two upload slots, so one backup can be removed wh...

Search found 392 matches