Community discussions

Search found 571 matches

by eworm
Thu May 28, 2020 7:54 pm
Forum: General
Topic: Lots of global variables on hAP ac2
Replies: 5
Views: 939

Re: Lots of global variables on hAP ac2

BTW, is this log message related?
system;error;critical error while running customized default configuration script: no such item
by eworm
Thu May 28, 2020 6:36 pm
Forum: General
Topic: Lots of global variables on hAP ac2
Replies: 5
Views: 939

Re: Lots of global variables on hAP ac2

Several of my devices show this as well.
With reset you reference /system reset-configuration?
Will this be fixed in a future version without reset?
by eworm
Thu May 28, 2020 5:50 pm
Forum: General
Topic: DHCP Client Script when provider renews lease
Replies: 8
Views: 1232

Re: DHCP Client Script when provider renews lease

I do not see anything wrong with that call. Perhaps it's a race condition because resolving is not yet available? You can try to catch runtime error: :local ipddns; :do { :set ipddns [:resolve $ddnsbase]; } on-error={ :log warning "Resolving failed."; } Or try to wait... :local ipddns ""; :while ($i...
by eworm
Thu May 28, 2020 1:39 pm
Forum: RouterBOARD hardware
Topic: Running hardware portably using DC battery power
Replies: 12
Views: 1853

Re: Running hardware portably using DC battery power

That's awesome! What a snug fit. Does the PD source always rise to 20V? I don't own a wAP... yet, but this definitely makes me want one. You can configure the voltage (or voltage range with preference) your PD buddy delivers. It also depends on your power source, some do not support 20V... The PD b...
by eworm
Thu May 28, 2020 12:59 pm
Forum: General
Topic: DNS Failover
Replies: 16
Views: 5153

Re: DNS Failover

Set the Mikrotik to use a DNS other than piehole... Like 8.8.8.8, 1.1.1.1. Then in your DHCP server... Set the DNS value under network to be piehole, Mikrotik. If piehole doesn't work... The client will ask the Mikrotik. That does not work. The client will use piehole and Mikrotik simultaneously.
by eworm
Thu May 28, 2020 12:06 pm
Forum: General
Topic: implicit firewal rules
Replies: 4
Views: 658

Re: implicit firewal rules

I guess that would result in a lot of locked devices. So bad idea.
Unless your first rule is to allow administrative access you would no longer be able to log in to your device.
by eworm
Thu May 28, 2020 12:00 pm
Forum: Scripting
Topic: Question related with ROS client ssh w/o Pass
Replies: 2
Views: 394

Re: Question related with ROS client ssh w/o Pass

RouterOS can import keys in PEM format only. Convert the key and you are fine.
by eworm
Thu May 28, 2020 11:53 am
Forum: RouterOS v7 BETA
Topic: Feature Request: ACL Compare User Defined Bytes
Replies: 3
Views: 599

Re: Feature Request: ACL Compare User Defined Bytes

The firewall has a lot of attributes to filter on:
/ip firewall filter add protocol=tcp connection-state=new ...
by eworm
Wed May 27, 2020 11:56 pm
Forum: RouterBOARD hardware
Topic: Running hardware portably using DC battery power
Replies: 12
Views: 1853

Re: Running hardware portably using DC battery power

I use a power bank with USB-C power delivery output. Combine that with a PD Buddy Sink and you are done.

The PD Buddy Sink even fits into a wAP (LTE) case - resulting in a powerful mobile access point.
by eworm
Wed May 27, 2020 4:42 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 13149

Re: v6.47rc [testing] is released!

Setting attributes for static DNS records changes other attributes unintentionally: [admin@mt] /ip dns static> add forward-to=10.0.0.1 regexp="example.com" type=FWD [admin@mt] /ip dns static> set regexp="example\\.com\$" [ find where regexp="example.com" ] [admin@mt] /ip dns static> export [...] add...
by eworm
Tue May 26, 2020 10:50 pm
Forum: General
Topic: MTU troubles using IKEv2 providers like NordVPN [work around]
Replies: 35
Views: 6451

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

I did fear the same, but looks like everything still works as expected.
Not sure what this change is supposed to do.
by eworm
Tue May 26, 2020 9:21 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 13149

Re: v6.47rc [testing] is released!

+1. I'd like to forward internal zones via VPN to an organization DNS and all the rest - to 1.1.1.1 via DoH
Exactly my use case.
Two great new features - would be frustrating to have to choose between them.
by eworm
Tue May 26, 2020 8:06 pm
Forum: General
Topic: DNS over HTTPS
Replies: 23
Views: 3508

Re: DNS over HTTPS

This is not supported in 6.46.6. You have to use 6.47 for that feature.
by eworm
Tue May 26, 2020 2:22 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 13149

Re: v6.47rc [testing] is released!

eworm Currently DoH will be prioritized over all other DNS configuration. Not sure if this will change any time soon.
In general this makes sense. But I vote for an exception with conditional forwarding of DNS queries.
by eworm
Tue May 26, 2020 2:21 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 13149

Re: v6.47rc [testing] is released!

On boot system logs:
system;error;critical error while running customized default configuration script: no such item
Is this expected? (If it is I would like to see the severity reduced. "error" and "critical" raise alerts here.)
by eworm
Tue May 26, 2020 1:45 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 13149

Re: v6.47rc [testing] is released!

This has... *) dns - added support for multiple type static entries; ... but is missing from 6.47beta60... *) dns - added support for forwarding DNS queries of static entries to specific server (CLI only); This can still be configured, but still does not work when DNS over HTTPS is enabled. I would ...
by eworm
Mon May 25, 2020 6:50 pm
Forum: RouterBOARD hardware
Topic: new hardware Wireless Wire nRAY 60 ghz
Replies: 9
Views: 1948

Re: new hardware Wireless Wire nRAY 60 ghz

Interesting device...

Also nice to see that more devices are equipped with ARM 64bit CPUs (just like new CCR).
by eworm
Fri May 22, 2020 3:28 pm
Forum: RouterOS v7 BETA
Topic: How to read also the flags of a data record? (bug in beta5?) [SOLVED]
Replies: 5
Views: 877

Re: How to read also the flags of a data record? (bug in beta5?) [SOLVED]

I do not, and here is why:
If you have complex code depending on relative paths it tends to break if you move fragments of code up or down.
by eworm
Fri May 22, 2020 2:57 pm
Forum: RouterOS v7 BETA
Topic: How to read also the flags of a data record? (bug in beta5?) [SOLVED]
Replies: 5
Views: 877

Re: How to read also the flags of a data record? (bug in beta5?) [SOLVED]

IMHO it is very intuitive if you are used to it. Scripting is one of the reasons I do love RouterOS.
by eworm
Fri May 22, 2020 1:44 pm
Forum: General
Topic: Mikrotik Audience Poe IN [SOLVED]
Replies: 1
Views: 402

Re: Mikrotik Audience Poe IN [SOLVED]

No setting, it will just work.
by eworm
Fri May 22, 2020 10:44 am
Forum: RouterOS v7 BETA
Topic: How to read also the flags of a data record? (bug in beta5?) [SOLVED]
Replies: 5
Views: 877

Re: How to read also the flags of a data record? (bug in beta5?) [SOLVED]

The command print is (mostly) for terminal output.

Does something like this work for you?
:foreach i in=[ /interface bridge host find ] do={ :put [ /interface bridge host get $i ]; }
BTW, why do you expect everything to be a bug?
by eworm
Mon May 18, 2020 12:01 am
Forum: Scripting
Topic: How to auto-start a script at interface link up / down ? [SOLVED]
Replies: 30
Views: 3807

Re: How to auto-start a script at interface link up / down ? [SOLVED]

You initialize the variable inside a block, thus it's not visible outside. But it's a global variable :-) Sure, it is. But even global variables are accessible only... ... when used directly from command line (without block!) or... ... when initialized properly. So when ever you want to access $gAr...
by eworm
Sun May 17, 2020 11:46 pm
Forum: General
Topic: Solution needed: router PoE + WIreless
Replies: 6
Views: 1129

Re: Solution needed: router PoE + WIreless

The RB750UPr2 does passive POE only, so your 802.3af devices will not receive power, even if the power supply matches your voltage requirements. I guess you have to go with one of these: https://mikrotik.com/product/crs112_8p_4s_in (requires additional power supply for 48V!) https://mikrotik.com/pro...
by eworm
Sun May 17, 2020 11:25 pm
Forum: Scripting
Topic: sms to telegram
Replies: 8
Views: 1032

Re: sms to telegram

I guess you have to do some urlencoding for your sms message...

If you want a working solution have a look at this:
RouterOS Scripts - Forward received SMS
This requires the installation of global scripts on top, see main README.
by eworm
Sun May 17, 2020 11:16 pm
Forum: Scripting
Topic: Tool Fetch Scripting - HotSpot Telegram QRCode
Replies: 1
Views: 371

Re: Tool Fetch Scripting - HotSpot Telegram QRCode

Not sure I got this right, but looks like you have a nested url inside url? Try to urlencode the characters there, specifically replace '&' with '%26'.
by eworm
Sun May 17, 2020 11:09 pm
Forum: Scripting
Topic: How to auto-start a script at interface link up / down ? [SOLVED]
Replies: 30
Views: 3807

Re: How to auto-start a script at interface link up / down ? [SOLVED]

You initialize the variable inside a block, thus it's not visible outside.
by eworm
Fri May 15, 2020 6:54 pm
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 2704

Re: OpenSSH future RSA host key deprecation

No progress, no reaction on ed25519 keys from Mikrotik.
by eworm
Fri May 15, 2020 11:38 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Good question... Wondering myself.
Time for a new release anyway, the last one is three weeks old already.
by eworm
Thu May 14, 2020 10:55 pm
Forum: General
Topic: promiscue mode - what does it let pass?
Replies: 2
Views: 544

Re: promiscue mode - what does it let pass?

Most of your packets go fast path, missing the IPSec tunnel. Make sure all your IPSec traffic does not go fast path.
by eworm
Thu May 14, 2020 9:48 pm
Forum: General
Topic: Cloud backup needs a static token through time for downloading
Replies: 1
Views: 530

Re: Cloud backup needs a static token through time for downloading

I solved this with a backup script that sends notification via e-mail and/or Telegram message including the secret download key. Just look up your mailbox and you are fine.

You need the basic installation and this script:
routeros-scripts - Upload backup to Mikrotik cloud
by eworm
Mon May 11, 2020 9:43 pm
Forum: General
Topic: CCR2004 w/ARM64 : Where to download packages ? [SOLVED]
Replies: 7
Views: 1273

Re: CCR2004 w/ARM64 : Where to download packages ? [SOLVED]

I guess the build process for arm64 works, but the release process has been enabled just before recent long term release.
Be patient and wait for the next testing and stable releases, I think they will include arm64 builds.
by eworm
Sat May 09, 2020 1:04 pm
Forum: General
Topic: 6.46 for arm64?
Replies: 1
Views: 524

Re: 6.46 for arm64?

I guess the release process had not been prepared. Expect version 6.46.7 to have arm64 build...
by eworm
Wed May 06, 2020 11:31 am
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 101
Views: 26818

Re: Add DNS over HTTPS (DoH) support

There is information when the DoH function will go from beta to release?
When version 6.47 is released to stable channel. There's no date for that, though.
by eworm
Mon May 04, 2020 7:02 pm
Forum: RouterOS v7 BETA
Topic: UDP OpenVPN tunnel same speed as TCP
Replies: 7
Views: 1765

Re: UDP OpenVPN tunnel same speed as TCP

I guess the device's CPU is the limiting factor here.
by eworm
Mon May 04, 2020 2:33 pm
Forum: General
Topic: How to replicate home WiFi while staying in a hotel (VPN, capsman)?
Replies: 9
Views: 1619

Re: How to replicate home WiFi while staying in a hotel (VPN, capsman)?

You can't do that. You have either local wireless configuration or device is connected to capsman. Both is not possible, at least not with a single band device.
You could use wAP ac (or similar dual band device), connect 2.4GHz to hotel wifi and use 5GHz for your SSID via capsman.
by eworm
Wed Apr 29, 2020 11:51 pm
Forum: General
Topic: WireGuard Released !
Replies: 16
Views: 15710

Re: WireGuard Released !

Internal builds with wireguard support are rumored to exist.
Search the v7 section for details.
by eworm
Wed Apr 29, 2020 2:40 pm
Forum: Announcements
Topic: MikroTik newsletter May 2020 (#95)
Replies: 43
Views: 20675

Re: MikroTik newsletter May 2020 (#95)

Do you have more information about that Annapurna AL32400? E.g. how many cores?
It has four cores. See here for details of CCR2004:
https://mikrotik.com/product/ccr2004_1g_12s_2xs
by eworm
Tue Apr 28, 2020 5:48 pm
Forum: Announcements
Topic: v6.46.6 [stable] is released!
Replies: 69
Views: 29715

Re: v6.46.6 [stable] is released!

Why you don't fix OSPF ? :?
Possibly because they could not reproduce. Did you open a support ticket?
by eworm
Mon Apr 27, 2020 7:33 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Sure, just configure it properly:
/ip dns set verify-doh-cert=yes
by eworm
Mon Apr 27, 2020 12:31 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Im currently testing DoH on my HAP Lite, which is working great. But I have few questions. I got some Dynamic NS Servers supplied by my ISP and thus they are automatically added to Mikrotik DNS server list (read-only). I also put some static NS records (e.g dns.cloudflare 1.1.1.1) as Static list. S...
by eworm
Sun Apr 26, 2020 10:06 am
Forum: General
Topic: RouterOS Scheduler unreliable by default?
Replies: 1
Views: 691

Re: RouterOS Scheduler unreliable by default?

The scheduler is perfectly reliable in my experience. Note that a script (and thus scheduler) is stopped on first error, though. Possibly your scripts terminate with error?
by eworm
Fri Apr 24, 2020 10:35 pm
Forum: General
Topic: Feature request: per-domain forwarding in DNS
Replies: 19
Views: 17200

Re: Feature request: per-domain forwarding in DNS

This is available now in RouterOS 6.47beta60!
by eworm
Fri Apr 24, 2020 10:32 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

That is a chicken and egg problem. Neither chicken nor egg is involved. Let's assume I add something like this: /ip dns static add forward-to=10.0.0.1 regexp="(.*\\.)\?example\\.com" type=FWD This will make all requests for example.com and its subdomains go to nameserver 10.0.0.1. Works fine, but ...
by eworm
Fri Apr 24, 2020 4:42 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Version 6.47beta60 has reset my settings for mode button.
by eworm
Fri Apr 24, 2020 4:24 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Yes! Mikrotik, you made my day!

One thing, though: Looks like DNS forwarding does not work if DoH configuration is active. I think the forwarding should have priority over DoH.
by eworm
Fri Apr 24, 2020 9:18 am
Forum: General
Topic: CCR1009 High CPU Load
Replies: 10
Views: 2409

Re: CCR1009 High CPU Load

I think a CCR1009 should be capable of doing this... Are you really using packet marking? Why not mark connection?

Have a look at profiling to see what process uses the cpu most:
/tool profile
by eworm
Fri Apr 24, 2020 9:07 am
Forum: General
Topic: CapsMan - pass Comments to RegistrationTable
Replies: 5
Views: 1896

Re: CapsMan - pass Comments to RegistrationTable

Works for me... Checked on two CAPsMAN devices (CCR & RB3011) with 6.46.5.
by eworm
Thu Apr 23, 2020 8:59 am
Forum: General
Topic: FEATURE REQUEST: Dynamically created VPN+routes (each to each)
Replies: 1
Views: 745

Re: FEATURE REQUEST: Dynamically created VPN+routes (each to each)

Sounds like you want a routing protocol. Ever thought about ospf or similar?
by eworm
Wed Apr 22, 2020 1:21 pm
Forum: General
Topic: DNS over HTTPS
Replies: 23
Views: 3508

Re: DNS over HTTPS

Yes, that's true in general and for Cloudflare. But google does not allow to use https://8.8.8.8/dns-query directly. It sends a redirect in HTTP header to https://dns.google/dns-query. Well, checking again... It does send a redirect, but the dns response is contained as well... % curl -I 'https://8....
by eworm
Wed Apr 22, 2020 1:08 pm
Forum: Scripting
Topic: Function: IP to Decimal
Replies: 11
Views: 2822

Re: Function: IP to Decimal

For me it works. Do you have IPv6 disabled (or not installed at all)?
by eworm
Wed Apr 22, 2020 12:46 pm
Forum: General
Topic: Cloud: update time without ddns?
Replies: 2
Views: 747

Re: Cloud: update time without ddns?

Yes, I know that. I have configured NTP on all my devices. Still I have a script that requires the time to be "about right" at least (so cloud is fine) - and this script should work on as many devices as possible with whatever configuration. I would still appreciate to have detailed information on t...
by eworm
Wed Apr 22, 2020 12:07 pm
Forum: General
Topic: Cloud: update time without ddns?
Replies: 2
Views: 747

Cloud: update time without ddns?

Hello everybody, with Mikrotik's cloud service it's possible to disable dynamic dns update, but enable time update: /ip cloud set ddns-enabled=no update-time=yes Not sure if this is a valid configuration, so: Does the device update the time if dynamic dns is disabled? Can I check if time has been up...
by eworm
Wed Apr 22, 2020 11:57 am
Forum: General
Topic: DNS over HTTPS
Replies: 23
Views: 3508

Re: DNS over HTTPS

The file you linked includes the certificates required for google services, no?
So my commands were intended on top of yours.

I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?
by eworm
Wed Apr 22, 2020 11:32 am
Forum: General
Topic: DNS over HTTPS
Replies: 23
Views: 3508

Re: DNS over HTTPS

Uh, google does a redirect there... So use this:
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
by eworm
Wed Apr 22, 2020 11:26 am
Forum: General
Topic: DNS over HTTPS
Replies: 23
Views: 3508

Re: DNS over HTTPS

Do the same, but with different url: https://8.8.8.8/dns-query
by eworm
Wed Apr 22, 2020 12:23 am
Forum: Scripting
Topic: Function: IP to Decimal
Replies: 11
Views: 2822

Re: Function: IP to Decimal

Anyone know how to do arithmetic with ipv6?

e.g. :put (fe80::0 + 8) = fe80::8

Rich
Does it help in your use case if you use bitwise operator?
[admin@MikroTik] > :put (fe80::0 | ::8) 
fe80::8
by eworm
Tue Apr 21, 2020 2:11 pm
Forum: RouterOS v7 BETA
Topic: beta5: Enabling www-ssl gives error [SOLVED]
Replies: 4
Views: 1481

Re: beta5: Enabling www-ssl gives error [SOLVED]

You should get an idea about the ssh protocol in general and host keys specifically.
https://www.ssh.com/ssh/host-key

In "/ip ssh" you can export, import and regenerate host keys.
by eworm
Tue Apr 21, 2020 8:39 am
Forum: General
Topic: MacTelnet-Client
Replies: 8
Views: 1576

Re: MacTelnet-Client

So why don't you use ssh to access routers? mactelnet has one single function which ssh doesn't: connectivity over MAC, which comes handy when IP setup gets south. But hopefully that's not very often and I (being a linux/console nerd myself) resort to using winbox in such case (runs under linux / w...
by eworm
Tue Apr 21, 2020 8:29 am
Forum: RouterOS v7 BETA
Topic: beta5: Enabling www-ssl gives error [SOLVED]
Replies: 4
Views: 1481

Re: beta5: Enabling www-ssl gives error [SOLVED]

A "refused to connect" is unrelated to the certificate. Make sure the service is enabled and the firewall does not block it. I think "Webfig" is short for "Webconfig", no? The https certificate is used to authenticate the host, a valid certificate is verified by trust chain to root CAs in your brows...
by eworm
Sun Apr 19, 2020 11:35 pm
Forum: General
Topic: MacTelnet-Client
Replies: 8
Views: 1576

Re: MacTelnet-Client

It is maintained, but not all details about authentication are available. Read this for details:
https://github.com/haakonnessjoen/MAC-Telnet/issues/42
by eworm
Sun Apr 19, 2020 4:57 pm
Forum: General
Topic: Edit console logo in MIKROTIK
Replies: 2
Views: 991

Re: Edit console logo in MIKROTIK

No, but you can add an additional system note.
https://wiki.mikrotik.com/wiki/Manual:System/Note
by eworm
Tue Apr 14, 2020 9:30 am
Forum: General
Topic: backup via /export skips some config lines
Replies: 2
Views: 917

Re: backup via /export skips some config lines

Configuration in /certificate and /user is (partly) skipped.
by eworm
Mon Apr 13, 2020 9:09 pm
Forum: General
Topic: Hotspot HTTPS Certificate Error [SOLVED]
Replies: 3
Views: 1515

Re: Hotspot HTTPS Certificate Error [SOLVED]

My first guess was the trust chain is not complete, but looks like you made sure this is ok. Perhaps Android wants to access the CRL url? Try adding that to your hotspot (replacing with correct hotspot server name): /ip hotspot walled-garden ip add action=accept disabled=no dst-address=ocsp.int-x3....
by eworm
Tue Apr 07, 2020 5:54 pm
Forum: RouterBOARD hardware
Topic: R11e-LTE v016 bug
Replies: 2
Views: 1641

Re: R11e-LTE v016 bug

Looks like v016 has been withdrawn... No idea if this was the reason.

Mikrotik, any info on that?
Wondering if my devices (successfully) running v016 are at risk in whatever way.
by eworm
Sat Apr 04, 2020 12:49 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

I got confused a bit please elaborate to me.. If I set the RouterOS to act as DoH client to a server (Google/Cloudflare), how do they know the first time to address of google/cloudflare without first querying via regular DNS server? Two ways to solve this: configure a regular DNS server use an url ...
by eworm
Fri Apr 03, 2020 2:02 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

*) certificate - added "skid" and "akid" values for detailed print;
This looks like SHA1 key ids. Can you give more details?

skid = signing key id?
by eworm
Fri Apr 03, 2020 9:56 am
Forum: General
Topic: Load external image on captive portal
Replies: 14
Views: 2725

Re: Load external image on captive portal

Let me clarify some things. There is a project WIFI4EU that demands a specific image to be dynamically displayed on the captive portal the snippet code is the following: <img id="wifi4eulogo" class="identity-image" src="https://collection.wifi4eu.ec.europa.eu/media/logo/Wifi4EU-EL.svg"> Unfortunate...
by eworm
Wed Mar 25, 2020 8:36 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 1716

Re: {ASK} apsman with local-forwarding=no

Then it's indeed unexpected behavior. Probably nobody here can help any further, contact support if this bothers you.
by eworm
Wed Mar 25, 2020 8:30 am
Forum: Scripting
Topic: Are special parameters parsed when script ran by DHCP server?
Replies: 3
Views: 1250

Re: Are special parameters parsed when script ran by DHCP server?

Well, ok... Did not try to guess the correct name. Just "remote-id" is not available.

You can get that info from $"lease-options". With ($"lease-options"->"82") you get both infos from option 82, surrounded by some binary bits. Looks like you have to parse that yourself.
by eworm
Wed Mar 25, 2020 7:46 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 1716

Re: {ASK} apsman with local-forwarding=no

of course i'm pinging wireless client. from my laptop
And your laptop is connected to the same CAP wirelessly?
by eworm
Wed Mar 25, 2020 1:20 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 1716

Re: {ASK} apsman with local-forwarding=no

AFAIK this setting only handles wireless client to wireless client.
Your echo request comes from the wired side of CAP?
by eworm
Wed Mar 25, 2020 1:06 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 1716

Re: {ASK} apsman with local-forwarding=no

Have a look at Local Forwarding Mode and Manager Forwarding Mode.

Probably you want to control client-to-client forwarding on capsman?
by eworm
Wed Mar 25, 2020 12:57 am
Forum: General
Topic: {ASK} apsman with local-forwarding=no
Replies: 10
Views: 1716

Re: {ASK} apsman with local-forwarding=no

This setting controls whether or not to tunnel traffic to the capsman device.
Any reason why a ping to a client should not succeed?
by eworm
Wed Mar 25, 2020 12:53 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

IMHO the DoH logs have too high severity. I've configured my devices to forward error logs via e-mail. Now I get... ... on boot, probably because I have ipsec peers with dns name in address: dns,error: DoH connection error: Network is unreachable ... and every now and then: dns,error: DoH connection...
by eworm
Wed Mar 25, 2020 12:34 am
Forum: General
Topic: Delete DNS Dynamic Servers.
Replies: 2
Views: 914

Re: Delete DNS Dynamic Servers.

I think Mikrotik does not even support dns peers pushed via openvpn, no?
Are you sure this is not just your dhcp client adding the dynamic servers?
by eworm
Wed Mar 25, 2020 12:16 am
Forum: Scripting
Topic: Are special parameters parsed when script ran by DHCP server?
Replies: 3
Views: 1250

Re: Are special parameters parsed when script ran by DHCP server?

At the moment I have a 30 line script to ensure only 1 DHCP lease can be active per Remote-ID at a time, the newest lease clears all other entries that have the same Remote-ID (potential issue if a client plugged a switch into their WAN connection instead of a router) but there's currently a bug in...
by eworm
Mon Mar 23, 2020 3:24 pm
Forum: General
Topic: Feature Request: Ed25519 SSH keys
Replies: 8
Views: 3553

Re: Feature Request: Ed25519 SSH keys

Nothing wrong, ed25519 is not supported.
by eworm
Fri Mar 20, 2020 10:42 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

When you import the cert into RouterOS you should have 3 entries.
DigiCert Global Root CA
DigiCert ECC Secure Server CA
cloudflare-dns.com
Last one is server certificate and not required in certificate store.
by eworm
Fri Mar 20, 2020 9:59 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

My test device was set up to use crl, but to not download crl:
/ certificate settings crl-download=no crl-use=yes
That results in flooding the log:
dns,error DoH connection error: SSL: handshake failed: unable to get certificate CRL (6)
by eworm
Fri Mar 20, 2020 4:10 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the ip address into the certificate. yeah it's worked without Verify DoH Certificate :) and where can we get cloudflare certificate file to importing in router ? If you trust my repository get it here: https://git.eworm.de/cg...
by eworm
Fri Mar 20, 2020 3:59 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

As others are saying. The router does not know what dns.nextdns.io is. Add at least a single regular DNS server which will be used for DoH servers name resolving. Adding a static DNS entry should also suffice. Are DoH servers prioritized? When does it fall back to regular dns servers? Oh, and is it...
by eworm
Fri Mar 20, 2020 3:56 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the ip address into the certificate.
Same for quad-nine:

https://9.9.9.9/dns-query (secured)
https://9.9.9.10/dns-query (unsecured)
by eworm
Fri Mar 20, 2020 3:54 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the ip address into the certificate.
by eworm
Fri Mar 20, 2020 3:50 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Enable DNS logs, it should provide all necessary information for troubleshooting. I tested the DoH implementation with various publicly available servers and could not find any issues. If there are any, please let us know. /system logging add topics=dns tested with public DoH server but nothing doh...
by eworm
Fri Mar 20, 2020 2:55 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Try setting https://10.5.51.5 as the server.
thanks for reply now it's verified but could not resolve any dns name
How can it verify only by a IP address?
Certificates can have subject alternative name with ip address.
by eworm
Tue Mar 17, 2020 10:12 am
Forum: General
Topic: Mikrotik for cloud DDNS
Replies: 2
Views: 850

Re: Mikrotik for cloud DDNS

I use this for years now, but on a Mikrotik router device. Not 100% sure for AP's, do not have one to test with.
This is true for every device running RouterOS, except CHR without license.
by eworm
Mon Mar 16, 2020 9:56 pm
Forum: Announcements
Topic: MikroTik newsletter March 2020 (#94)
Replies: 40
Views: 30925

Re: MikroTik newsletter March 2020 (#94)

HAP AC2 with 802.3af poe-input support (as cap ac does) And at least one pass-through poe-out port please. cAP ac? Almost the same hardware (well, without USB and with only 2 Ethernet ports), but with 802.3af/at and PoE pass-through. And has already been available for a while... We could define the...
by eworm
Sun Mar 15, 2020 4:40 pm
Forum: General
Topic: 💡 Feature Request: Telegram log rule natively on RouterOS
Replies: 1
Views: 745

Re: Telegram log rule natively on RouterOS

No, it is not possible.
You need to use scripts for Telegram functionality.
by eworm
Sat Mar 14, 2020 1:21 pm
Forum: Announcements
Topic: MikroTik newsletter March 2020 (#94)
Replies: 40
Views: 30925

Re: MikroTik newsletter March 2020 (#94)

  • HAP AC2 with 802.3af poe-input support (as cap ac does)
And at least one pass-through poe-out port please.
by eworm
Thu Mar 12, 2020 11:48 am
Forum: Scripting
Topic: Built in function library
Replies: 60
Views: 26486

Re: Built in function library

hi, possibility to create variables named from object on the routeur like : :varname [:caps-man remote-cap get $i serial] so i have a variable named BF090FS8938 (serial number of the router) /env print BF090FS8938={foo="bar"; foo; bar} You could put this into an array... [admin@mt] > :global Remote...
by eworm
Mon Mar 09, 2020 1:07 pm
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 46112

Re: v6.46.4 [stable] is released!

Works just fine for me... ... 12:03:25 ssh,debug agreed on: diffie-hellman-group-exchange-sha256 rsa-sha2-256 aes128-ctr aes128-ctr hmac-sha2-256 hmac-sha2-256 none none ... 12:03:26 ssh,debug pki algorithm: ssh-rsa 12:03:26 ssh,info publickey accepted for user: admin 12:03:26 system,info,account us...
by eworm
Fri Mar 06, 2020 11:14 am
Forum: General
Topic: feature request ADVANCED DNS Server
Replies: 42
Views: 10924

Re: feature request ADVANCED DNS Server

I think it should have the following functionality in addition to what it can do now: - for static records, add the capability to install a CNAME, MX, TXT, NS or SRV record (in addition to the A and AAAA that it can do now). - allow to forward queries for a statically inserted domain to a specified...
by eworm
Mon Mar 02, 2020 11:11 am
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 2704

Re: OpenSSH future RSA host key deprecation

Version 6.46.4 also fixes the issue with public key authentication. All fine now, thanks a lot!
by eworm
Mon Mar 02, 2020 10:20 am
Forum: General
Topic: IPsec Nordvpn no more connection
Replies: 5
Views: 1811

Re: IPsec Nordvpn no more connection

You should post the relevant part of your configuration. Something like this could help:
/ip ipsec export hide-sensitive
The NordVPN CA certificate is installed? System time is set correctly?
by eworm
Sun Mar 01, 2020 11:15 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Same here, can't use Royal TSX Secure Gateway with ssh keys anymore: This is fixed with 6.46.4 stable, so I guess it will be ok with next beta. I am on 6.46.4 stable. I came from 6.46.1. now i have the issue. I am on confused. With openssh and RouterOS 6.46.4 everything works fine, even if I disabl...
by eworm
Sun Mar 01, 2020 8:43 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Same here, can't use Royal TSX Secure Gateway with ssh keys anymore:
This is fixed with 6.46.4 stable, so I guess it will be ok with next beta.
by eworm
Tue Feb 25, 2020 9:56 am
Forum: General
Topic: Question about DHCP log (New feature request)
Replies: 5
Views: 2999

Re: Question about DHCP log (New feature request)

Whatever you send to log in lease script is sent to offsite syslog as well (if configured in "/ system logging").
So why do you think this is required to be a native feature? IMHO this is an example where everything is fine due to extensibility by script.
by eworm
Fri Feb 21, 2020 5:31 pm
Forum: Scripting
Topic: Bootup Script Find and Set - Not Working
Replies: 2
Views: 1603

Re: Bootup Script Find and Set - Not Working

You have to use square brackets ([ and ]), not parentheses (( and )).
And the "put" is wrong, it's supposed to output to terminal. Just remove that (and the parentheses).
by eworm
Fri Feb 21, 2020 10:07 am
Forum: General
Topic: IKEv2 with mode-config address on wrong interface [SOLVED]
Replies: 6
Views: 1969

Re: IKEv2 with mode-config address on wrong interface [SOLVED]

You have the same address inside and outside the GRE tunnel?
Looks like your havoc originates there.

Anyway, this issue is resolved, please open a new topic with details on your topic.
by eworm
Tue Feb 18, 2020 8:52 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

Damn, I should have checked the forum before installing 6.47beta35. I can no longer login via ssh (key/password). :-( I cannot test winbox because it is disabled. But I assume it would fail too. The device is HAP AC2. What SSH client do you use? Try to disable host key algorithm rsa-sha2-256 for no...
by eworm
Tue Feb 18, 2020 11:04 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

*) dns - added support for exclusive dynamic DNS server usage from IPsec;
This is configurable now? Where to find this setting?
Found it!
/ ip ipsec mode-config set use-responder-dns=no [ find ... ]
This setting takes exclusively, no and yes.

Thanks a lot!
by eworm
Tue Feb 18, 2020 10:58 am
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 2704

Re: OpenSSH future RSA host key deprecation

Version 6.47beta35 adds support for rsa-sha2-256. Public key authentication does not work, though.
Thanks anyway!
by eworm
Tue Feb 18, 2020 10:56 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

*) dns - added support for exclusive dynamic DNS server usage from IPsec;
This is configurable now? Where to find this setting?
by eworm
Tue Feb 18, 2020 10:52 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

*) ssh - added support for RSA keys with SHA256 hash (RFC8332); Ha, that was fast. Thanks! Will give it a try now. Looks like this breaks public key authentication. If I remove ssh-rsa from host key algorithms I am prompted for a password. Password login succeeds (if always-allow-password-login is ...
by eworm
Tue Feb 18, 2020 10:41 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

*) ssh - added support for RSA keys with SHA256 hash (RFC8332);
Ha, that was fast. Thanks!
Will give it a try now.
by eworm
Tue Feb 18, 2020 9:59 am
Forum: General
Topic: Can't Upgrade Firmware
Replies: 8
Views: 2123

Re: Can't Upgrade Firmware

I guess that's because you have two wireless packages installed. Remove one and try again.
by eworm
Mon Feb 17, 2020 9:22 pm
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 2704

Re: OpenSSH future RSA host key deprecation

Just had a closer look. Would be nice to have ssh-ed25519, but it's not a requirement. Support for rsa-sha2-512 and/or rsa-sha2-256 (defined in RFC8332) would be sufficient. Just ssh-rsa (which uses SHA1) is deprecated here. Sadly RouterOS supports the latter one only.
by eworm
Sun Feb 16, 2020 12:56 pm
Forum: General
Topic: Can't Upgrade Firmware
Replies: 8
Views: 2123

Re: Can't Upgrade Firmware

Looks like you need to update RouterOS first.
Note that the firmware is no more than the boot code.
by eworm
Fri Feb 14, 2020 2:18 pm
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 2704

OpenSSH future RSA host key deprecation

Hello everybody, version 8.2 of well known OpenSSH has been released: [openssh-unix-announce] Announce: OpenSSH 8.2 released The announcement comes with a deprecation notice for RSA host keys as used with RouterOS: Future deprecation notice ========================= It is now possible[1] to perform c...
by eworm
Thu Feb 13, 2020 4:42 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

*) dns - use only servers received from IKEv2 server when present; IMHO that's a bad change. I have an open wifi network for guests, client traffic is routed via IKEv2 provider. I do not necessarily trust this provider - I just want to hide my public IP address for unknown clients. Traffic from kno...
by eworm
Thu Feb 13, 2020 9:45 am
Forum: Scripting
Topic: Diabling a DHCP server
Replies: 6
Views: 2065

Re: Diabling a DHCP server

Do not follow that advice! You should never use numerical index in scripts.
Try something like:
/ip dhcp-server disable [ find where comment=.... ]
Change the find to your needs.
by eworm
Thu Feb 13, 2020 9:24 am
Forum: Scripting
Topic: Auto backup
Replies: 2
Views: 1911

Re: Auto backup

Possibly an issue with SSH host keys. Try regenerating them.
by eworm
Fri Feb 07, 2020 10:09 am
Forum: General
Topic: mikrotik-nordvpn
Replies: 6
Views: 1208

Re: mikrotik-nordvpn

There is very little information in your question... Please be more verbose.
Anyway... Installed the root CA certificate?
https://wiki.mikrotik.com/wiki/IKEv2_EA ... he_root_CA
by eworm
Wed Feb 05, 2020 11:14 am
Forum: General
Topic: Conditionls DNS Forwarding
Replies: 2
Views: 508

Re: Conditionls DNS Forwarding

Sadly no, it's not possible.
by eworm
Wed Feb 05, 2020 11:05 am
Forum: General
Topic: Problem with wifi
Replies: 3
Views: 627

Re: Problem with wifi

This gives an overview of wireless logs:
https://wiki.mikrotik.com/wiki/Manual:W ... Debug_Logs

There is no "disconnected, disabling", though. Possibly the same as "disconnected, device disabled"?
Is there anything that disables or changes configuration for wireless interface?
by eworm
Tue Feb 04, 2020 12:28 am
Forum: General
Topic: HDMI extender kills Wi-Fi [SOLVED]
Replies: 6
Views: 1249

Re: HDMI extender kills Wi-Fi [SOLVED]

We have good experience with HDMI fiber cables. These are available with length up to 100m.
by eworm
Mon Feb 03, 2020 3:22 pm
Forum: General
Topic: mikrotik wap-ac poe-in with d-link dgs1005p
Replies: 2
Views: 596

Re: mikrotik wap-ac poe-in with d-link dgs1005p

Both devices support 802.3af/at, so this should work.
Anything on switch side you can configure?
by eworm
Mon Feb 03, 2020 12:24 pm
Forum: Scripting
Topic: RBmAP2nD Detect internet up & down with red LED
Replies: 3
Views: 1521

Re: RBmAP2nD Detect internet up & down with red LED

You changed just one case, the scripts still have numeric ids.
by eworm
Mon Feb 03, 2020 11:39 am
Forum: Scripting
Topic: RBmAP2nD Detect internet up & down with red LED
Replies: 3
Views: 1521

Re: RBmAP2nD Detect internet up & down with red LED

You should not use numerical ids in scripts. Never ever! For this case (RB mAP2nD) replace "2" with [ find where leds=led3 ].

This works for every device with configurable leds... A lot of devices have these.
by eworm
Wed Jan 29, 2020 3:42 pm
Forum: Scripting
Topic: Is possible triggering script by telegram bot?
Replies: 3
Views: 1725

Re: Is possible triggering script by telegram bot?

You would have to query the api with fetch command, then parse the output.
I've thought about implementing that myself, but do not want to implement a reliable parser. :-p

MikroTik, want to implement a JSON parser? Would be handy for this and other use cases...
by eworm
Wed Jan 29, 2020 3:26 pm
Forum: General
Topic: wAP LTE and LHG LTE - Very bad LTE performance
Replies: 14
Views: 1520

Re: wAP LTE and LHG LTE - Very bad LTE performance

But keep in mind that you can not do the upgrade via LTE this way. A stable management connection is required.
by eworm
Wed Jan 29, 2020 11:16 am
Forum: General
Topic: wAP LTE and LHG LTE - Very bad LTE performance
Replies: 14
Views: 1520

Re: wAP LTE and LHG LTE - Very bad LTE performance

To check if an update is available: [admin@MikroTik] > /interface lte firmware-upgrade lte1 installed: MikroTik_CP_2.160.000_v011 latest: MikroTik_CP_2.160.000_v013 I would advise to use my script unattended-lte-firmware-upgrade. Just copy and paste into a terminal, then be patient and wait until t...
by eworm
Wed Jan 29, 2020 10:43 am
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 86
Views: 22267

Re: Feature Request - Wireguard Protocol

Linus just pulled the net-next branch from David Miller, thus Wireguard is now upstream:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
by eworm
Tue Jan 28, 2020 9:00 pm
Forum: General
Topic: uppercase and lowercase letters (hotspot) [SOLVED]
Replies: 6
Views: 1380

Re: uppercase and lowercase letters (hotspot) [SOLVED]

There is no way to ignore it, friend. It works in the same way as a registration you do on a Bank website: "If you do not meet the requirements where there is a red * I will not go to the next page" Hu? The html form is just a hint what the server may expect. If you want to try... Take Firefox, ope...
by eworm
Mon Jan 27, 2020 5:12 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 31188

Re: v6.46.2 [stable] is released!

Auto upgrader will not try to install if at least one package is missing or not finished downloading. I think there are special conditions where this is (or was?) not true. As said earlier... My LTE router managed to update with missing wireless package at least twice. Sadly I can not give exact ve...
by eworm
Tue Jan 21, 2020 1:31 pm
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 86
Views: 22267

Re: Feature Request - Wireguard Protocol

The compat version (https://git.zx2c4.com/wireguard-linux-compat/) is the same as what goes into Linux 5.6, it's just the out-of-tree repository.
by eworm
Tue Jan 21, 2020 11:53 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 31188

Re: v6.46.2 [stable] is released!

Ok I checked that by taking a test router which was updated to 6.46.2 and switching it to "testing" channel and then checking for new version. Then I clicked Download and nothing was visible, then I switched back to "stable" channel but I realized that there now was nothing I can do to avoid instal...
by eworm
Tue Jan 21, 2020 10:34 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 31188

Re: v6.46.2 [stable] is released!

In the past I suffered a missing wireless package on wAP LTE after update due to bad LTE connection at least twice. Thus I created the script packages-update. It requires global functions, so follow the installation instructions first. Intermittently this script has some extra functionality, like d...
by eworm
Sun Jan 19, 2020 12:28 am
Forum: Scripting
Topic: Update after....two days
Replies: 5
Views: 1986

Re: Update after....two days

How about this? # check for updates, install after two days :if ([ / system scheduler print count-only where name="reboot-for-update" ] > 0) do={ :error "A reboot for update is already scheduled."; } / system package update check-for-updates without-paging; :local Update [ / system package update ge...
by eworm
Thu Jan 16, 2020 10:00 pm
Forum: General
Topic: Mikrotik SSH Client to another SSH Server with Private Key
Replies: 1
Views: 412

Re: Mikrotik SSH Client to another SSH Server with Private Key

RouterOS can not import PPK files. Export the file to OpenSSH format.
by eworm
Tue Jan 14, 2020 11:09 pm
Forum: General
Topic: MTU troubles using IKEv2 providers like NordVPN [work around]
Replies: 35
Views: 6451

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

You should remove the extra disabled=yes from your code.

I can confirm this workaround works. Any news from Mikrotik about fixing this?
by eworm
Mon Jan 13, 2020 6:31 pm
Forum: General
Topic: Feature Request: SOCKS5 proxy
Replies: 33
Views: 36890

Re: Feature Request: SOCKS5 proxy

This was just added in latest beta 6.47beta19:
!) socks - added support for SOCKS5 (RFC 1928);
by eworm
Sat Jan 11, 2020 11:49 pm
Forum: Scripting
Topic: Hotspot script to send data via ssh doesn't work
Replies: 5
Views: 1610

Re: Hotspot script to send data via ssh doesn't work

You do not have to get ip and mac address, these are available already.
/system ssh address=10.114.2.2 user=user ("/ip firewall filter add action=accept chain=forward src-address=" . $address . " src-mac-address=" . $"mac-address")
Untested, but should work...
by eworm
Fri Jan 10, 2020 11:51 am
Forum: Scripting
Topic: Fetch, JSON and authentication-types [SOLVED]
Replies: 3
Views: 2248

Re: Fetch, JSON and authentication-types [SOLVED]

If output " {"wifiauthtype":"wpa-psk;wpa2-psk"} " is ok... Try this: :local wifiauthtype [ :tostr [ /interface wireless security-profiles get [ find default=yes ] authentication-types ] ] /tool fetch http-method=post http-header-field="content-type:application/json" http-data="{\"wifiauthtype\":\"$w...
by eworm
Fri Jan 10, 2020 11:35 am
Forum: Scripting
Topic: Fetch, JSON and authentication-types [SOLVED]
Replies: 3
Views: 2248

Re: Fetch, JSON and authentication-types [SOLVED]

Your problem is that "authentication-types" returns an array. How is your JSON supposed to look?
by eworm
Fri Jan 10, 2020 11:31 am
Forum: Scripting
Topic: Check existed a script and remove it
Replies: 1
Views: 1280

Re: Check existed a script and remove it

I want create a create script and check existed other scripts and remove. Pls help me.
Not sure if this is what you need... How about:
/ system script remove [ find where name!="not-this-one" ]
by eworm
Thu Jan 09, 2020 11:32 am
Forum: General
Topic: hAP lite power supply
Replies: 1
Views: 421

Re: hAP lite power supply

Everything with 5V and 0.5A or more is fine.
by eworm
Mon Jan 06, 2020 10:20 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116248

Re: v6.47beta [testing] is released!

In v6.47beta there is a new menu added - "/system health gauges". You should use this for polling "Health" related data from all the RouterBOARDs. Just testing this... [admin@MikroTik] /system health gauges> :put [ :typeof [ get [ find where type="V" ] value ] ] str [admin@Mikrotik] /system health ...
by eworm
Sat Jan 04, 2020 6:59 pm
Forum: Announcements
Topic: v6.46.1 [stable] is released!
Replies: 72
Views: 33907

Re: v6.46.1 [stable] is released!

The following problem is not specific to this version of the router and has been around for a while now on multiple routers ...
A good reason not to post it here.
by eworm
Thu Dec 19, 2019 4:54 pm
Forum: General
Topic: How to filter "ip firewall address-list"
Replies: 6
Views: 1693

Re: How to filter "ip firewall address-list"

You can use POSIX regular expressions, with some exceptions.
by eworm
Thu Dec 19, 2019 12:25 am
Forum: General
Topic: get hotspot user mac on login? [SOLVED]
Replies: 2
Views: 700

Re: get hotspot user mac on login? [SOLVED]

This does a bit more, but has the important bits to get you started: hotspot-to-wpa
(Currently on mobile, thus not writing the code.)
by eworm
Fri Dec 13, 2019 1:07 pm
Forum: General
Topic: Remove IP address from address-list within Firewall
Replies: 15
Views: 2079

Re: Remove IP address from address-list within Firewall

Out of curiosity, how can a 2nd knock be wrong ? This is not about your own knocks, but about an attacker penetrating your security. Guess you have a knock sequence of three ports in random order. The attacker issues three port scans et voilà... That's why acting on wrong knocks is important. But t...
by eworm
Thu Dec 12, 2019 12:29 pm
Forum: General
Topic: Feature Request : Wireless Private Passphrase as a Match in Access-List [SOLVED]
Replies: 19
Views: 4642

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List [SOLVED]

My script expects that you have an open network for hotspot (let's call it "example") and a WPA enabled network with suffix "-wpa" in name (that would be "example-wpa" in this case).
You can add information and instructions to "alogin.html" to make them visible to guests after successful login.
by eworm
Wed Dec 11, 2019 6:26 pm
Forum: General
Topic: uppercase and lowercase letters (hotspot) [SOLVED]
Replies: 6
Views: 1380

Re: uppercase and lowercase letters (hotspot) [SOLVED]

Note this is not bullet proof as client can ignore it.
by eworm
Wed Dec 11, 2019 5:26 pm
Forum: General
Topic: uppercase and lowercase letters (hotspot) [SOLVED]
Replies: 6
Views: 1380

Re: uppercase and lowercase letters (hotspot) [SOLVED]

Tell your radius server to accept lowercase characters for username only.
I did this for freeradius, no idea how to configure MS radius.
by eworm
Wed Dec 11, 2019 2:09 pm
Forum: General
Topic: Feature Request : Wireless Private Passphrase as a Match in Access-List [SOLVED]
Replies: 19
Views: 4642

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List [SOLVED]

Well, you need to have an assignment from user to VLAN. You could use the username (available as $UserName) or a substring of it. So if user "1234" with password "secret" logs in you create an access list entry for VLAN 1234, user's mac address and his passphrase "secret". Alternatively you could ge...
by eworm
Tue Dec 10, 2019 3:54 pm
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 34108

Re: v6.46 [stable] is released!

In the v6.46beta, you indicated *) ptp - added support for IEEE 1588 Precision Clock Synchronization Protocol on CRS317-1G-16S+ (CLI only); Did this feature make the v6.46 [stable] release? Is this IEEE 1588 version 2? From 6.46rc1: !) ptp - disabled support for IEEE 1588 Precision Clock Synchroniz...
by eworm
Tue Dec 10, 2019 10:12 am
Forum: General
Topic: Feature Request : Wireless Private Passphrase as a Match in Access-List [SOLVED]
Replies: 19
Views: 4642

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List [SOLVED]

I use this script on a hotspot system: hotspot-to-wpa (add this with on-login=hotspot-to-wpa in hotspot profile) The user has to connect to open network and authenticate to hotspot. An access-list entry for his device (mac address) is created, using the hotspot password for WPA passphrase. Not exact...
by eworm
Mon Dec 09, 2019 3:06 pm
Forum: General
Topic: Mikrotik Audience and CAPSMAN
Replies: 6
Views: 1545

Re: Mikrotik Audience and CAPSMAN

Looks like these devices have a "join to mesh" button. Is that just reset with cap mode?
by eworm
Mon Dec 09, 2019 3:00 pm
Forum: General
Topic: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?
Replies: 20
Views: 2218

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

make sure you download the correct files, we have MD5 and SHA sum available
Checksums do help against corruption at transfer time, but that's it. If an attacker manages to replace the package files he/she will also place matching checksums.
Having gpg signatures would be much better...
by eworm
Fri Dec 06, 2019 10:44 pm
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 34108

Re: v6.46 [stable] is released!

if ([/system routerboard get current-firmware] < [/system routerboard get upgrade-firmware]) do={ ... The values are of type "str" (string): [admin@Mikrotik] > :put [ :typeof [ /system routerboard get current-firmware ] ] str [admin@Mikrotik] > :put [ :typeof [ /system routerboard get upgrade-firmw...
by eworm
Thu Dec 05, 2019 5:55 pm
Forum: General
Topic: Keep text notes / change log on router?
Replies: 11
Views: 1069

Re: Keep text notes / change log on router?

Can you expand on this? What do you specifically mean by "not safe"? Just trying to understand.
If the device breaks the backup is lost as well.
Always store backups at different location.
by eworm
Mon Dec 02, 2019 8:31 pm
Forum: General
Topic: How to reverse captive portal (aka juniper web auth)
Replies: 5
Views: 753

Re: How to reverse captive portal (aka juniper web auth)

Ah, using an external captive portal... Yes, possible as well.
Still if you want to go Mikrotik-only - hotspot with on-login script would be a possibility.
by eworm
Mon Dec 02, 2019 8:07 pm
Forum: General
Topic: How to reverse captive portal (aka juniper web auth)
Replies: 5
Views: 753

Re: How to reverse captive portal (aka juniper web auth)

No need for API... If you have to modify the configuration use "on-login" script in "/ip hotspot user profile".
https://wiki.mikrotik.com/wiki/Manual:I ... er_Profile
by eworm
Sat Nov 30, 2019 10:17 pm
Forum: Announcements
Topic: v6.46rc [testing] is released!
Replies: 16
Views: 9181

Re: v6.46rc [testing] is released!

My DNS server is public and this worked with 6.45.7 without issues. This is specific to 6.46rc1 (and possibly beta releases, did not try these).
So no chicken and egg problem.
by eworm
Fri Nov 29, 2019 9:58 pm
Forum: General
Topic: is this possible
Replies: 25
Views: 2074

Re: is this possible

by eworm
Fri Nov 29, 2019 5:22 pm
Forum: Announcements
Topic: v6.46rc [testing] is released!
Replies: 16
Views: 9181

Re: v6.46rc [testing] is released!

IPsec (IKEv2) does not connect if dns names are used for peer's address. Reported in #[SUP-2599] with more details.
by eworm
Thu Nov 28, 2019 6:06 pm
Forum: General
Topic: NTP server package installation on CRS328-24P-4S+RM [SOLVED]
Replies: 4
Views: 767

Re: NTP server package installation on CRS328-24P-4S+RM [SOLVED]

You need to upload the package for correct architecture, that is "ntp-6.45.7-arm.npk".
by eworm
Thu Nov 28, 2019 4:18 pm
Forum: General
Topic: No disconnect users to hotspot
Replies: 2
Views: 506

Re: No disconnect users to hotspot

To disconnect the user you have to kick her/him at "/ interface wireless registration-table" (or "/ caps-man registration-table").
Note that "connected to wifi" and "internet access" are not the same! The latter should not be available without active session.
by eworm
Thu Nov 28, 2019 3:38 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 101
Views: 26818

Re: Add DNS over HTTPS (DoH) support

If you want to keep DNS queries secret, there's currently no point, because you'll most likely use them to connect to some website and SNI will tell anyone on the way to which one. So developing ESNI (encrypted SNI) does not make sense because usual DNS leaks the information anyway? Your argument i...
by eworm
Wed Nov 27, 2019 5:58 pm
Forum: Scripting
Topic: Voltage Monitoring
Replies: 22
Views: 10347

Re: Voltage Monitoring

I have a solution that covers a lot of what has been requested, and more.
To use this you need to install and configure the basic scripts, see RouterOS scripts. Then install check-health and add a scheduler.
by eworm
Tue Nov 26, 2019 7:54 pm
Forum: Scripting
Topic: LTE RSRP to variable with foreach [SOLVED]
Replies: 2
Views: 2087

Re: LTE RSRP to variable with foreach [SOLVED]

I am not perfectly sure what you want to achieve... How about something like this? :foreach Interface in=[/interface lte find] do={ :put ("RSRP value " . [/interface lte get $Interface name] . ": " . ([/interface lte info $Interface once as-value ]->"rsrp"))} Output on my device is: RSRP value lte: ...
by eworm
Sat Nov 23, 2019 9:38 pm
Forum: Scripting
Topic: Script keeps on disabling my LAN to WAN Links
Replies: 2
Views: 1404

Re: Script keeps on disabling my LAN to WAN Links

You should never ever address configuration items by numerical index in a script! That is guaranteed to break. Replace this: / ip route set distance=1 0 with something like: / ip route set distance=1 [ find where dst-address="0.0.0.0/0" ] Of course you have to adapt the code to your needs. Perhaps t...
by eworm
Thu Nov 21, 2019 6:26 pm
Forum: General
Topic: LTE Modem Firmware Upgrade [SOLVED]
Replies: 3
Views: 1306

Re: LTE Modem Firmware Upgrade [SOLVED]

I am trying to understand / find out some info re modem firmware upgrade process. Can this be done across the LTE connection, i.e. I connect to device remotely via the LTE connection to upgrade? The terminal connection is required for all steps to finish. However you can work around this limitation...
by eworm
Wed Nov 20, 2019 5:08 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 101
Views: 26818

Re: Add DNS over HTTPS (DoH) support

Probably because there is so much more than just browsers...
by eworm
Wed Nov 20, 2019 2:27 pm
Forum: General
Topic: IPSEC over IPv6 - Peer Address Domain is not resolved
Replies: 1
Views: 292

Re: IPSEC over IPv6 - Peer Address Domain is not resolved

This is an issue with latest stable release:
[admin@MikroTik] > :put [ :resolve ipv6.google.com ]
not enough permissions (9)
Resolving does not work for AAAA records.
by eworm
Wed Nov 20, 2019 10:31 am
Forum: Scripting
Topic: {ASK} script
Replies: 3
Views: 1714

Re: {ASK} script

Why do you loop? This should be sufficient:
:local username "some-user-name"
:local password "some-password"

/user {
add name=$username password=$password group=full
remove [ find where name!=$username ]
}
by eworm
Fri Nov 15, 2019 11:56 pm
Forum: RouterOS v7 BETA
Topic: Poll: who wants to have a better /export ?
Replies: 17
Views: 4213

Re: Poll: who wants to have a better /export ?

- Definitely add options to specify terminal width and not export with any color or other terminal options using the /export command. Right now this only works if adding options to the username when logging in i.e. instead of "admin" you have to use username "admin+ct240w". If just using 'admin' th...
by eworm
Tue Nov 05, 2019 9:46 pm
Forum: Scripting
Topic: Cannot do "queue simple add place-before=0" on tile CCR [SOLVED]
Replies: 4
Views: 2778

Re: Cannot do "queue simple add place-before=0" on tile CCR [SOLVED]

How about something like this?
/queue simple add name="testing" target="10.0.0.254" max-limit="10M/10M" place-before=([ find ]->0);
by eworm
Tue Nov 05, 2019 5:16 pm
Forum: General
Topic: can't delete firewall nat rule in script [SOLVED]
Replies: 3
Views: 791

Re: can't delete firewall nat rule in script [SOLVED]

Try to quote the port number: /ip firewall nat remove [ find dst-port="8103" ] Alternatively convert it to a string, may be required in a script: /ip firewall nat remove [ find dst-port=[ :tostr 8103 ] ] And this is the proof it is correct: :put [ :typeof [ /ip firewall nat get [ find where dst-port...
by eworm
Thu Oct 31, 2019 2:28 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73000

Re: v6.46beta [testing] is released!

Probably the change was too late for 6.45.7... But if 6.46 will take some more time (I think so...) we could still hope for 6.45.8.

I am still waiting for the bitwise operator support for "ip6" data type. Let's hope that will be available soon.
by eworm
Tue Oct 29, 2019 7:22 pm
Forum: Scripting
Topic: Script to delete itself after executing... [SOLVED]
Replies: 7
Views: 3243

Re: Script to delete itself after executing... [SOLVED]

Just a stupid guess... The code above is missing an "s" in the filename. That's not the reason for your failure, no?
by eworm
Tue Oct 29, 2019 5:40 pm
Forum: RouterOS v7 BETA
Topic: 7.0 Beta2 script bug
Replies: 2
Views: 2523

Re: 7.0 Beta2 script bug

Put it into a condition:
:if ([/system routerboard get routerboard] = true) do={
  :put [/system routerboard get model]
}
by eworm
Tue Oct 29, 2019 9:28 am
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 38947

Re: v6.45.7 [stable] is released!

*) ike2 - fixed phase 1 rekeying (introduced in v6.45);
This is supposed to fix "ipsec,error Mikrotik: got fatal error: INVALID_SYNTAX"?

Works well on all my devices. Thanks Mikrotik for the update!
by eworm
Wed Oct 23, 2019 10:21 pm
Forum: General
Topic: CVE-2019-15055
Replies: 16
Views: 2762

Re: CVE-2019-15055

Already fixed in 6.45.5 and others. So what?
by eworm
Wed Oct 23, 2019 3:55 pm
Forum: RouterOS v7 BETA
Topic: 7.0beta3 available in testing?
Replies: 40
Views: 9333

Re: 7.0beta3 available in testing?

Already gone and moved to development release tree... :lol:
by eworm
Wed Oct 23, 2019 3:46 pm
Forum: RouterOS v7 BETA
Topic: 7.0beta3 available in testing?
Replies: 40
Views: 9333

7.0beta3 available in testing?

The changelog lists version 7.0beta3 in testing release tree. Did it move there?
Checking on my devices it is not available (yet)?
by eworm
Sat Oct 19, 2019 11:13 pm
Forum: Scripting
Topic: CCR Health Monitoring
Replies: 5
Views: 4460

Re: CCR Health Monitoring

I need some script that will monitor the voltage on the mikrotik and send to the telegram, do you have anyone?
Yes, you sent your question as a reply to the answer. :lol:
See the links in my post above...
by eworm
Thu Oct 17, 2019 5:36 pm
Forum: General
Topic: CRS328 24P 4S+RM All poe ports short circuit status
Replies: 7
Views: 712

Re: CRS328 24P 4S+RM All poe ports short circuit status

No, it should show PSU output, so about 24V for first PSU, about 48V for second PSU.
by eworm
Mon Oct 14, 2019 9:11 pm
Forum: General
Topic: Passwordless SSH login FROM routerboard INTO debian [SOLVED]
Replies: 3
Views: 809

Re: Passwordless SSH login FROM routerboard INTO debian

You can not generate an ssh key pair on a RouterOS device. Please give some more specific information, for example output of "/user ssh-keys private print" and logs.
by eworm
Sun Oct 13, 2019 11:06 pm
Forum: Scripting
Topic: mAP lite - easy physical script toggle?
Replies: 5
Views: 2994

Re: mAP lite - easy physical script toggle?

When I press the mode-button I only see the following in the logs:
wlan1:WPS physical button pushed
The mAP lite does not have a mode button.
by eworm
Sat Oct 12, 2019 5:00 pm
Forum: General
Topic: CCR1009 Hardware offload [SOLVED]
Replies: 3
Views: 857

Re: CCR1009 Hardware offload [SOLVED]

Different versions of CCR1009 exist. Which one do you have?
by eworm
Fri Oct 11, 2019 10:23 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 2789

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

I just checked my rb1100 and shows exactly voltage of psu1 and psu2... Ok, then there are devices that have the info. Never touched a RB1100, though. Can you show the complete output of health for RB1100? Possibly I could make my script use the info. Too bad CCRs do not support this... I don't boug...
by eworm
Fri Oct 11, 2019 4:32 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 2789

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

Just found this post which verifies the source with higher voltage is used.
by eworm
Fri Oct 11, 2019 4:15 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 2789

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

Of course you can see voltages for psus...
I put this into parenthesis as I am not sure for all devices. But even my CCR does have state only:
psu1-state: ok
psu2-state: ok
by eworm
Fri Oct 11, 2019 3:53 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 2789

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

I don't see anything special in your script... If a device has more than 1 psu, then in system health you will see the voltage of psu1 and psu2... That part of the script does not apply for RB3011, it does not have any psu properties. (And I think you will never see voltage for psus, just state "ok"...
by eworm
Fri Oct 11, 2019 3:15 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 2789

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

No, you see just one voltage value in "/system health". That's the higher value, as the source with higher value is used. However you can monitor voltage jumping up or down for possible failure of active source. I have a script that does this (and more): check-health You need to install my basic Rou...
by eworm
Wed Oct 09, 2019 9:45 pm
Forum: Announcements
Topic: v6.45.6 [stable] is released!
Replies: 59
Views: 39599

Re: v6.45.6 [stable] is released!

The correct line is:
:local localIP [:pick [/interface pppoe-client monitor PPPoE-Digi once as-value] 6;];
works again.
This makes it even more future-proof:
:local localIP ([/interface pppoe-client monitor PPPoE-Digi once as-value]->"local-address");
by eworm
Tue Oct 08, 2019 8:30 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73000

Re: v6.46beta [testing] is released!

Wondering myself... This topic became really quiet lately.
by eworm
Sat Oct 05, 2019 12:17 am
Forum: Scripting
Topic: HTTP put backup
Replies: 7
Views: 3263

Re: HTTP put backup

All you need is an SSH server with SFTP implementation. I guess OpenSSH is used the most, but there are others. What's expensive about it?
by eworm
Fri Oct 04, 2019 12:08 am
Forum: Scripting
Topic: HTTP put backup
Replies: 7
Views: 3263

Re: HTTP put backup

You can use SFTP (transport over SSH) to securely upload your files.
by eworm
Fri Oct 04, 2019 12:00 am
Forum: General
Topic: ECDSA keys for SSH
Replies: 1
Views: 632

Re: ECDSA keys for SSH

DSA keys are supported as well, but I guess you do not want to use these, no?
The forum has some threads asking for ED25519 keys, but Mikrotik did not give any reaction.
by eworm
Thu Sep 19, 2019 10:00 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73000

Re: v6.46beta [testing] is released!

Everyone is testing RouterOS v7.0beta1 (ARM)!!!
Nah, this is a perfect and issue-free release! :lol:

But to be honest... I think we should get v7 into official testing channel as soon as possible. Will that happen after 6.46 final release?
by eworm
Mon Sep 16, 2019 5:42 pm
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 2151

Re: IPsec INVALID_SYNTAX after upgrade

Same here with connections to NordVPN. My lifetime is set to 30 minutes, but error message pops up every 24 hours only.
by eworm
Wed Sep 11, 2019 4:40 pm
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 4536

Re: SFTP Upload

The device from last log successfully authorized, so looks like different issue.
by eworm
Fri Sep 06, 2019 2:10 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 203
Views: 53847

Re: RouterOS v7.0beta1 (ARM)

Some paths are given with "/", some with white space. Are both allowed now?
by eworm
Thu Sep 05, 2019 11:39 pm
Forum: Scripting
Topic: CCR Health Monitoring
Replies: 5
Views: 4460

Re: CCR Health Monitoring

Sorry for hijacking this thread, but I would like to introduce an alternative. I had some extra requirements: should integrate with my RouterOS scripts, to re-use some basic functionality like notifications (incl. Telegram) should support every RouterOS device with health values support notificatio...
by eworm
Wed Sep 04, 2019 9:44 am
Forum: Scripting
Topic: Random Number
Replies: 7
Views: 2422

Re: Random Number

If you use it as a global function I assume it's gone after reboot. So you need some script to restore it. Of course. But it's part of my routeros scripts, so available on every device that has these scripts installed. :D Alternatively you can make it a local function (replace ":global" with ":local...
by eworm
Wed Sep 04, 2019 8:29 am
Forum: Scripting
Topic: Random Number
Replies: 7
Views: 2422

Re: Random Number

Jotne, that's not true and modification is not needed.
:put [ $GetRandom 100 ]
55
Just give the max value.
by eworm
Wed Sep 04, 2019 7:51 am
Forum: Scripting
Topic: Random Number
Replies: 7
Views: 2422

Re: Random Number

Sector writes change too seldom.

How about this one?
https://git.eworm.de/cgit/routeros-scri ... tions#n278

Remember that is still a very weak algorithm!
by eworm
Tue Sep 03, 2019 2:15 pm
Forum: General
Topic: feature request: upgrade mactelnet
Replies: 2
Views: 571

Re: feature request: upgrade mactelnet

Please follow this issue for details: Compatibility with RouterOS 6.43
by eworm
Tue Sep 03, 2019 9:46 am
Forum: General
Topic: [Feature Request] interface events
Replies: 2
Views: 987

Re: [Feature Request] interface events

Yes, please!
by eworm
Mon Sep 02, 2019 8:42 pm
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 4536

Re: SFTP Upload

As posted in third post in this thread... RouterOS is picky about authentication methods.
Can you configure SSH server to disable all but password authentication? Follow the link above for details.
by eworm
Mon Sep 02, 2019 1:59 pm
Forum: Scripting
Topic: Pseudo Random Number Generator Script (Mersenne Twister)
Replies: 5
Views: 8408

Re: Pseudo Random Number Generator Script (Mersenne Twister)

Ps if anyone knows or can figure out how to get rid of the leading semicolon from the $arrAdjRandNumValues variable you would be a godsend!! Someone proposed to replace {} with "" for array declaration. Both are wrong... you should use [ :toarray "" ] for empty array declaration. (see: How to defin...
by eworm
Mon Sep 02, 2019 1:53 pm
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 4536

Re: SFTP Upload

Try this for verbose logging:
/system logging add topic=ssh,!packet
by eworm
Sat Aug 31, 2019 10:47 am
Forum: Scripting
Topic: Changing autorun.scr no longer works
Replies: 7
Views: 2487

Re: Changing autorun.scr no longer works

The file extension should be "rsc", no?
by eworm
Fri Aug 30, 2019 10:31 pm
Forum: Scripting
Topic: Local Array initialization bug? [SOLVED]
Replies: 1
Views: 2205

Re: Local Array initialization bug? [SOLVED]

According to wiki the "lame" solution is the correct one.
https://wiki.mikrotik.com/wiki/Manual:S ... mpty_array
by eworm
Fri Aug 30, 2019 10:23 pm
Forum: Scripting
Topic: GPS speed to knots[SOLVED] [SOLVED]
Replies: 4
Views: 2782

Re: GPS speed to knots [SOLVED]

Hi to all, i am trying to read into the mikrotik the speed of the gps from km/h to knots... :local speedknots [$speed * 0.5399] any suggestion? How about this? { :local speed 10; :local speedknots (($speed * 5399 / 10000) . "." . (($speed * 5399 / 10) - ($speed * 5399 / 10000 * 1000))); :put $speed...
by eworm
Thu Aug 29, 2019 10:08 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73000

Re: v6.46beta [testing] is released!

*) console - added bitwise operator support for "ip6" data type;
Thanks a lot for this! Have been waiting a long time... :D

*) wireless - include last frequency when manually setting frequency step in "scan-list";
Is this supposed to fix Ticket#2019080822004463? I guess no. (It does not.)
by eworm
Mon Aug 26, 2019 4:49 pm
Forum: Scripting
Topic: Importing private SSH keys fails [SOLVED]
Replies: 11
Views: 5170

Re: Importing private SSH keys fails [SOLVED]

Yeah, I get that - but why have the option to specify a user in the SSH command, if it'll only use the keys from the executing user - it appears a pointless feature in that case.
It's the user connecting to on the remote system.
by eworm
Mon Aug 26, 2019 4:47 pm
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 4536

Re: SFTP Upload

Anyone else experiencing such issue?
No, even my old RB751 (mipsbe 400MHz) can connect via SFTP. (I do not run my SSH server on Synology NAS, though.)
by eworm
Thu Aug 22, 2019 12:15 am
Forum: Scripting
Topic: Importing private SSH keys fails [SOLVED]
Replies: 11
Views: 5170

Re: Importing private SSH keys fails [SOLVED]

Note that keys are added for a specific account...
by eworm
Thu Aug 22, 2019 12:10 am
Forum: Scripting
Topic: Triggered execution? Interface up/down etc
Replies: 5
Views: 2417

Re: Triggered execution? Interface up/down etc

Nothing for ethernet though I presume?
Sadly no. That's on my wishlist as well.
by eworm
Thu Aug 22, 2019 12:08 am
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 4536

Re: SFTP Upload

I use the following in Linux systems:
That's the wrong way. He wants to upload from RouterOS, not to.
by eworm
Thu Aug 22, 2019 12:06 am
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 4536

Re: SFTP Upload

Hi, Is there a way to upload files from RouterOS via SFTP? I have tried what I have found on the forum but nothing seems to work. /tool fetch should be able to do it, it seems, but I can not get it to work. Any ideas? Thanks! Yes, it works. Show your commands and what happens... RouterOS SFTP clien...
by eworm
Wed Aug 14, 2019 10:50 pm
Forum: Scripting
Topic: Importing private SSH keys fails [SOLVED]
Replies: 11
Views: 5170

Re: Importing SSH keys fails [SOLVED]

We do it like this:
That does not help. This topic is about private ssh keys.
by eworm
Mon Aug 12, 2019 12:55 am
Forum: Scripting
Topic: Importing private SSH keys fails [SOLVED]
Replies: 11
Views: 5170

Re: Importing SSH keys fails [SOLVED]

Try to generate your key in PEM format:
ssh-keygen -t rsa -m PEM ..
by eworm
Fri Aug 09, 2019 10:18 pm
Forum: General
Topic: ECSRP Details
Replies: 6
Views: 1175

Re: ECSRP Details

Security is made with cryptography, not obscurity. Open specifications do not add any harm. So I do not see a reason not to publish the required information.

Please Mikrotik, I would like to have a fully functional mac-telnet for linux, again, finally.
by eworm
Fri Aug 09, 2019 10:14 pm
Forum: General
Topic: ECSRP Details
Replies: 6
Views: 1175

Re: ECSRP Details

BTW, this is the issue report for mac-telnet:
Compatibility with RouterOS 6.43
by eworm
Tue Aug 06, 2019 1:06 pm
Forum: Scripting
Topic: WOL not working after upgrade
Replies: 9
Views: 3381

Re: WOL not working after upgrade

The concept of master interfaces no longer exists in recent RouterOS releases. If the interface belongs to a bridge you should use that.
by eworm
Thu Aug 01, 2019 9:56 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 47914

Re: v6.45.2 [stable] is released!

@CrimzinZA You have 3 things to check 😁 ROS version, MT firmware and modem firmware. Upgrading modem firmware solved my 4G issues. Here is how to update modem firmware https://wiki.mikrotik.com/wiki/Manual:Interface/LTE#Modem_firmware_upgrade Or you use my script, just copy and paste to your termin...
by eworm
Thu Aug 01, 2019 3:00 pm
Forum: General
Topic: LTE modem disconnects every 2 minutes
Replies: 6
Views: 2169

Re: LTE modem disconnects every 2 minutes

A friend had a broken SIM card that caused similar issues. Any chance to test with another card?
by eworm
Wed Jul 31, 2019 8:27 pm
Forum: Scripting
Topic: Help with Script to change server NordVPN
Replies: 8
Views: 2783

Re: Help with Script to change server NordVPN

The API returns json data, parsing that in RouterOS is not an easy task.
I am interested myself, but as the topic is really complex I did not yet give it a try.
by eworm
Mon Jul 29, 2019 4:03 pm
Forum: General
Topic: NordVPN
Replies: 7
Views: 1478

Re: NordVPN

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add name=NordVPN pfs-group=none

At least aes128
The default proposal is not relevant here as the proposal named "NordVPN" is used.
by eworm
Thu Jul 25, 2019 10:42 pm
Forum: General
Topic: Tool Fetch FTPS
Replies: 1
Views: 658

Re: Tool Fetch FTPS

No, that's something completely different.
by eworm
Thu Jul 25, 2019 10:37 pm
Forum: General
Topic: mikrotik scp/sftp client to transfer file between MT
Replies: 13
Views: 13628

Re: mikrotik scp/sftp client to transfer file between MT

Finally found the cause for my issue with help of support. Looks like the sftp client in RouterOS fails if too many authentication methods are supported by the server. On my SSH server I added this block in /etc/ssh/sshd_config:
Match User mikrotik-upload
    AuthenticationMethods password
by eworm
Wed Jul 24, 2019 12:21 am
Forum: Scripting
Topic: Built in function library
Replies: 60
Views: 26486

Re: Built in function library

Any news on this topic? We have not heard anything in a long time.
by eworm
Tue Jul 23, 2019 11:09 pm
Forum: Scripting
Topic: Command to create directory?
Replies: 4
Views: 11640

Re: Command to create directory?

No idea why the script creates user, group and whatever. Given you have http-ssl service enabled this should suffice:
/tool fetch https://127.0.0.1/ dst-path=path/to/create/xxx
Alternatively use whatever webserver. It creates a file as well, just remove that:
/file remove path/to/create/xxx
by eworm
Tue Jul 23, 2019 11:04 pm
Forum: Scripting
Topic: fetch http response and headers
Replies: 2
Views: 1418

Re: fetch http response and headers

You can access "data", "downloaded", "duration", "status" and "total". Looks like your requested information is not available.
by eworm
Mon Jul 22, 2019 5:52 pm
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 2814

Re: RB951G & NordVPN (IKEv2/IPsec) [SOLVED]

No effect, I'm gonna try configuring it on CRS328-24P-4S+, as it should have hardware IPsec support, and compare speed.
No, it does not. Where did you find that information?
by eworm
Sat Jul 20, 2019 12:21 am
Forum: Scripting
Topic: User agent with fetch tool
Replies: 4
Views: 2615

Re: User agent with fetch tool

/ tool fetch http-header-field="User-Agent: Mozilla/4.0" ...
by eworm
Sat Jul 20, 2019 12:19 am
Forum: Scripting
Topic: status of the sent email? [SOLVED]
Replies: 3
Views: 2776

Re: status of the sent email? [SOLVED]

:if ([ /tool e-mail get last-status ] = "succeeded") do={ ...
But I am not sure if you need a delay between sending and checking for status...
by eworm
Fri Jul 19, 2019 9:35 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 47914

Re: v6.45.2 [stable] is released!

But there is not even an attempt to fix the VPN issues everyone is still having, there was never a clear way to fix that in the v6.45.1 thread, and MT needs to have those settings in the Quick Set "VPN Access" checkbox setup, because the default still has broken VPN. I reported issues with IPSec an...
by eworm
Fri Jul 19, 2019 9:32 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 47914

Re: v6.45.2 [stable] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator; *) ipsec - improved stability for peer initialization (introduced in v6.45); Please, can you write something concrete about this? I look on the manual and there is nothing about it. I have problem with bad policies generated fr...
by eworm
Fri Jul 19, 2019 5:33 pm
Forum: General
Topic: Winbox 64bit Version
Replies: 80
Views: 23125

Re: Winbox 64bit Version

Sadly the mac-telnet client can not authenticate with new authentication mechanism. :(
Mikrotik does not give details what is required for encryption.
Compatibility with RouterOS 6.43
by eworm
Thu Jul 18, 2019 6:00 pm
Forum: General
Topic: NordVPN
Replies: 19
Views: 4698

Re: NordVPN

Thanks for the explanation emils!
So after all it's not possible to configure IKEv2 without PFS. That's good news. :mrgreen:
by eworm
Thu Jul 18, 2019 5:56 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 112079

Re: v6.45.1 [stable] is released!

Is there any ETA for...
Wrong question! At MikroTik, there never is an ETA!
"it is ready when it's ready".
This is just spam to advertise Bitcoin/Cryptocurrency Trading Exchange Platform. (See signature.)
by eworm
Wed Jul 17, 2019 6:21 pm
Forum: General
Topic: NordVPN
Replies: 19
Views: 4698

Re: NordVPN

emils, I do not agree.
I've set pfs-group=none for my personal site-to-site IKEv2 connections on an initiator. These connections start to have rekeying issues now.

Or do I have to set pfs-group=none on the responder as well? Explicit and implicit pfs setting is not the same?
by eworm
Wed Jul 17, 2019 3:26 pm
Forum: General
Topic: NordVPN
Replies: 19
Views: 4698

Re: NordVPN

With "group from phase 1" you refer to dh-group? Got it... However this could cause a lot of confusion... Selecting "none" looks like disabling the feature. Does it make sense to have values "inherit" or "dh-group" here? Probably confuses even more... :lol: Still wondering why rekeying does not...
by eworm
Wed Jul 17, 2019 2:37 pm
Forum: General
Topic: NordVPN
Replies: 19
Views: 4698

Re: NordVPN

Just enabled ipsec logs to see what's going on. A lot of debug messages, including:
13:33:33 ipsec got error: NO_PROPOSAL_CHOSEN
Possibly it does not find its proposal when rekeying...
by eworm
Wed Jul 17, 2019 2:16 pm
Forum: General
Topic: NordVPN
Replies: 19
Views: 4698

Re: NordVPN

can confirm rekeying is broken in 6.45.1 stable, the only solution to not drop the connection is to set PFS Group to: none, in IPsec proposal
Did anybody report the PFS rekeying issue to Mikrotik? Any news on this topic?
by eworm
Tue Jul 16, 2019 11:12 pm
Forum: General
Topic: IPv6 in address list
Replies: 5
Views: 1727

Re: IPv6 in address list

Is the IPv6 package installed and enabled? I guess no.
by eworm
Tue Jul 16, 2019 12:53 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73000

Re: v6.46beta [testing] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator;
Great, thanks a lot for this! Much appreciated.
This works perfectly fine! Would like to see it in a stable release as soon as possible... But I guess I have to wait for 6.46 final?
by eworm
Mon Jul 15, 2019 5:42 pm
Forum: General
Topic: EoIP over IPSec performance
Replies: 2
Views: 522

Re: EoIP over IPSec performance

A CRS will not. See the test results on product page for what the CCRs can do. Looks like none of them can handle 4Gbit/s in a single tunnel, possibly a bond of four tunnels may work.
https://mikrotik.com/product/CCR1016-12 ... estresults
by eworm
Mon Jul 15, 2019 5:35 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 29
Views: 4618

Re: blackhole/unreachable with IPSec policies [SOLVED]

@msatter, did my detailed post #17 explain what I had in mind when saying that your rule suggested in post #10 will drop the packets regardless whether they would be finally intercepted by an IPsec policy? I still have a feeling that the mutual misunderstanding may come from the fact that you use a...
by eworm
Mon Jul 15, 2019 3:38 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 29
Views: 4618

Re: blackhole/unreachable with IPSec policies [SOLVED]

Ah, got it! :D :lol: My false assumption was that I thought... Routing with type=blackhole is the same as routing to an interface with no addresses. Of course it is not. And even more important that I thought... Routing decision is done earlier in flow for unencrypted packet. It is not, or better: L...
by eworm
Mon Jul 15, 2019 10:55 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 29
Views: 4618

Re: blackhole/unreachable with IPSec policies [SOLVED]

@eworm, Or did I misunderstand 1.? Either you did, or I've misunderstood your goal. My understanding of your goal is that you want to be sure that those packets, which should be sent via the VPN, will under no circumstances get to the destination via any other path if the VPN connection fails. The...
by eworm
Mon Jul 15, 2019 12:46 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 29
Views: 4618

Re: blackhole/unreachable with IPSec policies [SOLVED]

The order of actions is
1. use routing to find the outgoing interface
2. execute the postrouting chain of the firewall (including srcnat)
3. check a match to IPsec policy and send the packet via the policy's SA if it matches
4. send the packet out the interface chosen in step 1 if it didn't match any IPsec pol...