Community discussions

Search found 392 matches

by eworm
Thu Oct 17, 2019 5:36 pm
Forum: General
Topic: CRS328 24P 4S+RM All poe ports short circuit status
Replies: 7
Views: 340

Re: CRS328 24P 4S+RM All poe ports short circuit status

No, it should show PSU output, so about 24V for first PSU, about 48V for second PSU.
by eworm
Mon Oct 14, 2019 9:11 pm
Forum: General
Topic: Passwordless SSH login FROM routerboard INTO debian [SOLVED]
Replies: 3
Views: 338

Re: Passwordless SSH login FROM routerboard INTO debian

You can not generate ssh key pair on RouterOS device. Please give some more specific information, for example output of "/user ssh-keys private print" and logs.
by eworm
Sun Oct 13, 2019 11:06 pm
Forum: Scripting
Topic: mAP lite - easy physical script toggle?
Replies: 5
Views: 1274

Re: mAP lite - easy physical script toggle?

When I press the mode-button I only see the following in the logs:
wlan1:WPS physical button pushed
The mAP lite does not have a mode button.
by eworm
Sat Oct 12, 2019 5:00 pm
Forum: General
Topic: CCR1009 Hardware offload [SOLVED]
Replies: 3
Views: 333

Re: CCR1009 Hardware offload [SOLVED]

Different versions of CCR1009 exist. Which one do you have?
by eworm
Fri Oct 11, 2019 10:23 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 1117

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

I just checked my rb1100 and shows exactly voltage of psu1 and psu2... Ok, then there are devices that have the info. Never touched a RB1100, though. Can you show the complete output of health for RB1100? Possibly I could make my script use the info. Too bad CCRs do not support this... I don't boug...
by eworm
Fri Oct 11, 2019 4:32 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 1117

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

Just found this post which verifies the source with higher voltage is used.
by eworm
Fri Oct 11, 2019 4:15 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 1117

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

Of course you can see voltages for psus...
I put this into parenthesis as I am not sure for all devices. But even my CCR does have state only:
psu1-state: ok
psu2-state: ok
by eworm
Fri Oct 11, 2019 3:53 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 1117

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

I don't see anything special in your script... If a device has more than 1 psu, then in system health you will see the voltage of psu1 and psu2... That part of the script does not apply for RB3011, it does not have any psu properties. (And I think you will never see voltage for psus, just state "ok"...
by eworm
Fri Oct 11, 2019 3:15 pm
Forum: Scripting
Topic: RB3011 Can I monitorize voltage from DC and from POE IN?
Replies: 13
Views: 1117

Re: RB3011 Can I monitorize voltage from DC and from POE IN?

No, you see just one voltage value in "/system health". That's the higher value, as the source with higher value is used. However you can monitor voltage jumping up or down for possible failure of active source. I have a script that does this (and more): check-health You need to install my basic Rou...
by eworm
Wed Oct 09, 2019 9:45 pm
Forum: Announcements
Topic: v6.45.6 [stable] is released!
Replies: 48
Views: 21104

Re: v6.45.6 [stable] is released!

The correct line is:
:local localIP [:pick [/interface pppoe-client monitor PPPoE-Digi once as-value] 6;];
works again.
This makes it even more future-proof:
:local localIP ([/interface pppoe-client monitor PPPoE-Digi once as-value]->"local-address");
by eworm
Tue Oct 08, 2019 8:30 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 39609

Re: v6.46beta [testing] is released!

Wondering myself... This topic became really quiet lately.
by eworm
Sat Oct 05, 2019 12:17 am
Forum: Scripting
Topic: HTTP put backup
Replies: 7
Views: 1628

Re: HTTP put backup

All you need is an SSH server with SFTP implementation. I guess OpenSSH is used the most, but there are others. What's expensive about it?
by eworm
Fri Oct 04, 2019 12:08 am
Forum: Scripting
Topic: HTTP put backup
Replies: 7
Views: 1628

Re: HTTP put backup

You can use SFTP (transport over SSH) to securely upload your files.
by eworm
Fri Oct 04, 2019 12:00 am
Forum: General
Topic: ECDSA keys for SSH
Replies: 1
Views: 306

Re: ECDSA keys for SSH

DSA keys are supported as well, but I guess you do not want to use these, no?
The forum has some threads asking for ED25519 keys, but Mikrotik did not give any reaction.
by eworm
Thu Sep 19, 2019 10:00 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 39609

Re: v6.46beta [testing] is released!

Everyone is testing RouterOS v7.0beta1 (ARM)!!!
Nah, this is a perfect and issue-free release! :lol:

But to be honest... I think we should get v7 into official testing channel as soon as possible. Will that happen after 6.46 final release?
by eworm
Mon Sep 16, 2019 5:42 pm
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 1147

Re: IPsec INVALID_SYNTAX after upgrade

Same here with connections to NordVPN. My lifetime is set to 30 minutes, but error message pops up every 24 hours only.
by eworm
Wed Sep 11, 2019 4:40 pm
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 1570

Re: SFTP Upload

The device from last log successfully authorized, so looks like different issue.
by eworm
Fri Sep 06, 2019 2:10 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35930

Re: RouterOS v7.0beta1 (ARM)

Some paths are given with "/", some with white space. Are both allowed now?
by eworm
Thu Sep 05, 2019 11:39 pm
Forum: Scripting
Topic: CCR Health Monitoring
Replies: 4
Views: 2197

Re: CCR Health Monitoring

Sorry for hijacking this thread, but I would like to introduce an alternative. I had some extra requirements: should integrate with my RouterOS scripts, to re-use some basic functionality like notifications (incl. Telegram) should support every RouterOS device with health values support notificatio...
by eworm
Wed Sep 04, 2019 9:44 am
Forum: Scripting
Topic: Random Number
Replies: 7
Views: 721

Re: Random Number

If you use it as a global function I assume it's gone after reboot. So you need some script to restore it. Of course. But it's part of my routeros scripts, so available on every device that has these scripts installed. :D Alternatively you can make it a local function (replace ":global" with ":local...
by eworm
Wed Sep 04, 2019 8:29 am
Forum: Scripting
Topic: Random Number
Replies: 7
Views: 721

Re: Random Number

Jotne, that's not true and modification is not needed.
:put [ $GetRandom 100 ]
55
Just give the max value.
by eworm
Wed Sep 04, 2019 7:51 am
Forum: Scripting
Topic: Random Number
Replies: 7
Views: 721

Re: Random Number

Sector writes change too seldom.

How about this one?
https://git.eworm.de/cgit/routeros-scri ... tions#n278

Remember that is still a very weak algorithm!
by eworm
Tue Sep 03, 2019 2:15 pm
Forum: General
Topic: feature request: upgrade mactelnet
Replies: 2
Views: 308

Re: feature request: upgrade mactelnet

Please follow this issue for details: Compatibility with RouterOS 6.43
by eworm
Tue Sep 03, 2019 9:46 am
Forum: General
Topic: [Feature Request] interface events
Replies: 2
Views: 575

Re: [Feature Request] interface events

Yes, please!
by eworm
Mon Sep 02, 2019 8:42 pm
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 1570

Re: SFTP Upload

As posted in third post in this thread... RouterOS is picky about authentication methods.
Can you configure SSH server to disable all but password authentication? Follow the link above for details.
by eworm
Mon Sep 02, 2019 1:59 pm
Forum: Scripting
Topic: Pseudo Random Number Generator Script (Mersenne Twister)
Replies: 5
Views: 6271

Re: Pseudo Random Number Generator Script (Mersenne Twister)

Ps if anyone knows or can figure out how to get rid of the leading semi colon from the $arrAdjRandNumValues variable you would be a godsend!! Someone proposed to replace {} with "" for array declaration. Both are wrong... you should use [ :toarray "" ] for empty array declaration. (see: How to defin...
by eworm
Mon Sep 02, 2019 1:53 pm
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 1570

Re: SFTP Upload

Try this for verbose logging:
/system logging add topic=ssh,!packet
by eworm
Sat Aug 31, 2019 10:47 am
Forum: Scripting
Topic: Changing autorun.scr no longer works
Replies: 7
Views: 900

Re: Changing autorun.scr no longer works

The file extension should be "rsc", no?
by eworm
Fri Aug 30, 2019 10:31 pm
Forum: Scripting
Topic: Local Array initialization bug? [SOLVED]
Replies: 1
Views: 389

Re: Local Array initialization bug? [SOLVED]

According to wiki the "lame" solution is the correct one.
https://wiki.mikrotik.com/wiki/Manual:S ... mpty_array
by eworm
Fri Aug 30, 2019 10:23 pm
Forum: Scripting
Topic: GPS speed to knots[SOLVED] [SOLVED]
Replies: 4
Views: 702

Re: GPS speed to knots [SOLVED]

Hi to all, i am trying to read into the mikrotik the speed of the gps from km/h to knots... :local speedknots [$speed * 0.5399] any suggestion? How about this? { :local speed 10; :local speedknots (($speed * 5399 / 10000) . "." . (($speed * 5399 / 10) - ($speed * 5399 / 10000 * 1000))); :put $speed...
by eworm
Thu Aug 29, 2019 10:08 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 39609

Re: v6.46beta [testing] is released!

*) console - added bitwise operator support for "ip6" data type; Thanks a lot for this! Have been waiting a long time... :D *) wireless - include last frequency when manually setting frequency step in "scan-list"; Is this supposed to fix Ticket#2019080822004463? I guess no. (It does not.)
by eworm
Mon Aug 26, 2019 4:49 pm
Forum: Scripting
Topic: Importing private SSH keys fails [SOLVED]
Replies: 11
Views: 1667

Re: Importing private SSH keys fails [SOLVED]

Yeah, I get that - but why have the option to specify a user in the SSH command, if it'll only use the keys from the executing user - it appears a pointless feature in that case.
It's the user connecting to on the remote system.
by eworm
Mon Aug 26, 2019 4:47 pm
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 1570

Re: SFTP Upload

Anyone else experiencing such issue?
No, even my old RB751 (mipsbe 400MHz) can connect via SFTP. (I do not run my SSH server on Synology NAS, though.)
by eworm
Thu Aug 22, 2019 12:15 am
Forum: Scripting
Topic: Importing private SSH keys fails [SOLVED]
Replies: 11
Views: 1667

Re: Importing private SSH keys fails [SOLVED]

Note that keys are added for a specific account...
by eworm
Thu Aug 22, 2019 12:10 am
Forum: Scripting
Topic: Triggered execution? Interface up/down etc
Replies: 5
Views: 714

Re: Triggered execution? Interface up/down etc

Nothing for ethernet though I presume?
Sadly no. That's on my wishlist as well.
by eworm
Thu Aug 22, 2019 12:08 am
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 1570

Re: SFTP Upload

I use the following in Linux systems:
That's the wrong way. He wants to upload from RouterOS, not to.
by eworm
Thu Aug 22, 2019 12:06 am
Forum: Scripting
Topic: SFTP Upload
Replies: 14
Views: 1570

Re: SFTP Upload

Hi, Is there a way to upload files from RouterOS via SFTP? I have tried what I have found on the forum but nothing seems to work. /tool fetch should be able to do it it seems, but I can not get it to work. Any ideas? Thanks! Yes, it works. Show your commands and what happens... RouterOS SFTP clien...
by eworm
Wed Aug 14, 2019 10:50 pm
Forum: Scripting
Topic: Importing private SSH keys fails [SOLVED]
Replies: 11
Views: 1667

Re: Importing SSH keys fails [SOLVED]

We do it like this:
That does not help. This topic is about private ssh keys.
by eworm
Mon Aug 12, 2019 12:55 am
Forum: Scripting
Topic: Importing private SSH keys fails [SOLVED]
Replies: 11
Views: 1667

Re: Importing SSH keys fails [SOLVED]

Try to generate your key in PEM format:
ssh-keygen -t rsa -m PEM ..
by eworm
Fri Aug 09, 2019 10:18 pm
Forum: General
Topic: ECSRP Details
Replies: 6
Views: 677

Re: ECSRP Details

Security is made with cryptography, not obscurity. Open specifications do not add any harm. So I do not see a reason not to publish the required information.

Please Mikrotik, I would like to have a fully functional mac-telnet for linux, again, finally.
by eworm
Fri Aug 09, 2019 10:14 pm
Forum: General
Topic: ECSRP Details
Replies: 6
Views: 677

Re: ECSRP Details

BTW, this is the issue report for mac-telnet:
Compatibility with RouterOS 6.43
by eworm
Tue Aug 06, 2019 1:06 pm
Forum: Scripting
Topic: WOL not working after upgrade
Replies: 9
Views: 986

Re: WOL not working after upgrade

The concept of master interfaces no longer exists in recent RouterOS releases. If the interface belongs to a bridge you should use that.
by eworm
Thu Aug 01, 2019 9:56 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35924

Re: v6.45.2 [stable] is released!

@CrimzinZA You have 3 things to check 😁 ROS version, MT firmware and modem firmware. Upgrading modem firmware solved my 4G issues. Here is how to update modem firmware https://wiki.mikrotik.com/wiki/Manual:Interface/LTE#Modem_firmware_upgrade Or you use my script, just copy and paste to your termin...
by eworm
Thu Aug 01, 2019 3:00 pm
Forum: General
Topic: LTE modem disconnects every 2 minutes
Replies: 5
Views: 691

Re: LTE modem disconnects every 2 minutes

A friend had a broken SIM card that caused similar issues. Any chance to test with another card?
by eworm
Wed Jul 31, 2019 8:27 pm
Forum: Scripting
Topic: Help with Script to change server NordVPN
Replies: 8
Views: 1031

Re: Help with Script to change server NordVPN

The API returns json data, parsing that in RouterOS is not an easy task.
I am interested myself, but as the topic is really complex I did not yet give it a try.
by eworm
Mon Jul 29, 2019 4:03 pm
Forum: General
Topic: NordVPN
Replies: 7
Views: 909

Re: NordVPN

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add name=NordVPN pfs-group=none

At least aes128
The default proposal is not relevant here as the proposal named "NordVPN" is used.
by eworm
Thu Jul 25, 2019 10:42 pm
Forum: General
Topic: Tool Fetch FTPS
Replies: 1
Views: 362

Re: Tool Fetch FTPS

No, that's something completely different.
by eworm
Thu Jul 25, 2019 10:37 pm
Forum: General
Topic: mikrotik scp/sftp client to transfer file between MT
Replies: 13
Views: 9578

Re: mikrotik scp/sftp client to transfer file between MT

Finally found the cause for my issue with help of support. Looks like the sftp client in RouterOS fails if too many authentication methods are supported by the server. On my SSH server I added this block in /etc/ssh/sshd_config:
Match User mikrotik-upload
    AuthenticationMethods password
by eworm
Wed Jul 24, 2019 12:21 am
Forum: Scripting
Topic: Built in function library
Replies: 55
Views: 13821

Re: Built in function library

Any news on this topic? We have not heard anything in a long time.
by eworm
Tue Jul 23, 2019 11:09 pm
Forum: Scripting
Topic: Command to create directory?
Replies: 4
Views: 8904

Re: Command to create directory?

No idea why the script creates user, group and whatever. Given you have http-ssl service enabled this should suffice:
/tool fetch https://127.0.0.1/ dst-path=path/to/create/xxx
Alternatively use whatever webserver. It creates a file as well, just remove that:
/file remove path/to/create/xxx
by eworm
Tue Jul 23, 2019 11:04 pm
Forum: Scripting
Topic: fetch http response and headers
Replies: 2
Views: 436

Re: fetch http response and headers

You can access "data", "downloaded", "duration", "status" and "total". Looks like your requested information is not available.
by eworm
Mon Jul 22, 2019 5:52 pm
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 1675

Re: RB951G & NordVPN (IKEv2/IPsec) [SOLVED]

No effect, I'm gonna try configuring it on CRS328-24P-4S+, as it should have hardware IPsec support, and compare speed.
No, it does not. Where did you find that information?
by eworm
Sat Jul 20, 2019 12:21 am
Forum: Scripting
Topic: User agent with fetch tool
Replies: 3
Views: 897

Re: User agent with fetch tool

/ tool fetch http-header-field="User-Agent: Mozilla/4.0" ...
by eworm
Sat Jul 20, 2019 12:19 am
Forum: Scripting
Topic: status of the sent email? [SOLVED]
Replies: 2
Views: 628

Re: status of the sent email? [SOLVED]

:if ([ /tool e-mail get last-status ] = "succeeded") do={ ...
But I am not sure if you need a delay between sending and checking for status...
by eworm
Fri Jul 19, 2019 9:35 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35924

Re: v6.45.2 [stable] is released!

But there is not even an attempt to fix the VPN issues everyone is still having, there was never a clear way to fix that in the v6.45.1 thread, and MT needs to have those settings in the Quick Set "VPN Access" checkbox setup, because the default still has broken VPN. I reported issues with IPSec an...
by eworm
Fri Jul 19, 2019 9:32 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35924

Re: v6.45.2 [stable] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator; *) ipsec - improved stability for peer initialization (introduced in v6.45); Please, can you write something concrete about this? I look on the manual and there is nothing about it. I have problem with bad policies generated fr...
by eworm
Fri Jul 19, 2019 5:33 pm
Forum: General
Topic: Winbox 64bit Version
Replies: 80
Views: 11403

Re: Winbox 64bit Version

Sadly the mac-telnet client can not authenticate with new authentication mechanism. :(
Mikrotik does not give details what is required for encryption.
Compatibility with RouterOS 6.43
by eworm
Thu Jul 18, 2019 6:00 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 2291

Re: NordVPN

Thanks for the explanation emils!
So after all it's not possible to configure IKEv2 without PFS. That's good news. :mrgreen:
by eworm
Thu Jul 18, 2019 5:56 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 70035

Re: v6.45.1 [stable] is released!

Is there any ETA for...
Wrong question! At MikroTik, there never is an ETA!
"it is ready when it's ready".
This is just spam to advertise Bitcoin/Cryptocurrency Trading Exchange Platform. (See signature.)
by eworm
Wed Jul 17, 2019 6:21 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 2291

Re: NordVPN

emils, I do not agree.
I've set pfs-group=none for my personal site-to-site IKEv2 connections on an initiator. These connections start to have rekeying issues now.

Or do I have to set pfs-group=none on the responder as well? Explicit and implicit pfs setting is not the same?
by eworm
Wed Jul 17, 2019 3:26 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 2291

Re: NordVPN

With "group from phase 1" you refer to dh-group? Got it... However this could cause a lot of confusion... Selecting "none" looks like disabling the feature. Does it make sense to have values "inherit" or "dh-group" here? Probably confuses even more... :lol: Still wondering why rekeying does not...
by eworm
Wed Jul 17, 2019 2:37 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 2291

Re: NordVPN

Just enabled ipsec logs to see what's going on. A lot of debug messages, including:
13:33:33 ipsec got error: NO_PROPOSAL_CHOSEN
Possibly it does not find its proposal when rekeying...
by eworm
Wed Jul 17, 2019 2:16 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 2291

Re: NordVPN

can confirm rekeying is broken in 6.45.1stable, the only solution to don't drop connection is to set PFS Group to: none, in IPsec proposal
Did anybody report the PFS rekeying issue to Mikrotik? Any news on this topic?
by eworm
Tue Jul 16, 2019 11:12 pm
Forum: General
Topic: IPv6 in address list
Replies: 5
Views: 1269

Re: IPv6 in address list

Is the IPv6 package installed and enabled? I guess no.
by eworm
Tue Jul 16, 2019 12:53 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 39609

Re: v6.46beta [testing] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator;
Great, thanks a lot for this! Much appreciated.
This works perfectly fine! Would like to see it in a stable release as soon as possible... But I guess I have to wait for 6.46 final?
by eworm
Mon Jul 15, 2019 5:42 pm
Forum: General
Topic: EoIP over IPSec performance
Replies: 2
Views: 281

Re: EoIP over IPSec performance

A CRS will not. See the test results on product page for what the CCRs can do. Looks like none of them can handle 4Gbit/s in a single tunnel, possibly a bond of four tunnels may work.
https://mikrotik.com/product/CCR1016-12 ... estresults
by eworm
Mon Jul 15, 2019 5:35 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1593

Re: blackhole/unreachable with IPSec policies [SOLVED]

@msatter, did my detailed post #17 explain what I had in mind when saying that your rule suggested in post #10 will drop the packets regardless whether they would be finally intercepted by an IPsec policy? I still have a feeling that the mutual misunderstanding may come from the fact that you use a...
by eworm
Mon Jul 15, 2019 3:38 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1593

Re: blackhole/unreachable with IPSec policies [SOLVED]

Ah, got it! :D :lol: My false assumption was that I thought... Routing with type=blackhole is the same as routing to an interface with no addresses. Of course it is not. And even more important that I thought... Routing decision is done earlier in flow for unencrypted packet. It is not, or better: L...
by eworm
Mon Jul 15, 2019 10:55 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1593

Re: blackhole/unreachable with IPSec policies [SOLVED]

@eworm, Or did I misunderstand 1.? Either you did, or I've misunderstood your goal. My understanding of your goal is that you want to be sure that those packets, which should be sent via the VPN, will under no circumstances get to the destination via any other path if the VPN connection fails. The...
by eworm
Mon Jul 15, 2019 12:46 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1593

Re: blackhole/unreachable with IPSec policies [SOLVED]

The order of actions is use routing to find the outgoing interface execute the postrouting chain of the firewall (including srcnat) check a match to IPsec policy and send the packet via the policy's SA if it matches send the packet out the interface chosen in step 1 if it didn't match any IPsec pol...
by eworm
Sun Jul 14, 2019 11:33 pm
Forum: General
Topic: privateinternetaccess.com IPsec IKE2 config with port forwarding
Replies: 3
Views: 605

Re: privateinternetaccess.com IPsec IKE2 config with port forwarding

Really nice this works! No idea why PIA does not support this officially. I am/was about to switch to NordVPN, possibly I should hold on... (Though this would be a delay only, I think.) Your profile and proposal settings are weak, though. I tested with these to work: /ip ipsec profile add dh-group=e...
by eworm
Sun Jul 14, 2019 12:00 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1593

Re: blackhole/unreachable with IPSec policies [SOLVED]

I added this rule as a workaround... It catches the packets if the dynamic rule by mode-config is not present. /ip firewall nat add action=src-nat chain=srcnat connection-mark=via-vpn to-addresses=127.0.0.1 However it is kind of blackhole only, there's no way to make the client receive unreachable m...
by eworm
Sat Jul 13, 2019 1:51 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1593

Re: blackhole/unreachable with IPSec policies [SOLVED]

Yes. But I can not decide by out interface as that does not differ with policies.
by eworm
Sat Jul 13, 2019 12:50 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1593

Re: blackhole/unreachable with IPSec policies [SOLVED]

With l2tp this is quite easy as routing goes to different interfaces. With IPSec policies things work different.
by eworm
Sat Jul 13, 2019 12:13 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1593

blackhole/unreachable with IPSec policies [SOLVED]

Hello everybody, with my current VPN provider I use l2tp/IPSec, which works with an interface. I add routing marks, then add a route for these marks to my interface. A second route makes sure no traffic is routed when the interface is down: / ip route add distance=1 gateway=l2tp-pia routing-mark=via...
by eworm
Thu Jul 11, 2019 2:17 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 39609

Re: v6.46beta [testing] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator;
Great, thanks a lot for this! Much appreciated.

Is any of the other ipsec changes supposed to fix my issue from Ticket#2019070222004609?
by eworm
Wed Jul 10, 2019 6:44 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 34027

Re: v6.44.5 [long-term] is released!

Can I migrate my router from 6.44 Stable to Long term without worrying about configuration?
Yes, it's just a small bugfix release then.
by eworm
Wed Jul 10, 2019 6:11 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 34027

Re: v6.44.5 [long-term] is released!

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
You have set strong-crypto=yes? I think it depends on that setting.
by eworm
Wed Jul 10, 2019 5:10 pm
Forum: General
Topic: Can't update Installed SAs
Replies: 7
Views: 569

Re: Can't update Installed SAs

Looks like there is still a bug with dynamic policies and addresses. I am suffering a similar issue where I have duplicate policies, one with old dynamic address, one with new dynamic address. I am already in contact with Mikrotik support.
by eworm
Wed Jul 10, 2019 2:06 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 34027

Re: v6.44.5 [long-term] is released!

Let's cool down on the changelog topic. IMHO this is just another matter of communication. Just add a note to the changelog: A new stable release moved to long-term. For full changelog see changes up to version 6.44.3. At least this is a first step and clarifies what changes can be expected in chang...
by eworm
Tue Jul 09, 2019 2:57 pm
Forum: General
Topic: OpenVPN woring on all but ubuntu systems
Replies: 1
Views: 259

Re: OpenVPN woring on all but ubuntu systems

/interface ovpn-server server
set certificate=ovpn-ca cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn-impact enabled=yes netmask=19
Looks like you set the ca certificate for the openvpn server. Use the server certificate instead.
by eworm
Mon Jul 08, 2019 3:35 pm
Forum: General
Topic: [Feature request] conditional dhcp options
Replies: 18
Views: 5341

Re: [Feature request] conditional dhcp options

That's a step forward, but not a solution. We need the matcher for the architecture.
by eworm
Sat Jul 06, 2019 1:00 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 70035

Re: v6.45.1 [stable] is released!

I have severe issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config. Not sure about the details. Anybody else seen this? One after another the IPSec links came up without any configuration change. Finally today (after...
by eworm
Thu Jul 04, 2019 5:06 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 39609

Re: v6.46beta [testing] is released!

My IPSec issues persist. (Though there are no more crashes.) Sent a reply with support output file to Ticket#2019070222004609.
by eworm
Mon Jul 01, 2019 4:17 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 70035

Re: v6.45.1 [stable] is released!

GRE tunnels won't start anymore between 6.45.1 versions. But 6.44.3 <--> 6.45.1 are working fine.
Is this just GRE or GRE over IPSec? Possibly an IPSec issue?
by eworm
Mon Jul 01, 2019 12:36 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 70035

Re: v6.45.1 [stable] is released!

I have severe issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config. Not sure about the details. Anybody else seen this? Edit 1: Initiator devices log: ipsec,error MikroTik: bad state: 7 Edit 2: Looking in /ip ipsec ac...
by eworm
Thu Jun 27, 2019 12:36 am
Forum: Scripting
Topic: Function: IP to Decimal
Replies: 4
Views: 739

Re: Function: IP to Decimal

Actually calculating with ip addresses is easy:
Manual:Scripting / Bitwise Operators

Do you need anything more?

(Sadly this does not work with ipv6 addresses. :( Mikrotik, please implement!)
by eworm
Wed Jun 19, 2019 7:07 pm
Forum: General
Topic: Local advertised IPv6 DNS cache server
Replies: 7
Views: 486

Re: Local advertised IPv6 DNS cache server

What does the network configuration look like?
by eworm
Wed Jun 19, 2019 5:24 pm
Forum: General
Topic: Local advertised IPv6 DNS cache server
Replies: 7
Views: 486

Re: Local advertised IPv6 DNS cache server

Android does not support DHCPv6 unless you root the device and install third party software. Search Google for the details.

For me it works just fine with Linux, though you may have to make sure the firewall does not block the essential packets.
by eworm
Wed Jun 19, 2019 5:15 pm
Forum: General
Topic: Cloud Backup
Replies: 20
Views: 3730

Re: Cloud Backup

Now that we have a replace mechanism since version 6.45beta42 one culprit remains: If the cloud server is not accessible for any reason the commands in "/ system backup cloud" give fatal errors. You can not catch these as runtime errors from a script: :do { / system backup cloud ... } on-error={ ......
by eworm
Tue Jun 18, 2019 4:51 pm
Forum: General
Topic: hap lite classic "mode" button?
Replies: 18
Views: 5823

Re: hap lite classic "mode" button?

I don't think you need to do /system routerboard mode-button set on-event=/system script run your-script In my case it worked just giving the script name directly to the on-event= like so /system routerboard mode-button set on-event=your-script Yes, that's enough for things to work. The above was m...
by eworm
Tue Jun 18, 2019 12:40 pm
Forum: General
Topic: Upload file and change it into a script
Replies: 2
Views: 260

Re: Upload file and change it into a script

You can use something like this:
/ system script add name=mail source=[ / file get mail.rsc contents ];
But keep in mind this is limited to a maximum length of 4kB.
by eworm
Tue Jun 18, 2019 11:55 am
Forum: General
Topic: hap lite classic "mode" button?
Replies: 18
Views: 5823

Re: hap lite classic "mode" button?

Script shows up in red, is that correct? The content of this field is displayed with syntax highlighting. Things become colored if you use something like: /system routerboard mode-button set on-event="/system script run test-script;" enabled=yes As a fallback RouterOS tries to run a script with giv...
by eworm
Sun Jun 16, 2019 11:25 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters. That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch... Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and ...
by eworm
Fri Jun 14, 2019 8:58 am
Forum: General
Topic: Wierd Problem with Mikrotik
Replies: 5
Views: 515

Re: Wierd Problem with Mikrotik

I had similar issues with GRE over IPSec, where connection became stuck after packets were sent outside IPSec context. For me rejecting unencrypted GRE did the trick. Try something like this on all your routers:
/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=ipip
by eworm
Thu Jun 13, 2019 11:47 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

No rc versions this time?
by eworm
Wed Jun 12, 2019 9:14 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

That would be even more welcome. :D
However I think Mikrotik has its reasons to do it one way, not the other. I am happy either way.
by eworm
Wed Jun 12, 2019 4:33 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.
Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
by eworm
Wed Jun 12, 2019 4:15 pm
Forum: RouterBOARD hardware
Topic: IPSec with MikroTik wAP ac LTE
Replies: 3
Views: 611

Re: IPSec with MikroTik wAP ac LTE

Thanks a lot! Will have a look at availability from local distributors then.
by eworm
Wed Jun 12, 2019 4:08 pm
Forum: RouterBOARD hardware
Topic: IPSec with MikroTik wAP ac LTE
Replies: 3
Views: 611

IPSec with MikroTik wAP ac LTE

Hello everybody, There's new device MikroTik wAP ac LTE . Very interesting, it does provide a lot of features I am interested in. Did not find any information about hardware IPSec acceleration. It is powered by ARM CPU IPQ-4018, so it should support hardware acceleration. Does anybody have specific ...
by eworm
Thu Jun 06, 2019 11:21 am
Forum: General
Topic: Backup-cloud,works?
Replies: 2
Views: 233

Re: Backup-cloud,works?

Is Backup-cloud still working? I use to since it comes up, but so far I got some error. on log says: "Problem connecting with server" Every now and then cloud backup fails with server errors... Just try again later. Sadly using cloud backup in scripts is kind of problematic. Errors are not handled a...
by eworm
Wed Jun 05, 2019 5:26 pm
Forum: RouterBOARD hardware
Topic: hAP powered from 802.3af port - possible?
Replies: 4
Views: 597

Re: hAP powered from 802.3af port - possible?

You could use converters like these from Ubiquiti:
https://www.ui.com/accessories/instant-8023af-adapters/
by eworm
Fri May 31, 2019 3:50 pm
Forum: General
Topic: Upgrade from main package to extra packages
Replies: 18
Views: 2700

Re: Upgrade from main package to extra packages

I maintain a collection of scripts for managing and extending functionality: RouterOS Scripts This includes a function to download packages... So if the script are set up you can install additional packages like this: [admin@MikroTik] > $DownloadPackage wireless 1 status: finished downloaded: 2824Ki...
by eworm
Wed May 29, 2019 9:42 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
Let's hope this is not related to TLS protocol downgrade attacks...
by eworm
Tue May 28, 2019 2:45 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

Hello Emils,

Could You explain this?
!) user - removed insecure password storage;
Regards,
This is the final step for this changelog entry from 6.43:
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
by eworm
Thu May 23, 2019 6:45 pm
Forum: General
Topic: CAPsMAN loses CAPs after reboot
Replies: 4
Views: 310

Re: CAPsMAN loses CAPs after reboot

Interface "bridge" is listed twice... That looks suspicious. Fix that and try again.
by eworm
Thu May 23, 2019 4:09 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 2291

Re: NordVPN

IKEv2 from NordVPN should work with latest testing releases, where support for EAP authentication methods was added.

See this post for details: viewtopic.php?f=2&t=126221#p731754

I can not test as I do not have a NordVPN account.
by eworm
Mon May 20, 2019 10:30 pm
Forum: General
Topic: Backup
Replies: 5
Views: 446

Re: Backup

The problem was solved with regenerating ssh host key. But how can i catch this error in auto backup script using do {} error {} ? I tried this but that error message is not recognized as error. I think you can not. Do it manually if it happens. The backup file is fully functional except the host k...
by eworm
Mon May 20, 2019 4:23 pm
Forum: Scripting
Topic: How to get multiple data using "value-name"
Replies: 5
Views: 728

Re: How to get multiple data using "value-name"

To make sure it works in all location i would have used full command like this:
Usually I do. I started from your code, but did not notice the first line was appended to your written text. :lol:
by eworm
Mon May 20, 2019 3:20 pm
Forum: Scripting
Topic: How to get multiple data using "value-name"
Replies: 5
Views: 728

Re: How to get multiple data using "value-name"

How about this?
:foreach i in=[ print as-value ] do={
  :put (($i->"comment") . " " . ($i->"address") . " " . ($i->"host-name"));
}
by eworm
Mon May 20, 2019 2:57 pm
Forum: General
Topic: Backup
Replies: 5
Views: 446

Re: Backup

Probably regenerating your ssh host keys helps:
/ ip ssh regenerate-host-key
by eworm
Thu May 16, 2019 2:10 pm
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 123
Views: 31942

Re: v6.44.3 [stable] is released!

Hello.

I think Router OS V6.44.X has introduced an issue with the GPS package.
Since I upgraded to 6.44.X (2 or 3) the latitude and longitude values of the GPS are 32 characters long rather than the normal length.
Already fixed in latest beta version, will be available in stable soon.
by eworm
Mon May 13, 2019 11:55 pm
Forum: General
Topic: R11e-LTE LTE upgrade ... over OVPN Tunnel ?
Replies: 2
Views: 500

Re: R11e-LTE LTE upgrade ... over OVPN Tunnel ?

Generally you need a connection to your device while the upgrade is in progress, but the upgrade breaks connection.
But this may help: unattended-lte-firmware-upgrade
Just copy'n'paste the code into your device's terminal.
by eworm
Fri May 03, 2019 11:05 am
Forum: General
Topic: System Package - Install new package
Replies: 1
Views: 210

Re: System Package - Install new package

I maintain a collection of scripts for managing and extending functionality: RouterOS Scripts This includes a function to download packages... So if the script are set up you can install additional packages like this: [admin@MikroTik] > $DownloadPackage wireless 1 status: finished downloaded: 2824Ki...
by eworm
Thu May 02, 2019 7:26 pm
Forum: General
Topic: after many hours, I solve the wAP ac issue
Replies: 2
Views: 802

Re: after many hours, I solve the wAP ac issue

What is "Throughput Booster"?

Edit: And even bigger mystery... Why did you open third topic on this?
by eworm
Thu May 02, 2019 12:04 pm
Forum: General
Topic: Email feature implementation poor
Replies: 3
Views: 298

Re: Email feature implementation poor

The only poor implementation about e-mail is that there is no way to check the server certificate for TLS connections.
by eworm
Wed May 01, 2019 11:53 pm
Forum: Scripting
Topic: GPS Logging v6.44 [SOLVED]
Replies: 6
Views: 762

Re: GPS Logging v6.44 [SOLVED]

Probably same as unwanted symbols in variables, gps monitoring.
Just cut the trailing null bytes.
by eworm
Wed May 01, 2019 11:48 pm
Forum: Scripting
Topic: unwanted symbols in variables, gps monitoring
Replies: 2
Views: 431

Re: unwanted symbols in variables, gps monitoring

Just cut the garbage...
:set $lat [ :pick $latitude 0 [ :find $latitude "\00" ] ];
:set $lon [ :pick $longitude 0 [ :find $longitude "\00" ] ];
Put that into your do block.
by eworm
Mon Apr 29, 2019 4:14 pm
Forum: Scripting
Topic: Array Push Function
Replies: 9
Views: 4249

Re: Array Push Function

All this looks a bit over-complicated. The correct way is this:
:set $MyArray ($MyArray, $Value);
by eworm
Mon Apr 29, 2019 1:12 pm
Forum: General
Topic: Can't update firmware from scheduled script
Replies: 4
Views: 371

Re: Can't update firmware from scheduled script

Works for me... I use this script for update notification and auto-install: check-routeros-update

Anything in the logs about errors?
by eworm
Thu Apr 25, 2019 9:35 am
Forum: General
Topic: What device do I have?
Replies: 2
Views: 263

Re: What device do I have?

You have to get the info from LTE interface:
[admin@MikroTik] > :put ([ / interface lte info lte1 once as-value ]->"model");                        
"R11e-LTE"
by eworm
Wed Apr 24, 2019 12:44 pm
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 123
Views: 31942

Re: v6.44.3 [stable] is released!

I had hoped for this:
*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
Will we see it in another stable update?

Other than that everything looks good, already updated ~ 30 devices of different type.
by eworm
Wed Apr 24, 2019 1:38 am
Forum: General
Topic: /system backup cloud - update?
Replies: 3
Views: 352

Re: /system backup cloud - update?

I do not care if it is one command or more. IMHO the problem is that you have to delete a valid backup. And you do not have a cloud backup until you successfully upload a new one. There should be a replace option, that uploads a new backup, then replaces the old one only if upload was successful. If...
by eworm
Thu Apr 18, 2019 10:33 am
Forum: Scripting
Topic: Howto kill running ppp script?
Replies: 6
Views: 515

Re: Howto kill running ppp script?

Fixed the typo in original post. Thanks!
by eworm
Thu Apr 18, 2019 8:28 am
Forum: Scripting
Topic: Howto kill running ppp script?
Replies: 6
Views: 515

Re: Howto kill running ppp script?

Are there any other unique criteria to find your nameless script? If there are none you should consider putting it into "/ system script". After all... what's the purpose of this ping? BTW, ping knows an option "count=" to limit its runtime. Or you do it in a loop: :while ([ / interface get $interface...
by eworm
Tue Apr 16, 2019 12:51 pm
Forum: Scripting
Topic: hotspot - make lease static after login [SOLVED]
Replies: 2
Views: 688

Re: hotspot - make lease static after login [SOLVED]

Well, an odd behavior in RouterOS... Mikrotik support says "that's how scripting works in RouterOS". You can not use same variable name and option name. I switched to use variable names in CamelCase. Just replace $"mac-address" with $MacAddress . Read my detailed analysis and solution here: global: ...
by eworm
Tue Apr 16, 2019 12:45 pm
Forum: Scripting
Topic: Some help SMS find and remove [SOLVED]
Replies: 5
Views: 1523

Re: Some help SMS find and remove [SOLVED]

Or without loop:
/ tool sms inbox remove [ find where message="" ];
by eworm
Tue Apr 16, 2019 12:37 pm
Forum: Scripting
Topic: Howto kill running ppp script?
Replies: 6
Views: 515

Re: Howto kill running ppp script?

I use the following script to control PPP connections (on-up in ppp profile ): ping interface=[ / interface get $interface name ] address=($"remote-address") interval=00:00:05 After a PPP interface break, it remains running. Can you please tell me how to kill him? Try this, replace "ppp-script" wit...
by eworm
Mon Apr 15, 2019 3:36 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 24488

Re: v6 RC and v7 BETA

Please clarify what is "proper IKEv2/IPSEC"?
Probably asking for EAP authentication as initiator, which is not possible for IKEv2 atm.
by eworm
Mon Apr 15, 2019 3:07 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.
I hope for 6.44.3. :wink:
by eworm
Mon Apr 15, 2019 12:04 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
I think this hit me a lot in the past... Hope this will make its way into next stable release.
by eworm
Wed Apr 10, 2019 11:53 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 12476

Re: v6.44.2 [stable] is released!

Hello! After upgrading firmware to 6.44.x, the ssh and telnet connections, passing through the router, began to break. It is the problem mentioned in posting #5 above. It is known "to us" but not to MikroTik, it appears (never any reaction to those complaints from several people). You can fix it fo...
by eworm
Tue Apr 09, 2019 6:47 pm
Forum: General
Topic: mikrotik scp/sftp client to transfer file between MT
Replies: 13
Views: 9578

Re: mikrotik scp/sftp client to transfer file between MT

I gave it a try, but did not succeed. The server is running openssh 7.9p1, the account is locked to sftp only with openssh's internal sftp implementation. [admin@Mikrotik] > /system ssh user=mikrotik-upload sftp-host Password: This service allows sftp connections only. Welcome back! [admin@Mikrotik]...
by eworm
Mon Apr 08, 2019 1:11 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?
Before we start discussing any advanced features... How does this work at all? Looks like mode=sftp is not a valid syntax for fetch.
by eworm
Mon Apr 08, 2019 1:09 pm
Forum: General
Topic: mikrotik scp/sftp client to transfer file between MT
Replies: 13
Views: 9578

Re: mikrotik scp/sftp client to transfer file between MT

Starting with version 6.45beta22 the changelog lists:
*) fetch - added SFTP support;
Not sure how it works, though. Looks like mode=sftp is not (yet?) valid.
by eworm
Thu Apr 04, 2019 4:31 pm
Forum: General
Topic: Ensure GRE is going trough IPsec with Firewall
Replies: 2
Views: 297

Re: Ensure GRE is going trough IPsec with Firewall

My Firewall has:
/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=gre
That serves me well.
by eworm
Fri Mar 29, 2019 1:12 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?
by eworm
Tue Mar 26, 2019 6:30 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 9584

Re: v6.43.13 [long-term] is released!

Tried to downgrade from 6.44 stable to this release, but after reboot still show me 6.44 stable.. Seems like it's not possible to downgrade to this longterm version. What's in the log? What is the factory firmware version? Factory is 6.42.3. Current is 6.44 Stable. This is message from log.. https://...
by eworm
Fri Mar 22, 2019 5:21 pm
Forum: General
Topic: How do you use ssh agent forwarding on the routeros ssh client?
Replies: 9
Views: 913

Re: How do you use ssh agent forwarding on the routeros ssh client?

You can use your Mikrotik devices as Jumphost. Just search for this keyword for details.

Example for openssh command line client:
ssh -J Mikrotik-A Mikrotik-B
You can use a chain with more than one jumphost.
by eworm
Fri Mar 22, 2019 4:29 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 9584

Re: v6.43.13 [long-term] is released!

I have a 450G and a 750Gr3 that have had this error since upgrading: "backup,critical error creating backup file: could not read all configuration files" It happens with both encrypted and unencrypted backups; both were upgraded from 6.42.12. My 951G that was upgraded from 6.43.12 does not have thi...
by eworm
Fri Mar 22, 2019 10:09 am
Forum: General
Topic: Importing a pem certificat
Replies: 2
Views: 929

Re: Importing a pem certificat

RouterOS can not store just keys, it stores certificates and adds the key when available. This is what happens if you import client.pem: Private key -> no matching certificate -> ignored Certificate -> imported Certificate -> imported Then on second import: Private key -> matching certificate found ...
by eworm
Thu Mar 21, 2019 12:42 am
Forum: General
Topic: sms to email forwarding
Replies: 4
Views: 603

Re: sms to email forwarding

Use my script sms-forwarding. You need to set up some more scripts, read the instructions.
by eworm
Sun Mar 10, 2019 9:40 pm
Forum: Scripting
Topic: 'find' command returns nothing
Replies: 1
Views: 172

Re: 'find' command returns nothing

'find' is not supposed to print anything, it returns information other commands can use, something like:
/ ip address remove [ find where interface="etherX" ]
... will remove all ip addresses from interface "etherX".
by eworm
Sat Mar 09, 2019 11:03 pm
Forum: General
Topic: How to force Mikrotik to recognize imported private key?
Replies: 1
Views: 190

Re: How to force Mikrotik to recognize imported private key?

I know that I can generate a CA and the rest on the Mikrotik. But, signing takes 3-5 minutes, which is horrible. If I create the same certificate + key with OpenSSL and import it, Mikrotik is not able to see the private key. I have only AT flags, no 'K'? Why is that happening? This works without is...
by eworm
Sat Mar 09, 2019 10:57 pm
Forum: General
Topic: Script doesn't run [SOLVED]
Replies: 1
Views: 248

Re: Script doesn't run [SOLVED]

Hi, Annotation 2019-03-08 193039.jpg I try to run above script to more my cloud backup but it doesn't work at all while I can run the same script in CLI is work perfectly. What I am wrong here? Your numeric index is invalid without print. Use this if you want to get rid of cloud backup in any situati...
by eworm
Fri Mar 08, 2019 7:22 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36390

Re: v6.44 [stable] is released!

Interface for new PWR line adapter coming next months. hAP mini & hAP lite has it. Basically power the device and transfer data via microusb port. Also the mAP Lite 2nd (at least mine, revision r2. I'm not sure about older ones) This requires the new hardware, old mAP lite can not get this from soft...
by eworm
Fri Mar 01, 2019 1:09 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36390

Re: v6.44 [stable] is released!

*) gps - increase precision for dd format; Hi, could it be that the calculation from dms-format to dd-format is incorrect ? For example: in winbox/system/GPS-GUI I switch between dms and dd format. In dms I get 49 29' 6.954' when I switch to dd I get 49.004852 in my calculation it should be 49.4852...
by eworm
Thu Feb 28, 2019 9:32 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36390

Re: v6.44 [stable] is released!

Hi, Didn't understand this topic (how it works): *) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only); Tried to update WAP-LTE with CLI - it shows that exist new firmware - enter "upgrade" / interface lte firmware-upgrade lte1 installed: MikroTik_CP_2.160.000_v008 ...
by eworm
Wed Feb 27, 2019 10:47 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36390

Re: v6.44 [stable] is released!

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error). [admin@xxxx] > /system backup save Saving system configuration Configuration backup saved 08:54:42 echo: backup,critical error creating backup...
by eworm
Tue Feb 26, 2019 2:02 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36390

Re: v6.44 [stable] is released!

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error). [admin@xxxx] > /system backup save Saving system configuration Configuration backup saved 08:54:42 echo: backup,critical error creating backup...
by eworm
Thu Feb 21, 2019 7:14 pm
Forum: Scripting
Topic: Script job killer
Replies: 7
Views: 4017

Re: Script job killer

Inside foreach you must check the script name to prevent killing himself: :if ([/system script job get $id value-name=script] != "myscriptname") do={ <killing instructions> }; Even easier: :foreach id in=[ / system script job find where script!="myscript" ] do={ / system script job remove $id; } Or...
by eworm
Wed Feb 20, 2019 10:27 pm
Forum: General
Topic: Issue with on-down in ppp profiles
Replies: 8
Views: 650

Re: Issue with on-down in ppp profiles

I've never cleared my connection table... What are your "specific situations"?
by eworm
Tue Feb 19, 2019 2:10 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12479

Re: v6.44rc [testing] is released!

On ltap, the gps gives back wrong coordinates for me. After a downgrade to stable, i see the right coordinates. How do you know which one is right? Give an example please Probably he knows the coordinates the device is located. Something about wrong coordinates has been reported for 6.44beta75: htt...
by eworm
Tue Feb 19, 2019 12:40 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12479

Re: v6.44rc [testing] is released!

Upgrading from stable to testing I have allow-none-crypto enabled : /ip ssh set allow-none-crypto=yes strong-crypto=yes I think this should default to disabled . If you want to keep the former behavior please consider setting it to disabled if strong-crypto has been enabled before. I am certain some...
by eworm
Fri Feb 15, 2019 10:41 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12479

Re: v6.44rc [testing] is released!

With this upgrade I lost the wireless package on wAP LTE, again. The files were downloaded via weak LTE connection.
Reported this before for the update to 6.44beta50: viewtopic.php?f=21&t=139057&start=250#p703960
by eworm
Thu Feb 14, 2019 4:56 pm
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 12336

Re: v6.43.12 [stable] is released!

The script in the PPP profile is not executed!

ping interface=$interface address=8.8.8.8 interval=00:00:05
That's not version specific. Anyway... Use:
ping interface=[ / interface get $interface name ] address=8.8.8.8 interval=00:00:05
by eworm
Wed Feb 13, 2019 11:30 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 157
Views: 45601

Re: Feature request - DNSCrypt support...

At FOSDEM 2019 Daniel Stenberg (the maintainer of curl) had a talk about DNS over HTTPS - the good, the bad and the ugly. Very interesting topic and he sheds some light on DoT, DNScrypt, DNSsec & Co as well.

IMHO DoH is the way to go.
by eworm
Thu Feb 07, 2019 9:57 am
Forum: Announcements
Topic: v6.43.11 [stable] is released!
Replies: 79
Views: 11936

Re: v6.43.11 [stable] is released!

Anyone noticed interface connectivity issue after upgrade? [...]
I saw this on a device that had internet detection enabled. Try this:
/ interface detect-internet set detect-interface-list=none;
by eworm
Wed Feb 06, 2019 4:26 pm
Forum: Announcements
Topic: v6.43.11 [stable] is released!
Replies: 79
Views: 11936

Re: v6.43.11 [stable] is released!

*) wireless - improved antenna gain setting for devices with built in antennas;
How is this handled with capsman?
by eworm
Tue Feb 05, 2019 4:01 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script? (that receives parameters like the remote-id, remote-IP etc) This script could then add/delete phase2 settings e.g. a GRE tunnel. Yes, please! Hooking a script would be much appreciated. Cu...
by eworm
Thu Jan 24, 2019 10:21 pm
Forum: Scripting
Topic: script that warned me by email that a user has been added to my DHCP server
Replies: 5
Views: 2383

Re: script that warned me by email that a user has been added to my DHCP server

Do your own devices have static leases? If no...
/ ip dhcp-server lease make-static [ find where dynamic ]
Then replace
:if ($leaseBound = 1) do={
with
:if ($leaseBound = 1 && [ get [ find where mac-address=$leaseActMAC ] dynamic ] = true) do={
by eworm
Tue Jan 22, 2019 7:14 pm
Forum: Scripting
Topic: Subtract from get given IP
Replies: 3
Views: 657

Re: Subtract from get given IP

Hi, i have this problem: /global IP [/ip neighbor get number=0 address]; :set "$IP" ($IP-1); Script Error: cannot substract string from time interval But it work if i set IP variable manually, there is a way to subtract an ip address given by print or get command? Thanks How about this? :global IP ...
by eworm
Mon Jan 21, 2019 10:34 pm
Forum: General
Topic: ipsec error: peer's ID mismatched with ASN1 SubjectName
Replies: 12
Views: 915

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

And another mismatch...
* main router -> certificate "server-2019" -> ca "ca-2019"
* remote router -> certificate "client" -> "ca2019" (note the missing dash, this is a completely different CA!)

You really should clean up and control your mess.
by eworm
Mon Jan 21, 2019 10:27 pm
Forum: General
Topic: ipsec error: peer's ID mismatched with ASN1 SubjectName
Replies: 12
Views: 915

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Perhaps you should clean it up to get it working.

If I get the bits right the settings still do not match:
* For main router: peer 0.0.0.0/0 -> profile_4 -> dh-group=none
* For remote router: peer 1.1.1.1/32 -> profile_2 -> dh-group=modp1024

And you still have "remote-certificate=" set...
by eworm
Mon Jan 21, 2019 6:17 pm
Forum: General
Topic: ipsec error: peer's ID mismatched with ASN1 SubjectName
Replies: 12
Views: 915

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Your proposal settings do not match... One has "pfs-group=none", the other "pfs-group=modp1024".

If this still does not work please give config from both sides with:
/ ip ipsec export hide-sensitive
And show detailed infos about certificates with:
/ certificate print detail
by eworm
Mon Jan 21, 2019 12:06 am
Forum: General
Topic: ipsec error: peer's ID mismatched with ASN1 SubjectName
Replies: 12
Views: 915

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

You should be more specific about configuration and certificates.

Wild guess: You did not mix certificates from old and new CA, no?
by eworm
Sun Jan 20, 2019 11:18 pm
Forum: General
Topic: ipsec error: peer's ID mismatched with ASN1 SubjectName
Replies: 12
Views: 915

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

The code snippet is from your main router, no? It will accept only one client, the one with certificate "client-2019", everything else is rejected. To fix:
/ ip ipsec peer set remote-certificate=none [ find ]
by eworm
Sun Jan 20, 2019 9:57 pm
Forum: General
Topic: 2 parallel IPsec IKEv2 tunnels to CHR server
Replies: 3
Views: 612

Re: 2 parallel IPsec IKEv2 tunnels to CHR server

Without detailed information and configuration it is hard to tell. Guess into the blue: Your road warriors have different certificates, no? Using the same certificate will make the first being kicked when the second connects. Your central router does need just one public address for multiple clients...
by eworm
Fri Jan 18, 2019 2:35 pm
Forum: Scripting
Topic: DHCP logic to work with PXE
Replies: 1
Views: 302

Re: DHCP logic to work with PXE

This has been requested several times. I think it is still not possible:

viewtopic.php?t=95674
viewtopic.php?t=89883
by eworm
Fri Jan 18, 2019 12:16 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only); [admin@MikroTik] /system backup cloud> print -- connecting Server error: Backend error. Try again later. Breakage in version or issue with servers? Edit: Works again, was a server issue. *) console - updated cop...
by eworm
Thu Jan 17, 2019 6:30 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

I am running testing versions on my wAP with R11e-LTE. Recently the lte interface does not reliably connect after boot, I have to reboot the device then. This worked pretty well before, so I am sure this is a regression from beta50 to beta54.
by eworm
Tue Jan 15, 2019 5:41 pm
Forum: General
Topic: remote logging to systemd journal
Replies: 0
Views: 292

remote logging to systemd journal

Hello everybody, I do use a linux server for remote logging. For some time I ran a rsyslog instance that listened for syslog messages on UDP port 514 and redirected them to systemd's journald. But the syslog implementations are bloated and complex for a simple task like this - especially if you do n...
by eworm
Mon Jan 14, 2019 9:59 am
Forum: Scripting
Topic: netwatch script compose email to multiple recipients?
Replies: 7
Views: 8911

Re: netwatch script compose email to multiple recipients?

Simply use cc... That accepts several recipients.
/tool e-mail send \
to=abc@mycompany.com \
cc=michael.manns@gmail.com,another@gmail.com \
from=KCMT@foresitewireless.com \
 subject=("Room 206 AP is down")
by eworm
Fri Jan 11, 2019 6:28 pm
Forum: General
Topic: LTE Modem Firmware upgrade
Replies: 1
Views: 689

Re: LTE Modem Firmware upgrade

Probably when 6.44 is ready... Nobody will give you a date for that.
by eworm
Fri Jan 11, 2019 1:15 am
Forum: RouterBOARD hardware
Topic: Which RB devices are upgraded to have USR LED and MODE button?
Replies: 3
Views: 606

Re: Which RB devices are upgraded to have USR LED and MODE button?

You can make the devices act on multiple mode button presses. Have a look at mode-button-event and mode-button-scheduler. For these to function you need other scripts from routeros-scripts.
by eworm
Tue Jan 08, 2019 2:28 pm
Forum: General
Topic: IKEv2 multiple clients [SOLVED]
Replies: 7
Views: 1149

Re: IKEv2 multiple clients [SOLVED]

The peer certificate is issued from a CA on your device, that only accepts trusted certificates it issued itself.
by eworm
Tue Jan 08, 2019 2:07 pm
Forum: General
Topic: IKEv2 multiple clients [SOLVED]
Replies: 7
Views: 1149

Re: IKEv2 multiple clients [SOLVED]

I think your problem is that you have two peers, and only the first is matched. Try:
/ip ipsec peer remove [ find where remote-certificate=client1 ];
/ip ipsec peer set remote-certificate="" [ find ];
by eworm
Tue Jan 08, 2019 11:00 am
Forum: General
Topic: IPSEC/IKEv2, mode-config and changing ip addresses
Replies: 0
Views: 309

IPSEC/IKEv2, mode-config and changing ip addresses

Hello everybody, I have an IPSEC/IKEv2 VPN in transport mode, GRE interfaces connect to the IPSEC addresses. The real data goes through the GRE interfaces. Currently the server runs a script to update the GRE interfaces' remote addresses, according to the client addresses assigned by mode-config. Is...
by eworm
Sun Jan 06, 2019 11:39 pm
Forum: General
Topic: Feature request (SCRIPTING)
Replies: 6
Views: 773

Re: Feature request (SCRIPTING)

It does work from script, but I just realized it fails when started from scheduler. No idea what's wrong, no logs on either side.
by eworm
Sun Jan 06, 2019 10:58 pm
Forum: General
Topic: How to get current system date and time to a variable ?
Replies: 1
Views: 355

Re: How to get current system date and time to a variable ?

Both to one variable?
:global DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
If you want each in one variable:
:global Date [ / system clock get date ];
:global Time [ / system clock get time ];
by eworm
Sun Jan 06, 2019 6:19 pm
Forum: General
Topic: Feature request (SCRIPTING)
Replies: 6
Views: 773

Re: Feature request (SCRIPTING)

Import private and public key on Router A: /user ssh-keys private import private-key-file=id_rsa public-key-file=id_rsa.pub Then import public key on Router B: /user ssh-keys import user=admin public-key-file=id_rsa.pub Then ssh from Router A to Router B: /system ssh address=10.0.0.1 user=admin com...
by eworm
Fri Jan 04, 2019 7:20 pm
Forum: General
Topic: Feature request (SCRIPTING)
Replies: 6
Views: 773

Re: Feature request (SCRIPTING)

Import private and public key on Router A: /user ssh-keys private import private-key-file=id_rsa public-key-file=id_rsa.pub Then import public key on Router B: /user ssh-keys import user=admin public-key-file=id_rsa.pub Then ssh from Router A to Router B: /system ssh address=10.0.0.1 user=admin comm...
by eworm
Fri Jan 04, 2019 12:15 pm
Forum: RouterBOARD hardware
Topic: HOW TO GET SIM CARD NUMBER
Replies: 6
Views: 1607

Re: HOW TO GET SIM CARD NUMBER

:put ([ / interface lte info [ :pick [ find ] 0 ] once as-value ]->"uicc")
by eworm
Thu Jan 03, 2019 2:31 pm
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 33800

Re: v6.43.8 [stable] is released!

This works:
/system script environment { :global A 10; remove "A"; :global A 20; print; remove [ find where name="A" ]; }
I do not have an explanation, though.
by eworm
Thu Jan 03, 2019 1:03 am
Forum: RouterBOARD hardware
Topic: CRS328-24P-4S+RM POE Problems
Replies: 5
Views: 963

Re: CRS328-24P-4S+RM POE Problems

Try a power cycle on the port:
/ interface ethernet poe etherX power-cycle
by eworm
Wed Jan 02, 2019 12:21 am
Forum: General
Topic: RouterOS 6.34.4 cannot import ed25519 ssh public keys.
Replies: 2
Views: 537

Re: RouterOS 6.34.4 cannot import ed25519 ssh public keys.

Currently only DSA and RSA keys are supported. I would like to see support for ed25519 keys as well... BTW, RSA is supported since RouterOS 6.31 and has been added after OpenSSH deprecated DSA in a way that you had to specify extra options to connect. Let's hope we do not need a similar event for ed...
by eworm
Tue Jan 01, 2019 4:18 pm
Forum: General
Topic: ZeroByte can you help
Replies: 4
Views: 673

Re: ZeroByte can you help

Oh, I did misread (or understand at all) this post.
Did not get that he wants to contact a user specifically. So sorry and good luck.
by eworm
Tue Jan 01, 2019 12:42 pm
Forum: Scripting
Topic: Add value to the end of an array?
Replies: 1
Views: 458

Re: Add value to the end of an array?

This creates empty array and adds a value:
:local array [ :toarray "" ];
:set array ( $array, $newvalue );
Just repeat for more values.
by eworm
Tue Jan 01, 2019 12:31 pm
Forum: General
Topic: ROS as a IKEV2 client support EAP-MSChAPv2?
Replies: 3
Views: 754

Re: ROS as a IKEV2 client support EAP-MSChAPv2?

Currently EAP authentication as initiator is not possible for IKEv2.
viewtopic.php?p=650295
by eworm
Tue Jan 01, 2019 12:27 pm
Forum: General
Topic: ZeroByte can you help
Replies: 4
Views: 673

Re: ZeroByte can you help

by eworm
Mon Dec 31, 2018 12:32 am
Forum: General
Topic: NordVpn and mikrotik?
Replies: 22
Views: 4166

Re: NordVpn and mikrotik?

I just checked and it is not going to happen till ROS 7.

viewtopic.php?p=650295
Thanks for the link, msatter! In short: currently EAP authentication as initiator is not possible for IKEv2. So the website is right, no-go with Mikrotik.
by eworm
Sun Dec 30, 2018 6:45 pm
Forum: General
Topic: NordVpn and mikrotik?
Replies: 22
Views: 4166

Re: NordVpn and mikrotik?

IKEv2/IPSEC is supported by NordVPN: https://nordvpn.com/de/tutorials/windows-10/ikev2/ This is a tutorial for Windows 10, but it does not matter for the supported protocol and RouterOS does support IKEv2/IPSEC. So still: What's the issue? Just ignore what they say is not supported, probably they di...
by eworm
Sun Dec 30, 2018 3:19 pm
Forum: General
Topic: NordVpn and mikrotik?
Replies: 22
Views: 4166

Re: NordVpn and mikrotik?

Then what's the issue with NordVPN and IKEv2/IPSEC?
by eworm
Sun Dec 30, 2018 2:49 am
Forum: General
Topic: NordVpn and mikrotik?
Replies: 22
Views: 4166

Re: NordVpn and mikrotik?

Well, IKEv2/IPSEC should do the trick. I do not have a NordVpn account, so can not verify.
by eworm
Sat Dec 29, 2018 11:54 pm
Forum: Scripting
Topic: Script only works in terminal, not by GUI or scheduler
Replies: 4
Views: 494

Re: Script only works in terminal, not by GUI or scheduler

You should not (never ever!) use any print and index in your scripts. Things will break badly if items are numbered differently for whatever reason. Instead of this bad code: /int bridge port print remove 4,5 You should use something like this: /int bridge port remove [ find where interface=wlan1 ] r...
by eworm
Wed Dec 19, 2018 3:11 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208051

Re: Feature requests

If anybody from MikroTik is reading this I would make a suggestion that I can somehow disable fetch tool log messages. I wrote a simple script for fetching public IP address for updating No-ip address, and it works OK, but now I have log flooded with fetch messages. You can get rid of this. If you d...
by eworm
Wed Dec 19, 2018 1:00 am
Forum: General
Topic: Mikrotik powered christmas tree
Replies: 2
Views: 520

Re: Mikrotik powered christmas tree

I've been waiting for that christmas tree. Thanks a lot for bringing it back!
by eworm
Wed Dec 19, 2018 12:46 am
Forum: General
Topic: Cloud Backup
Replies: 20
Views: 3730

Re: Cloud Backup

This is a nice feature, but it has one weakness: You have to remove the backup before uploading a new one. In case the removal succeeds but the upload fails you do not have a backup at all (at least in cloud). So you should consider to either provide two upload slots, so one backup can be removed wh...
by eworm
Tue Dec 18, 2018 10:31 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

What do you mean with lost package? Did you actually lose wireless package under System/Packages menu or wireless interface did not work properly? The wireless package did no longer show under System/Package, had to copy the npk file manually to recover. Tried to reproduce with a mAP lite that has ...
by eworm
Tue Dec 18, 2018 2:23 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

set frequency-mode to regulatory-domain That works, thanks! Can this be the cause for my trouble with wireless package? *) package - use bundled package by default if standalone packages are installed as well; what set of packages did you have? and what did you use to upgrade? Ah, right, that could...
by eworm
Tue Dec 18, 2018 2:12 pm
Forum: General
Topic: IP CLOUD is down
Replies: 61
Views: 10604

Re: IP CLOUD is down

Normis ... How to know if you are using the old cloud or the new one ??? Is there any way to know it ???
Up to RouterOS 6.42.x: old cloud
RouterOS 6.43 and later: new cloud
by eworm
Tue Dec 18, 2018 2:06 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

set frequency-mode to regulatory-domain
That works, thanks! Can this be the cause for my trouble with wireless package?
by eworm
Tue Dec 18, 2018 1:40 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

Updated wAP LTE to version 6.44beta50 and lost the wireless package. :-/ The LTE connection was really weak, though - no idea if that caused the issue. After restoring my settings I can not set the country for my interface: [admin@MikroTik] /interface wireless> set country=germany wlan1 failure: on...
by eworm
Tue Dec 18, 2018 1:12 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

Updated wAP LTE to version 6.44beta50 and lost the wireless package. :-/
The LTE connection was really weak, though - no idea if that caused the issue.
by eworm
Mon Dec 17, 2018 9:39 pm
Forum: General
Topic: GRE tunnel running on one side but not the other?
Replies: 3
Views: 422

Re: GRE tunnel running on one side but not the other?

And another note... In your current situation removing stale connection may help:
/ ip firewall connection remove [ find where protocol=gre ]
by eworm
Mon Dec 17, 2018 9:11 pm
Forum: General
Topic: GRE tunnel running on one side but not the other?
Replies: 3
Views: 422

Re: GRE tunnel running on one side but not the other?

I use GRE over IPSEC. For me this happened when one side had stale connection in tracking before IPSEC was up. My solution is a simple rule in firewall:
/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=gre
by eworm
Fri Dec 14, 2018 11:52 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

[admin@MikroTik] > :global firmware [ / interface lte firmware-upgrade lte once as-value ]; [admin@Mikrotik] > :put ($firmware->"installed") MikroTik_CP_2.160.000_v010 [admin@MikroTik] > :put ($firmware->"latest") MikroTik_CP_2.160.000_v010 [admin@MikroTik] > :if (($firmware->"installed") != ($firm...
by eworm
Fri Dec 14, 2018 9:47 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208051

Re: Feature requests

I would love to see the functionality of the Mode button expanded. Specifically, it would be useful to be able to assign different actions taken based on whether the button was pressed once, double-pressed, triple-pressed, or long-pressed. That is possible with scripts. See my RouterOS Scripts (or ...
by eworm
Fri Dec 14, 2018 8:32 am
Forum: Scripting
Topic: Using Wifi or User led to show signal strength
Replies: 7
Views: 1514

Re: Using Wifi or User led to show signal strength

[...] : local a [/interface wireless registration-table get value-name=signal-strength [ find where mac-address=00:11:22:33:44:55 ] ] [...] I will test it out, but then you also have to manually find the mac of the link and edit the script. If MAC address changes because it is not always the same c...
by eworm
Fri Dec 14, 2018 1:23 am
Forum: Scripting
Topic: Using Wifi or User led to show signal strength
Replies: 7
Views: 1514

Re: Using Wifi or User led to show signal strength

But there are some bugs with it. When I start it with a client connected it runs fine. Stop the client and no more blink. But turn on the client again and i do not get any blink. IF I do run this command it will work again /interface wireless registration-table print stats Never ever use item index...
by eworm
Fri Dec 14, 2018 1:09 am
Forum: General
Topic: [Feature request] conditional dhcp options
Replies: 18
Views: 5341

Re: [Feature request] conditional dhcp options

You define an option set named "legacy", but it is not used anywhere. I do not think this works.
by eworm
Thu Dec 13, 2018 4:50 pm
Forum: General
Topic: POE out of mAP-2N ? passive?
Replies: 4
Views: 456

Re: POE out of mAP-2N ? passive?

Hello ,
when I look at the powering specifications of the mAp-2n , is said:
PoE in 802.3af/at
PoE out Passive PoE

what does it mean?
I mean the poe-out ?

if I have a 12V poe camera ,
can I connect it to it?
Output voltage is the same as input.
by eworm
Thu Dec 13, 2018 3:16 pm
Forum: Scripting
Topic: Sync DNS entries with DHCP leases
Replies: 9
Views: 3187

Re: Sync DNS entries with DHCP leases

Looks interesting, but have some question. The readme file I found only describe how the script update process. Do the DHCP script runs at the DHCP or scheduled? What if you have set a DNS name for a host manual, do it get overwritten? Some scripts need extra documentation... Will look into that wh...
by eworm
Wed Dec 12, 2018 11:14 pm
Forum: Scripting
Topic: Auto upgrade script
Replies: 12
Views: 19533

Re: Auto upgrade script

The script that I use is this one: check-routeros-update on github or cgit Its primary purpose is to notify me about updates, but now that fetch command can put results in variable (Thanks Mikrotik!) I added an auto-upgrade functionality. Only thing required is a http server to give the version. (Th...
by eworm
Wed Dec 12, 2018 10:23 pm
Forum: Scripting
Topic: Sync DNS entries with DHCP leases
Replies: 9
Views: 3187

Re: Sync DNS entries with DHCP leases

I have another one:
dhcp-to-dns on github or cgit.

(This depends on other scripts from the same repository, see README to setup.)
by eworm
Wed Dec 12, 2018 10:12 pm
Forum: Scripting
Topic: How to create a loop to add bridge with pre-defined configuration?
Replies: 4
Views: 589

Re: How to create a loop to add bridge with pre-defined configuration?

Try this:
add name=($brname . $br) comment=($brcomm . $br) ...
by eworm
Wed Dec 12, 2018 10:00 pm
Forum: General
Topic: if else won't run script but run on terminal !
Replies: 17
Views: 1474

Re: if else won't run script but run on terminal !

Maybe this could be changed to use default interface name, since I have changed mine to something else.
Yes, you need to change that. :wink: As said... Check the condition. :roll: (I did a quick copy and paste on my tablet and missed the changed interface name.)
by eworm
Wed Dec 12, 2018 9:57 pm
Forum: General
Topic: if else won't run script but run on terminal !
Replies: 17
Views: 1474

Re: if else won't run script but run on terminal !

Never address items with index! Replace "0" with find command: :if ([/ip route get [ find where gateway=ether1 ] active] = true) do={/lcd interface display ether1} else={/lcd interface display ether7} Check if the condition is correct... Well you can if you print :D That's true... But it is still p...
by eworm
Wed Dec 12, 2018 7:00 pm
Forum: General
Topic: if else won't run script but run on terminal !
Replies: 17
Views: 1474

Re: if else won't run script but run on terminal !

Never address items with index! Replace "0" with find command:
:if ([/ip route get [ find where gateway=ether1 ] active] = true) do={/lcd interface display ether1} else={/lcd interface display ether7}
Check if the condition is correct...
by eworm
Mon Dec 10, 2018 12:14 pm
Forum: Announcements
Topic: Securing your device is important
Replies: 32
Views: 11332

Re: Securing your device is important

and keep always-allow-password-login set to no : [admin@mikrotik] > /ip ssh set always-allow-password-login=no Password login is no longer possible and brute force attack can never succeed. Regarding this, that is not actually the case. Even with this option set to no (which is by the way already se...
by eworm
Fri Nov 30, 2018 1:08 am
Forum: Scripting
Topic: How to pass variable between scripts
Replies: 10
Views: 1829

Re: How to pass variable between scripts

Hello, I have similar problem. I have 2 script name="test1" source=:global test "12345"; name="test2" source=:put $test; And I can't display global variable from script [admin@test] /system script> run test1 [admin@test] /system script> environment print # NAME VALUE 0 test 12345 [admin@test] /syst...
by eworm
Mon Nov 26, 2018 9:36 pm
Forum: Announcements
Topic: v6.42.10 [long-term] is released!
Replies: 25
Views: 10746

Re: v6.42.10 [long-term] is released!

I can't update an RB4011 with this version. RB4011 states the minimum supported is 6.43.
You can not downgrade below factory firmware.
by eworm
Fri Nov 23, 2018 6:54 pm
Forum: General
Topic: Mikrotik SSH Vulnerability 6.14+
Replies: 4
Views: 577

Re: Mikrotik SSH Vulnerability 6.14+

Your provided link does not work. Do you have any other resources?
by eworm
Fri Nov 23, 2018 6:52 pm
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 877

Re: SSl Certificat For Mikrotik

The "Let's encrypt" certificates should work just fine. Possibly you have to import the CA chain (root and intermediate certificate) into your Mikrotik device to make things work.
by eworm
Wed Nov 21, 2018 4:34 pm
Forum: General
Topic: Auto mating ssh key installs [SOLVED]
Replies: 2
Views: 605

Re: Auto mating ssh key installs [SOLVED]

Adding a SSH public key disables password login for SSH. To change this run:
/ ip ssh set always-allow-password-login=yes
by eworm
Tue Nov 13, 2018 12:10 pm
Forum: RouterBOARD hardware
Topic: mAP-2nD PoE Out question
Replies: 6
Views: 911

Re: mAP-2nD PoE Out question

I can confirm this works. I used mAP-2nD to sniff Cisco IP phone which is powered by 802.3af.
by eworm
Tue Nov 13, 2018 11:49 am
Forum: Scripting
Topic: cannot ssh to mikrotik rb750 with dsa key
Replies: 5
Views: 668

Re: cannot ssh to mikrotik rb750 with dsa key

Looks like anything is borked on RouterOS side. You can not even log in with password, no? Try to regenerate the host keys:
/ip ssh regenerate-host-key
by eworm
Fri Nov 02, 2018 2:56 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 26102

Re: v6.42.9 [long-term] is released!

Good point, we definitely need some option to stop bridge if all bridge ports are down (or to run it only if there are active ports). Someone just needs to contact support@mikrotik.com with that request :) I contacted support multiple times. They refused to accept that it is an issue. Oh well, Juni...
by eworm
Fri Nov 02, 2018 10:20 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

Nice catch. It is because of the new IKEv2 feature which works with DHCP. I will update the changelog.
Will devices be able to handle that on its own? Or more important... Will CAPsMAN handle this for connected devices?
by eworm
Mon Oct 29, 2018 1:30 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

Starting with 6.44beta28 the security package requires the dhcp package to be installed? I think that is something to be noted in changelog. What's the reason?
by eworm
Mon Oct 22, 2018 12:21 pm
Forum: General
Topic: Can't update firmware from a script
Replies: 4
Views: 921

Re: Can't update firmware from a script

Adding without-paging works reliably and without delay. 8)
by eworm
Sun Oct 21, 2018 6:41 pm
Forum: General
Topic: Can't update firmware from a script
Replies: 4
Views: 921

Re: Can't update firmware from a script

This issue has been around for a while but I am just now getting around to posting it. I can't create a scheduled script to update firmware. I used to be able to do this. It broke someplace along the line. /system package update check-for-updates /system package update install YES,,, I understand th...
by eworm
Tue Oct 16, 2018 11:32 pm
Forum: RouterBOARD hardware
Topic: R11e-4G vs. R11e-LTE
Replies: 4
Views: 1293

Re: R11e-4G vs. R11e-LTE

Looks like I will stay with R11e-LTE then. :-D
Anyway... Is there any reliable source what provider uses what bands (other than searching Google...).
by eworm
Mon Oct 15, 2018 3:15 pm
Forum: RouterBOARD hardware
Topic: R11e-4G vs. R11e-LTE
Replies: 4
Views: 1293

R11e-4G vs. R11e-LTE

Hello everybody,

Mikrotik announced a new miniPCI-e card for LTE/4G named "R11e-4G". It supports some different bands compared to the older card "R11e-LTE". How to decide what card to use at what location? Wondering if it is worth changing/upgrading the cards in my wAP and ltAP.
by eworm
Wed Oct 10, 2018 4:13 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 84074

Re: v6.44beta [testing] is released!

The fetch command behaves weird... [admin@MikroTik] > :put ([ /tool fetch https://www.eworm.de/ip/index.shtml output=user as-value ]->"data") 91.16.17.160 [admin@MikroTik] > /file print where name="index.shtml" # NAME TYPE SIZE CREATION-TIME 0 index.shtml .shtml file 0 oct/10/2018 15:07:50 It does p...
by eworm
Mon Oct 08, 2018 11:55 am
Forum: Scripting
Topic: Built in function library
Replies: 55
Views: 13821

Re: Built in function library

- Ability to add items to end of arrays
Looks like "+" works just fine:
No, the documentation says using a comma is the correct way:
:set a ($a, 5);
https://wiki.mikrotik.com/wiki/Manual:S ... _Operators
by eworm
Thu Oct 04, 2018 7:49 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 26102

Re: v6.42.9 [long-term] is released!

I like this long-term version and it works fine for me. I have a small problem with my auto-update script, that updates all my devices (only to bugfix channel). Until now it works just fine with RouterOS and Routerboard firmware updates, but now this code asks for [y/n]... /system routerboard :if (...
by eworm
Tue Oct 02, 2018 3:51 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 26102

Re: v6.42.9 [long-term] is released!

Try this:
Yes. But this topic is named long-term too. Confusion from mikrotik :)
That's true. But I think RouterOS itself will do the change with version 6.44. Any official statement on this?
by eworm
Tue Oct 02, 2018 3:44 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 26102

Re: v6.42.9 [long-term] is released!

Well, technically speaking, it's still "bugfix", not "long-term"
It is not true :)
Try this:
[admin@MikroTik] > :put ("Version " . [ / system package update get latest-version ] . " is channel " . [ / system package update get channel ] . "!");
by eworm
Mon Oct 01, 2018 7:11 pm
Forum: Announcements
Topic: Newsletter #84
Replies: 47
Views: 12950

Re: Newsletter #84

Yes. T-shirts, stickers and free routers ;)
Wondering what routers will surprise us this time... :wink:
by eworm
Wed Sep 12, 2018 10:35 am
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 28887

Re: v6.43 [current] is released!

We tried Mac telnet and same issue. Does anyone know if we hard reset device will it clear the backups stored on device? It depends on the version which was there before and how you have stored the backups. Since 6.? (sorry, I don't know exactly), you have to use a file name starting with flash/ to...
by eworm
Mon Sep 10, 2018 3:22 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 28887

Re: v6.43 [current] is released!

[...] Since the speed setting does not take effect when "auto-negotiation=yes", [...] Are you sure? I have a CRS where one port negotiates at 100M-full - probably due to bad wiring. If I set speed=1Gbps the port is flapping at 1000M-full. This cosmetic issue can be manually fixed by setting new val...
by eworm
Mon Sep 10, 2018 1:05 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 28887

Re: v6.43 [current] is released!

*) fetch - added "as-value" output format; Assuming this is still the same functionality as described at https://wiki.mikrotik.com/wiki/Manual:Tools/Fetch#Return_value_to_a_variable , I am surprised to find that when I do this: /tool fetch mode=https host="mikrotik.com" url="https://mikrotik.com/ab...
by eworm
Thu Sep 06, 2018 9:59 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 113454

Re: v6.43rc [release candidate] is released!

Technically this is not about the release candidate version, posting here because of changelog: !) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process); My device is running current version 6.42.7 and I want to update the l...
by eworm
Thu Sep 06, 2018 5:55 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 113454

Re: v6.43rc [release candidate] is released!

After a while ... depends on how often is RB supposed to renew the DDNS record. If you turn cloud off, cloud (hopefully) doesn't know it and records have to expire. No. From https://wiki.mikrotik.com/wiki/Manual:IP/Cloud : After router sends it's IP address to the cloud server, it will stay on the ...
by eworm
Thu Sep 06, 2018 4:46 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 113454

Re: v6.43rc [release candidate] is released!

Technically this is not about the release candidate version, posting here because of changelog: !) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process); My device is running current version 6.42.7 and I want to update the la...
by eworm
Fri Aug 31, 2018 5:56 pm
Forum: Scripting
Topic: Exit script if...
Replies: 4
Views: 1238

Re: Exit script if...

/quit
That closes the terminal connection...

I'd suggest
:error "bye!"