MikroTik

eworm

Same thing happens with international characters, e.g. you can add ěščřžýáíé.example.net, which you might expect to be internally translated to punycode version xn--1caql6dzd0drw5bzo.example.net, because why else would RouterOS accept it, right? But it doesn't happen, it will store exactly what you...

eworm

There's no impact, just an annoying error message.

eworm

The color indicates POE output type. IIRC green is for passive POE and red is for 802.3af/at.
This is not related to the link.

eworm

This is a know issue from early 6.48 beta releases... It happens on devices without wireless package.
No idea why they backported the issue but skipped the fix...

eworm

This is now suffering the log messages on default configuration script we had in testing before:

system;error;critical error while running customized default configuration script: expected end of command (line 1337 column 53)

This happens without wireless package only.

eworm

I think my script log-forward could serve your needs... Though it does not only notify about failed login attempts but everything interesting - configurable with filters.
It depends on other scripts, see the main README on how to install this.

eworm

So a general remark: I think cases should remain browseable for the submitter, even after they have been closed by MikroTik.

I am pretty sure they are. Log in to the support portal and see your closed cases.

eworm

ok, I already found it.: /put [ip firewall filter get number=1 disabled] You should never use index in scripts, that will break! Instead find the correct rule with whatever criteria it has, for example giving it the comment "first": :put [ /ip firewall filter get [ find where comment="first" ] disa...

eworm

Sure it does. In this example you should add quotes I guess...

eworm

Your variable is declared too late. It is valid inside the blocks only. Try this:

:global xc;
:if ([ /ping 192.168.5.54 size=28 interval=30ms count=1 ] = 0) do={
  :set xc 20;
} else={
  :set xc 50;
}
:log warning $xc;

eworm

Use this: # we are not interested in output, but print is # required to fetch information from cloud / system backup cloud print as-value; / system backup cloud upload-file action=create-and-upload password=$BackupPassword replace=[ get ([ find ]->0) name ]; If you want this to be fully automated an...

eworm

My editor of choice is vis - a modern, legacy free, simple yet efficient vim-like editor.
I added a RouterOS script lexer, that is now available in git master.

eworm

Does this have to be associated to the vpn disconnect and (re-)connect? I have a script netwatch-notify that does monitor ip addresses via netwatch. It has a simple state machine to ignore a (configurable) number of failed attempts. (You have to install the base scripts for this to work, see main RE...

eworm

The path set in /tool fetch url=... is rather absolute path from server's root (not from users home directory). That depends on the configuration. My sftp accounts are jailed into a chroot and limited to sftp only (with openssh's sftp-server). So for me the path is relative to the chroot directory.

eworm

The path on your server exists? You need a subdirectory"ftp" with write permission.

eworm

Error shows up on 2 routers.

These are the only Mikrotik devices or does it work on others?

eworm

The error message indicates this is about key exchange algorithms , but following the log it was agreed on diffie-hellman-group-exchange-sha256 . In fact it was not agreed on the host key algorithms . Looks like both support rsa-sha2-256 , no idea why it is not used. BTW, ssh-dss and ssh-rsa are val...

eworm

Static entries do work, but behavior changed a bit. I've described the issue in v6.47 release thread.

In short:
Without DoH a single A record does cover everything. With DoH enabled it will check for AAAA record upstream.

eworm

It is just efficient!

Right you are. But it is important to shorten the quote to what you actually intend to quote, just as we both did.
Quoting a post including a quote, including a quote, including a quote .... does not add mutch value.
So I am all for quotes if done right.

eworm

What ssh client do you use? Can you give the exact error message?

A blind guess if everything else fails: regenerate your host keys:

/ip ssh regenerate-host-key

eworm

Perhaps my script dhcp-to-dns may be of interest... If I got you right it does what you want.
(It depends on more scripts, so see main README for installation.)

eworm

This is a known problem, look at the release threads.
Mikrotik did not (yet) react on this. No answers, no changes.

eworm

Any details on the temperatures before and after the mod?

eworm

Does it make a difference if you lower the mtu size on wireguard interfaces?
On Device B?

Yes, on device B and on your client. I think the mtu should match on both sides. No idea what happens if it does not.

eworm

Does it make a difference if you lower the mtu size on wireguard interfaces?

eworm

By the way what does this one mean. *) interface - added new builtin "static" interface list; This is a very interesting changelog item, one that has never been in a stable (or development) release. I find confusing that this comes to the long term release with barely no testing, has been first see...

eworm

It is part of a bigger collection and requires the base installation at least. See the main README for details. Configuration for e-mail and telegram goes to global configuration.

eworm

Is there are firewall rule that does source NAT just after destination NAT for the incoming packet? Possibly that confuses wireguard...
What interfaces are in interface list "WAN"?

eworm

You could can use my script for release notification:
Notify on LTE firmware upgrade

Of course this does not give a hint what changed.

eworm

It is not. But would be nice...
Missing this on some devices, including CCR1009 & mAP (lite). Would have to check all my devices for a complete list.

eworm

Not all devices support this... Try the following code to check:

:if ([ :len [ /system routerboard mode-button print as-value ] ] > 0) do={ :put "Mode button supported."; }
:if ([ :len [ /system routerboard reset-button print as-value ] ] > 0) do={ :put "Reset button supported."; }

eworm

Ah, I misread and misunderstood some details. So both peers are behind NAT, one is supposed to be reachable via destination NAT.
Never tried that with wireguard, no idea if this should work.

eworm

Ok, some questions here:

Why do you configure wireguard on device B, not device A?

What does the other side look like? Does it have a public address without NAT? If it does: Things should work without destination NAT if connection is initiated from device behind NAT.

eworm

But Wireguard with Mikrotik behind NAT is not a problem for me.
Share a secret )

I'm sorry, but there's no secret... Just works for me.
Show you configuration export, possibly there's something fishy.

/interface/wireguard/export hide-sensitive

eworm

Wireguard does not connect from Mikrotik behind NAT to a Linux server with a white IP.

What is a "white IP"?
But Wireguard with Mikrotik behind NAT is not a problem for me.

eworm

Not sure this is working ? The DoH server I'm using is https://doh.opendns.com/dns-query , and I see requests to 146.112.41.2 , but none to 2620:119:fc::2

I guess IPv4 is still preferred if a domain resolves with A and AAAA record. Try a domain that has just an AAAA record or use IPv6 address.

eworm

Wireguard endpoints are set and updated automatically on handshake. Huh. Are you sure that both of endpoint can be updated automatically? Nevertheless, I can't find any example of routeros setup with one of the peers is with endpoint (e.g. "client") and other is without ("server"). May be I'm on wr...

eworm

Wireguard endpoints are set and updated automatically on handshake.

eworm

So I was going to send the link but thought better of it......... Instead try this www.google.com Are you nuts? I know how to use google and I know the link given by IPANetEngineer. My understanding was that the answer was about connecting to NordVPN via Wireguard, which is not handled by Rick Frey...

eworm

What manual are you speaking about? Can you give a link?

eworm

The Telegram Bot API documentation regarding sending files is here:
https://core.telegram.org/bots/api#sending-files

Not sure this works with fetch command... Probably not.

eworm

Answering myself... Looks like this is executing an empty command, which evaluates to "nil":

[admin@mt] > :put [ :typeof [] ]
nil

eworm

For the inversion you have to use parenthesis:

... where !(comment=[])

Really nice to have this... Is this documented anywhere?

eworm

Wait for RouterOS v8 for an answer on that. :D

eworm

This is by design. Peers are identified by their public key, changing the endpoint automatically makes it roam seamlessly.
If the peer changes its address the configuration should update again.

eworm

Ah, stupid me... Of course it's keepalive.

/ interface gre unset keepalive [ find ]

eworm

You have to unset the timeout for GRE interfaces:

/ interface gre unset timeout [ find ]

eworm

Testing on a RB951G (mipsbe with 600MHz single core) with a 100/40 MBit/s uplink: I could do 90/38 MBit/s through the tunnel - with bandwidth-test on the device itself. Pretty impressive given that IPSec barely does 20 MBit/s... So can't wait to see WireGuard in a stable version... I hope it does no...

eworm

NordVPN uses more than just a plain WireGuard connection... This is to make sure an individual can not be associated with public traffic.
I can not give any more detail, though... I would be interested to make this work as well.

eworm

Yes, I got that, and I second your request.
But for now only my method is available. ;)

eworm

Wireguard support cool thing, but where is an instruction how to use it?

Configuring wireguard is pretty straight forward. Just look at the options available.

eworm

No, it is not too hard. My scripts collection (see signature) has a function for that. Just run...

$DownloadPackage wireless

... and reboot to install the package. (The also supports downloading packages in other version or for different architecture, for example to use with capsman.)

eworm

btw.after install I see in log this :
system,error,critical,,, error while running customized default configuration script: expected end of command (line 1315 column 53)

Me too. Reported for 6.47beta12 as SUP-21264, just re-opened.

eworm

No... You can do something like this: :local PIHOLEHOST "pihole.example.com" :local PIHOLEHOSTIP [:resolve $PIHOLEHOST] :log info "PI-Hole script started... ($PIHOLEHOSTIP)" :if ([/ping $PIHOLEHOSTIP interval=1 count=1] = 1) do={ :log info "PI-Hole host is UP! (ping)" :do { :resolve $PIHOLEHOST serv...

eworm

I guess the script is terminated on error... Try to catch it:

:do {
  :resolve ...
} on-error={
  ...
}

eworm

send-initial-contact=yes is not an instruction to act as initiator; it actually means "replace any already existing connection from my IP address, irrespective of port, by this new one", so it is quite dangerous in some scenarios (multiple initiators coming to the responded from behind the same NAT...

eworm

Indeed... We are bored, give us something to play with!

eworm

IIRC the functionality was added in 6.46, the configuration option in 6.47.
Look up the changelog if you are interested in details.

eworm

Just disable dns in mode-config:

/ip ipsec mode-config set use-responder-dns=no NordVPN

eworm

Sadly there is no functionality to hook into interface events.
You could run a script via scheduler that checks link status for the ports in very short interval.

eworm

I have something very similar in my scripts collection: Mode button with multiple presses
I think it has some advantages and configuration goes to a central script.

eworm

Looks like there is a hard limit in RouterOS. Only Mikrotik can change that.
Open a support ticket if you want or need this to change.

eworm

Great! Looks like it is about as fast as IPSec...
At least on ARM. Wondering what numbers look like on mipsbe and tile.

eworm

This is your issue:

debug1: Skipping ssh-dss key id_dsa - not in PubkeyAcceptedKeyTypes

You have to extend your configuration even more.

Better solution: Update RouterOS to a recent version and use RSA keys.

eworm

Yes, it's a heavy plastic plate. But it has just rubber-feet, no sucker. But I will fasten it with a strong cord and eyelets in keder rails.

It now looks like this. Let's hope it will withstand bad weather and strong wind...

eworm

You could just set a record of type NXDOMAIN... /ip dns static add name=example.com type=NXDOMAIN However this is not specific to IPv6 and could cause clients to ignore the domain completely. I tend to set an AAAA record representing the IPv4 address: /ip dns static add name=example.com type=AAAA ad...

eworm

maybe, mounted on a plastic plate (Polyethylenplast) then a rubber-sucker (Saugnapf) in each corner to fasten to roof.
then very portable.

Yes, it's a heavy plastic plate. But it has just rubber-feet, no sucker. But I will fasten it with a strong cord and eyelets in keder rails.

eworm

How do you turn antenna, by losening the mount on the pole? What do you do while driving around, take the whole installation (including pole base) down? Yes, this is completely manual. When the caravan has its position I can place the antenna - neither caravan nor lte station will move then. :lol: ...

eworm

Mounted this on top of my caravan.
Guess it solves my connectivity issues...

eworm

You should ping the host cloudflare-dns.com, not the url.

eworm

Probably a bad idea. CRS125 is a switch, and in no way it can route a gigabit.
The poster wants fast internet connection, not VLAN.

eworm

Your Huawei Router is connected to what port?

If it is connected to ether1 your CRS is not working as switch but additional router. Disable DHCP server, plug the Huawei Router to any other port and try again.

eworm

Already reported for 6.48beta, but applies here, too:

*) dns - do not use DoH for local queries when a server is specified;

This is about forwarding? Looks like queries are still sent via DoH for me.
Anybody made this work?

eworm

That is a theory but unfortunately this does not work with DOH right now. Mikrotik staff is aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release fix in stable channel.

Does it work for you with 6.48beta12? To my findings the behavior did not change.

eworm

Everybody who visited a MUM knows these: the cloud shaped Mikrotik stickers.
Is the cloud shaped Mikrotik logo available, preferably as SVG file? I've searched designs.mikrotik.com and Google, but could not find anything.
Please share if you have it.

eworm

Looks like you have a number of packages on our flash storage. Clean these, then try again.

eworm

*) dns - do not use DoH for local queries when a server is specified; This is about forwarding? Looks like queries are still sent via DoH for me. *) dns - do not use type "A" for static entries with unspecified type; I do not understand that one... How could type be "A" and unspecified at the same ...

eworm

msatter Do you have custom set of packages installed and wireless package is not installed?

Correct. My system has system, dhcp, advanced-tools & security installed. Opened SUP-21264 with support output.

eworm

I wonder what's the real advantage of running my router with ondemand scheduler?

It saves power and runs less hot.

eworm

Now non-wireless devices have issues with the default configuration script:

system;error;critical;13328;39528;13328 error while running customized default configuration script: expected end of command (line 1310 column 53)

This is on RB750GL.

eworm

No idea what you code is supposed to do. Do you want to toggle the interface without my scripts? Use something like this then: :if ([ / caps-man interface get cap1 disabled ] = true) do={ :log info "Enabling..."; / caps-man interface enable cap1; } else={ :log info "Disabling..."; / caps-man interfa...

eworm

Using my scripts add something like this in configuration: :global ModeButton { 1="/ caps-man interface disable [ find ];"; 2="/ caps-man interface enable [ find ];"; } With one press all interfaces are disabled, with two presses interfaces are enabled. Is that what you want? Of course you could scr...

eworm

Version 6.45.1 had this in change log:

*) sms - allow specifying multiple "allowed-number" values;

So it should be possible. Never used it myself, though.

eworm

I have this stored as a script on my devices: :put ([ / tool fetch http-header-field="User-Agent: Mozilla/4.0" "https://api.nordvpn.com/v1/servers/recommendations\?limit=3" output=user as-value ]->"data"); Then from a linux host: % ssh mikrotik / system script run nordvpn-recommendations | jq --raw-...

eworm

I've seen this myself... Just switched to another server that is currently recommended.

eworm

This is part of my RouterOS Scripts collection. You can make the device act on multiple presses on mode or reset button. The default is one press to toggle dark mode, two presses for a "Hello World" notification, three presses for shutdown, ... But you can make it do what ever you want.

eworm

Would you consider this to be useful?
Mode botton with multiple presses

eworm

It would be like asking MikroTik to make QUIC available. It is already available. Well, RouterOS can be client as well, so for example fetch command could benefit. It's not a big win there, though. But DoH over QUIC or HTTPS/3 could be worth adding one day... No idea if there are endpoints supporti...

eworm

Your port is member of a bridge. Put the dhcp client on the bridge.

eworm

As said before a message has to match all topics given in a rule. So you can use something like this... /system logging add action=remote topics=info,dhcp ... to match all messages that have topic info and dhcp . But there is no message that has topics error and info at the same time. So a rule like...

eworm

No, this is not a bug. Why do you think so?

eworm

Rules: topics=info,error,critical,system,event,warning,script,wireless,dhcp,ipsec prefix="" action=remote A message has to contain all topics to match. That's an impossible combination, even info and error are exclusive to each other. Try this: /system logging add action=remote topics=info add acti...

eworm

Please give

/ip firewall filter export

so we can have a look.

There's no (new) breakage in scripting I know of.

eworm

Possibly missing the escape for question mark?

eworm

I think you see the mismatch only if session key is about to expire and rekeying fails. So did you test for more than just session startup?

eworm

Sure, everything is possible... Run / system script export; to see what the code inside an rsc file should look. To turn an uploaded file into a script: / system script add name=new-script source=[ /file get uploaded-script-file contents ]; You may want to take a look at my signature for an idea wha...

eworm

RouterOS supports bitwise operations, so you can calculate IP addresses like this, for example get the first octet:

:put (192.168.10.0 & 255.0.0.0)
192.0.0.0

Possibly useful to shorten your functions even further.

eworm

Does this work for ipv6?

You could try this address:

https://[2606:4700:4700::1111]/dns-query

But others reported it does not. Have not tried it myself.

eworm

It expires nov/10/2031 02:00:00, that's more than 595 weeks from now.

eworm

Looks like anybody uploaded all available extra packages to the device to upgrade...
Should be easy to recover with netinstall. Not sure if there is another way... Probably not if you can not uninstall unwanted packages.

eworm

What packages are installed? Did you import certificates?

eworm

I think dns cache goes to RAM and does not cause flash writes...

eworm

This should do:

:foreach i in=[find] do={set $i address=192.168.20.2/32}
or since its just one IP and no subnet:
:foreach i in=[find] do={set $i address=192.168.20.2}

Why do you run this in a loop? Just set the value for all at a time:

set [ find ] address=192.168.20.2;

eworm

Yes, except that you do not need to update. Just a reboot is sufficient.

eworm

To solve this issue First you have to change your Wireless Interface(s) name to the pre-set. wlan1,wlan2,wlan3.... And finally you must Reboot your device, after this your problem will be solved forever And after that you can personalize and change their name. That does the trick, thanks a lot for ...

eworm

It would be nice when it first checked for exact matches of static records before it tried the regexp.

Exactly what I described above with my issue. So +1!

eworm

To get DoH working I need to use all 3 certificate from dns.google

Depends on whether or not the server ships the intermediate certificate. Then looks like Google server does not.

eworm

What's new in 7.0beta7 (2020-Jun-3 16:31):
[...]
!) enabled BGP support with multicore peer processing (CLI only);
!) enabled RPKI support (CLI only);
[...]

eworm

What's new in 7.0beta7 (2020-Jun-3 16:31):
[...]
!) enabled BGP support with multicore peer processing (CLI only);
!) enabled RPKI support (CLI only);
[...]

eworm

Just want to share to all people, if you want to verify the DoH server, you can go to https://1.1.1.1/dns-query using the web browser and download the the 3 certificates from the server site. Only two certificates are required, use the two with "DigiCert" in name. The "cloudflare-dns.com" certifica...

eworm

Just found another hiccup with DNS and DoH... Let's assume I have a domain eworm.de (I do! :D ), which has A and AAAA records. My router has a record router.eworm.de , using *.router.eworm.de as local zone: /ip dns static add address=10.0.0.1 name=router.eworm.de add address=10.0.0.10 name=host.rout...

eworm

It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests. (If you want to test it, remember to flush cache before every request) I brought this topic up for beta and rc releases... ...

eworm

BTW, is this log message related?

system;error;critical error while running customized default configuration script: no such item

eworm

Several of my devices show this as well.
With reset you reference

/system reset-configuration

?
Will this be fixed in a future version without reset?

eworm

I do not see anything wrong with that call. Perhaps it's a race condition because resolving is not yet available? You can try to catch runtime error: :local ipddns; :do { :set ipddns [:resolve $ddnsbase]; } on-error={ :log warning "Resolving failed."; } Or try to wait... :local ipddns ""; :while ($i...

eworm

That's awesome! What a snug fit. Does the PD source always rise to 20V? I don't own a wAP... yet, but this definitely makes me want one. You can configure the voltage (or voltage range with preference) your PD buddy delivers. It also depends on your power source, some do not support 20V... The PD b...

eworm

Set the Mikrotik to use a DNS other than piehole... Like 8.8.8.8, 1.1.1.1. Then in your DHCP server... Set the DNS value under network to be piehole, Mikrotik. If piehole doesn't work... The client will ask the Mikrotik. That does not work. The client will use piehole and Mikrotik simultaneously.

eworm

I guess that would result in a lot of locked devices. So bad idea.
Unless your first rule is to allow administrative access you would no longer be able to log in to your device.

eworm

RouterOS can import keys in PEM format only. Convert the key and you are fine.

eworm

The firewall has a lot of attributes to filter on:

/ip firewall filter add protocol=tcp connection-state=new ...

eworm

I use a power bank with USB-C power delivery output. Combine that with a PD Buddy Sink and you are done.

The PD Buddy Sink even fits into a wAP (LTE) case - resulting in a powerful mobile access point.

photo_2020-05-27_22-53-20.jpg

eworm

Setting attributes for static DNS records changes other attributes unintentionally: [admin@mt] /ip dns static> add forward-to=10.0.0.1 regexp="example.com" type=FWD [admin@mt] /ip dns static> set regexp="example\\.com\$" [ find where regexp="example.com" ] [admin@mt] /ip dns static> export [...] add...

eworm

I did fear the same, but looks like everything still works as expected.
Not sure what this change is supposed to do.

eworm

+1. I'd like to forward internal zones via VPN to an organization DNS and all the rest - to 1.1.1.1 via DoH

Exactly my use case.
Two great now features - would be frustrating to have to choose between them.

eworm

This is not supposed in 6.46.6. You have to use 6.47 for that feature.

eworm

eworm Currently DoH will be prioritized over all other DNS configuration. Not sure if this will change any time soon.

In general this makes sense. But I vote for an excepting with conditional forwarding of DNS queries.

eworm

On boot system logs:

system;error;critical error while running customized default configuration script: no such item

Is this expected? (If it is I would like to see the severity reduced. "error" and "critical" raise alerts here.)

eworm

This has... *) dns - added support for multiple type static entries; ... but is missing from 6.47beta60... *) dns - added support for forwarding DNS queries of static entries to specific server (CLI only); This can still be configured, but still does not work when DNS over HTTPS is enabled. I would ...

eworm

Interesting device...

Also nice to see that more devices are equipped with ARM 64bit CPUs (just like new CCR).

eworm

I do not, and here is why:
If you have complex code depending on relative paths it tends to break if you move fragments of code up or down.

eworm

IMHO it is very intuitive if you are used to it. Scripting is one of the reasons I do love RouterOS.

eworm

No setting, it will just work.

eworm

The command print is (mostly) for terminal output.

Does something like this work for you?

:foreach i in=[ /interface bridge host find ] do={ :put [ /interface bridge host get $i ]; }

BTW, why do you expect everything to be a bug?

eworm

You initialize the variable inside a block, thus it's not visible outside. But it's a global variable :-) Sure, it is. But even global variables are accessible only... ... when used directly from command line (without block!) or... ... when initialized properly. So when ever you want to access $gAr...

eworm

The RB750UPr2 does passive POE only, so your 802.3af devices will not receive power, even if the power supply matches your voltage requirements. I guess you have to go with one of these: https://mikrotik.com/product/crs112_8p_4s_in (requires additional power supply for 48V!) https://mikrotik.com/pro...

eworm

I guess you have to do some urlencoding for your sms message...

If you want a working solution have a look at this:
RouterOS Scripts - Forward received SMS
This requires the installation of global scripts on top, see main README.

eworm

Not sure I got this right, but looks like you have a nested url inside url? Try to urlencode the characters there, specifically replace '&' with '%26'.

eworm

You initialize the variable inside a block, thus it's not visible outside.

eworm

No progress, no reaction on ed25519 keys from Mikrotik.

eworm

Good question... Wondering myself.
Time for a new release anyway, the last one is three weeks old already.

eworm

Most of your packets go fast path, missing the IPSec tunnel. Make sure all your IPSec traffic does not go fast path.

eworm

I solved this with a backup script that sends notification via e-mail and/or Telegram message including the secret download key. Just look up your mailbox and you are fine.

You need the basic installation and this script:
routeros-scripts - Upload backup to Mikrotik cloud

eworm

I guess the build process for arm64 works, but the release process has been enabled just before recent long term release.
Be patient and wait for the next testing and stable releases, I think they will include arm64 builds.

eworm

I guess the release process had not been prepared. Expect version 6.46.7 to have arm64 build...

eworm

There is information when the DoH function will go from beta to release?

When version 6.47 is released to stable channel. There's no date for that, though.

eworm

I guess the device's CPU is the limiting factor here.

eworm

You can't do that. You have either local wireless configuration or device is connected to capsman. Both is not possible, at least not with a single band device.
You could use wAP ac (or similar dual band device), connect 2.4GHz to hotel wifi und use 5GHz for your SSID via capsman.

eworm

Internal builds with wireguard support are rumored to exist.
Search the v7 section for details.

eworm

Do you have more information about that Annapurna AL32400? E.g. how many cores?

It has four cores. See here for details of CCR2004:
https://mikrotik.com/product/ccr2004_1g_12s_2xs

eworm

Why you don't fix OSPF ?

Possibly because they could not reproduce. Did you open a support ticket?

eworm

Sure, just configure it properly:

/ip dns set verify-doh-cert=yes

eworm

Im currently testing DoH on my HAP Lite, which is working great. But I have few questions. I got some Dynamic NS Servers supplied by my ISP and thus they are automatically added to Mikrotik DNS server list (read-only). I also put some static NS records (e.g dns.cloudflare 1.1.1.1) as Static list. S...

eworm

The scheduler is perfectly reliable in my experience. Note that a script (and thus scheduler) is stopped on first error, though. Possibly your scripts terminate with error?

eworm

This is available now in RouterOS 6.47beta60!

eworm

That is a chicken and egg problem. Neither chicken nor egg is involved. Let's assume I add something like this: /ip dns static add forward-to=10.0.0.1 regexp="(.*\\.)\?example\\.com" type=FWD This will make all requests for example.com and its subdomains go to nameserver 10.0.0.1 . Works find, but ...

eworm

Version 6.47beta60 has reset my settings for mode button.

eworm

Yes! Mikrotik, you made my day!

One thing, though: Looks like DNS forwarding does not work if DoH configuration is active. I think the forwarding should have priority over DoH.

eworm

I think a CCR1009 should be capable of doing this... Are you really using packet marking? Why not mark connection?

Have a look a profiling to see what process uses the cpu most:

/tool profile

eworm

Works for me... Checked on two CAPsMAN devices (CCR & RB3011) with 6.46.5.

eworm

Sounds like you want a routing protocol. Ever thought about ospf or similar?

eworm

Yes, that's true in general and for Cloudflare. But google does not allow to use https://8.8.8.8/dns-query directly. It sends a redirect in HTTP header to https://dns.google/dns-query. Well, checking again... It does send a redirect, but the dns response is contained as well... % curl -I 'https://8....

eworm

For me it works. Do you have IPv6 disabled (or not installed at all)?

eworm

Yes, I know that. I have configured NTP on all my devices. Still I have a script that requires the time to be "about right" at least (so cloud is fine) - and this script should work on as many devices as possible with whatever configuration. I would still appreciate to have detailed information on t...

eworm

Hello everybody, with Mikrotik's cloud service it's possible to disable dynamic dns update, but enable time update: /ip cloud set ddns-enabled=no update-time=yes Not sure if this is a valid configuration, so: Does the device update the time if dynamic dns is disabled? Can I check if time has been up...

eworm

The file you linked includes the certificates required for google services, no?
So my commands were intended on top of yours.

I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?

eworm

Uh, google does a redirect there... So use this:

/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

eworm

Do the same, but with different url: https://8.8.8.8/dns-query

eworm

Anyone know how to do arithmetic with ipv6?

e.g. :put (fe80::0 + = fe80::8

Rich

Does it help in your use case if you use bitwise operator?

[admin@MikroTik] > :put (fe80::0 | ::8) 
fe80::8

eworm

You should get an idea about the ssh protocol in general and host keys specifically.
https://www.ssh.com/ssh/host-key

In "/ip ssh" you can export, import and regenerate host keys.

eworm

So why don't you use ssh to access routers? mactelnet has one single function which ssh doesn't: connectivity over MAC, which comes handy when IP setup gets south. But hopefully that's not very often and I (being a linux/console nerd myself) resort to using winbox in such case (runs under linux / w...

eworm

A "refused to connect" is unrelated to the certificate. Make sure the service is enabled and the firewall does not block it. I think "Webfig" is short for "Webconfig", no? The https certificate is used to authenticate the host, a valid certificate is verified by trust chain to root CAs in your brows...

eworm

It is maintained, but not all details about authentication are available. Read this for details:
https://github.com/haakonnessjoen/MAC-Telnet/issues/42

eworm

No, but you can add an additional system note.
https://wiki.mikrotik.com/wiki/Manual:System/Note

eworm

Configuration in /certificate and /user is (partly) skipped.

eworm

My first guess was the trust chain is not complete, but looks like your made sure this is ok. Perhaps Android wants to access the CRL url? Try adding that to your hotspot (replacing with correct hotspot server name): /ip hotspot walled-garden ip add action=accept disabled=no dst-address=ocsp.int-x3....

eworm

Looks like v016 has been withdrawn... No idea if this was the reason.

Mikrotik, any info on that?
Wondering if my devices (successfully) running v016 are at risk in whatever way.

eworm

I got confused a bit please elaborate to me.. If I set the RouterOS to act as DoH client to a server (Google/Cloudflare), how do they know the first time to address of google/cloudflare without first querying via regular DNS server? Two ways to solve this: configure a regular DNS server use an url ...

eworm

*) certificate - added "skid" and "akid" values for detailed print;

This looks like SHA1 key ids. Can you give more details?

skid = signing key id?

eworm

Let me clarify some things. There is a project WIFI4EU that demands a specific image to be dynamically displayed on the captive portal the snippet code is the following: <img id="wifi4eulogo" class="identity-image" src="https://collection.wifi4eu.ec.europa.eu/media/logo/Wifi4EU-EL.svg"> Unfortunate...

eworm

Then it's indeed unexpected behavior. Probably nobody here can help any further, contact support if this bothers you.

eworm

Well, ok... Did not try to guess the correct name. Just "remote-id" is not available.

You can get that info from $"lease-options". With ($"lease-options"->"82") you get both infos from option 82, surrounded by some binary bits. Looks like you have to parse that yourself.

eworm

of course i'm pinging wireless client. from my laptop

And your laptop is connected to the same CAP wirelessly?

eworm

AFAIK this setting only handles wireless client to wireless client.
Your echo request comes from the wired side of CAP?

eworm

Have a look at Local Forwarding Mode and Manager Forwarding Mode.

Probably you want to control client-to-client forwarding on capsman?

eworm

This setting controls whether or not to tunnel traffic to the capsman device.
Any reason why a ping to a client should not succeed?

eworm

IMHO the DoH logs have too high severity. I've configured my devices to forward error logs via e-mail. Now I get... ... on boot, probably because I have ipsec peers with dns name in address: dns,error: DoH connection error: Network is unreachable ... and every now and then: dns,error: DoH connection...

eworm

I think Mikrotik does not even support dns peers pushed via openvpn, no?
Are you sure this is not just your dhcp client adding the dynamic servers?

eworm

At the moment I have a 30 line script to ensure only 1 DHCP lease can be active per Remote-ID at a time, the newest lease clears all other entries that have the same Remote-ID (potential issue if a client plugged a switch into their WAN connection instead of a router) but there's currently a bug in...

eworm

Nothing wrong, ed25519 is not supported.

eworm

That's the link I know:
https://help.mikrotik.com/servicedesk/customer/portal/1

eworm

When you import the cert int RouterOS you should have 3 entries.
DigiCert Global Root CA
DigiCert ECC Secure Server CA
cloudflare-dns.com

Last one is server certificate and not required in certificate store.

eworm

My test device was set up to use crl, but to not download crl:

/ certificate settings crl-download=no crl-use=yes

That results in flooding the log:

dns,error DoH connection error: SSL: handshake failed: unable to get certificate CRL (6)

eworm

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the the ip address into the certificate. yeah it's worked without Verify DoH Certificate :) and where can we get cloudflare certificate file to importing in router ? If you trust my repository get it here: https://git.eworm.de/cg...

eworm

As others are saying. The router does not know what dns.nextdns.io is. Add at least a single regular DNS server which will be used for DoH servers name resolving. Adding a static DNS entry should also suffice. Are DoH servers prioritized? When does it fall back to regular dns servers? Oh, and is it...

eworm

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the the ip address into the certificate.

Same for quad-nine:

https://9.9.9.9/dns-query (secured)
https://9.9.9.10/dns-query (unsecured)

eworm

You could try "https://1.1.1.1/dns-query" - Cloudflare managed to get the the ip address into the certificate.

eworm

Enable DNS logs, it should provide all necessary information for troubleshooting. I tested the DoH implementation with various publicly available servers and could not find any issues. If there are any, please let us know. /system logging add topics=dns tested with public DoH server but nothing doh...

eworm

Try setting https://10.5.51.5 as the server.
thanks for reply now it's verified but could not resolve any dns name
How can it verify only by a IP address?

Certificates can have subject alternative name with ip address.

eworm

I use this for years now, but on a Mikrotik router device. Not 100% sure for AP's, do not have one to test with.

This is true for every device running RouterOS, except CHR without license.

eworm

HAP AC2 with 802.3af poe-input support (as cap ac does) And at least one pass-through poe-out port please. cAP ac? Almost the same hardware (well, without USB and with only 2 Ethernet ports), but with 802.3af/at and PoE pass-through. And has already been available for a while... We could define the...

Search found 683 matches