MikroTik

eworm

This indicates you selected a certificate without private key.

eworm

1. How do you know that this attribute changes on this version? 2. where is the documentation for read it about the changes that affect to the attribute on the new RouterOS version? Just get the column name from CLI, Winbox, Webfig, ... I do not think that the changes are documented. Whenever somet...

eworm

The problem is that /ip dns cache does no longer have an attribute "address", it was renamed to "data".
So replace that in the line where tmpAddress is assigned.

eworm

For me scripting works just fine. Can you be more precise what you think does not (or no longer) work?

eworm

export hanging is a huge problem to evaluate 7.xy beta

IMHO first priority should be fixing export issue

Full ACK! I do not even consider testing before this is fixed.

eworm

Wouldn't matter if MikroTik configured their domain host/CDN correctly like this:

No. There's nothing Mikrotik can do on their servers. If the attacker is successful no request will ever reach Mikrotik's servers.

eworm

BTW, the copyright needs to be updated for 2021... It still reads: MikroTik RouterOS 6.48.1 (c) 1999-2020 http://www.mikrotik.com/ (And when you are at it... How about changing the url to https?) They have enabled HTTPS overwrite on their domain, technically it wouldn't matter. But you'd expect a &...

eworm

BTW, the copyright needs to be updated for 2021... It still reads:

MikroTik RouterOS 6.48.1 (c) 1999-2020       http://www.mikrotik.com/

(And when you are at it... How about changing the url to https?)

eworm

*) api - added support for REST API;

With this being added... How about a JSON parser within RouterOS? This would allow one device to call another device's REST API.

eworm

Looks like export still hangs...

eworm

Same here, rock solid on all my devices: [admin@himalia] > :foreach Device in=[ /ip neighbor find where !(version="") ] do={ :put [ /ip neighbor get $Device uptime ]; } 5w5d03:40:30 5w5d03:40:30 5w5d02:35:32 5w5d02:35:39 5w5d03:32:51 5w5d03:33:36 5w5d03:37:38 5w5d03:37:49 5w5d03:37:52 5w5d...

eworm

At least two of them died for me the last years. But as most devices are powered via POE I have some spare ones.
The power supplies are less reliable than the devices itself, definitely.

eworm

Socks is for proxying:
https://wiki.mikrotik.com/wiki/Manual:IP/SOCKS

eworm

Yes, you are missing a command. 😜

The fourth line should look something like this:

:if ([/ip firewall nat get [find comment="DNS - Redirect all DNS requests to pihole"] disabled] = false) do={

eworm

Eworm, I apologise if you have already written the solution somewhere on your website, I rarely open external links on public forums. I didn't mean to disrespect anyone. :) I have a collection of script, one of them does what plisken wants - and a lot more. But it is complex and depends on other sc...

eworm

I do not understand why you do not test or even consider using my scripts.
What's wrong there?

eworm

BTW, this also can send notification to via Telegram. I have messages about temperature alert and recovery in my history, looks like this:

Screenshot_2021-01-21_22-12-50.png

eworm

Well, as for PSU state... You could use my script for this as well.
Notify about health state

Still you need the base installation, follow main README for this.

eworm

The software dnsmasq is not used in RouterOS, so no.

eworm

A file name containing just a dot represents the current directory. So you create the directory and try to overwrite it with a file... This results in an error:

  status: failed

failure: cannot open file

With your code you have to catch and ignore the error.
I prefer my clean solution. 😜

eworm

The problem was solved... So what exactly is your problem?

eworm

This is fully functional if you do the base installation to meed the requirements. 😜

eworm

If you are really interested... This is the script source:
https://git.eworm.de/cgit/routeros-scri ... eck-health

But as said... It will not work on its own and has dependencies to other scripts.

eworm

Showing the script source would not help... It depends on other scripts.
As said... Follow the main README, then install the wanted script.

eworm

You can try my script:
Notify about health state
This requires the base installation, see main README.

eworm

reviewed all this, found some problems, where people was wrong setup and using default proposals, and still no answer - in my case PFS group and proposals are setuped correctly, on both sides. If on both sides in proposals PFS group is 2048 and lifetime 30, is it a mistake? Search this thread for p...

eworm

Yes, it works. But keep in mind that you have to disable DoH (DNS over HTTPS) for this!

eworm

Best is to open a support ticket with the complains. I did not for 6.47 - in hope anything happens with the details in release thread... Will open a ticket myself soon. I had thought about an extra Raspberry Pi for DNS... But that would be a share for Mikrotik routers. Also this is not an option for...

eworm

It seems static DNS records of type FWD are ignored once a DoH server is added. Is this a design decision or a bug? If this is not going to change, we'll never be able to use it, because we need conditional forwarding. It has been this way since DoH has been introduced in 6.47 - see older release t...

eworm

You can not. The device's serial number is used in dynamic DNS name.

If you want a name that does not change on new hardware use a CNAME:
my-static-name.example.com -> serial.sn.mynetname.com.

If you can not reconfigure the clients it is too late, though...

eworm

Wondering if your solution is over-complicated... How about something like this? :while ([ :len [ / interface detect-internet state find where state=internet ] ] = 0) do={ :delay 200ms; } # your follow-up code here... If you really have to check for the interface just add name="ether8-gateway&q...

eworm

With :local inside the loop you limit the scope of the variable. Initialize it before, then use :set inside loop.

Will have to check this on real hardware, currently typing on my mobile.

eworm

Once entered the script will never leave the loop as neither $waniface nor $wangateway is modified inside.

Please keep in mind that internet detect feature can cause lot of trouble. I would recommend not to use it.

eworm

The script is run when the interface is not yet available. Just add a delay.

eworm

/ip firewall connection remove [find where reply-dst-address~"1.2.3.4"] This will also remove connections for addresses 11.2.3.4 and 1.2.3.44 ... Better match beginning and end of the address when using regular expressions: /ip firewall connection remove [ find where reply-dst-address~&qu...

eworm

You need a dedicated client certificate for every device.

eworm

Please help if you experiencing similar issues as I have no idea where to even start troubleshooting.

Have a look above, IPSec issues have been discussed before.

eworm

Thats odd - I've got pfs set in phase 2 and the IKEv2 tunnel establishes correctly:

Yes, they establish correctly. But do they rekey without issue? Have a look at your log...

eworm

See this and the following posts from emils about the details:
viewtopic.php?f=2&t=147769#p740153

eworm

Yes, that's what should be set to none IMHO.
Look at first line, dh-group=modp4096 is used for dh in phase 1 and for PFS in phase 2.

eworm

Now on rekey childs mikrotik send and want proposals without pfs despite pfs-group=ecp521 configured. Similar issue has Windows 7 time ago. With IKEv2 the pfs group is inherited from phase 1, have a look at dh group in profiles. Perfect forward secret should be used even if set to none in proposals...

eworm

Ah, did not know it is documented... Found it the hard way myself. 😆

eworm

Let's have a looks:

[admin@mikrotik] > :put (192.168.0.1-192.168.0.254)
4294967043

The addresses are subtracted, so your original command evaluated to:

[admin@mikrotik] > :put (192.168.0.1 in 4294967043) 
false

Wondering if bitwise operators could help...

eworm

You should use curly brackets, not square brackets. So correct code:

{ :local myVar; :set myVar "my value"; :log info $myVar; }

eworm

This looks over complicated... How about this: :global showPoeST do={ :foreach Interface in=[ / interface ethernet poe find ] do={ :local IntVal [ / interface ethernet poe monitor $Interface as-value once ]; :put ($IntVal->"name" . " -> " . $IntVal->"poe-out-status"); }...

eworm

But next two find 1.0.0.0 in all address lists, so there's some problem with list=$list. But what could it be? Have a look at this commit, it explains the issue: https://git.eworm.de/cgit/routeros-scripts/commit/?id=870f00bb36f5af3088344371764da48bbde9651a Short conclusion: You are safe if your var...

eworm

Regarding the topic... LHGG is not ARM64 but ARM, no?

eworm

Also all free disk space is gone. Right after update it showed 8kB free, then I deleted two autosupouts to get at least something, but instead ended with nothing: free-hdd-space: 0 total-hdd-space: 59.5MiB The CHR images have been 128MB in size for a really long time now. Possibly this is a very ol...

eworm

Looks like my wireguard tunnel is down after update... Did not check the details, will have to investigate later.

The peer's endpoint-port was set to 0. After setting the correct port everything is back up now.

eworm

Looks like my wireguard tunnel is down after update... Did not check the details, will have to investigate later.

eworm

Damn, I've typed this from a mobile without checking... You are right, it does not work. Sorry for the confusion. To go into detail... [admin@MikroTik] > :global z; [admin@MikroTik] > :put [ :typeof $z ] nothing [admin@MikroTik] > :put [ :typeof [] ] nil There's a difference between "nothing&qu...

eworm

Certificates that do not change are untouched. Have a look at the import output, it should give some numbers.

eworm

No need to remove all certificates... You could just remove the expired ones to clean up.

/certificate remove [ find where authority expired ];

eworm

Oh, is this a winbox issue? I testen via cli (SSH), not winbox.

eworm

Health works on all devices I checked, including these reported with issues before by others:

CCR1036-8G-2S+
CRS328-24P-4S+

eworm

RBD52G-5HacD2HnD (HAP AC2) does not have health information. It just does not have hardware sensors.

eworm

You should never ever use index numbers in scripts. These are just temporary and refer to the last print.
To remove all certificates use this:

/certificate remove [ find ];

eworm

Because your variable is nothing, but you check for an empty string. That's something different. Try this:

:global z; 
:if ($z=[]) do={:put "hello world";}

eworm

I think this is a known problem with TILE, have seen other reports before.
(I do not have beta3, so I can not check there.)

Oh, ignore this post... CCR2004 is ARM64, not TILE.

eworm

I think this is a known problem with TILE, have seen other reports before.
(I do not have beta3, so I can not check there.)

eworm

Ah, you are right, it did not work back in 2016.
What I described requires fetching to variable, that was introduced with RouterOS 6.43 in late 2018.

eworm

Your problem is fasttrack. Make sure the connections to your vpn are not fasttracked and you are fine.
Search the forum with that keyword, you should find enough information.

eworm

Here is where you just kicked the can down the road. The running script can't compare the two script files for same or different because of the variable size limitation -- precisely my original complaint. Please read my post again. The limitation is not the variable size - it is just the reading fr...

eworm

But you do not have to manually remove and add the address list entry, no?
So wondering why mutluit has to.

eworm

That said I gave it a try myself... Looks like RouterOS actually does update the address list entry when ttl expires: /ip firewall address-list add address=et-contents.s3.eu-west-1.amazonaws.com list=test /ip firewall address-list print interval=5s follow where comment="et-contents.s3.eu-west-1...

eworm

The problem with the address list is that it stores the IP, whereas for my use-case it would suffice if it would operate on domain name only. Somehow... This is an address list, it operates on addresses. Creating dynamic address list entries from domain names is a convenient feature, but it is not ...

eworm

There's no need to blame DNS server in RouterOS - that works as expected and is completely unrelated to your problem.
The address list is something completely different, and it can not be use (reliably) the way you expect it.

eworm

And I'm stuck with the conclusion that there is absolutely no other way to do what it is I needed to do. Sure there is. 😜 The only limitation is for file size. This does not apply for script size ( /system script ) for example. So fetch your script to a variable, then store it as script ( /system s...

eworm

Returning the value and leaving the function is the behavior for every language. Everything else does not make sense: What would you return if the function continues and a second return is executed. How to leave the function early? A beter naming for return would then be exit No, return is to return...

eworm

But that is how things work. What do you think this should work like?

eworm

Or for details on that specific domain: [admin@MikroTik] > /ip dns cache print where name="consent.youtube.com" Flags: S - static # NAME TYPE DATA TTL 0 consent... A 172.217.17.142 3m8s Note that TTL here is the actual time remaining in cache, not what the upstream server gave.

eworm

The domain has a time to live (ttl) of 299 seconds. RouterOS caches the record for this time, see / ip dns cache.
This is correct behavior and should not be changed.

eworm

https://en.wikipedia.org/wiki/Internati ... omain_name
https://de.wikipedia.org/wiki/Internati ... Domainname

eworm

You have to use IDN encoding. Try this: xn--allestrungen-9ib.de

eworm

Looks like I bought my LHG LTE6 kit too early... 😝

I had hoped for something like the new wAP ac. But looks like it is missing a POE out or pass through option on the second ethernet port, no? I would like to mount it next to the LHG LTE6 and power that - with just one ethernet cable up to the mast.

eworm

Regarding your post in general section it should... So try this: :foreach Active in=[ / ppp active find ] do={ :local ActiveVal [ / ppp active get $Active ]; :if ([ :len [ / ip address find where address=($ActiveVal->"address" . "/32") dynamic ] ] = 0) do={ / ppp active remove $A...

eworm

Yes, all connections are killed because addresses are listed with netmask in / ip address . Given that line: # NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING 0 xxxxxxxxx... pppoe 00:27:22:24:14:XX 192.168.169.182 10h53... Would this print the matching ip address entry? /ip address print where addres...

eworm

I do not have a PPPoE access concentrator around, but something like this could work: :foreach Active in=[ / ppp active find ] do={ :local ActiveVal [ / ppp active get $Active ]; :if ([ :len [ / ip address find where address=($ActiveVal->"address") dynamic ] ] = 0) do={ / ppp active remove...

eworm

Now these commands are to be used in scripts run by the scheduler - will that be run with the account of the script owner?

Yes.

eworm

So it's not the user "remote" here?
Import your private key for the standard company-wide admin account, not "remote".

eworm

The local device running

/sys ssh-exec ...

- what user is running this?

eworm

Please show your available keys on both sides:

/user ssh-keys print
/user ssh-keys private print

eworm

Glad it works for you. Can't be that wrong then. For me it is not locally/manually installed as I built an Arch Linux package for it. 😜 But I get your point. I think I will polish this a bit and push it to github... The path will be configurable at compile-time only, as granting privileges for a run...

eworm

Netinstall was reported to run on Linux when started as user root. I've never tried - I think starting wine, which is required, as root is a bad idea. With a detailed look the problem seems simple: Netinstall needs to bind to a privileged port, that is port 69 for tftp. All it needs is a special cap...

eworm

I've been struggling with this as well. Looks like netinstall fails to send a reply if the linux host does not have a default route set. After setting a default route everything works just fine.

eworm

Recently lost my crystal ball...
What does your script look like?

eworm

After upgrade from 6.46.3 to 6.47.6 I have error: error while running customized default configuration script: expected end of command (line 1337 column 53) This is a known issue when wireless package is disabled, but nothing to worry about. The default configuration script is an internal one that ...

eworm

Are you speaking about 6.47.5? That was run in Mikrotik labs only, but was never released to the public - probably due to issues.

eworm

Same thing happens with international characters, e.g. you can add ěščřžýáíé.example.net, which you might expect to be internally translated to punycode version xn--1caql6dzd0drw5bzo.example.net, because why else would RouterOS accept it, right? But it doesn't happen, it will store exactly what you...

eworm

There's no impact, just an annoying error message.

eworm

The color indicates POE output type. IIRC green is for passive POE and red is for 802.3af/at.
This is not related to the link.

eworm

This is a know issue from early 6.48 beta releases... It happens on devices without wireless package.
No idea why they backported the issue but skipped the fix...

eworm

This is now suffering the log messages on default configuration script we had in testing before:

system;error;critical error while running customized default configuration script: expected end of command (line 1337 column 53)

This happens without wireless package only.

eworm

I think my script log-forward could serve your needs... Though it does not only notify about failed login attempts but everything interesting - configurable with filters.
It depends on other scripts, see the main README on how to install this.

eworm

So a general remark: I think cases should remain browseable for the submitter, even after they have been closed by MikroTik.

I am pretty sure they are. Log in to the support portal and see your closed cases.

eworm

ok, I already found it.: /put [ip firewall filter get number=1 disabled] You should never use index in scripts, that will break! Instead find the correct rule with whatever criteria it has, for example giving it the comment "first": :put [ /ip firewall filter get [ find where comment=&quo...

eworm

Sure it does. In this example you should add quotes I guess...

eworm

Your variable is declared too late. It is valid inside the blocks only. Try this:

:global xc;
:if ([ /ping 192.168.5.54 size=28 interval=30ms count=1 ] = 0) do={
  :set xc 20;
} else={
  :set xc 50;
}
:log warning $xc;

eworm

Use this: # we are not interested in output, but print is # required to fetch information from cloud / system backup cloud print as-value; / system backup cloud upload-file action=create-and-upload password=$BackupPassword replace=[ get ([ find ]->0) name ]; If you want this to be fully automated an...

eworm

My editor of choice is vis - a modern, legacy free, simple yet efficient vim-like editor.
I added a RouterOS script lexer, that is now available in git master.

eworm

Does this have to be associated to the vpn disconnect and (re-)connect? I have a script netwatch-notify that does monitor ip addresses via netwatch. It has a simple state machine to ignore a (configurable) number of failed attempts. (You have to install the base scripts for this to work, see main RE...

eworm

The path set in /tool fetch url=... is rather absolute path from server's root (not from users home directory). That depends on the configuration. My sftp accounts are jailed into a chroot and limited to sftp only (with openssh's sftp-server). So for me the path is relative to the chroot directory.

eworm

The path on your server exists? You need a subdirectory"ftp" with write permission.

eworm

Error shows up on 2 routers.

These are the only Mikrotik devices or does it work on others?

eworm

The error message indicates this is about key exchange algorithms , but following the log it was agreed on diffie-hellman-group-exchange-sha256 . In fact it was not agreed on the host key algorithms . Looks like both support rsa-sha2-256 , no idea why it is not used. BTW, ssh-dss and ssh-rsa are val...

eworm

Static entries do work, but behavior changed a bit. I've described the issue in v6.47 release thread.

In short:
Without DoH a single A record does cover everything. With DoH enabled it will check for AAAA record upstream.

eworm

It is just efficient!

Right you are. But it is important to shorten the quote to what you actually intend to quote, just as we both did.
Quoting a post including a quote, including a quote, including a quote .... does not add mutch value.
So I am all for quotes if done right.

eworm

What ssh client do you use? Can you give the exact error message?

A blind guess if everything else fails: regenerate your host keys:

/ip ssh regenerate-host-key

eworm

Perhaps my script dhcp-to-dns may be of interest... If I got you right it does what you want.
(It depends on more scripts, so see main README for installation.)

eworm

This is a known problem, look at the release threads.
Mikrotik did not (yet) react on this. No answers, no changes.

eworm

Any details on the temperatures before and after the mod?

eworm

Does it make a difference if you lower the mtu size on wireguard interfaces?
On Device B?

Yes, on device B and on your client. I think the mtu should match on both sides. No idea what happens if it does not.

eworm

Does it make a difference if you lower the mtu size on wireguard interfaces?

eworm

By the way what does this one mean. *) interface - added new builtin "static" interface list; This is a very interesting changelog item, one that has never been in a stable (or development) release. I find confusing that this comes to the long term release with barely no testing, has been...

eworm

It is part of a bigger collection and requires the base installation at least. See the main README for details. Configuration for e-mail and telegram goes to global configuration.

eworm

Is there are firewall rule that does source NAT just after destination NAT for the incoming packet? Possibly that confuses wireguard...
What interfaces are in interface list "WAN"?

eworm

You could can use my script for release notification:
Notify on LTE firmware upgrade

Of course this does not give a hint what changed.

eworm

It is not. But would be nice...
Missing this on some devices, including CCR1009 & mAP (lite). Would have to check all my devices for a complete list.

eworm

Not all devices support this... Try the following code to check: :if ([ :len [ /system routerboard mode-button print as-value ] ] > 0) do={ :put "Mode button supported."; } :if ([ :len [ /system routerboard reset-button print as-value ] ] > 0) do={ :put "Reset button supported.";...

eworm

Ah, I misread and misunderstood some details. So both peers are behind NAT, one is supposed to be reachable via destination NAT.
Never tried that with wireguard, no idea if this should work.

eworm

Ok, some questions here:

Why do you configure wireguard on device B, not device A?

What does the other side look like? Does it have a public address without NAT? If it does: Things should work without destination NAT if connection is initiated from device behind NAT.

eworm

But Wireguard with Mikrotik behind NAT is not a problem for me.
Share a secret )

I'm sorry, but there's no secret... Just works for me.
Show you configuration export, possibly there's something fishy.

/interface/wireguard/export hide-sensitive

eworm

Wireguard does not connect from Mikrotik behind NAT to a Linux server with a white IP.

What is a "white IP"?
But Wireguard with Mikrotik behind NAT is not a problem for me.

eworm

Not sure this is working ? The DoH server I'm using is https://doh.opendns.com/dns-query , and I see requests to 146.112.41.2 , but none to 2620:119:fc::2

I guess IPv4 is still preferred if a domain resolves with A and AAAA record. Try a domain that has just an AAAA record or use IPv6 address.

eworm

Wireguard endpoints are set and updated automatically on handshake. Huh. Are you sure that both of endpoint can be updated automatically? Nevertheless, I can't find any example of routeros setup with one of the peers is with endpoint (e.g. "client") and other is without ("server"...

eworm

Wireguard endpoints are set and updated automatically on handshake.

eworm

So I was going to send the link but thought better of it......... Instead try this www.google.com Are you nuts? I know how to use google and I know the link given by IPANetEngineer. My understanding was that the answer was about connecting to NordVPN via Wireguard, which is not handled by Rick Frey...

eworm

What manual are you speaking about? Can you give a link?

eworm

The Telegram Bot API documentation regarding sending files is here:
https://core.telegram.org/bots/api#sending-files

Not sure this works with fetch command... Probably not.

eworm

Answering myself... Looks like this is executing an empty command, which evaluates to "nil":

[admin@mt] > :put [ :typeof [] ]
nil

eworm

For the inversion you have to use parenthesis:

... where !(comment=[])

Really nice to have this... Is this documented anywhere?

eworm

Wait for RouterOS v8 for an answer on that. :D

eworm

This is by design. Peers are identified by their public key, changing the endpoint automatically makes it roam seamlessly.
If the peer changes its address the configuration should update again.

eworm

Ah, stupid me... Of course it's keepalive.

/ interface gre unset keepalive [ find ]

eworm

You have to unset the timeout for GRE interfaces:

/ interface gre unset timeout [ find ]

eworm

Testing on a RB951G (mipsbe with 600MHz single core) with a 100/40 MBit/s uplink: I could do 90/38 MBit/s through the tunnel - with bandwidth-test on the device itself. Pretty impressive given that IPSec barely does 20 MBit/s... So can't wait to see WireGuard in a stable version... I hope it does no...

eworm

NordVPN uses more than just a plain WireGuard connection... This is to make sure an individual can not be associated with public traffic.
I can not give any more detail, though... I would be interested to make this work as well.

eworm

Yes, I got that, and I second your request.
But for now only my method is available. ;)

eworm

Wireguard support cool thing, but where is an instruction how to use it?

Configuring wireguard is pretty straight forward. Just look at the options available.

eworm

No, it is not too hard. My scripts collection (see signature) has a function for that. Just run...

$DownloadPackage wireless

... and reboot to install the package. (The also supports downloading packages in other version or for different architecture, for example to use with capsman.)

eworm

btw.after install I see in log this :
system,error,critical,,, error while running customized default configuration script: expected end of command (line 1315 column 53)

Me too. Reported for 6.47beta12 as SUP-21264, just re-opened.

eworm

No... You can do something like this: :local PIHOLEHOST "pihole.example.com" :local PIHOLEHOSTIP [:resolve $PIHOLEHOST] :log info "PI-Hole script started... ($PIHOLEHOSTIP)" :if ([/ping $PIHOLEHOSTIP interval=1 count=1] = 1) do={ :log info "PI-Hole host is UP! (ping)" :...

eworm

I guess the script is terminated on error... Try to catch it:

:do {
  :resolve ...
} on-error={
  ...
}

eworm

send-initial-contact=yes is not an instruction to act as initiator; it actually means "replace any already existing connection from my IP address, irrespective of port, by this new one", so it is quite dangerous in some scenarios (multiple initiators coming to the responded from behind th...

eworm

Indeed... We are bored, give us something to play with!

eworm

IIRC the functionality was added in 6.46, the configuration option in 6.47.
Look up the changelog if you are interested in details.

eworm

Just disable dns in mode-config:

/ip ipsec mode-config set use-responder-dns=no NordVPN

eworm

Sadly there is no functionality to hook into interface events.
You could run a script via scheduler that checks link status for the ports in very short interval.

eworm

I have something very similar in my scripts collection: Mode button with multiple presses
I think it has some advantages and configuration goes to a central script.

eworm

Looks like there is a hard limit in RouterOS. Only Mikrotik can change that.
Open a support ticket if you want or need this to change.

eworm

Great! Looks like it is about as fast as IPSec...
At least on ARM. Wondering what numbers look like on mipsbe and tile.

eworm

This is your issue:

debug1: Skipping ssh-dss key id_dsa - not in PubkeyAcceptedKeyTypes

You have to extend your configuration even more.

Better solution: Update RouterOS to a recent version and use RSA keys.

eworm

Yes, it's a heavy plastic plate. But it has just rubber-feet, no sucker. But I will fasten it with a strong cord and eyelets in keder rails.

It now looks like this. Let's hope it will withstand bad weather and strong wind...

eworm

You could just set a record of type NXDOMAIN... /ip dns static add name=example.com type=NXDOMAIN However this is not specific to IPv6 and could cause clients to ignore the domain completely. I tend to set an AAAA record representing the IPv4 address: /ip dns static add name=example.com type=AAAA ad...

eworm

maybe, mounted on a plastic plate (Polyethylenplast) then a rubber-sucker (Saugnapf) in each corner to fasten to roof.
then very portable.

Yes, it's a heavy plastic plate. But it has just rubber-feet, no sucker. But I will fasten it with a strong cord and eyelets in keder rails.

eworm

How do you turn antenna, by losening the mount on the pole? What do you do while driving around, take the whole installation (including pole base) down? Yes, this is completely manual. When the caravan has its position I can place the antenna - neither caravan nor lte station will move then. :lol: ...

eworm

Mounted this on top of my caravan.
Guess it solves my connectivity issues...

eworm

You should ping the host cloudflare-dns.com, not the url.

eworm

Probably a bad idea. CRS125 is a switch, and in no way it can route a gigabit.
The poster wants fast internet connection, not VLAN.

eworm

Your Huawei Router is connected to what port?

If it is connected to ether1 your CRS is not working as switch but additional router. Disable DHCP server, plug the Huawei Router to any other port and try again.

eworm

Already reported for 6.48beta, but applies here, too:

*) dns - do not use DoH for local queries when a server is specified;

This is about forwarding? Looks like queries are still sent via DoH for me.
Anybody made this work?

eworm

That is a theory but unfortunately this does not work with DOH right now. Mikrotik staff is aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release fix in stable channel.

Does it work for you with 6.48beta12? To my findings the behavior did not change.

eworm

Everybody who visited a MUM knows these: the cloud shaped Mikrotik stickers.
Is the cloud shaped Mikrotik logo available, preferably as SVG file? I've searched designs.mikrotik.com and Google, but could not find anything.
Please share if you have it.

eworm

Looks like you have a number of packages on our flash storage. Clean these, then try again.

eworm

*) dns - do not use DoH for local queries when a server is specified; This is about forwarding? Looks like queries are still sent via DoH for me. *) dns - do not use type "A" for static entries with unspecified type; I do not understand that one... How could type be "A" and unsp...

eworm

msatter Do you have custom set of packages installed and wireless package is not installed?

Correct. My system has system, dhcp, advanced-tools & security installed. Opened SUP-21264 with support output.

eworm

I wonder what's the real advantage of running my router with ondemand scheduler?

It saves power and runs less hot.

eworm

Now non-wireless devices have issues with the default configuration script:

system;error;critical;13328;39528;13328 error while running customized default configuration script: expected end of command (line 1310 column 53)

This is on RB750GL.

eworm

No idea what you code is supposed to do. Do you want to toggle the interface without my scripts? Use something like this then: :if ([ / caps-man interface get cap1 disabled ] = true) do={ :log info "Enabling..."; / caps-man interface enable cap1; } else={ :log info "Disabling..."...

eworm

Using my scripts add something like this in configuration: :global ModeButton { 1="/ caps-man interface disable [ find ];"; 2="/ caps-man interface enable [ find ];"; } With one press all interfaces are disabled, with two presses interfaces are enabled. Is that what you want? Of ...

eworm

Version 6.45.1 had this in change log:

*) sms - allow specifying multiple "allowed-number" values;

So it should be possible. Never used it myself, though.

eworm

I have this stored as a script on my devices: :put ([ / tool fetch http-header-field="User-Agent: Mozilla/4.0" "https://api.nordvpn.com/v1/servers/recommendations\?limit=3" output=user as-value ]->"data"); Then from a linux host: % ssh mikrotik / system script run nordv...

eworm

I've seen this myself... Just switched to another server that is currently recommended.

eworm

This is part of my RouterOS Scripts collection. You can make the device act on multiple presses on mode or reset button. The default is one press to toggle dark mode, two presses for a "Hello World" notification, three presses for shutdown, ... But you can make it do what ever you want.

eworm

Would you consider this to be useful?
Mode botton with multiple presses

eworm

It would be like asking MikroTik to make QUIC available. It is already available. Well, RouterOS can be client as well, so for example fetch command could benefit. It's not a big win there, though. But DoH over QUIC or HTTPS/3 could be worth adding one day... No idea if there are endpoints supporti...

eworm

Your port is member of a bridge. Put the dhcp client on the bridge.

eworm

As said before a message has to match all topics given in a rule. So you can use something like this... /system logging add action=remote topics=info,dhcp ... to match all messages that have topic info and dhcp . But there is no message that has topics error and info at the same time. So a rule like...

eworm

No, this is not a bug. Why do you think so?

eworm

Rules: topics=info,error,critical,system,event,warning,script,wireless,dhcp,ipsec prefix="" action=remote A message has to contain all topics to match. That's an impossible combination, even info and error are exclusive to each other. Try this: /system logging add action=remote topics=inf...

eworm

Please give

/ip firewall filter export

so we can have a look.

There's no (new) breakage in scripting I know of.

eworm

Possibly missing the escape for question mark?

eworm

I think you see the mismatch only if session key is about to expire and rekeying fails. So did you test for more than just session startup?

eworm

Sure, everything is possible... Run / system script export; to see what the code inside an rsc file should look. To turn an uploaded file into a script: / system script add name=new-script source=[ /file get uploaded-script-file contents ]; You may want to take a look at my signature for an idea wha...

eworm

RouterOS supports bitwise operations, so you can calculate IP addresses like this, for example get the first octet:

:put (192.168.10.0 & 255.0.0.0)
192.0.0.0

Possibly useful to shorten your functions even further.

eworm

Does this work for ipv6?

You could try this address:

https://[2606:4700:4700::1111]/dns-query

But others reported it does not. Have not tried it myself.

eworm

It expires nov/10/2031 02:00:00, that's more than 595 weeks from now.

eworm

Looks like anybody uploaded all available extra packages to the device to upgrade...
Should be easy to recover with netinstall. Not sure if there is another way... Probably not if you can not uninstall unwanted packages.

eworm

What packages are installed? Did you import certificates?

eworm

I think dns cache goes to RAM and does not cause flash writes...

eworm

This should do:

:foreach i in=[find] do={set $i address=192.168.20.2/32}
or since its just one IP and no subnet:
:foreach i in=[find] do={set $i address=192.168.20.2}

Why do you run this in a loop? Just set the value for all at a time:

set [ find ] address=192.168.20.2;

eworm

Yes, except that you do not need to update. Just a reboot is sufficient.

eworm

To solve this issue First you have to change your Wireless Interface(s) name to the pre-set. wlan1,wlan2,wlan3.... And finally you must Reboot your device, after this your problem will be solved forever And after that you can personalize and change their name. That does the trick, thanks a lot for ...

eworm

It would be nice when it first checked for exact matches of static records before it tried the regexp.

Exactly what I described above with my issue. So +1!

eworm

To get DoH working I need to use all 3 certificate from dns.google

Depends on whether or not the server ships the intermediate certificate. Then looks like Google server does not.

eworm

What's new in 7.0beta7 (2020-Jun-3 16:31):
[...]
!) enabled BGP support with multicore peer processing (CLI only);
!) enabled RPKI support (CLI only);
[...]

eworm

What's new in 7.0beta7 (2020-Jun-3 16:31):
[...]
!) enabled BGP support with multicore peer processing (CLI only);
!) enabled RPKI support (CLI only);
[...]

eworm

Just want to share to all people, if you want to verify the DoH server, you can go to https://1.1.1.1/dns-query using the web browser and download the the 3 certificates from the server site. Only two certificates are required, use the two with "DigiCert" in name. The "cloudflare-dns...

eworm

Just found another hiccup with DNS and DoH... Let's assume I have a domain eworm.de (I do! :D ), which has A and AAAA records. My router has a record router.eworm.de , using *.router.eworm.de as local zone: /ip dns static add address=10.0.0.1 name=router.eworm.de add address=10.0.0.10 name=host.rout...

eworm

It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests. (If you want to test it, remember to flush cache before every request) I brought this topic up for beta and rc releases... ...

Search found 771 matches