MikroTik

Amm0

Now Published as VSCode Extension! The newest (v0.3.4) release now appears in VSCode's Extension 'Marketplace' , to allow for easy install and update. To install – in Visual Studio Code — use Shift + ⌘ + X to bring up "Extensions" in VSCode, then search for "RouterOS LSP" and th...

Amm0

routeros-colors-in-lsp-on-alpine-armv7-container.png

Amm0

I think NAT input/output chains are pretty much edge cases, but they definitely have their uses. You might include them in the main diagram, or if you prefer, group them with other, more complex use cases like IPSec and WireGuard encryption loopback in a separate diagram. Agreed. Even MikroTik nume...

Amm0

I think it's time to move on to another vendor whose sole aim in business is NOT to make life as difficult as possible for it's customers. While I'm quick to complain myself too... I do think it's IPSec more generally that's tricky on ANY platform. Since complaint was about neighbors not showing up...

Amm0

There is also cellmapper.com where you lookup where the tower are located & that also shows bands by carrier. While "Jungle" is not what I associate with Germany, publishing maps of cell tower locations is something they may do as alternative to cellmapper.com. As @mkx says the "b...

Amm0

Yep. DHCPv4 shouldn't be mentioned.

Not shown, but "ping" / ICMP be in same category since the kernel does some work there.

Amm0

@jaclaz, just a minor detail: shouldn’t the text in the purple "nat" boxes to the left be something like “/ip firewall srcnat” and “/ip firewall dstnat” instead of just “/ip firewall nat”? or the full/partial "real" syntax (or "MikroT t ik configuration naming") like &...

Amm0

Newsletter #125 it says: "Runs entirely on our own RDS and hardware"

👍

Maybe it can run back-to-home-files to start replacing Box.com too :)

Amm0

I suppose TikTube is running in a container for example.

It be a good application for RDS... but is that what it's actually running?

If so, I just hope they don't need to downgrade from this beta, otherwise possible the container gets "lost"/removed. ;-)

Amm0

Or only change the purple fat arrows on the left? Or both? Minor, again, the "fat arrow" things are not process. Maybe use rounded corners label boxes with the arrows, or just put the text in arrow without any box . Just so they are even more visually distinctive from the "inner"...

Amm0

@Amm0: Once the diagram is finished, it’s time to start adding different use cases. I’m thinking maybe 8–10 examples should be enough to cover most of the common scenarios. [...] Yup, some "overlays" with connection arrows (in "Dude terms", "links") might be one future...

Amm0

@Amm0: Actually Wireguard is fully covered. You're right actually. I've just been skared by the multiwan routing of the tunnel ;) - the firewall is actually not hard. IMO, the only reason to include "IPSec" is that the default firewall has "matchers" on ipsec-policy=. But again ...

Amm0

LOL, @Larsa's list is list the "hard mode" of the MikroTik forum's password challenge (where they ask you identify routers in a list as captcha)... Except, @Larsa list is "which of the following do NOT involve the Layer3 IPv4 firewall"... The value, I think, of @jaclaz's work is ...

Amm0

If you want nightly check the nightly: mt.lv/nightly-build I know MikroTik uses Box for "cloud files" sometimes.... But the nightly build seem like an ideal way to " dogfood " their own "back-to-home-files"... #self-hosting If they ran into usability/missing features/b...

Amm0

I had some containers working (including a faucet container, see posting * above)... Not anymore. I downgraded to 7.19.1 to test something, and the upgraded back to 7.20beta2 — however my containers all disappeared. I know it's beta & been lot of [good] changes in this release for containers... ...

Amm0

The third possibility is to use RoMON . I'm don't have experience with it, but AFAIK it should be fairly easy to set up, most of setup is on first (router) device. I kinda think long-term be better to get the routing/VLANs setup between the two routers. But RoMON is handy & description is kinda...

Amm0

Because they want to force the user to buy two To the topic at hand, that is a lot more ports and WAY more routing horsepower in same 1U as an RB1100AHx4. My issue with RB1100AHx4 today is that it is NOT a great value... since even one RB5009 is way more powerful than a RB1100AHx4. And two RB5009 i...

Amm0

Oh there are few project and various discussion over the years on using MPTCP proxying to enable bonding. The IETF has had presentations on the topic, and quick google came up with this paper with some nice graphics showing the concept: https://ieeexplore.ieee.org/document/9524976 So I kinda view re...

Amm0

The background is the comments you see explain the "why" it was dynamically added. Since they were added for different reasons, there are multiple dynamic entries. In this scheme, you can already have a static and dynamic (so a "duplicate") for same VLAN in /interface/bridge/vlan...

Amm0

No. You need some "hardware" to enable eSIM. The older devices do not have the need things on the "motherboard" or modem module, so only choice is to use a special physical/hard SIM card that will allow RouterOS eSIM commands to work. If you're not planing on switching carriers, ...

Amm0

An it has been solid as a rock for me for years. Install & configure & forget :) does the RB1100AHx4 have any limitations on router OS version? was reading that the CCR series for example series if not mistaken is limited to Router OS V7 only? Mine are all older, but all work with V6. I can...

Amm0

Code is posted on GitHub and VSIX file can be downloaded from there with the RouterOS LSP for VSCode. See post #1 and README.md on GitHub https://i.ibb.co/1t1y3kLL/Router-OS-LSP-as-VSIX-loaded-in-VSCode.png At this point, it should not break anything – since it just reads routeros & can be easil...

Amm0

Very minor, but eventually, if you use GIF with Alpha channel that might allow better support for dark-mode, to avoid the hideous sand color background. I think that png is better in resizing/adapting to various resolutions, and it supports Alpha channel just fine. I saw PDF here... Not the expert ...

Amm0

Commands with sensitive fields are entirely remove from history. This has been annoying since there is no need for the entire command to be removed when it's only the sensitive attribute that should be removed (or shown as ="" like export) from history. I often "try" a command vi...

Amm0

Agree the login screen can be improved. At least part of that is already on the list:

Known issues to be addressed :

should be some vertical split control between the login/password on left and the neighbors

Amm0

Oh

agree that it's ridiculous it comes with 16MB. And they pitch TR-069 support, which does not help when already limited space... I bet LMT is sitting on a bunch of them, only hope is they'll put pressure on MikroTik to further reduce size so it works.

Amm0

Agree on RB5009. But have a few RB1100AHx4 that we use to run Dude and hosting VPN tunnels to remotely managed devices. But main advantage of RB1100AHx4 is that it has internal disks. Downside is there NO USB and it's ARM32 (while RB5009 has both). Also RB1100AHx4 does have the nifty "bypass&qu...

Amm0

Is it really water moisture? It might be some oil or loctite or something from the manufacturing process, IDK? If unit is kept inside, I'm lost at how that much water could start to leak...although I guess the RB5009 does get hot, so if you have a lot of humidity perhaps... but thermodynamics is not...

Amm0

Not sure I've complained about it recently... but also waiting to see some "Audience AX 5G" (with support for global LTE/5G bands, or "R" model with M.2 slot) in these newsletters. The existing Audience-LTE6 is great device, but these have been discontinued and there is no replac...

Amm0

Very minor, but eventually, if you use GIF with Alpha channel that might allow better support for dark-mode, to avoid the hideous sand color background.

Amm0

*) container - show explicit stopped flag for container; Perhaps you should NOT use "S" as /container flag for STOPPED as it "conflicts" the the usual "slave"/etc & started also starts with letter "S". While "flag letters" may overlap in other p...

Amm0

Initial Implementation Notes I tried a TypeScript-based sample LSP server from Microsoft, and added REST calls to /console/inspect highlight and completion based on LSP client requests. Just a bare-bone, hardwire, demo at this point... But concept does work at least to see something in VSCode. You ...

Amm0

Some "migrate" feature is certainly missing. It's like MikroTik wants to make it difficult to "just upgrade" to newer/better hardware.

Amm0

I like the presentation here. While the full detail (other than WG) is in Packet Flow diagrams in docs — those are not very understandable to get the "high level" picture from a "configuration perspective" — so showing the "chains vs /ip/firewall/XXX" is pretty cleaver ...

Amm0

Handy feature but it is way too coarse to be useful - at least on macOS Mine (Linux) goes in 8% increments/decrements. Worked all right for me (using at 92% now). How did it work for You? Is it 8% too? Yeah it may be macOS thing. The trackpad zoom is very "twitchy". The increments are fin...

Amm0

Background This topic recently arose from a commentary between @Kentzo and me in the 7.20beta thread concerning an "LSP". While many folks may not know what an LSP is... it is an API that most modern text editors use (like VSCode) to do, among other things, syntax checking, and coloring s...

Amm0

If you saved them... then you need to change the view in WinBox4 to "Saved" in the dropdown near top center that says "Select From" (i.e. so it does NOT say Neighbors). The Neighbors view listens for UDP broadcasts to 255.255.255.255, which [AFAIK] you're not going to have with L...

Amm0

Advice? Move back to 7.19.1 Perhaps good idea. But I'd at least "Make supout.rif" before downgrading, so you can report it if desired. Another option is to enable more IPSec logging in /system/logging/add topics=ipsec,!raw which might have some clues on what causing it. (And if you captur...

Amm0

I'll leave it on auto then.

Yup. And I think the settings are same all platforms. i.e. perhaps in future it might support BTH or new features that use DDNS.

But IMO, there should be a =no just for clarity. =auto might be a good default, but IDK why they removed =no...

Amm0

Also, I'm not sure what specific things are included LMT branded ones.... But it MIGHT include TR-069 package, which also use some "disk" space. To check see if tr069 is shown under System > Package. If so, you can uninstall that package (and can always add it back to enable LMT control of...

Amm0

The MMCX in photo are 2.4Ghz Wi-Fi.

So for external lte, there is only one option to unplug internal antena?

Correct. You connect the U.FL pigtails directly to modem. So there is no switch between internal/external possible with LTE on LtAP.

Amm0

In past few releases there is "auto" and "on" for DDNS settings. The "auto" means off/disabled — unless you enable "BackToHome" features. The IP Cloud docs, https://help.mikrotik.com/docs/spaces/ROS/pages/97779929/Cloud#Cloud-DDNS say: Before 7.17, the defaul...

Amm0

If you delete the backup file, you'd have 36K, which might be enough to save the config. And beta versions are often initially bigger than final versions - making them very tricky on the 16MB flash units. But netinstall is about only way to free up more space. Of note here, this is an LMT-branded Ch...

Amm0

@jaclaz: Nice work.

another nit... is it does miss the case of encapsulated protocols like IPSec – which the default firewall does subtly handle in filter and NAT rules.

Amm0

I use Dude on macOS/intel, so it works. I use homebrew to get wine & just use CLI to launch Dude... but you can use Automator to make it an "app". The Dude auto-upgrade that matches the version even works. Since it's emulating Windows – the path needs to be valid Windows path.... And U...

Amm0

Can you try the 7.20beta2 version? There was a fix related to dynamic ACL rules not working properly: *) switch - fixed ACL rules when ports are not specified (fixes dynamic rules for RoMON); Maybe y'all should clarify docs on multiple secrets, too. While it does describe the secrets are a "li...

Amm0

100% docs first ... videos after! Which is largely making the docs the script, not the other way around. I think partially youtube is to blame. People watch those "tech youtubers" and have a feeling the whole world has home lab with 100Gbit :D LOL – says the guy with a YouTube plaque :)

Amm0

On the original case of CRS without RoMON in 7.19 (but working in 7.18), I'm going to open a case with Mikrotik to see what they say. Make sure to include a supout.rif, ideally from both 7.19.1 and 7.18 Apparently they update the RoMON docs a bit: RoMON packets can be forwarded through network switc...

Amm0

I believe the reason why I´m rarely seeing MT deployed in enterprise level networks is often the lack of good support. IMO, the root problem is the l ack of good written docs ... you cannot have good support if you communicate everything person-to-person. If an IT engineer can find the answer in do...

Amm0

On this subtopic of multiple secrets... You can have multiple secrets, which allows remotes to use different secrets. You can even if one empty secret (like default) with other actual secrets. have you tested it ? does it work like that? It's worked like for me. But it's not documented. The use case...

Amm0

I'm going to open a case with Mikrotik to see what they say.

Make sure to include a supout.rif, ideally from both 7.19.1 and 7.18

Amm0

I'm mostly* on @normis side on this 2.5G port debate. But I'm not sure SFPs are a good solution for "home"... onboard 2.5G or 10G ethernet ports seem better in a home environment. I have no* devices with 2.5G ports (*although I suppose dongles). Now console games might have HUGE downloads ...

Amm0

Speaking of @tangent, there is also his excellent guide that walks through the firewall in more detail: https://tangentsoft.com/mikrotik/wiki?name=Default%20Router%20Configuration And I put @Kentzo postings as a "firewall faction", with philosophy of let's all be good citizens (e.g. using ...

Amm0

You wrap the email send in a function, that checks DNS name. Something like this should work in ~v7.17+: :global sendmail do={ :local emailsplit [:deserialize from=dsv $to delimiter="@" options=dsv.plain] :if ([:typeof ($emailsplit->0->1)] = "str") do={ :onerror errtext in={:reso...

Amm0

You can have multiple secrets, which allows remotes to use different secrets. You can even if one empty secret (like default) with other actual secrets.

Amm0

IMO both routing (option 1) and passthrough (option 2) are valid. Now speeds should be similar regardless, since LTE6 theoretical max speed is well within the routing limits of even 16MB wAP or hAP. The benefit of option 1 (routing) is the LTE backup can actually function independently via it's Wi-F...

Amm0

Use victron energy mppt solar controller and lifepo4 batteries. I like the Victron's too - we have a few setups with their MPPTs and LoRaWAN connection (to remote KNOTs). And, we have a couple setups that use AGM batteries, and they work fine with Victron. Only downside with victron is you need to ...

Amm0

I can connect fine both to AND from 7.19.1 devices. As well as from 7.20beta2 to various V6/V7 things. But I just have arm/arm64/mipsbe/CHR things, but no CRS's.... But I'd note they have made various HW offload changes between 7.18 and 7.19... And RoMON is kinda weird (different ether-type) .... so...

Amm0

The "WHY" is important... For example, maybe using the "interface-list" (which is what default one does) is too limiting... but perhaps modifying defaults to use "address-list" might be all that's needed. Another example be that @anav/others often suggest allowing what ...

Amm0

Also, a related idea is a "source code license" that might be some middle ground here. Years ago even Microsoft would license the source code to NT (at high cost, under strict NDA, and to select ISV) & many other smaller vendors did offer the source code to proprietary software , for a...

Amm0

Taking a step back here... in a lot of ways... you're just asking for the return of the "long-term" channel — which is sorely missing. And any kind of "enterprise" thing generally has good documentation(+KB/guides) and training/certification — which are also lacking. So investing...

Amm0

+1

We currently don't plan to support 3rd party relays, but it's an interesting idea worth considering.

This has been suggested before in @normis's BTH thread... so I'll take this as progress

A few months ago it was:

the name literally includes the word "home"

Amm0

@Amm0 Many times I considered developing an LSP, I wish Mikrotik funded open source projects…

@Kentzo, I wrote up what I know about /console/inspect and LSPs in this thread:
viewtopic.php?t=217229

Amm0

The "null" should have worked - but you're right even in 7.20, you get "" which is NOT empty. But in most cases, POST let to replicate anything the CLI can do, so that's the trick needed here... So if you use a POST with "unset" instead, including in JSON of .id and val...

Amm0

I have not tested this is a while and not expert on L2TP... But I don't the broadcast packet (255.255.255.255) needed for neighbors are received by client OS when using L2TP. And not 100% send MNDP broadcasts are even allowed over L2TP for sending.

Amm0

But now that I look at this again you might want to try: /interface/bridge/filter/add mac-protocol=vlan vlan-encap=pppoe-discovery ... I forgot there is the vlan-encap= that might work — since you want to match on inner ether-type, not IP headers. But it the VLAN with IP matchers that I know don't w...

Amm0

I'm just thinking bridge filter works only on untagged packet inside the bridge with no vlan-filtering set to yes Mostly right. There is no "inner" mac-protocol= is why it doesn't work. The mac-protocol= (i.e.. ether-type) is "vlan", not "ip" or "pppoe-discovery&q...

Amm0

I'm not 100% sure CAKE is helping you in this case...or at least adding complexity since CAKE does have some important params. Have you tried a similar queue, like fq_codel or WFQ or even just using no queue? Also if can you enable FEC on your MPEG-TS streams? That often helps with raw UDP media str...

Amm0

Small correction here: Winbox requires layer 2 for discovery. Not quite. WinBox uses MNDP discovery. And MNDP is a Layer3 UDP broadcast packet (255.255.255.255) so it's broadcast support you need for WinBox Neighbors. Now Layer2 access, always would get you UDP broadcast, so that part is right. And ...

Amm0

Let's start with "What is a LSP?" The Language Server protocol is used between a tool (the client) and a language smartness provider (the server) to integrate features like auto complete, go to definition, find all references and alike into the tool —from https://langserver.org As discuss...

Amm0

Why don't you try to guess at least? Plenty of clues already in the thread. Or, at least show you've tried something and provide error why it doesn't work. And just be aware NONE of this is going to work if you EVER upgrade to V7... and the whole approach to add/delete scheduled task is where this g...

Amm0

TL;DR: you set the attribute to null (without quotes) in the JSON provided to `curl`. But that's may not your only problem. I think you're confusing add and set, which are PUT and PATCH respectively in REST API. https://help.mikrotik.com/docs/spaces/ROS/pages/47579162/REST+API#RESTAPI-HTTPMethods i....

Amm0

*) bth - added extra file-share functionality for use with apps; I'm not sure what those changes are... But... Is there some way to "force proxy mode" in using /ip/cloud/back-to-home-files? The use case is that if I "share a file", I may not want to [indirectly via DNS] share my...

Amm0

You can get a trial CHR license without the limit. Say what you want but CHR has the most relaxed licensing system imaginable. - You can get a free license with a speed limit and run it forever - You can get a trial license for a whole whopping 60 days with no limitations at all - The trial still w...

Amm0

In order to download the eSIM to the physical card I had to connect the router with cable internet This is a good point — it does need internet first to reach the MNO's server to activate. Docs do say that in roundabout way - that might be missed in testing: connectivity to eSIM SIM profile provide...

Amm0

A DNS resolution will get caught if you use /tool/fetch or :resolve. Either using do/on-error=, or newer "onerror/in=/do=". However /tool/e-mail is "more asynchronous", so I think, it gets queued like most MTAs... so any error in SMTP protocol happens after the command returns. T...

Amm0

@Amm0 Many times I considered developing an LSP, I wish Mikrotik funded open source projects… All roads to an LSP involve some form of schema (whether BNF, OpenAPI, etc), which is lacking. I thought before "/console/inspect request=completion" could be used as part of an LSP, but then the...

Amm0

"replace TAB characters with spaces when editing scripts" [...] Please return it back! I mean, TAB character should NOT be replaced, and tab-width parameter should only be used to correctly display TAB character in WinBox or console. Doesn't it bother anyone who work with scripts? I'm not...

Amm0

Yup, I keep thinking this is going to be fixed too. It is annoying that "copy" does not remember the remote-image= (and few others too). And, the CLI is similar broken for "export" where remote-image= is missing there too. I have an open bug (SUP-128652) since 2023 on the CLI par...

Amm0

The sysmocom EUICC1-C2G works flawlessly with my SXT LTE! Of course no output for /interfaces/lte/esim print But that my request! i.e. /interface/lte/esim/provision to work on wAPacR/SXT-R/SXT-LTE6-US/AudienceLTE6-US/LtAP/LtAPmini/RB593/RBM33/L23UGSR/RB911/RB923/ChateauLTE6-US/ChateauLTE6-US/KNOT/e...

Amm0

For context, @Larsa has documented the overall manual process of eSIM activations: Get the eSIM SM-DP+ address and activation code (or QR code) from your mobile operator. Log in to your MikroTik router via WebFig or WinBox. Go to Interfaces > LTE > eSIM Management. Add new eSIM profile and enter the...

Amm0

And it can be related to this https://forum.mikrotik.com/viewtopic.php?t=217111 :) The last thing that helps OP's cause is cross-posting, which is not allowed on the forum. I'd recommend you file as a Feature Request at help.mikrotik.com - to which MikroTik likely say some form of: "thanks ......

Amm0

The idea is there should be SOME "physical eSIM" that works with RouterOS's /interface/lte/esim/provision commands . While there are solutions that use their OWN apps/tools to program an eSIM, the issue is if eSIM Profile needs to change... If RouterOS commands don't work with the physical...

Amm0

@john231: Is there a guide somewhere else? It only talks about the new connectivity app. No explanation on how to use another ISP besides Mikrotik... This how you activiate your own: Get the eSIM SM-DP+ address and activation code (or QR code) from your mobile operator. Log in to your MikroTik rout...

Amm0

MT marketing has reached a low point. This is stated for the HEXs : "Connect your PC over 2.5G, then bond two 1G ports to your NAS" I think Synology and SNAP support LCAP, so MikroTik may not be wrong. But issue is if you say stuff like that you have some article/doc/etc that describes how.

Amm0

Can't you change the "coordinate-format" to use "dms"? i.e. /system/gps/set coordinate-format=dms which would get you degrees, minutes, seconds. May still require some parsing for your needs... but avoid floating point math (which is not possible). Or there is "coordinate-fo...

Amm0

I'm not sure criticality, or need, myself... it's a "/system/schedule add ..." with one extra line in script to "/system/schedule/remove [find name=run-after-reboot]", as noted. But the concept does exist with a FILE named *.auto.rsc , see https://help.mikrotik.com/docs/spaces/RO...

Amm0

FWIW, MikroTik did a decent video explainer about QoS in 2025:
https://tiktube.com/w/7PBqw2rJ933B1q98tK21rL

May have some background on the examples shown here.

Amm0

Somebody was too chatty with it, it went over the limits.

It wasn't me.

I'm not sure it's actually all that useful FWIW & does clutter the help.mikrotik.com page since it shows opened hiding the link to support cases.

Amm0

There have been a few thread about newer eSIM support, all good number of "view counts": Guide: How to activate eSIM from any mobile operator on your Mikrotik router Which modems support eSIM esim in 7.18rc MikroTik has suggested the newer 5G/LTE devices will come with eSIM hardware built-...

Amm0

The scheduler, script and on-event script are present on supout? If yes: Except what is stored inside script, ANY script, on any position. Good point. FWIW, there is the "supout.rif Viewer" section on https://mikrotik.com/client/supout (under Account, after login in free account), which s...

Amm0

@Amm0, please get in touch with us and send supout.rif file.

Filed as SUP-189565

Amm0

Try our own AI bot. It's not very good at scripting, because RouterOS is not as popular as generic programming languages, but it's still pretty good if you can do your own sanity checks, and if you are able to formulate the problem in full sentences with a lot of details: https://mikrotik.com/suppo...

Amm0

*) container - allow to use multiple veths in a container, change the in container interface name to same as in RouterOS; Finally I will be able to move Homebridge to ax^3. I didn't have good luck on this multiple veths to homebridge however... Now did get to see what these look like: *) container ...

Amm0

@MT Openflow seems to work with faucet at first try the question is how does hardware offload came into play? since the ports is being handled now in the openflow->ports not in the bridge could you please give clarity on this please? I'm curious too... Running some tests with faucet on RB1100AHx4.....

Amm0

Connecting from MacOS to a defaulted Mikrotik using L2 still doesn't work in beta 21. ERR: Could not connect, MacConnection syn timeout Do you have multiple interface running on Mac? i.e. Wi-Fi and Ethernet I have sometime seen issue where that caused some issue with MAC winbox. So if that's the ca...

Amm0

*) container - added option to execute commands inside a container using "/container/shell cmd= user="; *) system - added support for OpenFlow 1.3 (new package "openflow" available); OpenFlow seems to work with Faucet as a /container. Good work. But the scripting around /contain...

Amm0

*) ip - added socksify feature and new NAT action "socksify"; Is there documentation? While there should be. You can almost guess... /interface/list add name=REQUIRE_PROXY /interface/list/member add list=REQUIRE_PROXY interface=<what-interface-to-force-sock-proxy> /ip/firewall/nat/add act...

Amm0

Nope. It requires "winbox" and at least "read". Now agree more fine-grain control of users/policy has been sorely lacking in RouterOS (and Dude)...

But I'm not sure this is specific to V7 per se, since I think this changed with newer auth scheme at some point in V6's lifecycle.

Amm0

And I recall 7.19.0 had some bug with Dude, so good you upgraded. But package version do have to match exactly... but the "extra package selector" is new 7.19 - but that align extra-package automatically in future.

Amm0

Additional evergreen (beside of memory leak), ROM space shortage on 16MB hAP ac^2 with wifi-qcom-ac. It is quite obvious - RouterOS 7.20 for ARM is roughly 100kB bigger than RouterOS 7.19. Netinstall procedure has been applied with manual configuration. Come on, buy a decent newer router already. F...

Amm0

You can go to System > Packages, use "Check for Updates", the check the "dude" package, hit "Apply". That will install the right dude for your system - but this will only work in 7.19+. If you're out of disk space, that could be a problem. But I'd try above, then check ...

Amm0

Yup no PCC is applied to last one... so rule just assigns a connmark (and routing-mark) since it "escaped" PCC. PCC at end of day is just a "matching rule", but it does not take action itself (i.e. you still need some action=).

Amm0

Lots of good changes in container! On these specifically... *) container - added option to execute commands inside a container using "/container/shell cmd= user="; I tried this out, works! But... few minor issues with it... - should be some timeout= on it (or something)... since if the com...

Amm0

Didnt help understand your shortcut technique :-( It's like using a DROP rule at the end of fw filter to capture "everything else" – except in reverse. Each rule in firewall has a small CPU cost, so if you can reduce PCC rules, you improve latency. So theory be you have the SMALL sized PC...

Amm0

Well, definitely /tool/sms needs improvements viewtopic.php?t=191963

It's a router, so "notifications" are rather useful... so it should ideally be simple to use SMS

Amm0

If need is "cold standby"... having an identical unit, and use the .backup file to restore is pretty straightfoward. Obviously only ONE router can be online at same time when using .backup file, and may require cable swap (or VLAN re-assigment, etc) in the disaster scenario. Alternatively,...

Amm0

sms-protocol property on LTE interface is not related to at-chat and possible sending SMS with AT commends over it, it's for /tool/sms functionallity. Yup. But log would show the specific AT command for the SMS sending - so might be able to "see" what command RouterOS. But the underlying ...

Amm0

I just don't get the level of vitriol - especially with the return of "dialog tabs" on top... I got my quibbles – some of which were fixed – but overall WinBox4 is coming out good - I use it everyday without any "real" issues. And "wine" had way more legibility issues t...

Amm0

FWIW, I wasn't saying "impossible", just complex/difficult/etc. I cannot recall the specific, but there have been past thread on using AT to generating SMS. But if only problem is SIM card memory gets filled up with saved messages... one scripted delete message AT seems WAY easier. Now if ...

Amm0

I think the initial decision to add/remove scheduled entries on per user session basis is kinda wonky. I'm just thinking some :for loop in ONE schedule script that [find]'s the particular users to cleanup would be a better approach, than re-calculating the schedule time and incurring all the config ...

Amm0

So I understand that it is actually impossible to send SMS via AT-CHAT on Mikrotik because normally sending messages via AT requires interactive prompt while you are entering the message. Mikrotik command shell seems not to be able to allow for that, hence commands documented in Quectel manual fail...

Amm0

@MikroTik, perhaps y'all can formally clarify how long WinBox3 will be supported? There has just a lot of commentary, both here and release threads, worrying about when winbox3 will stop working: Winbox 4 is not forced yet , v7.21 is alpha and should be treated as such. There, I fixed it for you. I ...

Amm0

Having a look at ECMP: / ip route add dst-address=0.0.0.0/0 gateway=10.1.50.2,10.6.6.10,10.6.6.10,10.6.6.10,10.1.50.2 check-gateway=ping Link: https://wiki.mikrotik.com/ECMP_load_balancing_with_masquerade FWIW, in RouterOS v7, the routing engine for ECMP does not store duplicate routes like V6... s...

Amm0

My quick take is you may be over-focused on the PCC part... While that may be involved, I'm not sure that's the entire story. VoIP/realtime AV (i.e. "Microsoft teams") is way more sensitive to latency/packet loss/etc than "normal" web traffic. Are you using any queuing mechanism?...

Amm0

until I put proxy-arp on the "main" outbound interface... apparently it's not needed on the other firewall link.. Yup, that's expected. Your ISP has their subnet set to /28, so it will use ARP to find any of your devices, but the customer-router isn't "discoverable" via ARP sinc...

Amm0

FWIW, with RouterOS 7.19... there is now an option in /ip/dhcp-client to set "Gateway Ping" discussed above (i.e. check-gateway=ping) DIRECTLY on the dhcp-client so it's automatic – this avoids needing a custom script on the DHCP client per WAN & makes this part simpler. And, there is ...

Amm0

It would also be productive, I think, for them to publish a formal OpenAPI spec for the HTTP API. It wouldn't be too hard to create a syntax def from that, I would think since: [...] Third-party schema is downloadable here: https://tikoci.github.io/restraml/#Schema+Downloads As an experiment, I tri...

Amm0

What is this funny business with the webfig mikrotik_logo.svg? LOL. I've noticed that too, I wasn't sure if it was just rendering... But logo SVG looks like an export, it just a long path. From my Latvian history lessons (https://youtu.be/rgo7pKDb4c8?si=C5lOGmupBHoZGaUL&t=532), it's not the &qu...

Amm0

While I like that ESC will close a dialog box... it should NOT close it if the dialog form is DIRTY (fields modified), i.e. should prompt to Apply+Close, Ignore Changes, or Edit if you CHANGED a field.

Amm0

Could we get more information and examples on this new check gateway feature? What happens if it cannot reach the gateway? When the DHCP client adds default route provided by server, it will add the check-gateway=<value-from-dhcp-client-config> to the dynamically add /ip/route dst-address=0.0.0.0/0...

Amm0

I don't think that there is that much choice, when the eSIM support was announced: [...] to which you can add 9esim Has anyone tried: https://www.1nce.com as the eUICC on physical SIM? There "freedom-to-switch" implies it has the eUICC bits, which may work with RouterOS eSIM commands – bu...

Amm0

To be honest I still do not fully understand why Proxy-ARP should be required...

Have you tired to ping the customer-side IP from outside your network (i.e. the internet)?

Amm0

Friends, I have realized that the problem is when the LIMIT-UPTIME is 1d 00:00:00, how can I convert it into a date and time? Thank you for your help Assuming you're talking about a recent V7, state-date= allows a time type (which limit-update is), so you can just add your $limitUpdate to value of ...

Amm0

I don't know the internal logic. But there is not a way to "force" it AFAIK. @normis, perhaps you can explain how the detection works since the part is still mysterious (well, undocumented)... I'd check /ip/cloud for DDNS, i.e. does it show "router is behind a NAT"? That uses som...

Amm0

At a high level, you should just need to look at "/interface/wireguard/print detail" and see what port is used by the BTH WG interface & then port forward that in pfSense. If pfSense failover, BTH should figure out the failover after ~1 minute (time may vary since it tied to DDNS updat...

Amm0

not sure why , but for me: *) reintroduce tab support in the top menu of forms, with the ability to open multiple tabs using Shift + left-click. does not work at all. Can anyone describe more? I couldn't get that work either (tested macOS). Also, the ⌘/Meta+Scroll Wheel for ZOOM is rather "twi...

Amm0

I have not tried this, but... You likely can do some warm/cold standby by copying the sqlite DB file and have matching config on both routers. But there is NO built-in "sync", so this be a manual/scripted processes to copy the DB file from one router to other. And, as noted above, you coul...

Amm0

The solved "closes" it. But if you don't mind, can you still post the output of: /interface/lte/show-capabilities [find] ...just to know what RouterOS thinks about this particular modem... I'm not sure what it report in the case of your ECM USB LTE modem "stick" ... so just good ...

Amm0

MikroTik is not big on the password confirmation anywhere, so be kinda strange if only backup confirmed the password. And not sure everyone want to be prompted all the time. Now... IMO there should be at least some "Show Password" option or 👓 icon in winbox/webfig to "see" the pa...

Amm0

IDK for sure but USB stick modem is likely in "ECM" mode, not MBIM modem. In ECM mode, compatibility to set APN stuff / get stats is limited to specific hardware – so APN setting may not be doing anything (as reported). ECM mode basically presents an ethernet interface, and in lot of cases...

Amm0

Or, plan C: forget PiHole/AdBlock Home/Blocky and delegate DNS-based ad blocking to an external service like NextDNS.

Or, plan R: give up on ARMv5 containers, and just use new AdList feature, if need is ad blocking.

Amm0

I think you're going to have to describe the topology a bit more and/or provide some config. i.e. how is the customer connected today or planned to be? But you're in "Option 2" from @StubArea51 Option 2. The ISP has a gateway inside the /28 they hand off to you. In this case, you have to t...

Amm0

Besides the ( BTW surely interesting and useful) discussione on the details of a VLAN and OSPF (complex) configuration ... I agree that VLAN and OSPF are, shall we say, nontrivial topics, I'm fortunate to have done both in a corporate setting. OSPF isn't as bad as eBGP, in my opinion. :) Another ea...

Amm0

Not sure it's your specific issue. But one thing you may want to check the logs about "MTU" after the modem starts up. Sometime the MTU needs to be set lower, and generally the carrier will report the MTU in logs. MikroTik just logs this, but you can use the value from logs, to set the MTU...

Amm0

Why not just improve docs?

No idea. Why I mention it. If docs are right, the script for video be easier...

Amm0

FWIW, MikroTik published a YouTube video that has at least has a few more details on "simple" queue towards end of video: https://youtu.be/wYg-9VCl3LM?t=927 If only they'd update docs when they do a video... For example, I thought the simple queue was still HTB internally, but video allude...

Amm0

Like this idea! I played with JS and blessed module before to do similar a "TUI" since for "status" things, GUI/web sometimes aren't as quick or information dense. This is especially true with RouterOS, since winbox/webfig/etc are NOT very helpful to get an overview of operationa...

Amm0

1. What is the purpose of this entry.......... /ip dhcp-server network add address =0.0.0.0/24 gateway =0.0.0.0 netmask=24 Likely, a side-effect QuickSet bug in older version (which you may have if you have a new unit, run QuickSet, THEN upgrade). But that causes all sorts of troubles. You should d...

Amm0

"netmap" is pretty useful trick in RouterOS. So that part make sense. Unrelated, but how did you discover this problem? I imagine getting the routing table form an iOS device was not trivial. I'm curious too on the use case... So you have a MikroTik on some car's "LAN", and want ...

Amm0

Part of the issue is the winbox protocol is not described/documented. So if some packet looks "different" than rest of sessions, it may drop session. And you got stuff like ARP and bond caches in between. Flip side is that packets should look same since it's going through the bond. But IDK...

Amm0

Nope. And it's annoying that you cannot separate that out. The Wi-Fi password is considered "sensitive" policy, so that means it can change ANY password beyond Wi-Fi PSK. And while you can restrict it SOMEWHAT using skins and customizing the policy to say only allow webfig for a user. But ...

Amm0

Also note, in the upcoming 7.19 release, there is newer feature that will show all open ports (similar to netstat) in /ip/services. This would help to identify WHICH process might be using something like 443 in future.

Amm0

There is setting to enable tls-1.2-only on the SSTP interface.

/interface/sstp-server/server/set tls-version=only-1.2

It's also in winbox, from PPP on left, then "SSTP Server" button, you'll see the same option.

Amm0

That's like "needle in the haystack" ... Is the winbox flowing over any of the bonded links? While winbox protocol should be fine with transmit-hash-policy=layer-3-and-4 (at least IMO)...it's also not hard imagine something could "go wrong" in hashing winbox traffic. And since w...

Amm0

It's programmable via scripting. So by default it does nothing.

See https://help.mikrotik.com/docs/spaces/R ... setbuttons

Amm0

With ADR, I believe that what will control what channels a sensor will use. You may want to verify the channel plan on backend aligns with RouterOS channels. I don't use LNS (just Semtech UDP), and in US band are different, so IDK for sure. What backend are you using? But if UDP mode works, and LNS ...

Amm0

There is more underneath (unsaid, don't ask) that makes it worth updating. I don't find mere alluding to some security issue as any safer or even helpful. They claim to practice responsible disclosure. If something needed, don't you think MikroTik should say that themselves? Maybe other people like...

Amm0

Doc says it's universal ... but doesn't seem to be that universal ... The docs say... your factory-firmware version is lower than 7.18.2 and your device displays the message → The "protected routerboot" feature requires a backup-routerboot upgrade ← when trying to enable the feature, do t...

Amm0

Yeah I don't use web UI directly, but we did use the "status" page so a customer can use webfig to see some basic stats via web. So in my case, I lost functionality, beyond just the WebFig4-everywhere look-and-feel.

Amm0

AFAIK, you can't. Unless you keep using an older version. And, you can add "No Status Screen" to the list of grips / MIA in new WebFig... I think they were trying to align WinBox4 UI with WebFig. Personally, I'd let the dust settle on WinBox4, and wait until V8 for changing the web UI...Mi...

Amm0

I'm still a bigger fan of an "official" language server provider (LSP), see https://microsoft.github.io/language-server-protocol/specifications/lsp/3.17/specification/. This would seem more doable, since an LSP is just another REST API...so the LSP could just be part of REST API with diffe...

Amm0

Either should work... It could be the password has characters that require escaping. try using quotes "" in the curl -u "user:password" ... (or url-encoding if using http://user:password@ scheme) SwOS has no default gateway, so you have to be on same LAN segment for it to work, i...

Amm0

Lack of responses makes me uneasy Does no one have both GUA and ULA on the same link?

LOL, you're normally the one with IPv6 answers...

You seem to allow ICMP in firewall, which would have been my guess. Is it getting any hits in counter?

Amm0

The "sandwich" in upper-right "..." has a "Page History" for any page in help.mikrotik.com. Diff can be seen there:
https://help.mikrotik.com/docs/pages/vi ... Id=8323208

Amm0

Curiosity of the day:
The netwatch help page has been changed/edited yesterday,

I filed a report about the docs. MT fixed the description of the thr- params...but yeah they forgot the ICMP probe stats (which have been wrong for a while). It's still open.

Amm0

Given what you have, and you know how to setup links and switch... And your "neighbor customers" don't have demanding needs.... The easiest way is put the customer LHG into "CPE Router" in QuickSet (see https://help.mikrotik.com/docs/spaces/ROS/pages/167706788/Default+configurati...

Amm0

*) route - added options to set dynamic-in and connected-in chains in /routing/settings; FWIW, these are not in the docs yet (or at least I cannot find them): /routing/settings/set <tab> connected-in-chain dynamic-in-chain single-process The "dynamic-in-chain" works fine, but none of the ...

Amm0

Also, what may be happening... is netwatch will not "get" a threshold value if it is still default value / left unset. (More specifically, the value return of the get will be type "nil", and NOT the default value).

Amm0

@Amm0 so you automatically give for reknown basic things that a beginner needs to learn My point is if you understand the problem, you MAY be able to avoid script. If goal is to JUST "tweak a netwatch", then to output current values (rtt- loss- etc) AND configured "threshold", t...

Amm0

I think it might be easier to just add the AAAA records, perhaps using mapped prefix ::FFFF: like ::FFFF:192.168.88.1 as the address (match to the A). This would return a valid address (from pure IPv6 point of view) to the device, which then might try to use it. [...] You're probably right. I was t...

Amm0

Didn't we already have this discussion about the same script? See https://forum.mikrotik.com/viewtopic.php?t=216444 It's a different problem. Anyway, jaclaz has more patience than I. If we knew what the desired output and preferred scheme, it be easier to help. And, my understanding is that only th...

Amm0

So if you put the WAN interface into the bridge also, with I think the same firewall rules, would it not be faster? [...] The way it's configured in the examples is it not the case that all packets between the bridged VLANs and the WAN have to be handled by the CPU at L3 where if that port (or VLAN...

Amm0

Didn't we already have this discussion about the same script? See https://forum.mikrotik.com/viewtopic.php?t=216444 It's not helpful to start again, since context is lost. Discussed in that thread is there is no need for :local variables in the first place! When a /system/script is called as action ...

Amm0

*) dhcpv4/v6-client - added check-gateway parameter;

Using WInBox4, the DHCP client "check-gateway" option is a static control, but should be drop-down.

Amm0

I did see something odd in a YouTube video. With Winbox - In the bridge section. Double click the bridge then click the ports tab, I see the interfaces with the PVID. The video showed manually putting the ether# on each vlan in the vlan tab (in the tagged untagged section). I did not do this and it...

Amm0

I think it might be easier to just add the AAAA records, perhaps using mapped prefix ::FFFF: like ::FFFF:192.168.88.1 as the address (match to the A). And a script/scheduler to keep them updated from A record if desired. Or perhaps just use NextDNS for all static records, and just let MikroTik resol...

Amm0

So, provided that the way I understood the mechanism is correct :? , it seems to me that: interval should be as low as possible (with some common sense, the default 10s seems too little, I would settle for 60 seconds or 1 minute) Well, I'd say that setting interval= is more about often you want any...

Amm0

Regardless about thoughts on AI... you haven't stated the problem you're having. That's the issue! ChatGPT analysis is also FURTHER WRONG about using 0.0.0.0-0.0.0.0 range. ONE client will get a 0.0.0.0 address, since pool in inclusive. So if the goal was ALWAYS RADIUS, then 0.0.0.0-0.0.0.0 isn't th...

Amm0

[...] the only way to know for sure if a particular box would do the job is to buy it and put a hypervisor on it and test with CHR (or x86 ISO as a VM) and PCI passthrough. If all ports are passed through and show up in the VM, then it should support everything natively. [...] Wouldn't it be easier...

Amm0

If only something like a hAP ax2 LTE6 kit existed. Well, they do make the hAP ax lite with CAT6 modem, internal antennas, 5 4 ports, and small. https://mikrotik.com/product/hap_ax_lite_lte6 If you need it as a main router with LTE backup... now the hAPaxLite-LTE6 might be a little unpowered dependi...

Amm0

I'm not sure exactly what you're trying to do since you mention fiber and LTE. For LTE, if you want the modem to go DIRECTLY to a port (thus not routed or available to the MikroTIk), you can use "passthrough". See docs: https://help.mikrotik.com/docs/spaces/ROS/pages/30146563/LTE#LTE-Passt...

Amm0

I face the same problem with a RB1100AHx4. Probably not. /container is just picky on config, so it can be a lot of things. Plus, fixes/changes get added by version. I have tried all the above and still the same problem mentioned at the top of this thread. Any clues anyone? Post what YOU tried, your...

Amm0

I would normally use static-only selection in corresponding vlan dhcp server setting but chapgpt insist [ ... ]. Any insight is much appreciated. So you knew the answer: use "static-only" to skip using a pool.... Was there an actual problem that lead you search an LLM for some answer? I'm...

Amm0

Maybe @jaclaz can share the spreadsheet, that might be easier to see what going on. Or you can use /tool/torch or /ip/firewall/connections to see the effects. packet-interval is often each icmp packet is sent within the interval. So one packet goes out when netwatch starts, then after packet-interva...

Amm0

/tool netwatch add comment=Netwatch-192.168.2.2 disabled=no down-script=Netwatch-details host=192.168.2.2 http-codes="" interval=2m name=Netwatch-192.168.2.2 packet-count=400 packet-interval=200ms test-script="" thr-avg=\ 400ms thr-loss-percent=95% type=icmp up-script=Netwatch-d...

Amm0

Converting @jaclaz calcs.... you're running 3⅓ pings every second... Assuming you the path is over fiber/cable with decent speed, I don't think it matters much – it's still not a lot of data even at 3⅓ pings/sec. But does seem high frequency. If it's working, I'd leave... or perhaps copy @jaclaz's s...

Amm0

I had case where file was corrupted in mount dir, because service was writing some file in it. So if such files are not recreated there, issue can still persist if is such case. Fair enough. More saying it's a 50/50% shot it the root-dir (*perhaps higher since there are more files) & if root-di...

Amm0

Can you see the files in the mount? ... If so, you should be able to just delete the container - not the mount. And create a new one, using same VETH and mount as before. In fact, if "copy" before deleting, you'll have all the setting to re-create it (perhaps needing to specify the tag). W...

Amm0

The only issue I'm facing now (somewhat related to the original one) is that when I get home, BTH doesn't detect that and stays connected and the connection is unusable until I manually disconnect. I'll mess around with Tasker to see if I can do something about it. On the router, it does take it a ...

Amm0

BUT your issue is DELETE does not take a body ... Well, I'm half wrong. According to RFC specs for HTTP, DELETE with a message body is just discouraged and undefined – so my "does not" is wrong. But seems MikroTik is also under the same WRONG assumption that a message body is not allowed ...

Amm0

No one has "proof" of anything. Just arguing about nothing.

MikroTik hopeful will expand there "Test Results" to include VPNs. Lot of conjecture everywhere, and no controlled apples-to-apples tests anywhere.

Amm0

The wAP generally do pretty well - obviously they need to be vertical and screwed on tight etc. And using some silicone can help further seal it.

Amm0

Error 400 for /tool fetch That does suggest it's the payload. You can enabling logging in /system/logging, which will output the generated header etc to logs: /system/logging/add action=memory topics=fetch and then compare those with working curl if you add a "-v" for verbose logs ... (an...

Amm0

What error code are you getting?

Amm0

And, "({\"items\": [{\"id\": \"$id\"}]})" like be "{\"items\": [{\"id\": \"$id\"}]}" without parentheses or perhaps just, since items is in URL, it shouldn't need items in body, but IDK the CF API... "[{\"id\&q...

Amm0

And,
http-header-field=("Content-Type: application/json","Authorization: Bearer apiToken")
should be:
http-header-field=("Content-Type: application/json","Authorization: Bearer $apiToken")

[and maybe another cut-and-paste error, just saying]

Amm0

Your URL has spaces in it: https://api.cloudflare.com/client/v4/accounts/ $accountId/rules/lists/$listId /items so might want to try: https://api.cloudflare.com/client/v4/accounts/$accountId/rules/lists/$listId/items Now, according the HTTP 1.1 spec, I pretty sure a body is allowed with a DELETE, li...

Amm0

The variable names match winbox, except the name is all lowercase, and any spaces become a dash (-): netwatch-icmp-variables.png As noted, both here and docs, if it contains a - (or space as shown in winbox), then you need to use $"first-second" in any scripts. Is there some terminology so...

Amm0

It's just $"loss-percent", $"thr-loss-percent" defines where the $"loss-percent" fails. These variables already pre-defined in the down/up-script= so they do not have to be declared or "get"

Amm0

Why are you dropping related connections as the first action? /ip firewall filter add action=drop chain=forward comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked disabled=yes in-interface-list=WAN protocol=\ icmp - nevermind, it's d...

Amm0

Amm0, with all due respect :) , you need to use more linear English if you want to explain something (or maybe you also got the Latvian virus that make affected people use excessively periphrasis or double negations? :shock: ). LOL. Perhaps. I'm waiting for Apple Intelligence to do proofreading in ...

Amm0

Might want to try output=none

I'm not sure why that's getting an error. But the RAM FAILED issue is odd and never seen.

Amm0

I have a website that converts a curl command (at least most of them & also limited to what fetch can do) Click the "curl2rsc" link on https://tikoci.github.io/restraml You can past in the `curl` command and pick a "format" (i.e. to variable or to screen etc). It sometimes ta...

Amm0

The tricky ones are (IMHO) the "statistic" ones, avg and stdev, particularly the latter. I believe that the real world behaviour for these might be influenced by the sheer number of pings performed, i.e. by packet-count, a higher number of pings per run should "flatten" the stat...

Amm0

The way I read the docs, it is a "or", i.e. there are 6 different thresholds: thr-max (Default: 1s) Fail threshold for round trip time-max (a value above thr-max is a probe fail) thr-avg (Default: 100ms) Fail threshold for round trip time-avg thr-stdev (Default: 250ms) Fail threshold for ...

Amm0

What version of RouterOS are you using? If it's V7... (if not, redirect is only only in very new V7) you likely don't want to set mode= nor src-address=. Also you can can use user="" password="" instead of setting the header with auth string You can also enabling logging in /syst...

Amm0

Please share the R11e-LTE-US files so I can install them on my LTE module.

You need to get them from MikroTik as they cannot be posted publicly. Email support at support@mikrotik.com for the files, which will have the instructions since it rather complex operation.

Amm0

LOL, almost same answer.

Amm0

The "D" part is important in first column..., that mean "dynamic" config. That means it was added by RouterOS, so the way to remove a "D" item is from the source that created it. So the item you're trying to remove looks like a "connected route" (see MikroTik ...

Search found 5634 matches