MikroTik

Amm0

In order to download the eSIM to the physical card I had to connect the router with cable internet This is a good point — it does need internet first to reach the MNO's server to activate. Docs do say that in roundabout way - that might be missed in testing: connectivity to eSIM SIM profile provide...

Amm0

A DNS resolution will get caught if you use /tool/fetch or :resolve. Either using do/on-error=, or newer "onerror/in=/do=". However /tool/e-mail is "more asynchronous", so I think, it gets queued like most MTAs... so any error in SMTP protocol happens after the command returns. T...

Amm0

@Amm0 Many times I considered developing an LSP, I wish Mikrotik funded open source projects… All roads to an LSP involve some form of schema (whether BNF, OpenAPI, etc), which is lacking. I thought before "/console/inspect request=completion" could be used as part of an LSP, but then the...

Amm0

"replace TAB characters with spaces when editing scripts" [...] Please return it back! I mean, TAB character should NOT be replaced, and tab-width parameter should only be used to correctly display TAB character in WinBox or console. Doesn't it bother anyone who work with scripts? I'm not...

Amm0

Yup, I keep thinking this is going to be fixed too. It is annoying that "copy" does not remember the remote-image= (and few others too). And, the CLI is similar broken for "export" where remote-image= is missing there too. I have an open bug (SUP-128652) since 2023 on the CLI par...

Amm0

The sysmocom EUICC1-C2G works flawlessly with my SXT LTE! Of course no output for /interfaces/lte/esim print But that my request! i.e. /interface/lte/esim/provision to work on wAPacR/SXT-R/SXT-LTE6-US/AudienceLTE6-US/LtAP/LtAPmini/RB593/RBM33/L23UGSR/RB911/RB923/ChateauLTE6-US/ChateauLTE6-US/KNOT/e...

Amm0

For context, @Larsa has documented the overall manual process of eSIM activations: Get the eSIM SM-DP+ address and activation code (or QR code) from your mobile operator. Log in to your MikroTik router via WebFig or WinBox. Go to Interfaces > LTE > eSIM Management. Add new eSIM profile and enter the...

Amm0

And it can be related to this https://forum.mikrotik.com/viewtopic.php?t=217111 :) The last thing that helps OP's cause is cross-posting, which is not allowed on the forum. I'd recommend you file as a Feature Request at help.mikrotik.com - to which MikroTik likely say some form of: "thanks ......

Amm0

The idea is there should be SOME "physical eSIM" that works with RouterOS's /interface/lte/esim/provision commands . While there are solutions that use their OWN apps/tools to program an eSIM, the issue is if eSIM Profile needs to change... If RouterOS commands don't work with the physical...

Amm0

@john231: Is there a guide somewhere else? It only talks about the new connectivity app. No explanation on how to use another ISP besides Mikrotik... This how you activiate your own: Get the eSIM SM-DP+ address and activation code (or QR code) from your mobile operator. Log in to your MikroTik rout...

Amm0

MT marketing has reached a low point. This is stated for the HEXs : "Connect your PC over 2.5G, then bond two 1G ports to your NAS" I think Synology and SNAP support LCAP, so MikroTik may not be wrong. But issue is if you say stuff like that you have some article/doc/etc that describes how.

Amm0

Can't you change the "coordinate-format" to use "dms"? i.e. /system/gps/set coordinate-format=dms which would get you degrees, minutes, seconds. May still require some parsing for your needs... but avoid floating point math (which is not possible). Or there is "coordinate-fo...

Amm0

I'm not sure criticality, or need, myself... it's a "/system/schedule add ..." with one extra line in script to "/system/schedule/remove [find name=run-after-reboot]", as noted. But the concept does exist with a FILE named *.auto.rsc , see https://help.mikrotik.com/docs/spaces/RO...

Amm0

FWIW, MikroTik did a decent video explainer about QoS in 2025:
https://tiktube.com/w/7PBqw2rJ933B1q98tK21rL

May have some background on the examples shown here.

Amm0

Somebody was too chatty with it, it went over the limits.

It wasn't me.

I'm not sure it's actually all that useful FWIW & does clutter the help.mikrotik.com page since it shows opened hiding the link to support cases.

Amm0

There have been a few thread about newer eSIM support, all good number of "view counts": Guide: How to activate eSIM from any mobile operator on your Mikrotik router Which modems support eSIM esim in 7.18rc MikroTik has suggested the newer 5G/LTE devices will come with eSIM hardware built-...

Amm0

The scheduler, script and on-event script are present on supout? If yes: Except what is stored inside script, ANY script, on any position. Good point. FWIW, there is the "supout.rif Viewer" section on https://mikrotik.com/client/supout (under Account, after login in free account), which s...

Amm0

@Amm0, please get in touch with us and send supout.rif file.

Filed as SUP-189565

Amm0

Try our own AI bot. It's not very good at scripting, because RouterOS is not as popular as generic programming languages, but it's still pretty good if you can do your own sanity checks, and if you are able to formulate the problem in full sentences with a lot of details: https://mikrotik.com/suppo...

Amm0

*) container - allow to use multiple veths in a container, change the in container interface name to same as in RouterOS; Finally I will be able to move Homebridge to ax^3. I didn't have good luck on this multiple veths to homebridge however... Now did get to see what these look like: *) container ...

Amm0

@MT Openflow seems to work with faucet at first try the question is how does hardware offload came into play? since the ports is being handled now in the openflow->ports not in the bridge could you please give clarity on this please? I'm curious too... Running some tests with faucet on RB1100AHx4.....

Amm0

Connecting from MacOS to a defaulted Mikrotik using L2 still doesn't work in beta 21. ERR: Could not connect, MacConnection syn timeout Do you have multiple interface running on Mac? i.e. Wi-Fi and Ethernet I have sometime seen issue where that caused some issue with MAC winbox. So if that's the ca...

Amm0

*) container - added option to execute commands inside a container using "/container/shell cmd= user="; *) system - added support for OpenFlow 1.3 (new package "openflow" available); OpenFlow seems to work with Faucet as a /container. Good work. But the scripting around /contain...

Amm0

*) ip - added socksify feature and new NAT action "socksify"; Is there documentation? While there should be. You can almost guess... /interface/list add name=REQUIRE_PROXY /interface/list/member add list=REQUIRE_PROXY interface=<what-interface-to-force-sock-proxy> /ip/firewall/nat/add act...

Amm0

Nope. It requires "winbox" and at least "read". Now agree more fine-grain control of users/policy has been sorely lacking in RouterOS (and Dude)...

But I'm not sure this is specific to V7 per se, since I think this changed with newer auth scheme at some point in V6's lifecycle.

Amm0

And I recall 7.19.0 had some bug with Dude, so good you upgraded. But package version do have to match exactly... but the "extra package selector" is new 7.19 - but that align extra-package automatically in future.

Amm0

Additional evergreen (beside of memory leak), ROM space shortage on 16MB hAP ac^2 with wifi-qcom-ac. It is quite obvious - RouterOS 7.20 for ARM is roughly 100kB bigger than RouterOS 7.19. Netinstall procedure has been applied with manual configuration. Come on, buy a decent newer router already. F...

Amm0

You can go to System > Packages, use "Check for Updates", the check the "dude" package, hit "Apply". That will install the right dude for your system - but this will only work in 7.19+. If you're out of disk space, that could be a problem. But I'd try above, then check ...

Amm0

Yup no PCC is applied to last one... so rule just assigns a connmark (and routing-mark) since it "escaped" PCC. PCC at end of day is just a "matching rule", but it does not take action itself (i.e. you still need some action=).

Amm0

Lots of good changes in container! On these specifically... *) container - added option to execute commands inside a container using "/container/shell cmd= user="; I tried this out, works! But... few minor issues with it... - should be some timeout= on it (or something)... since if the com...

Amm0

Didnt help understand your shortcut technique :-( It's like using a DROP rule at the end of fw filter to capture "everything else" – except in reverse. Each rule in firewall has a small CPU cost, so if you can reduce PCC rules, you improve latency. So theory be you have the SMALL sized PC...

Amm0

Well, definitely /tool/sms needs improvements viewtopic.php?t=191963

It's a router, so "notifications" are rather useful... so it should ideally be simple to use SMS

Amm0

If need is "cold standby"... having an identical unit, and use the .backup file to restore is pretty straightfoward. Obviously only ONE router can be online at same time when using .backup file, and may require cable swap (or VLAN re-assigment, etc) in the disaster scenario. Alternatively,...

Amm0

sms-protocol property on LTE interface is not related to at-chat and possible sending SMS with AT commends over it, it's for /tool/sms functionallity. Yup. But log would show the specific AT command for the SMS sending - so might be able to "see" what command RouterOS. But the underlying ...

Amm0

I just don't get the level of vitriol - especially with the return of "dialog tabs" on top... I got my quibbles – some of which were fixed – but overall WinBox4 is coming out good - I use it everyday without any "real" issues. And "wine" had way more legibility issues t...

Amm0

FWIW, I wasn't saying "impossible", just complex/difficult/etc. I cannot recall the specific, but there have been past thread on using AT to generating SMS. But if only problem is SIM card memory gets filled up with saved messages... one scripted delete message AT seems WAY easier. Now if ...

Amm0

I think the initial decision to add/remove scheduled entries on per user session basis is kinda wonky. I'm just thinking some :for loop in ONE schedule script that [find]'s the particular users to cleanup would be a better approach, than re-calculating the schedule time and incurring all the config ...

Amm0

So I understand that it is actually impossible to send SMS via AT-CHAT on Mikrotik because normally sending messages via AT requires interactive prompt while you are entering the message. Mikrotik command shell seems not to be able to allow for that, hence commands documented in Quectel manual fail...

Amm0

@MikroTik, perhaps y'all can formally clarify how long WinBox3 will be supported? There has just a lot of commentary, both here and release threads, worrying about when winbox3 will stop working: Winbox 4 is not forced yet , v7.21 is alpha and should be treated as such. There, I fixed it for you. I ...

Amm0

Having a look at ECMP: / ip route add dst-address=0.0.0.0/0 gateway=10.1.50.2,10.6.6.10,10.6.6.10,10.6.6.10,10.1.50.2 check-gateway=ping Link: https://wiki.mikrotik.com/ECMP_load_balancing_with_masquerade FWIW, in RouterOS v7, the routing engine for ECMP does not store duplicate routes like V6... s...

Amm0

My quick take is you may be over-focused on the PCC part... While that may be involved, I'm not sure that's the entire story. VoIP/realtime AV (i.e. "Microsoft teams") is way more sensitive to latency/packet loss/etc than "normal" web traffic. Are you using any queuing mechanism?...

Amm0

until I put proxy-arp on the "main" outbound interface... apparently it's not needed on the other firewall link.. Yup, that's expected. Your ISP has their subnet set to /28, so it will use ARP to find any of your devices, but the customer-router isn't "discoverable" via ARP sinc...

Amm0

FWIW, with RouterOS 7.19... there is now an option in /ip/dhcp-client to set "Gateway Ping" discussed above (i.e. check-gateway=ping) DIRECTLY on the dhcp-client so it's automatic – this avoids needing a custom script on the DHCP client per WAN & makes this part simpler. And, there is ...

Amm0

It would also be productive, I think, for them to publish a formal OpenAPI spec for the HTTP API. It wouldn't be too hard to create a syntax def from that, I would think since: [...] Third-party schema is downloadable here: https://tikoci.github.io/restraml/#Schema+Downloads As an experiment, I tri...

Amm0

What is this funny business with the webfig mikrotik_logo.svg? LOL. I've noticed that too, I wasn't sure if it was just rendering... But logo SVG looks like an export, it just a long path. From my Latvian history lessons (https://youtu.be/rgo7pKDb4c8?si=C5lOGmupBHoZGaUL&t=532), it's not the &qu...

Amm0

While I like that ESC will close a dialog box... it should NOT close it if the dialog form is DIRTY (fields modified), i.e. should prompt to Apply+Close, Ignore Changes, or Edit if you CHANGED a field.

Amm0

Could we get more information and examples on this new check gateway feature? What happens if it cannot reach the gateway? When the DHCP client adds default route provided by server, it will add the check-gateway=<value-from-dhcp-client-config> to the dynamically add /ip/route dst-address=0.0.0.0/0...

Amm0

I don't think that there is that much choice, when the eSIM support was announced: [...] to which you can add 9esim Has anyone tried: https://www.1nce.com as the eUICC on physical SIM? There "freedom-to-switch" implies it has the eUICC bits, which may work with RouterOS eSIM commands – bu...

Amm0

To be honest I still do not fully understand why Proxy-ARP should be required...

Have you tired to ping the customer-side IP from outside your network (i.e. the internet)?

Amm0

Friends, I have realized that the problem is when the LIMIT-UPTIME is 1d 00:00:00, how can I convert it into a date and time? Thank you for your help Assuming you're talking about a recent V7, state-date= allows a time type (which limit-update is), so you can just add your $limitUpdate to value of ...

Amm0

I don't know the internal logic. But there is not a way to "force" it AFAIK. @normis, perhaps you can explain how the detection works since the part is still mysterious (well, undocumented)... I'd check /ip/cloud for DDNS, i.e. does it show "router is behind a NAT"? That uses som...

Amm0

At a high level, you should just need to look at "/interface/wireguard/print detail" and see what port is used by the BTH WG interface & then port forward that in pfSense. If pfSense failover, BTH should figure out the failover after ~1 minute (time may vary since it tied to DDNS updat...

Amm0

not sure why , but for me: *) reintroduce tab support in the top menu of forms, with the ability to open multiple tabs using Shift + left-click. does not work at all. Can anyone describe more? I couldn't get that work either (tested macOS). Also, the ⌘/Meta+Scroll Wheel for ZOOM is rather "twi...

Amm0

I have not tried this, but... You likely can do some warm/cold standby by copying the sqlite DB file and have matching config on both routers. But there is NO built-in "sync", so this be a manual/scripted processes to copy the DB file from one router to other. And, as noted above, you coul...

Amm0

The solved "closes" it. But if you don't mind, can you still post the output of: /interface/lte/show-capabilities [find] ...just to know what RouterOS thinks about this particular modem... I'm not sure what it report in the case of your ECM USB LTE modem "stick" ... so just good ...

Amm0

MikroTik is not big on the password confirmation anywhere, so be kinda strange if only backup confirmed the password. And not sure everyone want to be prompted all the time. Now... IMO there should be at least some "Show Password" option or 👓 icon in winbox/webfig to "see" the pa...

Amm0

IDK for sure but USB stick modem is likely in "ECM" mode, not MBIM modem. In ECM mode, compatibility to set APN stuff / get stats is limited to specific hardware – so APN setting may not be doing anything (as reported). ECM mode basically presents an ethernet interface, and in lot of cases...

Amm0

Or, plan C: forget PiHole/AdBlock Home/Blocky and delegate DNS-based ad blocking to an external service like NextDNS.

Or, plan R: give up on ARMv5 containers, and just use new AdList feature, if need is ad blocking.

Amm0

I think you're going to have to describe the topology a bit more and/or provide some config. i.e. how is the customer connected today or planned to be? But you're in "Option 2" from @StubArea51 Option 2. The ISP has a gateway inside the /28 they hand off to you. In this case, you have to t...

Amm0

Besides the ( BTW surely interesting and useful) discussione on the details of a VLAN and OSPF (complex) configuration ... I agree that VLAN and OSPF are, shall we say, nontrivial topics, I'm fortunate to have done both in a corporate setting. OSPF isn't as bad as eBGP, in my opinion. :) Another ea...

Amm0

Not sure it's your specific issue. But one thing you may want to check the logs about "MTU" after the modem starts up. Sometime the MTU needs to be set lower, and generally the carrier will report the MTU in logs. MikroTik just logs this, but you can use the value from logs, to set the MTU...

Amm0

Why not just improve docs?

No idea. Why I mention it. If docs are right, the script for video be easier...

Amm0

FWIW, MikroTik published a YouTube video that has at least has a few more details on "simple" queue towards end of video: https://youtu.be/wYg-9VCl3LM?t=927 If only they'd update docs when they do a video... For example, I thought the simple queue was still HTB internally, but video allude...

Amm0

Like this idea! I played with JS and blessed module before to do similar a "TUI" since for "status" things, GUI/web sometimes aren't as quick or information dense. This is especially true with RouterOS, since winbox/webfig/etc are NOT very helpful to get an overview of operationa...

Amm0

1. What is the purpose of this entry.......... /ip dhcp-server network add address =0.0.0.0/24 gateway =0.0.0.0 netmask=24 Likely, a side-effect QuickSet bug in older version (which you may have if you have a new unit, run QuickSet, THEN upgrade). But that causes all sorts of troubles. You should d...

Amm0

"netmap" is pretty useful trick in RouterOS. So that part make sense. Unrelated, but how did you discover this problem? I imagine getting the routing table form an iOS device was not trivial. I'm curious too on the use case... So you have a MikroTik on some car's "LAN", and want ...

Amm0

Part of the issue is the winbox protocol is not described/documented. So if some packet looks "different" than rest of sessions, it may drop session. And you got stuff like ARP and bond caches in between. Flip side is that packets should look same since it's going through the bond. But IDK...

Amm0

Nope. And it's annoying that you cannot separate that out. The Wi-Fi password is considered "sensitive" policy, so that means it can change ANY password beyond Wi-Fi PSK. And while you can restrict it SOMEWHAT using skins and customizing the policy to say only allow webfig for a user. But ...

Amm0

Also note, in the upcoming 7.19 release, there is newer feature that will show all open ports (similar to netstat) in /ip/services. This would help to identify WHICH process might be using something like 443 in future.

Amm0

There is setting to enable tls-1.2-only on the SSTP interface.

/interface/sstp-server/server/set tls-version=only-1.2

It's also in winbox, from PPP on left, then "SSTP Server" button, you'll see the same option.

Amm0

That's like "needle in the haystack" ... Is the winbox flowing over any of the bonded links? While winbox protocol should be fine with transmit-hash-policy=layer-3-and-4 (at least IMO)...it's also not hard imagine something could "go wrong" in hashing winbox traffic. And since w...

Amm0

It's programmable via scripting. So by default it does nothing.

See https://help.mikrotik.com/docs/spaces/R ... setbuttons

Amm0

With ADR, I believe that what will control what channels a sensor will use. You may want to verify the channel plan on backend aligns with RouterOS channels. I don't use LNS (just Semtech UDP), and in US band are different, so IDK for sure. What backend are you using? But if UDP mode works, and LNS ...

Amm0

There is more underneath (unsaid, don't ask) that makes it worth updating. I don't find mere alluding to some security issue as any safer or even helpful. They claim to practice responsible disclosure. If something needed, don't you think MikroTik should say that themselves? Maybe other people like...

Amm0

Doc says it's universal ... but doesn't seem to be that universal ... The docs say... your factory-firmware version is lower than 7.18.2 and your device displays the message → The "protected routerboot" feature requires a backup-routerboot upgrade ← when trying to enable the feature, do t...

Amm0

Yeah I don't use web UI directly, but we did use the "status" page so a customer can use webfig to see some basic stats via web. So in my case, I lost functionality, beyond just the WebFig4-everywhere look-and-feel.

Amm0

AFAIK, you can't. Unless you keep using an older version. And, you can add "No Status Screen" to the list of grips / MIA in new WebFig... I think they were trying to align WinBox4 UI with WebFig. Personally, I'd let the dust settle on WinBox4, and wait until V8 for changing the web UI...Mi...

Amm0

I'm still a bigger fan of an "official" language server provider (LSP), see https://microsoft.github.io/language-server-protocol/specifications/lsp/3.17/specification/. This would seem more doable, since an LSP is just another REST API...so the LSP could just be part of REST API with diffe...

Amm0

Either should work... It could be the password has characters that require escaping. try using quotes "" in the curl -u "user:password" ... (or url-encoding if using http://user:password@ scheme) SwOS has no default gateway, so you have to be on same LAN segment for it to work, i...

Amm0

Lack of responses makes me uneasy Does no one have both GUA and ULA on the same link?

LOL, you're normally the one with IPv6 answers...

You seem to allow ICMP in firewall, which would have been my guess. Is it getting any hits in counter?

Amm0

The "sandwich" in upper-right "..." has a "Page History" for any page in help.mikrotik.com. Diff can be seen there:
https://help.mikrotik.com/docs/pages/vi ... Id=8323208

Amm0

Curiosity of the day:
The netwatch help page has been changed/edited yesterday,

I filed a report about the docs. MT fixed the description of the thr- params...but yeah they forgot the ICMP probe stats (which have been wrong for a while). It's still open.

Amm0

Given what you have, and you know how to setup links and switch... And your "neighbor customers" don't have demanding needs.... The easiest way is put the customer LHG into "CPE Router" in QuickSet (see https://help.mikrotik.com/docs/spaces/ROS/pages/167706788/Default+configurati...

Amm0

*) route - added options to set dynamic-in and connected-in chains in /routing/settings; FWIW, these are not in the docs yet (or at least I cannot find them): /routing/settings/set <tab> connected-in-chain dynamic-in-chain single-process The "dynamic-in-chain" works fine, but none of the ...

Amm0

Also, what may be happening... is netwatch will not "get" a threshold value if it is still default value / left unset. (More specifically, the value return of the get will be type "nil", and NOT the default value).

Amm0

@Amm0 so you automatically give for reknown basic things that a beginner needs to learn My point is if you understand the problem, you MAY be able to avoid script. If goal is to JUST "tweak a netwatch", then to output current values (rtt- loss- etc) AND configured "threshold", t...

Amm0

I think it might be easier to just add the AAAA records, perhaps using mapped prefix ::FFFF: like ::FFFF:192.168.88.1 as the address (match to the A). This would return a valid address (from pure IPv6 point of view) to the device, which then might try to use it. [...] You're probably right. I was t...

Amm0

Didn't we already have this discussion about the same script? See https://forum.mikrotik.com/viewtopic.php?t=216444 It's a different problem. Anyway, jaclaz has more patience than I. If we knew what the desired output and preferred scheme, it be easier to help. And, my understanding is that only th...

Amm0

So if you put the WAN interface into the bridge also, with I think the same firewall rules, would it not be faster? [...] The way it's configured in the examples is it not the case that all packets between the bridged VLANs and the WAN have to be handled by the CPU at L3 where if that port (or VLAN...

Amm0

Didn't we already have this discussion about the same script? See https://forum.mikrotik.com/viewtopic.php?t=216444 It's not helpful to start again, since context is lost. Discussed in that thread is there is no need for :local variables in the first place! When a /system/script is called as action ...

Amm0

*) dhcpv4/v6-client - added check-gateway parameter;

Using WInBox4, the DHCP client "check-gateway" option is a static control, but should be drop-down.

Amm0

I did see something odd in a YouTube video. With Winbox - In the bridge section. Double click the bridge then click the ports tab, I see the interfaces with the PVID. The video showed manually putting the ether# on each vlan in the vlan tab (in the tagged untagged section). I did not do this and it...

Amm0

I think it might be easier to just add the AAAA records, perhaps using mapped prefix ::FFFF: like ::FFFF:192.168.88.1 as the address (match to the A). And a script/scheduler to keep them updated from A record if desired. Or perhaps just use NextDNS for all static records, and just let MikroTik resol...

Amm0

So, provided that the way I understood the mechanism is correct :? , it seems to me that: interval should be as low as possible (with some common sense, the default 10s seems too little, I would settle for 60 seconds or 1 minute) Well, I'd say that setting interval= is more about often you want any...

Amm0

Regardless about thoughts on AI... you haven't stated the problem you're having. That's the issue! ChatGPT analysis is also FURTHER WRONG about using 0.0.0.0-0.0.0.0 range. ONE client will get a 0.0.0.0 address, since pool in inclusive. So if the goal was ALWAYS RADIUS, then 0.0.0.0-0.0.0.0 isn't th...

Amm0

[...] the only way to know for sure if a particular box would do the job is to buy it and put a hypervisor on it and test with CHR (or x86 ISO as a VM) and PCI passthrough. If all ports are passed through and show up in the VM, then it should support everything natively. [...] Wouldn't it be easier...

Amm0

If only something like a hAP ax2 LTE6 kit existed. Well, they do make the hAP ax lite with CAT6 modem, internal antennas, 5 4 ports, and small. https://mikrotik.com/product/hap_ax_lite_lte6 If you need it as a main router with LTE backup... now the hAPaxLite-LTE6 might be a little unpowered dependi...

Amm0

I'm not sure exactly what you're trying to do since you mention fiber and LTE. For LTE, if you want the modem to go DIRECTLY to a port (thus not routed or available to the MikroTIk), you can use "passthrough". See docs: https://help.mikrotik.com/docs/spaces/ROS/pages/30146563/LTE#LTE-Passt...

Amm0

I face the same problem with a RB1100AHx4. Probably not. /container is just picky on config, so it can be a lot of things. Plus, fixes/changes get added by version. I have tried all the above and still the same problem mentioned at the top of this thread. Any clues anyone? Post what YOU tried, your...

Amm0

I would normally use static-only selection in corresponding vlan dhcp server setting but chapgpt insist [ ... ]. Any insight is much appreciated. So you knew the answer: use "static-only" to skip using a pool.... Was there an actual problem that lead you search an LLM for some answer? I'm...

Amm0

Maybe @jaclaz can share the spreadsheet, that might be easier to see what going on. Or you can use /tool/torch or /ip/firewall/connections to see the effects. packet-interval is often each icmp packet is sent within the interval. So one packet goes out when netwatch starts, then after packet-interva...

Amm0

/tool netwatch add comment=Netwatch-192.168.2.2 disabled=no down-script=Netwatch-details host=192.168.2.2 http-codes="" interval=2m name=Netwatch-192.168.2.2 packet-count=400 packet-interval=200ms test-script="" thr-avg=\ 400ms thr-loss-percent=95% type=icmp up-script=Netwatch-d...

Amm0

Converting @jaclaz calcs.... you're running 3⅓ pings every second... Assuming you the path is over fiber/cable with decent speed, I don't think it matters much – it's still not a lot of data even at 3⅓ pings/sec. But does seem high frequency. If it's working, I'd leave... or perhaps copy @jaclaz's s...

Amm0

I had case where file was corrupted in mount dir, because service was writing some file in it. So if such files are not recreated there, issue can still persist if is such case. Fair enough. More saying it's a 50/50% shot it the root-dir (*perhaps higher since there are more files) & if root-di...

Amm0

Can you see the files in the mount? ... If so, you should be able to just delete the container - not the mount. And create a new one, using same VETH and mount as before. In fact, if "copy" before deleting, you'll have all the setting to re-create it (perhaps needing to specify the tag). W...

Amm0

The only issue I'm facing now (somewhat related to the original one) is that when I get home, BTH doesn't detect that and stays connected and the connection is unusable until I manually disconnect. I'll mess around with Tasker to see if I can do something about it. On the router, it does take it a ...

Amm0

BUT your issue is DELETE does not take a body ... Well, I'm half wrong. According to RFC specs for HTTP, DELETE with a message body is just discouraged and undefined – so my "does not" is wrong. But seems MikroTik is also under the same WRONG assumption that a message body is not allowed ...

Amm0

No one has "proof" of anything. Just arguing about nothing.

MikroTik hopeful will expand there "Test Results" to include VPNs. Lot of conjecture everywhere, and no controlled apples-to-apples tests anywhere.

Amm0

The wAP generally do pretty well - obviously they need to be vertical and screwed on tight etc. And using some silicone can help further seal it.

Amm0

Error 400 for /tool fetch That does suggest it's the payload. You can enabling logging in /system/logging, which will output the generated header etc to logs: /system/logging/add action=memory topics=fetch and then compare those with working curl if you add a "-v" for verbose logs ... (an...

Amm0

What error code are you getting?

Amm0

And, "({\"items\": [{\"id\": \"$id\"}]})" like be "{\"items\": [{\"id\": \"$id\"}]}" without parentheses or perhaps just, since items is in URL, it shouldn't need items in body, but IDK the CF API... "[{\"id\&q...

Amm0

And,
http-header-field=("Content-Type: application/json","Authorization: Bearer apiToken")
should be:
http-header-field=("Content-Type: application/json","Authorization: Bearer $apiToken")

[and maybe another cut-and-paste error, just saying]

Amm0

Your URL has spaces in it: https://api.cloudflare.com/client/v4/accounts/ $accountId/rules/lists/$listId /items so might want to try: https://api.cloudflare.com/client/v4/accounts/$accountId/rules/lists/$listId/items Now, according the HTTP 1.1 spec, I pretty sure a body is allowed with a DELETE, li...

Amm0

The variable names match winbox, except the name is all lowercase, and any spaces become a dash (-): netwatch-icmp-variables.png As noted, both here and docs, if it contains a - (or space as shown in winbox), then you need to use $"first-second" in any scripts. Is there some terminology so...

Amm0

It's just $"loss-percent", $"thr-loss-percent" defines where the $"loss-percent" fails. These variables already pre-defined in the down/up-script= so they do not have to be declared or "get"

Amm0

Why are you dropping related connections as the first action? /ip firewall filter add action=drop chain=forward comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked disabled=yes in-interface-list=WAN protocol=\ icmp - nevermind, it's d...

Amm0

Amm0, with all due respect :) , you need to use more linear English if you want to explain something (or maybe you also got the Latvian virus that make affected people use excessively periphrasis or double negations? :shock: ). LOL. Perhaps. I'm waiting for Apple Intelligence to do proofreading in ...

Amm0

Might want to try output=none

I'm not sure why that's getting an error. But the RAM FAILED issue is odd and never seen.

Amm0

I have a website that converts a curl command (at least most of them & also limited to what fetch can do) Click the "curl2rsc" link on https://tikoci.github.io/restraml You can past in the `curl` command and pick a "format" (i.e. to variable or to screen etc). It sometimes ta...

Amm0

The tricky ones are (IMHO) the "statistic" ones, avg and stdev, particularly the latter. I believe that the real world behaviour for these might be influenced by the sheer number of pings performed, i.e. by packet-count, a higher number of pings per run should "flatten" the stat...

Amm0

The way I read the docs, it is a "or", i.e. there are 6 different thresholds: thr-max (Default: 1s) Fail threshold for round trip time-max (a value above thr-max is a probe fail) thr-avg (Default: 100ms) Fail threshold for round trip time-avg thr-stdev (Default: 250ms) Fail threshold for ...

Amm0

What version of RouterOS are you using? If it's V7... (if not, redirect is only only in very new V7) you likely don't want to set mode= nor src-address=. Also you can can use user="" password="" instead of setting the header with auth string You can also enabling logging in /syst...

Amm0

Please share the R11e-LTE-US files so I can install them on my LTE module.

You need to get them from MikroTik as they cannot be posted publicly. Email support at support@mikrotik.com for the files, which will have the instructions since it rather complex operation.

Amm0

LOL, almost same answer.

Amm0

The "D" part is important in first column..., that mean "dynamic" config. That means it was added by RouterOS, so the way to remove a "D" item is from the source that created it. So the item you're trying to remove looks like a "connected route" (see MikroTik ...

Amm0

Another potential factor is internet traffic is often asymmetrical flows (i.e. consumer WAN typically have more download than upload). This leads to a related question... is there any difference in CPU usage between upload and download? IDK with WG, but typically there is a difference in CPU load be...

Amm0

Built-in SMB is still bad for some reason. It works fine on 7.17, but throughput on 7.18-7.19 are horrifically slow. One of my test routes is RB1100AHx4, and since 7.18beta2, SMB connections from macOS will cause a hard crash of RB1100. I opened a ticket about, SMB is not critical for me, but it st...

Amm0

then MT simply needs to ensure the functionality exists that covers both, even if its just a checkbox. Agreed! Overall, how WAN "failover" is handled could be improved more generally. Personally rather mucking with conntrack-tools/etc... I'd perfer support for adding eBPF code to the exis...

Amm0

I just wish MikroTik would expand its "Test Results" section to include VPNs beyond IPSec. Or publish some doc/white-paper on performance. Part of the problem here is that each hardware platform may yield different result to which is "best". And whether you're use case is closer ...

Amm0

This is MikroTik. Just because there are not user-visible changes, does not mean they are not "working on it". But since everyone talks about wanting a newer data plane, they could be working on that to modernize it... THEN add some X feature AFTER that architectural work. Who knows. But I...

Amm0

how about NETMAP in conjunction with ECMP + NAT POOL? I'm just thinking aloud here Clever. Now I cannot quite picture that, but I'm sure there is some tricks to pull with netmap... But issue is PCC already let you do this, which be less complex than some netmap-based scheme. IMO the use case for EC...

Amm0

That's a really good idea. Never thought about this, but fill the gap where you'd want "more stability" in load balancing. Now that come at expense of diversity/spreading, so potentially less optimal at maximizing bandwidth... Now if you have enough clients , it still get close to balance....

Amm0

I'd have to guess Blocky be more efficient. It is pure Go code, which is designed for containers and doesn't have all of the rest of Linux like PiHole. Now blocky is more limited in feature if you're coming PiHole. Also MikroTik does have adlist now in DNS, which takes a basic URL lists to block. Th...

Amm0

If you already have the powerline network up... RouterOS has a virtual machine "CHR" (which has a free edition) to test it before getting real hardware. I'd have to imagine power line presents as a switch on the ethernet side, so RouterOS and Dot1X should be able identify particular/unique...

Amm0

Well that is a different approach, I guess it avoid the needed permissions for netwatch. The only esoteric issue with using script/scheduler outside of the "On Down"/"On Up" netwatch scripts... be if the netwatch polling could happen while that is running, if that happened... the...

Amm0

[...] The docs and history suggest NAT masquerade should clear conntrack based on IP change... [...] This is not a feature request, rather just an adaptation to a new way of doing things. [...] Your asserting the kernel current logic, trumps what the MirkoTik docs do say. Perhaps. Docs could be wro...

Amm0

I get the kernel discussion... but Mikrotik does patch a lot of things, so kernel version is not always that telling. The docs and history suggest NAT masquerade should clear conntrack based on IP change... so suggestion DHCP feature for it seems premature (i.e. if DHCP client could do it , so could...

Amm0

In the case of variables names, you cannot use underscore without quotes AFAIK. So :local "my_variable" not :local my_variable.

Amm0

Hmm. If you're not seeing the lte1 interface that's a bit different. I thought the Inseego FX3100 was one of the hotspots with USB, but just looked that more full-blown router... You're may be best just using Mikrotik defaults, and enable the "DMZ Passthough" on the FX3100 to the IP addres...

Amm0

I donated my copy of TCP/IP Illustrated long ago. And Mikrotik docs are a bit vague. So very hard to definitive. Maybe someone else has ideas / double-check your theory. I doubt TCP-MP is involved: the device is a laptop and WiFi was its only path to the internet. I only have one gateway in the netw...

Amm0

I'm doing a yearly review of the firewall Some of these connections seem to be related to Apple's iCloud Private Relay (ODoH): IDK, but Apple does like TCP multiplath ... so perhaps related to escaping "invalid" you commented on. [...] I plan to selectively allow some of the invalid packe...

Amm0

BTW, what do you mean by default is https://lscr.io ? Can Registry URL be omitted, making ROS default to this one? On new units or after reset-configuration, that's the new default. I haven't test that much, why I asked (even though a more careful reading might have seen that). I filed a bug on doc...

Amm0

Seriously, which parameters lead to 19s620ms?

interval=10s packet-count=50 packet-interval=380ms

Amm0

No smartypants, connections have the connection flag, this one doesn't.

My point was it's not clear and there is more subtlety here... Might be the DHCP client polling? Now whether that's a connection in this terminology, IDK.

But I like feature.

Amm0

*) ip-service - show all TCP/UDP connections on the system (additional fixes); *) ip-service - show all TCP/UDP ports on system, including ports in containers (additional fixes); Please re-read changelog - one entry is about "connections" and one about "ports" or, as you prefer ...

Amm0

That looks right to me. As I said, I'd compare the "Status" to make sure all the other RTT things are well within the defaults. If not, or even close, specifically set the various thr-* higher. If you temporary enable topics=netwatch in /system/logging, it will log both the values got, and...

Amm0

Now there is a good idea @rplant.

OP - Is the internet via fiber, cable/DOCSIS, or wireless(5Ghz,60Ghz,LTE/5G)? CAKE lets you set that too. If it's WISP or LTE/5G, it might be just congestion.

Amm0

And polishing interpreter will not hurt. Or the JIRA list of bugs.... Just even just showing colorized syntax in webfig/winbox to show the errors that /console/inspect "highlight" does in CLI and CLI "edit" command - so if you cut-and-paste some LLM code to /system/script, it sh...

Amm0

I cannot image it being a problem, but you're right it's not entirely clear what/if the "limit" be. One has to presume its memory, but even a DHCP record of 1-2K of data each... that still add up to few or dozen(s) MBs of RAM. And, it even being 1K might be pushing it, MikroTik is pretty e...

Amm0

Are you using "b2b.static" as APN and unchecking "Use Network APN" in the LTE APN settings? You may want to confirm b2b.static is right for your account, but I think they use same for any account that has paid for the fee to enable static IPs. Otherwise the default config should ...

Amm0

That only work if VLAN already existed in /interface/bridge/vlan. Now you would have the bridge vlan entry if you already had a /interface/vlan in 7.16+, since one be created dynamically. But otherwise you need an "add"... not set.

Amm0

Still it needs to learn by actual good examples which for rsc there are not much available as for other languages which can mislead AI.

All roads lead to improving docs, and perhaps more "wizards" in UI or at least docs with complete examples to avoid needing AI (or at LLMs)...

Amm0

You can choose to understand what they meant to say or you can choose to get lost in translation.

why not be accurate and fix the RN?

Amm0

It's not hard at all. LLM models just need to be trained with formal syntax or grammar specification languages like EBNF, ANTLR, etc and might be complemented with structured representations such as ASTs. There are plenty of tools and well-documented processes for this online. You do get close the ...

Amm0

Tried another one with Dude AI. And it's similar with config (which is essentially still scripting) – while perhaps LLM get "closer" for standard config... but ,it does not know the needed order of operations and names are inconsistent. For example, I tried a somewhat more complex prompt f...

Amm0

In IP/Services.

The issue is RN says "connections", not "listeners"... There is a difference.

Amm0

I think that was my subtle finding here....The Dude AI certainly picks up changes in MikroTik docs quicker than using generic LLM. But in terms of writing scripts, it suffers same limitations as a generic LLM since it just do not know what's valid. But as @normis points out, if you write complete se...

Amm0

Great info here. Like the use of jump and using the "RFC ways" to terminate connection, instead of just "drop". I've never dug into "invalid" too much, so IDK here. But I suspect you're right about "it's the host"...so many tricks added to TCP stacks over the ...

Amm0

@normis, y'all should give some thought to this: Since MT already uses Confluence/Jira, they can just publish a link to each page that automatically creates a ticket with a comment. MikroTik has always responded to these "doc bugs". e.g. docs on :beep were fixed from above, and now picked ...

Amm0

While this was not always true (see docs)... if docker-1.docker.io is registry, you need to use "library/eclipse-mosquitto:latest". 7.18 made some changes... so new default is https://lscr.io and they also support using a "fully-qualified" remote-image that include the "hub&...

Amm0

What URL are you using for the registry-url in /container/settings?

Sometimes using the fully qualified name (or sometimes not, i.e. without :latest) helps in remote-image= . Also make sure your running the latest stable version, since various past versions have had bugs in this area.

Amm0

Hmm, I'm just relaying on volume of posts in forum as metric here.... There was another thread about DoH and Quad9, where 1.1.1.1 folks reported as more stable than Quad9. Whether @normis is correct IDK All other popular DoH services work with MikroTik without issue. Are you using "verify serve...

Amm0

In absence of this requirement, do you think DoQ would perform better than DoT? Theoretically, yes. "Plain" UDP DNS is generally one packet request, one packet response - hard to get quicker than than. QUIC does auth and request at same time, so it avoids the whole TCP SYN/ACK dance, so u...

Amm0

As a general matter, I don't like any kinda TCP for DNS, so not a big user of DoH as result. So +1 to DoQ as that give you secure DNS, without extra complexity TCP's 3-way handshakes + TLS.

Now Quad9 uses PowerDNS, which does not support DoQUIC [yet?]...so may not help for Quad9.

Amm0

Maybe @Amm0 can help you out here.

@Amm0 already explained to look at sniffers, or lab a smaller example. But ZeroTier "L2" should be transparent to "L3" [multicast] OSPF.

Amm0

Since MT already uses Confluence/Jira, they can just publish a link

100%

Just saying I rather file a ticket, than post a few times on different threads "the docs are wrong"

Amm0

If I gave the impression that I was bridging everything as one big happy L2 network, that is not what I am doing, and I agree that in such a configuration OSPF does not make sense. I think OP isn't actually bridging zerotier on RouterOS bridge – although be to confirm... OP is just checking the &qu...

Amm0

You seem to like your current topology. And if you have CGNAT, ZT is likely best. Whether you can limit ZT to just those sites, IDK.... The only other approach is abuse BackToHome (BTH) - that does deal with CGNAT and is just WireGuard under the covers. i.e. if a site had a fixed public IP, and LTE ...

Amm0

There are also few non-OSPF routers connected by Wireguard to the hub and few direct wireguard links between most important sites. ZeroTier is kind of a backup for wireguard. ZeroTier is slower with our slow connections. And I don't want to rely on routes manually defined in ZeroTier network. Fair ...

Amm0

I've used the Telit LM960 since they are miniPCIe, but problem is there not 5G, but they are LTE CAT18 and work with all US/Canada carriers. Older modems like Sierra MC7455 work pretty well but be slow nowadays (and Sierra modem do not have RSRP/RSRQ stats, while Telit will report them in RouterOS)....

Amm0

I might ask the other way, what would your recommendation instead? You can use ZT to push any route. ZT does not care if the destination is within ZT's IP range — ZT is agnostic on gateway so you can often use ZT for just route distribution. And RouterOS will happy add whatever it gets from ZT dire...

Amm0

I'm pretty convinced they are using something like Lex/Yacc or Flex/Bison That's been my long assumption too. I suspect MikroTik could cut-and-paste the presumed Lex/Yacc code into ChatGPT and ask it to generate a BNF. And with BNF, you're closer to being have some LSP (which is my bigger grip sinc...

Amm0

Yet I have no idea why CAPsMAN be involved in slow wan speed. And OP new config is pretty default, MTU is 1500 now. So something wierd, but it doesn't look like a config error. Maybe try not using auto-negotiate on ether8 and set the ethernet speed manually – but that my only guess. Is the cable the...

Amm0

Oh geez, it's actually here the DOCS that are wrong OR BUG in RouterOS. Upon checking docs... :beep is actually documented as ":beep <freq> <length>", which is wrong since its needs ":beep frequency=X length=X". RouterOS does have /console/inspect — so they have the data needed f...

Amm0

The Dude AI does not abide. It seems to have trouble even know the syntax of :beep — which is pretty regularized in syntax. And, "The Dude AI" really want to insist that argument names are not needed... Screenshot 2025-04-28 at 8.30.15 AM Medium.jpeg Screenshot 2025-04-28 at 8.31.42 AM Med...

Amm0

MikroTik RouterOS AAA users can be linked to RADIUS only & built-in RADIUS server (User Manager) does not support LDAP either. Then other side... AFAIK, Google Workspaces only support LDAP auth. So nothing easy. I imagine you can use something like FreeRADIUS/similar to be a "middle-man&quo...

Amm0

I'm going to get an RDS for testing... Realized their are now tariffs on such things in US... I'd like to purpose Mikrotik offer SKUs for a "hardware-only" version of routers/switch (or at least ones on the expensive side) for US. And, the paying for license for RouterOS, separately, since...

Amm0

Assuming the VLAN needs to be routable (thus via CPU) The primary reason I'm looking for this feature (assigning VLAN based on MAC) in CPU direction is that I want per-VLAN DHCP to work (plus a couple similar container-related cases). My reading is it would go via the CPU, but cannot say for sure. ...

Amm0

100% agree that docs are all of switching features are "messy" and incomplete (i.e. switching page does not mention RDS). Now given the 98DX4310 chip is used by RDS, and that chip is covered in docs.... On the doc comment: "MAC-based VLANs will only work properly between switch ports ...

Amm0

Do you mean MACVLAN? https://help.mikrotik.com/docs/spaces/R ... 40/MACVLAN

You'd add MACVLAN to bridge, and then tag it as needed in bridge vlan settings. But AFAIK it will use CPU.

Amm0

IDK about CCR2004 card. But do you have "promiscuous mode" enabled on the ESXi adapter interface for it? Typically that's needed.

Amm0

There has been similar commentary in past, see https://forum.mikrotik.com/viewtopic.php?t=181433&hilit=friendly+name But there is nothing like Arris/Motorola/Actiontec/etc/etc style with the "Connected Device" list, which I agree is nice. (Now the generic ISP routers are certainly less...

Amm0

RouterOS doesn't do floating point math One has to imagine netwatch is implemented in C, so internally netwatch can do floating point... Now it's an open question whether thr-loss-percent is inclusive or not (i.e. == or >= ) However, @ilium007 is correct user scripting does not do floating point......

Amm0

Now I test it again. Put kievstar simcard, on default settings - getting wrong ip. Change apn and uncheck network apn, set ip only ipv4. Before reboot - does not working. Reboot - and it’s working ok. Maybe this will be fixed in future firmware releases. Is it one of the newer "refresh" L...

Amm0

Strange. Never see that mikrotik devices needs reboot to start working properly. JFYI, yours is the second report I see in two days about some settings change that did not work until the device was rebooted (the other report was about completely unconnected to LTE settings), Ideally you're not chan...

Amm0

The point about: "<packet-count>*<packet-interval> should be below BOTH the "global" <interval> and <timeout> that apply to all netwatch types. " is interesting, never actually thought about it. I dunno actually, thus the advice ("should")... is to avoid having to know...

Amm0

Remove supout, is only for support@mikrotik.com and not for be shared on user forum because can contain sensitive data.

Agreed. I'm surprised this has not happened more. But ideally the forum should block the *.rif from being uploaded.

Amm0

I'm not sure my script is best example of how icmp check works, it assumes you understand the netwatch model. Docs could be improved to explain the high level logic of netwatch. But they do describe all the parameters: https://help.mikrotik.com/docs/spaces/ROS/pages/8323208/Netwatch#Netwatch-icmpICM...

Amm0

There was some discussion of the scheme here: https://forum.mikrotik.com/viewtopic.php?t=198168#p1031333 ...which implies it a diff upgrade scheme, but IDK. I'd imagine trying the 7.19beta8 be easier to see if that works with .09 & be easier than trying unwind how the download works. The URL dow...

Amm0

If you have not upgraded to 7.18.2, you really should do that first. See https://help.mikrotik.com/docs/spaces/ROS/pages/328142/Upgrading+and+installation . If you're already running 7.18.2, make sure the LTE fireware is updated - that on the lte1 interface dialog. There also the firmware, which is ...

Amm0

I'd make sure reboot both router and test machine after MTU changes, and make sure the "BIOS"/firmware in /system/routerboard matches the current RouterOS version. This mismatch speeds screamed "MTU problem", that has to be right — so your "guessing" I'm not sure was he...

Amm0

I imagine that the "Lifecell" SIM does work with the "Use Network APN" enabled, and most carriers do, and why that's the default. So that's what you should use for that SIM. And it dropping is because the APN is wrong for Lifecell once you disable Use Network APN. WRT your "...

Amm0

While you make good points, this thread is not place for these discussions.

Please keep this forum topic strictly related to this particular RouterOS release.

Amm0

Is there a reason you're setting MTU of 1460 on ether1 / WAN? Unless you know something, it likely should be 1500 (or you may need a PPPoE connection, or other things from your ISP than just a lower MTU).

Amm0

Yeah RouterOS has to have time to detect it gone and reinitialize, and often 10 seconds was too short on other modem... so good to see the "force" the minimum duration in power-reset (which may reflect some 30 second timeout in MBIM/LTE stuff... since modem SHOULD actually restart itself).

Amm0

You have to uncheck the "Use Network APN" box in APN dialog to use a APN name. Otherwise, the "Use Network APN" override what you set. Kyivstar may use "www.kyivstar.net" from https://apn.how/ua/kyivstar-gsm#google_vignette as the APN name, but you might confirm that wi...

Amm0

You can reset the LTE modem using: /system/routerboard/usb/power-reset bus=2 duration=45 The "bus=0" may be bus=1 etc... — I don't have Chateau with FG621 to check. Also duration= might be shorter if you like... but often modem do have some residual power and you likely want RouterOS "...

Amm0

Someone else had similar issue with the newest LTE firmware ending in 16121.1034.00.01.01.09: https://forum.mikrotik.com/viewtopic.php?t=216406 This sounds like a bug. As I suggested in other thread, I'd make sure the /system/routerboard "RouterBOOT" firmware is running 7.18.2 firmware. If...

Amm0

I am extremely happy to report that IPv6 Fasttrack works just as well as IPv4 Fasttrack does, and I get identical IPv6 forwarding performance out of the router that I do with IPv4+NAT: ~900Mbit, both directions, even with a LAN bridge + PPPoE with constrained MTU on the WAN. (IPv6, of course, is no...

Search found 5560 matches