MikroTik

Jotne

Stable channel has been full of serious bugs lately. Not only Stable, some month ago MT change some Wifi handling that did break lots of wifi links on both LTS and Stable. Problem was some function some used that was not correct for their country, and when MT changed it by force, it did gave proble...

Jotne

What does then stop? (looks correct)
You should from the scrip (if you have installed it) get data every 5 minutes.
So search for star and search for 30 min window, you should see data coming in all the time.

Jotne

See if your prefix is correct at section 2b. On wrong characters and it break all.

You can also do a search with only a start * and set it to last 24 hour and see what data you get.

Jotne

PPTP is old, outdated, no encryption so should be avoided. Use a newer/better protocol like L2TP/IPSec or SSTP or other.

Jotne

Then this thread could be closed, and you can use the other thread.

Jotne

Interesting question. Will have a look at it when I am back from holiday.

Jotne

I did test out PPTP first, but are now running L2TP/IPSec PSK.
It could be using a certificate as well.

There are several tutorials on the net on how to set it up.

PPTP is a non encrypted tunnel, so no security at all. Do not use.

Jotne

Please edit your post. Select what is code and click the code-button </> to wrap the code.

Like this.

Jotne

That I du understand, but if I know my PC is connected to ether2, its not easy to find out what mac is on ether2

Jotne

I haven't thought about that, but can see that it not an optimal solution if that is the case.
Possible some from MT can give a respond on this ..

Jotne

I did some experiment on my hAP lite to represent Wifi signal strength.

Have a look here:
viewtopic.php?t=142132

Jotne

Interface is Bridge1 for all innside mac on hEX

/ip arp print
 0 DC 10.10.10.41     00:1A:EC:0C:1C:83 Bridge1
 1 DC 10.10.10.32     90:BA:1A:68:DA:D1 Bridge1
...
...

Jotne

This is already mention in section 1b) If you install Ubuntu, (i think from 16.x), rsyslog is installed as default. But its not listening on port 514/UPD as default and you need to edit the config and restart syslog to get it running. So it should normally not be any conflict. But in production envi...

Jotne

You do not need semicolon at end of each line ; , only when multiple commands on same line.

Use this to see what type your variable is.

:put [:typeof $myStr]

It its not string, you can force it to string.

:if ([:tostr $myStr] = "something") do={:put "yes"}

Jotne

Look at my Mikrotik for Splunk int the signature.
There are one view for hotspot user etc.
Can easily be adopted to more view.

Jotne

This give your output, but its ugly

{
:local info "ch-nl2.nordvpn.com"
:local pos
:for i from=0 to=9 do={
	:local test [:find $info $i]
	:if ([:typeof $test]="num") do={set $pos $test}
	}
:put [:pic $info 0 $pos] 
}
ch-nl

Jotne

It does not look like the :find command support regex, just string match. So this does not work: :put [:find $"ch-nl2.nordvpn.com" "[0-9]"] It then makes it hard to find on the string where an unknown number starts. You can loop trough and test number by number from 0-9, but its ugly. find :find <ar...

Jotne

I do not run hotspot, but can try to help.

What command do you run to get this list:

user1 AAAAAA ip address=10.5.50.2
user2 AAAAAA ip address=10.5.50.7
user3 AAAAAA ip address=10.5.50.11

Jotne

This should do: Schedule it to run every 5 min. It will then add the IP for the user with wrong username or password to address list Wrong_User for 24 hour. # Created Jotne 2019 v1.0 # # Add user who tries wrong user or password to address-list # Find all "login failure" error last 5 min :local logl...

Jotne

This is the message you get when using wrong username or password:

system,error,critical MikroTik: login failure for user per from 192.168.88.10 via winbox

Give me some minute and I will fix a script. But take care, this can block your self from entering the system.

Jotne

Updated Now also block user with these type of message: SPI e14750001eda995ec not registred for 89.50.40.10[4500] # Created Jotne 2019 v1.2 # # This script add ip of user who with "IPSEC negotiation failed" and "SPI* not registered" to a block list for 24hour # Schedule the script to run every 5 min...

Jotne

Strange interface name.
ether may hit both ether1, ether2++++
Also you need to enable same interface you disable. Can not be two different name.

Can you post output of

/interface print

Jotne

You do not need to end every line witch ;.
Its only needed when you have several commands on same line.

Jotne

To list all interface type /interface print They will be named some like ehter1, ether2 etc. # interface to control :local if ether1 :global grx :local rx [/interface get $if rx-byte] :local mbrx ($rx/1048576) :local diff ($mbrx-$grx) :put "diff=$diff local=$mbrx global=$grx" :if ($diff>1024) do={ :...

Jotne

A search like this should give all message:

sourcetype=mikrotik module=system

IF not try this:

sourcetype=mikrotik

Or at last just this

Jotne

The filter rule prefix was changed to be more uniform. So I may have mixed up some from script to Splunk code. One the "Live Attack" dashboard, click Edit->Source. There you will near the top find some like this: <search id="base_search"> <query> sourcetype=mikrotik module=firewall rule=FI_D_port-te...

Jotne

:put [/ip arp get [f where mac-address=A0:48:1E:B8:8D:58] interface]

This may not work. On hEX routers, it will just show name of the bridge where the interface is connected, not the physical interface.

Jotne

This may then work. It takes the MAC address of the unit found by MNDP (CDP), should only be one. local if "ether2" local mac "20:DB:F2:1D:A0:0B" :if ([/interface get $if running] = true) do={ :local ifmac [/ip neighbor get [find interface~"^$if;"] mac-address] :if ($ifmac != $mac) do={ :log info "$...

Jotne

You could then use the first solution I did post that take down the interface if some one turns off or remove the equipment.

If the wap is an Mikrotik Wifi wap, you can use nearly the same as above, but use /ip neighbor print information to see that correct neighbor still is present. MNDP (CDP).

Jotne

I do see that mac address are handled differently on different devices. hAP-Lite /interface ethernet switch host print hEX /ip arp print does not work, since it list mac pr interface group (bridge) So I do see mac for Bridge1 covers port 2-5 And mac for ether1 outside Also mac for each other VLAN is...

Jotne

Connect a PC to one of the ethernet port and use WinBox mac access.

Jotne

A follow up. 3. Consider 802.1X. Setting up 802.1x is not that you can do quick and easy. At least not for only one device. This does nearly the same. Schedule it to run every minutes. (or 5 minutes) :if ([/interface get ether2 running] = true) do={ :local mac [/interface ethernet switch host get [f...

Jotne

2. Parse your logs and look for the AP-facing ethernet port going down. As soon as it goes down, disable it. No need parse logs, just schedule this script to run every minute. :if ([/interface get ether2 running] = false) do={ :log info "ether2 is not running, shutting down" /interface ethernet set...

Jotne

@naiyuan

Edit you first post an change Please help to some better.

Jotne

I was some off in previous post. This should get you started { :global grx :local rx [/interface get ether1 rx-byte] :local mbrx ($rx/1048576) :local diff ($mbrx-$grx) :put "diff=$diff local=$mbrx global=$grx" :if ($diff>1024) do={ :put "larger" :global grx $mbrx :put "turn off interface"} } Since I...

Jotne

I do have some problem/bug with my script to help you out. This should get the rx-byte on interface ether1 , but gives nothing. :put [/interface print as-value stats where name="ether1" rx-byte] This works: :put [/interface print as-value stats where name="ether1"] .id=*1;comment=;name=ether1;rx-byt...

Jotne

If you do run all server on Windows IIS or Linux Apache, they can both handle multiple Webservers based on DNS. But If you have many Webservers on different system or on different ports, you can use a reverse proxy server like HAProxy. Redirect 80(443) to the HAProxy server, then it can based on rul...

Jotne

From all the problem I see that MT have after updating routers, I would not recommend to do an automatically upgrade without any possible to control it when it should run. At least on remote devices. I did lost my L2TP IPSec tunnel after upgrade due to change in config. So take care with this. Anoth...

Jotne

What is your goal by making the routers talk to each other?

Jotne

After some investigation I found out that RouterOS cuts Syslog message at 256 characters. Then add info of what module and prefix. So the total message may be longer than 256 characters, but not the body of the message. If I do send message to terminal using :put they are inn full length. Here are s...

Jotne

Nice to see official release of 6.45.3. But there was no need of removing my thread https://forum.mikrotik.com/viewtopic.php?t=150735 I feel like a criminal ;) Since MT did not post this info, I try to help out. What's new in 6.45.3 (2019-Jul-29 12:11): Just close it with a link to this thread....

Jotne

I do put the script in curly brackets {} and cut past it to the terminal.
This way it runs as you should run it from the script option.
Also I do use a lot of :put to see what is going on with the variables.

Jotne

One day since 6.45.3 released on download, nothing here on the forum.
Can't remember seeing this behavior before.

Jotne

Updated script to 3.1

Fixed CDP, since some devices sends long version with new lines breaking up the log lines. (Cisco)

PS still have problem that line is cut in Splunk. Not sure if its MT not sending whole line, or Splunk that cuts the lines.
I do only get 278 characters.

Jotne

6.45.3

*) rb4011 - fixed SFP+ interface linking (introduced in v6.45.2);

Jotne

Some years ago Cisco bought OpenDNS and have now a solution based on this called Umbrella https://umbrella.cisco.com/products/features An ISP can setup redirect for port 53 to their preferred DNS. They can then control what DNS you should see, and at the same time log everything using Umbrella or ot...

Jotne

If you did read what Sindy says, we need the complete configuration to see if the error is elsewhere.
Do post output of this command.

/export hide-sensitive

Jotne

Look at my post here:
viewtopic.php?f=9&t=148397&p=730484#p730484

I did make a script that take those IPSec testers and back lists them for 30 day.

Jotne

Splunk can handle may routers. I have just set it up for more simple to use in my project using Splunk for MikroTik routers. One nice thing with it, is that it does not use SNMP (SNMP is good at many things, but does not like dynamic IP). You just add a script to each router that do send you all the...

Jotne

I do agree that MT should not have had these problems. Since with MT you can do nearly everything with it, setup proxy or socks server, its much more interesting to get inn to an MikroTik Router Why you should not open your router form outside has been discussed here many times before. If you need a...

Search found 1221 matches