MikroTik

Jotne

If you go to some PitateBay proxy or other Torrent site they tell you to not download if you do not use a VPN, and with VPN your rules does not work at all.

Jotne

You need to declare variable before using set. I have no wifi router at the moment, so can not test it fully, but this runs without error on my test router: [ :local wifistatus :local registeredclients :local overalltxccq :local channel2 :local noisefloor :do { :if ([:len [/interface wireless find ]...

Jotne

If you can not figure out what the problem hang is, then change modem, change ISP.
Rebooting should not be needed.

Jotne

Here is the solution for you:

power adapter.jpg

http://www.networktechinc.com/control-power.html#tab-5

Connect this power adapter on the power for the modem. Then set it to auto ping an IP address.
If ping stops, then the adapter power cycle the modem.

Jotne

So if the speed limit is 100 kph and I have a car that can run 200 kph, we need to close the road?
Torrent are not illegal, sharing copyright material are.
Closing one service just move user to another :)

Jotne

on-error needs to be connected to the :do block, not the :if command My routers that do not have wifi accept the wireless command with out error so I do get: No active wifi interfaces Also use code tags <\> button while posting to more easy see the structure of your code (using tab) Since this code...

Jotne

See my signature on how I do use Splunk to handle log files. I do not know how to use API.

Jotne

This can not bee your whole script? It do miss an end }

You are using variable the wrong way, see my post yesterday here:
viewtopic.php?p=820135#p820135

Jotne

I wanted to log Tx/Rx signal strength, Tx/Rx CCQ, Signal to Noise and some other parameter from Wireless Registration Table in a log file stored locally. Hi. If you look at link in my Signature, you will find link to Splunk with MikroTik. There you store all log information externally and graph it ...

Jotne

- Commenting interfaces based on looking up the hostname of what is connected to a port on Bridge -> Hosts This should be easy to do, but what with: * Client do changes, so interface needs to be updated by a schedule and then interface name would change. * What if there are multiple clients? (Switc...

Jotne

You are handling the variables the wrong way. Correct way are to declare the variable, set it and then print/log. I always use wrap code with [] and cut paste code to terminal to test it. So this does work: [ :local attackip :local logEntryMessage "<110.54.203.170>: user ppp1 authentication failed" ...

Jotne

I cant install current frmwre to hAP lite "smips".
no space! =(

Install an older/smaller version of the software like 6.44.x then upgrade

Jotne

Im uTorrent
Options->Prefences->BitTorrent-Protocol Encryption set it to Enabled, then test if your rule still blocks it.

Jotne

Did this solution work with splunk linux docker version as well ? In my case, splunk receives mikrotik syslog data but in this plugin shows no devices All message need to be tagged "MikroTik", so message should look like this using this search: index=* (section 2b) dns MikroTik : done query: #30835...

Jotne

I guess you have opened the admin (web/winbox/ssh or other) from internet.
Do you use VPN or secure your ruter better.

Jotne

Wow, i thought MT had forgotten the 6.46 train.
For long time it as not been listed under "ANNOUNCEMENTS" section, so you had to search for it to find it.

Jotne

When using external logging tools like Splunk to analyse logs, this old and messy format gives a lot of extra work.
I have sent this request two times to MikroTik so they know about it.

Jotne

Note to self - never upgrade ROS unless you are on site.

That is why I always let it go some weeks before I upgrade, and only after testing it on a similar device that has same config and software version.

Jotne

@trancenet and other regarding 5Ghz DFS legal compliance. This has nothing to do with 6.47.2 It was change several version back, so trancenet did only see this because he skipped many upgrade. No, I have always the latest (stable) version, I did not skip new updates. The problem appeared only after...

Jotne

@trancenet and other regarding 5Ghz DFS legal compliance. This has nothing to do with 6.47.2 It was change several version back, so trancenet did only see this because he skipped many upgrade.

Jotne

I will never update to a new version again! Did you try to setup the config from scratch, or did you just upgrade and it stopped working. I have seen some stuff changes when upgrade so you need to manually configure it to get it working. If 5 GHz did stops working for every one, 6.47.2 would be rem...

Jotne

Instead of relay on an external service to get password, you can use this solution.
viewtopic.php?f=9&t=164114

Jotne

Instead of relay on an external service to get password, you can use this solution.
viewtopic.php?f=9&t=164114

Jotne

Why do the WAN goes down?

Jotne

Do you have any admin possibility from the internet? If so that is a way inn. VPN is the only good solution for remote admin.
What version did your router have? Old version should be upgraded.

Jotne

any hint on how to flash this on a HAP MINI? On previous beta, it said internal storage is not enough to upgrade... it's a brand new model, factory Do a search on this forum and you find many answer. Netinstall is one way. You can also downgrade to an older version that is much smaller, like some 6...

Jotne

hAP Lite - not enough space for upgrade

Downgrade to an older smaller version like 6.44, then upgrade to latest. PS this may give problem with your current configuration.

Jotne

Can i change mac address automatically by script on every day?..

Yes it can be do.
Post it as a new question.

Jotne

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.

Jotne

I would think its better to use syslog for this.
In a script, run the ping test, if it fail, send a syslog to a monitoring system.

Have a look at my Syslog -> Splunk post linked in my signature.

Jotne

It will see the IOS devices as a new device every time it changes its mac address. So if you have some in your system that are dependent of the mac address, it will break. That will be hostspot where you have whitelist mac, static IP for devices like i do ++ I did find this list: 1 Users are always ...

Jotne

It did work with 7.0 beta, have not had time to look at 7.1 Most negative thing with the new >= 7.0 beta 8 is that they have removed accounting. We now have to use Netflow to log detailed data. This gives around 10 times larger logs, and need extra port not just syslog port. Much more complicated se...

Jotne

To all. Look at the date of the thread. For some reason alfred998 responded to a thread that is 1 1/2 year old. Where m4rk did not post his config. I guess he did see that and left the thread.

Jotne

I guess you all had router opened for remote access using winbox, ssh, telnet or web access. Winbox was hacked some time back and are fixed in later version. (lots of scan was done to the winbox port 8291, so 2. in list below would have helped) VPN is the best option for remote access to the router....

Jotne

00:01:00
Every minute.

Jotne

Why do you need to delete these filter/nat rules?
Post example comments.

Jotne

Adding reboot does just remove symptoms of a problem. Fix the problem. Upgrade to a good version.

Jotne

You need to try an test and learn some scripting.
I just give you idea on how to solve it.

your_profile need to be set to an real profile.

Jotne

4) You will see it on your mobile phone:

And as well in Windows 10

Wifi.jpg

Jotne

Some like this?

{
:local new ([/certificate scep-server otp generate minutes-valid=0 as-value]->"password")
:interface wireless security-profiles set your_profile wpa2-pre-shared-key="$new"
}

Jotne

If you use the time base password script it will be the same all time.
Did you try this?

viewtopic.php?p=807658

Jotne

Cool SSID showing up on your pc/phone.

Like this ssid:

I am happy

Jotne

And you tried with what version?

Jotne

viewtopic.php?f=9&t=164114

Jotne

wow, this was interesting. Seems to generate a random hex string on 20 character each time its run. Should be fine as a password. It seems to store each run in this view for some time: /certificate scep-server otp print # PASSWORD EXPIRES USED 0 677d57c658119f4f8804 0s no 1 bd4a331ef703af86d1ac 0s n...

Jotne

Why? Reboot should not be needed.

Jotne

Problem with RouterOS is that it does not follow any standard time format. I have made a script that convert date/time to epoc that can be used to calculate time difference. This is some that MT should add as a standard.

Jotne

Code: Select all
$str~"^OK(\r|\n|\r\n|\$)"

Since there are lots of or and it only match the \r\n
This could be used as well

$str~"^OK\r\n"

But it depends on your real input as well.

Jotne

Problem is that if you do use longer name, RouterOS starts to chop off characters. So to solve this MikroTik needs to modify the RouterOS.
This is why I in first post added sample on how to name the filter rules to have some contoll.

Jotne

I guess you post will be reported and deleted. Who do you expect someone reply to your post using this type of language. Starting by calling MT Routers a pieces of shit. A better question would be: I have a remote router (mine) that I have lost password to. Is there a way to enter it, maybe using a ...

Jotne

This is not tested and my need some modification /interface wireless security-profiles add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=\ Test supplicant-identity="" wpa2-pre-shared-key=[/system routerboard get serial-number] /interface wireless a...

Jotne

No there are no simple way to hack this stupid router. Its very secure.

Jotne

Since my script log events as info and you have this: add action=disk1 topics=critical add action=disk1 topics=error add action=disk1 topics= info You do tell that all info log should go to the disk as well. Why can you not give your ISP access to your Splunk? They will then get the same log as you ...

Jotne

Du a search like this to see if any data comes inn to splunk.

index=*

Jotne

The point with the script is to send all information using syslog. If you selet that log should be sent to disk, it will also go there. As far as I know, you can not split the logg saying that some should go to disk, some to memory and some to disk. I still do not understand why you need logs to dis...

Jotne

the files are showing on my disk because i have a rule that send the logs there

You have selected to write the logs to your disk so it will write it there. I do not understand the problem. Just remove the log to the disk?

Jotne

by the way iam using v5 of microtik

v5???
Its so old that you can not find v5 on the archive files: https://mikrotik.com/download/archive

Start by upgrading to some of the latest release.

Jotne

Thank you I going to try this somewhere in the next day's.

Should work as long as data gets inn to Splunk and are tagged correctly "MikroTik"

Jotne

is there a way to make the script output not be reflected on the memory or disk log?, only send it to the remote splunk server?

I do not see those files on my disk. Can you download one of them to your PC and list whats in the file?

Jotne

A good question

Added to first post.

Jotne

Did not now that this was possible. Will test it out.

Jotne

how to reboot the router monthly

Why?

Jotne

I think this is broken in 6.47

What is this? Post info here, not a link..

Jotne

Hi i dont believe that i will be able to upgrade my hex3. Only 4.9MiB free but nothing on the flash. Anybody an idea ? Im about 50km away from this box. I would downgrade to an older, much smaller version then upgrade to latest, but in your case that may give problem if you loose some function so t...

Jotne

It would be fine if you edit first post and explain when you use it, for what and what is VK.

Jotne

Great!
But Winbox CRASH DOWN, when Press + under System -> IPsec-> Policies.

Please fix that bug...

Its IP -> IPsec -> Policies not System and it works fine with Winbox 3.24 (latest)

Jotne

This is wrong. Your are only the 10th this week with this error. :) /ip address add address=192.168.1.1/24 comment=defconf interface= ether2 network=\ 192.168.1.0 When using bringing, the IP should be on the bridge (or VLAN if that is used), not one of the interface belongs to the bridge. Correct /i...

Jotne

Where is version 4.1??, i only see ver 4.0 on the OP.

Fixed

Jotne

This part fails: [/ip address get [find where interface=$ipgw] value-name=address] For my routers, interface does not show IP default-gateway 92.xxx.xxx.1 . So you can not use default-gateway to find what IP address you have on public interface. Example: /ip address print Flags: X - disabled, I - in...

Jotne

That is not to complicated to make: /interface wireless security-profiles add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=\ Test supplicant-identity="" wpa2-pre-shared-key=[/system routerboard get serial-number] This will create a security profil...

Jotne

*) bridge - fixed dynamic VLAN assignment when changing port "frame-type" property (introduced in v 6.46 ); *) crs3xx - fixed HW offloading for netPower 15FR and netPower 16P devices (introduced in v 6.47 ); *) crs3xx - fixed increased CPU temperature for CRS354-48G-4S+2Q+ device (introduced in v 6...

Jotne

Monthly traffic per interface. Dont tell me about graphing. Its not fine for me.

Log interface traffic counter to a syslog server. There you can see it number or you can graph it if you like.
See link in my signature on how to set up Splunk (syslog server) to log MikroTik Routers.

Jotne

@itforeverru

It looks like you are inn to some. Here is memory usage on MT 6.47 (running on a vmware)
This router only do DoH and used for testing only.
A reboot was done 5 July

Memory leak.jpg

My RB750Gv3 that is much more loaded, does not show this behaviour. 6.45.9

Memory leak2.jpg

Jotne

On thing may create problem for you. You have added lan IP on an interface and not an bridge. You are not the first and for sure 100% not the last one to make this error. DHCP server is correctly configured on the bridge, so why did you miss the main IP? I guess you have upgraded from an older versi...

Jotne

Block Bittorrent and P2P using latest MikroTik RouterOS 6.43.3

This was posted 5 Juli 2020. 6.43.3 is very old and far far from latest Router OS (from 18.10.2018). Latest stable 6.47 and long term 6.45.9
I would not have used this old version due to lots of missing security patches.

Jotne

This is the solution:

Maybe you should write that this is in spanish?
Also no need for posting the same multiple places.

Jotne

Its not important how many devices you have on the inside lan. A 100Mpgs internet line should be no problem for the router to handle.

Jotne

I need port based forwards so I can migrate one service at a time to my new server instead of having to migrate them all at once. The reason for different (and non standard) ports is that I have several instances of services already running in Docker on new server for test purposes. Send out inform...

Jotne

@Diresta

Changing server may be an normal operation to do with new IP. This is why we have DNS. Just redirect DNS to new server.
But why do you need to change port? What services is this that you have on port 150 or port 10000? Not standard ports?

Jotne

19 chain= input action=accept protocol=tcp dst-address=1.2.3.4 in-interface=wan dst-port=80 20 chain= input action=accept protocol=tcp dst-address=1.2.3.4 in-interface=wan dst-port=443 Where are IP 1.2.3.4 located? on the router it self? if not this will do nothing. Input chain is only used for tra...

Jotne

Script creating password based on time will never work on RouterOS. Send an request to MikroTik to add a random password generator.

Jotne

option to specify multiple adress lists inside single firewall rule?

You can make a jump rule and add multiple rules to it, all with an address list. Not exactly the same, but should work.

Jotne

Her in Norway, if I do use my ISP router, it will send data untagged VLAN to all my PC etc. Then IPTV goes on a separate VLAN. But if I change my ISP router to bridge, I will have one port on ISP router where my Router connects using NAT. Another port sends out IPTV on a tagger VLAN (not sure if it ...

Jotne

There is an error.
wrong:

:put [/interface/list get [find name=Double-WAN-List]

correct

:put [/interface get [find name="Double-WAN-List]" ] tx-byte]

No list and double quote.

Jotne

Did you try the url in a browser?

https://www.random.org/passwords/\?num=1&len=20&format=plain&rnd=new

It seems that they have added some DDoS protection using java.
DDoS protection by Cloudflare

So it may prevent the download to work from Mikrotik.
Try to find another password site.

Jotne

Cut and past this to terminal. Do you get any output. :put [/interface find name=Double-WAN-List] If this is ok, try: :put [/interface/list get [find name=Double-WAN-List] Post output of /interface print detail Edit: It may be the hyphen - giving problems. Try to rename interface to DoubleWANList

Jotne

When you past it to terminal, you do wrap it on brackets? { }

{
your code
}

If not it will not work.

6.44.6 are getting some old. Oktober 2019. It should work with the script.

Jotne

I can not explain why a script stops working. Try to run it on the terminal to see what is going on.
Upgrade your RouterOS if you do run an older version.

Jotne

I can send the address list to Splunk using script. On Splunk you can do a lot of stuff with it. What is your goal?

Jotne

Script updated to 4.1 to get CAPsMANN inforamtion.

Read section 2f) if you like to use CAPsMANN function.

Jotne

Splunk for MikroTik updated to v3.1 Mayor changes is the CAPsMAN view If you like to use the CAPsMAN, update script to 4.1 and add capsmann script fond in section 2f first post: To upgrade, delete the folder /splunk/etc/app/Mikrotik Then install the unpacked spl (use winrar/winzip) file, install app...

Jotne

Hence why I was asking if you read the first post.

And my reply to that is you cant. NTP only sends UTC format. Its up to each device to stets the correct time zone.
If that can not be done on your devices, some I find very strange, you should complain to that hardware manufacture.

Jotne

I will make a view that shows total traffic in/out, what IP it does come from and what IP it goes to. That is not the problem. What I would like to know is what port is used, there i were the problem lays. Look at line 1 and line 2 in the above post. Both comes from same IP 193.212.a.a, both goes to...

Jotne

After talking more than one hour with a super spesialist in Netflow, I do start to get the grip on how things works. There are no way you can se in a Netflow packets, if its traffic returning from an started inside session or if it some from outside starting to sending inn data. You can look at port...

Jotne

If you look at my post over here you will see why. https://forum.mikrotik.com/viewtopic.php?p=801674#p801674 Netflow packet do contain what interface they are sent trough. Name of the filed is inputSNMPidx or outputSNMPidx. So I do know that with SNMP i can find the corresponding interface. line _ti...

Jotne

Look at this table line _time src_ip s_port dest_ip d_port next_ip byte pacet prot in_if out_if 1 2020-06-23 10:50:11.280 193.212.a.a 42744 92.220.b.b 514 10.10.10.50 3903 35 17 1 2 0 2 2020-06-23 10:50:00.570 193.212.a.a 22 92.220.b.b 55774 10.10.10.32 1312380 2191 6 1 2 24 3 2020-06-23 10:50:00.54...

Jotne

Hmm. This seems to be hard to solve.
Rotuer OS do send interface id in all netflow packets, but there are no easy way to get hold of them, since OID only shows it on the print command and not on the get command.

Jotne

Please only post script or comment for script here.
If you like a script, post a request here:
viewforum.php?f=9

Jotne

I need the SNMP_IDX for each interface in Router OS. This give me all interface { :foreach id in=[interface find] do={ :local Name [interface get $id name] :put "ifname=$Name" } } But to get the SNMP Index I need to use print, there are no get. Value i need are the last digit for all ODI :put [/inte...

Jotne

Some more investigation. Snmpidx are the interfaces on the router. You can get it using SNMP like this: snmpwalk -v2C -c public 10.10.10.1 ifname IF-MIB::ifName.1 = STRING: ether1 IF-MIB::ifName.2 = STRING: Bridge1 IF-MIB::ifName.3 = STRING: ether3 IF-MIB::ifName.4 = STRING: ether4 IF-MIB::ifName.5 ...

Jotne

Here is how to do it on a Cisco device:

Interface UP:

snmpset -v1 -c community hostname IF-MIB::ifAdminStatus.interface i 1

Interface DOWN:

snmpset -v1 -c community hostname IF-MIB::ifAdminStatus.interface i 2

Jotne

I will look at it. Should be doable to separate input/output like I did no the accounting dashboard. Maybe by looking at public/private net.

Jotne

Maybe this should be an add on module for the MikroTik app since it would involve lots of extra stuff. Using wan IP as a trigger is not good enough, since this will change for many user and then you need to have some sort of auto update. But after looking at input_snmpidx and output_snmpidx (input/o...

Jotne

I got it up and running. Some more complicated when Splunk do not run as an admin (what I do recommend to do).
Not sure why there are so many low number on source port like 443. That is normal destination port. Will examine it, make a SPL search that graph it and post it here.

Jotne

Good catch, fixed the original post.

Jotne

Have not had time to look at much yet, but it look possible som complicated to set up. It have to much possibility, not sure of saved format is ok. I would like a small program that listen for netflow and save them one line at a time. Then Splunk can index it. System we have to day with just sending...

Jotne

Did you use the Hotspot function?

Jotne

@jotne: if the addresses were like in your example, then indeed there would be some weird stuff going on. However, OP's diagram (in initial post) indicates completely separate IP subnets and in that case, the effects you're describing don't happen. Did not catch that, but you are right. I would not...

Jotne

Some more analyses. I have expanded the script and renamed variables to make it some more readable. Firs script looks for a hotspot user with name Mikroticket and set current time/date and mac to the user. Then it seems to send information about the router (time/date/serial number etc) to an externa...

Jotne

What version of RouterOS do you have on your router? Can you administrate your router on internet using Winbox (or http/ssh/telnet)? Its clear that this is a hack, since no one would use variable name like this in normal programming: P6oHA7pLvicrO8ub2fa2 :local P6oHA7pLvicrO8ub2fa2 [/ip hotspot user...

Jotne

I agree with pe1chl. Blocking every UDP may not help. You will end up with an unstable net, where stuff that should work does not work, and thing you try to block, just change from UDP to an TCP port. So if this an work place, make every one sign a contract, where misuse has consequences. Also do in...

Jotne

Not sure what your goal is. For me this give a text file with one IP pr line. And you need what?

No need for semicolon ; at the end of each line, only between commands on the same line.

Jotne

If your ISP Router has default gw of 192.168.88.1 Mikrotik has IP 192.168.88.2 and as a route 0.0.0.0/0 -> 192.168.88.1 Client with IP 192.168.88.55 has default gw 192.168.88.2 Then data going out will be redirected at MT to ISP router. When packet coming back inn, ISP will see the client on the sam...

Jotne

I do see many struggle to get script to work on the terminal. Example if you cut and past this to terminal, you do not get anything out. But will work fine as a saved script. :local test "My script" :put $test To get it to work in the terminal wrap it in brackets {} { :local test "My script" :put $t...

Jotne

To get queues to work traffic need to pass trough your Mikrotik.

ISP
-
Mikrotik
-
Clients

If you can not set ISP router in bridge mode, you will have double NAT, but other than that, most stuff should work.

Jotne

Blocking using DNS are easy to overcome. Just add a host mapping.
https://play.google.com/store/apps/deta ... ver.change

Want to help how to block Imo, Whatsapp, Viber in Mikrotik router.Please co-operate me.

Why?
Bandwidth limitation.
Governmental control.
Other.

Jotne

Updated post that any can just brute-force try to access it. If you have a weak password, it should not be hard to access the router, since all user/password will work and you can connect to the VPN connection from anywhere without two way authentication.

Jotne

See my post here:
viewtopic.php?f=9&t=162583

Jotne

I tried this today and I was not able to get this to work.. You did copy past link to the Winbox software not to a browser? It sure is simple, but I'm less sure about security. If the posted config is all you get, then SSTP client will happily connect to any server provided by MITM. The attacker wo...

Jotne

How do we then flag articles on the wiki that need to be updated then?

Send an email to support@mikrotik.com

Jotne

I'm currently playing around with the PMACCT-packages and writing out some CSV-style files. (other formats possible too like json) This is interesting. CSV is perfect, and better than json since its smaller. Splunk app do show traffic accounting using the accounting on the Router it self and sends ...

Jotne

Disclaimer: I have nothing to do with RemoteWinBox and are not getting paid for this review. I do see this all over the forum. How to administrate my router over internet? My router are behind NAT, how to reach it for admin? My response to that is to use VPN. And if VPN can not be used or you have n...

Jotne

To see DNS loogs, your router needs to be the one and only DNS server.

Up time 1 is one day so it show 1. It also takes time (days) to get graphs for up time, so have a look after some days

Jotne

I can see that v7 beta has not fixed anything regarding log format.

Jotne

For the user: no more parsing the logs via a lame script :-) This is were Splunk or other Syslog tools does it work. I have added various view to show different types of error logs. See my signature. But I agree that Splunk has a long way to clean up its logging system. Look at this post: https://f...

Jotne

DoH just moves your concerns from the ISP/Government to the DoH service provider. It all just depends on who you trust more.

Its a huge difference. I can choose between someone I know and some I do not know. How many can see my DNS request, I do not now, but with DoH I have some clue.

Jotne

And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.

Maybe that the people here that do no like DoH DoT are ISP them self

Jotne

I do agree with @martinclaro. I use a L2TP/IPsec tunnel from the remote router to a sentral VPN. This way I can reach the router and configure it even if it behind some other NAT. Also VPN is one of the most secure way to configure a remote router over internet. Since SNMP can not sent trough NAT th...

Jotne

I think its the else that makes problem. Can not see in your script that you have set the macaddress. All variables needs to be set or declared. Do not use global variable if you do not need it. Only when passing data from one script to another or store the variable for later use. Even then you need...

Jotne

Not ok:

:if $provisionedstatus do={} else={/tool fetch url=<space>$configserver output=file; :log info "download provision"}

OK:

:if $provisionedstatus do={} else={/tool fetch url=$configserver output=file; :log info "download provision"}

Jotne

Time zone is always set on the device. NTP just helps to correct the time.

Jotne

So far I've not been able to find a free Netflow collector that actually works. Did try netflow for Splunk, but does not get it to work. It also add a new port to listen to, not only Syslog. Not sure if nteflow work over long internet connection. Why not just leave the working accounting that are i...

Jotne

Delete " mar " from array " aaa " Loop trough the array, send to new array all except " mar " :local delete "mar" :local array [:toarray ""] :local aaa ([:toarray "jan,feb,mar,apr"]) :foreach i in=$aaa do={ :if ( $i!=$delete ) do={ :set array ( $array, $i ) } } :set aaa $array :put $aaa There may by...

Jotne

This just add more to why block by country is not a good thing. Quality of search a service would never be high and you can bypass it using proxy/VPN. It looks like millenium7 like this to protect input chain that is used to admin the router. VPN should give the needed security.

Jotne

/ip address add address=192.168.88.1/24 comment=defconf interface= ether2 network=192.168.88.0 This is wrong. Many, many have it wrong. If you look at DHCP server that is correct, it connected to the bridge. /ip dhcp-server add address-pool=dhcp disabled=no interface= bridge lease-script=":local DH...

Jotne

Jotne's waveform? It's temperature: Day and night change...

My router is up in the attic, so outside temperature and sun on the roof makes nice sinus curves

Jotne

That would not be an 'input' chain, that would be forward chain. Then Is see what you do wrong. There should be no input rules coming from the outside using the input chain. VPN is the way to go if you need to access services on the router. If you can not use VPN to manage your router, follow this:...

Jotne

I would say that is some dangerous thing to do.
Can be done, but you need to exclude ether1, bridge and possible other, like wlan, pppoe +++

Jotne

If you just have one web server and you have a DNS server on your router, you can add a static DNS entry to it. Example you server is www.cnn.com and internal IP is 192.168.88.10, then just add a DNS with that informatin. User on outside will use the public IP and user on inside will use the inside ...

Jotne

Maybe that apple use a fixed IP like Chrome cast use 8.8.8.8 and not the DNS it gets from the DHCP.
This can be fixed by redirect all request to port 53 to your DNS server. Then Chrome Cast and other stupid devices that does not follow normal regulation will still work.

Jotne

Hmm. here is a counter use-case: Imagine you have a service for users from your own country only. Then it makes sense to block all login attempts from any other country. Q.E.D. :-) And as I did write, how to access these services if the user are out travelling in another country? If I would like to...

Jotne

Id is just and internal value at the moment you search for some. You need to find the filter rule by using where and then some field that make it unique. Best way is to add an custom id to the comment field and then search for it. Example add a comment to the rule with some like this " AZ43 ", then ...

Jotne

.id are some temporary stuff in RouterOS and can not be used directly. Eks I see with /ip firewall filter print that rule I need to edit is marked 4. This I can not use. If I do use find like this (since I know the comment is drop ): :put [/ip firewall filter find where comment~"drop"] Same rule in ...

Jotne

v3.24 has adjustable font size. in the loader, tools > zooom in

For me its not under tools, but under setting. You should name stuff the same on Windows/Mac

Jotne

I would say it does not matter. GPS will give more exact time then NTP, but both are good enough to give you correct time. When going up the NTP chain three you will see that they uses GPS as well to get their time synced. https://www.masterclock.com/company/masterclock-inc-blog/network-synchronizat...

Jotne

Not easy, since MT does not follow ieee standards on time format, that it makes it nearly impossible to calculate time difference. Take a look at this post on how to convert MT time format to Linux epoch format that you can use to convert it. Then it should be possible to calculate time difference. ...

Jotne

There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. You may think so. Take an example. On your server you have a small web server that is for you local bicycle club. There user can ...

Jotne

For those who have DoH configured with CloudFlare, does first test ""Secure DNS" shows to you as a green? https://www.cloudflare.com/ssl/encrypted-sni/ Thanks Yes. You need the certificate, check by type: /certificate print detail Flags: K - private-key, L - crl, C - smart-card-key, A - authority, ...

Jotne

Someone needs to tell Mikrotik that there is a bug in OSPFv3 (tested in 6.44.5, 6.44.6 and 6.45. when the router is experiencing high IPv6 traffic (1.5gbps here started to give problems).

You can do that: support@mikrotik.com

Jotne

"-Cc" flag to snmpwalk.

That did the trick. Thanks.

Jotne

Trail and error gave me the second certificate installed is the only needed one.

Name: cacert.pem_1
Issuer: OU=GlobalSign Root CA - R2,O=GlobalSign,CN=GlobalSign

Jotne

And from this list what is the root certificate needed for DoH to work? 1 T cacert.pem_0 GlobalSign Root CA ebd41040e4bb3ec742c9e38... 2 L T cacert.pem_1 GlobalSign ca42dd41745fd0b81eb9023... 3 T cacert.pem_2 VeriSign Class 3 Public... eb04cf5eb1f39afa762f2bb... 4 T cacert.pem_3 Entrust.net Certific...

Jotne

To find the number of leases per scope you need to walk the .1.3.6.1.2.1.9999.1.1.6.4.1.4 OID and group/count the entries (the address is part of the OID, the value of each entry is the type static/dynamic/waiting). Seems to be a bug in RouterOS when getting DHCP information. I have around 200 addr...

Jotne

This contains GlobalSign Root CA - R2, among others, which is what dns.google uses: https://curl.haxx.se/ca/cacert.pem

This worked, but installed 137 Certificates

Do I need all? Can I see what is use?

Jotne

What do you mean? How did you add a second DoH server?

Just as Sindy writes. Using a fail-over script to a second server.
What can also be done, is to setup three routes. One with two DNS points to the two other. Then the two other running each own DoH.
Will test the google cert

Jotne

I did a copy past error in test script above. The true stat is used as an override if you do not use the function. Fixed the line. But this still does not work. If I add this to my script, nothing is run on a router without CAPsMAN local CAPsMAN true :do { /caps-man registration-table find :put "cap...

Jotne

I have skipped use SNMP, since I need to set up SNMP for each new router. Instead I make the router send me the data using Syslog, including DHCP pool information. See how to use Splunk with MikrotTik using link in my signature. Or click here to just show the DHCP example. https://forum.mikrotik.com...

Jotne

id changes all the time and can not be used in any script. You need to find the id as part of the script when it runs.

Jotne

I try to add CAPsMAN log to my Splunk script. Some like this :local CAPsMAN true :do { if ($CAPsMAN) do={ :local capsregistered ([/caps-man registration-table print count-only]) /caps-man interface :local name :local mac # ignore all master interfaces :foreach p in=[find where master-interface="none...

Jotne

I would guess it can use all frequency between 4920 and 6100.
5825-5825 is between this number so no extra line is needed.
And for 2.4 GHz 2733-2483 can not be used, so therefor two lines.

I see the same number as you on my hAP ac2

Jotne

Even some shorter, since you already are in correct location.

:put [/ip dhcp-client get [find comment="ISP2"] default-route-distance]]

Jotne

Agree with pe1chl Scanning all ports will hit the one port that opens all. I have done the following. You need to knock three port in correct order withing certain time limit. If you try one port that is not part of the knock or is not open for a service, you will be added to a black list for 24 hou...

Jotne

Why do you run this in a loop? Just set the value for all at a time:

Ahh, thanks
Did not now you could set all in one go. I was just caught up in the first post.
This is even shorter with the not needed semi column at the ende

set [ find ] address=192.168.20.2

Jotne

You have done some liket this:
viewtopic.php?p=787643#p787643

Post output of /ip dns export

Jotne

Why on the computer?

Could this not be done with the button on the router.
Or a script that triggers the NAT change based on x,y,z

I try to see why you need to do this remote and not on the router itself.

Jotne

Best is to remove internet complete, than your are a lot more secure.

Jotne

It like saying McDonalds is healthy, because you order a salad with you burger and sugary drink. And if you connect to the "free" Wifi in McDonald, the they can spy on all your DNS requests to see what the clients surf on when thy are there. A VPN is a better solution, but just shows that any can s...

Jotne

>Why would you like to change the NAT rule?
I want to enable and disable from an application on a computer or phone

Why would you like to do that?

Also what button? Physical on the router or in a program on a computer?

I do try to see what you try to do. There may be other way to solve it.

Jotne

You can argue that are free to choose a more private aware DNS servers but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background. I was in Turkey last year, and there Wikipedia was blocked used DNS block. DoH agent om my PC solved this fine. Also I d...

Jotne

Why would you like to change the NAT rule?
When would you change the rule?
What button do you like to use? The mode button on the router?
Could his be done using a script on the router?

Jotne

do static entries have precedence over DoH? If yes, I'd rather use

I can confirm that it is. And agree that a static entry is a better solution.

Jotne

We did have a discussion about that over here: https://forum.mikrotik.com/viewtopic.php?p=798678#p798678 I have added a second DoH server. Did not find out how/where to get the certificate for it, so it will use Cloud Flare with certificate and google without. :local result yes :do {tool fetch url="...

Jotne

And now please explain me the idea behind hiding where you browse from your ISP or government when you can, but cowardly reverting to plaintext DNS whenever it fails. It not so much what I need, but more that I can do :) DNS is one of the things that ISP still has control over (until DoH and other ...

Jotne

Works perfectly, and thanks for the explanation of commands. Learning some new every day, even if I am not 20 any more

Jotne

Thanks. It seems to not work in the fail situation. If I cut an past this to terminal { :if ([ :do { tool fetch url="https://1.1.1.21/dns-query\?name=mikrotik.com%26type=A" output=file dst-path=result http-header-field=accept:application/dns-json } on-error={:nothing} ] = ";") do={ /ip dns set serve...

Jotne

Thanks sindy, your script works. But when I try to add commands to it, it does not work. :if ([:do {tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.com%26type=A" output=file dst-path=result http-header-field=accept:application/dns-json} on-error={/ip dns set allow-remote-requests=yes server...

Jotne

If I have DoH + normal DNS configured which one is used? Is there a fallback if DoH is inaccessible? Personally, since it's uncertain, I removed the normal DNS and set CF DoH only. I did comment this as well in the 6.47 thread. There are no way to see if the router uses DoH server or the DNS, so th...

Jotne

Wow DoH saved me from internet censorship. In your photo I can see that you are using DoH DNS with name, but there are no static or dynamic DNS to resolve its own DoH DNS name. In MikroTiks wiki example they suggest that you add 1.1.1.1 I do use IP instead of name to skip the extra "needed" dns ser...

Jotne

https://www.youtube.com/watch?v=wWDwgv_oLuA

Jotne

VPN is the best way to administrate the router from a remote location. But if you can not use VPN 1. Use another port than default. 2. Use port knocking. This prevents someone from seeing open ports. 3. Use a long and good password. 4. Use access list to prevent any random internet from accessing yo...

Jotne

# may/20/2020 16:37:30 by RouterOS 6.43.11

You are running an rather old version of RouterOS. You should upgrade to latest "long term" 6.45.9 or latest stable 6.47.

Jotne

Did forget about Netflow. Will have a look at it.
I do see that this needs an extra input to work on my server. Accounting do work with Syslog that I already uses.

Jotne

No need to change the thread header. I may be better to start a new thread.

Jotne

IP Acccounting is deprecated and removed from ROS v7.

What do I use then to get traffic data from each client that I do use in Splunk for MikroTik?
SNMP is not an option.

Script will then fail 100% if some do an upgrade to 7.x, since on-error seem to not handle this situation.
.

Accounting.jpg

Jotne

/ip accouning is missing in latest beta. This breaks my Splunk script. :local AccuntData true # Get traffic data (accounting data) # ---------------------------------- if ($AccuntData) do={ # Test if fasttrack is enabled and give warning :if ([/ip firewall filter find where (action=fasttrack-connec...

Jotne

/ip pool add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254 add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.126 add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.126 You have some error in your config. These three pools are overlapping or duplicate. I guess you only need the first line. It ...

Jotne

I do think that is a better solution. It clear where DNS go, since you only have DoH configured. Wiki should at least be updated with that no password are needed.

Are there option to use other DoH than Cloudflare?

Jotne

Everyone - DNS wiki page has been updated - https://wiki.mikrotik.com/wiki/Manual:IP/DNS#DNS_over_HTTPS Just a comment to the Wiki that it does miss some information. When importing the certificate, you are asked for a password phrase. This is not mention in the Wiki and it not clear for me when to...

Jotne

2. When I exported my settings with command export file=yyyy-mm-dd-export all ports are exported with speed=100Mbps , so the export looks like: set [ find default-name=ether15 ] speed=100Mbps set [ find default-name=ether16 ] speed=100Mbps set [ find default-name=ether17 ] disabled=yes speed=100Mbp...

Jotne

i have no idea how to make more free space...
hAP lite

Install an older smaller image, then upgrade to latest.

Jotne

Test this instead:

/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query

Looks like your router does not resolve the name for cloudflare-dns.com

Jotne

Does it work without certificates? Just to test the DoH to see what is wrong?

Jotne

DoH works fine for me.

Just added

https://1.1.1.1/dns-query

Did not select "Verify DoH Certificate" since this is just a test.

Jotne

My hAP ac2 did upgrade without problem to 6.47.
I guess you now that you have to select stable in channel to see the upgrade?

Jotne

Script updated to 4.0 Removed double stuff Added write-sector-total PS script can be updated without update Splunk software. Here is an example view on write sector increase last 10 hour that will be included in Splunk for MikroTik 3.1 * 10.10.10.1 hEX 6.45.9 (will have a look at this after upgrade ...

Jotne

Blocking IP may can give problems. Example AnyDesk server is on a big amazon server with hundreds of other web servers. Then you block them all.

Jotne

you can go to https://1.1.1.1/dns-query using the web browser

There are no webpage opening at this url.

Jotne

Script /ip firewall filter move 2 destination=11; Schedule /system script run script1; Semicolon at the end of the line has not been needed for many years, and will not help here. You should not use ID number for anything in the script since its temporary and is not the same as the number you see i...

Jotne

Why?

Do you thing my ISP opens up the https packets and look for DNS packets?
I will add certificate later. This was just for testing purpose, since DoH was just released.

Jotne

I did not use any certificate, just added:

/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query

One line only for DNS and it works fine.

Search found 1817 matches