MikroTik

Jotne

# may/20/2020 16:37:30 by RouterOS 6.43.11

You are running an rather old version of RouterOS. You should upgrade to latest "long term" 6.45.9 or latest stable 6.47.

Jotne

Did forget about Netflow. Will have a look at it.
I do see that this needs an extra input to work on my server. Accounting do work with Syslog that I already uses.

Jotne

No need to change the thread header. I may be better to start a new thread.

Jotne

IP Acccounting is deprecated and removed from ROS v7.

What do I use then to get traffic data from each client that I do use in Splunk for MikroTik?
SNMP is not an option.

Script will then fail 100% if some do an upgrade to 7.x, since on-error seem to not handle this situation.
.

Accounting.jpg

Jotne

/ip accouning is missing in latest beta. This breaks my Splunk script. :local AccuntData true # Get traffic data (accounting data) # ---------------------------------- if ($AccuntData) do={ # Test if fasttrack is enabled and give warning :if ([/ip firewall filter find where (action=fasttrack-connec...

Jotne

/ip pool add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254 add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.126 add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.126 You have some error in your config. These three pools are overlapping or duplicate. I guess you only need the first line. It ...

Jotne

I do think that is a better solution. It clear where DNS go, since you only have DoH configured. Wiki should at least be updated with that no password are needed.

Are there option to use other DoH than Cloudflare?

Jotne

Everyone - DNS wiki page has been updated - https://wiki.mikrotik.com/wiki/Manual:IP/DNS#DNS_over_HTTPS Just a comment to the Wiki that it does miss some information. When importing the certificate, you are asked for a password phrase. This is not mention in the Wiki and it not clear for me when to...

Jotne

2. When I exported my settings with command export file=yyyy-mm-dd-export all ports are exported with speed=100Mbps , so the export looks like: set [ find default-name=ether15 ] speed=100Mbps set [ find default-name=ether16 ] speed=100Mbps set [ find default-name=ether17 ] disabled=yes speed=100Mbp...

Jotne

i have no idea how to make more free space...
hAP lite

Install an older smaller image, then upgrade to latest.

Jotne

Test this instead:

/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query

Looks like your router does not resolve the name for cloudflare-dns.com

Jotne

Does it work without certificates? Just to test the DoH to see what is wrong?

Jotne

DoH works fine for me.

Just added

https://1.1.1.1/dns-query

Did not select "Verify DoH Certificate" since this is just a test.

Jotne

My hAP ac2 did upgrade without problem to 6.47.
I guess you now that you have to select stable in channel to see the upgrade?

Jotne

Script updated to 4.0 Removed double stuff Added write-sector-total PS script can be updated without update Splunk software. Here is an example view on write sector increase last 10 hour that will be included in Splunk for MikroTik 3.1 * 10.10.10.1 hEX 6.45.9 (will have a look at this after upgrade ...

Jotne

Blocking IP may can give problems. Example AnyDesk server is on a big amazon server with hundreds of other web servers. Then you block them all.

Jotne

you can go to https://1.1.1.1/dns-query using the web browser

There are no webpage opening at this url.

Jotne

Script /ip firewall filter move 2 destination=11; Schedule /system script run script1; Semicolon at the end of the line has not been needed for many years, and will not help here. You should not use ID number for anything in the script since its temporary and is not the same as the number you see i...

Jotne

Why?

Do you thing my ISP opens up the https packets and look for DNS packets?
I will add certificate later. This was just for testing purpose, since DoH was just released.

Jotne

I did not use any certificate, just added:

/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query

One line only for DNS and it works fine.

Jotne

@anav
It may be a very small animal hospital

" DHCP server cannot run on slave interface". How can i set DHCP on them ?

What version of routerOS do you run on the router. The message above may tell that its rather old, and it may be at risk security wise.

Jotne

Sorry to waste your time over this!

No problem. You have not done anything wrong, just in another way.

I will add a comment about in the DHCP view, that if you add static release outside the pool,but within the subnet, i will give wrong number.

Jotne

Interesting. I see this is a way you can handle DHCP, and it will confuse the system. Its not easy to take inn to account every possibility. In my work (20000 + computers 2500+ servers), we have only DHCP, and all server IP are within the DHCP scope. But we to convert DHCP leases to static for all t...

Jotne

There may be some wrong with that part. Its on part of the script that is not made by me ;) For me it looks correct /ip pool print # NAME RANGES 0 DHCP-Pool-vlan1-Home 10.10.10.55-10.10.11.254 Then the script shows this: script,info MikroTik: script=pool pool=DHCP-Pool-vlan1-Home used=158 total=455 ...

Jotne

You can copy all files you have modified to another folder. Remove all MikroTik files, install 3.0, then restore your files. Its also possible to use 7-zip/winrar to extract all the files from 3.0 manuall, then add one by one. If your edit is interesting for other, you could send me them, and I coul...

Jotne

system,error,critical error while running customized default configuration script: no such item system,error,critical Same here, after update to 6.47 my RB4011iGS+5HacQ2HnD-IN and cAP Ac.. Antena gain was gone.. See this post https://forum.mikrotik.com/viewtopic.php?p=797466#p797466 MT We added an ...

Jotne

My hope.
6.46 - > long term
6.47 - > stable
6.48.. no, no more 6 series
7.01 - > testing

Jotne

Do a google search for "netinstall mikrotik tutorial"

Jotne

Problem is to store log data on the routers. Some routers does nearly have space free at all.
It simple and free (upp to 500MB log a day) to setup a Splunk server. Se link in my signature. (I do use 30 min)

Jotne

I have honey-pot IP addresses, anything that attempts to connect to them, gets their IP added to the block list, these addresses have never been used, so nothing legitimate would have any reason to try and connect. I do nearly the same. Since I do not have an extra public IP, I have and access rule...

Jotne

Also do not add link to the forum. Click the Attachments below the post and add the file/picture to the post.
All your links are dead/down.

Jotne

Just some posting tip.

No quote the post above you. Only quote some part if needed. Use the "Post reply" button (below) instead.
No multipost. If you add some information, just edit previous post if someone has not posted in between. Bump is ok if someone has not replied on some time.

Jotne

If you do not access your router from outside using SSH and there are not NAT rules for SSH, you do not need to worry to much. They will not get inn to you. Here is what I do. If your try one port on my outside that are not open, example port 22, then your IP will go to a black list and stay there f...

Jotne

Are you going to use winbox on the outside interface? If so, do use VPN (but not PPTP) to secure the connection. If you can not use VPN, then: 1. Use another port than default. 2. Use port knocking. This prevents someone from seeing open ports. 3. Use a long and good password. 4. Use access list to ...

Jotne

Seems that you are running some old software 6.44 and the older system with master port and IP bind to that port (ether2). If you do have many VPN services up and running. PPTP LT2P SSTP. Turn off all you do not need. One should do for for all types (not PPTP since no security) I see various rules d...

Jotne

Where are your config?
And why two threads?

Jotne

that didn't work.

Not sure what the problem is. The user in this tread changed his IP without problem.
viewtopic.php?f=7&t=161687

Jotne

If you do use the MT cloud service you can use this command to get your public IP.

:put [/ip cloud get public-address]

Jotne

Here is my version of DoH server not working any more. Thanks again for the idea. Added logging when things change. I love to log everything (see my signature) :local currentDNS [/ip dns get server] :local DoHDNS "192.168.20.10" :local backupDNS "8.8.8.8,1.1.1.1" :local testDomain "www.google.com" :...

Jotne

Thanks for the script. I do see a use for it in my case. I have a DoH server running separately on an MT running 6.47 beta. On my main MT Router i have one DNS point to that DoH MT router. If add a second DNS on main router, that will be used without going trough the DoH server. So I can use the scr...

Jotne

IP on bridge now looks correct.

Do past you code in code tags. Select you code text a click the code button </>

Jotne

/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=\ 192.168.88.0 This is wrong. your main ip should be on the bridge and not on an interface, when that interface is part of a bridge, same as you correctly configured DHCP server /ip dhcp-server add address-pool=dhcp di...

Jotne

I do not think you can just remove parts of log for one user. If you have remote scripts that do log in to the router and does stuff, it will be logged. This is way I removed all remote script and also SNMP, and instead made the router itself sending out all that you need to monitor my rotuers. Look...

Jotne

Are you saying that I just enter this and the old one is overwritten?
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

Yes. You may loose contact with the router, but you should be able to reconnect.

Jotne

All MT devices with more than on part can run fine as Switches. Just configure all part inn to one bridge group, and add IP if admin is needed.
Can not comment about the speed of it, but I think it should do well.

Jotne

This IP is the main internal IP of the router. When you do have a bridge, you do connect DHCP/IP etc to the bridge, not to an interface part of the bridge. So not like this: /ip address add address=192.168.88.1/24 comment=defconf interface= ether2 network=192.168.88.0 But like this: /ip address add ...

Jotne

If you do use PPTP, you should change to L2TP/IPSec.
If you do not use PPTP, you should disable it.

Post your config here.

/export hide-sensitive

Cut and past it in a post and wrap it in code block. Select your code and click the </> button.

Jotne

I do suggest you create a new thread. Not all are equal good to create an informative title.
So for example. Need a script to move IP from one address list to another.
And in new thread also specify what criteria needed to move the IP addresses.

Jotne

I do agree with anav, asking for syn packets in a "V7 question" topic is a bit off. Better to start another thread.

Jotne

Yeah I'm pissed Jotne obscured the process ...........

Uff, that was not my intention

Jotne

192.168.88.0/24 and 172.16.22.0/24 are both c net. 256 Address.
Was just asking since your scope was so small

172.16.0.0/16 is a b net

10.0.0.0/8 is a a net

Jotne

Yes I do use VLAN, did forget abut this table

Jotne

This is some wrong:

sourcetype=mikrotik counter>0  |chart values(counter) by name

Buts not easy to fix when I do not see the real log data.
Sent you a private message.

Jotne

Not a simple solution, but I do monitor lots of stuff using Splunk (see my signature) There is a specific view that show all filter rule action, so can see what is going on, I do log my last port of chain in port-knock to Splunk, so can see who enters. So far its only me, since no automatic script t...

Jotne

(2) Typical rookie mistake. See if you can see it. Can this error come from upgrading from older version where we did have a master port? So an upgrade of OS did this, or is it just normal that so many do this wrong? Here is the config so no need to download file :) # may/28/2020 18:26:55 by Router...

Jotne

My STP was set to none and showing no Hardware Offload.
Did try to change to STP stil no HW, then back to none, still no HW
6.45.8

Jotne

Not sure why you have a DHCP pool on only 10 IP when you are using a C net.
Maybe you have only a few host, or lots of devices with fixed IP?

Jotne

I think this:

add action=dst-nat chain=dstnat dst-port=8999 in-interface=bridge protocol=\
    tcp to-addresses=192.168.88.101

Should be your utside interface not bridge.

add action=dst-nat chain=dstnat dst-port=8999 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.101

Jotne

That is one of your problem.

You have to many open port.
L2TP/IPSec needs UDP/500 1701 4500
Rest should be removed.

Jotne

I do see the same as you . 750G r3 /interface bridge port print detail Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 0 I interface=ether3 bridge=Bridge1 priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no rest...

Jotne

I agree with Sindy, PPTP should not be used on the public internet. What you can do. * Block the 92.63.194.0/24 net. * Use a script that block the ip if wrong username is used. One of these scripts should work with just some small modification: https://forum.mikrotik.com/viewtopic.php?p=730484#p7304...

Jotne

It was a bug typo..... fixed

Jotne

it is a nightmare to calculate e.g. "2 hours 3 minutes 9 seconds from now" with the datetime format in ROS scripting, so it is much easier to create an address list item with this lifetime, and link the next action to expiration of this item (or, in another words, to the whole address-list becoming...

Jotne

Ok thanks.
But how to upgrade when I am on latest 6.47.rc2?

Jotne

viewtopic.php?f=2&t=161644

Jotne

What is "ultra fibre speed"? 1Ebps

Jotne

It seems that it is not possible to pass the output from the tool traceroute to a script.

Jotne

Why would you a function like this? I do ask, since If I do now the reason, I may see another way to solve this. I do use Splunk to do handle stuff that I need to monitor. Not a simle solution to solve this, but if you like to add an ip to an access list, and drop it. # Send packet to chain "Demo" o...

Jotne

Please use code tags for code. Click </> button when code is selected ; is not neded, so removed. (only needed when multiple commands on same line) and extra not needed else removed Tab added to better see strukture. #START :local comm "COMMENT" :local time 1 :local bt0 [/ip firewall filter get [fin...

Jotne

question 1: jan/02/1970 00:04:14 This tell me that you have not setup NTP at your router. You should do. . Not sure what your DHCP problem is, but is not ether1 your outside? how come your router list a private address like 192.168.100.11 ? . . question 2: I enter the recommended command below and ...

Jotne

Splunk for MikroTik updated to v3.0 Mayor changes is the PPPoE view and support for IPv6 in the MikroTik Firewall Rules module To upgrade, delete the folder /splunk/etc/app/Mikrotik Then install the unpacked spl (use winrar/winzip) file, install app from "Manage app" -> "Install app from file" To ge...

Jotne

Is it normal to have nearly 30 global variables default on hAP ac2? When I deleted them, they did come back. Router running 6.47rc2, never been on internet, just as a switch behind another router. Any documentation on what this is and what its used for? Some short like the two first here, but rest a...

Jotne

Or you can keep the IPSec open but add QoS and give then a very slow connection, like 1kbps.
Also logg all their traffic and see where they go.
You can also redirect port 80/443 to a specific web server, so same web page opens all the time.

Jotne

On the third line I use /interface to switch to a different 'path' and then I don't have to use a ":" for commands in that 'path'. As soon as I cal a global command then I have to use a ":". I have seen this behaviour as well. If you are doing lots commands in a sub folder you can skip the path if ...

Jotne

Others will say this approach makes no sense, why go through all the hassle of doing this : just drop any packet that is not part of a session or targeted towards non DNAT'ed ports and get on with your life ;-) and don't even bother logging this "noise" that exists "by default" 99.999% of these att...

Jotne

I have an access rule that if anyone tries one port that is not open on the outside, he will be blocked for 24 hour on any port. This gives me an access list with from 2000 to 15000 IPs at any time. If this for some reason is me that has been blocked from outside, I can use port knock to whitelist m...

Jotne

6.47 RC was just released over here: viewtopic.php?f=21&t=161583

Jotne

And 6.47 is still in testing

Jotne

Downloaded the file from this forum and expanded it using 7-zip (Winrar should do as well), so file seems fine,

Jotne

However, keep in mind i had a strong password. Strong password is not enough if this was used to administrate the box from outside (internet). Use VPN for administrate your box. If you can not use VPN, use: 1. Use another port than default. 2. Use port knocking. This prevents someone from seeing op...

Jotne

I am working with v3.0 and there the kv search is updated. Try this: This should just give the devices: sourcetype=mikrotik module=script script=sysinfo | dedup host Then if that gives lines, run this updated version. sourcetype=mikrotik module=script script=sysinfo | dedup host | rex "version=\"(?<...

Jotne

for example for only yahoo.com we have got a lot of IPs... how can i do it ? Most of today's website not just have many IPs, but also lots of the code on the page comes from other sits, like commercial and other stuff. So only allow the IP for a specific web site, may not give the result you want. ...

Jotne

To check the syntax you can put the code between { } : This is only when cut and past to terminal for testing and its more than one line. Inside script its not needed. This should do: :do { :local checkdns [:resolve "my.domain" server=1.2.3.100]; /ip dhcp-server network set 0 dns-server=1.2.3.100 }...

Jotne

It can monitor as many as you like. Only limit is the amount of data logged to Splunk. For free you get 500MB, that should be ok for a small to medium system, depending on what you select to log. DNS eats lots of log space. What OS did you try? I do in first post recommend Ubuntu. Ubuntu running on ...

Jotne

I have see KV store error due to certificate error on splunk. Other than that, I do not know what can be wrong. I do suggest that you install Splunk from scratch on an Ubuntu 18.04 or 20.04 server. Works every time I have tried. I do use less than an hour to install Ubuntu/Splunk and Mikrotik plugin...

Jotne

Try it out,

Test it from command line, cut past.
first with and "my.domain" correct, then change this to a name it does not resolve, to see if DNS is changed,

Jotne

I do not need it, but other may help you with your config.

Run form terminal this command to get everything.

/export hide-sensitive

Cut and paste everything inn to a post here using code tags </> (select code and click the button to get code tags)

Jotne

I hva not tested it, but remove :put in front of /ip dhcp...

Test all commands one by one and see what is changing.

/ip dhcp-server network set 0 dns-server=X.X.X.X

do this adds or change dns when run, test it out.

Jotne

What 6.46, and where are your export?

Jotne

Or if you can get my previous post to work with packed marking, you could use source mac address.
Then it does not matter what IP the client gets. The client then get routed based on its mac address.

Jotne

After April update

What version? MT have different train.
6.45
6.46
6.47 beta

@Discmandj: can you please share your config /export hide-sensitive file=config for both routes.

Jotne

You can solve this in two ways. If you have an internal DNS server, add your full host name to it with internal IP. Inside user then points directly to inside server IP, and outside user points to outside public IP + traffic goes directly to your inside server for inside clients - needs an internal ...

Jotne

:do {
	:local test [:resolve "test.com"] 
	:put "this will run on success"
	:put "some more to do"
} on-error={
	/ip dns set servers=1.1.1.1
}

Jotne

It seems that you can mark the packet for one IP and then set a unique route for that marking.
viewtopic.php?t=65544
Dont ask me how, since I have not tested it and mangle is not my field

Edit:
This may help:
https://wiki.mikrotik.com/wiki/Policy_Base_Routing

Jotne

@nichky

Use the "Post Reply" button to reply someone. If quote is needed, only quote some part, not the whole post.
Here you quoted the post without writing anything

Jotne

Did an change in what to debug settings in first post Change from: /system logging add action=logserver prefix=MikroTik topics=!debug to: /system logging add action=logserver prefix=MikroTik topics=!debug, !packet This reduces overall DNS logging by 80% So I do suggest that you add this, specially i...

Jotne

But if you need a script, this should do:

:do {
	:local test [:resolve "test.com"] 
} on-error={
	/ip dns set servers=1.1.1.1
}

Jotne

Why not just add more DNS server.
8.8.8.8
8.8.4.4
1.1.1.1
1.0.0.1

Jotne

And also edit your subject in the first post to describe what your problem is, and not just asking for help.
Ans when posting the config of your router, post it in code tags as text and not just upload the file.

Some like this

Jotne

As I can see, he did fix this after my first post abut it.

I have made the change as suggested but it does not make any difference to the download speed of the LAN connection.

Jotne

I think its only for MT staff.

Jotne

Script updated to 3.9

Gives better command history for Router OS v7 or newer.
Fixed better handling with NTP/SNTP information

PS script can be updated without update Splunk software.

Jotne

Its better if you post the config directly and not just the file, but like this: # may/24/2020 07:40:23 by RouterOS 6.46.6 # software id = 0Q6R-8P8C # # model = RB941-2nD # serial number = 9D740A0996CE /interface bridge add admin-mac=74:4D:28:33:0F:88 auto-mac=no comment=defconf name=bridge /interfa...

Jotne

To get better detail about the field, use as-value. Try cut/past this script. Its part of my Splunk script to monitor all wifi clients. (see signature) { :if ([:len [/interface wireless find ]]>0) do={ :foreach logline in=[/interface wireless registration-table find] do={ :local output "$[/interface...

Jotne

Most of the work is just a copy from this: viewtopic.php?t=147251
That is ok, but giving the original creator some credit, or just a link to the original post would be fine

Jotne

You are welcome.

As for the first part, to get information, you could do:

:foreach i in=[find] do={:put ([get $i]->"address")}

You need to handle it as an array. To get a kv field you do use the $array->"field" Where the array her are found by the [get $i]

Jotne

This should do:

:foreach i in=[find] do={set $i address=192.168.20.2/32}

or since its just one IP and no subnet:

:foreach i in=[find] do={set $i address=192.168.20.2}

Jotne

Script updated to 3.8
Fixed so that some information only get collected every hour, even if scripts run every 5 min.
This is to not flod system with duplicate information.

Jotne

Do you need to administrate the router from the outside? If yes, VPN is the way to go for Router admin from the outside. If VPN is not possible to use, then to access the route: 1. Use another port than default. 2. Use port knocking. This prevents someone from seeing open ports. 3. Use a long and go...

Jotne

Splunk reads data since rights on the files are set by syslog so Splunk can read them and inputs.conf tells it to read them. -rw-r--r-- 1 syslog syslog 2520311 May 22 12:56 20200522-12.log The "r" in all three places makes all able to read the files. To test, log in as the Splunk user: sudo su - spl...

Jotne

1 S 10.. PTR http://www. sensor1.com 1d

You can not have space in DNS names, so www.sensor1.com should work. (this belongs to sensor-1.com)

If this is purely to access server on internal net, do use a name that does not belongs to someone else.
example sensor1.home

Jotne

In my work splitting an Ethernet cable to get more separate lines is a no go.
Add a new cable if you need more lines.

Jotne

Ahh, that explains it! Yes, then I think it's it's quite likely that my ISP is to blame. They also block other things like any outbound TCP connections TO port 25. I guess all this makes sense to prevent malicious activity, but it is annoying. TCP/25 is normal to block due to email spam from variou...

Jotne

And here is the script. Schedule it to run every 5 min and it will send all new command to syslog { if ([:tonum [:pick [/system resource get version] 0 1]] > 6 ) do={ global cmd local f 0 foreach i in=[system history find] do={ if ($i = $cmd) do={:set $f 1} if ($f<>1) do={ :log info message="StartCM...

Jotne

It seems that MT is working on some in v7. Adding a filter rule, then system history show the complete command: V7_Beta] > /system/history/print detail Flags: U - undoable, R - redoable, F - floating-undo U redo=/ip firewall filter add action=accept chain=forward disabled=no dst-address=0.0.0.0/0 lo...

Jotne

With more than 300 post, you are not 100% new user.
RouterOS is closed source, so no underlying access.

Jotne

no Linux root access is possible then... nothing for me then...

Do you have any other RouterOS with Linux root access?
Why ask for it on v7?
What do you miss on RouterOS since you need root access?

Jotne

Here is an example on how to remove space from an variable.
Or actually it takes all text up until first space.

{
:local test "MyTest "
:put "Before *$test*"
:set test [:pick $test 0 [:find $test " "]]
:put "After *$test*"
}
Before *MyTest *
After *MyTest*

Jotne

Do you know of a script that converts from epoch to mikrotik date / time? Not seen, but should not be to hard to make. Problem is that MT uses various from of date logging. * If log time is less than 24 hours (or is it from this date, not sure) it uses time only: 13:56:28 * Older logs with month an...

Jotne

I have posted a solution in this thread. https://forum.mikrotik.com/viewtopic.php?t=75555 You then have a script that converts date to epoc time so that you can do the math. Not an optimal solution, but should work. I have sent email to support@mikrotik.com for them to implement better date handling...

Jotne

This: /interface ethernet print give only information about the interface it self and its mac address. Not mac-address that ar connected to it. [xxx] > /interface ethernet print Flags: X - disabled, R - running, S - slave # NAME MTU MAC-ADDRESS ARP 0 RS ether1 1500 00:50:5A:AA:5F:75 enabled [xxxx] >...

Jotne

I did try to see if it was possible to get the mac from all interface, not just bridge, but still no luck. But if there are some I do miss and its possible, it should be possible to make a script that covers both bridges and ports. Mye ethernet1 is connected to the wan and do not have any bridge. Th...

Jotne

And as I do write, this shourtcut links is just a redirect.
You need to open all involved site, like whatsapp.com

Jotne

If you use RouterOS built in dynamic DNS updater /ip cloud, you get a free DNS to use some like this:

6f3806e0aaaa.sn.mynetname.net

Then you can use this directly, or point other service like DuckDNS, Dyndns to the name and no more manual or scripted update neded.

Jotne

This seems to work: { :local ip /interface bridge host :foreach ID in=[find] do={ :local inf [get $ID interface] :local mac [get $ID mac-address] :local idmac [/ip arp find mac-address="$mac"] :if ([:len $idmac] > 0) do={ :set ip [/ip arp get $idmac address] } :put "interface=$inf mac=$mac ip=$ip" }...

Jotne

/ip arp print

or

/ip arp print detail

Jotne

I do agree that this is a wrong as well.
172.16.16.1 is not a public IP, so they should change what they write or another example IP.

Jotne

Maybe it redirect you to some other page that you have not open?
It seems to redirect to whatsapp.com, that also need to be open i guess.

Jotne

I did try this some time ago, and my kid did change his mac, so did not help at all

Could be an option to block all mac address, except the one you allow, but would not be any fleksible at all.

https://www.groovypost.com/howto/change ... ws-10-why/

Jotne

If you have not yet done, you should send an email to support@mikrotik.com.

Jotne

For a KV array, you can do:

{
:local array [ :toarray "producer=ford;color=blue" ]
:set ("$array"->"type") "mustang"
:put $array
}
producer=ford;color=blue;type=mustang

Jotne

Other question: Is there an option, to give comments to the IP-Adresses in Traffic Throughput Monitor? Sometimes the IPs are solved to Hostnames, but I would be happy to define comments as well. What commend do you like? Name of host are resolved when Splunk uses DNS to find its name. There are sev...

Jotne

All MikroTik routers run RouterOS and can be setup as hotspot.
You can use a router without wifi as hotspot and use a Cisco Wifi accesspoint if you like.

Jotne

Did not understand the question.
My post above clearly stats that if you run Splunk as a non root user you need an external server to receive sysloge.
At least if you uses port below 1024, Splunk will not work. So Mikrotik send udp/515->rsyslog server <- Splunk reads the file.

Jotne

Google search is a nice tool to find these types of stuff.

Example here:
https://wiki.mikrotik.com/wiki/Manual:Tools/email

Jotne

If you do use Splunk as a non root (recomended) user, you need an external Syslog server. This setup needs Splunk for Mikrotik v3.0 to read field correctly. (out soon) This is how to set it up using Ubuntu server. Should work on most version. rsyslog comes default with Ubuntu so no need to install a...

Jotne

Other question: Is there an option, to give comments to the IP-Adresses in Traffic Throughput Monitor? Sometimes the IPs are solved to Hostnames, but I would be happy to define comments as well. I do recommend using Linux for Splunk. Its created for Linux, later exported to work in Windows. My inst...

Jotne

MikroTik should explain what it means with contains in the firewall filter when address is selected.
I would say that this still is a bug and needs to be fixed.

Searching for address contains 192 should give positive on all these lines

192.168.0.1
10.192.20.45
16.23.192.53
72.100.20.192

Jotne

MAX_TIMESTAMP_LOOKAHEAD = 23

Added in the upcoming 3.0

Jotne

I have a mikrotik device connected to the internet via pppoe. I need to be able to monitor the device via snmp. In my project using Splunk to monitor RouterOS I stopped using SNMP, since public IP may change. I do us script on the router that sends all needed information to a sentral Syslog server....

Jotne

What about this search? sourcetype=mikrotik module=script script=sysinfo | dedup host | rex "version=\"(?<version>[^\"]*)\" board-name=\"(?<board_name>[^\"]*)\" model=\"(?<model>[^\"]*)\" serial=(?<serial>\S*) identity=\"(?<identity>[^\"]*)\"" | table host identity serial model board_name version

Jotne

Can you try to run i manually.

Splunk-app:Mikrotik->Reports->Click on name "device lookup updater"

Do you get any information? (Try it twice)
If not, what do you get

Splunk-app:Mikrotik->Reports-> "device lookup updater" Open in Search

Jotne

In API I do not know. but on console for v7.0 b5 both with and without colon do works.

Some strange that RouterOS then allow you to skip the Colon, when manual clearly stats that you need it?

Jotne

You are 100% correct.
I did fix this by using coalesce

| eval identity=coalesce(identity,host)

Version 3.0 will be out soon with this fix and som other stuff as well.
PPPoE logging
IPv6 IP support in firewall

Jotne

I Mikrotik Router OS scripting.
Is there any reason to use the Colon : in front of commands

Eks This works

:do {:put "hello"}

And so do this:

do {put "hello"}

Is there any reason to use one or another.

Jotne

From a terminal window try tu run the script manually. :put [/wireless access list find where comment ~"limit"] If this does not show anything, you do not have any access list with comment "limit" If you see data then try cut/past this to cli. { :foreach i in=[/wireless access list find where commen...

Jotne

And the answer in the post you link was:

You can't.

PS please post image to the forum and not using link.
Using the Attachments function below the post when edit it and upload the image.

Jotne

Same script, with tabs and without not needed semicolon. :log info message=("Start Check Logged Users") :local tmpAllTheUsersLogged value=[/user active find] :if ([:len $tmpAllTheUsersLogged] > 0) do={ :local tmpMessage value="" :foreach tmpArrayItem in=$tmpAllTheUsersLogged do={ :set $tmpMessage va...

Jotne

An serious error found in the script in 2f. If NTP module is missing, the whole script fails. Fixed in new version 3.6.

Jotne

Post the image in the forum, its better then external link. Click the Attachments below the post.
.
.

error.png

Jotne

Its better to post the file in the post here. Click the Attachments under the post and add the file, like this: export-data_clean.rsc Or just cut and past the code inn to the post with code tags </> like this: # may/10/2020 21:53:59 by RouterOS 6.45.2 # software id = ZJ3M-ESHW # # # /interface ether...

Jotne

VPN is the way to go for Router admin from the outside. If VPN is not possible to use, then to access the route: 1. Use another port than default. 2. Use port knocking. This prevents someone from seeing open ports. 3. Use a long and good password. 4. Use access list to prevent any random internet fr...

Jotne

Do you see any data in other graphs?

Jotne

Thanks for the contribution, but always add the file to the board, not use link to a site. Especially when its not in English.
To attach a file, click the Attachments folder below the edit field and add the file, like this:

PSPad-RB.rar

Jotne

When you use set of a variable, it should be declared fist (but works without), so either this; :local result :set $result [:resolve mt.lv] :put $result Or set it directly when declare the variable like this: :local result [:resolve mt.lv] :put $result One line local result [:resolve mt.lv]; :put $r...

Jotne

Auto upgrade MT routers may fail. There has over the last years been several times bug has been introduced or change to some like Wifi that made the router stopped working. So a delay is minimum thing that should be in the script. But If I had lots of routers and lots of time, I would have setup a w...

Jotne

Its possible by setting an gloabal variable with history of the user logged inn, but would be some complicated.

You can also look at my Splunk project in my signature. There you can see in an external app all logged in user/when and get it nice graphed.

Jotne

Post your config:

/export hide-sensitive

Jotne

This will list all static DHCP leases and put Name and Address in to variables for later use: { :foreach i in=[/ip dhcp-server lease find where !dynamic] do={ local Name [/ip dhcp-server lease get $i host-name] local Address [/ip dhcp-server lease get $i address] :put "Name=$Name IP=$Address" } }

Jotne

Did you search the forum?
viewtopic.php?t=78746
Even if this post is old, its still valid

Send an email to supprort@mikrotik.com with this as a future request.

Jotne

Even better, export all.

/export hide-sensitive

Jotne

Should do

Jotne

1.1.1.1 is not an NTP server.

Find a server from this pool.
https://www.pool.ntp.org

Jotne

My bad.

When NTP is not installed, it uses a simple NTP or SNTP, not sure.

You set it up from CLI, did not find any info in WinBox

/system ntp client set enabled=yes
/system ntp client set primary-ntp=1.1.1.1
/system ntp client print

Jotne

Here is an updated version that could be used to both get current time or convert data from input. Example current time :put [$EpochTime] 1588597644 Convert time :put [$EpochTime "may/01 16:23:50"] 1588343030 EpochTime "15:23:50"] 1588598630 When date not give, it uses current day/month/year :global...

Jotne

Found this thread: viewtopic.php?f=9&t=75555

If I am able to change the script to take input, I will try to make a script that convert the time field to epoch time.
Then it should be easy to calculate older than 7 days.

Jotne

Thanks for the script. This is some I have complained to MT support about. Some like this should be built in to the RouterOS software. As it is now, its impossible to handle time in RouterOS. Example: From Cli, look at log time. For event less then 24 hour, only time is shown. For event more than 24...

Jotne

My hEX (RB750Gr3) do route fine between VLAN.
Main VLAN (my home)
Guest VLAN
DMZ VLAN

As mkx write

BTW, hEX can route around (or slightly less than) 400 Mbps ...

Jotne

SNTP is not the same as NTP
Do you have the NTP package installed? Look at:
System -> Packages
There you should see under name a NTP package.

Not sure if SNTP can respond to other NTP request, it may only be a NTP client and not a server.

Jotne

/ip firewall address-list remove [find where comment=$user && name=RC] This does not work since in Winbox an entry is called name, but from terminal its called list So: /ip firewall address-list remove [find where comment=$user && list=RC] If you from terminal type this: /ip firewall address-list p...

Jotne

Since I already need to use the ACL FW for normal LAN users As you see many other reply to your post that your should not use L2 Firewall. You need then to handle one and one mac/ip address. How do you know someone does not fake mac so they get changed to the other side of the firewall? One way to ...

Jotne

p.s. semicolon these are the rules of good form

That was long time ago, things changes.

Jotne

You create a VLAN for all Guest, then add the port for the guest to this VLAN, same with create a own guest Wifi.
Then you make filter rules.

I do not recommend at all mixing in Layer 2 firewall. Do a VLAN and stick til Layer 3 Routing/firewall. Make it simple.

Jotne

I can not help you at the moment, since I do not have any external MT but its some interesting approach. Since you try from one Mikrotik Router to another Miktroik Router, have you tested L2TP/IPSec to see what speed you do get? Do you see new entry in the access list knock1000 on the main router wh...

Jotne

How did 100.100.100.209 end up in your address list? Just because he did connect to you using ppp? Since its not dynamic D, then someone or a script did add this. Another thing 100.100.100.209 is part of the public internet, and should not be used internally. Give the whole story. Are you using pppo...

Jotne

How do the name get there in the first place?

Jotne

What is wrong with this thread?

viewtopic.php?f=9&t=160654

Jotne

So you have a unique firewall filter for every user? Why would you have that? When do the filter rule get created? As I wrote before, no need for semicolon at end of line.... And use code tags around the code. Its a button like this </> above the post when edit/write it. You also have an extra } tha...

Jotne

Not sure why its not working, but since you already have the ID of the line to delete, just use the ID like this: { :foreach i in=[/ip firewall address-list find where creation-time~"apr" && list~"mylist"] do={ :local address [/ip firewall address-list get $i address] :log info "Removing $address in...

Jotne

I have not tested your script, but some tips. No need for semicolon ; at the end of each line, only between commands on same line. Change this: :log info "fqdn: $hostname"; :log info "ip: $leaseActIP"; :log info "registering: $leaseBound"; :log info "matching records: $recordExists"; to :log info "f...

Jotne

It seems that you try to do some that its not common to do (firewall in local lan). Why? It may be better to use different subnet. Your next post should be a diagram, and also do /export hide-sensitive so we get the whole picture. Also stop spamming the forum with post Do not multipost. If you have ...

Jotne

We are saying that you mix thing. User logging inn to the router using web/winbox/telnet/ssh, has nothing to do with /ppp secret. To get all user logged inn to router, do: { :foreach UsersID in=[/user active find] do={ :local User [/user active get $UsersID] # change line below to email :put $User }...

Jotne

RouterOS was installed, and it said and says it operates in Bridge Mode as opposed to Router Mode (= selectable). So you are using the device as a switch? If so you have to turn on use ip firewall for the switch. If not, nothing will pass trough the filter rules, if I am correct. /interface/bridge/...

Jotne

I can see you can do this as a test, but in a production router I have not done any thing like this.
Make a good configuration and let it stay.

Jotne

If there is noe solution, start with a default configuration, delete fast track. Then add inn one and one rule.

Jotne

If ports are not member of a bridge, then packets need to go trough the routing process.
https://help.mikrotik.com/docs/display/ ... n+RouterOS
https://www.youtube.com/watch?v=MF0lGclPa5E

Jotne

Start by disabling fast track, then we can have a look at the counters. https://www.youtube.com/watch?v=6LaqhDm6PHI

Also try to understand this page as well.
https://help.mikrotik.com/docs/display/ ... n+RouterOS

Jotne

Can you explain why you are doing this. I would not have dared to delete any access list (filter rule) just by number. If this are temporary access list I would have used some form of naming, and deleted them by name. This way script can not by accident delete important rules, and in worst case prev...

Jotne

Not sure what you try. What is the final goal? Why do you need to get users password in a script? /ppp secret This is where all user for remote connection (VPN) are stored. name=winbox This sounds like and admin user and should not be found here: /ppp secret winbox is a bad username both as vpn and ...

Jotne

I do agree that RouterOS is no good to debug. IF some stops, it should log a line telling where and what failed. At least on-error should pick this up so that the sctipt does not stop. I do see that this problem has been around for 10 years+ https://forum.mikrotik.com/viewtopic.php?t=26893 You need ...

Jotne

You are welcome.

This is why I always run scripts from command line wrapped in {} and change :log to :put, to see all what is going on.

Jotne

This works and was just posted some days ago by me. https://forum.mikrotik.com/viewtopic.php?f=9&t=160442&p=789115&hilit=address#p789115 { :local newIP 192.168.0.1 if ([:len [/ip firewall address-list find where address=$newIP list=Control]]=0) do { /ip firewall address-list add address=$newIP list=...

Jotne

I was thinking of blocking Apple devices

Jotne

Its som hard to debug such a big script. If you wrap the script in {} and past it to the terminal, its easier to see where things go wrong. Same with put instead of log. All on screen when things are running. Also split the scripts up in parts and cut/past part by part to terminal. What version is y...

Jotne

Not sure what is wrong, but I do use Splunk (syslog) with RouterOS to get all DHCP information.
Look at link in my signature for example.

Jotne

I know this error is due to fact that ROS is "forgetting" some dynamic entries during script execution but thiis is basically single, atomic instruction. This can be how ROS handles subroutines. Without showing the whole script its not easy to see what is wrong. Add the whole script in { } and cut ...

Jotne

This command should do:

/ip firewall mangle reset-counters-all

Jotne

I do agree that it can be done.
But around 100 buildings, 2-30 doors to enter in every building, it would be some mess to update

Jotne

Runs for the hills....................... Hint: Put a password on that guest wifi and busstop users wont be able to login. ;-P

Not as easy as it sounds. User now help them self and authenticate using SMS. If there is a password, users need to have a way to know the password.

Jotne

Will CCR2X series come out straight with ROSv7 or will it be part of the v6 family first?

Do you expect an answer from MT on this? They will not respond.

My guess, no, v7 is in early beta stage.

Search found 1638 matches