MikroTik

Jotne

Start by writing your goal.

Eks I have this data,
From those, I like to find blabla
Then my output should be....

Jotne

Not sure why its locked.

I will collect what I find here, and then send a email to support when I have a large list:

This commands fails from termianl. Works fine on <=6.46beta

/ip accounting uncounted print

not enough permissions (9)

Jotne

One of my Splunk scripts does not work on v7.0 beta 2 { :local SystemInformation true if ($SystemInformation) do={ :local version ([/system resource get version]) :local board ([/system resource get board-name]) :local model ([/system routerboard get model]); :local serial ([/system routerboard get ...

Jotne

Id is just a temporary variable that do changes all the time. Use id only after you have find some thing.

Eks

/tool user-manager user find where name="test"

This will give an id that could be used later on.

Jotne

In my project Mikrotik for Splunk, I do get this information using syslog to send it out of all routers. See example here: viewtopic.php?f=23&t=137338#p698803

Jotne

It should be fixed, but in the meantime send your logs to an external syslog server.

See my project here: viewtopic.php?t=137338

Jotne

RouterOS is a rather complex and if you are new, you will get lost. But after learning it, you will love it. There are nearly nothing you cant achieve with it. Youtube are a great source of learning things. This guy has posted 96 video on various Mikrotik topic: https://www.youtube.com/user/rodrick4...

Jotne

Since many routers do not use switch chip, but bridges instead, this solution my work:

:local if "ether1"
if ([:len [/interface bridge host find where on-interface=$if]] > 30) do={
  /interface ethernet set $if arp=disabled
} else={
  /interface ethernet set $if arp=enabled
}

PS not tested.

Jotne

It should work on both SSH and terminal within Mikrotik. I do all my script testing from terminal, mostly SSH, since its easy to see whats going on. [admin@test] > :put "hello world" hello world [admin@test] > Look at my Splunk for Mikrotik in my signature. There I do use script to get lots of data ...

Jotne

Why use all these complicate code, when you can just go to IP Cloud and turn it on. Then router does everything for you.

To get the IP address in code:

:put [/ip cloud get public-address]

Jotne

:put #sends output to terminal
:log # sends output to log screen

Start by reading this https://wiki.mikrotik.com/wiki/Manual:Scripting

Open a terminal window or SSH/Telnet to the router.
Cut an past this to the terminal

{
:local test "hello world"
:put $test
}

Jotne

You was very close. Only miss quote on the variable "00:00:00:00:00:00" /ip firewall mangle remove [/ip firewall mangle find src-mac-address="00:00:00:00:00:00"] PS use code tags around your code post. Select code, click <\> I always use :put to test of some works or not. Try these two and see diffe...

Jotne

i have a special user ("root") for a ssh (Key based) call to an raspian like

What is your goal with this? why call the PI?

Jotne

Doing the upgrade to the subsequent version via the downgrade first does not look like a straightforward way. And that seems to be the only way for this device, unless npk becomes smaller in size. It will become better since 6.46 is smaller than 6.45. It was just some version of 6.45 that was on th...

Jotne

Did you try as I write above? Downgrade to a smaller version before upgrade? example 6.43.7

Jotne

Then try this:

{
/interface bridge host
:foreach i in=[find] do={
:local localmac [get $i mac-address]
:put "Found ths MAC Address in $localmac"
}
}

To see all information

/interface bridge host print

Jotne

Depending on your device switch implementation, you may not see mac address this way. Do you get any output from this? /interface bridge filter print I guess no. Try this instead: /ip arp print You will not see what mac address its connected to what port, it port is part of a bridge. You will then s...

Jotne

Downgrade to 6.43.7 went fine.

Now you can try to upgrade to 6.45.6. Since 6.43.7 takes less space compare to your previous version was larger, 6.45.6 may now fit.

Jotne

due to bridge configuration changes

Can you post what did change?

Jotne

Not directly an answer to your question, but this how I would do it. Schedule this script (not tested since I do not have hotspot) :foreach logline in=[/ip hotspot active find] do={ :local output "$[/ip hotspot active print as-value from=$logline]" :set ( "$output"->"script" ) "hotspot" :log info me...

Jotne

As for using :global instead of :local, there wasn't a reason besides being able to see the script output on the script>Environment tab. I do always run the script from command line using :put to see whats going on like this: { :local systemtemp [/system health get temperature] :put $systemtemp } P...

Jotne

I know this post is well over a year old, but since no one has responded to it I thought I would. Please edit your post. Select code block and click the </> button above the text field to code tag scripts. like this :global "systemtemp" [/system health get temperature] :global "cputemp" [/system he...

Jotne

Posting a screen shot showing the problem would help.
And if its a bug, this is not the correct place to ask for help.
Send an email to support@mikrotik.com

Jotne

Did you read this thread?
viewtopic.php?p=748889

Jotne

Should read before I post

From the .ko file

vermagic=4.14.131 SMP mod_unload ARMv7 p2v8

So 4.14.131

I guess 5.x is to new for MT, only some month.

Jotne

Hopefully its close to this:

Latest linux release 5.2.11 (29 August 2019)

At least based on 5.x and 4.x

Jotne

To get only the mac of the blocked users:

{
foreach logline in=[/ip dhcp-server lease find where block-access=yes] do={
  :put [/ip dhcp-server lease get $logline mac-address]
}
}

Jotne

Use Code tags on your code. Mark test an click </> above your post. Also post with tabs to make script more readable. And write some more what this is, whey to use it and when. Here is a repost with code tags and tab. ##################################################################################...

Jotne

else if and switch case are not implemented at the moment

So you are working on it? I am waiting with high expectation

Jotne

Also change your first post and change title from:
i have a problem, need help
to some like this
Need help with DMZ config without access to local network?

More people may take time to read it.

Jotne

SwOS version 2.10 released!, but no post for MikroTik about it. Click on 2.9 Changelog and you see this: What's new in v2.10: *) do not ignore RSTP port state when forwarding DHCP, PPPoE or IGMP snooped packets; *) IGMP snooping: send out IGMPv3 queries by default; *) IGMP snooping: handle IGMPv3 le...

Jotne

Not tested, but may work. Downgrade to an older or upgrade to beta image that is a smaller image than you currently have installed, then upgrade to 6.45.5, or wait for 6.46 that looks to be smaller. List of SMIPS version and the size of them. Version bytes 6.46.38b 7445921 6.45.5 7689899 6.45.4 7722...

Jotne

Sorry did not test it that way.

If you use it a a global function I assume its gone after reboot. So you need some script to restore it.

Jotne

Removed

Jotne

Google is your friend.

viewtopic.php?f=9&t=56933

Jotne

What router do you have, and what firmware are you on?
Old firmware have been hacked.

Jotne

1. Blocking only DNS, is not the best option. Use DNS redirect to your choice of DNS. This way equipment with fixed DNS like Chreomecast still works, and you still can control DNS filter. 2. You Video is very cluttered. Get rid of TIFTOK in front of the Video (if needed it, put it down on the side)....

Jotne

I know, but MT could add BC or other Linux tool to the script to handle decimal.

Lokking forward to v 7.0

Jotne

However: Does forcepoint work with _ALL_ domains ? (facebook, google ...)

Yes it does.

But there are some domains that are white listed like banking etc.
Also if you try to install an App on your computer that do releay on HTTPS, it will not work without being white listed.
Eks Ultrasurf ++

Jotne

But do you have SSH to your router wide open on public internet????

Jotne

I am always working with some changes, and release new version when I have spare time to do it :) Here is the working list for 2.8 # 2.8 (xx.xx.2019) # Added interface changes # Updated script to 2.7, added uncounted traffic and fastrack test, fixed when missing temperature # Updated script to 2.8, ...

Jotne

In notepad++ you can select few lines and press TAB to create a tab-in-many-row-at-once and SHIFT+TAB to reduce tabs in selected row. Easy.

Did not know. Good tips.

Jotne

Interesting.

I may implement this in ver 2.8

Jotne

Will be solved in ROS 7.......

Jotne

Math is not broken. Router os support only integers. 2019 Is this still true? { local speed 10 :put $speed :local speedknots ($speed * 5) :put $speedknots } 10 50 { local speed 10 :put $speed :local speedknots ($speed * 1.5) :put $speedknots } 10 Script Error: cannot multiply time interval by ip pr...

Jotne

It seems that RouterOS does not support decimals

But to do math, you need parentheses.

{
local speed 10
:put $speed
:local speedknots ($speed * 5)
:put $speedknots
}

Jotne

For test I do use many version of backup config and it could be nice to have folder to store them in.
One for wifi, one for hotspot etc.

Problem is that on my hAP lite I needed to delete all file to be able to upgrade due to the small space on the box.

Jotne

I am some shocked.
A script on 200+ lines is needed just to create a folder in RouterOS.
This is some MT should add a built in function.

Jotne

@krafg I tried to read your script, but it was very hard to understand do to formatting. Please use tab for each loop when you make script. I have modified for you. Try to copy past it to notapad++ and you see what I mean. { :global ledsafter 10 :global ledsbefore 20 :global runloop true :do { /int...

Jotne

Tried upgrading hAP from 6.45.1 to 6.45.5. Result: Not enough space for upgrade!

On my hAP lite, I had to delete all backup files and other files from the flash folder to be able to upgrade. Så this may be your problem as well.

Jotne

Version

 :put [/system resource get version]
6.44.5 (long-term)

Board name

:put [/system resource get board-name]
hEX

Model

:put [/system routerboard get model]
RouterBOARD 750G r3

See script in my signature (Splunk) for more example

Jotne

Topic of previous (6.45.3) version: https://forum.mikrotik.com/viewtopic.php?f=21&t=150767 This does not help. Someone needs to make a post in previous version with a link to this new version so that people who subscribe to previous version, see that a new version is released. Then its ok to close ...

Jotne

:put [ /ip firewall filter find action=drop ] it seems should provide a ilst of all rules that have action=drop in them. What I get is this: *2f;*9;*a;*c;*19;*20;*27;*31 Great, right? It's the last rule on the list so I figured it was line 31. I can see it via /ip firewall print. Not right, it coul...

Jotne

You should edit the header of the post to:

Wireless feature requests ROS 7.0

So its easy to see that it has to do with v7.

Jotne

Have you looked at this thread?
viewtopic.php?f=2&t=131383

Jotne

:local myarray {1;2;3;4} :set $MyArray ($MyArray, $Value); This way is more like a join of two variable, compare to work with an array. Better way to work with arrays are like this: { :local myarray {type="ford";model="mustang";color="green"} :set ( "$myarray"->"year" ) "2015" :set ( "$myarray"->"c...

Jotne

Did you have a look at this post?
viewtopic.php?t=75081

Jotne

Here is one big problem with ping. Router Interface 1 (Public IP 1) ----------- ISP 1 DG --------------Internet Router Interface 2 (Public IP 2) ----------- ISP 2 DG --------------Internet Lets say you have if1 as default gw and set a ping to ISP1 IP to see if he his up or down. Then line to IPS1 go...

Jotne

What you can do, is to force all to use only correct DNS. Then you can block DNS to facebook, youtube etc. Or you can use third party DNS like openDNS that can block DNS. But this does not prevent user from using VPN/Proxy+++ Eks: https://nl.hideproxy.me/index.php#p745235 openDNS can block some of t...

Jotne

Maybe if you post why you need to downgrade, we can be able to solve it without need to downgrade.

Jotne

:put [/interface vlan enable [find where vlan-id!=10]]

Jotne

I think you could probably change it to MAX_TIMESTAMP_LOOKAHEAD = 29 The timestamp in your events is "08-18-2019 19:09:43.054 +0200" and Splunk needs to know that all of that is part of the timestamp in order to parse things properly. If you use 23 for the lookahead, Splunk may not catch the timezo...

Jotne

Edit you post, select your script and click code button </> to get a better formatting on your post.

So it become like this :)

Jotne

Or just

/export hide-sensitive

Copy/Past result here.

Jotne

How did they get there?

Jotne

*) log - increased log message length limit to 1024 characters;

Working fine
Reported 02.08.2019
Fixed 22.08.2019
That was quick, thanks.

Jotne

Good to see that the video posted is real.

In the video its mention beta99 3 Apr 2019
Your post shows alpha220 14 Aug 2019
Maybe you are going backwards

We are waiting and looking forward to testing this new version

Jotne

Then I do not know what is wrong with your system. This is the correct name Joel and it has data. .id=*2;comment=;name=Joel;rx-byte=2780384118;rx-drop=0;rx-error=0;rx-packet=4765960;tx-byte=9822790120;tx-drop=0;tx-error=0;tx-packet=9641311;tx-queue-drop=37539; Not sure if I can do any more help This...

Jotne

Change :log info to :put and you get output on your console and wrap the code in {} and you can run int from command line to test thing out. So this works fine: { :local myVar :set myVar "test" :put "$myVar" } PS ; is not needed, only when multiple commands on same line You can also skip the set (de...

Jotne

This should do: { :local ver [/system resource get version] :put [:pick $ver 0 [:find $ver " "]] } :local ver [/system resource get version] Get the line [:find $ver " "] gets position of space [:pick $ver 0 [:find $ver " "]] get text from position 0 to first space See manual here: https://wiki.mikr...

Jotne

For me it then sounds like you have a time problem. Its important that all clock is synced by using NTP. Look at time on your router and on Splunk server. It should be within the same second. Or date stamp is in the wrong format. Not sure how you can get this, since MT sends it in correct format. Yo...

Jotne

Should be doable if logg store data as long as one month.

See here on how to get an idea on data calculation.
viewtopic.php?t=119703

Jotne

Then try this and post answer here.

:put [/interface print as-value stats]

Should give data for all interface. Do you se "joel" as a name there.

Jotne

I see that you have used 60 minutes.
The you also have to schedule the script to run 60 min , not 5 min as I have used as standard.
If not you will get double logging and IP will be added multiple times.

Jotne

Agree. Hopefulle MT reads this post and add it to their train

Jotne

Not a respond to your question, but do you relay need old, obsolete, not encrypted, not secure PPTP VPN?
You should change to a better, newer VPN solution like L2TP/IPsec or SSTP.

Jotne

You do not have the possibility to try a test server and install Splunk as root with only follow the first post?`

Whats wrong in your case is a riddle.

Jotne

I guess the book is good to understand whats beneath many of the functions. But take care on some function that has changed rather dramatically lately. Like how to interfaces works with bridge configuration.

Jotne

I do recomed TKSJa's video. Hi has posted nearly 100 tutorial videos.
Gives you step by step instruction.

https://www.youtube.com/user/rodrick4u/videos

Jotne

Strange. Are you 100% your server is listening on Syslog UDP/514? Here is how to test. Search for this with REAL-TIME - 1 minute window "hello" Then on a linux server run this command. (Change IP (local host 127.0.0.1) to your server if you do test this on an other server : echo "<14> test hello" | ...

Jotne

If I am correct, you have renamed wan1 interface to joel?

Do you get any data from this?

:put [/interface print as-value stats where name="Joel" rx-byte]

What version do you run? This seems to be old naming: ether2-master

Jotne

Stable channel has been full of serious bugs lately. Not only Stable, some month ago MT change some Wifi handling that did break lots of wifi links on both LTS and Stable. Problem was some function some used that was not correct for their country, and when MT changed it by force, it did gave proble...

Jotne

What does then stop? (looks correct)
You should from the scrip (if you have installed it) get data every 5 minutes.
So search for star and search for 30 min window, you should see data coming in all the time.

Jotne

See if your prefix is correct at section 2b. On wrong characters and it break all.

You can also do a search with only a start * and set it to last 24 hour and see what data you get.

Jotne

PPTP is old, outdated, no encryption so should be avoided. Use a newer/better protocol like L2TP/IPSec or SSTP or other.

Jotne

Then this thread could be closed, and you can use the other thread.

Jotne

Interesting question. Will have a look at it when I am back from holiday.

Jotne

I did test out PPTP first, but are now running L2TP/IPSec PSK.
It could be using a certificate as well.

There are several tutorials on the net on how to set it up.

PPTP is a non encrypted tunnel, so no security at all. Do not use.

Jotne

Fixed

Jotne

That I do understand, but if I know my PC is connected to ether2, its not easy to find out what mac is on ether2

Jotne

I haven't thought about that, but can see that it not an optimal solution if that is the case.
Possible some from MT can give a respond on this ..

Jotne

I did some experiment on my hAP lite to represent Wifi signal strength.

Have a look here:
viewtopic.php?t=142132

Jotne

Interface is Bridge1 for all innside mac on hEX

/ip arp print
 0 DC 10.10.10.41     00:1A:EC:0C:1C:83 Bridge1
 1 DC 10.10.10.32     90:BA:1A:68:DA:D1 Bridge1
...
...

Jotne

This is already mention in section 1b) If you install Ubuntu, (i think from 16.x), rsyslog is installed as default. But its not listening on port 514/UPD as default and you need to edit the config and restart syslog to get it running. So it should normally not be any conflict. But in production envi...

Jotne

You do not need semicolon at end of each line ; , only when multiple commands on same line.

Use this to see what type your variable is.

:put [:typeof $myStr]

It its not string, you can force it to string.

:if ([:tostr $myStr] = "something") do={:put "yes"}

Jotne

Look at my Mikrotik for Splunk int the signature.
There are one view for hotspot user etc.
Can easily be adopted to more view.

Jotne

This give your output, but its ugly

{
:local info "ch-nl2.nordvpn.com"
:local pos
:for i from=0 to=9 do={
	:local test [:find $info $i]
	:if ([:typeof $test]="num") do={set $pos $test}
	}
:put [:pic $info 0 $pos] 
}
ch-nl

Jotne

It does not look like the :find command support regex, just string match. So this does not work: :put [:find $"ch-nl2.nordvpn.com" "[0-9]"] It then makes it hard to find on the string where an unknown number starts. You can loop trough and test number by number from 0-9, but its ugly. find :find <ar...

Jotne

I do not run hotspot, but can try to help.

What command do you run to get this list:

user1 AAAAAA ip address=10.5.50.2
user2 AAAAAA ip address=10.5.50.7
user3 AAAAAA ip address=10.5.50.11

Jotne

This should do: Schedule it to run every 5 min. It will then add the IP for the user with wrong username or password to address list Wrong_User for 24 hour. # Created Jotne 2019 v1.0 # # Add user who tries wrong user or password to address-list # Find all "login failure" error last 5 min :local logl...

Jotne

This is the message you get when using wrong username or password:

system,error,critical MikroTik: login failure for user per from 192.168.88.10 via winbox

Give me some minute and I will fix a script. But take care, this can block your self from entering the system.

Jotne

Updated Now also block user with these type of message: SPI e14750001eda995ec not registred for 89.50.40.10[4500] # Created Jotne 2019 v1.2 # # This script add ip of user who with "IPSEC negotiation failed" and "SPI* not registered" to a block list for 24hour # Schedule the script to run every 5 min...

Jotne

Strange interface name.
ether may hit both ether1, ether2++++
Also you need to enable same interface you disable. Can not be two different name.

Can you post output of

/interface print

Jotne

You do not need to end every line witch ;.
Its only needed when you have several commands on same line.

Jotne

To list all interface type /interface print They will be named some like ehter1, ether2 etc. # interface to control :local if ether1 :global grx :local rx [/interface get $if rx-byte] :local mbrx ($rx/1048576) :local diff ($mbrx-$grx) :put "diff=$diff local=$mbrx global=$grx" :if ($diff>1024) do={ :...

Jotne

A search like this should give all message:

sourcetype=mikrotik module=system

IF not try this:

sourcetype=mikrotik

Or at last just this

Jotne

The filter rule prefix was changed to be more uniform. So I may have mixed up some from script to Splunk code. One the "Live Attack" dashboard, click Edit->Source. There you will near the top find some like this: <search id="base_search"> <query> sourcetype=mikrotik module=firewall rule=FI_D_port-te...

Jotne

:put [/ip arp get [f where mac-address=A0:48:1E:B8:8D:58] interface]

This may not work. On hEX routers, it will just show name of the bridge where the interface is connected, not the physical interface.

Jotne

This may then work. It takes the MAC address of the unit found by MNDP (CDP), should only be one. local if "ether2" local mac "20:DB:F2:1D:A0:0B" :if ([/interface get $if running] = true) do={ :local ifmac [/ip neighbor get [find interface~"^$if;"] mac-address] :if ($ifmac != $mac) do={ :log info "$...

Jotne

You could then use the first solution I did post that take down the interface if some one turns off or remove the equipment.

If the wap is an Mikrotik Wifi wap, you can use nearly the same as above, but use /ip neighbor print information to see that correct neighbor still is present. MNDP (CDP).

Jotne

I do see that mac address are handled differently on different devices. hAP-Lite /interface ethernet switch host print hEX /ip arp print does not work, since it list mac pr interface group (bridge) So I do see mac for Bridge1 covers port 2-5 And mac for ether1 outside Also mac for each other VLAN is...

Jotne

Connect a PC to one of the ethernet port and use WinBox mac access.

Jotne

A follow up. 3. Consider 802.1X. Setting up 802.1x is not that you can do quick and easy. At least not for only one device. This does nearly the same. Schedule it to run every minutes. (or 5 minutes) :if ([/interface get ether2 running] = true) do={ :local mac [/interface ethernet switch host get [f...

Jotne

2. Parse your logs and look for the AP-facing ethernet port going down. As soon as it goes down, disable it. No need parse logs, just schedule this script to run every minute. :if ([/interface get ether2 running] = false) do={ :log info "ether2 is not running, shutting down" /interface ethernet set...

Jotne

@naiyuan

Edit you first post an change Please help to some better.

Jotne

I was some off in previous post. This should get you started { :global grx :local rx [/interface get ether1 rx-byte] :local mbrx ($rx/1048576) :local diff ($mbrx-$grx) :put "diff=$diff local=$mbrx global=$grx" :if ($diff>1024) do={ :put "larger" :global grx $mbrx :put "turn off interface"} } Since I...

Jotne

I do have some problem/bug with my script to help you out. This should get the rx-byte on interface ether1 , but gives nothing. :put [/interface print as-value stats where name="ether1" rx-byte] This works: :put [/interface print as-value stats where name="ether1"] .id=*1;comment=;name=ether1;rx-byt...

Jotne

If you do run all server on Windows IIS or Linux Apache, they can both handle multiple Webservers based on DNS. But If you have many Webservers on different system or on different ports, you can use a reverse proxy server like HAProxy. Redirect 80(443) to the HAProxy server, then it can based on rul...

Jotne

From all the problem I see that MT have after updating routers, I would not recommend to do an automatically upgrade without any possible to control it when it should run. At least on remote devices. I did lost my L2TP IPSec tunnel after upgrade due to change in config. So take care with this. Anoth...

Jotne

What is your goal by making the routers talk to each other?

Jotne

After some investigation I found out that RouterOS cuts Syslog message at 256 characters. Then add info of what module and prefix. So the total message may be longer than 256 characters, but not the body of the message. If I do send message to terminal using :put they are inn full length. Here are s...

Jotne

Nice to see official release of 6.45.3. But there was no need of removing my thread https://forum.mikrotik.com/viewtopic.php?t=150735 I feel like a criminal ;) Since MT did not post this info, I try to help out. What's new in 6.45.3 (2019-Jul-29 12:11): Just close it with a link to this thread....

Jotne

I do put the script in curly brackets {} and cut past it to the terminal.
This way it runs as you should run it from the script option.
Also I do use a lot of :put to see what is going on with the variables.

Jotne

One day since 6.45.3 released on download, nothing here on the forum.
Can't remember seeing this behavior before.

Jotne

Updated script to 3.1

Fixed CDP, since some devices sends long version with new lines breaking up the log lines. (Cisco)

PS still have problem that line is cut in Splunk. Not sure if its MT not sending whole line, or Splunk that cuts the lines.
I do only get 278 characters.

Jotne

6.45.3

*) rb4011 - fixed SFP+ interface linking (introduced in v6.45.2);

Jotne

Some years ago Cisco bought OpenDNS and have now a solution based on this called Umbrella https://umbrella.cisco.com/products/features An ISP can setup redirect for port 53 to their preferred DNS. They can then control what DNS you should see, and at the same time log everything using Umbrella or ot...

Jotne

If you did read what Sindy says, we need the complete configuration to see if the error is elsewhere.
Do post output of this command.

/export hide-sensitive

Jotne

Look at my post here:
viewtopic.php?f=9&t=148397&p=730484#p730484

I did make a script that take those IPSec testers and back lists them for 30 day.

Jotne

Splunk can handle may routers. I have just set it up for more simple to use in my project using Splunk for MikroTik routers. One nice thing with it, is that it does not use SNMP (SNMP is good at many things, but does not like dynamic IP). You just add a script to each router that do send you all the...

Jotne

I do agree that MT should not have had these problems. Since with MT you can do nearly everything with it, setup proxy or socks server, its much more interesting to get inn to an MikroTik Router Why you should not open your router form outside has been discussed here many times before. If you need a...

Jotne

Splunk do handle real time alerts (or close to) https://docs.splunk.com/Documentation/Splunk/7.3.0/Alert/DefineRealTimeAlerts It should not depend of type of action you are using, starting a program, sending sms, email, wechat etc. Alerts should go out. But you should not use to many alerts, since i...

Jotne

The reason why you see this, is that your IP is an string. Adding 0 to it, it seems that RouterOS convert it to an IP, and you can subtraction. Correct way to do it, is to convert it to an IP, then do the subtraction. Cut and past this code and you will see what Is going on. You can try to swap :set...

Jotne

any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...

Can you post the command that fails? There may be a solution to test for poe interface before command is run.

Jotne

Since there is absolutely no support of 802.11k in RouterOS, answer is pretty clear - Routerboards are not compliant.

802.11k is just 11 years old. Take some time to implement

Jotne

Why do you try an old 6.45beta? 6.45.2 is released as well as 6.46beta.

Jotne

You can open it for a specific IP, not DNS.
But you can make a script that looks at the DNS and if IP changes, update the rule.
Schedule it to run every 5 min.

Jotne

No need for extra app to send message. Sending email using a gmail account is easy and works well. But there is a big issue. If you have a free Splunk license, you do loose a lot of thing. * Monitor and Alerting (needed for sending alerts) * 500MB pr day maximum * Cluster * Universal Forwarder * HA ...

Jotne

not enough storage to update.

You should hold off and wait for 6.46.
MT is aware of the problem and seems to work on solution for the small space devices.
From 6.46Beta16

*) smips - reduced RouterOS main package size (disabled LTE modem, dot1x and SwOS support);

Jotne

Ahh, did not think about that. Will read through the nice documentation.

MT should rename the documentation or Winbox to make it mot clear what is what.
Using different name on the configuration in various location makes a mess

Jotne

Limit has:
Rate
Burst
Mode
I do need to handel each source by it self, not all in once, since it will add a user who tries to hack to a black list.
Dst-Limit has Src.address.

Do any know of a good example and explanation on how rate limit works in RouterOS?

Rate.jpg

Jotne

Where do I find count?

I have for Dst-Limit:
Rate:
Burst:
Limit By:
Expire:

If the link above is the manual for dst-limit, it does not match field name I do see in winbox

Jotne

I am trying to setup some security against some of my ports and have trouble tun understand and find information regarding rate limit. When I setup return for some packets in Dst. Limit for a Filter Rule I have following values to set. Rate: Burst: Limit By: Expire: The one I am sure about is Limit ...

Jotne

Seems to be impossible.

Found this in another thread written some years ago:

seems like ip-scan is interactive tool, so you cannot use it in scripts...

Jotne

Script in section 2f) updated to 3.0

Do now get CDP neighbors

Jotne

No, only one ICMP rule.
Strange is that upgrading from 6.43.16 to 6.44.5 resolved the problem.

Jotne

Please stop quoting the quote. Quote only part needed to quote, use Post Reply in post to answer a post...

Jotne

The advantage of this strategy is that you don't need special knocking software. Interesting idea, but you do not need spesial tool to do port knocking. To port knock on my router, i do open three web site, one by one. Port number is just an example port. http://my-router-ip:44444 http://my-router-...

Jotne

Script in section 2f) updated to 2.9

It now support to get interface counters and you can also set modules true/false if you do not like to monitor one section.
If you do not have wifi/dhcp, you can just set them to false.

Jotne

Then use an external log server (Kiwi/splunk/++++)

Jotne

What is the problem?

Log does not show older event? Or there are too many events for you to find the event?
If there are too many events, you can search by filtering.
Post one example log and I may be able to help.

Jotne

No, you can not use your DNS provider to redirect to different port. When you do an DNS request, you only get an IP address of the server to reach. There ware two (may be more) solution for this. If both your Webserver are on the same server, both Windows and Linux can have multiple server that it r...

Jotne

Use an external Syslog tool like Splunk. Store it there and analyze it.
See link in my signature on how to get it up and running.
viewtopic.php?f=23&t=137338

PS
If you post your current OSPF logs, I may be able to add a view for it in Splunk

Jotne

Do you see current OSPF alarms in log?
You may need to add Debug for OSPF logs:

Winbox
System-Logging-Rules-Add
Topics:ospf
Actions:memory

Jotne

As far as I understand you do not need a Firewall (filter) rule when setting up NAT.
Rule will be open for all on outside to use
But if you like to allow some or block some other from using your NAT, you need filter rules.

Jotne

@ fengyuclub
Nice to see you are getting it to work.

@ All
Section 2c) Logging prefix has been updated with sample on how to name to logs.

Jotne

As far as I read from other post, 4.x

Jotne

That does not explain why things stopped up, and why an upgrade(or reboot) did solve the problem.
I added it to logged rules, so will have a look in Splunk to see who hits this rule, and when.

Jotne

So you say this rule in may router is the root cause?

/ip firewall filter
add action=drop chain=input comment="Drop ICMP on outside IF" in-interface=ether1 protocol=icmp

But how come that one VLAN is ok and other is not?
Why did a firmware upgrade solve the problem?

Jotne

I have a hEX with main VLAN (1) and guest VLAN (20) For some reason guest could not reach a handful of websites, like netflix.com, some apple sites ++ This happens some week ago, and I did not know anything about it before today. So what happen for some week ago? I did upgrade from 6.43.4 to 6.43.16...

Jotne

Complete it would be:

:if ([:len $array1] > 0) do={
	:log info message="2"
} else={
	:log info message="1"}

Jotne

Logging in RouterOS is a mystery. Something are logged and some other not. Example. Did an upgrade of hAP Lite from 6.45.1 to 6.45.2. Nothing in the log that it was upgraded, nor that it rebooted during process. If you post the script, I may be able to help you with it to see what is wrong. Have som...

Jotne

I can not upgrade hAP lite - not enough space. Clean install hAP lite. ERROR: not enough disk space, 7.4MiB is required and only 7.4MiB free Edit: Did have some backup files, removed upgrade OK Edit2: After upgrade, no information about upgrade in the log, no information that router reboots. I thin...

Jotne

[ Changes in this release: *) bonding - fixed bonding running status after reboot when using other bonds as slave interfaces (introduced in v6.45); *) interface - fixed missing PWR-LINE section on PL7411-2nD and PL6411-2nD (introduced v6.44); *) ipsec - allow peer argument only for "encrypt" polici...

Jotne

In Splunk, search ignore case

Even if this works, I like better the view in Splunk MikroTik Traffic, that uses accounting for creating the graphs.
There you can see who is generating the traffic, compare to only see what interface traffic goes in/out.

Jotne

Try this Add this to the Data_to_Splunk_using_Syslog script # Get interface data (test) # ---------------------------------- :foreach interface in=[/interface find where (name~"WAN-ether2" || name~"adsl-tx" || name~"bonding1")(name~"WAN-ether2" || name~"adsl-tx" || name~"bonding1") ] do={ :delay 100...

Jotne

When you have multiple interface, use only one section, no a section for every interface change :foreach interface in=[/interface find where (name~"WAN-ether2") ] do={ to :foreach interface in=[/interface find where (name~"WAN-ether2" || name~"adsl-tx" || name~"bonding1") ] do={ Test code that shoul...

Jotne

I was at an hotell in Brazil where there was many private appartement as well. Since it was just one big Wifi subnet, I could see all that uses Chromecast . It showed up on my phone and I could start/stop mute/unmute all streams. :) So with only one big net, its not simple to block you from seeing o...

Jotne

I would also suggest by starting with a default configuration of your router, then adapt it to what you need. This way you get more standard config.

Jotne

Info It seems that data you get from monitor are just moment blink of data going through the interface. So it will fly up and down for every time you run it. If it would be like cisco, average last 5 min, it would be perfect to rune every 5 min. Not sure if it are useful at as is. If you have not re...

Jotne

Try upgrade your RouterOS

Jotne

Can you try another script and see if it stays?
example:

:local test "Hello World"
:put $test

Jotne

Yes its PKI.

"Available from" do help some.
But I would say that VPN is the best option if you need to reach the router config from outside.

Jotne

publicated on the internet.

How does your application handle security in that case when VPN is not used?
Port knocking?
Use non default ports?
DSA key pair?
etc

Jotne

they will do it directly Lets say you have a Router, a Printer and a PC Printer does listen on port `9200`. Normal you could setup a print queue on the PC that points to Printer/9200 For some reason PC can not use port 9200. So you could then setup Router to listen in port 8000. Make the Router NAT...

Jotne

So what's exactly not working? @cmdorexe You do just show some code and does not respond to the question. What does not work? If you try to run a script from cli, you need to wrap it in {} Example :local test "more" :put $test Needs to be { :local test "more" :put $test } This do work also [ :local...

Jotne

LOL

Jotne

A very good point Sindy.

Hopefully they (MT) do read this and change it in later release.

If you look at my old post here: viewtopic.php?t=124291
not all is done in simple and straight forward manner.

Jotne

@mkx

Thanks allot for the good and long explanation.
You are correct in your assumption., this is an upgraded router.

Just not to confuse my brain, I did sett all interface to speed=1Gbps and now it does not show speed when run /interface ethernet export

Jotne

Did test on my router.
Script Run Count did not reset after a reboot. For me it shows the number as before reboot.

This is some strange, since many have problems with other counter and variables (global) that are lost after reboot.

Jotne

RB750Gr3 works fine as a switch when configured correctly.
It has a MT7621 switch chip, more info here: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

Start by posting your config:

 /export hide-sensitive

Jotne

This is highly offensive to Latvians. We have no connection to russia and I won't even mention the backdoors absurdity. Someone have to look at the map :) As far as I know, only US has been caught red handed: https://www.certificationkits.com/nsa-upgrade-process-cisco-equipment-pictures/ nsa1.jpg

Jotne

I do understand that, but when you just like to see interface info and write this and get: /interface ethernet set [ find default-name=ether1 ] name=ether1-Wan speed=100Mbps Its not intuitive at all what is then the speed is showing. speed=100Mbps could then be. Actual speed? Auto negotiation off sp...

Jotne

My router is running 6.43.13 This shows correct speed, by why other commands show 100Mbps is for me strange. /interface ethernet monitor ether1-Wan once name: ether1-Wan status: link-ok auto-negotiation: done rate: 1Gbps full-duplex: yes tx-flow-control: no rx-flow-control: no advertising: 10M-half,...

Jotne

Where do you see 100MB? All my interface are running and connecting to 1GB devices, but commands shows 100MB [secret@XY155] > /interface ethernet print detail Flags: X - disabled, R - running, S - slave 0 R name="ether1-Wan" default-name="ether1" mtu=1500 l2mtu=1596 mac-address=6C:CC:AB:88:34:3E ori...

Jotne

It can be done.
I do use IP accounting to see the traffic going trough the router.
This way are more generic and does work without any modification.
If you monitor one and one interface, this has to be adopted for each setup.

Jotne

When you select the first column, you can select from address, comment, dynamic ++. For all the field, the second column do change. So since you can for address select contains and contains not. For this reason it has to do something to the search, but I can not figure out how it works If it does no...

Jotne

You can not do that with Mikrotik router since HTTPS packet are encrypted. But with a corporate network that controlling the PC, you can use products like Forcepoint (https://www.forcepoint.com/) When you do surfing it will replace the HTTPS certificates and Forcepont will surf on behalf of the clie...

Jotne

This may be a Bug that MT should fix. As far as I can see, when selecting Address filter under Address List in WinBox , the drop-down contains does not work. If I like to find all IP that contains 192 , contains should be the word to select. It should then find both: 192.168.88.1 10.192.44.32 in , o...

Jotne

What command do you use on the router to see this data?

Jotne

If the goal is to reach inn to IP 192.168.88.189 on port 12000/tcp, try this instead. add chain=dstnat action=dst-nat to-addresses=192.168.88.189 protocol=tcp in-interface=ether1 dst-port=12000 PS change in-interface to your outside interface, or use in-interface-list=WAN if you have an outside grou...

Jotne

Look at my project for using Syslog to monitor Mikrotik Router using Splunk.

viewtopic.php?t=137338

Jotne

Warning!!!! Mixing various logs in on line and you do not get what you want. This: /system logging print detail Flags: X - disabled, I - invalid, * - default 1 topics=dhcp,hotspot,!debug prefix="MikroTik" action=remote are not the same as this: /system logging print detail Flags: X - disabled, I - i...

Jotne

I do agree with R1CH. Using resource on securing your router and services are more important than using black list that are not up do date. Change all admin users on all your exposed system (webserver etc) Use long and complex password that are changed now and then. Do not open admin function to you...

Jotne

This did make me update my MikroTik for Splunk script to handle when routers does not have temperature, so changed from: :local voltage ([/system health get voltage]/10) :local temperature ([/system health get temperature]) :log info message="script=health voltage=$voltage V temperature=$temperature...

Jotne

All the view for MikroTik in Splunk has a host drop down. So if you have more than one router, just select the host you like to monitor. There is one possible problem, if you have many routers with same IP that sends log to same Splunk. That could be solved using unique ID for each router and some s...

Jotne

I am learning from this as well, see there are other ways to do things :) So to clean your code some. You do not need ; at the end of each line, only when there are multiple commands on same line, use ; to separate it. Also no need to use variables, use the code directly. Use tab in if/loop etc to m...

Jotne

That is why I need the output of the above command. Some data are coming from the logg. Some are comming from scripting Log: ------- dhcp,dhcp_static,dns,firewall,ipsec,upnp script: ------- IPSEC_failed,address_list,healt,pool,resource,sysinfo,traffic,uncounted,upnp So I guess you have some log prob...

Jotne

DNS information are coming from standard logs on the router. What do you get if you go to search window and search with the following line: sourcetype=mikrotik earliest=-24h latest=now() | stats count by module I do get some like this: module count dhcp 12764 dns 324512 firewall 1349 ipsec 7 script ...

Jotne

One way is to use "parse" command

Can you post an example on this?

Search found 1302 matches