Community discussions

Search found 3021 matches

by msatter
Wed Aug 09, 2023 10:51 am
Forum: General
Topic: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.
Replies: 35
Views: 5595

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

I found it very disturbing that this thread was closed while I was still very active with this, even though the problem did not affect me directly. Mikrotik could activate, in a short time, the options to log out removed users/disabled users automatically. First in local and then other services. Another thing is s...
by msatter
Wed Aug 09, 2023 10:35 am
Forum: Announcements
Topic: v7.11rc is released!
Replies: 195
Views: 48495

Re: v7.11rc is released!

There is something like "I think I found a bug" and would like to know if any others have the same experience with that. Sometimes I was just "holding it wrong" and got info to solve my "bug". The forum is a good filter for bugs, before escalating to actually reporting it as a confirmed bug t...
by msatter
Tue Aug 08, 2023 11:48 am
Forum: Scripting
Topic: Useful scripts
Replies: 116
Views: 295771

Re: Useful scripts

Some script lines to log out non-existing/deactivated users and sessions that are left open for a long time. This now applies only to local sessions (terminal). Disconnect users that are removed as user: :foreach item in=[/user/active find] do={:if ([/user find name=[/user/active get $item]->"...
by msatter
Tue Aug 08, 2023 2:20 am
Forum: General
Topic: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.
Replies: 35
Views: 5595

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

@Amm0, thanks for finding that; it indeed closes the terminal (CLI) in the Winbox of the user that does not exist anymore. A disabled user is another possible option. This can select the correct user to be booted from the terminal. Winbox seems to cache stuff and with that it can reconnect. :for...
by msatter
Mon Aug 07, 2023 1:57 pm
Forum: General
Topic: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.
Replies: 35
Views: 5595

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

I wrote a small script that detects logged-in users that do not exist in /user: :foreach item in=[/user/active find] do={:if ([/user find name=[/user/active get $item]->"name"]) do={} else={:put "Warning: found a removed user(s) still being logged in: $[:tostr [/user/active get $i...
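An added example (my code, not the script from this post or from the logout script higher up the page) of the same audit extended to disabled accounts. It walks /user/active, looks each session's name up in /user, and logs sessions whose account is gone or disabled together with the login method and source address. It only reports; it does not end the session. The property names name, address and via are the columns of /user/active print; the log prefix is my choice.

```routeros
# Added example, not from the forum post: audit /user/active against /user.
# Logs sessions whose account was removed or disabled, with login method and
# source address. It only logs; terminating the session is a separate step.
:foreach session in=[/user/active find] do={
    :local sName [/user/active get $session name]
    :local sVia  [/user/active get $session via]
    :local sAddr [/user/active get $session address]
    # RADIUS-authenticated sessions have no /user entry and will be reported too
    :local match [/user find where name=$sName]
    :if ([:len $match] = 0) do={
        :log warning "session audit: removed user '$sName' still logged in via $sVia from $sAddr"
    } else={
        :if ([/user get [:pick $match 0] disabled]) do={
            :log warning "session audit: disabled user '$sName' still logged in via $sVia from $sAddr"
        }
    }
}
```

Run it from /system scheduler at a short interval and send the warning topic to a remote syslog action, so that someone holding a session you thought you had revoked cannot quietly clear the local log.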
by msatter
Sat Aug 05, 2023 11:16 am
Forum: General
Topic: Implementing address list-based routing with RouterOS v7 [SOLVED]
Replies: 17
Views: 3193

Re: Implementing address list-based routing with RouterOS v7 [SOLVED]

You should give pe1chl the credits for giving you tips on the fasttrack rule.
by msatter
Fri Aug 04, 2023 6:55 pm
Forum: General
Topic: Router OS V7 TCP Retransmission vpn site to site two mikrotik
Replies: 23
Views: 2187

Re: Router OS V7 TCP Retransmission vpn site to site two mikrotik

@Amm0 that is a good point, and who is answering on the other side, the server/client or the router? When the router answers on behalf, then the VPN connection is not used.

@all
Run the MTU adjuster on the returning traffic and check that the ICMP can also reach the client on the inside.
by msatter
Fri Aug 04, 2023 6:44 pm
Forum: General
Topic: Implementing address list-based routing with RouterOS v7 [SOLVED]
Replies: 17
Views: 3193

Re: Implementing address list-based routing with RouterOS v7 [SOLVED]

You missed the first question and the second one. I already stated why I think it's an MTU problem.

But you are free to request support from Mikrotik themselves by mailing them at support@mikrotik.com
by msatter
Fri Aug 04, 2023 12:25 pm
Forum: General
Topic: Implementing address list-based routing with RouterOS v7 [SOLVED]
Replies: 17
Views: 3193

Re: Implementing address list-based routing with RouterOS v7 [SOLVED]

You state re-transmissions; then the question is: is your network sending out the request, or the other side because it did not get an acknowledgement from you? Secondly, did you see any traffic hitting the MTU rule I gave? With this one you don't need to state a wished MTU and it will adapt to the MTU si...
by msatter
Thu Aug 03, 2023 9:06 pm
Forum: General
Topic: Implementing address list-based routing with RouterOS v7 [SOLVED]
Replies: 17
Views: 3193

Re: Implementing address list-based routing with RouterOS v7 [SOLVED]

When TCP connections are taking long or even not completing, then think of MTU problems. For that I have the following rule in Mangle: add action=change-mss chain=forward comment="WireGuard & IKEv2 Sync" in-interface-list=PMTU-IN log-prefix=MSS new-mss=clamp-to-pmtu \ passthrough=yes proto...
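The rule above is cut off, so here is an added, complete MSS-clamping set in the same style (my configuration, not the poster's exact rules). It clamps in both directions, as the "run the MTU adjuster on the returning traffic" advice earlier on this page asks for, and keeps the ICMP path-MTU-discovery messages flowing. The interface list name PMTU-IN and the interface wireguard1 are assumptions; policy-based IPsec has no interface and is not covered by the list.

```routeros
# Added example, not the poster's rule set. PMTU-IN and wireguard1 are assumptions:
# put every tunnel whose MTU is smaller than the LAN MTU into the list.
/interface list add name=PMTU-IN comment="tunnels with a reduced path MTU"
/interface list member add list=PMTU-IN interface=wireguard1

# Clamp the MSS of TCP SYNs in both directions: sessions arriving from the tunnel
# and the returning direction that leaves into it. clamp-to-pmtu derives the value
# from the interface MTU, so no fixed MSS has to be maintained per tunnel.
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn in-interface-list=PMTU-IN \
    comment="MSS clamp: SYN arriving from tunnel"
add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn out-interface-list=PMTU-IN \
    comment="MSS clamp: SYN leaving into tunnel"

# Clamping only repairs TCP; UDP and everything else still depend on path-MTU
# discovery, so ICMP "fragmentation needed" (type 3 code 4) must reach the inside
# hosts. Keep this rule above any drop rule in the forward chain.
/ip firewall filter
add chain=forward action=accept protocol=icmp icmp-options=3:4 \
    comment="allow PMTUD fragmentation-needed"

# Verify that the clamp rules actually see traffic: the counters must grow
# when new TCP sessions are opened across the tunnel.
/ip firewall mangle print stats where action=change-mss
```

If the counters stay at zero, the rules are placed after an earlier mangle rule that does not pass the packet on, or the tunnel interface is missing from the list.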
by msatter
Wed Aug 02, 2023 7:56 pm
Forum: Scripting
Topic: find addresses with same octets
Replies: 39
Views: 4701

Re: find addresses with same octets

Doing this for years now; the list now contains almost 2200 /24 ranges collected since September 2021.

Underneath is the log when a range is placed on the block list on reaching the set limit, which is set to three.
[attachment: PermBlock.JPG]
The last address ranges added to the block list:
[attachment: PermBlock2.JPG]
by msatter
Wed Aug 02, 2023 4:14 pm
Forum: General
Topic: SFP Temperature is 255C after Router OS upgrade [SOLVED]
Replies: 12
Views: 3177

Re: SFP Temperature is 255C after Router OS upgrade [SOLVED]

Yes. Yours, and submit a support request with Mikrotik.

viewtopic.php?p=1008211#p1008211
by msatter
Tue Aug 01, 2023 2:48 pm
Forum: Scripting
Topic: find addresses with same octets
Replies: 39
Views: 4701

Re: find addresses with same octets

I have to admit that seeing all those postings was funny, while I already posted the script for that here, years ago.

But then, it would be out of place to post a direct link.
by msatter
Mon Jul 31, 2023 10:17 am
Forum: General
Topic: Automatically initiate WireGuard connection
Replies: 18
Views: 1850

Re: Automatically initiate WireGuard connection

The tunnel is one and the connection is two.
by msatter
Sun Jul 30, 2023 11:08 pm
Forum: General
Topic: Automatically initiate WireGuard connection
Replies: 18
Views: 1850

Re: Automatically initiate WireGuard connection

25 seconds is the same as the advised keep-alive for WireGuard.
by msatter
Sat Jul 29, 2023 12:45 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105629

Re: v7.11beta [testing] is released!

I assume the wrong interface is the first WAN. Traffic answered on behalf by the router is related. In an earlier topic it was just dropped or set to TTL:0

viewtopic.php?p=1010043
by msatter
Fri Jul 28, 2023 8:33 pm
Forum: Announcements
Topic: CVE-2023-30799
Replies: 14
Views: 29428

Re: CVE-2023-30799

Example: I hire an expert to set up my router. That person needs access on admin level and that person could gain "super-admin" level and make changes that are not logged and normally not allowed. When the temp. account is deleted the changes stay in place. My impression from what I read he...
by msatter
Fri Jul 28, 2023 2:43 pm
Forum: Scripting
Topic: find addresses with same octets
Replies: 39
Views: 4701

Re: find addresses with same octets

Ok. ;-)
by msatter
Thu Jul 27, 2023 9:51 pm
Forum: Announcements
Topic: CVE-2023-30799
Replies: 14
Views: 29428

Re: CVE-2023-30799

Thanks. :-)
by msatter
Wed Jul 26, 2023 9:22 pm
Forum: General
Topic: L7 regex to block IKEv1 connections
Replies: 1
Views: 451

Re: L7 regex to block IKEv1 connections

RegEx is a mask that moves over a "text" and can be hooked to the end or the beginning but not to a specific point in a "text".

A dot is a single position, so ^..... ....v1 (55 dots in total) gives you the location of the 56th position. Or, if supported, ^.{56}v1
by msatter
Wed Jul 26, 2023 8:34 pm
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 67939

Re: v6.49.8 [long-term] is released!

... it isn't clear if CVE-2023-30799 was only addressed in 6.49.7 onwards, or also in 6.48.7 LTS which was released at a later date - there is nothing in the release notes. No, post #22 above probably sums up the status completely (not mentioning 6.48.7 does mean something). But since 6.49.8...
by msatter
Wed Jul 26, 2023 3:49 pm
Forum: Announcements
Topic: Click here
Replies: 35
Views: 9502

Re: Click here

All for the views. ;-)
by msatter
Wed Jul 26, 2023 2:03 pm
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 67939

Re: v6.49.8 [long-term] is released!

As stated in the CVE - "MikroTik RouterOS stable before 6.49.7...". Yes, 6.49.8 is built on 6.49.7. Thus it includes the same fix.

I visited a lonely page that feels completely neglected by Mikrotik: https://blog.mikrotik.com/security/ It also supplies an RSS feed for Mikrotik.
by msatter
Tue Jul 25, 2023 7:53 pm
Forum: Scripting
Topic: Built in function library
Replies: 132
Views: 134713

Re: Built in function library

@mike548141 It is even simpler:
@> /system/hardware print
bad command name hardware (line 1 column 9)
@> /system/hardware/print 
syntax error (line 1 column 17)

Try
 /system/routerboard print
by msatter
Tue Jul 25, 2023 1:06 am
Forum: General
Topic: Poe catching fire?
Replies: 3
Views: 706

Re: Poe catching fire?

Looks like lightning, and Mikrotik have a product that protects against that: https://mikrotik.com/product/rbgesp GESP is a Gigabit Ethernet Surge Protector that can be used to protect the network from lightning or surge damage. Here's what a typical use-case would look like. You have a mast with some antennas. A...
by msatter
Mon Jul 24, 2023 12:20 pm
Forum: Scripting
Topic: Built in function library
Replies: 132
Views: 134713

Re: Built in function library

@mike548141 When you have commands that may not work on every device, you can avoid errors by using :do {} on-error={}:
:do { /system/hardware } on-error={ :error "error: script not executable on this device " }
:do { /system/hardware } on-error={ :log "error: script X not executa...
by msatter
Thu Jul 20, 2023 2:44 am
Forum: Scripting
Topic: Structured IPv6 Address
Replies: 16
Views: 3188

Re: Structured IPv6 Address

This assumption by me was wrong. The value is treated as a boolean and then 0 = false and any other number is true.
by msatter
Thu Jul 20, 2023 1:06 am
Forum: General
Topic: Wireguard Wizard - 7.11b4
Replies: 27
Views: 2979

Re: Wireguard Wizard - 7.11b4

@own3r1138

When completely manual, there should still be a sanity check applied, and also any DNS stated should be checked, so that the returned IP matches one of the local addresses of that router.
by msatter
Thu Jul 20, 2023 12:53 am
Forum: Scripting
Topic: Structured IPv6 Address
Replies: 16
Views: 3188

Re: Structured IPv6 Address

nil is a bit more complex, when I thought about it later:
> :local a false; :put [:typeof $a]
bool
> :local a ; :put [:typeof $a]
nothing
> :local a nil ; :put [:typeof $a]
str
> :local a [:toip 192.168.88.999]; :put [:typeof $a]
nil
> :local a [:toip 192.168.88.1]; :put [:typeof $a]
ip
So to me "...
by msatter
Wed Jul 19, 2023 10:30 pm
Forum: General
Topic: Something NEEDS to be done about the default passwords
Replies: 169
Views: 13507

Re: Something NEEDS to be done about the default passwords

Thinking out of the box here. When the board does not match the case, then you have this problem. Did you check if the replied MAC is still the same as the one on the box, after a reset?
by msatter
Wed Jul 19, 2023 7:20 pm
Forum: Scripting
Topic: Delete all files in a folder (and make an exception)
Replies: 10
Views: 2701

Re: Delete all files in a folder (and make an exception)

/file/remove [find name~"flash/\\.xyz\$"]
Update: thanks Amm0 and I removed the first "/" and added a \ before $.
by msatter
Wed Jul 19, 2023 4:36 pm
Forum: General
Topic: Wireguard Wizard - 7.11b4
Replies: 27
Views: 2979

Re: Wireguard Wizard - 7.11b4

Well done. Although it would be awesome if Mikrotik could implement the WG Wizard in the main Wireguard section so one could use it for peer config generation like what we have now in OVPN. Then WG needs more entries to do that: the external IP-address/domain and the allowed address range to be able t...
by msatter
Wed Jul 19, 2023 3:46 pm
Forum: Scripting
Topic: Structured IPv6 Address
Replies: 16
Views: 3188

Re: Structured IPv6 Address

Some scripting tips (v6/v7): :toip6 returns a valid IP address and if not valid it returns "nil", which in an :if compare is the same as "false/invalid"; first a direct usage and the second one an indirect usage. FROM: if ([:typeof $address] = "nil") do={ :error "\"...
by msatter
Wed Jul 19, 2023 2:56 pm
Forum: Beginner Basics
Topic: need advise on none dynamic and none static in mangle [SOLVED]
Replies: 2
Views: 1247

Re: need advise on none dynamic and none static in mangle [SOLVED]

Hi, not my 'friend'. From the manual: Value of none-dynamic (00:00:00) will leave the address in the address list till reboot. Value of none-static will leave the address in the address list forever and will be included in configuration export/backup https://help.mikrotik.com/docs/display/ROS/Filter#F...
by msatter
Tue Jul 18, 2023 7:41 pm
Forum: General
Topic: feature request: src/dst-addr-type connected
Replies: 2
Views: 371

Re: feature request: src/dst-addr-type connected

What did I just read!?
by msatter
Tue Jul 18, 2023 1:48 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 2944

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

@4lphanumeric five is indeed just a number and I could have chosen two or any number higher. It just allows blocking a specific one up to five times before starting again, as long as the dst/src address is on the list syncreset. All traffic goes through a VPN so my ISP only sees the outside of a tunnel and ...
by msatter
Tue Jul 18, 2023 2:48 am
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 2944

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

Think about it: you are sitting and waiting for the correct bus. One: take the first bus, and if you do not get on that bus you have to wait again for bus six or then eleven.... Two: get on the second bus, and if you don't catch that one, take bus seven or even twelve.... It is not timing out, you hide (d...
by msatter
Tue Jul 18, 2023 12:39 am
Forum: Forwarding Protocols
Topic: Suggestion: Hooks to Scripts on /routing/filter/rule actions
Replies: 10
Views: 2494

Re: Suggestion: Hooks to Scripts on /routing/filter/rule actions

This is the sample function for adding to an address-list in filter/mangle/raw rules:
:global ruleAddresToList do={ /ip firewall address-list add list=$listName address=$Address timeout=$Timeout }
This is then the call to the function with the name "ruleAddresToList" from a rule to add and...
by msatter
Mon Jul 17, 2023 11:33 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 2944

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

The first reset will be matched and dropped in a period of 5 seconds. The next four will be accepted, or accepted because the address-list entry has timed out. By adding more nth you can filter more reset replies. Underneath, the first two reset replies are dropped within 5 seconds. /ip firewall r...
by msatter
Sun Jul 16, 2023 11:26 am
Forum: Beginner Basics
Topic: Forward secondary IP to web server
Replies: 4
Views: 1020

Re: Forward secondary IP to web server

Thanks for the disclaimer. ;-)

Try with line 8 in NAT disabled.
by msatter
Thu Jul 13, 2023 1:23 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 631763

Re: Feature requests

Second request on bigger variables. Using fetch I can write a bigger file to disk in one go. But then I can't read those back when the file is bigger than 4KB, despite the variable not being a limiting factor anymore in ROS. This could be the first one, so the request above for direct download into a variable ...
by msatter
Thu Jul 13, 2023 12:26 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 631763

Re: Feature requests

Now the 4096 byte limit on variables is lifted and variables are now limited by the amount of available memory.
https://help.mikrotik.com/docs/pages/diffpagesbyversion.action?pageId=47579229&selectedPageVersions=29&selectedPageVersions=28
Also, fetch is still limited to 64512 bytes when using...
by msatter
Thu Jul 13, 2023 10:46 am
Forum: Scripting
Topic: $INQUIRE - prompt user for input using array of questions + $CHOICES
Replies: 21
Views: 3221

Re: $INQUIRE - prompt user for input using array of questions, ft. inline functions (>[])

Press TAB for options or F1 for help:
@ > [:terminal/
..     -- go up to root
cuu    -- move cursor up
el     -- erase line
inkey  -- read key
style  -- set output text style
Small menu example with active help and (audio) feedback on error:
{ :local readKeyString do={
# written by msatter 2020-2021
# keyFlag sh...
by msatter
Thu Jul 13, 2023 10:03 am
Forum: Scripting
Topic: $INQUIRE - prompt user for input using array of questions + $CHOICES
Replies: 21
Views: 3221

Re: $INQUIRE - prompt user for input using array of questions, ft. inline functions (>[])

If you look at the input screen as a CRT TV, then you can redraw the page with the lines and entered data once per confirmed line, or even on every key. Then you can correct previously entered data by using the cursor buttons, using [:te cuu] for example to go up after the redrawn page. The page with li...
by msatter
Thu Jul 13, 2023 12:01 am
Forum: Scripting
Topic: Max size of variables still at 4096!? Answer is NO
Replies: 5
Views: 3602

Re: Max size of variables still at 4096!? Answer is NO

Example script of reading a file from a webserver directly into a variable and generating an address-list from it.
# Turris Import by Blacklister
# 20210823 new version that directly downloads from a http(s) server
# 20230712 new variable length allows reading big files in one go
{ /ip firewall address-...
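Since the Turris Import script above is cut off, here is an added stand-alone version of the same idea (my code, not Blacklister or the poster's script). It fetches a plain-text list straight into a variable with /tool fetch output=user as-value, splits it on newlines, tolerates CRLF files and comment lines, and rebuilds a static address-list from it while leaving dynamic entries alone. The URL and list name are placeholders. As the poster notes elsewhere on this page, output=user is still capped at 64512 bytes, so a larger list must be fetched to disk instead.

```routeros
# Added example, not the script from the post. URL and list name are assumptions.
{
    :local listName "blocklist-example"
    :local url "https://example.invalid/blocklist.txt"

    # output=user as-value returns an array; "data" holds the body as one string
    :local result [/tool fetch url=$url output=user as-value]
    :local status ($result->"status")
    :if ($status != "finished") do={ :error "fetch of $url failed: $status" }
    :local data ($result->"data")

    # replace the previous import; dynamic entries added by firewall rules are kept
    /ip firewall address-list remove [find where list=$listName dynamic=no]

    :local added 0
    :local skipped 0
    :while ([:len $data] > 0) do={
        # take the next line off the front of the buffer
        :local line ""
        :local nl [:find $data "\n"]
        :if ([:typeof $nl] != "num") do={
            :set line $data
            :set data ""
        } else={
            :set line [:pick $data 0 $nl]
            :set data [:pick $data ($nl + 1) [:len $data]]
        }
        # tolerate CRLF line endings
        :local last ([:len $line] - 1)
        :if ($last >= 0) do={
            :if ([:pick $line $last] = "\r") do={ :set line [:pick $line 0 $last] }
        }
        # skip blank lines and comments; the firewall validates the value itself,
        # so single addresses and CIDR prefixes such as 192.0.2.0/24 are both accepted
        :if ([:len $line] > 0) do={
            :if ([:pick $line 0] != "#") do={
                :do {
                    /ip firewall address-list add list=$listName address=$line
                    :set added ($added + 1)
                } on-error={ :set skipped ($skipped + 1) }
            }
        }
    }
    :log info "$listName: $added entries added, $skipped lines skipped"
}
```

Letting the add command reject bad lines instead of pre-validating with :toip keeps prefixes and IPv4/IPv6 handling consistent with what the firewall itself accepts; the skipped counter in the log is the check that the upstream file has not changed format.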
by msatter
Wed Jul 12, 2023 10:07 pm
Forum: Scripting
Topic: Max size of variables still at 4096!? Answer is NO
Replies: 5
Views: 3602

Max size of variables still at 4096!? Answer is NO

I was browsing through help.mikrotik and noticed the removal of the notice in scripting about the limit for variables in RouterOS. https://help.mikrotik.com/docs/pages/viewpreviousversions.action?pageId=47579229
v. 29 Apr 04, 2023 16:13 Testing Department: Remove deprecated note on variable size limit. N...
by msatter
Wed Jul 12, 2023 8:34 pm
Forum: General
Topic: Weird log message in Mikrotik RB2011
Replies: 2
Views: 439

Re: Weird log message in Mikrotik RB2011

They are warnings and not errors.
by msatter
Wed Jul 12, 2023 12:10 am
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5088

Re: get a list of enabled NAT rules with no src address list

Then show that to us. Don't sit on it.....share.
by msatter
Tue Jul 11, 2023 11:39 pm
Forum: The User Manager
Topic: default admin account
Replies: 3
Views: 2680

Re: default admin account

No, you are not doing anything wrong. It is protecting you from locking yourself out of the router. You first have to create or have a second user with full access, as you have already done. Then set the Admin to read, apply, expire the password and then disable it. I prefer to expire the password af...
by msatter
Tue Jul 11, 2023 10:50 pm
Forum: The User Manager
Topic: default admin account
Replies: 3
Views: 2680

Re: default admin account

You can disable it, after taking away any rights to make changes.

Newer routers come with a default password printed on the device so you need to register that also for each router.
by msatter
Tue Jul 11, 2023 10:36 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5088

Re: get a list of enabled NAT rules with no src address list

Thank Mikrotik for making the path in v7 backward compatible with v6.

I learned yesterday a new way to find active settings in v6, so there are still things to be found in v6. Please use the suggestion about the TAB and you can do your scripting yourself the next time.
by msatter
Tue Jul 11, 2023 2:41 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5088

Re: get a list of enabled NAT rules with no src address list

If Unimus executes line by line you could use this for v6 and v7:
# v6 & v7 compatible
/ip firewall nat
# shows enabled rules with no src-address-list
:foreach r in=[find where !disabled !src-address-list] do={:put [get $r]}
# shows disabled rules with a src-address-list
:foreach r in=[find where d...
by msatter
Tue Jul 11, 2023 2:08 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5088

Re: get a list of enabled NAT rules with no src address list

@idgolstein All you need to know is stated when you start the terminal in Winbox.
MikroTik RouterOS 6.49.2 (c) 1999-2021 http://www.mikrotik.com/
[?]          Gives the list of available commands
command [?]  Gives help on the command and list of arguments
[Tab]        Completes the command/word. If the input is...
by msatter
Mon Jul 10, 2023 9:22 pm
Forum: Scripting
Topic: timeout value in address list
Replies: 9
Views: 2311

Re: timeout value in address list

ROS v6:
:foreach item in=[find list=<LIST NAME> timeout~"."] do={:put [get $item]}
:foreach item in=[find list=<LIST NAME> !timeout] do={:put [get $item]}
Flags: X - disabled, D - dynamic
 #   LIST  ADDRESS  CREATION-TIME         TIMEOUT
 0   ;;; test
     test  7.7.7.7  jul/10/2023 19:46:53
 1 D test  1.1.1.1  jul...
by msatter
Mon Jul 10, 2023 3:39 pm
Forum: Scripting
Topic: timeout value in address list
Replies: 9
Views: 2311

Re: timeout value in address list

Again, check status not value!
With timeout:
/ip/firewall/address-list> /ip/firewall/address-list/; :foreach item in=[find list=<LISTNAME> timeout] do={:put [get $item]}
Without timeout:
/ip/firewall/address-list> /ip/firewall/address-list/; :foreach item in=[find list=<LISTNAME> !timeout] do={:put ...
by msatter
Fri Jul 07, 2023 3:04 pm
Forum: General
Topic: why Input & Output rules (Please help)
Replies: 8
Views: 803

Re: why Input & Output rules (Please help)

It seems to be clear now.
by msatter
Thu Jul 06, 2023 12:53 am
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 36468

Re: Forum moderation volunteers

Air Force One must then have had routers installed with ROS 7.10 for quite some time. They now have special stairs at the back of the plane. Far away from the routers in the front of the plane. Hope it helps. Update: good news, RouterOS 7.10 was not the cause of the tripping on the stairs. Potus also...
by msatter
Wed Jul 05, 2023 10:03 pm
Forum: General
Topic: why Input & Output rules (Please help)
Replies: 8
Views: 803

Re: why Input & Output rules (Please help)

Then what is your problem? You wrote in the OP that all was working. IN = external new traffic incoming. OUT = traffic generated by the router itself, or encrypted traffic also generated by the router (policy). FORWARD = internal network to the outside, and there you have your PCC lines. Connection marki...
by msatter
Wed Jul 05, 2023 5:42 pm
Forum: General
Topic: why Input & Output rules (Please help)
Replies: 8
Views: 803

Re: why Input & Output rules (Please help)

Post can't be deleted.
by msatter
Wed Jul 05, 2023 1:16 pm
Forum: General
Topic: why Input & Output rules (Please help)
Replies: 8
Views: 803

Re: why Input & Output rules (Please help)

Dear Sir, why do I need to add input and output rules in Mangle for PCC LoadBalancing? But without these rules, my PCC Loadbalancing is working fine.
ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=y...
by msatter
Thu Jun 29, 2023 9:09 pm
Forum: General
Topic: Partial match on address lists - exist? or feature request?
Replies: 6
Views: 749

Re: Partial match on address lists - exist? or feature request?

That would be possible if address lists could be grouped. Mikrotik did not add that to ROS so it is not possible. But looking at your example, use one name for both entries. The second one with a timeout will stop existing in the listing when the counter reaches zero. Strange that you did not test tha...
by msatter
Thu Jun 29, 2023 3:26 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105629

Re: v7.11beta [testing] is released!

@mantouboji for a client the IP address does not need to be renewed until the TTL expires. So what is the TTL of your DNS registration? WG will renew the resolve on restart of the WG peer. You can't check every so many seconds if the DNS changes because of Round Robin when having multiple IP addresses. Then...
by msatter
Thu Jun 29, 2023 1:47 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105629

Re: v7.11beta [testing] is released!

@mantouboji for a client the IP address does not need to be renewed until the TTL expires. So what is the TTL of your DNS registration? WG will renew the resolve on restart of the WG peer. You can't check every so many seconds if the DNS changes because of Round Robin when having multiple IP addresses. Then ...
by msatter
Wed Jun 28, 2023 3:23 pm
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 36468

Re: Forum moderation volunteers

I think someone pressed the "stow" button on the cats: https://cdn.teslanorth.com/wp-content/uploads/2023/06/cats-dish.jpg I have only a "stew" button over here. Let's see what it does.....oh no, poor animals...in China they would now call dinner!! In Guangdong and Guangxi provin...
by msatter
Wed Jun 28, 2023 11:30 am
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 36468

Re: Forum moderation volunteers

You can't do three clicks without seeing a cat. They are a real pest.
by msatter
Tue Jun 27, 2023 8:04 pm
Forum: General
Topic: The "best" load balancing method for poor men ?
Replies: 19
Views: 1820

Re: The "best" load balancing method for poor men ?

Then pe1chl gave you your answer. Choose only src or dst address so as to keep the outgoing IP address seen by the load balancer/server on the other side. The cause is not on your side but on the other side, forcing you to have the same IP address. That is why I use an address-list named fixed-VPN for those si...
by msatter
Tue Jun 27, 2023 1:14 pm
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3436

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

Changed the title back to ICMP only as I did many tests and was unable to replicate TCP/UDP packets leaking so I suspect I probably saw those show up when I was messing around with configs. I do continue to see the related ICMP packets being dropped as per the original scenario I outlined above. No...
by msatter
Tue Jun 27, 2023 12:54 pm
Forum: General
Topic: The "best" load balancing method for poor men ?
Replies: 19
Views: 1820

Re: The "best" load balancing method for poor men ?

PCC with "both addresses and ports" I used many times works like a charm but breaks https connections. Then I included !port443 into pcc rules but, since almost all traffic today is https, this mechanism is deprecated. What is nowadays the best load balancing/aggregation method to share m...
by msatter
Mon Jun 26, 2023 4:34 pm
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3436

Re: Router Leaking Packets (ICMP/TCP/UDP) Marked for Wireguard Tunnel

Thanks for confirming this and for the correction. The position of the rule in filter is fine and it is then just before SRC-NAT is applied. In NAT there are since ROS 7 also input and output chains, so you can detect there also if something is leaking from the router itself.
by msatter
Mon Jun 26, 2023 1:34 pm
Forum: RouterBOARD hardware
Topic: hEX Router Reset button broke off
Replies: 14
Views: 3968

Re: hEX Router Reset button broke off

Just contact your seller about this. The switch seems to be surface soldered. Removing the loose switch from the case should not void your warranty because you made sure this way that no further damage was done when using the hEX. Better would have been to not use the hEX again before contacting the hEX....
by msatter
Mon Jun 26, 2023 11:53 am
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3436

Re: Router Leaking Packets (ICMP/TCP/UDP) Marked for Wireguard Tunnel

I had till now no related traffic going out so testing is not possible here. Can you put this log line in and check if it is detecting the same packets? It is in Postrouting and allows any last-minute routing by routing adjustment to be done. It looks only at traffic coming from your router itse...
by msatter
Sun Jun 25, 2023 5:42 pm
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3436

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

@wisroute thanks, and then invalid will catch that. Unmarked is traffic that is not present in connection tracking.
add action=change-ttl chain=prerouting connection-state=invalid,untracked in-interface=wireguard log=yes log-prefix=KillInvalidInWG new-ttl=set:0 passthrough=no
invalid - a packet that ...
by msatter
Sun Jun 25, 2023 4:18 pm
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3436

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

So the returning packet is flagged related and so you can combine that with the fact that it is generated by the router itself on behalf of the disconnected client. Then you can kill that packet wherever it returns. Routing in Mangle is not available on output so that avenue is closed. /ip/firewall/...
by msatter
Sun Jun 25, 2023 3:48 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5088

Re: get a list of enabled NAT rules with no src address list

I assume the parsed code is executed from the root and not from inside the path.
by msatter
Sun Jun 25, 2023 3:42 am
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3436

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

I have the same rule, and yours routes traffic coming in through WiFi. Output is local so you have to match on the connection-mark you set. In Mangle output you can route it or kill it by setting TTL to 0.
by msatter
Sun Jun 25, 2023 2:03 am
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5088

Re: get a list of enabled NAT rules with no src address list

Converted to code: :put [:parse ":foreach r in=[/ip/firewall/nat find where !disabled !src-address-list] do={:put [/ip/firewall/nat get $r]}"] (evl /foreachcounter=$r;do=;(evl (evl /putmessage=(evl (evl /ip/firewall/nat/get))));in=(evl (evl /ip/firewall/nat/findwhere=$chain;$action;$jump-t...
by msatter
Sun Jun 25, 2023 1:16 am
Forum: General
Topic: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel
Replies: 32
Views: 3436

Re: Router Leaking Packets (ICMP) Marked for Wireguard Tunnel

Very interesting, could you test this in Mangle, whether the output counter increases?
/ip/firewall/mangle
add action=mark-packet chain=input in-interface-list=WireGuard new-packet-mark=encrypted passthrough=yes
add action=passthrough chain=output out-interface-list=!WireGuard packet-mark=encrypted passth...
by msatter
Sat Jun 24, 2023 11:01 pm
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5088

Re: get a list of enabled NAT rules with no src address list

:put (/ip/firewall/nat get [find where !disabled !src-address-list]) It's shorter, didn't know you can use negation here. But this line is not working when multiple rules are found, you can't use get from list, must be in loop and must be surrounded with [] to even execute. :put ([/ip/firewall/nat g...
by msatter
Sat Jun 24, 2023 6:22 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

I meant for Asus routers. Wrong forum I see now. Sorry. ;-)
by msatter
Sat Jun 24, 2023 1:27 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

Indeed it needs a script to generate the data file. On import you just import the file that contains a helper to process the data and put it in the correct place in ROS.

That makes it ideal for distribution of data to many routers.
by msatter
Sat Jun 24, 2023 1:14 am
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

You can read BIG files when you put the script for reading the data in the same file. Using a variable as call to the function allows to import data as it was used with address lists. Every variable is a new call of the function and so it will be repeated till there are no more variables left. It wi...
by msatter
Fri Jun 23, 2023 12:58 pm
Forum: Beginner Basics
Topic: INFO: MikroTik new default device password practice
Replies: 23
Views: 3326

Re: INFO: MikroTik new default device password practice

This is great that Mikrotik is catching up. An extra prominent note in the box that this device has been improved and is using a non-blank password. This is a positive note about improving security. It could also be integrated in ROS so that the login screen displays by default a pointer/instruction wh...
by msatter
Fri Jun 23, 2023 1:22 am
Forum: Scripting
Topic: get a list of enabled NAT rules with no src address list
Replies: 38
Views: 5088

Re: get a list of enabled NAT rules with no src address list

Why that complicated, treat the fields as having also a state:
/ip/firewall/nat/print where !disabled !src-address-list

:put (/ip/firewall/nat get [find where !disabled !src-address-list])
by msatter
Fri Jun 23, 2023 1:01 am
Forum: General
Topic: Can someone give me the command line, to delete pppoe-out1
Replies: 16
Views: 1426

Re: Can someone give me the command line, to delete pppoe-out1

When you go in terminal to pppoe and then press TAB or F1 then it will show the available options. You can use set or edit to change a specific field.

Then you can add that to the line you have in your script without the remove, of course.
by msatter
Thu Jun 22, 2023 5:00 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

Not overhere on ROS 7.10 I'm also on 7.10 > /system/routerboard/print routerboard: yes model: D53G-5HacD2HnD serial-number: XXXXXXXX firmware-type: ipq4000L factory-firmware: 7.1beta5 current-firmware: 7.10 upgrade-firmware: 7.10 > :execute ":put ([/interface lte at-chat lte1 wait=yes input=\&...
by msatter
Thu Jun 22, 2023 4:50 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

If you want to restore the stored data or transfer to a different router then selective path exporting and exporting is the simple way. I don't know how that works with LTE or SMS because I don't have that. In this posting is mentioned that extension does not need to be RSC. https://forum.mikrotik.com...
by msatter
Thu Jun 22, 2023 4:37 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

:execute ":put ([/interface lte at-chat lte1 wait=yes input=\"AT+CMGL=4\" as-value ]->\"output\")" file="sms"
Works also with .txt extension in file param, then it will not append .txt to filename.
Not over here on ROS 7.10
by msatter
Thu Jun 22, 2023 2:12 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

@optio Why still self limit to 4096 bytes!? Many people here walked into this limitation for many years and some found little gems in RouterOS which work around problems. One of those is ":execute" Let's keep it simple, this will store the output of a command or script to a file like it w...
by msatter
Thu Jun 22, 2023 12:42 am
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

@optio Why still self limit to 4096 bytes!? Many people here walked into this limitation for many years and some found little gems in RouterOS which work around problems. One of those is ":execute" Let's keep it simple, this will store the output of a command or script to a file like it wa...
by msatter
Wed Jun 21, 2023 9:36 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

This was the starting point: https://forum.mikrotik.com/viewtopic.php?p=819118 I think that it is more correct to continue in this topic, and not in the one where the link is. I tried doing something like this: :local sms [/system script get "sms.txt" source]; :put $sms But it gives an err...
by msatter
Tue Jun 20, 2023 5:19 pm
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

This was the starting point: viewtopic.php?p=819118
by msatter
Tue Jun 20, 2023 12:21 am
Forum: Scripting
Topic: The maximum size of a read/written file.
Replies: 70
Views: 7690

Re: The maximum size of a read/written file.

You can read large files by not using a script to read the file but putting the script in the file in the form of a function and importing the RSC file.

Exporting large files is possible; rename them then to an RSC file so they can be imported again.
by msatter
Mon Jun 19, 2023 1:36 pm
Forum: Beginner Basics
Topic: Is it possible to provide dst-nat action in prerouting chain?
Replies: 3
Views: 857

Re: Is it possible to provide dst-nat action in prerouting chain?

Assuming you are matching on a domain/url, I would use connection marking instead of packet marking.

This because not every packet contains that domain/url.
by msatter
Thu Jun 15, 2023 10:40 am
Forum: Announcements
Topic: v7.10rc is released!
Replies: 183
Views: 52909

Re: v7.10rc is released!

"!) " could be used to indicate a new functionality and might not be fully developed. "Adding" should be the first step and later you can use "update".

!) added:
^!) update:
<!) retracted:
>!) fixed:
*) = bugfix
-*) = retracted bugfix
+*) = fixed bugfix
by msatter
Sat Jun 10, 2023 12:29 pm
Forum: Beginner Basics
Topic: Outbound from 5060 port
Replies: 8
Views: 1256

Re: Outbound from 5060 port

/ip firewall nat add chain=srcnat action=src-nat to-ports=5060 protocol=tcp src-address=192.168.0.0/24 dst-address=5.49.132.66 dst-port=5060 add chain=srcnat action=src-nat to-ports=5060 protocol=tcp src-address=192.168.0.0/24 dst-address=5.13.25.125 dst-port=5060 Because your src-address is a rang...
by msatter
Fri Jun 09, 2023 11:57 pm
Forum: Beginner Basics
Topic: Outbound from 5060 port
Replies: 8
Views: 1256

Re: Outbound from 5060 port

You have changed it now in your OP, it now states that it is your not actual public address.

It is also a good thing to use non-existing public IP addresses in postings, to avoid another router being compromised based on data stated by you.
by msatter
Fri Jun 09, 2023 10:46 pm
Forum: Beginner Basics
Topic: Outbound from 5060 port
Replies: 8
Views: 1256

Re: Outbound from 5060 port

Please remove your PUBLIC IP from your posting. This is in your own interest.
Thx, but don't worry, these are fake addresses.
Then you lied in your opening post stating "My external address is".
by msatter
Fri Jun 09, 2023 8:30 pm
Forum: Beginner Basics
Topic: Outbound from 5060 port
Replies: 8
Views: 1256

Re: Outbound from 5060 port

Please remove your PUBLIC IP from your posting. This is in your own interest.
by msatter
Fri Jun 09, 2023 2:11 pm
Forum: General
Topic: How to get Facebook & Youtube IP Address list
Replies: 2
Views: 1348

Re: How to get Facebook & Youtube IP Address list

You can look if you get a result with whois on a linux system:

Facebook
whois -h whois.radb.net '!gAS32934'

Youtube
whois -h whois.radb.net '!gAS36561'
whois -h whois.radb.net '!gAS15169'
whois -h whois.radb.net '!gAS43515'
whois -h whois.radb.net '!gAS36040'
by msatter
Thu Jun 08, 2023 12:06 pm
Forum: Scripting
Topic: How do I use global variables in Netwatch?
Replies: 1
Views: 1627

Re: How do I use global variables in Netwatch?

You could use a workaround by using static DNS, Layer7 or comments, depending on the type of variable to store.

Use a repeating schedule to update the values from Global and back.
by msatter
Thu May 25, 2023 2:04 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11394

Re: EDITED Forum THEME / SKIN change

Is the "Select all" from a code block working for anyone? It only sends me to the top of the topic..
I don't think that this ever worked anyway..
That is correct. The link underneath is just to the topic itself.
by msatter
Thu May 25, 2023 1:52 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11394

Re: EDITED Forum THEME / SKIN change

If MikroTik does not give us back prosilver, I would like to know why. What do they lose by having it as an option? I have used prosilver at this forum for 5+ years..... . . forum.mikrotik.com##.announcements.forumbg This I can not use, since it also removes announcements for the announcement forum ...
by msatter
Thu May 25, 2023 12:23 am
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11394

Re: EDITED Forum THEME / SKIN change

I also use uBlock to hide the tongue-in-cheek videos on the Mikrotik site. uBlock is literally a lifesaver, so you have a choice in your own browser. The lines I collected here during the past years. ! https://forum.mikrotik.com/ forum.mikrotik.com###wrap > .transparent.main-header forum.mikrotik.com###...
by msatter
Wed May 24, 2023 1:55 pm
Forum: Announcements
Topic: Announcement regarding CVE-2023-32154
Replies: 23
Views: 28525

Re: Announcement regarding CVE-2023-32154

Source: https://www.zerodayinitiative.com/advisories/ZDI-23-710/ ADDITIONAL DETAILS 12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto. 05/09/23 – ZDI asked for an update. 05/10/23 – The ZDI re-disclosed the report at the vendor’s request. 05/10/23 – The ZDI informed the ...
by msatter
Wed May 24, 2023 1:10 pm
Forum: Announcements
Topic: v7.10beta [testing] is released!
Replies: 249
Views: 51822

Re: v7.10beta [testing] is released!

Question not answered about how many times it retries, or if interface still needs to be toggled to re-establish a connection after IP change.. As long as it fails to resolve, seems to me the way it will work. There is no max times mentioned so it keeps trying...... .....every retry counts as one i...
by msatter
Wed May 24, 2023 12:56 pm
Forum: Announcements
Topic: v7.10beta [testing] is released!
Replies: 249
Views: 51822

Re: v7.10beta [testing] is released!

@EdPa can you give more details about "wireguard - retry "endpoint-address" DNS query on failed resolve;" How many times will it retry? Does this solve our problems with dynamic ips on peers where we need to re-toggle tunnel to fix it after IP change? I am using RoundRobin from ...
by msatter
Tue May 23, 2023 11:46 am
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11394

Re: EDITED Forum THEME / SKIN change

1st world problems..
At least for what is left of it.
by msatter
Tue May 23, 2023 11:42 am
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11394

Re: EDITED Forum THEME / SKIN change

we reverted to Canvas
Also if you are not logged-in.......?
Thanks for fixing this.
by msatter
Mon May 22, 2023 3:14 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11394

Re: EDITED Forum THEME / SKIN change

Unfortunately, we have found, that the "Canvas" skin that was used here for many years, was causing the PHP issues. It is no longer maintained by the author. Until we can find a new / maintained skin, we have defaulted to the standard PHPBB skin. If it is very bad, make suggestions to wha...
by msatter
Mon May 22, 2023 2:33 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11394

Re: EDITED Forum THEME / SKIN change

canvas <--> pro silver

I selected Canvas, instead of pro silver, after my eyes started hurting. It was then again as before!?
by msatter
Mon May 22, 2023 2:26 pm
Forum: General
Topic: Routing table ignoring routing mark
Replies: 7
Views: 4778

Re: Routing table ignoring routing mark

What is the difference between IPsec tunnel mode and IPsec transport mode? IPsec tunnel mode is used between two dedicated routers, with each router acting as one end of a virtual "tunnel" through a public network. In IPsec tunnel mode, the original IP header containing the final destinat...
by msatter
Mon May 22, 2023 2:06 pm
Forum: Announcements
Topic: MikroTik joins the Fediverse
Replies: 46
Views: 32474

Re: MikroTik joins the Fediverse

https://blog.mikrotik.com/ is the blog still valid place for security updates? (where to follow, rss still enabled, or are there better places to get notifications, if something goes wrong?) Yes. There have been no security incidents lately, this is why there is nothing new there. That went fast: h...
by msatter
Fri May 19, 2023 12:33 pm
Forum: Announcements
Topic: MikroTik joins the Fediverse
Replies: 46
Views: 32474

Re: MikroTik joins the Fediverse

Hear hear! Creating side channels looks good for your 'friends' or management but this forum should remain the workhorse for communications and exchange of ideas and knowledge. All the social stuff is just a distraction, which some people seem to need to know that they exist. Take it away, the...
by msatter
Fri May 12, 2023 11:55 am
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 44497

Re: FORUM MAINTENANCE: Password reset will be needed

This is my signature: [IN READ-ONLY MODE] Loving my freedom and so, no PayPal, no TikTok, no Meta/Facebook/Instagram/WhatsApp, no Apple and no Alphabet/Google, no Amazon/Cloudfront/AWS. Running: RouterOS 7.7 and 7.2.1 / Winbox 3.37 64bits It states that Google is one of the bad boys. If it only was ...
by msatter
Thu May 11, 2023 8:19 pm
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 44497

Re: FORUM MAINTENANCE: Password reset will be needed

"Your signature contains 233 characters.The maximum number of allowed characters is 1."

I must have missed the memo on that too.
by msatter
Thu May 11, 2023 6:49 pm
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 44497

Re: FORUM MAINTENANCE: Password reset will be needed

I got notifications for the first time ever.....from three years ago.

Update: it advises each time to send an e-mail to support because of a general error. Better leave it off then.
by msatter
Thu May 11, 2023 12:13 pm
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 44497

Re: FORUM MAINTENANCE: Password reset will be needed

What are the reasons to dislike Discourse?
The reason is, one day you can't post anymore, then you can again and then not anymore.....forever.

Discourse excludes people and doesn't give a damn about that. If you don't move, Discourse will leave you behind.
by msatter
Thu May 11, 2023 11:11 am
Forum: Announcements
Topic: FORUM MAINTENANCE: Password reset will be needed
Replies: 162
Views: 44497

Re: FORUM MAINTENANCE: Password reset will be needed

Has MikroTik ever considered moving the forums to a more modern solution than phpBB? I know of several forums that were able to migrate from phpBB to Discourse fairly easily, and it has some very nice features.. OOOOOOOOOOOH NOOOOOOOOO NOT DISCOURSE!!!!!! PLEASE PLEASE PRETTY PLEASE HAVE MERCY WITH...
by msatter
Wed May 10, 2023 2:24 pm
Forum: General
Topic: ⚠️WARNING: RouterOS v7.10+ will break all scripts based on [/system clock get date] or other date(s)
Replies: 63
Views: 13031

Re: ⚠️WARNING: RouterOS v7.10+ will break all scripts based on [/system clock get date]

If Mikrotik were only just a bit smarter, they would have introduced with the new format a new variable containing the new date format.

Something like: [/system clock get isodate]

Just my two cents....
by msatter
Tue May 09, 2023 4:44 pm
Forum: Announcements
Topic: Newsletter #113 | May 2023
Replies: 103
Views: 42352

Re: Newsletter #113 | May 2023

Marketing seems to go off the rails.
by msatter
Thu Mar 02, 2023 11:29 am
Forum: Announcements
Topic: Newsletter 111
Replies: 24
Views: 19636

Re: Newsletter 111

I am pleased that manuals are at least written more clearly.
by msatter
Thu Mar 02, 2023 1:45 am
Forum: Announcements
Topic: Newsletter 111
Replies: 24
Views: 19636

Re: Newsletter 111

Interesting wording, "permanently remove", me thinking "break off" would be a better wording for that.

Or do you need a hacksaw to remove those parts permanently?
by msatter
Sun Jan 08, 2023 1:08 am
Forum: General
Topic: Percentage IN PCC Load Balancd [SOLVED]
Replies: 8
Views: 1414

Re: Percentage IN PCC Load Balancd [SOLVED]

You can be the judge on that.
by msatter
Sat Jan 07, 2023 10:30 pm
Forum: General
Topic: Percentage IN PCC Load Balancd [SOLVED]
Replies: 8
Views: 1414

Re: Percentage IN PCC Load Balancd [SOLVED]

@chechito: really? Secondly, that is 80:20

Simpler, 5/4 to Wan2 what is left to Wan1.
Do you now get how it can work?

Bye
by msatter
Sat Jan 07, 2023 5:19 pm
Forum: General
Topic: Percentage IN PCC Load Balancd [SOLVED]
Replies: 8
Views: 1414

Re: Percentage IN PCC Load Balancd [SOLVED]

Even simpler: 1/3 goes to two and the rest goes to one. So you only need one PCC line that marks traffic for routing2 and the rest you just mark for routing1 as long as it is not marked earlier for routing2. add action=mark-connection chain=prerouting dst-address-type=!local \ new-connection-mark=WAN_C...
by msatter
Sat Jan 07, 2023 1:35 pm
Forum: General
Topic: Percentage IN PCC Load Balancd [SOLVED]
Replies: 8
Views: 1414

Re: Percentage IN PCC Load Balancd [SOLVED]

66% = 1/3->1 2/3->1 3/3->2
by msatter
Thu Jan 05, 2023 1:49 am
Forum: General
Topic: DNSSEC
Replies: 43
Views: 23533

Re: DNSSEC

If you have a resolver that handles DNSSEC in front of RouterOS it won't return an IP address when the DNSSEC is invalid. Cache poisoning can also happen on the client. The AD flag could be stored to indicate a valid DNSSEC, or AD is False to indicate why the IP is not returned. RouterOS has a basic D...
by msatter
Fri Dec 16, 2022 12:11 pm
Forum: General
Topic: export one firewall address list out of many
Replies: 10
Views: 4046

Re: export one firewall address list out of many

A little teaser of the options available and it is a complete eco system that produces address-list in RSC format that is standalone and has the script and list integrated in one file. Ideal for distribution. The script is over 200 lines including many comments. :set $helpText " Backup function...
by msatter
Wed Dec 14, 2022 11:05 pm
Forum: General
Topic: export one firewall address list out of many
Replies: 10
Views: 4046

Re: export one firewall address list out of many

RouterOS can perfectly fine export one address-list out of many with a script, on its own. And import them again also.

You just have to put the effort into it to write the script.

Bye
by msatter
Tue Dec 13, 2022 11:19 pm
Forum: RouterOS beta
Topic: Feature request: overwrite addresslist entries
Replies: 10
Views: 2833

Re: Feature request: overwrite addresslist entries

Rename address-list -> import new list -> rename renamed address-list to current address-list -> remove renamed address-list still/only containing the double entries. Does not work for me, supposing I rename address-list by set list="new-name" [find list="old-name"] Renaming sto...
by msatter
Tue Dec 13, 2022 9:57 pm
Forum: RouterOS beta
Topic: Feature request: overwrite addresslist entries
Replies: 10
Views: 2833

Re: Feature request: overwrite addresslist entries

Rename address-list -> import new list -> rename renamed address-list to current address-list -> remove renamed address-list still/only containing the double entries. Very simple.

Bye
by msatter
Thu Nov 10, 2022 11:14 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Try without defining a delimiter. So omitting it.
}
        :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
        :log info "Address list <$description> successfully updated"
        }
by msatter
Wed Oct 05, 2022 9:53 pm
Forum: Scripting
Topic: invalid internal item number [SOLVED]
Replies: 13
Views: 5184

Re: invalid internal item number [SOLVED]

I use a regular expression to match. That is the ~ sign instead of a = . The searched interface name has to be also unique or there will be no match. If you have two PPPoE (pppoe-in pppoe-out) then matching on pppoe does not cut it. You have to match on the difference and the shortest one is "in&quo...
by msatter
Mon Oct 03, 2022 11:03 pm
Forum: Forwarding Protocols
Topic: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?
Replies: 9
Views: 2292

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Wow guys, having a bad day?

Apologies for the Google link, posted this question from my mobile after it came up in my feed.
It was not mainly directed at you.....
by msatter
Sun Oct 02, 2022 9:08 pm
Forum: General
Topic: Issue in scripting [SOLVED]
Replies: 8
Views: 1736

Re: Issue in scripting [SOLVED]

;log has to be :log....twice
by msatter
Sat Oct 01, 2022 12:37 pm
Forum: Forwarding Protocols
Topic: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?
Replies: 9
Views: 2292

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

If you put up a link, have atleast the decency to remove all Google tracking shit!
https://www.bleepingcomputer.com/news/security/ethernet-vlan-stacking-flaws-let-hackers-launch-dos-mitm-attacks/
by msatter
Mon Sep 26, 2022 10:49 am
Forum: General
Topic: Using NoTrack for WireGuard tunnel
Replies: 16
Views: 2189

Re: Using NoTrack for WireGuard tunnel

"So all in all - you can use notrack for a Wireguard tunnel, but only where no NAT is required, so typically for a site-to-site one." I see RouterOS handling this without a problem. This is my interpretation. Router as WG client, router initiates a UDP connection to server through NAT, Rout...
by msatter
Fri Aug 26, 2022 12:14 am
Forum: General
Topic: Using NoTrack for WireGuard tunnel
Replies: 16
Views: 2189

Re: Using NoTrack for WireGuard tunnel

I addressed the tunnel and not the actual traffic going through that tunnel. You still have complete control if traffic is going to be encrypted traveling through that tunnel or not and will take an other path. RouterOS handles the tunnel and that explains that I despite the tunnel being fasttracked...
by msatter
Thu Aug 25, 2022 9:58 pm
Forum: General
Topic: Using NoTrack for WireGuard tunnel
Replies: 16
Views: 2189

Using NoTrack for WireGuard tunnel

I noticed that fasttracking the tunnel of a WireGuard connection did not matter and the dummy counters did not increase. So that traffic is being split off and handled directly. Then I remembered that was also done for IPSEC: However, this can add a significant load to the router's CPU if there is a fai...
by msatter
Sun Aug 21, 2022 1:33 pm
Forum: General
Topic: The "output" chain and VRFs/routing marks
Replies: 9
Views: 4515

Re: The "output" chain and VRFs/routing marks

useful information
Instead you could use a bookmark in your browser. Right-click the posting date line and select add bookmark.
by msatter
Thu Aug 18, 2022 1:13 am
Forum: Announcements
Topic: v7.5beta [testing] is released!
Replies: 138
Views: 46167

Re: v7.5beta [testing] is released!

Sadly I can't reproduce that:
/ip/dns/static add address-list=mikrotik match-subdomain=yes name=mikrotik.com type=FWD 
:put [:resolve www2.mikrotik.com]
159.148.147.252
Nothing is added to the address-list mikrotik.
by msatter
Wed Aug 17, 2022 10:55 pm
Forum: Announcements
Topic: v7.5beta [testing] is released!
Replies: 138
Views: 46167

Re: v7.5beta [testing] is released!

I'm usually good at spotting what things are for, but I'm gonna need some help here. If I do: /ip/dns/static add address=192.168.88.10 address-list=dnstest name=device.local ttl=600 Nothing happens at first. Then when router's DNS resolver receives query for device.local, address list "dnstest...
by msatter
Wed Aug 17, 2022 6:32 pm
Forum: Announcements
Topic: v7.5beta [testing] is released!
Replies: 138
Views: 46167

Re: v7.5beta [testing] is released!

*) dns - added "address-list" parameter for static DNS entries (CLI only);

WOW!
by msatter
Sun Aug 07, 2022 11:57 am
Forum: General
Topic: SIP in, to NAT or to ROUTE
Replies: 0
Views: 681

SIP in, to NAT or to ROUTE

In a topic about SIP not conveying the source address SIP server NAT was the cause of looking a correct dst-NAT not working out like expected. This because there was simple src-masquerade present in NAT. Underneath the packet flows and you see on the top right dst-NAT which is the rule being used by...
by msatter
Sat Jul 02, 2022 11:47 am
Forum: Announcements
Topic: v7.4beta [testing] is released!
Replies: 189
Views: 60998

Re: v7.4beta [testing] is released!

Anyone managed to find a better way to use the data provided by netwatch (status, since etc) I currently only had successful results with something like this: snip... Not the best way to do it, if you have multiple monitored hosts with the same IP it will obviously fail to work properly. I've tried...
by msatter
Fri Jun 17, 2022 1:00 pm
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 96
Views: 58893

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

*** Update *** My support e-mails went unanswered so I tried chat. I had all the info ready and the terminal running to try suggestions and after the person had to check thing out a solution was given. Using the browser can be avoided by using the legacy mode of the Linux client with the command: n...
by msatter
Thu Jun 16, 2022 11:30 am
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 96
Views: 58893

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

*** WARNING WARNING WARNING *** DON'T RESET your NordVPN account password when you notice that you can't login to your account on the NordVPN website. You will lose the usage of your VPN connections because you are forced to use a multi factor authentication on the same device, through the NordVPN ...
by msatter
Fri Jun 10, 2022 1:21 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

@Simonej: I explained the misunderstanding here: https://forum.mikrotik.com/viewtopic.php?p=938735#p937764 You need to check the sequencing of the items in that line. On the removed being showed, the cause is what is currently going on in the forum and the reaction from Mikrotik and/or moderators an...
by msatter
Thu Jun 09, 2022 8:13 pm
Forum: General
Topic: Routing priority issue
Replies: 40
Views: 5120

Re: Routing priority issue

Thanks for confirming this. I am back to 7.2rc6 due to a problem with IPTV streams breaking and now that gives problems . :( Update: Found the cause why the IPTV streams were breaking up. It was quite a search and even WireGuard did not give away why. Using torch I noticed that traffic was returning...
by msatter
Thu Jun 09, 2022 7:09 pm
Forum: General
Topic: Routing priority issue
Replies: 40
Views: 5120

Re: Routing priority issue

before: 1-main 2-not-main 3-main
now: 1-not-main 2-not-main 3-main

My problem is 1-not-main now because before all traffic was main. That is why we don't have a no-mark option in routing...as it is always marked according to ROS. That has been changed now since 7.2rc6 and before.
by msatter
Thu Jun 09, 2022 6:20 pm
Forum: General
Topic: Routing priority issue
Replies: 40
Views: 5120

Re: Routing priority issue

Filtering on active routing-mark:
add action=mark-routing chain=prerouting new-routing-mark=WireGuard routing-mark=main

Looking at routing-mark=main to see if there is already a routing mark present. When not, then route-mark the traffic.
by msatter
Thu Jun 09, 2022 5:35 pm
Forum: General
Topic: Routing priority issue
Replies: 40
Views: 5120

Re: Routing priority issue

If traffic is not route marked main by default anymore how do I see what the assigned routing mark is. Mikrotik writes the one with the strictly order/priority. Then having a "no-mark" routing-mark in the mangle like as with connection-mark could then detect traffic not yet routing marked....
by msatter
Thu Jun 09, 2022 4:19 pm
Forum: General
Topic: Routing priority issue
Replies: 40
Views: 5120

Re: Routing priority issue

I was curious what was up with this and it is indeed a nasty one. My config was also broken. Looking in the mangle pre-routing routing marking, the counters did not increase. Only the one catching traffic that should be mangled but has not been mangled and setting the TTL to zero, to avoid traffic ...
by msatter
Wed Jun 08, 2022 7:43 pm
Forum: General
Topic: How to force "Actual MTU" on PPPoE client [SOLVED]
Replies: 8
Views: 1549

Re: How to force "Actual MTU" on PPPoE client [SOLVED]

Wow, that was an exciting half hour and a bit.
by msatter
Tue Jun 07, 2022 3:22 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

This is then a testing version of the list downloader with support for the :global $checkurl function: The function I put underneath the script and it has to be executed so it gets stored in :global. The script runs also without $checkurl . I have adapted the function so that it does not use the files sys...
by msatter
Tue Jun 07, 2022 11:55 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

My posting by me states: $update url=[$checkurl https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv] delimiter=, listname=turris timeout=8d heirule=http nolog=1 So $update url=[$checkurl htt... and not $update [$checkurl url=htt.. Update: first test with using the function checkurl: {....
by msatter
Mon Jun 06, 2022 2:44 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

You missed adding :global checkurl, because you have to define a global variable before you can use it in a script.
by msatter
Sun Jun 05, 2022 11:32 pm
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 96
Views: 58893

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

When the connection is active you see a dynamic line appear in NAT.

Copy that line and change the action dst-address to 100.69.69.69 and save. That IP goes nowhere.

When the VPN goes down this line is still there and it also catches traffic when the VPN is still cranking up.
by msatter
Sun Jun 05, 2022 1:17 pm
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 96
Views: 58893

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Hmm, that seems not to be possible and the IKEv2 connects directly to WAN and in my case that is the PPPoE.

The thread is marked only for ROSv6, so even the writer didn't find a way to also implement the kill-switch.
by msatter
Sun Jun 05, 2022 12:23 am
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 96
Views: 58893

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

A basic way is to add a second route that takes over when the dynamic route of the VPN is deactivated.
/ip route
add blackhole disabled=no distance=254 dst-address=0.0.0.0/0 routing-table=under_nordvpn scope=30 target-scope=10
Then why not move also to WireGuard when using NordVPN?
by msatter
Sat Jun 04, 2022 11:13 pm
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 96
Views: 58893

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Yes.

No, in the rules/lines (new-)routing-mark is still being used.
by msatter
Sat Jun 04, 2022 12:26 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

I see that the total: is zero and then nothing is imported in the script. The download shows 25KiB so there must be something going wrong. I am currently on RouterOS 7.2RC6 status: connecting status: finished downloaded: 25KiB total: 0KiB duration: 1s Why there is a Could not connect: in a direct do...
by msatter
Fri Jun 03, 2022 9:00 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

To integrate checking for a redirect I tested it quick and dirty with these adaptations: The import script changes: { /ip firewall address-list :local update do={ :global checkurl :if ($url ~ "invalid URL protocol") do={:log error "Could not import $listname due to a problem with the ...
by msatter
Fri Jun 03, 2022 7:30 pm
Forum: General
Topic: How to search a large IP Firewall Address List?
Replies: 8
Views: 3400

Re: How to search a large IP Firewall Address List?

The list being displayed in Winbox is only done for you. RouterOS most likely uses hashes to handle traffic, which is much much faster. Searching an address takes some time and because it takes time you'd rather use foreach so you can make the change directly on find. Avoiding so a second loop to implem...
by msatter
Fri Jun 03, 2022 1:57 pm
Forum: Beginner Basics
Topic: Which MTU size should I set on my interfaces?
Replies: 15
Views: 13295

Re: Which MTU size should I set on my interfaces?

Next to the used MTU is the L2-MTU and that one is the MTU that the interface can handle. As you wrote, setting the VLAN higher is allowing the PPPoE to sit above 1500. Then having a higher actual MTU on VLAN you would expect that RouterOS would reflect that in the actual MTU of the ether interface. But the...
by msatter
Fri Jun 03, 2022 1:46 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

No, following redirects is something that Mikrotik could implement in their code. Using JavaScript is something that is not feasible in RouterOS. In the meantime you could use another device to download the files and the router is then downloading those from that device. That was the way I did it, befo...
by msatter
Fri Jun 03, 2022 1:28 pm
Forum: Beginner Basics
Topic: Which MTU size should I set on my interfaces?
Replies: 15
Views: 13295

Re: Which MTU size should I set on my interfaces?

Also the fiber to 1520 MTU.

Seeing the MTU of the PPPoE is now 1500, confusing, but if it works then it works. Test is with ping in tools. Ping to google.com and set the packet size to 1500 and mark do not fragment, both in the advanced tab.

Then start and see if the ping packets are passing.
by msatter
Fri Jun 03, 2022 10:13 am
Forum: Beginner Basics
Topic: Which MTU size should I set on my interfaces?
Replies: 15
Views: 13295

Re: Which MTU size should I set on my interfaces?

My main router is directly connected to the ISP fiber modem and it's "authenticated" using PPPoE. The ISP fiber modem is giving you an MTU of 1492 (default for PPPoE) and then you are doing a PPPoE over PPPoE? Fiber (modem) 1492, VLAN on that also 1492 and then a PPPoE of 1472. First if you h...
by msatter
Thu Jun 02, 2022 11:27 pm
Forum: Beginner Basics
Topic: Which MTU size should I set on my interfaces?
Replies: 15
Views: 13295

Re: Which MTU size should I set on my interfaces?

You have only to determine the MTU from packets that are returning: /ip firewall mangle add action=change-mss chain=forward in-interface="Telenor PPPoE" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn The MTU seems strange because the VLAN is 1492 and so the PPPoE MTU...
by msatter
Thu Jun 02, 2022 5:48 pm
Forum: General
Topic: Configurable (or shorter) negative DNS cache TTL needed
Replies: 8
Views: 6595

Re: Configurable (or shorter) negative DNS cache TTL needed

Tried for years to convince Mikrotik of this. In the end, I am running now a separate DNS resolver to do this for the router.
by msatter
Wed Jun 01, 2022 5:30 pm
Forum: General
Topic: Totally off-topic - is this a fibre cable? [SOLVED]
Replies: 12
Views: 1633

Re: Totally off-topic - is this a fibre cable? [SOLVED]

I concur with tangent. The orange/brown cable is the ground/null wire. The white ones could each have another stripe for phase one, two or three.

There is an extra unprotected wire in it and the fibers you see are a string that helps the cable when being pulled through tubes/pipes.
by msatter
Tue May 31, 2022 12:37 pm
Forum: General
Topic: PCC connection marking with fallback, controled by Netwatch
Replies: 1
Views: 387

Re: PCC connection marking with fallback, controled by Netwatch

Scripts to let the WG connections take a scheduled nap: /tool/netwatch set interval=1h [find host=198.18.0.1] set interval=1d [find host=198.18.0.2] set interval=1d [find host=198.18.0.3] set interval=1d [find host=198.18.0.4] :delay 5s /ip/firewall/mangle set disabled=yes [find new-connection-mark=...
by msatter
Tue May 31, 2022 12:06 pm
Forum: General
Topic: PCC connection marking with fallback, controled by Netwatch
Replies: 1
Views: 387

PCC connection marking with fallback, controled by Netwatch

I was thinking how I could create a better fallback when one or more of multiple WireGuard connections fail at the same time. I already disable the WG connection when an IP address inside the WG connection is not pingable anymore by using Netwatch and a Routing Rule to get the correct WG connection. I...
by msatter
Tue May 31, 2022 11:12 am
Forum: General
Topic: Load Balancing [HELP]
Replies: 26
Views: 3456

Re: Load Balancing [HELP]

This is really confusing now.... ...so I noticed something interesting... if I test speed via Ookla (speedtest.net) I seem to be utilising both WANs on upload and download, but I also noticed whilst one of the LAN clients was downloading a big update file this was coming down only on WAN1, so no co...
by msatter
Tue May 31, 2022 11:06 am
Forum: General
Topic: Load Balancing [HELP]
Replies: 26
Views: 3456

Re: Load Balancing [HELP]

snip..... @msatter, did you indeed mean to enable fasttracking? Since any kind of load distribution except the ECMP one depends on mangle, you can not permit fasttracking for all the traffic, at best it can be permitted for traffic going through one of the WANs. I didn't know which router was used ...
by msatter
Mon May 30, 2022 8:42 pm
Forum: General
Topic: Load Balancing [HELP]
Replies: 26
Views: 3456

Re: Load Balancing [HELP]

Better make this both-addresses:2/0 and both-addresses:2/1 and also include the dst-port and src-port. Then both ISPs being used is more likely, and also check if you have enabled fasttracking.

Ingdaka is also referring to splitting the connections.
by msatter
Mon May 30, 2022 8:15 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

AWESOME @msatter ! It's working with delimiter=("\n") seems to be mandatory also on your updated version of the script, correct? I only tested it on the first link you stated blocklist-DE. It is a very simple one, use NewLine when the length of the found delimiter is zero. Found delimiter...
by msatter
Mon May 30, 2022 8:09 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Did you try the updated script that uses "\n" when no delimiter was detected? If a list has matching posix in the header then the script could pick a wrong delimiter. Then you can overwrite that by setting it manually. How did you get on with posix yourself after reading my earlier answer t...
by msatter
Sun May 29, 2022 1:48 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Due to the problem with "\n" having to be set manually, I have adapted the script to do this for you when no delimiter has been found: { /ip firewall address-list :local update do={ :put "Starting import of address-list: $listname" :if ($nolog = null) do={:log warning "Starti...
by msatter
Sun May 29, 2022 12:57 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Try with adding delimiter=("\n") to the $update line
by msatter
Fri May 27, 2022 4:42 am
Forum: Beginner Basics
Topic: VPN killswitch in ROS7 [SOLVED]
Replies: 7
Views: 3042

Re: VPN killswitch in ROS7 [SOLVED]

However, it doesn't seem to work as when the VPN is down, I am still able to access internet using my ISPs IP and DNS. Do you have any suggestions how to better translate the recommended killswitch from ROS6 to 7.1? Did you manage to translate it to ROS7 successfully? I also have this problem. Yo...
by msatter
Thu May 26, 2022 10:48 am
Forum: General
Topic: How to fetch TX RX rate using api
Replies: 5
Views: 1267

Re: How to fetch TX RX rate using api

That would be a coincidence that I would have been giving Pear2 format, because you didn't mention it upfront. 8) Then this notation is an array containing the correct values and how you are going to have Pear2 handle that is up to your Pear2 skills. On the earlier manual page mentioned by me ar...
by msatter
Thu May 26, 2022 2:15 am
Forum: General
Topic: ipsec policy dst-address property can't use range ROS6LT [SOLVED]
Replies: 6
Views: 1103

Re: ipsec policy dst-address property can't use range ROS6LT [SOLVED]

If you put that range into /ip/firewall then if possible it gets converted into a range: 192.168.4.0/24 for example. If not then you use there a begin and end.

In /ip/ipsec/policies you can't do that and you have to use a range /24 and so you have to use three ranges if that is possible in policies.
by msatter
Wed May 25, 2022 6:55 pm
Forum: Scripting
Topic: Using "do and else" in script. [SOLVED]
Replies: 14
Views: 2481

Re: Using "do and else" in script. [SOLVED]

Currently, the mode of transportation is clearly still a push buggy. :lol:
by msatter
Wed May 25, 2022 12:12 pm
Forum: Beginner Basics
Topic: HELP - How to Run a Script Everyday Exact time [SOLVED]
Replies: 4
Views: 2398

Re: HELP - How to Run a Script Everyday Exact time [SOLVED]

Register the time (Global) when the script completes. Set a delay of 3600 seconds at the start of the script. Set the start time to 23:00:00 Next day, make the delay = 3600s-$toredTime (Global) On reboot/start Global $toredTime is not existing so create a check to set it to 00:00:00 as first in a sc...
by msatter
Tue May 24, 2022 8:30 pm
Forum: General
Topic: Wireguard dynamic enpoint address
Replies: 7
Views: 2231

Re: Wireguard dynamic enpoint address

That is indeed the correct behaviour. You have to detect the change on your own and stop the service, clear DNS cache, restart the service.

There are scripts for that, maybe I might have even written one on that.

You might have a look overhere: viewtopic.php?p=908766
by msatter
Mon May 23, 2022 8:40 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

DoH and DoT are not the same. DoT is an encrypted version of DNS resolve requests. In the Netherlands, the Dutch government enforces an EU decree, that all ISPs filter certain results. The Dutch coalition FOIC is making news with requesting a ruling by the European court FOIC, a coalition of internet ...
by msatter
Mon May 23, 2022 12:09 pm
Forum: General
Topic: How to fetch TX RX rate using api
Replies: 5
Views: 1267

Re: How to fetch TX RX rate using api

In RouterOS it is: /interface monitor-traffic <pppoe-Tct.babul@sai> once and how it is in API you have to find out yourself by trying. The name of the interface is the one you gave to it. And here is my line. Replace wlan1 with the name you gave to the wlan connection: ["/interface/monitor-traff...
by msatter
Mon May 23, 2022 1:01 am
Forum: General
Topic: How to fetch TX RX rate using api
Replies: 5
Views: 1267

Re: How to fetch TX RX rate using api

The manual on this can be found here: https://help.mikrotik.com/docs/display/ROS/API
by msatter
Sun May 22, 2022 2:18 pm
Forum: Scripting
Topic: API Links
Replies: 155
Views: 218090

Re: API Links

by msatter
Sun May 22, 2022 2:16 pm
Forum: Scripting
Topic: [ API ] NodeRed (Javascript)
Replies: 2
Views: 1053

Re: [ API ] NodeRed (Javascript)

Some more ready-to-use NodeJS can be found here: https://github.com/aluisiora

It is not specifically written for NodeRed but has nice examples, and it is looking for someone to continue the development.
by msatter
Sat May 21, 2022 8:22 pm
Forum: Scripting
Topic: auto renew LetsEncrypt cert
Replies: 5
Views: 4618

Re: auto renew LetsEncrypt cert

That would be 60d 00:00:00
by msatter
Sat May 21, 2022 6:55 pm
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 96
Views: 58893

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Have the same question. The only thing that holds me on ROS6.
In RouterOS you first have to define the route before you can refer to it.
/routing table
add  fib name=nordvpn_blackhole
by msatter
Sat May 21, 2022 6:50 pm
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 96
Views: 58893

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

/ip firewall mangle add action=mark-connection chain=input in-interface=ether2 new-connection-mark=VPN passthrough=yes
Marking connections coming on ether2 with connection mark VPN. You can set more specific filters and you have to change the name of the connection mark.
by msatter
Fri May 20, 2022 2:55 pm
Forum: Scripting
Topic: [ API ] NodeRed (Javascript)
Replies: 2
Views: 1053

[ API ] NodeRed (Javascript)

I am using NodeRed for the solar panels and it is very flexible. I connect to the solar panels inverter with a CAP lite and sometimes the WiFi connection fails. To restore the connection I use NodeRed. There is a NodeRed node for Mikrotik devices and using it was a difficult start because of the spare ...
by msatter
Thu May 19, 2022 9:48 pm
Forum: General
Topic: Unknown external IP's in ARP list
Replies: 2
Views: 933

Re: Unknown external IP's in ARP list

I have also a strange IP in ARP that I can't explain, except it is also in my address-list. The IP you are showing seems not to be in your address-list.
by msatter
Thu May 19, 2022 1:58 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 278
Views: 74148

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

When I remember it well I first implemented ownposix and then automatic detection superseded that. I kept the ownposix in there for a reason, I think that is what you want to use it for. Re-activate this by removing the # before :if($own... : #:if ($ownposix = null) do={ # determining the used del...
by msatter
Thu May 19, 2022 1:39 pm
Forum: Scripting
Topic: Functions and function parameters
Replies: 44
Views: 99983

Re: Functions and function parameters

contribution removed
by msatter
Thu May 19, 2022 1:24 pm
Forum: Beginner Basics
Topic: Routing only specified domains via WireGuard tunnel [SOLVED]
Replies: 21
Views: 9746

Re: Routing only specified domains via WireGuard tunnel [SOLVED]

I have a bit of history with MTU and VPN connections and currently I am using WireGuard and IKEv2. I have now a different way of approaching this while before I did it differently. I am not deciding beforehand what the MTU has to be but I let the other side indicate what fits there. Returning traff...
by msatter
Wed May 18, 2022 4:41 pm
Forum: Beginner Basics
Topic: How to get access to banned sites?
Replies: 13
Views: 2079

Re: How to get access to banned sites?

Thanks sob and then the easy way is change "use-peer-dns" back to exclusively and remove 8.8.8.8 from the DNS settings by pushing the upper triangle after 8.8.8.8 till there are no static entries anymore. You are then using only the DNS provided by the VPN. Having local router DNS go throu...
by msatter
Wed May 18, 2022 3:22 pm
Forum: Beginner Basics
Topic: How to get access to banned sites?
Replies: 13
Views: 2079

Re: How to get access to banned sites?

Then check if it also works for non-censored sites.
by msatter
Wed May 18, 2022 11:44 am
Forum: Beginner Basics
Topic: How to get access to banned sites?
Replies: 13
Views: 2079

Re: How to get access to banned sites?

Have you checked if the PC is using the DNS provided by the router and change this use-peer-dns=exclusively to no
by msatter
Wed May 18, 2022 11:35 am
Forum: Beginner Basics
Topic: converting .backup to plain text
Replies: 19
Views: 15353

Re: converting .backup to plain text

Crossfig is more sturdy so you can try to restore a v6 backup on a device running v7.
by msatter
Tue May 17, 2022 9:03 pm
Forum: RouterBOARD hardware
Topic: Adding a cooling fan to CRS326
Replies: 61
Views: 27892

Re: Adding a cooling fan to CRS326

I would advise to suck the air out instead of blowing in. Create a flow path and that means closing the middle vent holes between the fan and the holes on the other side.

Air will be sucked in and flow without depositing much dust on the components.
by msatter
Mon May 16, 2022 11:13 pm
Forum: RouterOS beta
Topic: PPPoE disconnected doesn't dial up auomatically
Replies: 9
Views: 3799

Re: PPPoE disconnected doesn't dial up auomatically

I have an Internet connection over PPPoE and when I get disconnected I can connect again but have to wait till the server offers a reconnect. This is a window that passes my connection and can take up to 7 minutes. You can press in winbox the blue-V twice, to force a reconnect but that does not work...
by msatter
Mon May 16, 2022 10:42 pm
Forum: Forwarding Protocols
Topic: ICMP Redirect routing cache [SOLVED]
Replies: 7
Views: 1874

Re: ICMP Redirect routing cache [SOLVED]

I don't know that, however I remembered the topics about routing cache in v7.

viewtopic.php?p=929460#p929436
by msatter
Mon May 16, 2022 10:23 pm
Forum: Forwarding Protocols
Topic: ICMP Redirect routing cache [SOLVED]
Replies: 7
Views: 1874

Re: ICMP Redirect routing cache [SOLVED]

In v7, there is no routing cache anymore: viewtopic.php?p=882429#p882429 and read on.
by msatter
Mon May 16, 2022 8:42 pm
Forum: Scripting
Topic: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]
Replies: 17
Views: 6104

Re: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]

hmmm, connection tracking is only interested in marked connections and its own administration. When traffic returns it arrives on the correct WAN and correct port so that is easy work for connection tracking. No magic there. No connection re-marking needed. When you browse different source ports ar...
by msatter
Mon May 16, 2022 7:37 pm
Forum: Scripting
Topic: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]
Replies: 17
Views: 6104

Re: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]

That hash is already there and it is PCC dst-address only. You mark the connection once and connection tracking does the job for you. When you mix ports then there is a new connection but the hash will be the same...the dst-address. You will get an uneven distribution. If you want an even distribution then use...
by msatter
Mon May 16, 2022 7:09 pm
Forum: Scripting
Topic: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]
Replies: 17
Views: 6104

Re: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]

HTTPS works fine with different source addresses. The cause is that where you also login, not all do allow different src-addresses. This forum is a good example of that happening. As soon as you login, you have to use the same src-address or the forum will lose your login. I addressed that by having an ...
by msatter
Mon May 16, 2022 6:00 pm
Forum: General
Topic: PPPOE disconnects - UK FTTC
Replies: 6
Views: 990

Re: PPPOE disconnects - UK FTTC

Best hook up the TP-Link and note which IPv6 address is used there. Only need the first four to see what kind of connection it is.

You can switch off IPv6 in the 750Gr3 and see if it then connects.
by msatter
Mon May 16, 2022 3:51 pm
Forum: Scripting
Topic: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]
Replies: 17
Views: 6104

Re: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]

Good to see that problem has been resolved. Will sleep much better tonight. ;-)

Can you also resolve real life problems like the war in Ukraine?
by msatter
Mon May 16, 2022 1:17 pm
Forum: Scripting
Topic: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]
Replies: 17
Views: 6104

Re: MikroTik PCC and ECMP Load Balancing script Generator over Unequal multi WAN Links [SOLVED]

Replace the six PCC lines by only three, and the last is also a catch-all:

2/1 catches three of six
3/1 catches two of six
-/- catches all (one of six). No PCC needed in that line
by msatter
Mon May 16, 2022 1:01 pm
Forum: General
Topic: PPPOE disconnects - UK FTTC
Replies: 6
Views: 990

Re: PPPOE disconnects - UK FTTC

Complaining about IPv6 not being supported.
11:25:34 pppoe,ppp,debug pppoe-out1: received unsupported protocol 0x8057 
by msatter
Sat May 14, 2022 8:50 pm
Forum: General
Topic: how to kick off hotspot user only if they reach time and data limit
Replies: 5
Views: 1388

Re: how to kick off hotspot user only if they reach time and data limit

If you can define only time limit then use that, because if using and the data limit becomes obsolete.
by msatter
Sat May 14, 2022 4:45 pm
Forum: General
Topic: Feature Request : Browser on Winbox
Replies: 20
Views: 17790

Re: Feature Request : Browser on Winbox

Never used that option. Then, to me browsing webpages inside Winbox looks not very safe.

It would be nice if the help pages could be exported to PDF/Word as a whole and not only one page. That would be nice if you are on location without access to the internet.
by msatter
Sat May 14, 2022 11:59 am
Forum: Beginner Basics
Topic: How to remove a dynamic DNS?
Replies: 17
Views: 6656

Re: How to remove a dynamic DNS?

by msatter
Fri May 13, 2022 9:25 pm
Forum: Beginner Basics
Topic: How to remove a dynamic DNS?
Replies: 17
Views: 6656

Re: How to remove a dynamic DNS?

Any sort of VPN active?
by msatter
Fri May 13, 2022 9:04 pm
Forum: Beginner Basics
Topic: How to remove a dynamic DNS?
Replies: 17
Views: 6656

Re: How to remove a dynamic DNS?

Have you restarted the connection also?
by msatter
Fri May 13, 2022 11:32 am
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

DUH....is DS-lite just a DNS server returning adapted IPv4 addresses in special IPv6 format. The NAT is on the side of the ISP and that takes care of the converting and connecting to the IPv4 only device and return traffic on the IPv6 address of the client. If it is only the DNS rewriting the addre...
by msatter
Fri May 13, 2022 10:38 am
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

The only thing I was interested in was if there was the choice to use a third party DNS. The DNS of the router does not prefer IPv4 or IPv6 but you could create a DNS resolver that only returns IPv6. Or even better DNS64 addresses if they are IPv4 resolved ones. https://github.com/NLnetLabs/unbound/blob/maste...
by msatter
Thu May 12, 2022 10:42 am
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

Can you do the same flushing with this again: :put [:resolve mikrotik.com server=2001:4860:4860::8888] If so then you can use another DNS resolver than the one of t-mobile. Then you still lack the conversion of IPv4 traffic to DS-lite so over the LTE you only can use IPv6. I don't know much about D...
by msatter
Thu May 12, 2022 12:04 am
Forum: Scripting
Topic: Importing IP List from file
Replies: 57
Views: 23757

Re: Importing IP List from file

Follow the link in posting five by me.
by msatter
Wed May 11, 2022 11:52 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

Thanks, it is not what I expected so the next one should certainly not work:
:put [:resolve mikrotik.com server=8.8.8.8]
If it works then the DNS resolver of the router answers the resolve request.

Also clear DNS cache: IP DNS Cache and then click flush.
by msatter
Wed May 11, 2022 11:18 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

So no answer. Then try directly from RouterOS and the command in terminal is:

:put [:resolve mikrotik.com server=2001:4860:4860::8888]

and then

:put [:resolve mikrotik.com server=fd00:976a::9]

I wish you and your family the best of health and that the flu will be over soon.
by msatter
Wed May 11, 2022 8:32 pm
Forum: RouterBOARD hardware
Topic: CCR1009 rack ears
Replies: 2
Views: 1258

Re: CCR1009 rack ears

I only found the item with Linitx.com but they are out of stock.

Write an e-mail to support at mikrotik.com or maybe another member here has some extra.
by msatter
Wed May 11, 2022 8:07 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

So Mikrotik.com has IPv6 and IPv4. Then when you used to ping with the IPv4 address you did not get an answer. This is because, as it has become clear by now, you have DS-lite and Mikrotik does not support that. This only allows IPv6 traffic and you are not able to use IPv4 at all. Was I wrong tha...
by msatter
Wed May 11, 2022 1:51 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

On DS-lite rfc6333 and rfc6334 there is a topic about it, and the needed information can be read out from V7.

viewtopic.php?p=762286

https://help.mikrotik.com/docs/display/ROS/DHCP
by msatter
Wed May 11, 2022 12:14 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

I am really AGAINST DoH in General and DoT instead would please me. DoH should only be used in countries where the people are oppressed and can't have free gathering of information in an other way. After https was introduced, DNS was the most easy way for ISP to log what you do. I am living in a fr...
by msatter
Wed May 11, 2022 1:53 am
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

The Netherlands is a less free country than the USA so you are down to four. Luckily Musk is in your country yanking on the steering wheel to get back to the middle of the road now. When you are back in the middle the other countries will line up also. I am really AGAINST DoH in General and DoT inst...
by msatter
Tue May 10, 2022 10:45 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

Hi, me again. Seen this being done so many times and you can't do anything about it other than taking a different ISP. Normal DNS goes over port 53 TCP/UDP. T-mobile has complete control over those ports and any other DNS resolvers you try to contact are dropped or redirected. As written earlier you can swi...
by msatter
Sun May 08, 2022 2:11 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

If you look at the DNS printout you see that they are dynamic-servers. There is no user input possible there. That is not my point. My point is that t-mobile can control what you can visit (resolved) or not, like the EU/Dutch government is doing in the Netherlands forcing ISPs to filter their DNS. T-...
by msatter
Sun May 08, 2022 1:54 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

I still don't believe that's true. Have had plenty of situations where ping worked from winbox but not from local cmd window. So that does not make sense if your statement would be true. What about webfig then ? Or plain ssh ? I need more info to be convinced of that statement. I am writing about Wi...
by msatter
Sun May 08, 2022 1:48 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

dynamic-servers: 192.0.0.1,fd00:976a::9,fd00:976a::10 Where are you getting 192.0.0.1 from? That's a special-purpose IANA address , not something you should be using on a private LAN, nor for use by T-Mobile. I suspect you could solve your problem simply by configuring the DHCP client on the router...
by msatter
Sun May 08, 2022 1:04 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

Nope, not for DNS in Winbox. Address-list excluded, that resolves inside the router.
by msatter
Sun May 08, 2022 12:50 pm
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

Ping in Winbox is using the DNS of the device you are using to run Winbox.

If you want to test from the router then use :resolve in terminal.
:put [:resolve "www.mikrotik.com"]
by msatter
Sun May 08, 2022 11:32 am
Forum: Beginner Basics
Topic: Can ping IP's/Websites, but no internet. [SOLVED]
Replies: 61
Views: 13314

Re: Can ping IP's/Websites, but no internet. [SOLVED]

You are using the DNS of a device, most likely a modem: 192.0.0.1, fd00:976a::9, fd00:976a::10....these IPv6 DNS servers seem indeed to be used by t-mobile. If t-mobile is blocking DNS requests made to other DNS servers then you could experience what you describe. See: https://www.reddit.com/r/tmob...