BUG v5.12 : firewall - not all params visibile from terminal

RouterOS Beginner Basics
1

I have an RB750GLwith ROS v5.12.

I used the setup wizard from winbox used to create a hotspot.

Can someone tell me how I can view the Extra-Hotspot part of the firewall rules from a terminal using either /ip firewall filter print or export?

From within winbox I see parameters (within the Extra section) such as
Hotspot: !auth
to client

These Extra parameters are completly invisible from within a terminal.

The following is an example of what I see - look at the first 2 rules!

[admin@MikroTik] /ip firewall filter> print dynamic 
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=forward action=jump jump-target=hs-unauth 

 1 D chain=forward action=jump jump-target=hs-unauth-to 

 2 D chain=input action=jump jump-target=hs-input 

 3 D chain=input action=drop protocol=tcp dst-port=64872-64875 

 4 I chain=hs-input action=jump jump-target=pre-hs-input 

 5 D chain=hs-input action=accept protocol=udp dst-port=64872 

 6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 

 7 D chain=hs-input action=jump jump-target=hs-unauth 

 8 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp 

 9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited 

10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
2

Try using “print detail”.

3

Thanks for the reply.

I have tried “print detail”, “print all” and also other combinations: I have never succeeded in seeing the Extra hotspot parameters.

On further investigation, I find within http://wiki.mikrotik.com/wiki/Manual:Customizing_Hotspot it says:

From /ip firewall filter print dynamic command, you can get something like this (comments follow after each of the rules):

0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth

Clearly with v5.12 this does not work. Thus this a ROS bug - I have changed the title accordingly.

4

Does export show them?

5

No:

[admin@MikroTik] /ip firewall filter> export 
# feb/04/2012 08:25:32 by RouterOS 5.12
# software id = 8XH3-XH53
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
[admin@MikroTik] /ip firewall filter>

“export” only shows 1 rule whilst “print all” shows 11 (the one shown by export together with the 10 dynamic ones).

Neither export nor print show the Extra Hotspot parameters.

As an experiment I also introduced a new filter firewall rule from Winbox in which I set the Extra Hotspot params by hand. “export” now shows:

[admin@MikroTik] /ip firewall filter> export        
# feb/04/2012 08:38:20 by RouterOS 5.12
# software id = 8XH3-XH53
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=forward comment=test disabled=no
[admin@MikroTik] /ip firewall filter>

Thus “export” not only does not show the dynamic rules but neither does it show the Extra params.

6

Yeah, sorry, my brain was only half working, export never includes dynamic stuff. The print thing sounds like a bug you should report to MikroTik support.

7

Sorry, how do I report the bug? I thought that it was enough to write on the forum.

8

Yeah, I have similar problem with export, I can’t export tcp-flags

Saludos

9

See their disclaimer from the top of the front page - “Notice: For support from Mikrotik staff, write to support@mikrotik.com - Mikrotik does not generally offer support on the forum, this is a user forum” Also see - http://www.mikrotik.com/support.html

I’ve always been a bit surprised that they don’t have some kind of web based bug reporting/tracking system for users, but email seems to be the only way.

10

Thankyou, I’ll do it.

11

I have sent the following to support@mikrotik.com and from which I obtained Ticket#2012020566000092:

Subject: RouterOS v5.12 Bug Report: TCP Flags and Hotspot firewall settings cannot be viewed from CLI.

This mail is to inform you of a bug in RouterOS v5.12. I have not used any previous version and so I am unable to say whether it exists also in those versions.

I have an RB750GL with ROS v5.12.

One other forum poster has confirmed that he too has the same issue.

Description

It is not possibile from the cli to print or export the firewall settings for Advanced: TCP flags and Extra: Hotspot. Filter, NAT, and Mangle are all impacted. Other settings may also be affected.

This means that verification of the firewall rules can only be done via Winbox and clicking on each and every rule and then on each tab within the rule.


Evidence

The bug can be reproduced by creating manually via Winbox a Firewall rule of filter, NAT or mangle and, where applicable, setting the following:
Advanced: TCP flags
Extra: Hotspot

These settings are can not be shown from the command line when using export, print detail, print all, etc

I first noticed the problem by examining the dynamic firewall rules created by the Hotspot wizard. Without seeing the Hotspot settings they are incomprehensible. Here are the first few lines:

[admin@MikroTik] /ip firewall filter> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=jump jump-target=hs-unauth
1 D chain=forward action=jump jump-target=hs-unauth-to

Note that the Manual at > http://wiki.mikrotik.com/wiki/Manual:Customizing_Hotspot > says:

From /ip firewall filter print dynamic command, you can get something like this (comments follow after each of the rules):
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth

Some aspects of the bug have been discussed on the forum at: > http://forum.mikrotik.com/t/bug-v5-12-firewall-not-all-params-visibile-from-terminal/53937/1

If you need any further information please do not hesitate to ask

12

Received the following reply from MikroTik support:

Thank you very much for the report.
We are aware of the problem, we will try to fix it in the next RouterOS version.

13

I have installed v5.13 and I have verified that the problem has been fixed.

Thankyou Mikrotik!