Key Handshake Timeout

Running an hAP ax3 with wifiwave2 on 7.12, and all was working perfectly for weeks. Then, with no config changes to the router or to the environment, one and only one device (an Ecobee smart thermostat) stopped working, with "key handshake timeout" in the logs.

I upgraded to 7.13beta2 but that did not change anything.

I tried enabling FT, disabling PMKID, Management Protection, and Skip DFS Channels set to ALL as well as DISABLED, etc., on both the master and slave wifi interfaces.

I am 100 miles from the site, so I am unable to power cycle the thermostat, but it is clearly trying to connect.

 02:46:35 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:46:36 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:46:42 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:46:43 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:46:49 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:46:49 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:46:55 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:46:56 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:47:02 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:47:03 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:47:09 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:47:10 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:47:16 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:47:16 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:47:23 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:47:23 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:47:29 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:47:30 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:47:36 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:47:37 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:47:43 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:47:44 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -49
 02:47:50 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -52
 02:47:50 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:47:56 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:47:57 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:48:03 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:48:04 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:48:10 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:48:11 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:48:17 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -53
 02:48:17 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:48:24 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:48:24 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:48:30 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:48:31 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:48:37 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
 02:48:38 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
 02:48:44 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -52

Here’s my export:

# 2023-11-24 02:54:22 by RouterOS 7.13beta2
# software id = I91B-8C6D
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HDF
/interface bridge
add admin-mac=18:Fxxxxx auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    disabled .width=20/40/80mhz configuration.country="United States" .mode=\
    ap .ssid=76-5ghz disabled=no security.authentication-types=wpa2-psk \
    steering.rrm=no .wnm=no
set [ find default-name=wifi2 ] channel.band=2ghz-g .skip-dfs-channels=all \
    .width=20mhz configuration.country="United States" .mode=ap .ssid=76-2ghz \
    disabled=no security.authentication-types=wpa2-psk .disable-pmkid=no \
    steering.rrm=no .wnm=no
/interface wireguard
add listen-port=51830 mtu=1420 name=wireguard1
/interface wifi
add configuration.country="United States" .mode=ap .ssid=2point4 disabled=no \
    mac-address=1A:FD:74:FE:87:EA master-interface=wifi2 name=2point4 \
    security.authentication-types=wpa2-psk steering.rrm=no .wnm=no
add configuration.country="United States" .mode=ap .ssid=Guest disabled=no \
    mac-address=1A:FD:74:FE:87:E8 master-interface=wifi1 name=Guest-wifi1 \
    security.authentication-types=wpa2-psk steering.rrm=no .wnm=no
add configuration.country="United States" .mode=ap .ssid=Guest disabled=no \
    mac-address=1A:FD:74:FE:87:E9 master-interface=wifi2 name=Guest-wifi2 \
    security.authentication-types=wpa2-psk steering.rrm=no .wnm=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add include=LAN,WAN name=ALL
add name=TRUSTED
/interface wifi security
add authentication-types=wpa2-psk disabled=yes name=common-auth wps=disable
/interface wifi
add configuration.mode=station .ssid=tasmota-DEA63D-1597 mac-address=\
    1A:FD:74:FE:87:EB master-interface=wifi2 name=Tasmota-connect security=\
    common-auth security.authentication-types=""
/ip pool
add name=default-dhcp ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-script="\r\
    \n\r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n\r\
    \n:local thistime [/system clock get time]\r\
    \n:local thishour [:pick \$thistime 0 2]\r\
    \n:local thisminute [:pick \$thistime 3 5]\r\
    \n:local thissecond [:pick \$thistime 6 8]\r\
    \n:local identitydatetime \"\$[identity get name]_\$yyyy-\$MM-\$dd_\$thish\
    our:\$thisminute:\$thissecond\"\r\
    \n:local datetime \"\$yyyy-\$MM-\$dd_\$thishour:\$thisminute:\$thissecond\
    \"\r\
    \n:local systemname \"\$[identity get name]\"\r\
    \n\r\
    \n:if (\$leaseBound=1) do={\r\
    \n\r\
    \n  :log info \"testing after condition BOUND\" }\r\
    \n\r\
    \n:if  ([/ip dhcp-server lease find where dynamic mac-address=\$leaseActMA\
    C]!=\"\") do={\r\
    \n\r\
    \n  :log info \"testing after condition DYNAMIC\"}\r\
    \n\r\
    \n:local recipient \"j@nnn.com\"\r\
    \n\r\
    \n:if  ((\$leaseBound=1)  && ([/ip dhcp-server lease find where dynamic ma\
    c-address=\$leaseActMAC]!=\"\")) do={\r\
    \n\r\
    \n    :log info \"testing after conditions BOUND and DYNAMIC\" \r\
    \n\r\
    \n    :tool e-mail send to=\$recipient subject=\"\$systemname DHCP Lease A\
    ssigned to \$leaseActMAC\" body=\"MAC address \$leaseActMAC received IP ad\
    dress \$leaseActIP with a hostname of \$[/ip/dhcp-server/lease/get value-n\
    ame=host-name [find where mac-address=\$leaseActMAC]] from DHCP Server \$l\
    easeServerName on \$datetime from \$systemname\"\r\
    \n\r\
    \n    :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
    \n\r\
    \n}\r\
    \n\r\
    \n" lease-time=12h name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=Guest-wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=Guest-wifi2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=2point4 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=ALL
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=TRUSTED
add interface=ether1 list=TRUSTED
add interface=wireguard1 list=LAN
/interface wifi access-list
add action=accept comment="76 LR TV" disabled=no mac-address=\
    48:9E:9D:07:E3:C2
add action=accept comment="76 Front Deck Switch Tasmota" disabled=no \
    mac-address=C4:5B:BE:DF:1B:A9
add action=accept comment="76 Entryway switch tasmota-DEA63D-1597" disabled=\
    no mac-address=C4:5B:BE:DE:A6:3D
add action=accept comment=THR316 disabled=no mac-address=C0:49:EF:F7:BA:0C
add action=accept comment="Shelly1 switch to THR316 Equipment" disabled=no \
    mac-address=34:94:54:6A:7C:36
/interface wireguard peers
add allowed-address=10.10.100.1/24,192.168.2.0/24 comment=212 \
    endpoint-address=xxxxx.dyndns.org endpoint-port=51820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "xx2xxxxXrW4Ds="
add allowed-address=10.10.90.0/24,192.168.88.0/24 comment=\
    "WG client on BI PC" interface=wireguard1 public-key=\
    "R5Sxxxxjt9TV4="
add allowed-address=10.10.100.8/32 comment=Laptop interface=wireguard1 \
    public-key="DcTpxxxxQqFSxc="
add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=\
    "355 hEX being UDM" endpoint-address=xxxx.dyndns.org endpoint-port=\
    51833 interface=wireguard1 persistent-keepalive=40s public-key=\
    "Q8CPxxxxx5omLZq3g="
add allowed-address=10.10.100.60/32,192.168.1.0/24 comment=\
    "255 Hex behind UDM" endpoint-address=xxxx.dyndns.org \
    endpoint-port=51835 interface=wireguard1 persistent-keepalive=40s \
    public-key="6E3qxxxxxPMwbRc="
add allowed-address=\
    10.10.100.2/32,192.168.40.0/24,192.168.40.0/24,10.10.100.40/32 comment=\
    371 endpoint-address=xxxxx.dyndns.org endpoint-port=52820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "zoZxxxxlohI="
add allowed-address=192.168.30.0/24,10.10.100.30/32 disabled=yes \
    endpoint-address=xxxxx.dyndns.org endpoint-port=51830 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "EJxxxxxgUic="
add allowed-address=10.10.100.70/32,192.168.70.0/24 comment=125 \
    endpoint-address=xxxx.dyndns.org endpoint-port=51870 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "OtpxxxxxayGqT8="
/ip address
add address=10.10.100.30/24 interface=wireguard1 network=10.10.100.0
add address=192.168.30.2/24 interface=bridge network=192.168.30.0
add address=192.168.4.2/24 interface=Tasmota-connect network=192.168.4.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
add disabled=yes interface=Tasmota-connect
/ip dhcp-server lease
add address=192.168.30.197 client-id=1:c0:49:ef:f7:ba:c comment="THR316 76" \
    mac-address=C0:49:EF:F7:BA:0C server=defconf
add address=192.168.30.189 comment="Shelly1 switch to THR316 Equipment" \
    mac-address=34:94:54:6A:7C:36 server=defconf
add address=192.168.30.196 comment="76 Entryway switch tasmota-DEA63D-1597" \
    mac-address=C4:5B:BE:DE:A6:3D server=defconf
add address=192.168.30.134 comment="76 Front Deck Switch Tasmota" \
    mac-address=C4:5B:BE:DF:1B:A9 server=defconf
add address=192.168.30.133 comment="Emporia Vue 76" mac-address=\
    0C:B8:15:2C:A8:A4 server=defconf
add address=192.168.30.130 comment="76 LR TV" mac-address=48:9E:9D:07:E3:C2 \
    server=defconf
add address=192.168.30.128 client-id=1:c0:49:ef:60:7a:c comment=\
    "THR316 76 Water" mac-address=C0:49:EF:60:7A:0C server=defconf
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.30.2
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=10.10.100.30 comment=defconf name=76-10.10.100.30.local
add address=192.168.30.2 comment=defconf name=76.local
add address=192.168.30.101 comment="automatic-from-dhcp (magic comment)" \
    name=espressif.76.local ttl=15m
add address=192.168.30.189 comment="automatic-from-dhcp (magic comment)" \
    name=shelly1-3494546A7C36.76.local ttl=15m
add address=192.168.30.196 comment="automatic-from-dhcp (magic comment)" \
    name=tasmota-DEA63D-1597.76.local ttl=15m
add address=192.168.30.134 comment="automatic-from-dhcp (magic comment)" \
    name=tasmota-DF1BA9-7081.76.local ttl=15m
add address=192.168.30.133 comment="automatic-from-dhcp (magic comment)" \
    name=Emporia.76.local ttl=15m
add address=192.168.30.131 comment="automatic-from-dhcp (magic comment)" \
    name=76.76.local ttl=15m
/ip firewall address-list
add address=xxxx.dyndns.org list=mtdale
add address=xxxx.dyndns.org list=212
add address=IP-local-admin-destkop list=authorized
add address=IP-local-admin-laptop list=authorized
add address=xxxx.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=admin
add address=10.10.100.0/24 list=admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=51830 protocol=udp
add action=accept chain=input comment="Alow wireguard to router" \
    in-interface=wireguard1
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="REMOVE\?" src-address-list=admin
add action=accept chain=input src-address-list=212
add action=accept chain=input src-address-list=mtdale
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow WG to subnet" disabled=yes \
    dst-address=192.168.1.0/24 in-interface=wireguard1
add action=accept chain=forward disabled=yes in-interface=wireguard1 \
    protocol=udp
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allow wireguard to subnet" disabled=\
    yes dst-address=192.168.30.0/24 in-interface=wireguard1
add action=accept chain=forward comment="Allow wireguard to subnet" \
    in-interface=wireguard1
add action=accept chain=forward comment="Allow subnet to enter WG" \
    out-interface=wireguard1
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 log=yes protocol=tcp \
    to-addresses=192.168.4.1 to-ports=80
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.4.0/24 log=\
    yes to-addresses=192.168.4.2
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.40.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.70.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.20.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip ssh
set forwarding-enabled=both
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=yes list=\
    bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=yes list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=yes list=\
    bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=yes \
    list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=yes list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=yes list=\
    bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=yes list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=yes list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=yes list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" disabled=yes \
    protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." disabled=yes dst-port=\
    546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" disabled=yes \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes \
    protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=\
    yes protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" disabled=yes src-address-list=\
    bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" disabled=yes \
    protocol=139
add action=accept chain=forward comment="defconf: accept IKE" disabled=yes \
    dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=\
    yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=\
    yes protocol=ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] disabled=yes
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=76
/system logging
add topics=event
add topics=account
add topics=firewall
add topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=3.pool.ntp.org
/system package update
set channel=development
/system scheduler
add interval=1d name=dyndns on-event=dyndns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-10-18 start-time=21:25:36
add interval=10m name=WG-iface-restart on-event=WG-iface-restart policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-03-11 start-time=13:29:33
add interval=3d name=export-download on-event=export-download policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-06-22 start-time=01:59:47
add disabled=yes interval=5d name=iplist on-event=IPlist policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-04-10 start-time=06:49:31
add interval=2d name=dynamic-data-rextended on-event=dynamic-data-rextended \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-09-30 start-time=02:58:29
/system script
add dont-require-permissions=no name=dyndns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\r\
    \n/export show-sensitive file=\"\$identitydate\"\r\
    \n\r\
    \n# Export public IP and mail it\r\
    \n\r\
    \n/ip/address print file=\"IP-\$identitydate\"\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"IP-\$[\$identitydate\
    ].txt\" dst-path=\"/mikrotik-backups/IP-\$[\$identitydate].txt\" address=1\
    92.168.2.22 port=21 user=xxx password=xxx\r\
    \n\r\
    \n/file remove \"IP-\$[\$identitydate].txt\"\r\
    \n\r\
    \n# Set needed variables\r\
    \n\t:local username \"xxxx\"\r\
    \n\t:local clientkey \"9ac4xxx3aa78bc3\"\r\
    \n\t:local hostname \"xxxx.dyndns.org\"\r\
    \n\r\
    \n\t:global dyndnsForce\r\
    \n\t:global previousIP\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n\t/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" ds\
    t-path=\"/dyndns.checkip.html\"\r\
    \n\t:delay 1\r\
    \n\t:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n\t:local resultLen [:len \$result]\r\
    \n\t:local startLoc [:find \$result \": \" -1]\r\
    \n\t:set startLoc (\$startLoc + 2)\r\
    \n\t:local endLoc [:find \$result \"</body>\" -1]\r\
    \n\t:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n\t:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n#:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details https://help.dyn.com/remote-access\
    -api/perform-update/\r\
    \n\t:log info \"UpdateDynDNS: previousIP = \$previousIP\"\r\
    \n\t:if (\$dyndnsForce = true) do={ :log warning \"UpdateDynDNS: Forced up\
    date on\" }\r\
    \n\r\
    \n\t:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n\t\t:set dyndnsForce false\r\
    \n\t\t:set previousIP \$currentIP\r\
    \n\r\
    \n\t\t/tool fetch mode=https \\\r\
    \n\t\turl=\"https://\$username:\$clientkey@members.dyndns.org/v3/update\?h\
    ostname=\$hostname&myip=\$currentIP\" \\ \r\
    \n\t\tdst-path=\"/dyndns.txt\"\r\
    \n\r\
    \n\t\t:delay 1\r\
    \n\t\t:local result [/file get dyndns.txt contents]\r\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n\t\t:put (\"Dyndns Update Result: \".\$result)\r\
    \n\t} else={\r\
    \n\t\t:log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n\t}\r\
    \n\r\
    \n"
add dont-require-permissions=no name=export-download owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n\r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\r\
    \n/export show-sensitive file=\"\$identitydate\"\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/\$[\$identitydate].\
    rsc\" dst-path=\"/mikrotik-backups/\$[\$identitydate].rsc\" address=192.16\
    8.2.22 port=21 user=mikrotik password=xxx\r\
    \n\r\
    \n/file remove \"\$[\$identitydate]\""
add dont-require-permissions=no name=WG-iface-restart owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    foreach i in=[/interface/wireguard/peers/find where disabled=no endpoint-a\
    ddress~\"[a-z]\\\$\"] do={\r\
    \n  :local LastHandshake [/interface/wireguard/peers/get \$i last-handshak\
    e]\r\
    \n  :if (([:tostr \$LastHandshake] = \"\") or (\$LastHandshake > [:totime \
    \"5m\"])) do={\r\
    \n   \r\
    \n     :log info \"WG-iface-restart script found WG peers with last handsh\
    ake greater than 5 minutes; then reset the endpoint-address to reload dns \
    of endpoint\"\r\
    \n\r\
    \n    /interface/wireguard/peers/set \$i endpoint-address=[/interface/wire\
    guard/peers/get \$i endpoint-address]\r\
    \n\r\
    \n   :local endpoint [/interface/wireguard/peers/get \$i endpoint-address]\
    \r\
    \n   :log info \"WG-iface-restart script found WG peer with last handshake\
    \_greater than 5 minutes; then reset the endpoint-address to reload dns of\
    \_endpoint:  \$endpoint\"\r\
    \n\r\
    \n  }\r\
    \n}\r\
    \n"
add dont-require-permissions=no name=IPlist owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Export public IP and mail it\r\
    \n\r\
    \n/ip/address print file=\"76-IP-\$[\$nowdate]\"\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"76-IP-\$[\$nowdate].\
    txt\" dst-path=\"/mikrotik-backups/76-IP-\$[\$nowdate].txt\" address=192.1\
    68.2.22 port=21 user=xxxx password=xxxx\r\
    \n\r\
    \n/file remove \"76-IP-\$[\$nowdate].txt\""
add dont-require-permissions=no name="Get Date-Time" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local isodateonly do={\r\
    \n    /system clock\r\
    \n    :local vdate [get date]\r\
    \n    :local vdoff [:toarray \"0,4,5,7,8,10\"]\r\
    \n    :local MM    [:pick \$vdate (\$vdoff->2) (\$vdoff->3)]\r\
    \n    :local M     [:tonum \$MM]\r\
    \n    :if (\$vdate ~ \".../../....\") do={\r\
    \n        :set vdoff [:toarray \"7,11,1,3,4,6\"]\r\
    \n        :set M     ([:find \"xxanebarprayunulugepctovecANEBARPRAYUNULUGE\
    PCTOVEC\" [:pick \$vdate (\$vdoff->2) (\$vdoff->3)] -1] / 2)\r\
    \n        :if (\$M>12) do={:set M (\$M - 12)}\r\
    \n        :set MM    [:pick (100 + \$M) 1 3]\r\
    \n    }\r\
    \n    :local yyyy [:pick \$vdate (\$vdoff->0) (\$vdoff->1)]\r\
    \n    :local dd   [:pick \$vdate (\$vdoff->4) (\$vdoff->5)]\r\
    \n    :return \"\$yyyy-\$MM-\$dd\"\r\
    \n}\r\
    \n\r\
    \n:put \$[\$yyyy-\$MM-\$dd]"
add dont-require-permissions=yes name="Get Date-Time 2" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global simplercurrdatetimestr do={\r\
    \n    /system clock\r\
    \n    :local vdate [get date]\r\
    \n    :local vtime [get time]\r\
    \n    :local vdoff [:toarray \"0,4,5,7,8,10\"]\r\
    \n    :local MM    [:pick \$vdate (\$vdoff->2) (\$vdoff->3)]\r\
    \n    :local M     [:tonum \$MM]\r\
    \n    :if (\$vdate ~ \".../../....\") do={\r\
    \n        :set vdoff [:toarray \"7,11,1,3,4,6\"]\r\
    \n        :set M     ([:find \"xxanebarprayunulugepctovecANEBARPRAYUNULUGE\
    PCTOVEC\" [:pick \$vdate (\$vdoff->2) (\$vdoff->3)] -1] / 2)\r\
    \n        :if (\$M>12) do={:set M (\$M - 12)}\r\
    \n        :set MM    [:pick (100 + \$M) 1 3]\r\
    \n    }\r\
    \n    :local yyyy [:pick \$vdate (\$vdoff->0) (\$vdoff->1)]\r\
    \n    :local dd   [:pick \$vdate (\$vdoff->4) (\$vdoff->5)]\r\
    \n    :local HH   [:pick \$vtime 0  2]\r\
    \n    :local mm   [:pick \$vtime 3  5]\r\
    \n    :local ss   [:pick \$vtime 6  8]\r\
    \n\r\
    \n    :return \"\$yyyy-\$MM-\$dd \$HH:\$mm:\$ss\"\r\
    \n}\r\
    \n\r\
    \n:put [\$simplercurrdatetimestr]\r\
    \n\r\
    \n:put [\$yyyy]\r\
    \n\r\
    \n"
add comment=test dont-require-permissions=yes name=test owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n\r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\r\
    \n:local identity \"\$[identity get name]\"\r\
    \n:local Host \$host\r\
    \n:local Status [get [find where host=\"\$Host\"] status]\r\
    \n:local Interval [get [find where host=\"\$Host\"] interval]\r\
    \n\r\
    \n:log info \"script=netwatch watch_host=\$Host comment=\\\"\$Comment\\\" \
    status=\$Status interval=\$Interval\"\r\
    \n\r\
    \n:tool e-mail send to=j@nnn.com subject=\"\$identity \$Statu\
    s\" body=( \"\$Host\" )"
add dont-require-permissions=no name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local arrMonths {jan=\"01\";feb=\"02\";mar=\"03\";apr=\"04\";may=\"05\";ju\
    n=\"06\";jul=\"07\";aug=\"08\";sep=\"09\";oct=\"10\";nov=\"11\";dec=\"12\"\
    }\r\
    \n:local today [/system clock get date]\r\
    \n:local dateinside \"\$[:pick \$today 7 11]-\$(\$arrMonths->[:pick \$toda\
    y 1 3])-\$[:pick \$today 4 6]\"\r\
    \n:local backupfile \"\$[/system identity get name]_\$dateinside_\$[/syste\
    m clock get time]_\$[/system resource get uptime].backup\""
add dont-require-permissions=no name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local thisBox [/system identity get name];\r\
    \n\r\
    \n:global simplercurrdatetimestr do={\r\
    \n    /system clock\r\
    \n    :local vdate [get date]\r\
    \n    :local vtime [get time]\r\
    \n    :local vdoff [:toarray \"0,4,5,7,8,10\"]\r\
    \n    :local MM    [:pick \$vdate (\$vdoff->2) (\$vdoff->3)]\r\
    \n    :local M     [:tonum \$MM]\r\
    \n    :if (\$vdate ~ \".../../....\") do={\r\
    \n        :set vdoff [:toarray \"7,11,1,3,4,6\"]\r\
    \n        :set M     ([:find \"xxanebarprayunulugepctovecANEBARPRAYUNULUGE\
    PCTOVEC\" [:pick \$vdate (\$vdoff->2) (\$vdoff->3)] -1] / 2)\r\
    \n        :if (\$M>12) do={:set M (\$M - 12)}\r\
    \n        :set MM    [:pick (100 + \$M) 1 3]\r\
    \n    }\r\
    \n    :global yyyy [:pick \$vdate (\$vdoff->0) (\$vdoff->1)]\r\
    \n    :local dd   [:pick \$vdate (\$vdoff->4) (\$vdoff->5)]\r\
    \n    :local HH   [:pick \$vtime 0  2]\r\
    \n    :local mm   [:pick \$vtime 3  5]\r\
    \n    :local ss   [:pick \$vtime 6  8]\r\
    \n\r\
    \n    :return \"\$yyyy-\$MM-\$dd-\$HH:\$mm:\$ss\"\r\
    \n}\r\
    \n\r\
    \n#:put [\$simplercurrdatetimestr]\r\
    \n\r\
    \n\r\
    \n#:tool e-mail send to=xx@xxx.com subject=\"\$thisBox UP\" bo\
    dy=( \$simplercurrdatetimestr \$thisBox UP to 24.168.72.1\" )\r\
    \n\r\
    \n:tool e-mail send to=xx@xxx.com subject=\"\$thisBox UP\" bod\
    y=(\$simplercurrdatetimestr)"
add dont-require-permissions=no name=dynamic-data-rextended owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/system\r\
    \n:local identitydate \"\$[identity get name]_\$[clock get date]\"\r\
    \n:local stringexec   \"/system iden print; :put \\\"\\\\r\\\\n\\\"; /ip c\
    loud pri; :put \\\"\\\\r\\\\n\\\";  /ip dhcp-server lease pri det; :put \\\
    \"\\\\r\\\\n\\\"; /int bridge host pri det\"\r\
    \n\r\
    \n:if ([:len [/system package find where name=\"wifiwave2\"]] > 1) do={\r\
    \n    :set stringexec \"\$stringexec; :put \\\"\\\\r\\\\n\\\" /int wifiwav\
    e2 reg pri det\"\r\
    \n} \r\
    \n\r\
    \n:if ([:len [/system package find where name=\"wifiwave2\"]] > 1) do={\r\
    \n    :set stringexec \"\$stringexec; :put \\\"\\\\r\\\\n\\\" /int wireles\
    s reg pri det\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n/file remove [find where name=tmpresults.txt]\r\
    \n:delay 1s\r\
    \n:execute \$stringexec file=tmpresults.txt\r\
    \n:delay 2s\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no address=192.168.2.22 port=21 us\
    er=mikrotik password=xxx \\\r\
    \n    src-path=tmpresults.txt dst-path=\"/mikrotik-backups/\$identitydate-\
    dynamicdata.txt\"\r\
    \n\r\
    \n/file remove [find where name=tmpresults.txt]"
add dont-require-permissions=no name="DHCP to DNS" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_SPDX-License-Identifier: CC0-1.0\
    \n\r\
    \n\r\r\r\r\
    \n\r\
    \n\r\r:local domains [:toarray \"76.local\"]\
    \n\r\
    \n\r\r:local dnsttl \"15m\"\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:local magiccomment \"automatic-from-dhcp (magic comment)\"\
    \n\r\
    \n\r\r:local activehosts [:toarray \"\"]\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:foreach lease in [/ip dhcp-server lease find] do={\
    \n\r\
    \n\r\r  :local hostname [/ip dhcp-server lease get value-name=host-name \$\
    lease]\
    \n\r\
    \n\r\r  :local hostaddr [/ip dhcp-server lease get value-name=address \$le\
    ase]\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r  :if ([:len \$hostname] > 0) do={\
    \n\r\
    \n\r\r    :foreach domain in \$domains do={\
    \n\r\
    \n\r\r      :local regdomain \"\$hostname.\$domain\"\
    \n\r\
    \n\r\r      :set activehosts (\$activehosts, \$regdomain)\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r      :if ([:len [/ip dns static find where name=\$regdomain]] = 0) \
    do={\
    \n\r\
    \n\r\r        /ip dns static add name=\$regdomain address=\$hostaddr comme\
    nt=\$magiccomment ttl=\$dnsttl\
    \n\r\
    \n\r\r      } else={\
    \n\r\
    \n\r\r        :if ([:len [/ip dns static find where name=\$regdomain comme\
    nt=\$magiccomment]] = 1) do={\
    \n\r\
    \n\r\r          /ip dns static set address=\$hostaddr [/ip dns static find\
    \_name=\$regdomain comment=\$magiccomment]\
    \n\r\
    \n\r\r        }\
    \n\r\
    \n\r\r      }\
    \n\r\
    \n\r\r    }\
    \n\r\
    \n\r\r  }\
    \n\r\
    \n\r\r}\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:foreach dnsentry in [/ip dns static find where comment=\$magiccomme\
    nt] do={\
    \n\r\
    \n\r\r  :local hostname [/ip dns static get value-name=name \$dnsentry]\
    \n\r\
    \n\r\r  :if ([:type [:find \$activehosts \$hostname]] = \"nil\") do={\
    \n\r\
    \n\r\r    /ip dns static remove \$dnsentry\
    \n\r\
    \n\r\r  }\
    \n\r\
    \n\r\r}\
    \n\r\
    \n\r\r"
/tool e-mail
set from=j@nnn.com port=587 server=smtp.gmail.com tls=starttls \
    user=j@nnn.com
/tool graphing interface
add
add interface=wireguard1
add interface=bridge
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=ALL
/tool mac-server mac-winbox
set allowed-interface-list=ALL
/tool netwatch
add disabled=yes down-script=":local thisBox [/system identity get name];\r\
    \n\r\
    \n:tool e-mail send to=j@nnn.com subject=\"\$thisBox DOWN\" b\
    ody=( [ :system clock get date ] . \" \" . [ :system clock get time ] . \"\
    \$thisBox DOWN to 192.168.2.2\" )" host=192.168.2.2 http-codes="" \
    interval=10s test-script="" thr-avg=200ms thr-loss-count=10 type=simple \
    up-script=":local thisBox [/system identity get name];\r\
    \n\r\
    \n:tool e-mail send to=j@nnn.com subject=\"\$thisBox UP\" bod\
    y=( [ :system clock get date ] . \" \" . [ :system clock get time ] . \"\$\
    thisBox UP to 192.168.2.2\" )"
add disabled=yes down-script="" host=66.dddd http-codes="" interval=10s \
    test-script="" type=simple up-script=""
add disabled=yes down-script="" host=192.168.88.1 http-codes="" interval=10s \
    test-script="" type=simple up-script=""
add disabled=yes down-script=":local thisBox [/system identity get name];\r\
    \n\r\
    \n:tool e-mail send to=j@nnn.com subject=\"\$thisBox DOWN\" b\
    ody=( [ :system clock get date ] . \" \" . [ :system clock get time ] . \"\
    \$thisBox DOWN to 8.8.8.8\" )\r\
    \n" host=8.8.8.8 http-codes="" interval=10s test-script="" type=simple \
    up-script=":local thisBox [/system identity get name];\r\
    \n\r\
    \n:tool e-mail send to=j@nnn.com subject=\"\$thisBox UP\" bod\
    y=( [ :system clock get date ] . \" \" . [ :system clock get time ] . \"\$\
    thisBox UP to 8.8.8.8\" )"
add disabled=no down-script="\r\
    \n\r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\r\
    \n:local identity \"\$[identity get name]\"\r\
    \n/tool netwatch\r\
    \n:local Host \$host\r\
    \n:local Status [get [find where host=\"\$Host\"] status]\r\
    \n:local Interval [get [find where host=\"\$Host\"] interval]\r\
    \n\r\
    \n:log info \"script=netwatch watch_host=\$Host comment=\\\"\$Comment\\\" \
    status=\$Status interval=\$Interval\"\r\
    \n\r\
    \n:tool e-mail send to=j@nnn.com subject=\"\$identity \$Statu\
    s\" body=( \"\$Status \$Host \$identitydate\" )" host=2xxxx1 \
    http-codes="" interval=5m test-script="" type=simple up-script="\r\
    \n\r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\r\
    \n:local identity \"\$[identity get name]\"\r\
    \n/tool netwatch\r\
    \n:local Host \$host\r\
    \n:local Status [get [find where host=\"\$Host\"] status]\r\
    \n:local Interval [get [find where host=\"\$Host\"] interval]\r\
    \n\r\
    \n:log info \"script=netwatch watch_host=\$Host comment=\\\"\$Comment\\\" \
    status=\$Status interval=\$Interval\"\r\
    \n\r\
    \n:tool e-mail send to=j@nnn.com subject=\"\$identity \$Statu\
    s\" body=( \"\$Status \$Host \$identitydate\" )"
/tool romon
set enabled=yes
/tool sniffer
set filter-mac-address=44:61:32:D7:94:A7/FF:FF:FF:FF:FF:FF

What is going on? Anything I can do?

Thank you.

Could it be that the thermostat got an over-the-air update which failed to apply cleanly?

I had someone go to the location and power cycle (pull out, pause, insert) the Ecobee and now it works.

So, it very well could have been a firmware upgrade to the Ecobee. But, I am not certain.

I have logging enabled for wireless, but all it shows is “disassociated, key handshake timeout”.

I wonder if capturing the packets might explain more about where and how the connection was failing.
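As an added example (not code from the thread or from MikroTik), here is a small Python parser for the RouterOS `wireless,debug` association lines quoted above, with a detector that flags any client whose "key handshake timeout" disassociations repeat inside a short window; the sample log and the second MAC address are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RouterOS 'wireless,debug' association line:
#   HH:MM:SS wireless,debug <MAC>@<iface> <event>[, <reason>], signal strength <dBm>
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) wireless,debug (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"@(?P<iface>\S+) (?P<event>associated|disassociated)(?:, (?P<reason>[^,]+))?"
    r", signal strength (?P<signal>-?\d+)$")

# Constructed sample log (not from the thread): one looping client, one healthy client.
SAMPLE_LOG = """\
03:10:05 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
03:10:06 wireless,debug 44:61:32:D7:94:A7@2point4 associated, signal strength -48
03:10:12 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -47
03:10:19 wireless,debug 44:61:32:D7:94:A7@2point4 disassociated, key handshake timeout, signal strength -46
03:15:40 wireless,debug AA:BB:CC:00:11:22@2point4 disassociated, extensive data loss, signal strength -75
"""

def parse_line(line):
    """Parsed fields of one association/disassociation line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")  # log lines carry no date
    rec["signal"] = int(rec["signal"])
    return rec

def find_handshake_loops(log_text, window_s=60, threshold=3):
    """MAC -> summary for clients with >= `threshold` handshake timeouts inside one sliding window."""
    window, timeouts = timedelta(seconds=window_s), defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] == "disassociated" and rec["reason"] == "key handshake timeout":
            timeouts[rec["mac"]].append(rec)
    flagged = {}
    for mac, recs in timeouts.items():
        start = 0
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1  # drop timeouts that fell out of the window
            if end - start + 1 >= threshold:
                run = recs[start:end + 1]
                flagged[mac] = {"iface": run[0]["iface"], "count": len(recs),
                                "first": run[0]["time"].strftime("%H:%M:%S"),
                                "last": run[-1]["time"].strftime("%H:%M:%S"),
                                "avg_signal": sum(r["signal"] for r in run) / len(run)}
                break
    return flagged
```

A strong, steady signal on the flagged client (as in the summary's `avg_signal`) points at the 4-way handshake itself rather than at radio conditions, which is the cue to move from the AP log to a packet capture.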

It can be beneficial to have an additional device with a spare WiFi card to sniff raw Wireless traffic between the AP and clients as it may help to determine the culprit and capture evidence for warranty and service requests.

Practically speaking, it makes more sense to disable all automatic updates and only perform them when someone is on premises.

Turns out that the Ecobee thermostat gets upgraded/updated by push and there is no way to disable it.

I confirmed this with Ecobee tech support, and when I went to an Ecobee user group to see if there was a way, people thought I was crazy for not wanting the automatic updates.

Can’t even schedule the Ecobee to reboot every x hours/days. Nor is there a watchdog facility.

Same thing with Sonoff devices.

Ugh…

Thanks for your help!

You can block the update on the router, e.g. by serving it an invalid IP for the domain it uses, or blocking in the firewall by IP or L7.

Could you please explain?

The Ecobee needs continuous internet access to Ecobee’s cloud so I can monitor it. How do I block only the updates?

You have to sniff the traffic (likely HTTP) and see if there is anything that distinguishes updates. Hopefully it is just a URL.

You can do it on RouterOS or via software like Pi-hole (for an example see https://discourse.pi-hole.net/t/block-specific-websites/55573). IIRC Pi-hole can be run in a container on RouterOS.

Understood.

Problem is, it would take many months of sniffing.

But it’s a great approach and exercise.

Thanks.