My set of Feature Requests

Hey everyone

Let me start by saying that I’m very happy with the MikroTik router. I believe they are doing a great job, providing us something stable and powerful for just a fraction of what the equivalent Cisco would cost. After working with it for quite a while, I came up with a list of things that I would really like to see.

Also, this list is sorted based on priority (well, from my perspective).

1- A lot of people have said it already, and I say it again. Do not abandon OpenVPN just to promote SSTP. TCP meltdown is a serious issue that can only be avoided by NOT using TCP tunneling. An OpenVPN UDP tunnel is an accepted solution that is supported by a lot of devices. We need it in RouterOS as well.

2- Ability to add dynamic rules (if the router is able to do it, so should we; that includes, but is not limited to: filter rules, address lists, NAT, mangle, routes, …)

3- Ability to create rules based on hotspot usernames

4- Ability to mark a connection based on a web proxy access-list match (so it could be used for queuing, firewall rules, …). That would be an awesome feature, and frankly, it shouldn’t be that hard to implement. Just to be clear, the connections between the clients and the web proxy should be marked, not the connections between the web proxy and the outside world, because I don’t see much use for the latter.

5- Ability to add users to the active hotspot menu via API or script (i.e. log in users via the API)

6- Ability to exclude some IP ranges and/or ports from hotspot user statistics while the user is authenticated

7- Ability to add other IPs instead of only the gateway to check for accessibility in the routing table (to clarify, there are lots of times when a gateway is reachable even when the connection is down. For example, an ADSL modem acting as a gateway always has its internal IP available. But if check_gateway could ping e.g. 8.8.8.8 through that internal IP, we would know for sure whether the connection is down or not, without the need for any script)

8- Ability to see the Rx/Tx rate in ‘/ip proxy connections’, as well as info about the requested HTTP/FTP resource (for example: ‘HTTP GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl’, and so on for POST as well as other methods and FTP)

9- Add authentication support for the internal SOCKS as well as web proxy services

10- Add FTPS support to /ip services, and also add the ability to create FTP users and set permissions on folders based on users.

11- Allow specifying UDP and TCP simultaneously for a rule (there are lots of times that a port needs to be opened/forwarded/… for both UDP and TCP. We could avoid a lot of unnecessary extra rules by being able to specify both UDP and TCP in the same rule)

12- Include more details in queue statistics for PCQ queues (for example: being able to see every classifier and see the details for each of them)

13- (Winbox) ability to lock any tabs in which moving rules is possible (for example filter rules, NAT, …) to avoid accidental moves (weirdly enough, it happens a lot, and sometimes even without you noticing it)

14- (Winbox) right click → Add should add the rule right there, not at the bottom

Please let me know your thoughts

1- > A lot of people have said it already, and I say it again. Do not abandon OpenVPN just to promote SSTP. TCP meltdown is a serious issue that can only be avoided by NOT using TCP tunneling. An OpenVPN UDP tunnel is an accepted solution that is supported by a lot of devices. We need it in RouterOS as well.

AGREE!!! Fix the unstable OVPN and add UDP!!!


2- > Ability to add dynamic rules (if the router is able to do it, so should we; that includes, but is not limited to: filter rules, address lists, NAT, mangle, routes, …)

Dynamic based on what??? Do you mean like a time-based rule or something?


3- > Ability to create rules based on hotspot usernames

Not practical. Most hotspot usernames come from RADIUS… so the router has no way of knowing the usernames.


11- > Allow specifying UDP and TCP simultaneously for a rule (there are lots of times that a port needs to be opened/forwarded/… for both UDP and TCP. We could avoid a lot of unnecessary extra rules by being able to specify both UDP and TCP in the same rule)

There really aren’t very many services I can think of that use UDP+TCP on the same port.

13- > (Winbox) ability to lock any tabs in which moving rules is possible (for example filter rules, NAT, …) to avoid accidental moves (weirdly enough, it happens a lot, and sometimes even without you noticing it)

A feature to prevent carelessness?

14- > (Winbox) right click → Add should add the rule right there, not at the bottom

Could be useful.

2- > Ability to add dynamic rules (if the router is able to do it, so should we; that includes, but is not limited to: filter rules, address lists, NAT, mangle, routes, …)

+1. It would be very nice if we could customize the parameters of dynamic simple queues in the user profile section when using PPPoE and Hotspot servers. I have always wanted that.

3- > Ability to create rules based on hotspot usernames

I guess ROS can do it, because ROS knows which user was assigned which IP. But I think you can do it using an on-login script, in the User Profiles section.

10- > Add FTPS support to /ip services, and also add the ability to create FTP users and set permissions on folders based on users.

I think ROS is a router, so only a simple FTP server is needed; it is enough. You know, when writing files to ROS storage, ROS CPU usage is very high in the “flash” process.

12- > Include more details in queue statistics for PCQ queues (for example: being able to see every classifier and see the details for each of them)

+1. It will be very useful.

13- > (Winbox) ability to lock any tabs in which moving rules is possible (for example filter rules, NAT, …) to avoid accidental moves (weirdly enough, it happens a lot, and sometimes even without you noticing it)

+1. Yes, it always happens. So I avoid using Winbox.

14- > (Winbox) right click → Add should add the rule right there, not at the bottom

I think it is not necessary. You can copy the old rule and create it where you want to place the new rule. Or you can add it using the CLI command “place-before=”.

3- Ability to create rules based on hotspot usernames

Use “on login” and “on logout” to add and remove certain rules.

2- Ability to add dynamic rules (if the router is able to do it, so should we; that includes, but is not limited to: filter rules, address lists, NAT, mangle, routes, …)

Same as above. With the scheduler, netwatch and other facilities, you can have this.

6- Ability to exclude some IP ranges and/or ports from hotspot user statistics while the user is authenticated

What statistics? Use RADIUS and calculate statistics however you wish.

Alright, I believe some of those requests need more explanation. I apologize for any confusion it might have caused. I’ll try to explain more:

What I mean is to be able to create dynamic rules instead of static ones, so we could avoid unnecessary writes to the NAND disk, because from what I understand, dynamic rules are created in memory, unlike static rules that are written to disk. I have some scripts that check the users’ usage and add them to different address lists, so different shaping could apply to them. I would really like to be able to create dynamic entries in an address list, so I don’t have to worry about adding and deleting hundreds of entries every day from the NAND disk. And I’m pretty sure adding that ability to other places would also come in handy. I might need to create a new script to add different routing tables, and I would really love it if I could create them as dynamic for the same reason.
And as otgooneo pointed out, the ability to edit dynamic rules would be useful as well.
Also, on a side note, I would like to thank ‘mojiro’ for finding a clever workaround to achieve adding dynamic address lists: http://forum.mikrotik.com/t/how-to-manually-create-dynamic-rules-address-list-entries/50480/1

It IS practical imo. Hotspot marks all the packets that are going to and coming from the interface; that’s why ‘auth, from-client, to-client’ already exist as hotspot parameters in rules. They just need to add the usernames to the marked packets as well. But as normis, otgooneo here and Sergejs in email support pointed out, it can already be done by using “on login” and “on logout” scripts. If we could also add dynamic rules (for the reason that I mentioned above), this would be no issue any more.

When you are working with a lot of windows at the same time, it easily happens. And it’s not like adding that ability could harm anyone. If you don’t like it, you could simply not use it.

Also, Sergejs didn’t like this request so much; he rejected it on sight! The main point of ROS is routing, of course. But one could argue why they’ve added the SMB function then. Not that I’m complaining, just saying it would be cool to have FTPS as well. About ROS CPU usage going up on writes to disk, I really don’t have enough experience on that matter to comment. But if that’s the case, even SMB would become pretty useless.

There is a reason that it’s the last requested feature :wink: but it would still be handy.

It appears that you’ve misunderstood me there. Hotspot counts every single packet that is transferred between the user and the interface the hotspot server is running on. When you specify limit-bytes-in and/or limit-bytes-out and/or limit-bytes-total, or even when you are getting those traffic statistics via RADIUS, there are lots of times that you want to exclude some IPs (like internal ones, for example) from being counted for users. It’s not only MY request; it appears that quite a lot of people are looking for the same feature. These are just a few of them:

http://forum.mikrotik.com/t/how-to-bypass-hotspot-usage-counters-for-specific-subnets/49945/1
http://forum.mikrotik.com/t/hotspot-fetures-or-limitations/45613/1
http://forum.mikrotik.com/t/exclude-traffic-accounting-for-a-specific-ip/35291/1
http://forum.mikrotik.com/t/exclude-ip-address-from-accounting/48302/1
http://forum.mikrotik.com/t/hotspot-exclude-sites-from-radius-accounting/51029/1

There are more. Just search the forum for yourself.

I also have one more feature request:

Add the option to invert ( ! ) limit and dst-limit. From what I understand, this is supported in Linux iptables: http://www.zoominternet.net/~lazydog/iptables-tutorial.html#LIMITMATCH
Quite frankly, most of the time you need to use those (especially dst-limit) to lessen DoS effects, so you need to do some filtering when the packets BREAK the limit. I had to actually create 3 different firewall filter rules to reproduce the invert flag effect (one rule to jump to a custom chain, which itself includes 2 rules: the first one with dst-limit specified and the action set to return, and the second one to drop the packets that passed the first one).
When it comes to DoS, every unnecessary rule counts. These 3 rules could have simply been replaced by only one, if the invert flag were supported in dst-limit.
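The three-rule workaround described above, written out as an added RouterOS firewall example (constructed for this thread, not the poster's own configuration): one jump into a per-service chain, a dst-limit rule that returns the packets still inside the limit, and a drop for everything that breaks it. The service port (tcp/8291, Winbox), the rate and the chain name are assumptions.

```routeros
# Constructed example: emulate an inverted dst-limit ("!dst-limit") with a
# jump chain, since RouterOS offers no "!" flag for limit/dst-limit.
# Policy (assumed): each source address may open at most 10 new connections
# per minute (burst 20) to tcp/8291; anything beyond that is dropped.
/ip firewall filter
# 1) hand new connections for the service to a dedicated chain
add chain=input protocol=tcp dst-port=8291 connection-state=new \
    action=jump jump-target=limit-winbox comment="rate-limit new Winbox sessions"
# 2) packets that are still within the per-source limit return to the input
#    chain and continue with the rules that follow the jump
add chain=limit-winbox dst-limit=10/1m,20,src-address/1m action=return \
    comment="within limit: back to the input chain"
# 3) only packets that have BROKEN the limit reach this rule
add chain=limit-winbox action=drop log=yes log-prefix="winbox-limit" \
    comment="over limit: drop"
```

Check the counters with `/ip firewall filter print stats where chain=limit-winbox`: the return rule should account for normal traffic and the drop rule only for the excess.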

What I mean is to be able to create dynamic rules instead of static ones, so we could avoid unnecessary writes to the NAND disk

That’s not how it works: all RouterOS configuration is stored in memory, and is written to NAND after some 5 minutes. This is why you will lose config if you power cycle the device shortly after configuration. NAND writes are not a concern when talking about adding rules. The only NAND writes come from proxy, Dude, User Manager, graphs, logs.

Are you sure about this? Because as soon as I add/delete or change any settings, I can see that “sector writes since reboot” and “total sector writes” go up immediately (v5.14). Do you mean that those do not reflect the actual time of the write?
And even if that’s the case, as I said, I’m adding and removing hundreds of entries every day. Almost all of them will be kept for more than 5 minutes, so the NAND write will happen.

Yes, I am 100% sure. Why do you need to add/remove so many rules per day? Maybe there is some other way to accomplish your goal?

They are not rules but address list entries. I have a script that checks the users’ usage in hotspot and if it’s more than, for example, 100MB, it adds their IP address to the address list so their bandwidth can be shared and limited with PCQ. The script will remove those entries at the end of each day, so the next day the users can start fresh.
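The script the reply describes, as an added, constructed RouterOS example (not the poster's actual script): active hotspot sessions above a byte threshold are tagged into an address list, the list feeds a PCQ queue pair, and a scheduler clears it every night. The 100 MB threshold, the list and queue names, the rates and the 5-minute interval are assumptions; the queue tree part assumes RouterOS v6 parent names.

```routeros
# --- script source: save as /system script name=tag-heavy-users (constructed) ---
# Tag every active hotspot session whose in+out bytes exceed the threshold.
# Note: /ip hotspot active counters are per session, so a user who logs out
# and back in starts from zero; RADIUS accounting is the authoritative total.
:local threshold 104857600
:foreach s in=[/ip hotspot active find] do={
    :local addr [/ip hotspot active get $s address]
    :local user [/ip hotspot active get $s user]
    :local used ([/ip hotspot active get $s bytes-in] + [/ip hotspot active get $s bytes-out])
    :if ($used > $threshold) do={
        # add each address once; the comment records which user it was for
        :if ([:len [/ip firewall address-list find list=heavy-users address=$addr]] = 0) do={
            /ip firewall address-list add list=heavy-users address=$addr comment=("hotspot:" . $user)
            :log info ("heavy-users: " . $user . " at " . $addr . " used " . $used . " bytes")
        }
    }
}

# --- supporting configuration, entered at the CLI (constructed) ---
/system scheduler
# re-check sessions every 5 minutes
add name=tag-heavy-users interval=5m on-event="/system script run tag-heavy-users"
# clear the list at midnight so everyone starts fresh the next day
add name=reset-heavy-users start-time=00:00:00 interval=1d \
    on-event="/ip firewall address-list remove [find list=heavy-users]"
# shared PCQ queues: each tagged user gets an equal slice of the pool
/queue type
add name=pcq-heavy-down kind=pcq pcq-rate=256k pcq-classifier=dst-address
add name=pcq-heavy-up kind=pcq pcq-rate=128k pcq-classifier=src-address
/ip firewall mangle
add chain=forward dst-address-list=heavy-users action=mark-packet new-packet-mark=heavy-down passthrough=no
add chain=forward src-address-list=heavy-users action=mark-packet new-packet-mark=heavy-up passthrough=no
/queue tree
add name=heavy-down parent=global packet-mark=heavy-down queue=pcq-heavy-down max-limit=4M
add name=heavy-up parent=global packet-mark=heavy-up queue=pcq-heavy-up max-limit=2M
```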

That doesn’t make sense! 5 minutes??? I have many times made a configuration change and immediately (within seconds) power cycled. In fact, I tried it just now to make sure.

#1
Make a rule

#2
Immediately Unplug Power

#3
Plug in power

#4
Rule is exactly there as I just made it

The process that stores the rules to disk runs periodically, independently of when you add the rules. So it can take anywhere from 0 seconds to 5 minutes.

Then how do you explain “sector writes since reboot” and “total sector writes” going up right after you make a change (every time)? Sorry for doubting you. It just seems that something doesn’t add up. Could it be that it used to be 5 minutes but you’ve changed it at some point?
Or maybe, although those counters go up immediately, the actual write may not happen at the same time.
Not that it really matters, though. But it would be nice to know more about this awesome OS :slight_smile:

I use hotspot “on login” and “on logout” scripts. When a user logs in, I create mangle rules for them, and when they log out I remove them, so there is no wasted packet checking in the process. It would be very nice if I could have this stored only in memory…
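The on-login / on-logout approach from this reply and from the earlier discussion of rules per hotspot username, as an added constructed RouterOS example (not the poster's own scripts): the login hook adds an address-list entry tagged with user and address, the logout hook removes exactly that entry, and ordinary firewall rules key on the list. The profile name, the list name and the mangle rule are assumptions.

```routeros
# Constructed example: per-session firewall entries driven by hotspot hooks.
# The hotspot sets $user and $address before running on-login/on-logout.
# At the CLI the script text is a quoted string, so "$" and inner quotes are
# escaped as \$ and \" (the router stores the unescaped script).
/ip hotspot user profile
set [find name=default] \
    on-login="/ip firewall address-list add list=hs-logged-in address=\$address comment=(\"hs:\" . \$user . \"@\" . \$address)" \
    on-logout="/ip firewall address-list remove [find list=hs-logged-in comment=(\"hs:\" . \$user . \"@\" . \$address)]"
# tagging both user and address keeps two sessions of the same user apart,
# so one logout does not remove the other session's entry
# Rules keyed on the list stand in for "rules based on hotspot username":
/ip firewall mangle
add chain=forward src-address-list=hs-logged-in action=mark-connection \
    new-connection-mark=hotspot-user passthrough=yes comment="per-session marking"
```

Entries created this way are still ordinary static entries on the router; the thread's wish for memory-only (dynamic) entries is not addressed by this.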

http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting

jandafields, you’re a lucky guy! The probability of catching the last second before the save is 0.33 percent xD

Thank you very much for pointing that out. It’s exactly my requested feature! I wonder why no one else mentioned it. I’m not exactly sure at this point how this works, though, but that might have something to do with the fact that I know a little about routing. I should study more on this subject. Thanks again :slight_smile: