Useful scripts

Hi all, I am a newbie on MikroTik and actually use Winbox to administer the Secrets… Does anyone have a script to export a TXT file with the complete data from the secrets? … Thanks a lot.

Would this not work?

/ppp secret export file=secrets

Hi! I am looking for a way to get the router to act when a certain LAN client (IP address) sends a packet to a certain WAN address. The action would be a webhook. What would be the most effective way to set up something like this? Can anyone point me in the right direction, please?

Would I have to use packet sniffer and fetch?

Thank you!

Bump!

I guess one way to do this is to set up a firewall rule, which would then trigger a script similar to this: https://wiki.mikrotik.com/wiki/Wake_on_Lan_before_connection_to_Remote_Desktop

However, the script would have to run every 10 seconds… Is there another way to have the firewall rule trigger a script?

I don’t think so. There are a few places where scripts can be triggered in response to events:

  • in /ppp profile (on-up, on-down), useful for all ppp-based interfaces (pptp, l2tp, sstp, pppoe, ovpn…)
  • in /ip dhcp-server (lease-script) when a dhcp-lease changes
  • in /ip dhcp-client (script)
  • ditto for /ipv6 dhcp-* except that the server attribute is called binding-script
  • in /tool netwatch (down-script, up-script) to fire when a host is visible
  • (…) Not sure if there are more hooks

I was missing another one for /interface wireless registration-table, to fire when either our station interface connects, or else when our AP interface gets a station connected. This would be similar to the dhcp stuff at the 802.11 L2 level.
I have also missed generic on-down/on-up for hardware interfaces, similar to ppp actions but at the /interface level.
I’d also like a scripted action for logs, something like /system logging add topics=health action=script where the script action would call a script with the log line…

But of course I understand the developers need to concentrate efforts, though, and keep the distribution size under control.

Did you ever get anywhere with this? I’m trying to figure out the same thing. When my video doorbell is pressed it sends an alert via a “cloud” service. I’m trying to trigger something local too and this would be ideal.

Steve

Sharing a couple of my scripts here.

  1. Script automatically updates router to the latest firmware.
    When script finds new update it sends email notification that upgrade process has started, system backup and config file are in attachment. After firmware and routerboard got updated, it sends second email which tells that upgrade process has been finished.
    You can choose update channel and even allow to update only patch versions.
    Link to instruction: https://github.com/beeyev/Mikrotik-Firmware-Auto-Updater

  2. Simple script that updates your public IP in DuckDNS dynamic ip service. (Free dyndns alternative)
    Link to instruction: https://github.com/beeyev/Mikrotik-Duckdns-Dynamic-IP-Updater

From all the problems I see that MT has after updating routers, I would not recommend doing an automatic upgrade without any possibility to control when it should run. At least on remote devices. I lost my L2TP IPSec tunnel after an upgrade due to a change in config. So take care with this.
Another thing is that a backup of the router may not work across an upgrade, so you may need to downgrade to restore a backup.

You could set up a web page from which each router fetches some data in a script. If it finds upgrade_hap_lite=ok on the page, then it can upgrade automatically, since you can then hold the upgrade until you have tested the release in a controlled environment.

I see that you can set it to only upgrade minor versions; that may help some with backup restore, but not when MT adds errors or big changes in a minor version, as has happened many times lately (a change in wifi that made it stop, depending on what you have set up).

Also you can remove the ; at the end of all lines. It is only needed if you have more than one command on the same line.
You even have some lines with ; and some without, like:

:if ($osVerNewNum > $osVerCurrentNum) do={
    :set isUpdateAvailable true;
    :log info ("New firmware version found: $osVerNew");
} else={
    :log info ("New firmware version not found.")
}

When you send messages to the log system, I like it better when they are in a machine-readable format. Since I work a lot with Splunk, it reads messages without any modification if you change from:
text some more text data
to:
text_some_more_text=data
If data has spaces, use quotes:
router_identity="router 128"

Example (join words, use =, remove commas; if there are spaces in data use double quotes, for example if board_name has a space):

"Upgrading firmware on router $[/system identity get name], board name: $[/system resource get board-name],



"script=firmware_upgrade router=$[/system identity get name] board_name=\"$[/system resource get board-name]\" ........
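The gating idea and the key=value log style from the post above, as an added example (not the poster's code and not code from the linked updater project). The URL, the `firmware_gate` label and the file layout are placeholders; it assumes a RouterOS version whose fetch supports `output=user` with `as-value`, and that the CA for the flag server has been imported under /certificate.

```routeros
# Added example: upgrade only when an operator-controlled page approves it.
# flagUrl is a placeholder; token is the string suggested in the post.
:local flagUrl "https://updates.example.net/mikrotik/flags.txt"
:local token "upgrade_hap_lite=ok"
:local page ""

:do {
    # check-certificate=yes makes fetch verify the server certificate, so
    # the approval flag cannot be forged or stripped on the path.
    :local result [/tool fetch url=$flagUrl check-certificate=yes output=user as-value]
    :set page ($result->"data")
} on-error={
    # Fail closed: with an empty page the token is never found.
    :log warning "script=firmware_gate status=fetch_failed url=\"$flagUrl\""
}

:if ([:typeof [:find $page $token]] = "num") do={
    /system package update check-for-updates
    :local installed [/system package update get installed-version]
    :local latest [/system package update get latest-version]
    :if (([:len $latest] > 0) && ($latest != $installed)) do={
        :log info "script=firmware_gate status=approved installed=$installed latest=$latest action=install"
        /system package update install
    } else={
        :log info "script=firmware_gate status=approved installed=$installed action=none"
    }
} else={
    :log info "script=firmware_gate status=not_approved"
}
```

Run it from /system scheduler at whatever interval suits the fleet; removing the token from the page stops further upgrades without touching any router.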

In that case, take the CLI script editor (inside RouterOS) and edit the script in there. Most of the syntax changes can be caught using that. F5 to refresh highlighting.

I have a problem with my script…
- First of all I am changing the MikroTik user name and password and deleting the standard username:
user add name=******* password=******* group=full
user remove admin
/system scheduler add name="30 gunde reboot" start-date="jul/12/1970" start-time="04:00:00" interval="1d 00:00:00" policy="read,write" on-event=":if ([/system resource get uptime] > 30d00h00m00s) do={:if ([/system clock get time] < 06:30:00) do={:if ([/system clock get time] > 04:30:00) do={/system reboot}}}"
At the last step I am adding the scheduler, but when I check this scheduler, I see owner admin. That is why the scheduler isn’t working.
So how can I fix this situation?

I have a text file with these user and system settings. I’m copying the script and opening a new terminal to paste it there.

You may have deleted the user admin, but you are still running as the user admin, so that’s what ownership becomes! Two ways to address this:

Create the script BEFORE deleting the user admin. I have found that such action tends to move all scripts owned by admin to the new full user. But I don’t think this is documented or guaranteed in any way, and I would consider it a kludge.

Or specify “owner=********” when you create the script, most straightforward.

Hi all,

Let me also share my scripts collection with you - maybe you will find few of them helpful or useful as they are to me;)

https://github.com/gbudny93/RouterOS_Useful_Scripts

Greg

Hi guys,
A quick one: I want to upload a certain rule to a number of MikroTik hAP lites in my network. However, I don’t want to keep logging into each hAP lite router and pasting the rule in the terminal, because there are too many routers (over 2000) and it’ll take me forever to log in to all of them. Is there a script I can run that will post the rule I want to these routers without me having to log in to every one of them? Like a mass rollout of the particular rule to these 2000+ hAP lites. Any suggestion will be highly appreciated.

Hello SudiFreeman.
If you had all your routers registered in The Dude server, you could write a simple script inside Dude to write the new rules you need to all the routers. I haven’t tested this, but I think it could work.
Please let us know if you tried it and the outcome.
Regards

Thanks a lot Janisk,
Your post is very helpful. It is too much helpful.

I am looking for Someone expert to create script for mikrotik Hotspot.

payment for the service.

Is there a way to write a script to monitor bandwidth for a simple queue? Basically, I have a connection that keeps maxing out the upload and I want the router to notify me when that specific queue is maxing out for an extensive amount of time.

Please only post script or comment for script here.
If you like a script, post a request here:
https://forum.mikrotik.com/viewforum.php?f=9

Hi Greg,
seems like you are pretty efficient with scripting, maybe you could help ?
I want to get all devices with mac address a1:17:23 that are in the subnet emailed or displayed in log.
I understand these are existing in ARP then in dhcp-server leases one could find their names…Can you help?

cheers,
adam


Hi All,
This is a little script set I wrote to check the IP of visitors to your service against DNS RBLs. Handy to block known botnets and/or bad IPs. This filter is a little complex but, simply put, it will record the IPs of any system connecting to the firewall on port 22 (or any other service port you want to put a JUMP rule in for) and check them against a DNS-based blacklist of known attackers. So you don’t have to put up with the hassle of them on your systems.

First are the firewall filters:

/ip firewall filter add action=jump chain=forward comment="Check intruders in \"Dynamic_blacklist\" chain (SSH)" dst-port=22 in-interface-list=WAN jump-target=dynamic_blacklist protocol=tcp
/ip firewall filter add action=add-src-to-address-list address-list=DNSBL_unchecked address-list-timeout=30m chain=dynamic_blacklist comment="DNS Blacklist add ip to list to check." connection-state=!established,related in-interface-list=WAN src-address-list=!DNSBL_unchecked
/ip firewall filter add action=return chain=dynamic_blacklist comment="Return to the chain that jumped into dynamic_blacklist chain"
# The drop rule must match the list that the script below fills (DNSBL_listed)
/ip firewall raw add action=drop chain=prerouting comment="Drop blacklist" in-interface-list=WAN log-prefix="DYNAMIC BLACKLIST IP (Raw)" src-address-list=DNSBL_listed

Next is the script to check the DNS blacklist; schedule this to run every 5, 10 or 15 mins. I chose bl.blocklist.de but you can use your favourite. The script only checks for a positive response; it does not localise the return to a particular listing type, though you could improve the script to check for this.

DNS Blacklist Script

# DNS Blacklist service call
:local blserver "bl.blocklist.de"
:local ToListIPList [:toarray ""]
:local octets
:local revip
:local bllookup
:local blresult
:local i
:global returnOctet;

# for each IP in the unchecked list load it into an array
:set i (0);
:foreach fwlist in=[/ip firewall address-list find where list=DNSBL_unchecked] do={
    :foreach ip in=[/ip firewall address-list get $fwlist value-name=address] do={
        :set ($ToListIPList->"$i") $ip;
        :put "$ip is loaded into array at index $i"
        # remove ip from address list to check either way
        /ip firewall address-list { remove [find address=$ip list=DNSBL_unchecked]};
        :set i ($i + 1);
    };
};

# delete entire list=DNSBL_unchecked
#/ip firewall address-list remove [/ip firewall address-list find list="DNSBL_unchecked"];

# take the IPs and process them
:foreach ip in=$ToListIPList do={
    :put $ip;
    # separate IP into $octets array
    :set octets [$returnOctet $ip 5];
    # reverse the IP address for the DNSBL lookup
    :set revip ([:tostr [:pick $octets 3]] . "." . [:tostr [:pick $octets 2]] . "." . [:tostr [:pick $octets 1]] . "." . [:tostr [:pick $octets 0]]);
    # construct the blacklist lookup
    :set bllookup ($revip . "." . $blserver);
    :put $bllookup;
    # perform the lookup and correct an empty response
    :do {
        :set blresult [:resolve $bllookup];
    } on-error={
        # no blacklist record found, correct the error
        :set $blresult "fail";
    }
    # check the result
    :if ( $blresult != "fail" ) do={
        # if the address is listed add it to the blacklist
        :put "listing ip";
        /ip firewall address-list add address=$ip list=DNSBL_listed timeout=168h;
    };
};

The second script is a global function stolen fair and square from Rextended on http://forum.mikrotik.com/t/return-ip-octet-function/77321/1 though I did do a little error correcting on it. Just put this in your scripts so it is accessible by the DNS blacklist script.

:global returnOctet do={
    :if ([:typeof [:toip $1]] != "ip") do={ :error message="You did not specify any VALID IP Address."; };
    :if ( (($2 + 0) < 1) || (($2 + 0) > 5) ) do={ :error message="You did not specify any VALID argument to return."; };
    :local workString value=[:tostr [:toip $1]];
    :local endString value="";
    :local thisChar value="";
    :for i from=0 to=[:len $workString] step=1 do={
        :set $thisChar value=[:pick $workString $i ($i+1)];
        :if ($thisChar = ".") do={ :set $thisChar value=",";};
        :set $endString value=($endString.$thisChar);
    };
    :local resultArray value=[:toarray $endString];
    :if (($2 + 0) = 5) do={ :return value=$resultArray; } else={ :return value=($resultArray->($2 - 1)); };
}
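An added example, not part of the original post: the script above treats any successful resolve as a listing, so a resolver that answers NXDOMAIN with some other address would blacklist every visitor. The hypothetical `dnsblListed` function below lists only when the answer falls in 127.0.0.0/8, the range DNSBLs use for positive answers (RFC 5782), and it reverses the octets itself, so it does not need `returnOctet`.

```routeros
# Added example. dnsblListed is a hypothetical name, not from the post.
# $1 = IPv4 address to check, $2 = DNSBL zone, e.g. "bl.blocklist.de"
:global dnsblListed do={
    :local ip [:toip $1]
    :if ([:typeof $ip] != "ip") do={ :error message="dnsblListed: not an IPv4 address" }

    # Build the reversed-octet label, e.g. 192.0.2.10 -> 10.2.0.192
    :local rest [:tostr $ip]
    :local rev ""
    :local dot [:find $rest "."]
    :while ([:typeof $dot] = "num") do={
        :set rev ("." . [:pick $rest 0 $dot] . $rev)
        :set rest [:pick $rest ($dot + 1) [:len $rest]]
        :set dot [:find $rest "."]
    }
    :set rev ($rest . $rev)

    # NXDOMAIN (not listed) and resolver failures both raise an error in
    # :resolve; either way the address is treated as not listed.
    :local listed false
    :do {
        :local answer [:resolve ($rev . "." . $2)]
        # Only an answer inside 127.0.0.0/8 counts as a listing.
        :set listed ($answer in 127.0.0.0/8)
    } on-error={ :set listed false }
    :return $listed
}

# Usage inside the blacklist loop, replacing the "fail" string comparison.
# 192.0.2.10 is a constructed documentation address standing in for $ip.
:global dnsblListed
:local ip 192.0.2.10
:if ([$dnsblListed $ip "bl.blocklist.de"]) do={
    /ip firewall address-list add address=$ip list=DNSBL_listed timeout=168h
}
```

By the same convention 127.0.0.2 is the test entry a DNSBL zone is expected to list, which gives a quick way to confirm the router's resolver path works before trusting the results.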