5nik
Member Candidate
Topic Author
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Feature requests: improve dot1x and others

Mon Apr 13, 2020 10:19 pm

My features wish list:
Switch
  • bridge: learn-limit per bridge port, counter reset condition (on router reboot, on port down/up, manual etc.)
  • dot1x: guest vlan for clients not supporting dot1x - found workaround, implemented in 7.2
  • dot1x: authentication per host (allow multiple (un)authenticated hosts on one port)
  • general: mc-lag or stacking for HW redundancy (mc-lag implemented in 7.1)
  • bridge: more support for interface-list in configuration - already implemented, don't know in which version
Router
  • ppp: push routes for VPNs (through DHCP-Info response) for split tunneling, same as split-include in IKEv2
  • dns: filtering requests based on source IP
  • dns: action to redirect requests to external DNS (regex or domain filtering) - implemented in 6.47
  • general: more support for interface-list in configuration (for ex. routing rules)
  • proxy: ssl proxy - redirect incoming requests to http(s) servers based on SNI (=SSL offload, only for powerful RBs) - can be implemented in container
  • proxy: mDNS reflector for running mDNS across VLANs - can be implemented in container, but native support would be better
  • IPsec: possibility to choose IPsec Proposal / Profile in IPIP, EoIP, L2TP etc. configuration
  • ikev2: optionally add dynamic routes for ikev2 connected clients (like with PPP links) so proxy-arp works
WiFi
  • (Why did MikroTik miss the opportunity in WiFi4EU?) - no longer current
  • ap: add roaming standards 802.11r/k/v - also between APs - already implemented
  • ap: add band steering or something like this (push multiband (2G/5G) clients to a specific band on defined conditions) - already implemented
  • CAPsMAN: compatibility of wifiwave2 APs with old (non-wifiwave2) APs
  • ap/radius: add guest/quarantine vlan options - similar behavior to dot1x
Last edited by 5nik on Thu Sep 14, 2023 11:27 am, edited 8 times in total.
 
ulysses
Frequent Visitor
Posts: 95
Joined: Fri Sep 25, 2015 1:26 pm

Re: Feature requests: improve dot1x and others

Fri Jun 12, 2020 2:36 pm

A bold plus one here
 
kiler129
Member
Posts: 352
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: Feature requests: improve dot1x and others

Fri Jun 19, 2020 12:52 am

  • dns: filtering request based on source IP
Do you have a specific purpose here which cannot be achieved with the firewall now? Remember that the UDP IP cannot be trusted anyway.

  • dns: action redirect requests to external DNS (regex or domain filtering)
Days of UDP DNS are counted like HTTP ones were ~2 years ago. Now Firefox ships with DoH by default, Chrome which is a market leader will probably follow suit soon. IMHO it's a waste of time to implement any advanced DNS filtering/inspection/modification in ROS since it will be obsolete soon with DoH gaining popularity.

  • proxy: ssl proxy - redirect incoming requests to http(s) servers based on sni (=SSL offload, only for powerful RBs)
I don't think this is a good fit for a router - such tasks are usually handled by specialized load balancers dealing with the mess of TLS & HTTP protocols as they are (since standards are one thing and how browsers & servers handle that is a whole other thing). Additionally, this will get very quickly obsolete with ESNI which is in draft and prepared to work with TLS1.3. IIRC this will be an IETF standard in mid 2021 backed by CloudFlare & Google.

  • ap: add roaming standards 802.11r/k/v
  • ap: add band steering or something like this (push multibands (2G/5G) client to specific band on defined conditions)
Actually if the 1st thing is implemented the 2nd is not needed. The whole point of 802.11 is that the client decides what to do and not the AP. Trying to mess with this (e.g. zero handoff) is a hack around the protocol which causes plenty of problems. If MT implements actual protocols to inform the clients about conditions from the AP's perspective modern clients can roam without any problem.

The second thing is kind-of implementable today with access list & powers but kicking clients manually based on signal is a poor way of dealing with lack of 802.11r/k/v.
 
5nik
Member Candidate
Topic Author
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests: improve dot1x and others

Fri Jun 19, 2020 10:31 am

  • dns: filtering request based on source IP
Do you have a specific purpose here which cannot be achieved with the firewall now? Remember that the UDP IP cannot be trusted anyway.
Yes, I have. For example, if I want to have a local DNS server for multiple LANs with different purposes, where some LANs need records that other LANs shouldn't see or know about. Or in the case of split DNS. Yes, I know about DoT / DoH, but these technologies are available only in browsers. There are many devices and applications that support only old DNS (over UDP).
  • dns: action redirect requests to external DNS (regex or domain filtering)
Days of UDP DNS are counted like HTTP ones were ~2 years ago. Now Firefox ships with DoH by default, Chrome which is a market leader will probably follow suit soon. IMHO it's a waste of time to implement any advanced DNS filtering/inspection/modification in ROS since it will be obsolete soon with DoH gaining popularity.
Actually this has been implemented in 6.47.
  • proxy: ssl proxy - redirect incoming requests to http(s) servers based on sni (=SSL offload, only for powerful RBs)
I don't think this is a good fit for a router - such tasks are usually handled by specialized load balancers dealing with the mess of TLS & HTTP protocols as they are (since standards are one thing and how browsers & servers handle that is a way other thing). Additionally, this will get very quickly obsolete with ESNI which is in draft and prepared to work with TLS1.3. IIRC this will be an IETF standard in mid 2021 backed by CloudFlare & Google.
On this point I agree with you. It is not a primary function of a router (but neither is SMB). It should help provide multiple https services (from different servers) through one public IPv4 address to the internet.
  • ap: add roaming standards 802.11r/k/v
  • ap: add band steering or something like this (push multibands (2G/5G) client to specific band on defined conditions)
Actually if the 1st thing is implemented the 2nd is not needed. The whole point of 802.11 is that the client decides what to do and not the AP. Trying to mess with this (e.g. zero handoff) is a hack around the protocol which causes plenty of problems. If MT implements actual protocols to inform the clients about conditions from the AP's perspective modern clients can roam without any problem.

The second thing is kind-of implementable today with access list & powers but kicking clients manually based on signal is a poor way of dealing with lack of 802.11r/k/v.
The problem is with clients that don't want to roam or have some other bad behavior. I disagree with you that only the client should decide what to do. I think the AP should have a mechanism to push clients to other bands or other APs in a network with multiple APs.
Yes, today on MT I can define a minimal signal strength for connected clients, below which the AP kicks clients. But this solution is very problematic in areas with worse coverage.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Feature requests: improve dot1x and others

Fri Jun 19, 2020 2:40 pm

My features wish list:
  • dns: action redirect requests to external DNS (regex or domain filtering)
This is already in RouterOS as of 6.47 (FWD records in IP->DNS->Static).
 
5nik
Member Candidate
Topic Author
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests: improve dot1x and others

Fri Jun 19, 2020 2:52 pm

My features wish list:
  • dns: action redirect requests to external DNS (regex or domain filtering)
This is already in RouterOS as of 6.47 (FWD records in IP->DNS->Static).
I know it. OK, I edited first post. Wish I could edit next items in list when next RoS version comes. :)
 
ursal
just joined
Posts: 1
Joined: Thu Jul 30, 2020 3:59 pm

Re: Feature requests: improve dot1x and others

Thu Jul 30, 2020 4:38 pm

One more vote for
dot1x: authentication per host (allow multiple (un)authenticated hosts on one port)
 
alex32c
just joined
Posts: 19
Joined: Tue Apr 07, 2020 1:53 am

Re: Feature requests: improve dot1x and others

Fri Aug 14, 2020 9:08 am

++1
 
LostSoul
just joined
Posts: 1
Joined: Tue May 15, 2018 8:41 am

Re: Feature requests: improve dot1x and others

Fri Aug 14, 2020 12:23 pm

Please add a vtep "local port" option in the vxlan vtep options.

Without this option, it is impossible to configure it to work through NAT without port forwarding.

Urgently needed; maybe there is already a closed beta version where it is completed?
 
5nik
Member Candidate
Topic Author
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests: improve dot1x and others

Tue Jul 06, 2021 9:38 pm

Next wish done - mc-lag in v7 beta 6. Edited wish list
 
5nik
Member Candidate
Topic Author
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests: improve dot1x and others

Tue Sep 14, 2021 3:03 pm

Next edit: dot1x: guest vlan for clients not supporting dot1x - found a workaround
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Feature requests: improve dot1x and others

Tue Sep 14, 2021 3:31 pm

Next edit: dot1x: guest vlan for clients not supporting dot1x - found a workaround
Which is..? :)
 
5nik
Member Candidate
Topic Author
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests: improve dot1x and others

Tue Sep 14, 2021 3:41 pm

Next edit: dot1x: guest vlan for clients not supporting dot1x - found a workaround
Which is..? :)
I found this in the documentation:
auth-types (dot1x | mac-auth; Default: dot1x)
Used authentication type on a server interface. When both options are selected at the same time, the server will prefer dot1x authentication type and only after 3 retrans-timeout periods, the authentication type will fall back to mac-auth. In order for mac-auth authentication type to work, the server interface should receive at least one frame containing a client's device source MAC address.
So, I activated both auth types, and for "dumb" clients MikroTik tries to authenticate them by their MAC, the RADIUS server refuses it, and MikroTik assigns the port to reject-vlan-id.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Feature requests: improve dot1x and others

Tue Sep 14, 2021 5:15 pm

Got it, thanks!
 
5nik
Member Candidate
Topic Author
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests: improve dot1x and others

Fri Jan 21, 2022 4:27 pm

Finally guest-vlan-id (and server-fail-vlan-id) spotted in documentation for v7.2. No more workarounds!
I wish they supported more switch chips for Bridge VLAN filtering offload, even older chips like the Atheros8327 and others.
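The pre-7.2 workaround described earlier in the thread (both auth-types enabled, RADIUS rejecting the MAC, port moved to reject-vlan-id) and the native 7.2 guest-vlan-id / server-fail-vlan-id option, written out as an added RouterOS configuration example that is not from the thread or from MikroTik's documentation. Assumed names: ether2 as the access port, bridge1 as the VLAN-filtering bridge, ether1 as the trunk, VLAN 99 as the quarantine VLAN, and a placeholder RADIUS address and secret.

```routeros
# Added example (not from the thread). Assumptions: ether2 = access port,
# bridge1 = VLAN-filtering bridge, ether1 = trunk, VLAN 99 = quarantine VLAN,
# 10.0.0.5 / radius-secret-placeholder = placeholder RADIUS server and secret.

# RADIUS server that the dot1x server authenticates against.
/radius add service=dot1x address=10.0.0.5 secret=radius-secret-placeholder

# The quarantine VLAN must exist on the bridge so a rejected/guest host has
# somewhere to land; ether2 gets moved into it dynamically by dot1x.
/interface bridge add name=bridge1 vlan-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge vlan add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1

# Workaround (pre-7.2): dot1x is tried first; a client that never answers EAP
# falls back to mac-auth after 3 retrans-timeout periods. When RADIUS rejects
# the MAC, the port is placed in VLAN 99. This only quarantines the host if
# the RADIUS server actually rejects unknown MACs.
/interface dot1x server add interface=ether2 auth-types=dot1x,mac-auth \
    retrans-timeout=10s reject-vlan-id=99

# Native option (7.2 and later): guest-vlan-id catches clients that never
# start EAP, server-fail-vlan-id covers an unreachable RADIUS server, so the
# quarantine no longer depends on a RADIUS reject.
/interface dot1x server set [find interface=ether2] auth-types=dot1x \
    guest-vlan-id=99 server-fail-vlan-id=99
```

In both variants VLAN 99 should be firewalled off from the production VLANs on the router, otherwise "quarantine" is only a label.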
 
marcojakko
just joined
Posts: 1
Joined: Wed Jan 25, 2023 1:42 pm

Re: Feature requests: improve dot1x and others

Wed Jan 25, 2023 1:45 pm

Greetings everyone, I'll UP one feature request :)

dot1x: authentication per host (allow multiple (un)authenticated hosts on one port)

Actually it should also allow per mac address assigned VLAN (via radius response message).
 
zigfridus
just joined
Posts: 2
Joined: Wed Mar 29, 2023 2:01 pm

Re: Feature requests: improve dot1x and others

Wed Mar 29, 2023 3:04 pm

Hello everyone

I give my vote for this feature:
dot1x: authentication per host (allow multiple (un)authenticated hosts on one port)
 
Letni
Member
Posts: 376
Joined: Tue Dec 05, 2006 5:16 am
Location: South Carolina

Re: Feature requests: improve dot1x and others

Sat Apr 29, 2023 1:54 am

+1 bridge: learn-limit per bridge port, counter reset condition (on router reboot, on port down/up, manual etc)
 
pedroolguin123
just joined
Posts: 1
Joined: Tue Sep 12, 2023 9:39 pm

Re: Feature requests: improve dot1x and others

Wed Dec 13, 2023 1:38 pm

Hello network people,

I support this motion:
dot1x: authentication per host (allow multiple (un)authenticated hosts on one port)

BR,
