Feature requests

pe1chl · Mon Oct 29, 2018 8:04 pm

But - I am also very aware that English is not the only language used in the world.

Very true! Note that in no way I would suggest not to put videos in other languages on the channel.
It is very good that they are there, it only would be much more convenient when you can look in the listing and play only videos in languages you understand.
Which of course is different for everyone.

- However , with todays technology , I suspect that somewhere there just might be a really smart computer than in real-time can verbally translate the spoken language in a video to English and optionally print the translated language on the bottom of the video at the same time.

Youtube has that, but it is not really usable right now except when you want to have fun.

NEOhidra · Tue Oct 30, 2018 2:56 am

Indeed - it would be nice to separate the non-English videos.

pe1chl · Tue Oct 30, 2018 10:46 am

Indeed - it would be nice to separate the non-English videos.

I don't want to advocate separating English from non-English videos. We should not consider one language "better" than another.
I just would like to see the language of the video in the listing.

schadom · Wed Oct 31, 2018 9:09 pm

RPKI/ROV guys, please. No need to re-invent the wheel.
See RTRlib for a lightweight, open-source C library: http://rpki.realmv6.org/

PS: Perfect for a weekend hackathon @ Mikrotik HQ while the weather outside is bad

chubbs596 · Thu Nov 01, 2018 7:18 am

RPKI/ROV guys, please. No need to re-invent the wheel.
See RTRlib for a lightweight, open-source C library: http://rpki.realmv6.org/

PS: Perfect for a weekend hackathon @ Mikrotik HQ while the weather outside is bad

RPKI is really needed

pants6000 · Fri Nov 02, 2018 5:43 pm

Actual tcpdump.

I know and use the existing local and remote sniffing tools, but they are not a satisfying replacement for a quick and simple "tcpdump -X" from the CLI.

bkusic · Fri Nov 02, 2018 7:58 pm

Hi,
it would be great to develop a new product - an edge next-generation firewall (NGFW)...

My whole network is Mikrotik based - its GREAT. The only thing I would see is a real and fancy Mikrotik firewall.

Bruno Kusic

Chupaka · Sat Nov 03, 2018 2:06 pm

What's not real in current firewall?

anav · Tue Nov 06, 2018 5:34 pm

I am an english speaker and quite enjoy foreign language MUM and mikrotik youtube videos. One can sense the passion for the products in the voices.
Of course it helps when some languages revert to use english for the numbers LOL. All to say, the only comment I have is the lack of PDFs and/or videos for some of the presentations can be frustrating. At least a PDF I can translate very easily. I am with pelchi in that diversity is grand and an indication of which language would be helpful.
I was looking at DHCP leases (static) on youtube just last night and went through a number of non-english ones. Some were rather long, but in the end it was
either choose the dhcp lease menu selection of (make static) or right click on the mouse for that lease and at the popup windows type menu, select at the bottom (make static) and in both cases the mysterious D (dynamic) disappears on the far left of the lease line. There, Video of about 20 seconds.

StreamlinkUK · Tue Nov 06, 2018 11:50 pm

Would be great to get support for either dnsmasq, or some other feature to enable forwarding of mac-address to remote DNS server, (i,e for parental controls and other applications)
http://www.thekelleys.org.uk/dnsmasq/do ... q-man.html

specifically these options :

--add-mac[=base64|text]
Add the MAC address of the requestor to DNS queries which are forwarded upstream. This may be used to DNS filtering by the upstream server. The MAC address can only be added if the requestor is on the same subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option) is not yet standardised, so this should be considered experimental. Also note that exposing MAC addresses in this way may have security and privacy implications. The warning about caching given for --add-subnet applies to --add-mac too. An alternative encoding of the MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
--add-cpe-id=<string>
Add an arbitrary identifying string to o DNS queries which are forwarded upstream.

OnixJonix · Mon Nov 12, 2018 12:01 pm

Something like TORCH on firewall rule!
It would be great if i can select firewall rule and click on torch - and see what traffic is triggering on that rule!

pe1chl · Mon Nov 12, 2018 2:29 pm

Something like TORCH on firewall rule!
It would be great if i can select firewall rule and click on torch - and see what traffic is triggering on that rule!

It is sort of possible to do that, by clicking the "log" checkmark on the last page (the matched traffic will appear in the log).
Of course you must be careful when doing this on large amounts of traffic. But I have often used it for traffic that has only
a few pkts/second and it works fine.

msatter · Mon Nov 12, 2018 5:06 pm

On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log. The first two and last one/two lines are writen so the time between lines can by seen.

First the two logline written. When it is repeated then the shown counter is increased:

.
time - same logline
time - same logline
the line above are repteated X times.
time - end of repeated lines
|
time - new logline
.

pe1chl · Mon Nov 12, 2018 7:11 pm

On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log.

As long as you have connection tracking, and do not use the log on the "established/related" rule (which should be at or near the top of the list), logging on rules further down the list will usually have less volume and certainly not a duplication of the same info.
Of course there can still be a lot of new connections logged this way.

Jotne · Mon Nov 12, 2018 7:36 pm

the line above are repeated X times.

When you dealing with external logs, this is something you like to avoid at all cost like here in my Splunk - Mikrotik project:
viewtopic.php?t=137338

When you read logs external programs its hard to understand what is repeated and get the message back together.
And do you have many boxes that sends syslog to same server, it makes it even worse.
So if implemented, this need to be an option.

msatter · Mon Nov 12, 2018 8:44 pm

On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log.
As long as you have connection tracking, and do not use the log on the "established/related" rule (which should be at or near the top of the list), logging on rules further down the list will usually have less volume and certainly not a duplication of the same info.
Of course there can still be a lot of new connections logged this way.

In RAW I don't have those control options and thinking further about it.

On enabling logging the option to group logline for that specific rule. Control is so still with the user.

msatter · Mon Nov 12, 2018 8:49 pm

the line above are repeated X times.
When you dealing with external logs, this is something you like to avoid at all cost like here in my Splunk - Mikrotik project:
viewtopic.php?t=137338

When you read logs external programs its hard to understand what is repeated and get the message back together.
And do you have many boxes that sends syslog to same server, it makes it even worse.
So if implemented, this need to be an option.

Making it optional on rule level is the way to go. The user have to decide, if it is going to be used or not.

pe1chl · Tue Nov 13, 2018 4:18 pm

Please consider implementing a way to run a user program in an environment as far protected as possible, but lighter than MetaROUTER which requires a full OS and hardware virtualization.
Some discussion is on page 4 of the Feature Request: OpenVPN [ovpn] udp tunnels topic.

E.g. make a folder on the flash device or external storage, the user puts the executable binary there and possible configuration data, RouterOS runs the executable
in a chroot to that folder, normal networking is possible but possibly also a tun/tap device that is configured just like for the MetaROUTER.
User code is run as a nonprivileged user and without any access to RouterOS configuration or environment.

This would allow users to run their own OpenVPN server, Wireguard server, advanced DNS server, DNS to HTTPS relay and more, without
having to wait for MikroTik implementing those services.
Only support required would be some common shared library files to link to (others could be statically linked).
Users can use the usual gcc cross-compilation facilities to generate their binaries.
Advanced tricks like virtual machines with their associated stability issues and unavailability on certain processors would be unnecessary for this feature.

Wyz4k · Thu Nov 15, 2018 8:11 am

RFC 5424 compliant syslog client so that I can use a cloud syslog server. https://help.sumologic.com/03Send-Data/ ... log-Source

eduplant · Sat Nov 17, 2018 8:38 am

Hello, I just posted a feature request in a separate thread but wanted to at least link it here for possible visibility:

[Feature Request] :resolve DNS Client Improvements

One of the advantages of RouterOS is its scriptability and the strength of its shell syntax for getting things done. New improvements in the :system and :tool areas have given us more tools than ever, and augmenting existing features with script="" hooks have given us even more places to use those tools. However, it seems like an important scripting primitive (for a network device, at least) has been neglected for some time: :resolve.

The rest can be found in the thread here.

Thanks!

mada3k · Sat Nov 17, 2018 7:25 pm

Netinstall for Linux/BSD
DMVPN or something smilar would be great
SNMP monitoring of OSPF-neighbour and BGP peer-status
Sectioned view in Firewall/Filter.
TACACS
802.1x

GuJack20 · Sat Nov 17, 2018 9:25 pm

Indeed - it would be nice to separate the non-English videos.
I don't want to advocate separating English from non-English videos. We should not consider one language "better" than another.
I just would like to see the language of the video in the listing.

You are right. That’s why in this year’s MUM in Tirana i changed the title and description of my presentations from English to Albanian (the language I was going to give them)

So the video in youtube has an Albanian title, the .pdf has an albanian name too. Very easy i think for everyone.
MikroTik should just ask the presenter to write the title and description of each presentation in the language that is going to be given.

usv111 · Thu Nov 22, 2018 1:40 pm

Please,

add multi-cpu(multi-core) support to Bandwidth Test Tool.

this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.

Chupaka · Fri Nov 23, 2018 2:11 pm

add multi-cpu(multi-core) support to Bandwidth Test Tool.

this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.

https://wiki.mikrotik.com/wiki/Manual:T ... _Generator

WirelessRudy · Fri Nov 23, 2018 3:24 pm

When do we ever see the option of select and copy text in the winbox log files? This has been asked for years.
Plus the option to search for string of caracters?

When studying your logs in winbox it's at times hard to get the eyes focused on what you want to see if there are many lines to read through.
And copy and paste into a text file would make is so easy to quickly select what you are looking for.

expert · Fri Nov 23, 2018 5:20 pm

When do we ever see the option of select and copy text in the winbox log files? This has been asked for years.
Plus the option to search for string of caracters?

When studying your logs in winbox it's at times hard to get the eyes focused on what you want to see if there are many lines to read through.
And copy and paste into a text file would make is so easy to quickly select what you are looking for.

What's hard on doing

ssh mikrotik "/log print" | less

?

WirelessRudy · Fri Nov 23, 2018 5:50 pm

When do we ever see the option of select and copy text in the winbox log files? This has been asked for years.
Plus the option to search for string of caracters?

When studying your logs in winbox it's at times hard to get the eyes focused on what you want to see if there are many lines to read through.
And copy and paste into a text file would make is so easy to quickly select what you are looking for.
What's hard on doing
Code: Select all
ssh mikrotik "/log print" | less
?

1. I am not doing ssh. 2. I don't want to print anything. I just want to quickly look in my log and highlight a line or try to find just one setting (one mac leaving or connectiong for example on an antenna) so I can see what happened or where something went wrong.
Why do I need to ssh into it when I am after 15 years still perfectly happy with winbox. And why should I need to print a log first before I do the things that is already any other program running on my screen?
What is so hard to just make my mouse highlight a line? This feature has been asked for by many over the years...

muetzekoeln · Sat Dec 01, 2018 7:21 pm

I have a small feature request. For me it would be very helpful. There are some (about 35) IP networks better reachable by a special gateway than by default gateway (no BGP!).
It would be great if there would be an address list table where all these networks listet and add only one ip route for the list. Today address lists can only be used in firewall.

I know one can use firewall rules to establish routes, but I find this a little bit confusing.

Please make address lists available as destinations in ip route menu.

pe1chl · Sat Dec 01, 2018 11:31 pm

Please make address lists available as destinations in ip route menu.

That is actually already possible.
You add a route to 0.0.0.0/0 via your special gateway in the ip route table with a routing mark name you choose.
Then in your ip firewall mangle table you add a forward rule matching your address list and setting the action "mark routing" and select your mark name.

schadom · Sun Dec 02, 2018 8:35 am

I'd love to see some routing and BGP-related improvements and features (like RPKI Origin Validation).
According to ROS changelogs, it's now almost over a year ago since the last BGP-related fix has been released:

What's new in 6.41 (2017-Dec-22 11:55):
...
*) bgp - added 32-bit private ASN support;
...

We've seen a lot of bridge, cloud, wireless and w60g-related stuff going on during the last months.
Now it's really the time to focus a little bit on routing again... make routing great again

lucasimo88 · Mon Dec 03, 2018 9:56 pm

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.

i need me too complete supporto for IPSEC/IKEv2 with EAP Authentication implementation for NordVPN

muetzekoeln · Tue Dec 04, 2018 2:37 pm

Please support preference field in IPv6 router advertisements. Incoming and outgoing. RFC 4191.

Wed Dec 05, 2018 2:49 am

Please,

add multi-cpu(multi-core) support to Bandwidth Test Tool.

this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.

Of note: I have some CHRs running on VMware ESXi servers with 10-Gig network cards.
A single btest session uses a single CPU - however … multiple btest sessions (a mix of send & receive btest(s) appear to use multiple CPUs.
A single CPU assigned to my CHR ROS system can actually btest using vmxnet-3 Ethernet interfaces through the physical 10-Gig network cards can reach near 10-Gig throughput to another CHR btest device on a different VMware ESXi server.
Additionally , two CHRs running on the same physical VMware ESXi servers using vmxnet-3 interfaces can easily btest to each other at rates faster than 10-Gig (in my case , I have tested two CHRs on the same system at almost 19-Gig. And , a CHR running a btest to the loopback interface 127.0.0.1 can easily hit over 20-Gig. I have never seen a Mikrotik motherboard btest to the loopback 127.0.0.1 interface at even 1/4th that speed.
Also - in my opinion , a CHR running on a decent SuperMicro with fast Intel XEON CPUs and lots of CPU cache has always totally and easily way out performed all Mikrotik motherboards that I have tested. For example, a full BGP load on a 10-Gig feed is almost 10-times faster than a CCR1036 Mikrotik router.
Also - again in my opinion, a CCR1036 is good at speeds less than 2-Gig , and a CRS is more of a switch than a router and they are slower. On both your CCRs and CRS mikrotiks , run a btest to 127.0.0.1 and you will discover they are not all that fast or even in the neighborhood of performance a CHR with good hardware can deliver.

North Idaho Tom Jones

Wed Dec 05, 2018 8:24 am

Multithread support for btest is already added:
Version 6.44beta39 has been released.
*) btest - added multithreading support for both UDP and TCP tests;

Wed Dec 05, 2018 8:42 am

Please,

add multi-cpu(multi-core) support to Bandwidth Test Tool.

this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.
Of note: I have some CHRs running on VMware ESXi servers with 10-Gig network cards.
A single btest session uses a single CPU - however … multiple btest sessions (a mix of send & receive btest(s) appear to use multiple CPUs.
A single CPU assigned to my CHR ROS system can actually btest using vmxnet-3 Ethernet interfaces through the physical 10-Gig network cards can reach near 10-Gig throughput to another CHR btest device on a different VMware ESXi server.
Additionally , two CHRs running on the same physical VMware ESXi servers using vmxnet-3 interfaces can easily btest to each other at rates faster than 10-Gig (in my case , I have tested two CHRs on the same system at almost 19-Gig. And , a CHR running a btest to the loopback interface 127.0.0.1 can easily hit over 20-Gig. I have never seen a Mikrotik motherboard btest to the loopback 127.0.0.1 interface at even 1/4th that speed.
Also - in my opinion , a CHR running on a decent SuperMicro with fast Intel XEON CPUs and lots of CPU cache has always totally and easily way out performed all Mikrotik motherboards that I have tested. For example, a full BGP load on a 10-Gig feed is almost 10-times faster than a CCR1036 Mikrotik router.
Also - again in my opinion, a CCR1036 is good at speeds less than 2-Gig , and a CRS is more of a switch than a router and they are slower. On both your CCRs and CRS mikrotiks , run a btest to 127.0.0.1 and you will discover they are not all that fast or even in the neighborhood of performance a CHR with good hardware can deliver.

North Idaho Tom Jones

Since beta version "6.44beta39", bandwidth test utilizes all of the CPU cores.

shiyiqiang08 · Wed Dec 05, 2018 9:04 am

can rb450Gx4 add wireless?
i need small device but high performance ,but the rb450Gx4 or RB850G has no wireless.

iperezandres · Wed Dec 05, 2018 10:51 am

It would be awesome to be able to save the winbox personalized views, instead of having to rearrange every window every time we connect to a new device.

UPDATE: as it turns out, it already exists the solution: viewtopic.php?f=14&t=120033

marosi · Thu Dec 06, 2018 11:42 am

So dudes, christmas is coming soon and here are my wishes

- a mptcp enabled kernel
- sstp vpn combined with mptcp

this would make it possible to take (v)dsl lines combined with 4G/lte and establish vpn tunnels to a central vpn server.
the reassambling of packets is done by the mptcp kernel.

this would be a outstanding feature.
https://en.wikipedia.org/wiki/Multipath_TCP

and the second one would be to implement pound as a loadbalancer service combined with letsencrypt certificates, wich would be my third wish.
implement letsencrypt including automatisation for certificare renewals.
the ppl could use routerboard hardware from 3011 to ccr1072 as loadbalancers for reasonable costs and connect the ports direct to a webfarm.

the useability in sum would increase quadratically.

muetzekoeln · Thu Dec 06, 2018 12:15 pm

- a mptcp enabled kernel

+1, although it's status is "experimental". Would also play nicely together with LISP (RFC6830) viewtopic.php?f=19&t=81674&p=699943&hil ... 30#p699943. In addition BBR is included in mptcp, which would be great.
BBR together with a proxy service (see below) would help for legacy end user devices with old tcp stacks.

pound as a loadbalancer service

+1, something like Pound would be really useful!

implement letsencrypt including automatisation for certificare renewals.

+1 again

pe1chl · Wed Dec 12, 2018 11:25 am

winbox: please add some "windows list" feature, e.g. a button for every open window to the right of the "Session:" field below the menu bar.
this can be useful to have an overview what windows are open and to raise them when they are inadvertently lowered below another window.

I normally have the "Log" open fullsize and open all other windows on top of that. When I click somewhere outside of a window by accident,
all opened windows disappear behind that Log window and I have to re-open them from the menu.

Alternatively, it could be useful to have a "lower window" widget or right-click option so I can lower the Log window again (so all other open
windows appear on top of it).

WeWiNet · Wed Dec 12, 2018 6:12 pm

pe1chl +1,
that would be awesome. hate to fiddle around the various windows...

Also a green/yellow/red color field within WINBOX to indicate if you are still connected to the router (green - connected, yellow - don't know, red-disconnected)

pe1chl · Wed Dec 12, 2018 7:46 pm

Also a green/yellow/red color field within WINBOX to indicate if you are still connected to the router (green - connected, yellow - don't know, red-disconnected)

That isn't required because when you have no link, you will be disconnected (far to) quickly and lose the open window (reverts to connections list)!
What I would like to see is an option to disconnect only after 1-2 minutes of link-down, so it is possible to survive a router reboot somewhere inbetween.

eworm · Fri Dec 14, 2018 9:47 pm

I would love to see the functionality of the Mode button expanded. Specifically, it would be useful to be able to assign different actions taken based on whether the button was pressed once, double-pressed, triple-pressed, or long-pressed.

That is possible with scripts. See my RouterOS Scripts (or at github), especially mode-button-event and mode-button-scheduler.

solelunauno · Wed Dec 19, 2018 11:47 am

I use the USB port to activate a N.O. relais that will remove power form an IP surveillance camera to hard reset it.
I use the N.O. relais because 1) a relais failure will let the camera ON, instead than OFF; 2) the relais consumes almost 0,6W of power and my installations are often battery powered (solar panels, etc).
But until now there isn't a feature in RouterOS to let usb power OFF all the time, so I use a script scheduled at startup:
/system routerboard usb power-reset duration=720d
It will be great if I could power ON and OFF usb as I already do with POE output.
Thanks

bmatic · Wed Dec 19, 2018 1:36 pm

If anybody from MikroTik is reading this I would make a sugestion that I can somehow disable fetch tool log messages.

I wrote a simple script for fetching public IP address for updating No-ip address, and it works OK, but now I have log flooded with fetch messages.

Log.png

eworm · Wed Dec 19, 2018 3:11 pm

If anybody from MikroTik is reading this I would make a sugestion that I can somehow disable fetch tool log messages.

I wrote a simple script for fetching public IP address for updating No-ip address, and it works OK, but now I have log flooded with fetch messages.

You can get rid of this. If you do not need the file just add "keep-result=no" to your fetch command. If you do need the file I suppose you read the content later? Just switch to return value to a variable.

muetzekoeln · Thu Dec 20, 2018 12:44 pm

It would be nice to have zero-wait DFS in RouterOS, like AVM and Aerohive have it.

This is to eliminate wait time on 5GHz band after changing operational channel because of Radar detection.

RouterOS could do continuous background scanning (using Scanlist) to find "available" and "unavailable" channels (https://www.etsi.org/deliver/etsi_en/30 ... 20007a.pdf). On radar detection (on active channel) it could (randomly) choose a new channel from the available channels and inform clients of the frequency change before shutting down current operational channel and switch to the new channel.

WeWiNet · Fri Dec 21, 2018 1:56 pm

Pe1chl

Also a green/yellow/red color field within WINBOX to indicate if you are still connected to the router (green - connected, yellow - don't know, red-disconnected)
That isn't required because when you have no link, you will be disconnected (far to) quickly and lose the open window (reverts to connections list)!
What I would like to see is an option to disconnect only after 1-2 minutes of link-down, so it is possible to survive a router reboot somewhere inbetween.

Not true on MacOS/Wine Winbox.
You get disconnected but it won't through you out (but the clock stops to work!). I can open still windows, with data/settings, modify them etc.
Then after a while you might really get thrown out but you won't know when the disconnect happened, and from which point
onwards the modifications were lost.
For this a clear flag (green=clock updates, yellow=no update for 1-3 seconds, red= no update for over 4 seconds) would be really helpful.
Knowing that the clock is precised and stops (even on Mac) using that as trigger should be simple to implement and really nice at same time.

pe1chl · Fri Dec 21, 2018 2:13 pm

Not true on MacOS/Wine Winbox.
You get disconnected but it won't through you out (but the clock stops to work!).

Strange! Under Windows and with Linux/Wine this does not happen, whenever the link is lost you get disconnected within 3 seconds.
Very inconvenient, because sometimes I have 3-4 devices open at the same time and when I reboot one of them I lose all windows even before BGP+BFD re-calculates the routes.
I would in fact prefer such a status indicator and some more patience from winbox (and the router at the other side) so that it survives such events.

cowgirl · Fri Dec 21, 2018 4:35 pm

Multi Chassis Link Aggregation for CCR1xxx and CRS3xx

Best regards
Alexandra

pe1chl · Tue Jan 15, 2019 2:38 pm

In "queue tree" please provide the option of specifying limit-at and max-limit as a percentage of the limit on the next higher layer.
(within a queue tree, the values in the parent item. in the top item, maybe the interface speed when available. or percentages could be disallowed there)

When the value of the limit in the parent item changes, automatically re-calculate the values specified by percentage.

muetzekoeln · Tue Jan 15, 2019 4:55 pm

In "queue tree" please provide the option of specifying limit-at and max-limit as a percentage of the limit on the next higher layer.
When the value of the limit in the parent item changes, automatically re-calculate the values specified by percentage.

+1

Yes please, this is very useful!

SaurVLZ · Wed Jan 16, 2019 1:09 pm

Please add temperature and voltage to the dashboard of the Winbox.
Often it is necessary to monitor the parameters and the location on the dashboard would simplify this at times.

winbox upg.jpg

iperezandres · Wed Jan 16, 2019 3:01 pm

Please add temperature and voltage to the dashboard of the Winbox.
Often it is necessary to monitor the parameters and the location on the dashboard would simplify this at times.
winbox upg.jpg

Now that you mention this, what about being able to personalize the parameters being shown on the dashboard? It would be useful to use a script to show any value or calculation.

pe1chl · Wed Jan 16, 2019 3:42 pm

Of course when you need a dashboard with all kinds of customized parameters it is easy to make that using SNMP.
I would make such a thing on a local webserver in Perl or PHP but undoubtedly there exist "user friendly" packages for Windows that can do that too.
And of course MikroTik have "the Dude" which can do that as well.

muetzekoeln · Fri Jan 18, 2019 2:19 pm

RouterOS includes limited (S)NTP support for syncing clocks. For many applications (e.g. in telecoms and industry) more time precision is required. Protocol IEEE 1588-2008 (aka PTP, IEEE1588v2) is used for this. It would be a great benefit if Mikrotik devices would support IEEE 1588 and function as transparent clock, better yet boundary clock. Maybe some of the built-in switch chips already support for IEEE1588 timestamping in hardware.

You find some information about IEEE 1588 here:
https://www.endruntechnologies.com/pdf/PTP-1588.pdf
https://www.endace.com/ptp-timing-whitepaper

This forum already had some discussion about IEEE 1588:
viewtopic.php?f=1&t=70793&p=534801&hili ... 88#p534801
viewtopic.php?f=1&t=87471&p=465496&hili ... 88#p465496
viewtopic.php?f=1&t=79304&p=421858&hili ... 88#p421858
viewtopic.php?f=21&t=121198&p=605388&hilit=1588#p605388

Of course one has to have a grandmaster clock accessible to make use of IEEE 1588. Mikrotik devices only could transport PTP packets better, if supported.

MikrotikOdessa · Sat Jan 19, 2019 11:48 am

I would like to receive SNMP traps when WiFi client registration occurs...

for example:
[WIRELESS]--Association:11G STA 80:b0:3d:xx:xx:xx associated with WLAN1 SSID = Mikrotik

It's very useful for smart home automation scenarios

Pada · Mon Jan 28, 2019 11:10 pm

I would love the following Winbox (and WebFix) features to be added:

Setting default options for Tools > Torch, because I always have to first deselect "Src. Address6" & "Dst. Address6" and then select "Port" & "Protocol"
Setting to prevent drag & drop of Firewall rules to prevent accidental changes in firewall order

joegoldman · Mon Jan 28, 2019 11:54 pm

I would like to receive SNMP traps when WiFi client registration occurs...

for example:
[WIRELESS]--Association:11G STA 80:b0:3d:xx:xx:xx associated with WLAN1 SSID = Mikrotik

It's very useful for smart home automation scenarios

You could replicate this with logging and a syslog (remote) logging server. Bit of a workaround

Jotne · Tue Jan 29, 2019 8:42 am

I would like to receive SNMP traps when WiFi client registration occurs...

As joegoldman write, syslog is your friend. Look at the project in my signature using Splunk to monitor Mikrotik.
I there dropped using SNMP at all, since then have to add/scan for all new devices.
Now a script on the router calls home with all information needed.

This is how the log lines looks like from Router using Syslog (even shows the signal strength and what VLAN used)

2019-01-24 08:48:09	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -45
2019-01-24 08:36:55	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -43
2019-01-24 07:51:17	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -39
2019-01-23 10:05:08	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -32

pe1chl · Fri Feb 01, 2019 2:32 pm

winbox: please have some feature to set (or completely disable) the live update interval of pages that show counters etc.

When managing a router via a slow network or when using winbox over something like RDP or X2GO and when it shows a page that has a lot of counters (e.g. firewall filter wih >200 filters) the winbox client is very busy with updating the page and it becomes difficult to actually do something (like moving a rule).
I would like to just pause the updating or configure it to update like every minute instead of "all the time".

mkx · Fri Feb 01, 2019 2:45 pm

winbox: please have some feature to set (or completely disable) the live update interval of pages that show counters etc.

++

While at it, do it for WebFig as well.

DmitryAVET · Sat Feb 02, 2019 11:29 pm

Dear Mikrotik, what about automatic sertificates from Let's Encrypt?

Keenetic (ex Zyxel) provide AUTOMATIC sertificates by Let's Encrypt:
https://blog.keenetic.com/keenetic-join ... r-society/

Why Mikrotik can't provide same?

SSL for WWW services, include WebFig, especcially remote, hotspot...

Check this out:

ssl.png

its cool!

kiler129 · Sun Feb 03, 2019 7:57 am

A simple yet I think important request: provide IPv6 out of the box. This really requires a package to be present and some default firewall & stateless configuration enabled. I don't see the reason why in 2019 they are shipped with IPv4 only where even cheap consumer routers are IPv6 enabled OOB.

mkx · Sun Feb 03, 2019 10:24 am

A simple yet I think important request: provide IPv6 out of the box. This really requires a package to be present and some default firewall & stateless configuration enabled. I don't see the reason why in 2019 they are shipped with IPv4 only where even cheap consumer routers are IPv6 enabled OOB.

++

Specially so as loading IPv6 package means it doesn't have default settings (i.e. firewall rules) and user has to perform factory reset to get decent configuration as starting point - but loosing whatever already done in other parts (IPv4, wlan, VLAN, ...).

pe1chl · Sun Feb 03, 2019 11:41 am

That is certainly true, but frankly even more important is to bring the IPv6 functionality up to par with what is available in IPv4.
There is a separate topic about that.
Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)

krafg · Sun Feb 03, 2019 3:37 pm

A request:

Please create a 2g/3g/4g high gain antenna (dual chain). mANT LTE 5o is very little.

mkx · Sun Feb 03, 2019 3:46 pm

A request:

Please create a 2g/3g/4g high gain antenna (dual chain). mANT LTE 5o is very little.

There are plenty of high-quality third-party antennae available ... one only needs appropriate connector coverters (many antennae come with FME connectors, so one needs SMAtoFME pigtails).

kiler129 · Mon Feb 04, 2019 1:59 am

(...)user has to perform factory reset to get decent configuration as starting point - but loosing whatever already done in other parts (IPv4, wlan, VLAN, ...).

Actually you can do

/system default-configuration print file=default-cfg

after installing IPv6 package and you will get the default config with IPv6 related stuff

Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)

Why do you think so? Did they said something (even unofficially)?

metricmoose · Mon Feb 04, 2019 6:39 am

We started renting Mikrotik routers to our customers as a basic managed WiFi solution and one thing that any ISP will run into with this type of setup is the customer hitting the damn reset button.

We'd love a way to change the default configuration that doesn't involve netinstall. It's extremely tedious to have someone sit there and netinstall a stack of routers with our custom configuration. There needs to be a better way! Mikrotiks are so close to being perfect for deploying as managed wifi.

To go with that, a basic Tr069 ACS able to run on RouterOS, like Dude or Userman, would be very useful. As long as it can handle applying configurations, setting wifi info and PPPoE logins, it will get people most of the there. Monitoring bandwidth, latency and WiFi stats would also be useful.

mkx · Mon Feb 04, 2019 8:50 am

(...)user has to perform factory reset to get decent configuration as starting point - but loosing whatever already done in other parts (IPv4, wlan, VLAN, ...).
Actually you can do
Code: Select all
/system default-configuration print file=default-cfg
after installing IPv6 package and you will get the default config with IPv6 related stuff

I know that ... but vast majority of SOHO users (and those seem to be the focus of MT lately) don't ... they struggle to enable IPv6 and don't bother with the rest of config ... just as they don't bother about IPv4 config, but luckily the default firewall for IPv4 is quite decent lately.

4lphanumeric · Tue Feb 05, 2019 8:08 am

Ability to swap the rx/tx representation in the graphing setting.

Normal : In -> green, Out -> blue
Swapped: In -> blue, Out -> green

pe1chl · Tue Feb 05, 2019 11:52 am

Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)
Why do you think so? Did they said something (even unofficially)?

I think so, because NO development of these components has appeared aside from some minor bug fixes, for several years.
And also note they are trying to hire new developers for quite some time already.

Also, it appears the watchful eye that reminds the others in the room at the development meeting that IPv6 exists has disappeared.
New features like Kid Control and Detect Internet are developed and released WITHOUT IPv6 support.

neos14 · Mon Feb 11, 2019 11:02 am

Please add support for SNMP views.
To be able to provide limited set of OID's for specific SNMP community.

dravnieks · Tue Feb 12, 2019 4:45 pm

flashing every router with netinstall is minor, and fast process, only issue, in later versions configuration is not persistant after reset.

Have you tried to aply default configuration on 40 Fritzbox routers?

40 Hap AC2 i would get flashed in less than 2 hours, get 24 port poe switch and pile of patch leads. Uploading config to Fritz will take 10 minutes per router because of endless reboots and button confirmations.

We started renting Mikrotik routers to our customers as a basic managed WiFi solution and one thing that any ISP will run into with this type of setup is the customer hitting the damn reset button.

We'd love a way to change the default configuration that doesn't involve netinstall. It's extremely tedious to have someone sit there and netinstall a stack of routers with our custom configuration. There needs to be a better way! Mikrotiks are so close to being perfect for deploying as managed wifi.

To go with that, a basic Tr069 ACS able to run on RouterOS, like Dude or Userman, would be very useful. As long as it can handle applying configurations, setting wifi info and PPPoE logins, it will get people most of the there. Monitoring bandwidth, latency and WiFi stats would also be useful.

muetzekoeln · Wed Feb 13, 2019 1:09 pm

It would be useful to have link-up and link-down event scripts for PPPoE client.
And please make "message" from Authenticate-Ack and Authenticate-Nak available for parsing.

Some carriers communicate DSL connection speed by using Authenticate-Ack message [PAP AuthAck id=0x1 "SRU=uploadspeed#SRD=downloadspeed#]:
https://www.ip-phone-forum.de/threads/s ... st-2274697
https://www.onlinekosten.de/forum/showt ... ost2466544

Wed Feb 13, 2019 3:19 pm

PPP profile already has on-up on-down events.

Wed Feb 13, 2019 4:43 pm

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

raffav · Wed Feb 13, 2019 6:53 pm

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

+infinity agree with that, Why in the logs cannot log the hostname/comment if is there, is very annoying to see/debug: mac abc123 connected mac abc123 disconnected

logistic69 · Wed Feb 13, 2019 11:14 pm

Please Include VPN templates for IOS, windows 10.
it is nightmare trying to make work 6.43 to accept IOS 12.1 simply don't work.
or post a update wiki how to do it, avaery time a new router OS release came up it broke something in VPN.
sadly i need to change to other brand in other to do it.

Thu Mar 14, 2019 11:35 pm

Feature Request (1 of 2):
Mikrotik's wireless nv2 protocol ( a version of TDMA ) currently does not use encryption ( I think I am correct here … ).
I would like to see an ability to use a WPA-2 encryption on nv2 wireless networks.

Feature Request (2 of 2):
This is from a post I originally placed in the General forum under Public-Mikrotik-Bandwidth-Test-Server(s).

I would like to see a new optional Mikrotik ROS package which can perform http speedtests between Mikrotiks and client connected computers (something similar to http://my-mikrotik-IP-address/speed-btest).
… Where an optional login/password could be used to perform a http UDP-or-TCP up-or-down bandwidth test
… Where a client computer behind NATted Mikrotik could perform speedtests to their inside Mikrotik gateway IP address , and/or to any Mikrotik IP address out on the Internet.
… Where the Mikrotik admin has some control for maximum bandwidth, number of simultaneous speed-btest testers, and setting to limit how often a client can perform a http speed-btest.
… The Mikrotik http speed-btest should be a simple TCP-up, then TCP-down, then UDP-up then UDP down, followed by a round-trip-ping response time.
… The output after the http speed-btest could then report all kinds of information , including the number of dropped packets during each test -and- it would also be nice to show at what speeds RED ( Random Early Detection ) begins kicking in with dropped packets.
I suspect this type of a Speed-btest server could become very very popular. And the http speed-btest web page could show some pre-configured ISP hosting information and a URL indicating "Powered by Mikrotik" which links to Mikrotik. Mikrotik just might get a boost in sales from something like this.

ditonet · Thu Mar 14, 2019 11:54 pm

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

DHCP server lease script can help you:

:local leaseHostName;
:if ($leaseBound = 1) do={
:set leaseHostName $"lease-hostname";
:log info ("DHCP server: $leaseServerName => MAC: $leaseActMAC => IP: $leaseActIP => Host Name: " . $leaseHostName);
};

Chupaka · Fri Mar 15, 2019 11:50 am

Mikrotik's wireless nv2 protocol ( a version of TDMA ) currently does not use encryption ( I think I am correct here … ).

https://wiki.mikrotik.com/wiki/Manual:N ... v2_network

DanielJB · Wed Mar 20, 2019 12:51 pm

It is extremely useful to use the 'wait' parameter in "/interface lte at-chat" eg wait=yes.

Please can it be added for "/interface ppp-client at-chat" also as is missing?

muetzekoeln · Wed Mar 20, 2019 3:39 pm

Can we get standard 802.11s support?

+1
802.11s would be useful to mesh for example with OpenWRT based devices (some of which may be routerboards

But to mesh RouterOS with coming commercial devices it would need Wi-Fi EasyMesh:
https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh

Please implement mesh protocols compatible with non-RouterOS devices!

DanielJB · Thu Mar 28, 2019 4:42 am

For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!

On my Unix systems, I set TMOUT for root in a similar way.

pe1chl · Thu Mar 28, 2019 11:26 am

For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!

I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue),
and frankly I don't see how that adds any security. Maybe a little more for telnet where you conceivably could take over the open session when you are at an
intermediate router, but for SSH that does not work.

DanielJB · Thu Mar 28, 2019 12:07 pm

For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!
I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue),
and frankly I don't see how that adds any security. Maybe a little more for telnet where you conceivably could take over the open session when you are at an
intermediate router, but for SSH that does not work.

SSH forwarding introduces a session takeover scenario, so there is security value of this feature (which is why other vendors implement it). Perhaps a default of 1h or never is better.

pe1chl · Thu Mar 28, 2019 2:46 pm

I think other vendors only implement it because it is on standard recommendation (or even requirement) lists, not really for security.
Similar to requiring (very) frequent password changes, requiring complicated passwords, etc.
All things that could be valuable in some limited scenarios but are imposed on everyone and everything just for the sake of being able to set a checkmark.

pe1chl · Tue Apr 09, 2019 4:25 pm

When a user or admin logs in incorrectly the following message is logged:

system,error,critical login failure for user xxxxx from ...

Please remove the username (xxxxx in this case) from this log message or provide a system setting to do that.
Logging the username for login failures is a security risk.

pe1chl · Thu Apr 11, 2019 11:03 am

Please add an ARP mode that replies to ARP requests with info from the local ARP cache.
E.g. local-proxy-arp-cache
When the router receives an ARP request on an interface where this is enabled, it first does a lookup in its own ARP table.
When the entry is found there, a reply is sent that is exactly the same as when that particular device would answer the ARP.
When not, either an ARP request is made first and after reply the data is replied from the cache as above, or the router
replies with its own MAC address as in local-proxy-arp. (whatever is more convenient to implement)

This is useful in large WiFi installations where filtering has been implemented to reduce the amount of broadcast traffic.
Usually in such a setup, devices can not communicate with each other because they do not hear each other's ARP requests.
A workaround for that is to setup local-proxy-arp in the router, but the result is that all such communication is flowing
via the router. This can be optimized by telling the requester the MAC address of the desired peer device on behalf of
that device.

muetzekoeln · Thu Apr 11, 2019 12:27 pm

Dear Mikrotik, what about automatic sertificates from Let's Encrypt?

+1 again

viewtopic.php?t=92673

Chupaka · Thu Apr 11, 2019 12:31 pm

+1 again

viewtopic.php?t=92673

The topic is marked as "Solved"

Sob · Thu Apr 11, 2019 5:33 pm

Yeah, about that "solved"... If Let's Encrypt support is solved by the solution (workaround is better word^(*)) presented in that thread, then we can magically solve all other RouterOS shortcomings right away. Why didn't we think about it before, it's so simple, just add Linux machine to your router! You can solve pretty much anything that way.

(*) Don't get me wrong, I don't have anything against it, it's nice idea, definitely better than nothing and can be good enough for someone.

anav · Thu Apr 11, 2019 6:50 pm

I already did that Sob! I added an RPI for my DNS.

mada3k · Thu Apr 11, 2019 11:04 pm

IEEE1588 and SyncE would be great, but requires specific support in hardware level.

A more stressful issue is the need for BGP RKPI support.

vecernik87 · Fri Apr 12, 2019 2:48 am

To be honest, this is one of features which would be amazing and very appreciated.
Although it is possible to do through third-party device, it would be much more convenient to do it directly through ROS.
Unfortunately, I am afraid it won't happen because it would be very specific integration of 3rd party service and that never happened in the past (same as we don't have integrated support for 3rd party ddns or 3rd party VPN provider)

muetzekoeln · Fri Apr 12, 2019 8:56 am

IEEE1588 and SyncE would be great, but requires specific support in hardware level

IEEE1588 works without hardware support, but performance is not so good. It even works over WLAN:
https://www.researchgate.net/profile/Wu ... ion_detail

There are switch chips (also from QC) with support for IEEE1588 and sometimes SyncE since many years. It would be nice to know which Mikrotik products already have these built-in. Someone with this knowledge out there??

It could also support a better TDMA protocol as suggested here:
viewtopic.php?t=87471#p465494
viewtopic.php?t=70793&start=100#p515551

Maybe Mikrotik can also offer an affordable GNSS-based POE-powered IEEE1588 grandmaster-clock device for mast mounting ....

dohmniq · Fri Apr 12, 2019 2:19 pm

Can we get standard 802.11s support?
+1
802.11s would be useful to mesh for example with OpenWRT based devices (some of which may be routerboards
[...]
Please implement mesh protocols compatible with non-RouterOS devices!

Also +1
I'm involved in a commercial project that is looking to use 802.11s but I have to install OpenWRT on Routerboards to get 802.11s support.
AFAIK, 802.11s is baked into the Linux kernel which is also used for RouterOS?
Using wireless snooper on RouterOS you wouldn't even know there was a 802.11s mesh on your frequency!

hel · Mon Apr 15, 2019 12:11 pm

Please add attribute or other way to set total-max-limit/total-limit-at via RADIUS.
There's no way to do changes to a dynamic queues. In case of PPPoE network we can't use manual queues.
Total-max-limit is used to limit up+down to a some total value.

Mon Apr 15, 2019 5:55 pm

A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many many windows open in winbox , click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones

jprietove · Mon Apr 15, 2019 6:45 pm

A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many many windows open in winbox , click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones

Isn't it the existing Session -> Close Windows?

akschu · Mon Apr 15, 2019 11:11 pm

This is what I need, a way to make a firewall list based on ipsec identity. All that's needed to make this work is the ability to define src-address-list when responder=yes:

/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-firewallrulesA src-address-list=firewallrulesA responder=yes

/ip ipsec identity
add auth-method=rsa-signature certificate=vpnserver remote-certificate=fred generate-policy=port-strict mode-config=ike2-firewallrulesA peer=ike2 policy-template-group=ike2-policies

When someone starts IP sec with the certificate=fred, then they are connected to mod-config and added to address-list firewallrulesA where we can firewall the road-warrior to specific services by simply using the address list.

Right now the only way to do this is to define an IP pool or static address for every firewall ruleset you want to tie to a user/certificate.

Mon Apr 15, 2019 11:42 pm

A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many many windows open in winbox , click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
Isn't it the existing Session -> Close Windows?

Hmmm , yea I know if I exit my winbox to a remote Mikrotik then the all the sessions associated with that winbox connection close.

What I am looking for is a simple way to have a winbox session to a remote Mikrotik , then have a quick/easy method to close all the open windows in that winbox session yet still keep my winbox session running.

Example - in my attachment image - a new selection to auto close everything with an X marked in red. Yet keep the Winbox still connected to the remote Mikrotik.

vadimkara · Tue Apr 16, 2019 8:44 am

Please add multi peer priority/fallback to ipsec policy.

jprietove · Tue Apr 16, 2019 11:28 am

A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many many windows open in winbox , click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones

Or I'm not understanding you... or for sure it is the existing option "Session->Close All Windows". It closes all the windows without disconnecting the winbox session. Please, check it

pe1chl · Tue Apr 16, 2019 12:45 pm

I would like to see a windows list in winbox, either as a menu item or by having a button corresponding to each window in the top bar (similar to the task bar in Windows).
This can be used to raise windows that are buried after opening others.
And/or a right-click function to lower a window.

I commonly open a "Log" window and set it fullsize, then open other windows on top of it.
When I mistakenly click outside an opened window, the Log window raises to top and covers everything else, without any way to get those raised again.
One of those additions could solve that.

Tue Apr 16, 2019 5:27 pm

A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many many windows open in winbox , click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
Or I'm not understanding you... or for sure it is the existing option "Session->Close All Windows". It closes all the windows without disconnecting the winbox session. Please, check it

OOooo

I must be a dummy. I see it now and it's easy.
Thanks for the info
North Idaho Tom Jones

dada · Thu Apr 18, 2019 3:42 pm

Hi,

I would like to see PPPoE snooping feature in ROS. It could allow to identify (at login time) to what AP is an PPPoE user connected to for example.

muetzekoeln · Thu Apr 18, 2019 4:27 pm

When improving PPPoE, please look also into RFC4938. The link metrics extensions make sense with wireless links as well as with DSL, where bandwidth can change for an up-state interface.
PADQ information could be applied to QoS/queue parameters if made available by PPP event scripts (new events necessary).

Thu Apr 18, 2019 6:58 pm

Request - CHR ISO to allow CHR install on a bare metal platform.

Reason for request:
#1 - CHR running on the free version of VMware ESXi has a limitation of 8 CPUs per virtual hosted system.
#2 - The cost of VMware ESXi license to enable greater than 8 CPUs to a virtual hosted system can be quite expensive.

An ISO install version on a bare metal box could permit the following:
- Boot on USB (bare metal BIOS configured to make the USB appear as an IDE drive).
- Utilize E1000e ethernet interfaces (10-Gig).
- Utilize all cores (dual multi-core Xeon CPUs). Example - two Xeon CPUs with 28-cores (not counting HT), could allow a CHR to function with 56 (or much more) Xeon CPUs.

A bare-metal CHR may be up to hundreds of times faster than a virtual hosted CHR (with 8 CPUs), running hundreds/thousands of complex firewall rules.

I have tried x86 on bare metal , but I've experience X86 ROS lockups under heavy loads.
I am researching a v-to-p (virtual machine to physical machine) conversion - and it may be possible - but uncertain and untested.

North Idaho Tom Jones

McSee · Sat Apr 20, 2019 1:41 pm

Can't believe that RoS console still doesn't have such basic feature as a command history search !

Like Ctrl-R/Ctrl-S in bash. Type Ctrl-R then few letters and it will show you previous command from the history with these letters, with Ctrl-R to move to the next result up and Ctrl-S down.

And no filter in log viewer in Winbox even after numerous requests ?

mfr476 · Sat Apr 20, 2019 3:08 pm

Is It posible more improvement in 5ghz ac wireless?

libove · Mon Apr 22, 2019 2:30 pm

There are several discussions in these and other forums about how to implement port knocking in RouterOS. And, at a basic level, they all can work.
In short, they tend to be "detect proto on port, add src to address-list KNOCKPHASE1", "detect proto on port2 when src already on address-list KNOCKPHASE1, add src to address-list KNOCKEDSUCCESSFULLY", "allow in when src on address-list KNOCKEDSUCCESSFULLY".
The problem is that certain types of port scans can trigger this.
So we'd also want "... and src has NOT appeared on any OTHER port, or on these ports in the wrong order".
That turns out to be messy with RouterOS as it is today. Possible, but messy. (At the least, you end up with ports on both a successfully-knocked list AND a blacklist, and rule execution order plus the admin having a good memory or good documentation is required to avoid mental confusion...)

So, a feature request for RouterOS, formal, flexible port knocking.
Knocking should allow any combination and order of ports and protocols, up to N layers deep. (At least three. e.g. TCP/4321 followed by UDP/7654 followed by ICMP type 8 subtype 0)
The formal port knocking implementation offered as part of RouterOS should have, built-in, an optional "... and no other traffic from src in the past few seconds/minutes". (That's the part that's hard to implement cleanly with today's RouterOS).

thanks,

muetzekoeln · Thu Apr 25, 2019 2:47 am

I would like to have an option to select and enable DFS (in the variants ETSI, FCC and JP) when using 5GHz superchannel/no_country_set setting.

pe1chl · Thu Apr 25, 2019 10:54 am

So, a feature request for RouterOS, formal, flexible port knocking.
Knocking should allow any combination and order of ports and protocols, up to N layers deep.

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).
However, a reasonable request would be to implement a new firewall rule action "remove src from address list" (and maybe "remove dst from address list"),
which would allow you to build what you want using the existing "add" action to add addresses to a list as they walk through the desired port knocking steps,
and use the "remove" action when they do things that do not match your desired steps (so they fall back to initial state).

vecernik87 · Tue Apr 30, 2019 9:57 pm

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).

Kids control.
'nuff said

muetzekoeln · Fri May 03, 2019 1:47 pm

Dear Mikrotik, what about automatic sertificates from Let's Encrypt?

Someone wrote a lightweight ACMEv2 client in C:
https://github.com/ndilieto/uacme

So it should be possible to implement as ROS package.

Sob · Fri May 03, 2019 6:35 pm

I'm sure that MikroTik can easily write their own ACME client. But it's even more important how it should fit into RouterOS and work for as many scenarios as possible.

For example, maybe you just want certificate for https WebFig (or SSTP server). Sounds easy, right? There's already a webserver on router, so simple http-01 validation can be used. But what if you don't want or can't open port 80 (AFAIK http-01 always starts with plain http on standard port 80)? It would be the case on at least half of routers where I'd like to use Let's Encrypt certificates, because there's typically only one public address and standard http(s) ports are already forwarded to some internal webserver. There would have to be support for dns-01 validation and it has different problems too.

I think it's doable, I tried some suggestions in Support for ACME/Let's Encrypt certificate management thread, but so far it doesn't look like anyone from MikroTik though "oh yes, it's super-awesome, we need to have that!" Maybe try to invent some other foolproof plan that will finally convince them.

mtk89 · Sat May 04, 2019 4:59 pm

I'm sure that MikroTik can easily write their own ACME client. But it's even more important how it should fit into RouterOS and work for as many scenarios as possible.

For example, maybe you just want certificate for https WebFig (or SSTP server). Sounds easy, right? There's already a webserver on router, so simple http-01 validation can be used. But what if you don't want or can't open port 80 (AFAIK http-01 always starts with plain http on standard port 80)? It would be the case on at least half of routers where I'd like to use Let's Encrypt certificates, because there's typically only one public address and standard http(s) ports are already forwarded to some internal webserver. There would have to be support for dns-01 validation and it has different problems too.

I think it's doable, I tried some suggestions in Support for ACME/Let's Encrypt certificate management thread, but so far it doesn't look like anyone from MikroTik though "oh yes, it's super-awesome, we need to have that!" Maybe try to invent some other foolproof plan that will finally convince them.

From the manual page (https://ndilieto.github.io/uacme/ ), it appears uacme supports dns-01 challenges and allows total flexibility by the --hook option, which calls an external script to accept, decline or set up the challenge environment.

If specified, uacme executes PROGRAM (a binary, a shell script or any file that can be executed by the operating system) for every challenge with the following 5 string arguments:

METHOD one of begin, done or failed.

begin is called at the beginning of the challenge. PROGRAM must return 0 to accept it. Any other return code declines the challenge. Neither done nor failed method calls are made for declined challenges.

done is called upon successful completion of an accepted challenge.

failed is called upon failure of an accepted challenge.

TYPE challenge type (for example dns-01 or http-01)

IDENT The identifier the challenge refers to

TOKEN The challenge token

AUTH The key authorization (for dns-01 already converted to the base64-encoded SHA256 digest format to be provisioned as _acme-challenge DNS TXT record).

mutinsa · Sun May 05, 2019 5:08 pm

SNTP Client from base package support this feature "out of box"

For NTP Client from ntp package this script may be temporary solution
https://github.com/mutin-sa/MT_ROS_Scri ... TP/ntp.txt

I've tried to search this topic, but I haven't found it (hope there are not any duplicates):

NTP Client - Possibility to use server name, not just IP address
exFAT (FAT64) or NTFS support - yes, MT is not NAS (it's slow), but it would be great to use file system capable of handling >4GB file complatible with Windows (you have HDD with big files and you want to share some files - you cannot connect it to MT, you have to reformat it to FAT32, copy everything except for big files back...)
Wireless - move Country and Distance setting to Simple Mode - you can set every other important "basic" setting in simple mode, but you have to switch to Advanced Mode for these two settings.
Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)

Sat May 11, 2019 12:54 am

Feature Request Client SSID dont-care on connect

First - this may sound like a bit of a strange ROS feature request , but this would be a very powerful feature that no other wireless company can offer at this time.

A bit of my background so that you understand my reasoning for this request :
- As a WISP (and fiber-to-the-home ISP), we have hundreds of Mikrotik APs and 1,000+ client Mikrotiks
- All APs use the same SSID
- All of our tower locations have multiple (dozens) of APs on each tower (all with the same SSID)
- Clients (nv2 Mikrotik clients) do not necessary connect to the strongest/best AP which may be facing in the direction of the client Mikrotik. As a result, we often have many many client Mikrotiks that are not connected to the best/strongest AP. This often results in everybody on that AP running a little slower because of the few clients that are connected with slower connect rates and higher wireless retries.

So , after more than 10+ years of hands-on experiencing clients often not connecting to the most preferred Mikrotik AP, I have a feature request to ask Mikrotik for …

Feature request #1
- A new SSID setting for Mikrotik wireless clients (802.11 & nv2 & nstream)
- A new optional setting on the client SSID that is a dont-care character.
- Where any AP SSID that matched the client SSID up to the dont-care character will qualify to an AP for the client to connect to.
-- Example ;
--- Client has a dont-care optional setting checked
--- The client dont-care character is a "#" character
--- The client SSID is configured at "WISP-something.com#"
--- The client sees multiple APs with these SSIDs: "WISP-something.com" and "WISP-something.com#" and "WISP-something.com#1" and "WISP-something.com#2" and "WISP-something.com#131" and "WISP-something.com#betty"
--- The Mikrotik client can connect to any SSID that starts with "WISP-something.com"

Feature request #2
- A new SSID setting for Mikrotik wireless clients ((802.11 & nv2 & nstream)
- A new option to configure Mikrotik clients to specify a preferred list of SSIDs to connect to.
- The 1st SSID selection is always the 1st SSID the client will try to connect to
- The 2nd SSID selection is only used when the client can not connect to the 1st selection
- The 3rd SSID selection is only used when the client can not connect to the 1st or 2nd selection
- The 4th SSID selection is only used when the client can not connect to the 1st or 2nd or 3rd selection.
--- Example of use , A Mikrotik Client with these optional settings:
--- 1st "WISP-something.com#2"
--- 2nd "WISP-something.com#betty"
--- 3rd "EISP-something.com#131"
--- 4th (last fall back SSID selection) "EISP-something.com#"

With feature both feature request ( 1 and 2 above ) , Mikrotik clients now have a preferred ordered connect SSID list. If the 1st and 2nd SSIDS are off-line, then the Mikrotik client will try to connect to the 3rd SSID selection in the list. If the first 3 preferred SSIDS are off-line, then the client Mikrotik can use the dont'care character and connect to any other matching SSIDs.

Something like this will surely help any WISP using Mikrotik products who have a large base of Mikrotik wireless devices.

With these 2 new requested features in Mikrotik ROS clients, a WISP can now; A - have some control as to what APs client Mikrotiks connect to & B - configure client load sharing on all WISP APs.

FYI - and yes I do know there is a connect-list feature that uses signal strength (for APs and clients) but that feature also has it's own other set of issues and problems.

North Idaho Tom Jones

muetzekoeln · Sat May 11, 2019 1:29 pm

Why use SSID for this? This may bring compatibilty problems. Wouldn't a preferred list of AP's (e.g. by address instead of SSID) on the client alone help with your issues? So no change on the AP side necessary.

pe1chl · Sat May 11, 2019 5:54 pm

And it is already available... you can make a connect list with different MAC addresses for the same SSID.

Mon May 13, 2019 5:38 pm

And it is already available... you can make a connect list with different MAC addresses for the same SSID.

Yea , using a connect list with MAC address could almost work (almost).

Using a MAC address connect method presents a management problem for all clients when an AP needs to be replaced or upgraded.
A change of an AP, can result in a different MAC address , which then can result if every wireless client needing to be re-configured.
Thus, if you have 300 clients connecting to a tower with more than one AP , then you can end up with 300 clients that need to be reconfigured/re-programmed.
I've been down this road many times in the past and it ain't pretty.

North Idaho Tom Jones

Mon May 13, 2019 5:42 pm

Why use SSID for this? This may bring compatibilty problems. Wouldn't a preferred list of AP's (e.g. by address instead of SSID) on the client alone help with your issues? So no change on the AP side necessary.

Re compatibility problems - that is the reason I stated optional setting. Default on an upgrade to a newer ROS with such a feature should be default Off.

faraujo88 · Mon May 13, 2019 5:54 pm

It would be great if dhcp-server has an option to set a queue limit to each lease, and remove when the guest got out, automatically.. or RouterOs already does that?

pe1chl · Mon May 13, 2019 7:31 pm

Thus, if you have 300 clients connecting to a tower with more than one AP , then you can end up with 300 clients that need to be reconfigured/re-programmed.
I've been down this road many times in the past and it ain't pretty.

When you have to manage 300 devices you should have some mechanism in place to support remote management.
It can be done with MikroTik. I have seen solutions for that presented at MUM events.
E.g. you make a scheduled job that runs once a day and attempts to download some file with a naming convention depending on the client, and when it exists it imports that file.
(it would be a good idea to have some version numbering so you can avoid re-running the same file every day after it has been already run once)

There should be more explicit support for that in the Dude.

Mon May 13, 2019 11:01 pm

Thus, if you have 300 clients connecting to a tower with more than one AP , then you can end up with 300 clients that need to be reconfigured/re-programmed.
I've been down this road many times in the past and it ain't pretty.
When you have to manage 300 devices you should have some mechanism in place to support remote management.
It can be done with MikroTik. I have seen solutions for that presented at MUM events.
E.g. you make a scheduled job that runs once a day and attempts to download some file with a naming convention depending on the client, and when it exists it imports that file.
(it would be a good idea to have some version numbering so you can avoid re-running the same file every day after it has been already run once)

There should be more explicit support for that in the Dude.

Re: … mechanism in place to support remote management …
I have my own custom scripts (Linux for-IPs-In-a-List.txt ssh/telnet send/expect) which work very well to bulk manage my client Mikrotiks.

Re: … good idea to have some version numbering so you can avoid re-running the same file …
My custom management scripts do this and much more

The problem with bulk management is configuring an algorithm which does two thing - 1; load share connected clients on APs and 2; define a set of client preferred APs to use when available.
With my two requested features, these new settings would only need to be performed when the client is installed.

The issue is that there is a whole bunch of Mikrotik admins that do not use Dude or custom scripts and only manage client Mikrotiks manually one-at-a-time.
With my suggestion, there would be no need for any type of bulk management (if any AP is replaced) if my two feature requests would be implemented in ROS.

itmethod · Tue May 14, 2019 1:52 am

Routeros openvpn server needs a way to push routes to the clients.

This is very much needed.

I have multiple clients windows and Linux. and need multiple usernames to have different routes pushed to them, as-well as a global route push. so I don't have to have seperate vpn servers. or multiple client config files and have to worry about user having right config file.

The current routes option in ROS is the iroute command for the ccd files. and it puts routes into the routers/servers routing table to the clients lan.

pe1chl · Tue May 14, 2019 11:00 am

The problem with bulk management is configuring an algorithm which does two thing - 1; load share connected clients on APs and 2; define a set of client preferred APs to use when available.

These issues are completely independent. You need a bulk management method to distrubute any configuration changes to your clients, but apparently you already have it.
Then you need to know WHAT you want to configure in your clients. I would say that is an application-specific problem that has to be adapted for your specific network.

The tools (e.g. connect list) are already there. You can load a connect list with a couple of MAC addresses and finally a generic SSID to connect. You should find your
clients online, and then maybe you need some form of remotely managed "scan" to know what network to connect.
This is not something you are going to solve with a complicated method such as you proposed. It will fail in some way, if not in your network then in someone else's who tries to use it.
Keep things simple and keep them in your own hands.

Tue May 14, 2019 10:14 pm

Frequency Usage - add more fields (counts & average)

Here is a suggestion - add some additional fields when performing a Frequency Usage
- Add a new field showing the Number-of-Usage-Hits for the current scan (per frequency)
- Add a new field showing the Peak-Usage-Strength for the current scan (per frequency)
- Add a new field showing the Average-Strength for the current scan (per frequency)
- Add a new field showing the total sum of Usage (per frequency)

With these additional Frequency-Usage fields, it would then be easy to run an extended length Frequency-Usage scan (Ooo say 15 minutes or so) then review the results to easily locate the least-used/most-available contiguous frequencies. Now the Mikrotik admin can add/configure APs to operate with frequencies/channels which have the least amount of background noise.

North Idaho Tom Jones

anuser · Thu May 16, 2019 4:09 pm

Reboot-Button within WinBox => CAPsMAN => Remote CAP, i.e. click on cap and simply reboot it.

jaceyk · Mon May 20, 2019 3:36 pm

The ability run traffic-generator with a single core on a multi-core device.

The reason is that multi-core Mikrotik routers don't seem to be able to detect Out-of-Order packets. The single-core routers that I've tried have no such problem.

Even though using a single core would bring the performance way down, it would still be sufficient for a sequence-error test.

I could test from one point to another with all cores to check bandwidth, and test again with one core sending 100mbps for 24 hours to check for reordering.

To be clear, I'm only speculating that the reason that CCRs can't see OoO packets with Traffic-Generator is because they're multi-cored. If that's wrong then my feature request is just to fix traffic-generator for CCRs.

stejjh · Thu May 23, 2019 8:14 am

I have seen this mentioned elsewhere but not here – add digest authentication support to fetch for http/https requests please

Thanks

J

neticted · Fri May 24, 2019 11:18 am

Using a MAC address connect method presents a management problem for all clients when an AP needs to be replaced or upgraded.
A change of an AP, can result in a different MAC address , which then can result if every wireless client needing to be re-configured.
Thus, if you have 300 clients connecting to a tower with more than one AP , then you can end up with 300 clients that need to be reconfigured/re-programmed.
I've been down this road many times in the past and it ain't pretty.

I had similar issue (although I do not run commercial ISP but community network). My solution was to use my own MAC addresses (invented for the purpose) for network adapters.That means, after I replace adapter, I set designated MAC for that AP and clients see no difference.

neticted · Fri May 24, 2019 11:43 am

I would like to propose some improvements in user interface of Winbox

- Allow changing order of columns in tabular view.

Now, order is fixed and it becomes quite cumbersome if you have to follow some columns that are last in the row and you do not have large enough screen. Allowing user to set order of columns would help him ordering columns due to current importance.

- Allow selecting visible columns (option Show Columns) in more user friendly manner.

Selecting columns that are visible is quite cumbersome on data that has lots of columns. User has to scroll down through the list to find columns, and when he selects column list is closed, so, for another column, you have to start adding from scratch.

Better solution would be that Select Columns is modal windows (dialog) which provides list of columns avoiding need for scrolling throuugh the list and with check boxes, so user can in single pass set or unset columns that he wants to be visible.

- Comments should be treated as any other column

Comments have different treatment comparing to other row data as they may be displayed in separate line (which is good). Sometimes it is more practical to see them as columns and there is option to set it but that setting lives only until Winbox is closed. On restart, columns are again displayed as separate line. I am not referring to global setting but for custom setting for specific table view.

It should be treated as ordinary column, meaning if user selects is to be visible as column it should stay that way.

- Some columns could be treated as comment

When comment is displayed not inline there is usually plenty of empty space where additional info could be shown. It would be good if we could have option to choose some columns that would be displayed in comment space. That would provide better space usage and improvement of user experience.

For example, when I set logging on firewall rule, it would be great if that information is visible in comment space.

- Allow customization of toolbar on main window

Every admin has set of options he frequently use and it would be good to have them easily accessible instead going through menus again and again. Make toolbar on main windows that can be customized in two ways:

1) user can simply set button that opens specified settings

2) user can set button that starts specified script

- Allow Hide Password option to be directly accessible

One that was option set on main window so user could simply check or uncheck password visibility. Now, that option is hidden in menu. That causes two user experience problems: option is hidden so user has to look for it through the menu, and password visibility status is not visible, meaning, user may leave password visibility inappropriately set to visible as he does not see option status.

In most occasions, password visibility is needed just temporarily and for very short time, so it is better user experience if it is possible to see status and change it quickly by simple click.

That option could be simply set as checkbox on far right on main windows toolbar as it used to be.

- Allow setting favorite connections

With large number of routers tabular list of saved router connections becomes cluttered. Grouping and notes do help sorting it out, but it would really help if user can set some connections that he needs frequently as favorites so he can have them easily accessible in some way (listed in separate tab or listed on top or some other method).

jo2jo · Sun May 26, 2019 11:42 pm

A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many many windows open in winbox , click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones

I would love to see this also. Often on lower end RBs people dont realize how much CPU load winbox/mgmt can have on the device. the more winbox windows open, the more updates that have to be sent, thus more CPU load (im talking in a single winbox session/window / connected to a single routerboard).

The suggestion from another user session-> close all windows , only occurs when you EXIT winbox (ie the next time you connect all windows will be closed). the new feature im looking for (and i think this user above too), is a button or menu option to close all windows in the current session, without exiting winbox. Often pressing ESC key will close some windows, but there are quite a few that ESC does not work on (like terminal windows, understandably).
thanks

pe1chl · Mon May 27, 2019 2:51 pm

A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many many windows open in winbox , click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
I would love to see this also.

Then why did you not notice the replies made to Tom that this feature is already available?

Chupaka · Mon May 27, 2019 7:02 pm

The suggestion from another user session-> close all windows , only occurs when you EXIT winbox (ie the next time you connect all windows will be closed).

wrong

jo2jo · Tue May 28, 2019 1:50 am

The suggestion from another user session-> close all windows , only occurs when you EXIT winbox (ie the next time you connect all windows will be closed).
wrong

oh wow, you are correct, choosing session-> close all windows , does infact accomplish this (wo existing the app). thanks!

moham96 · Thu Jun 13, 2019 2:51 pm

How about adding "use peer DNS" to the OVPN Client similar to other clients like PPPoE and dhcp client, right now when i establish a connection to the openvpn server I'm forced to have the advertised openvpn dns server, I can disable the dns server on the openvpn server but I would like other clients to have the vpn dns resolver and only one of my routers to disable peer dns

2019-06-13-142337_1020x512_scrot.png

pe1chl · Thu Jun 13, 2019 4:19 pm

It would be nice to have some feature to move an entire network with all its interface-related settings to another interface.
I.e. interface list, bridge port, IP/IPv6 addresses, dhcp client or server, firewall entries, and all other config that refers to an interface.
Use case: you want to move an internal network or the ISP link to another port or from a port to a bridge or a VLAN.
As a workaround it is of course possible to always use a bridge instead of directly attaching config to an interface, but you have to know that beforehand

luciano · Thu Jun 13, 2019 10:26 pm

Will be nice if Socks and Webproxy became individual packages. So we can disable and hardening the box.

Sob · Fri Jun 14, 2019 12:35 am

Both proxies are disabled by default, so they just take space in menu and little bit on disk, but that's it. Ability to uninstall them completely wouldn't change much, they already don't do anything if you don't enable them. I can understand that seeing some things in menu can annoy people for whatever reason (they don't use them, believe that they don't belong on router, ...). But there's a question if making everything separate package is really worth the effort.

pe1chl · Mon Jun 24, 2019 5:49 pm

Please add possibility to add "unknown" entries in the /ip dns static list.
This is useful especially with regexp entries like ".*\.168\.192\.in-addr\.arpa$" -> unknown.
(to avoid bombarding the upstream resolver with requests about rdns for local networks)

ivanfm · Tue Jun 25, 2019 5:27 pm

Hey, Mikrotik team!
Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
..and the possibility to set source address (e.g. remote ipsec hosts)

netwatch with option to set src-address will make easier to test connections on multi connection routers.

flyfinlander · Tue Jul 23, 2019 10:12 am

Can you please add the option in "IPSEC policy" to choose Dst. and Src. address from an IP list, not just one IP or range?

ekerlostw · Fri Jul 26, 2019 10:45 am

Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...

Jotne · Fri Jul 26, 2019 11:35 am

any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...

Can you post the command that fails? There may be a solution to test for poe interface before command is run.

pe1chl · Fri Jul 26, 2019 12:12 pm

any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...
Can you post the command that fails? There may be a solution to test for poe interface before command is run.

A workaround for this was already found in another topic.

mkx · Fri Jul 26, 2019 1:24 pm

Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...

I don't know how to script it, but possibility is available already: /interface print where type=pppoe-out

pe1chl · Fri Jul 26, 2019 1:47 pm

Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...
I don't know how to script it, but possibility is available already: /interface print where type=pppoe-out

pppoe has no relation to poe!

mkx · Fri Jul 26, 2019 1:51 pm

Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...
I don't know how to script it, but possibility is available already: /interface print where type=pppoe-out
pppoe has no relation to poe!

Aargh ... suits me for not being careful enough when reading

pe1chl · Sat Jul 27, 2019 11:04 am

Please allow for multiple DNS resolver instances (with independently configured external servers, static entries, and cache).
The current single DNS resolver could just be 1 item in a list, to which others can be added.
These resolvers could be tied to internal interfaces using an interface list or they could listen on one or more addresses specified in their entry, whatever is more convenient.

Reason: you may want to use a different DNS service, like OpenDNS or another DNS with filtering capabilities, for your guest network.
Or you may want to have LAN systems resolve via a local DNS resolver like Windows Server and have the guest network only use internet DNS.

msatter · Sat Jul 27, 2019 12:31 pm

Able to disable dynamic DNS servers when using an IKEv2 connection to a VPN provider as NordVPN. This to have only the manual entered DNS server receiving requests and no fallback to the dynamic provided DNS servers of the VPN provider.

msatter · Tue Aug 13, 2019 11:04 am

Using Address Lists not only with IP address and Domain Name but also with the ASN number.

Never found a way to block in routing incoming traffic using ASN and I had to fallback on generating my own Address List to filter those IP ranges out.

pe1chl · Tue Aug 13, 2019 11:14 am

The AS number is only directly available when the router has a full BGP routing table from internet.
When you are just connected using a static default route to internet (i.e. typical endpoint on a single ISP) the AS number is not available.
The cost to lookup the AS number is high to very high (depending if you use some special DNS service or the basic WHOIS method) so it cannot be done on every packet.
There would have to be a very clever cache of AS numbers corresponding to recent traffic, and it probably would work only when a dedicated service was set up for this purpose.
I know that a DNS service that can do this does exist, but I don't think they will be very happy when many MikroTik routers start using this for one out of 100 packets they receive.

Maybe for this special case where you want to block a certain AS number a special service could be setup that returns the subnets advertised by that AS number in the format required to load them into an address list. One of those people that sell blocklists here on the forum could do that, if they had BGP routing to internet (which I don't think they do right now).

msatter · Tue Aug 13, 2019 1:28 pm

Thanks pe1chl. I had yesterday some kind of only sync requests on ports 80 and 443 from serveral different AS numbers fom Dutch, Lituania, Ukrain and China sourced server/service providers.

I blocked in 12 hours almost 50 000 connections in RAW, now it is quiet again.

pe1chl · Tue Aug 13, 2019 7:34 pm

I have seen that as well. This is a DDoS amplification: those SYN packets are not really coming from the servers or even AS that you think, but they are spoofed by the DDoS operator.
The idea is that for every SYN they send to you, you will send a number of SYN ACK packets to the address that they spoofed, and thus to the addresses of that service provider.
As they do this for many websites the "return traffic" of unidentified SYN ACK packets to that provider can be large and be used as an attack, while the websites used in the amplification note little.
So the addresses you are trying to block are not the abusers but the victims. You might block legitimate visitors doing this, although it is unlikely.

It is not really necessary do do anything about this, it is not an attack on your system and as long as you don't send an unreasonable number of SYN ACK to an incoming SYN, your system should not be overwhelmed with traffic or lingering connections. If necessary you can reduce the number of retries, e.g. like this:

echo 2 > /proc/sys/net/ipv4/tcp_synack_retries

(to change the default from 5 to 2 in Linux)

Of course the REAL problem is that ISP's are not doing source address filtering. When everyone applied source address filters to the networks they host or serve to endusers, this attack would not be possible.

Fesiitis · Thu Aug 15, 2019 7:24 pm

I'm waiting for ike2 support for eap as responder. Hope this feature will be added soon, since support for this as initiator was added in v6.45.1 update.

ursy · Mon Aug 19, 2019 4:54 pm

RouterOS includes limited (S)NTP support for syncing clocks. For many applications (e.g. in telecoms and industry) more time precision is required. Protocol IEEE 1588-2008 (aka PTP, IEEE1588v2) is used for this. It would be a great benefit if Mikrotik devices would support IEEE 1588 and function as transparent clock, better yet boundary clock. Maybe some of the built-in switch chips already support for IEEE1588 timestamping in hardware.

You find some information about IEEE 1588 here:
https://www.endruntechnologies.com/pdf/PTP-1588.pdf
https://www.endace.com/ptp-timing-whitepaper

This forum already had some discussion about IEEE 1588:
viewtopic.php?f=1&t=70793&p=534801&hili ... 88#p534801
viewtopic.php?f=1&t=87471&p=465496&hili ... 88#p465496
viewtopic.php?f=1&t=79304&p=421858&hili ... 88#p421858
viewtopic.php?f=21&t=121198&p=605388&hilit=1588#p605388

Of course one has to have a grandmaster clock accessible to make use of IEEE 1588. Mikrotik devices only could transport PTP packets better, if supported.

Hello Muetzekoeln,

The topic is very interesting for me and I would need some clarifications from your topic:

1. Is any Mikrotik device supporting IEEE1588?
2. Is there any Mikrotik equipment which can be considered "transparent switch"? Im interested in particular about RB1100AH and heX-mini
If this is possible, then how can I enable this function?
3. When you are mentioning "IEEE1588 timestamping in hardware", you refer to a dedicated hardware inside of Mikrotik that can send sync packets or 1PPS output signal?
4. Can "Boundary Clock" be implement on Mikrotik?
5. How can I enable Mikrotik to transport PTP packets? Is this a default option? If yes, how the ptp packets are recognized/isolated?

Thank you in advance!

mkx · Mon Aug 19, 2019 5:15 pm

Answer to questions 1,2,4 and 5 is: No.

Variation of answer to question 2: most decent switches/routers are good enough as a (single?) step in otherwise fully IEEE1588-compliant path if they are lightly loaded so that delay jitter is really low. This way the additional constant delay due to active devices can be attributed to constant path delay (just think of it as being some 500km longer). Namely: the big thing about IEEE1588 (as compared to NTP) is to get around the delay jitter which kills precision of normal NTP. And delay jitter is there due to active devices doing buffering, not due to changing speed of light in fibre.

Answer to question 3 is: probably your understanding of IEEE1588 concept is not right. The Ptp-aware switches need HW support for timestamping ... because IEEE1588 requires very precise knowledge of delay imposed by device on PtP packet passing by. Which means the following steps done in hardware:

add ingress timestamp to a packet immediately after it is received by ingress port (before it hits any cache or processing queue)
get precise estimation of egress timestamp for that packet (which needs to take into account all remaining processing and cache waiting time)
calculate delay from the above timestamps and adjust the PtP header.

So to enable IEEE1588, device needs HW support for the timestamping and currently none of Mikrotik's gear has it (or it has it exposed).

And the procedures above have nothing to do with 1PPS.

pe1chl · Mon Aug 19, 2019 5:40 pm

The relevant question of course is: how often will it happen that installations with strict requirements like IEEE1588 will use equipment from MikroTik?
Will it lead to a lot of new sales when MikroTik switches do support IEEE1588?
IMHO there are LOTS of things missing from MikroTik switches, and IEEE1588 is only one of them.
It would require quite a lot of work to bring the switches up-to-par against enterprise switch offerings, and maybe it would not be very effective because it likely takes a lot of time before people that normally buy enterprise switches from the wellknown manufacturers would consider MikroTik as a less expensive but equally capable alternative.

ursy · Mon Aug 19, 2019 5:47 pm

Answer to questions 1,2,4 and 5 is: No.

Variation of answer to question 2: most decent switches/routers are good enough as a (single?) step in otherwise fully IEEE1588-compliant path if they are lightly loaded so that delay jitter is really low. This way the additional constant delay due to active devices can be attributed to constant path delay (just think of it as being some 500km longer). Namely: the big thing about IEEE1588 (as compared to NTP) is to get around the delay jitter which kills precision of normal NTP. And delay jitter is there due to active devices doing buffering, not due to changing speed of light in fibre.

Answer to question 3 is: probably your understanding of IEEE1588 concept is not right. The Ptp-aware switches need HW support for timestamping ... because IEEE1588 requires very precise knowledge of delay imposed by device on PtP packet passing by. Which means the following steps done in hardware:

add ingress timestamp to a packet immediately after it is received by ingress port (before it hits any cache or processing queue)

get precise estimation of egress timestamp for that packet (which needs to take into account all remaining processing and cache waiting time)

calculate delay from the above timestamps and adjust the PtP header.

So to enable IEEE1588, device needs HW support for the timestamping and currently none of Mikrotik's gear has it (or it has it exposed).

And the procedures above have nothing to do with 1PPS.

Thank you very much MKX,

Still I want to ask you about 1PPS signal.
1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?
2. I have a heX router (NTP client) which is synchronized to a RB1100AH (NTP server). Directly connected to heX, there is a gear who can generate/provide 1PPS signal. Can I combine the NTP clock and 1PPS signal to provide a precise clock for a different equipement, either mikrotik or any other brand?

Thank you again

mkx · Mon Aug 19, 2019 9:37 pm

Still I want to ask you about 1PPS signal.
1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?
2. I have a heX router (NTP client) which is synchronized to a RB1100AH (NTP server). Directly connected to heX, there is a gear who can generate/provide 1PPS signal. Can I combine the NTP clock and 1PPS signal to provide a precise clock for a different equipement, either mikrotik or any other brand?

1. No idea. If I have to choose, then I'd hesitantly choose a yes.
2. If you use NTP (which is the most precise timing protocol supported by mikrotik) to propagate the time, then I don't think you gain much by using 1PPS source ... Precission gain will have order of magnitude of milliseconds and that's also order of magnitude of precission obtainable using NTP over lightly congested IP connections.

pe1chl · Mon Aug 19, 2019 9:55 pm

2. If you use NTP (which is the most precise timing protocol supported by mikrotik) to propagate the time, then I don't think you gain much by using 1PPS source ... Precission gain will have order of magnitude of milliseconds and that's also order of magnitude of precission obtainable using NTP over lightly congested IP connections.

I have an application which requires accuracy of ~10us and I generally use NTP for "coarse" time (~1ms) and then connect 1PPS from a GPS receiver directly to the PC for the
accurate sync (using chrony).

mkx · Mon Aug 19, 2019 10:05 pm

2. If you use NTP (which is the most precise timing protocol supported by mikrotik) to propagate the time, then I don't think you gain much by using 1PPS source ... Precission gain will have order of magnitude of milliseconds and that's also order of magnitude of precission obtainable using NTP over lightly congested IP connections.
I have an application which requires accuracy of ~10us and I generally use NTP for "coarse" time (~1ms) and then connect 1PPS from a GPS receiver directly to the PC for the
accurate sync (using chrony).

That makes sense. I was wondering about combining NTP (for coarse estimation) with 1PPS (for precission) in a RB device and then propagating the time to "end users" via LAN but not using IEEE1588.

pe1chl · Mon Aug 19, 2019 11:21 pm

That is likely not accurate enough to achieve such results. I connect the 1PPS to the DCD input of an old-style RS232 port (with UART on the bus, not via USB) and I achieve jitter like 3-5us.
This is possible because the edge of the 1PPS pulse directly generates an interrupt in the UART, and in the interrupt handler the nanosecond timestamp is read and put in a queue for processing by the kernel.
Such results are difficult to achieve without similar timestamping on the network interface (as is required for IEEE1588).

ursy · Tue Aug 20, 2019 11:31 am

Hi PE1CHL,

I'm using also a NTP server in a hEX combined with an external 1PPS signal generator. The NTP client is a unix machine which is synchronized with the hEX NTP server and via internal bus is fetching 1PPS signal. I'm to calculate the jitter.
1. Is there a way to combine the NTP with 1PPS inside of any Mikrotik gears conducting to a very accurate clock, as @MKX was wondering?
2. With your topic you want to say that the accuracy difference NTP+1PPS versus IEEE1588 is insignificant?
3. If in the future I decide to use a PTP/IEEE1588 grandmaster server and broadcast/unicast the clock via a VLAN, will this process of tagging/untagging have a big impact on the accuracy of the clock?

Thank you!

ursy · Tue Aug 20, 2019 11:45 am

Still I want to ask you about 1PPS signal.
1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?
2. I have a heX router (NTP client) which is synchronized to a RB1100AH (NTP server). Directly connected to heX, there is a gear who can generate/provide 1PPS signal. Can I combine the NTP clock and 1PPS signal to provide a precise clock for a different equipement, either mikrotik or any other brand?
1. No idea. If I have to choose, then I'd hesitantly choose a yes.
2. If you use NTP (which is the most precise timing protocol supported by mikrotik) to propagate the time, then I don't think you gain much by using 1PPS source ... Precission gain will have order of magnitude of milliseconds and that's also order of magnitude of precission obtainable using NTP over lightly congested IP connections.

Hi Mkx,
I have the answer to the question:
"Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?"

According to wiki (https://wiki.mikrotik.com/wiki/Manual:System/GPS):
Note: The time is not stratum 1 as RouterBOARD devices do not have PPS implemented

mkx · Tue Aug 20, 2019 12:10 pm

1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?

1. No idea. If I have to choose, then I'd hesitantly choose a yes.

According to wiki (https://wiki.mikrotik.com/wiki/Manual:System/GPS):
Note: The time is not stratum 1 as RouterBOARD devices do not have PPS implemented

I knew that. The reason for my hesitation is this: many (but not all) GPS modules have 1PPS output enabled and then it's up to hardware and software implementation if that 1PPS signal is available/used or not. MT devices don't use 1PPS signal, but if GPS modules are general enough, they might have 1PPS signal available and it might be possible to make that signal available to some 3rd device (as in your use case). It would require hardware modification though.

pe1chl · Tue Aug 20, 2019 12:13 pm

Hi PE1CHL,

I have no practical experience with PTP. Some years ago I needed clocks on a couple of servers very accurately synced for a co-channel FM transmitter network we were building.
What I had available was professional GPSDOs with 10 MHz and 1 PPS output, and of course the network (which happens to be MikroTik-routed but that is not significant).
The GPSDOs were of different types. I wrote some software to get the current time out of them but some were so old that they could not provide correct date (due to GPS week rollover) and on some sites we did not own the GPSDO so we could only tap the 10 MHz and 1 PPS via distribution amplifiers and not the (usually RS232) time info.

So what I did was like this:
- install chrony on the involved servers (Linux of course, when you run Windows servers there is no point in all of this...)
- configure external time servers for the basic time synchronization to within 10ms (usually within 1ms).
- connect 1 PPS hardware signal to RS232 DCD input via a suitable pulse stretcher and line driver (not really required with all GPSDOs, some already deliver 100ms pulse which is fine)
- load "ldattach 18 /dev/ttyS0" to input the PPS signal to the kernel pps device
- configure "refclock PPS /dev/pps0 refid PPS" into chrony to use PPS signal

This results in chrony status like this:

MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
#* PPS                           0   4   377    16   +719ns[ +834ns] +/- 4782ns
^- lpk.pi2nos.ampr.org           1   9   377   104   +106us[ +111us] +/-  244us
^- pi2nos.ampr.org               1  10   377   672   +915us[ +938us] +/- 2275us
^- pi3goe.ampr.org               1  10   377   931    +95us[ +109us] +/- 5718us

So local PPS time distribution is simply as a discrete signal not via the network (PTP/IEEE1588). See it as a coax with BNC connectors running between the racks.
The majority of equipment is synchronized "just" with NTP, only the critical servers that control the transmitters (1 server per site) are wired up to the PPS.

mkx · Tue Aug 20, 2019 12:36 pm

2. With your topic you want to say that the accuracy difference NTP+1PPS versus IEEE1588 is insignificant?
3. If in the future I decide to use a PTP/IEEE1588 grandmaster server and broadcast/unicast the clock via a VLAN, will this process of tagging/untagging have a big impact on the accuracy of the clock?

2. In IEEE1588 deployment there are different profiles. Perhaps the most stringent profiles are ITU-T G.8275.1 and G.8275.2 Telecom Profiles, which require accuracy of under a micro-second. I don't think this kind of precision is possible using off-the-shelf hardware and external 1PPS source. Most of real-life implementations (e.g. LTE base station network) require less stringent synchronization with precision of 1-10 micro seconds and in such cases the "home brewn" 1PPS solution gives adequate results. One needs to beware that profile requirements are one thing while IEEE1588 network actual performance is another thing, usually elements of such network are performing even better as the profile requirements are about end-2-end performance (from master clock to client across all boundary clocks) and in worse-case scenario jitter of individual nodes on the path accumulates.

3. Process of tagging/untagging might add considerable jitter (if done in software as per bridge vlan filtering) or only slight jitter (if done by switch chip). But as mentioned before: all active gear under non-trivial load adds to jitter in RTT and the only way to eliminate that is that equipment adds highly precise information about delay of each individual PTP packet to packet itself ... PTP gear doesn't introduce lower jitter per-se, it just can measure the packet delay with high precission.

There's actually another NTP problem that PTP addresses: non-symmetrical path delay. NTP allows measuring round-trip-delay and client then can only assume that RTT is symmetrical (same in both directions) to set own absolute time. If the delay is not symmetrical (either due to asymmetrical connection speed/load with buffering or due to asymmetrical routing or any other reason), then this can cause some systematic offset in times. PTP is more or less broadcast solution where master clocks broadcast time, border clocks add delay information to those packets (both constant connection delay as well as dynamic "fly-by" delay) and clients can calculate accurate absolute time. Feedback from client to master clock is not strictly necessary.
In LAN environments, where link speeds are likely symmetrical and links are rarely congested, this NTP phenomenon is not a big problem.

killersoft · Thu Aug 22, 2019 9:12 am

Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.

Thu Aug 22, 2019 9:15 am

Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.

This is already done in v7

huntermic · Thu Aug 22, 2019 12:27 pm

Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7

There is no v7

msatter · Thu Aug 22, 2019 12:36 pm

Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7
There is no v7

There is as you can see at the top of this page:

BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)

huntermic · Thu Aug 22, 2019 12:42 pm

Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7
There is no v7

There is as you can see at the top of this page:

BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)

Yep, i missed that part...…

pe1chl · Thu Aug 22, 2019 4:33 pm

Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7

Maybe you can put a topic here of those features that are already done in v7?
Then it would be easy for people to check before making a request. And also keep us happier while we are waiting for it.

msatter · Thu Aug 22, 2019 5:41 pm

There is a page in the Wiki, which is empty, that could be used for feature request to be implement and implemented in v6 or v7:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

tclafoe · Wed Aug 28, 2019 7:24 pm

Hi,

for a project my routers need to contact a central server via https on a regular basis.
The tool "fetch" allows to verify the identiy of the server (" check-certificate").
All our routers for this project are equipped with individual certifcates.
So it would be possible for the central server to check the identiy of the requesting router - if only "fetch" would allow that.....
I guess the basic mechanisms are already there, as openvpn etc. allows that.
I also assume that "fetch" is something like the linux tools "curl" or "wget" under the hood - if that is correct, then it is probably not very difficult to implement this feature as both linux tools have it already available.

Greetings,
Lars

Magres · Thu Aug 29, 2019 12:52 pm

Please,

to \system reset-configuration add flag keep-certificates that let to keep all the certificates, CRL etc.

add the command :commit to commit all the changes to the flash, otherwise to discard changes after reboot

thanks

SiB · Thu Aug 29, 2019 1:00 pm

Please, to \system reset-configuration...

and if I provide with run-after-reset= aditional delay. Delay must be ~10second to all interfaces up and then run this .rsc script.

Currently to all backup-export's file I must use bash script to add first line with /delay 10s; to can use any backup-export into this feature.

asterisco · Thu Aug 29, 2019 2:09 pm

Hi Mtik developers,

Any chance in near release of WAP 60 radius autentication of STAs ? (not getting L1 if radius deny)

Thanks!
Antonio

muetzekoeln · Thu Aug 29, 2019 2:58 pm

add the command :commit to commit all the changes to the flash, otherwise to discard changes after reboot

+1

Have seen it in professional equipment before. Very useful!!

Chupaka · Thu Aug 29, 2019 3:28 pm

add the command :commit to commit all the changes to the flash, otherwise to discard changes after reboot
+1

Have seen it in professional equipment before. Very useful!!

Do you both know about Safe Mode?

SiB · Thu Aug 29, 2019 3:39 pm

And the https://wiki.mikrotik.com/wiki/Manual:Partitions is very great with a proper additional scheduler/script-ing.

muetzekoeln · Thu Aug 29, 2019 4:15 pm

Do you both know about Safe Mode?

Safe Mode is quite the opposite of the requested commit!

The idea is to collect all changes and apply them at once!

SiB · Thu Aug 29, 2019 4:39 pm

Safe Mode is quite the opposite of the requested commit!
The idea is to collect all changes and apply them at once!

https://wiki.mikrotik.com/wiki/Manual:P ... s#Commands => save-config-to

Chupaka · Thu Aug 29, 2019 4:52 pm

The idea is to collect all changes and apply them at once!

{
command1
command2
...
commandN
}

Magres · Fri Aug 30, 2019 12:40 pm

Do you both know about Safe Mode?

Safe mode is quite restricted and rather a winbox feature than something universal. The suggested commit command could be considered as an universal extension to safe mode, e.g. :safe for starting safe mode and :commit for writing changes to the persistant memory and :reject respectively.

Chupaka · Fri Aug 30, 2019 1:40 pm

Safe mode is quite restricted and rather a winbox feature than something universal.

Huh?..

The suggested commit command could be considered as an universal extension to safe mode, e.g. :safe for starting safe mode

Ctrl+X

and :commit for writing changes to the persistant memory

Ctrl+X again

and :reject respectively.

Ctrl+D

Magres · Fri Aug 30, 2019 1:47 pm

Safe mode is quite restricted and rather a winbox feature than something universal.
Huh?..

The suggested commit command could be considered as an universal extension to safe mode, e.g. :safe for starting safe mode
Ctrl+X

and :commit for writing changes to the persistant memory
Ctrl+X again

and :reject respectively.
Ctrl+D

and what about ansible + ssh ?

pe1chl · Fri Aug 30, 2019 2:11 pm

and :commit for writing changes to the persistant memory
Ctrl+X again

There is a difference in philosophy. In RouterOS you can use "safe mode" to make some changes and they will be rolled back when you lose the connection.
I'm not sure what happens with the changes when you powercycle the router halfway.
In some other equipment any change that you make is only made in memory and there is a separate command like "save" or "write" to
write all changes you made in memory back to the nonvolatile memory device. A powercycle before that will reset all configuration to what it was
when you last saved it. Commands exist to reboot the device (to its last saved configuration) after some elapsed time.
So you can work on the device for a time interval you choose yourself, and when you lose connection you wait until the interval elapses and you
get your connection back with the last saved settings. During your work you can disconnect, it will not affect this thing.

Advantage: you can work e.g. on VPN settings that result in disconnect/reconnect which is not possible in RouterOS "safe mode".
Disadvantage: there is always the risk that you forget to save some change, and months later, when the power is cycled, you suddenly find
yourself back at an older configuration. Of course when you work regularly with such devices you have it wired in your fingers to always type
"write mem" or "save" or click some button whenever you have changed something. But for MikroTik users such a change would be major
and would certainly lead to some frustration and misunderstanding.

There is also another model where you can batch up some changes and then you "apply" them all in one transaction. That is similar to the { commands }
construct in RouterOS. However this is not available in GUI modes (winbox/webfig).

Chupaka · Fri Aug 30, 2019 2:36 pm

and what about ansible + ssh ?

What's wrong with ansible + ssh?

Magres · Fri Aug 30, 2019 4:09 pm

and what about ansible + ssh ?
What's wrong with ansible + ssh?

It's not obvious to send CTRL+_ commands over ssh
While reconfiguring routeros the ssh session could be broken and all the changes will be discarded due to safe mode.

Chupaka · Fri Aug 30, 2019 5:15 pm

It's not obvious to send CTRL+_ commands over ssh

Yeah, reading the docs is kind of requirement...

While reconfiguring routeros the ssh session could be broken and all the changes will be discarded due to safe mode.

Is it what you expect or what you're afraid of? Because it's like this by design: if you broke access 'forever', it will be rolled back. But generally ssh is quite tolerant to network instability.

pe1chl · Fri Aug 30, 2019 5:41 pm

Is it what you expect or what you're afraid of? Because it's like this by design: if you broke access 'forever', it will be rolled back. But generally ssh is quite tolerant to network instability.

Well, it is certainly a weak point in the RouterOS "safe mode" that it immediately rolls back all changes upon any disconnect, without some form of timeout.
I have experienced a couple of times that I could not complete a change without disconnect/re-connect and so was unable to use "safe mode".
Fortunately RouterOS often allows things that other systems don't, so it is possible to o through the steps required without much risk of a permanent lockout.

Still I think it would be useful to have some more where all changes are only made in memory and are not saved until that mode is left, independent of disconnection.
You could setup a scheduled job to do a reboot, then set memory-mode and make your changes and test them, and when everything is fine you save the changes
and remove the job. When you get locked out the job reboots the router and it falls back to previously saved configuration.

Chupaka · Fri Aug 30, 2019 6:51 pm

Well, for now you can do a backup and setup a scheduler job to restore that backup, right?