> In "queue tree" please provide the option of specifying limit-at and max-limit as a percentage of the limit on the next higher layer.
> When the value of the limit in the parent item changes, automatically re-calculate the values specified by percentage.

+1
> Please add temperature and voltage to the dashboard of the Winbox.
> Often it is necessary to monitor the parameters and the location on the dashboard would simplify this at times.
> [attachment: winbox upg.jpg]

Now that you mention this, what about being able to personalize the parameters being shown on the dashboard? It would be useful to use a script to show any value or calculation.
> I would like to receive SNMP traps when WiFi client registration occurs...
> for example:
> [WIRELESS]--Association:11G STA 80:b0:3d:xx:xx:xx associated with WLAN1 SSID = Mikrotik
> It's very useful for smart home automation scenarios

You could replicate this with logging and a syslog (remote) logging server. Bit of a workaround.
> I would like to receive SNMP traps when WiFi client registration occurs...

As joegoldman writes, syslog is your friend. Look at the project in my signature using Splunk to monitor Mikrotik.

    2019-01-24 08:48:09 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -45
    2019-01-24 08:36:55 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -43
    2019-01-24 07:51:17 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -39
    2019-01-23 10:05:08 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -32
winbox: please have some feature to set (or completely disable) the live update interval of pages that show counters etc.
A simple yet I think important request: provide IPv6 out of the box. This really requires a package to be present and some default firewall & stateless configuration enabled. I don't see the reason why in 2019 they are shipped with IPv4 only where even cheap consumer routers are IPv6 enabled OOB.
A request:
Please create a 2g/3g/4g high gain antenna (dual chain). mANT LTE 5o is very little.
> (...) user has to perform factory reset to get decent configuration as starting point - but losing whatever already done in other parts (IPv4, wlan, VLAN, ...).

Actually you can do that after installing the IPv6 package, and you will get the default config with the IPv6 related stuff:

    /system default-configuration print file=default-cfg

> Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)

Why do you think so? Did they say something (even unofficially)?

> Why do you think so? Did they say something (even unofficially)?

I think so, because NO development of these components has appeared aside from some minor bug fixes, for several years.
We started renting Mikrotik routers to our customers as a basic managed WiFi solution and one thing that any ISP will run into with this type of setup is the customer hitting the damn reset button.
We'd love a way to change the default configuration that doesn't involve netinstall. It's extremely tedious to have someone sit there and netinstall a stack of routers with our custom configuration. There needs to be a better way! Mikrotiks are so close to being perfect for deploying as managed wifi.
To go with that, a basic TR-069 ACS able to run on RouterOS, like Dude or Userman, would be very useful. As long as it can handle applying configurations, setting wifi info and PPPoE logins, it will get people most of the way there. Monitoring bandwidth, latency and WiFi stats would also be useful.
> It would be convenient for CAPsMAN and DHCP to log not only the MAC address but also the HOSTNAME if it is known.
> Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

+infinity, agree with that. Why can the logs not log the hostname/comment if it is there? It is very annoying to see/debug: mac abc123 connected, mac abc123 disconnected.

> It would be convenient for CAPsMAN and DHCP to log not only the MAC address but also the HOSTNAME if it is known.
> Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

DHCP server lease script can help you:

    # set as lease-script on /ip dhcp-server; the server runs it on every lease event
    # with leaseBound=1 when a lease is bound and leaseBound=0 when it is released
    :local leaseHostName;
    :if ($leaseBound = 1) do={
        :set leaseHostName $"lease-hostname";
        :log info ("DHCP server: $leaseServerName => MAC: $leaseActMAC => IP: $leaseActIP => Host Name: " . $leaseHostName);
    };
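The two requests above (wireless registration events via syslog, and logging a hostname next to the MAC) meet on the syslog server. The following is an added example, not code from this thread or from MikroTik: it parses RouterOS "wireless,info" lines in the format posted above, enriches each station MAC with a hostname from a MAC-to-hostname table (for instance exported from the DHCP lease list that the lease script logs), and flags stations that connected without being in that table. The log lines, the lease table and the MACs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: RouterOS "wireless,info" lines as they arrive at a
# remote syslog server, in the format of the lines posted above, plus one
# unrelated "dhcp,info" line that the parser must ignore. MACs are made up.
SAMPLE_LOG = """\
2019-01-24 08:48:09 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -45
2019-01-24 08:50:12 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: disconnected, received deauth: sending station leaving (3)
2019-01-24 09:01:33 wireless,info MikroTik: DE:AD:BE:EF:00:01@wlan1: connected, signal strength -70
2019-01-24 09:02:00 dhcp,info MikroTik: dhcp1 assigned 192.168.88.20 to 04:79:70:A9:B1:B3
"""

# Constructed MAC -> hostname table, e.g. collected from what the lease script
# above logs on every bind.
SAMPLE_LEASES: Dict[str, str] = {"04:79:70:A9:B1:B3": "living-room-tv"}


@dataclass
class WirelessEvent:
    ts: str
    router: str
    mac: str
    iface: str
    state: str               # "connected" or "disconnected"
    signal: Optional[int]    # dBm, only present on "connected" lines
    detail: str              # rest of the message (reason text, signal, ...)
    hostname: Optional[str]  # from the lease table, None if unknown


LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) wireless,info (?P<router>\S+): "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})@(?P<iface>[^:\s]+): "
    r"(?P<state>connected|disconnected)(?:, (?P<detail>.*))?$"
)
SIGNAL_RE = re.compile(r"signal strength (-?\d+)")


def parse_line(line: str, leases: Dict[str, str]) -> Optional[WirelessEvent]:
    """Parse one syslog line; returns None for lines that are not wireless events."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    detail = m.group("detail") or ""
    sig = SIGNAL_RE.search(detail)
    mac = m.group("mac").upper()
    return WirelessEvent(
        ts=m.group("ts"),
        router=m.group("router"),
        mac=mac,
        iface=m.group("iface"),
        state=m.group("state"),
        signal=int(sig.group(1)) if sig else None,
        detail=detail,
        hostname=leases.get(mac),
    )


def parse_log(text: str, leases: Dict[str, str]) -> List[WirelessEvent]:
    events = []
    for line in text.splitlines():
        ev = parse_line(line, leases)
        if ev is not None:
            events.append(ev)
    return events


def unknown_clients(events: List[WirelessEvent], known_macs: Set[str]) -> List[WirelessEvent]:
    """Detection rule: a station that connected but is not in the known-MAC set."""
    return [e for e in events if e.state == "connected" and e.mac not in known_macs]


def render(ev: WirelessEvent) -> str:
    """One-line form with the hostname next to the MAC, as the request above asks for."""
    who = f"{ev.mac} ({ev.hostname})" if ev.hostname else f"{ev.mac} (unknown host)"
    sig = f" {ev.signal} dBm" if ev.signal is not None else ""
    return f"{ev.ts} {ev.router} {ev.iface} {ev.state} {who}{sig}"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG, SAMPLE_LEASES)
    for ev in evs:
        print(render(ev))
    for ev in unknown_clients(evs, set(SAMPLE_LEASES)):
        print("ALERT unknown station:", render(ev))
```

The MAC is normalised to upper case before the lookup because RouterOS prints it that way in the wireless log while lease exports and hand-edited tables often do not; a case mismatch there silently turns every known device into an "unknown host".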
> Mikrotik's wireless nv2 protocol (a version of TDMA) currently does not use encryption (I think I am correct here …).

https://wiki.mikrotik.com/wiki/Manual:N ... v2_network
> Can we get standard 802.11s support?

+1
> For more security, automatically logging out after the SSH session was idle e.g. for 10 minutes would be great!

I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue), and frankly I don't see how that adds any security. Maybe a little more for telnet where you conceivably could take over the open session when you are at an intermediate router, but for SSH that does not work.

> I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue), and frankly I don't see how that adds any security.

SSH forwarding introduces a session takeover scenario, so there is security value in this feature (which is why other vendors implement it). Perhaps a default of 1h or never is better.
The topic is marked as "Solved"
IEEE1588 and SyncE would be great, but requires specific support in hardware level
> > Can we get standard 802.11s support?
> +1

Also +1. 802.11s would be useful to mesh for example with OpenWRT based devices (some of which may be routerboards).
[...]
Please implement mesh protocols compatible with non-RouterOS devices!
> A feature I would like to see in Winbox is a new selection to close all winbox windows
> Example - many many windows open in winbox, click close-all and presto they all close and you still have your connected winbox session
> North Idaho Tom Jones

Isn't it the existing Session -> Close Windows?

> Isn't it the existing Session -> Close Windows?

Hmmm, yea I know if I exit my winbox to a remote Mikrotik then all the sessions associated with that winbox connection close.

> Hmmm, yea I know if I exit my winbox to a remote Mikrotik then all the sessions associated with that winbox connection close.

Or I'm not understanding you... or for sure it is the existing option "Session->Close All Windows". It closes all the windows without disconnecting the winbox session. Please, check it.

> Or I'm not understanding you... or for sure it is the existing option "Session->Close All Windows". It closes all the windows without disconnecting the winbox session. Please, check it.

OOooo
> So, a feature request for RouterOS, formal, flexible port knocking.
> Knocking should allow any combination and order of ports and protocols, up to N layers deep.

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).

> I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).

Kids control.
Dear Mikrotik, what about automatic certificates from Let's Encrypt?
> I'm sure that MikroTik can easily write their own ACME client. But it's even more important how it should fit into RouterOS and work for as many scenarios as possible.
> For example, maybe you just want a certificate for https WebFig (or SSTP server). Sounds easy, right? There's already a webserver on the router, so simple http-01 validation can be used. But what if you don't want or can't open port 80 (AFAIK http-01 always starts with plain http on standard port 80)? It would be the case on at least half of routers where I'd like to use Let's Encrypt certificates, because there's typically only one public address and standard http(s) ports are already forwarded to some internal webserver. There would have to be support for dns-01 validation and it has different problems too.
> I think it's doable, I tried some suggestions in the Support for ACME/Let's Encrypt certificate management thread, but so far it doesn't look like anyone from MikroTik thought "oh yes, it's super-awesome, we need to have that!" Maybe try to invent some other foolproof plan that will finally convince them.

From the manual page (https://ndilieto.github.io/uacme/ ), it appears uacme supports dns-01 challenges and allows total flexibility by the --hook option, which calls an external script to accept, decline or set up the challenge environment.

If specified, uacme executes PROGRAM (a binary, a shell script or any file that can be executed by the operating system) for every challenge with the following 5 string arguments:
METHOD: one of begin, done or failed.
    begin is called at the beginning of the challenge. PROGRAM must return 0 to accept it. Any other return code declines the challenge. Neither done nor failed method calls are made for declined challenges.
    done is called upon successful completion of an accepted challenge.
    failed is called upon failure of an accepted challenge.
TYPE: challenge type (for example dns-01 or http-01)
IDENT: the identifier the challenge refers to
TOKEN: the challenge token
AUTH: the key authorization (for dns-01 already converted to the base64-encoded SHA256 digest format to be provisioned as _acme-challenge DNS TXT record).
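What the hook receives as AUTH is derived from the account key and the token, and it is worth seeing that derivation once to know what a dns-01 TXT record and an http-01 response body actually contain. The following is an added example, not code from uacme or from this thread: it computes the RFC 7638 key thumbprint, the key authorization (token.thumbprint, the http-01 body) and the dns-01 TXT value (base64url of its SHA-256), and it interprets the five hook arguments quoted above, declining a token that is not in the base64url alphabet so that it can never become a path component. The account key values and the token are constructed and are not a real key.

```python
import base64
import hashlib
import json
import re
import sys
from typing import Dict, Sequence, Tuple

# Constructed ACME account key (public part only; the coordinates are arbitrary
# base64url strings, not a real key). A real hook would load the key uacme uses.
SAMPLE_JWK: Dict[str, str] = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the *required*
    public members only (sorted keys, no whitespace). Extra members such as
    "kid" or a private "d" must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. This is the http-01 response body."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)); this is what
    uacme already passes as AUTH for dns-01 and what goes into the TXT record."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def plan_challenge(args: Sequence[str]) -> Tuple[str, str, str]:
    """Interpret the five hook arguments (METHOD TYPE IDENT TOKEN AUTH) and return
    (method, where, what): for dns-01 the TXT record name and value, for http-01
    the URL path and file body. Raises ValueError when the hook should decline."""
    if len(args) != 5:
        raise ValueError("expected METHOD TYPE IDENT TOKEN AUTH")
    method, ctype, ident, token, auth = args
    if method not in ("begin", "done", "failed"):
        raise ValueError(f"unknown method {method!r}")
    # TOKEN ends up in a file name for http-01: insist on the base64url alphabet
    # so that "../" or "/" can never reach the filesystem.
    if not TOKEN_RE.match(token):
        raise ValueError("token outside base64url alphabet")
    if ctype == "dns-01":
        return (method, f"_acme-challenge.{ident}", auth)
    if ctype == "http-01":
        return (method, f"/.well-known/acme-challenge/{token}", auth)
    raise ValueError(f"unsupported challenge type {ctype!r}")


if __name__ == "__main__":
    # Hook entry point: exit 0 accepts the challenge, anything else declines it.
    try:
        method, where, what = plan_challenge(sys.argv[1:])
    except ValueError as exc:
        print(f"decline: {exc}", file=sys.stderr)
        sys.exit(1)
    # A real hook would create or remove the record or file here; this one reports.
    print(f"{method}: provision {where} -> {what}")
```

Run as `python3 hook.py begin dns-01 example.com <token> <auth>` it prints the record to provision and exits 0; on "done" or "failed" the same arguments arrive again so the record can be removed. The thumbprint deliberately ignores members outside the required set, which is why an account key exported with a "kid" or alongside its private "d" still yields the same key authorization.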
I've tried to search this topic, but I haven't found it (hope there are not any duplicates):
NTP Client - Possibility to use server name, not just IP address
exFAT (FAT64) or NTFS support - yes, MT is not NAS (it's slow), but it would be great to use file system capable of handling >4GB file compatible with Windows (you have HDD with big files and you want to share some files - you cannot connect it to MT, you have to reformat it to FAT32, copy everything except for big files back...)
Wireless - move Country and Distance setting to Simple Mode - you can set every other important "basic" setting in simple mode, but you have to switch to Advanced Mode for these two settings.
Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)
> And it is already available... you can make a connect list with different MAC addresses for the same SSID.

Yea, using a connect list with MAC address could almost work (almost).

> Why use SSID for this? This may bring compatibility problems. Wouldn't a preferred list of AP's (e.g. by address instead of SSID) on the client alone help with your issues? So no change on the AP side necessary.

Re compatibility problems - that is the reason I stated optional setting. Default on an upgrade to a newer ROS with such a feature should be default Off.

> Thus, if you have 300 clients connecting to a tower with more than one AP, then you can end up with 300 clients that need to be reconfigured/re-programmed.
> I've been down this road many times in the past and it ain't pretty.

When you have to manage 300 devices you should have some mechanism in place to support remote management.

> When you have to manage 300 devices you should have some mechanism in place to support remote management.

Re: … mechanism in place to support remote management …

It can be done with MikroTik. I have seen solutions for that presented at MUM events.
E.g. you make a scheduled job that runs once a day and attempts to download some file with a naming convention depending on the client, and when it exists it imports that file.
(it would be a good idea to have some version numbering so you can avoid re-running the same file every day after it has been already run once)
There should be more explicit support for that in the Dude.

> Routeros openvpn server needs a way to push routes to the clients.

This is very much needed.

> The problem with bulk management is configuring an algorithm which does two things - 1; load share connected clients on APs and 2; define a set of client preferred APs to use when available.

These issues are completely independent. You need a bulk management method to distribute any configuration changes to your clients, but apparently you already have it.

> Using a MAC address connect method presents a management problem for all clients when an AP needs to be replaced or upgraded.
> A change of an AP can result in a different MAC address, which then can result in every wireless client needing to be re-configured.
> Thus, if you have 300 clients connecting to a tower with more than one AP, then you can end up with 300 clients that need to be reconfigured/re-programmed.
> I've been down this road many times in the past and it ain't pretty.

I had similar issue (although I do not run commercial ISP but community network). My solution was to use my own MAC addresses (invented for the purpose) for network adapters. That means, after I replace adapter, I set designated MAC for that AP and clients see no difference.
> A feature I would like to see in Winbox is a new selection to close all winbox windows

I would love to see this also. Often on lower end RBs people don't realize how much CPU load winbox/mgmt can have on the device. The more winbox windows open, the more updates that have to be sent, thus more CPU load (I'm talking in a single winbox session/window, connected to a single routerboard).

> I would love to see this also.

Then why did you not notice the replies made to Tom that this feature is already available?

> The suggestion from another user session-> close all windows, only occurs when you EXIT winbox (ie the next time you connect all windows will be closed).

wrong

> wrong

oh wow, you are correct, choosing session-> close all windows does in fact accomplish this (without exiting the app). thanks!
> Hey, Mikrotik team!
> Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
> It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

> and the possibility to set source address (e.g. remote ipsec hosts)

netwatch with option to set src-address will make it easier to test connections on multi connection routers...
> Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...

> Can you post the command that fails? There may be a solution to test for poe interface before command is run.

A workaround for this was already found in another topic.

> I don't know how to script it, but possibility is available already: /interface print where type=pppoe-out

pppoe has no relation to poe!

> pppoe has no relation to poe!

Aargh ... suits me for not being careful enough when reading.
> RouterOS includes limited (S)NTP support for syncing clocks. For many applications (e.g. in telecoms and industry) more time precision is required. Protocol IEEE 1588-2008 (aka PTP, IEEE1588v2) is used for this. It would be a great benefit if Mikrotik devices would support IEEE 1588 and function as transparent clock, better yet boundary clock. Maybe some of the built-in switch chips already have support for IEEE1588 timestamping in hardware.
> You find some information about IEEE 1588 here:
> https://www.endruntechnologies.com/pdf/PTP-1588.pdf
> https://www.endace.com/ptp-timing-whitepaper
> This forum already had some discussion about IEEE 1588:
> viewtopic.php?f=1&t=70793&p=534801&hili ... 88#p534801
> viewtopic.php?f=1&t=87471&p=465496&hili ... 88#p465496
> viewtopic.php?f=1&t=79304&p=421858&hili ... 88#p421858
> viewtopic.php?f=21&t=121198&p=605388&hilit=1588#p605388
> Of course one has to have a grandmaster clock accessible to make use of IEEE 1588. Mikrotik devices only could transport PTP packets better, if supported.

Hello Muetzekoeln,
> Answer to questions 1,2,4 and 5 is: No.
> Variation of answer to question 2: most decent switches/routers are good enough as a (single?) step in otherwise fully IEEE1588-compliant path if they are lightly loaded so that delay jitter is really low. This way the additional constant delay due to active devices can be attributed to constant path delay (just think of it as being some 500km longer). Namely: the big thing about IEEE1588 (as compared to NTP) is to get around the delay jitter which kills precision of normal NTP. And delay jitter is there due to active devices doing buffering, not due to changing speed of light in fibre.
> Answer to question 3 is: probably your understanding of IEEE1588 concept is not right. The PTP-aware switches need HW support for timestamping ... because IEEE1588 requires very precise knowledge of delay imposed by device on PTP packet passing by. Which means the following steps done in hardware:
> - add ingress timestamp to a packet immediately after it is received by ingress port (before it hits any cache or processing queue)
> - get precise estimation of egress timestamp for that packet (which needs to take into account all remaining processing and cache waiting time)
> - calculate delay from the above timestamps and adjust the PTP header.
> So to enable IEEE1588, device needs HW support for the timestamping and currently none of Mikrotik's gear has it (or it has it exposed).
> And the procedures above have nothing to do with 1PPS.

Thank you very much MKX,
> Still I want to ask you about 1PPS signal.
> 1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?
> 2. I have a heX router (NTP client) which is synchronized to a RB1100AH (NTP server). Directly connected to heX, there is a gear which can generate/provide 1PPS signal. Can I combine the NTP clock and 1PPS signal to provide a precise clock for a different equipment, either mikrotik or any other brand?

1. No idea. If I have to choose, then I'd hesitantly choose a yes.
2. If you use NTP (which is the most precise timing protocol supported by mikrotik) to propagate the time, then I don't think you gain much by using 1PPS source ... Precision gain will have order of magnitude of milliseconds and that's also order of magnitude of precision obtainable using NTP over lightly congested IP connections.

> 2. If you use NTP (which is the most precise timing protocol supported by mikrotik) to propagate the time, then I don't think you gain much by using 1PPS source ... Precision gain will have order of magnitude of milliseconds and that's also order of magnitude of precision obtainable using NTP over lightly congested IP connections.

I have an application which requires accuracy of ~10us and I generally use NTP for "coarse" time (~1ms) and then connect 1PPS from a GPS receiver directly to the PC for the accurate sync (using chrony).

> I have an application which requires accuracy of ~10us and I generally use NTP for "coarse" time (~1ms) and then connect 1PPS from a GPS receiver directly to the PC for the accurate sync (using chrony).

That makes sense. I was wondering about combining NTP (for coarse estimation) with 1PPS (for precision) in a RB device and then propagating the time to "end users" via LAN but not using IEEE1588.

Hi Mkx,

> 1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?
> 1. No idea. If I have to choose, then I'd hesitantly choose a yes.

According to wiki (https://wiki.mikrotik.com/wiki/Manual:System/GPS):
Note: The time is not stratum 1 as RouterBOARD devices do not have PPS implemented

> Hi PE1CHL,
> 2. With your topic you want to say that the accuracy difference NTP+1PPS versus IEEE1588 is insignificant?
> 3. If in the future I decide to use a PTP/IEEE1588 grandmaster server and broadcast/unicast the clock via a VLAN, will this process of tagging/untagging have a big impact on the accuracy of the clock?

I have no practical experience with PTP. Some years ago I needed clocks on a couple of servers very accurately synced for a co-channel FM transmitter network we were building.

    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    #* PPS                           0   4   377    16   +719ns[ +834ns] +/- 4782ns
    ^- lpk.pi2nos.ampr.org           1   9   377   104   +106us[ +111us] +/-  244us
    ^- pi2nos.ampr.org               1  10   377   672   +915us[ +938us] +/- 2275us
    ^- pi3goe.ampr.org               1  10   377   931    +95us[ +109us] +/- 5718us
> Please add IEEE 802.1AE AKA MACsec to Router & SwitchOS.

This is already done in v7

> This is already done in v7

There is no v7

> There is no v7

There is, as you can see at the top of this page:
BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)

> This is already done in v7

Maybe you can put a topic here of those features that are already done in v7?
> Please, to /system reset-configuration...

and if I provide with run-after-reset= additional delay. Delay must be ~10 seconds for all interfaces to be up and then run this .rsc script.
> add the command :commit to commit all the changes to the flash, otherwise to discard changes after reboot

+1
Have seen it in professional equipment before. Very useful!!

> +1

Do you both know about Safe Mode?

> Do you both know about Safe Mode?

Safe Mode is quite the opposite of the requested commit!
The idea is to collect all changes and apply them at once!

> Safe Mode is quite the opposite of the requested commit!
> The idea is to collect all changes and apply them at once!

https://wiki.mikrotik.com/wiki/Manual:P ... s#Commands => save-config-to

    {
    command1
    command2
    ...
    commandN
    }

> Do you both know about Safe Mode?

Safe mode is quite restricted and rather a winbox feature than something universal. The suggested commit command could be considered as a universal extension to safe mode, e.g. :safe for starting safe mode and :commit for writing changes to the persistent memory and :reject respectively.

> Safe mode is quite restricted and rather a winbox feature than something universal.

Huh?..

> The suggested commit command could be considered as a universal extension to safe mode, e.g. :safe for starting safe mode

Ctrl+X

> and :commit for writing changes to the persistent memory

Ctrl+X again

> and :reject respectively.

Ctrl+D

> Huh?..

and what about ansible + ssh ?

> > and :commit for writing changes to the persistent memory
> Ctrl+X again

There is a difference in philosophy. In RouterOS you can use "safe mode" to make some changes and they will be rolled back when you lose the connection.

> and what about ansible + ssh ?

What's wrong with ansible + ssh?

> What's wrong with ansible + ssh?

It's not obvious to send CTRL+_ commands over ssh

> It's not obvious to send CTRL+_ commands over ssh

Yeah, reading the docs is kind of requirement...

> While reconfiguring routeros the ssh session could be broken and all the changes will be discarded due to safe mode.

Is it what you expect or what you're afraid of? Because it's like this by design: if you broke access 'forever', it will be rolled back. But generally ssh is quite tolerant to network instability.
We need to have the possibility to set the parameters GPON password and GPON serial number in MikroTik RouterOS to authenticate in ISP OLT
> Please add hashlimit: http://ipset.netfilter.org/iptables-extensions.man.html

Isn't "dst-limit" what you're looking for?
> Is it what you expect or what you're afraid of? Because it's like this by design: if you broke access 'forever', it will be rolled back. But generally ssh is quite tolerant to network instability.

Well, it is certainly a weak point in the RouterOS "safe mode" that it immediately rolls back all changes upon any disconnect, without some form of timeout.
I have experienced a couple of times that I could not complete a change without disconnect/re-connect and so was unable to use "safe mode".
Fortunately RouterOS often allows things that other systems don't, so it is possible to go through the steps required without much risk of a permanent lockout.
Still I think it would be useful to have some mode where all changes are only made in memory and are not saved until that mode is left, independent of disconnection.
You could set up a scheduled job to do a reboot, then set memory-mode and make your changes and test them, and when everything is fine you save the changes and remove the job. When you get locked out the job reboots the router and it falls back to the previously saved configuration.
> IEEE1588 and SyncE would be great, but requires specific support in hardware level

I would like to bump this, since there is now PTP support in 6.46beta55.
IEEE1588 works without hardware support, but performance is not so good. It even works over WLAN:
https://www.researchgate.net/profile/Wu ... ion_detail
There are switch chips (also from QC) with support for IEEE1588 and sometimes SyncE since many years. It would be nice to know which Mikrotik products already have these built-in. Someone with this knowledge out there??
It could also support a better TDMA protocol as suggested here:
viewtopic.php?t=87471#p465494
viewtopic.php?t=70793&start=100#p515551
Maybe Mikrotik can also offer an affordable GNSS-based POE-powered IEEE1588 grandmaster-clock device for mast mounting ....
> The way I understand things, setting net.inet.tcp.delayed_ack doesn't do anything to the traffic routed through a router, it only affects traffic generated by the router. So it's not clear to me how this setting could affect speed of e.g. NFS connection between two external devices being routed by the router (beneficial effect on btest is clear).

Yes, I would think a router would be transparent to routed traffic.
Add an "interface watch" for link-up / link-down functionality to script in. Similar to Netwatch host.
> It would be useful when the Limit (rate limiting) specifier in a IP or bridge firewall rule could specify that the limit is not on the rule itself but on the hash of the source address (IP address, subnet or MAC address).
> I.e. with a single rule you can accept traffic from multiple source hosts each limited at the specified rate.
> This is the "hashlimit" module in iptables.

Isn't that what "dst-limit" actually does?

> Isn't that what "dst-limit" actually does?

AH yes it looks like it... I overlooked that.
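The difference between a rule-wide "limit" and a per-source "dst-limit"/hashlimit is easiest to see on a concrete packet stream. The following is an added example, not RouterOS code and not from this thread: a token bucket in the shape both matchers use (rate plus burst), run once as a single shared bucket and once keyed by source address, over a constructed stream in which one host floods while another sends a few legitimate packets. The addresses, timings and the rate/burst values are assumptions chosen for the illustration; the eviction of idle per-source entries that dst-limit's expire parameter does is left out.

```python
from collections import defaultdict
from typing import Dict, List, Tuple


class TokenBucket:
    """Classic token bucket in integer millitokens so the simulation is exact."""

    def __init__(self, rate: int, burst: int, now_ms: int) -> None:
        self.rate = rate                # tokens per second
        self.cap = burst * 1000         # bucket size in millitokens
        self.tokens = self.cap          # starts full, like a freshly created entry
        self.last = now_ms

    def allow(self, now_ms: int) -> bool:
        # refill: elapsed ms * tokens/s == millitokens, capped at the burst size
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def run(packets: List[Tuple[int, str]], rate: int, burst: int,
        per_source: bool) -> Dict[str, Tuple[int, int]]:
    """Feed (time_ms, src) packets through either one shared bucket (the plain
    "limit" matcher) or one bucket per source address (the "dst-limit"/hashlimit
    behaviour). Returns src -> (accepted, dropped)."""
    buckets: Dict[str, TokenBucket] = {}
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for t, src in packets:
        key = src if per_source else "*"
        bucket = buckets.get(key)
        if bucket is None:
            bucket = buckets[key] = TokenBucket(rate, burst, t)
        stats[src][0 if bucket.allow(t) else 1] += 1
    return {src: (a, d) for src, (a, d) in stats.items()}


def sample_stream() -> List[Tuple[int, str]]:
    """Constructed traffic: 10.0.0.1 floods 100 packets in one second while
    192.0.2.7 sends five packets 200 ms apart. Sorted by time; on a tie the
    flooding address sorts first, which is the worst case for the legitimate host."""
    flood = [(i * 10, "10.0.0.1") for i in range(100)]
    legit = [(t, "192.0.2.7") for t in (100, 300, 500, 700, 900)]
    return sorted(flood + legit)


if __name__ == "__main__":
    stream = sample_stream()
    for mode in (False, True):
        label = "per-source" if mode else "shared    "
        print(label, run(stream, rate=10, burst=5, per_source=mode))
```

With rate 10/s and burst 5, the shared bucket lets the flood consume every token as it is refilled and the legitimate host gets nothing through (0 of 5), while the per-source buckets pass all 5 legitimate packets and still hold the flood to the same 14 accepted packets. That starvation of innocent sources is the reason a per-source key matters for an "accept with rate limit" rule, and it is also why the per-source table needs an expiry: without one, every source that ever sent a packet keeps an entry.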
    /tool netwatch set 0 comment="OhNo Re-Activation again"
    # use the comment of a dummy layer7-protocol entry as storage that survives a reboot;
    # netwatch scripts run as the *sys user and cannot create global variables.
    # layer7-protocol add requires a regexp; this one is never referenced by any rule.
    :do { /ip firewall layer7-protocol add name=NetWatchTimeSince regexp="^\$" comment=[/system resource get uptime] } on-error={}
    :local NetWatchDuration ([/system resource get uptime] - [:totime [/ip firewall layer7-protocol get [find name=NetWatchTimeSince] comment]])
    :log warning ("Netwatch: UP | check 1.1.1.1 | OffLine Duration was: " . $NetWatchDuration)
    /ip firewall layer7-protocol set [find name=NetWatchTimeSince] comment=[/system resource get uptime]
> "number of missed/received pings" setting before the netwatch triggers

+1 This was written here a few times and I try not to add this again.

> But of course in this case (where it does not have to survive reboot) you can use global variables for that.

Netwatch works as the *sys user, it does not create global variables. L7 comment works after reboot but it's not necessary.
> @algisr It sounds like you want to use the demo mode as a free DDNS tool.
> If that's what you are looking for there are already plenty of sites which offer free DDNS

We specifically need public IP (DDNS and NTP is also OK, but not required).
> Enable basic Clipboard Paste in Woobm terminal.... Better to say: stop denying it..

SHIFT + INSERT does not work? (old ctrl+v from DOS times...). In WinBox>Terminal it works.
SSTP VPN works very similarly (SSL tunnel) and I haven't seen an ISP which would block TCP port 443.......

> So, VPN is not an applicable solution in most cases.
> Please review the possibility of including a Stunnel client in the RouterOS feature set or, please, propose an alternative way to connect to my Stunnel server,
> jo2jo

The reason why we are using Stunnel and not other solutions is that it looks very similar to plain HTTPS to the DPI of internet providers, who are denying the usage of OpenVPN and others too.
> we need a basic portscan tool in rOS

A basic TCP single scan is built into telnet.
> In some cases it would be useful to allow adding static DHCP leases with the same address but a different MAC address. The warning message displayed now should remain, but with an option to ignore it.
> E.g.: we will get new printers. We like to keep the same addresses. The new printer will replace the old one at the same location. The MAC addresses of the new printers are known beforehand.
> It would be useful to add new static leases for the new printers with the same address as the printer they replace, then wait for the technician to swap all printers, then delete all old static leases.
> As it is now, we will have to change each lease as the technician moves along, requiring a contact for each printer being replaced.
> Another use case is to assign the same address to a device which can be connected either via ethernet or wireless (and which auto-disables the wireless when ethernet is active).

+1
> Give the ability to secure firewall rules.

I think it would be more useful as a limited-user capability where users can be created that have precisely
> For remote systems it will not be good if the management firewall rules are deleted.

Welcome to Safe Mode
> Yes, RouterOS v7 has better command history, you will be able to see the specific command that was executed.

Just an example, that's cool:
> /sys history print detail
Flags: U - undoable, R - redoable, F - floating-undo
U redo=/interface eoip remove bridge2
undo=
/interface eoip add arp=enabled arp-timeout=auto disabled=no mac-address=\
6A:F5:C8:E5:62:12 mtu=auto name=bridge2
action="device removed" by="admin" policy=write time=mar/13/2020 14:06:52
> /interface/bridge/add name=brrr
> /sys history print detail
Flags: U - undoable, R - redoable, F - floating-undo
U redo=/interface eoip add name=brrr undo=/interface eoip remove *3
action="device added" by="admin" policy=write time=mar/16/2020 16:44:09
> Don't forget to add VRF for management interface!

+1
> Consider a GeoIP package allowing for firewall filtering by Country

I'm against that. It is completely useless, and it tends to racism.
> Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be possible to be used within RouterOS within queue trees, mangle rules, hotspot etc. Today one needs to define each time an absolute value for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare.

I think the queue trees should allow an additional form of rate configuration in the form of a percentage of the rate of the next higher level in the queue tree.
> WiFi 6 ( 6 GHz )

WiFi 6 is 2.4 and 5 GHz.
> > Consider a GeoIP package allowing for firewall filtering by Country
> I'm against that. It is completely useless, and it tends to racism.

lmao, oh god, political correctness has now extended to routers.....
> > > Consider a GeoIP package allowing for firewall filtering by Country
> > I'm against that. It is completely useless, and it tends to racism.
> lmao, oh god, political correctness has now extended to routers.....
> There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. On all of our routers I'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to login or establish VPNs from overseas etc
> Ideally this would pull data periodically from a central MikroTik server similar to DDNS which would make it more effective than just using fixed address-lists
> That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel that's racist well.... that's your problem

My first claim is that it is useless. And I will explain that:
> There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.

You may think so. Take an example. On your server you have a small web server for your local bicycle club. There users can get information about training times, when there are competitions etc. Let's say someone from Australia is on vacation in Bali and wants to know when the training is for his son who is at home in Australia. Why should he not be able to do that?
> So I don't know whether using discrimination per country is racist, but it is definitely useless.

My claim was: It is completely useless, and it tends to racism.
> > So I don't know whether using discrimination per country is racist, but it is definitely useless.
> My claim was: It is completely useless, and it tends to racism.
> It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
> That quickly slides towards racism.

Hmm. Here is a counter use-case:
> Imagine you have a service for users from your own country only.
> Then it makes sense to block all login attempts from any other country.
> Q.E.D.

As I explained before, that is not going to work. Your own users may appear to come from another country.
> Imagine you have a service for users from your own country only.

This was nearly my use-case: a local WISP. At one point it was very tempting to do so, to fence off all the failed authentications to our VPN service. Most of them are from one country.
> Hmm. Here is a counter use-case:
> Imagine you have a service for users from your own country only.
> Then it makes sense to block all login attempts from any other country.
> Q.E.D.

And as I wrote, how do they access these services if the users are out travelling in another country?
> My first claim is that it is useless. And I will explain that:
> You have not defined what "the country of an IP address" is, and neither has the internet.

You are WAY overthinking this. It's really as simple as an address list generated from IANA that says i.e.
> > There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.
> You may think so. Take an example. On your server you have a small web server for your local bicycle club. There users can get information about training times, when there are competitions etc. Let's say someone from Australia is on vacation in Bali and wants to know when the training is for his son who is at home in Australia. Why should he not be able to do that?
> Or your work has a proxy or headquarters in another country; then he could not open your local web server, since you blocked everything from outside Australia.
> But if you have no webserver nor other services needed by anyone else, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.

That would not be an 'input' chain rule, that would be the forward chain, so the rule would not block traffic going to a server that resides behind the router. Only traffic directly destined to the router itself would get blocked.
> If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.

It isn't useless. It's not about 100% perfect security either (such a thing doesn't exist). It's just about reducing the broader attack spectrum. In the same way most people move the default Winbox port off 8291 to something else; that isn't 100% effective, so therefore it's a useless feature? May as well not have it?
> That would not be an 'input' chain, that would be the forward chain.

Then I see what you do wrong. There should be no input rules accepting connections from the outside using the input chain. VPN is the way to go if you need to access services on the router.
> It's really as simple as an address list generated from IANA that says i.e.
> 1.x.x.x/8 = Belongs to the USA.
> 2.1.x.x/16 = Belongs to Belarus
> 3.x.x.x/8 = Australia
> etc etc
> Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up.

I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better
> I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better when it had been done that way, but it hasn't.
> LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for the Asia-Pacific region. The list of blocks for Australia would have many thousands of entries no matter how you like that.

I am entirely aware of this, what I provided was clearly just an oversimplified example, I thought that was clear when I mentioned 'instead of having several thousand address list entries'
> I am entirely aware of this, what I provided was clearly just an oversimplified example, I thought that was clear when I mentioned 'instead of having several thousand address list entries'
> It's doing exactly the same job as manually adding them to an address list. But in a very simplified and clean way by just enabling 1 option and specifying countries. Ideally that is then dynamically updated.
> The alternative is entries need to be manually added to a MikroTik, that could be hundreds/thousands of routes especially if I want to do multiple things with multiple countries.
> Then I need another script running that updates this list automatically...... it's just really messy to keep everything updated and everything in sync.... when it could be a simple 1 tick-box operation instead.

I hoped you would have understood by now that this is not possible because there is no simple attribute on a packet that indicates it is "from Australia", so such filters can only work with that address list of thousands of entries in place.
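As an added example, not posted by anyone in the thread, this is what the requested "country" match reduces to on RouterOS today: the country is a per-prefix attribute that lives in an address list (which is why the list has thousands of entries), the firewall rules only reference the list, and a scheduled script keeps the list in sync. Assumed and hypothetical: the file au-prefixes.rsc is generated offline by the operator from the RIR delegated statistics and served from their own host at the made-up URL below, the two prefixes shown are documentation ranges standing in for real entries, and 203.0.113.5 is a constructed admin address.

```routeros
# Shape of the generated au-prefixes.rsc (constructed sample; a real file has
# thousands of lines, one per RIR-delegated block). It fills a STAGING list so a
# partial or failed download can never leave the live list empty:
#   /ip firewall address-list
#   add list=country_AU_new address=192.0.2.0/24 comment=AU
#   add list=country_AU_new address=198.51.100.0/24 comment=AU

/system script add name=refresh-country-AU policy=read,write,ftp,test source={
    /tool fetch url="https://lists.example.net/au-prefixes.rsc" dst-path=au-prefixes.rsc
    /ip firewall address-list remove [find list=country_AU_new]
    /import file-name=au-prefixes.rsc
    :if ([:len [/ip firewall address-list find list=country_AU_new]] > 0) do={
        # swap: drop the old live entries, rename the staged ones into place
        /ip firewall address-list remove [find list=country_AU]
        /ip firewall address-list set [find list=country_AU_new] list=country_AU
        :log info ("country_AU refreshed: " . [:len [/ip firewall address-list find list=country_AU]] . " entries")
    } else={
        :log error "country_AU refresh produced no entries; keeping the previous list"
    }
}
/system scheduler add name=refresh-country-AU interval=1d on-event=refresh-country-AU

# Sources that must keep working no matter what the country list contains.
/ip firewall address-list add list=mgmt_hosts address=203.0.113.5 comment="admin (constructed)"

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address-list=mgmt_hosts action=accept \
    comment="admin sources, independent of the country list"
# The "drop everything not from Australia" rule. In the input chain it only
# protects services running on the router itself ...
add chain=input src-address-list=!country_AU action=drop \
    comment="router services reachable from AU-delegated prefixes only"
# ... a server behind the router is reached through the forward chain (after
# dst-nat) and needs its own rule if it is meant to be restricted too.
add chain=forward dst-address=192.0.2.10 protocol=tcp dst-port=443 \
    src-address-list=!country_AU action=drop comment="web server behind the router"
```

Test the refresh script from Safe Mode the first time: a broken .rsc or an unreachable host aborts the script before the swap, but a file that imports cleanly into the wrong list name would still leave country_AU empty, and with the negated match that drops every new inbound connection except those from mgmt_hosts.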
> Please can you upload all packages as separate files, then we can use the fetch command as well, and add an HTTPS MikroTik certificate for the URL download.mikrotik.com
> Installing packages requires unzipping the file and uploading it again; sometimes we use a mobile network and a slow connection.

The use of separate packages for part of the functionality (like routing, advanced tools, PPP, etc) has been abandoned in v7. Everything is now in a single package except the truly special things like UPS monitoring.
> So why are you so opposed to having a country feature?

Remember, you don't need to convince anyone in this forum, just MikroTik. Non-technical reasons and users' business decisions aside, the first question is what exactly MikroTik should provide. I see a big difference between just support for something and providing all the data.
> The problem is the Dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
> The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

But you can just handle them in the input firewall, right? That is where I regulate the other services as well, when they are enabled.
> Put Dude ports 2210 and 2211 in IP-Services where it belongs
> Currently, IP->Services has a field "Available From"
> This functions with api, api-ssl, ftp, ssh, telnet, winbox, www, www-ssl
> These services can be turned off/on and/or blocks of IP-networks can be used for each service.
> The problem is the Dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
> The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!
> This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
> Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
> Yesterday, I counted 4-thousand "winbox/dude" connect logs. And I know it's not winbox because I IP-Services limit what IP blocks can connect using winbox, so it has to be Dude !
> I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.
> Also - it might be a good idea to add ICMP to the IP-Services section
> North Idaho Tom Jones

Never mind - I got an email that says Dude uses the same ports as Winbox.
> And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks?

That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
> > And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks?
> That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
> When you do not like that, add a firewall rule (probably with address list) for the filtering.

Again - thank you for your prompt reply(s) to my questions
> Question - Am I correct to assume for IP-Services ssh, telnet, http, https, api … it is also "service accepts the connection then drops it if not allowed" (aka accept the connection, check access-list, then drop if not allowed - if allowed then continue the service connection)?

Yes, that is how it works. In Linux this is called "TCP Wrappers" with their associated config files "/etc/hosts.allow" and "/etc/hosts.deny". It sits between the listening TCP port and the daemon that runs the connection; it first accepts the connection (or rather the kernel does that), looks up the source network in those files, and if not allowed it just closes the connection again. This whole thing was invented before firewalls were available in operating systems.
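An added example (not from the thread) of the two layers the reply distinguishes. The /ip service address= check runs after the TCP handshake, which is where every "denied winbox/dude connect from" line comes from; a firewall rule discards the SYN before any service sees it, so the log noise stops and the port no longer answers at all. Assumed: management comes from the address list mgmt_hosts (constructed entries using documentation prefixes), Winbox is on its default port 8291, and the raw-table rule is wanted only if the connections should not even be tracked.

```routeros
/ip firewall address-list
add list=mgmt_hosts address=203.0.113.0/24 comment="NOC (constructed sample)"
add list=mgmt_hosts address=192.0.2.10 comment="jump host (constructed sample)"

# Layer 1: service-level allow list (TCP-wrapper style). /ip service cannot
# reference an address list, so the ranges are repeated here. The handshake
# still completes; the service then closes the socket and logs the denial.
/ip service
set winbox address=203.0.113.0/24,192.0.2.10
set ssh address=203.0.113.0/24,192.0.2.10
set www-ssl address=203.0.113.0/24,192.0.2.10
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# Layer 2: the firewall. Packets dropped here never reach the listener, so
# there is no per-connection log line and no half-open socket on the router.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=mgmt_hosts protocol=tcp dst-port=8291,22,443 \
    action=accept comment="management from known sources only"
add chain=input protocol=tcp dst-port=8291,22,443 action=drop \
    comment="management ports: everybody else"

# Optional: drop before connection tracking so scanners do not even consume
# conntrack entries. dst-address-type=local keeps this to the router's own
# addresses and leaves forwarded traffic on the same port alone.
/ip firewall raw
add chain=prerouting dst-address-type=local protocol=tcp dst-port=8291 \
    src-address-list=!mgmt_hosts action=drop comment="winbox: untracked drop"
```

Keep layer 1 even with layer 2 in place: it still applies to connections that arrive over an interface the filter rules forgot (a new VPN, a management VLAN added later), at the cost of one log line per attempt.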
> option to specify multiple address lists inside a single firewall rule?

You can make a jump rule and add multiple rules to it, all with an address list. Not exactly the same, but should work.
> Add support for LTE Devices to be controlled via CAPsMAN

No, it's a bad idea. USB sticks are detected and a dhcp-client is automatically created; you can do many fixes to your needs by scripts & schedulers.
> When the reason for the reboot is an upgrade of ROS, the router already logs that...
> Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?

That's right yes. reason = "Shutting down because DHCP broken script triggered a restart."
> If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.

No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
> > If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
> No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.

When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
> > > If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
> > No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
> When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
> Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
> You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.

Yes, that would be a useful approach. Unfortunately I operate in an infrastructure-less environment where the configurations are built up and destroyed dynamically and as such we don't have a syslog server option.
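Added example, not something the thread's participants posted: a workaround for the missing reason= argument that needs no syslog server. The reason is written into /system note, which is part of the saved configuration and therefore survives the reboot, immediately before /system reboot; a scheduler that fires at startup copies it into the local log and clears it. The script names reboot-with-reason and dhcp-watchdog, and the global variable rebootReason, are hypothetical.

```routeros
# Helper: remember why we are rebooting, then reboot.
# Callers set the global $rebootReason and run this script (see the example caller).
/system script add name=reboot-with-reason policy=read,write,reboot source={
    :global rebootReason
    :if ([:typeof $rebootReason] = "nothing") do={ :set rebootReason "unspecified" }
    # /system note is stored configuration, so it is still there after the restart.
    /system note set note=("scripted reboot at " . [/system clock get date] . " " . \
        [/system clock get time] . ": " . $rebootReason)
    :log warning ("rebooting: " . $rebootReason)
    /system reboot
}

# At boot: turn the saved note into a log entry (visible in /log, and forwarded
# by remote logging once that is up), then clear it so a later crash or a plain
# power cycle is not misreported as a scripted reboot.
/system scheduler add name=log-last-reboot-reason start-time=startup interval=0 \
    policy=read,write on-event={
        :local why [/system note get note]
        :if ([:len $why] > 0) do={
            :log warning ("last " . $why)
            /system note set note=""
        }
    }

# Example caller (hypothetical watchdog): each script that may reboot supplies
# its own text, which is what the feature request wanted from reason=.
/system script add name=dhcp-watchdog policy=read,write,reboot source={
    :global rebootReason "dhcp-watchdog: DHCP client stuck, restarting"
    /system script run reboot-with-reason
}
```

The startup scheduler runs after the configuration has loaded, so the note is already readable; what this cannot capture is a reboot that never reached the helper (watchdog timer, power loss), which is exactly the case where the note stays empty and nothing is logged.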
> - vendor class identifier (a string)

Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes

> - MAC address (a value and a mask)

In the light of MAC address randomization it becomes less and less useful...
> > - vendor class identifier (a string)
> Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes

Ok, I was not aware of that. Indeed it is mostly what I need, except that I would like an extra match capability on MAC address/mask.
> > - MAC address (a value and a mask)
> In the light of MAC address randomization it becomes less and less useful...

But that is in fact one of the applications I have for it :-)
> > > - MAC address (a value and a mask)
> > In the light of MAC address randomization it becomes less and less useful...
> But that is in fact one of the applications I have for it :-)

Exactly. There are a few good use cases where client device MAC randomization doesn't make any sense and it's good to have some way to remind users to switch off MAC randomization for a particular SSID.
> Can I have a link to the Feature requests for SwOS
> I am looking for the feature of subnet mask / default gateway in the SwOS software.
> Without this feature it is impossible to manage/monitor a MikroTik device running SwOS from a different subnet. I am surprised it is omitted and it is a major limitation.
> Regards,
> David
> Network Engineer, CCNA

You may be surprised as a network engineer, but SwOS does not require this information!
> Feature request: add a do-not-round option for /ping. (or accuracy=1/10, 1/100, 1/1000 or so)
> Currently the /ping utility rounds to ms, which accuracy is enough in most cases. However, there are situations where there is a serious need for greater accuracy, e.g. what Linux ping gives.

They're listening at that post :) and now... ros7.1beta3
> Winbox is wonderful, but a small suggestion: consider adding snapping capabilities to the several windows that can be opened within Winbox. It would be much easier to organize it.
> Thanks.

Seconded
> Maybe you should explain what "snapping capabilities" are?

I refer to the option you have in Windows: select the title bar of the window you want to snap, and drag it to the edge of your screen. An outline indicates where the window will snap to once you drop it. Drag it to the left or right side of your screen depending on where you want to snap it to. Some other interfaces allow you to snap windows against each other.
> Oh... well I prefer stacked windows rather than tiled ones, and I would like to see a "taskbar" or similar feature where you can click windows that have gone buried under others, to raise them again. Or some "lower" function that you can click in a large window to move it back to the bottom of the stack.
> In daily use I usually have a "log" window full-sized as backdrop and open other windows on top of that. When I inadvertently click on the log somewhere it raises that window and all other windows disappear behind it. They can be raised only one by one via the menus, but it would be convenient when the log window could be moved back to the backdrop and/or when a list of open windows can be seen or called.

I like your taskbar approach and the access to the open windows. And it is also compatible with the tile suggestion.
> On Win10 we can snap windows with Win + [Left/Right arrow]. For working with 3 monitors it's OK.

Easy for a teddy bear with straw for a neck!!!
> As for features I believe I read this somewhere recently where someone was suggesting firewall lists within firewall lists.
> That way we can select a number of firewall lists into a group of their own and so on.

That feature has been present for years. But people don't bother to really study the matter so they often will not find that by themselves.
> More important for me would be a selective protocol: not only TCP or UDP and creating double rules, but having a protocol list 6 TCP + 17 UDP in one FW RULE - this can group my firewall rules drastically.

That makes no sense! TCP and UDP are different protocols, they cannot be grouped.
> An Access List of other Access Lists would be great, like rules as one regex: 10.50.[128-254].[30-35], which would match all my 128 branches with the printer range in each branch - now I generate 128 rules for one LIST in Access List.

As I said before: people don't bother to really study the matter so they often will not find that by themselves.
> That makes no sense! TCP and UDP are different protocols, they cannot be grouped.

TCP&UDP for 53, 3389 can be done by 2 rules, not 4.