/system telnet address=192.168.1.20 port=80
Sorry Normis, and no disrespect to you, but what does influence this list? People screaming for proper vrf separation, IPSec VTI Support, DHCP Option 82 Snooping in ROS, Proper BNG Features, IPv6 Needs a lot of fixing, BFD (YMMV), BGPv4 MIB and many others.
no, the list does not influence our priorities, just gives us ideas about what people want to see.
[me@router] > put [ping 8.8.8.8 count=3]
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 57 9ms
1 8.8.8.8 56 57 10ms
2 8.8.8.8 56 57 8ms
sent=3 received=3 packet-loss=0% min-rtt=8ms avg-rtt=9ms max-rtt=10ms
3
There is indeed. Thanks Sob, you are a legend!
@Wyz4k: There's also Select All in right-click menu.
Hi Chupakha I just wanted to say thanks for your patience, I am just a tad slow and finally get what you are saying.
The same with TCP Flags and ICMP Option in Advanced tab.
Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
That is one way of doing it, but it does not really work well. Clients have to "hop" between access points and this often only happens when the signal has
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
One of the problems with RFCs and standards is that often 90% of manufacturer network devices only follow RFCs and standards by only 90%.
Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
There are standards for fast handover but they weaken the security. Also there are standards to provide roaming information so the clients know what other AP's to look
Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
There is only one association, a client does not reassociate if they move from one AP to another. There is not a loss of service when a client moves to a closer AP.
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
Sounds interesting. But is part of the evolution in wireless also not that now the spectrum is saturated where 10 years ago it was hardly used? I mean, my first Mikrotik 2,4Ghz 802.11b outdoor AP on an 8dBi omnidirectional had no problem to communicate with my laptop at some 300-400 meters away. And that communication was the sending of an e-mail.
I would like Mikrotik to consider a new type of BaseStation AP
- Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors).
- Something that falls under FCC point-to-point higher power rules
- Something that functions similar to a beam-steering phased-array (where the system acts like a point-to-multi-point system).
Vivato (now out of business) did have two models of phased-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business, I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD perform testing on my Vivatos phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could achieve with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).
Another company just announced a BaseStation (Ubnt) which is claimed to support the following: 5 Gbps real Aggregate wireless throughput, MU-MIMO, 1,500 wireless clients, 10-Gig Ethernet interface (some serious stuff here !!!)
If the Ubnt BaseStation performs even close to what my Vivatos were doing, then this is a real serious contender for a high-density high-volume high-throughput system.
The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
I would like to see a Mikrotik system that can achieve the same thing.
North Idaho Tom Jones
The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
This is the feature requests channel. I am requesting a very basic feature that will take all of 30 seconds for somebody to add.
If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. Your telnet client C&P will work just fine.
The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
Hi everyone,
Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.
Also then please add a way to disable username / password logins.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
/ip ssh set always-allow-password-login=yes
Not for winbox though.
Hi everyone,
Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.
Also then please add a way to disable username / password logins.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
/ip ssh set always-allow-password-login=yes
Yeah. Also not for WebBox, not for Telnet, not for API...
Not for winbox though.
I would also like to be possible to set winbox to a state where changes are pending and the moment all changes done to be able to say commit.
If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.
To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!
So one needs to remove it from the bridge port and then modify the dhcp-client which would of course have to be done locally... or with a script!
Not a script, but in a Terminal:
{
/interface bridge port remove [find interface=ether1]
/ip dhcp-client add disabled=no interface=ether1
}
or
/interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1
Well I use winbox and/or API so with neither I could do it remotely since I would lose at the first step the remote connection
Just press Terminal on the left of WinBox. If you use "{ }" - commands inside of brackets will be executed when you press Enter after the bracket. Like this:
[admin@s.internal] > {
{... :put "here"
{... :put "we"
{... :put "go!"
{... }
here
we
go!
[admin@s.internal] >
Now you'd wish manufacturers to give one of their main tools to keep clients with them away...
A WiFi TDMA mode that is compatible with UBNT airMAX.
We usually have a mix of MikroTik/UBNT access points and clients in our network so we can only use bare 802.11 even when TDMA would perform much better.
Alternative: an IEEE standard for this mode that is implemented by both companies.
+1
Netinstall for Linux, or documentation of the netinstall process so it can be programmed for Linux by someone else.
RoMON works only over L2 transparent links. A proxy could be operating at IP level. A nice feature would be to add an IP-level layer to RoMON so you can
@TomjNorthIdaho
RoMON
If you can connect to 1st mikrotik via TCP (ssh), then using putty, you can configure additional port forwards on the fly.
Winbox proxy ???
It might be nice to be able to connect to another Mikrotik using the 1st mikrotik as a proxy to be able to connect up to a 2nd Mikrotik.
Where, an admin might not be able to directly connect to the 2nd mikrotik, but if the 1st mikrotik can mac/IP connect to the 2nd then allow a winbox proxy connection through the 1st mikrotik to a 2nd mikrotik.
When testing P2MP networks for best throughput and latency you need to run a test from several CPE's (in an 'all MT' network) and then switch between the different protocols and settings to see what gives best result.
Each time though the connection with AP is lost due to a config change, the CPE needs to be opened up again in its winbox session. And each time all settings for the bandwidth test are gone... each time you need to fill these again..
Can bandwidth test not be made to at least remember its settings? It has to be stopped when the CPE drops the connection over the interface the test runs, but it would be oh so helpful if the settings for the test just come back after the winbox session is opened again. Just click on 'run' and the test can run again..
Would make it a great time saver in troubleshooting and fine tuning P2MP networks...
+1
Please implement a proper auto channel selection that looks at the usage and noise floor of each frequency in the scanlist before choosing a channel.
And not one that just counts how many devices it sees per frequency (as per now): viewtopic.php?f=7&t=122063&p=677377#p600476
So you see it under /system health print ?
CRS112-8P-4S:
SNMP Oid's for PSU1 + PSU2 Voltage or at least a status.
Currently only Temperature under system health supported.
Feature requests - SNMP OID Ethernet link speed
It would be great to have SNMP OIDs for Ethernet link speeds. (if they are there , I have not spotted them yet).
These could be very useful to detect when an Ethernet link changes link speed. Such as when what is/was supposed to be a 1-Gig link changes to a 100 meg link.
North Idaho Tom Jones
$ snmpwalk -v2c -c public 192.168.88.1 |grep ifSpeed
IF-MIB::ifSpeed.1 = Gauge32: 0
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 1000000000
IF-MIB::ifSpeed.4 = Gauge32: 0
IF-MIB::ifSpeed.5 = Gauge32: 100000000
IF-MIB::ifSpeed.6 = Gauge32: 1000000000
IF-MIB::ifSpeed.7 = Gauge32: 0
IF-MIB::ifSpeed.8 = Gauge32: 0
IF-MIB::ifSpeed.9 = Gauge32: 1000000000
IF-MIB::ifSpeed.10 = Gauge32: 1000000000
IF-MIB::ifSpeed.12 = Gauge32: 100000000
IF-MIB::ifSpeed.14 = Gauge32: 1000000000
IF-MIB::ifSpeed.15 = Gauge32: 0
IF-MIB::ifSpeed.17 = Gauge32: 0
IF-MIB::ifSpeed.18 = Gauge32: 100000000
IF-MIB::ifSpeed.21 = Gauge32: 10000000
IF-MIB::ifSpeed.22 = Gauge32: 0
IF-MIB::ifSpeed.24 = Gauge32: 0
IF-MIB::ifSpeed.25 = Gauge32: 1000000000
+1 !!!!!!
Feature requests - SNMP OID Ethernet link speed
It would be great to have SNMP OIDs for Ethernet link speeds. (if they are there , I have not spotted them yet).
These could be very useful to detect when an Ethernet link changes link speed. Such as when what is/was supposed to be a 1-Gig link changes to a 100 meg link.
North Idaho Tom Jones
snmpwalk -v2c -c public 192.168.0.1 .1.3.6.1.2.1.2.2.1.5
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 1000000000
IF-MIB::ifSpeed.5 = Gauge32: 1000000000
IF-MIB::ifSpeed.6 = Gauge32: 10000000
IF-MIB::ifSpeed.8 = Gauge32: 1000000000
IF-MIB::ifSpeed.9 = Gauge32: 100000000
IF-MIB::ifSpeed.10 = Gauge32: 1000000000
snmpwalk -v2c -c public 192.168.0.1 .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: ether1-Wan
IF-MIB::ifDescr.2 = STRING: bridge_vlan1
IF-MIB::ifDescr.3 = STRING: ether3
IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
IF-MIB::ifDescr.5 = STRING: ether5-Linux_server
IF-MIB::ifDescr.6 = STRING: pptp-in1
IF-MIB::ifDescr.8 = STRING: ether2-Cisco-Switch
IF-MIB::ifDescr.9 = STRING: bridge-vlan20
IF-MIB::ifDescr.10 = STRING: eth2-vlan20
snmpwalk -v2c -c public 192.168.0.80 .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: wlan1
IF-MIB::ifDescr.2 = STRING: ether1
IF-MIB::ifDescr.3 = STRING: ether2
IF-MIB::ifDescr.4 = STRING: ether3
IF-MIB::ifDescr.5 = STRING: ether4
IF-MIB::ifDescr.6 = STRING: bridge
snmpwalk -v2c -c public 192.168.0.80 .1.3.6.1.2.1.2.2.1.5
IF-MIB::ifSpeed.1 = Gauge32: 50000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 0
IF-MIB::ifSpeed.5 = Gauge32: 10000000
IF-MIB::ifSpeed.6 = Gauge32: 100000000
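Added example, not part of any post in this thread: one way to turn the `ifDescr`/`ifSpeed` walks shown above into the link-speed change detection the request asks for, by comparing a stored baseline walk with a current one. The two sample walks are constructed for illustration (interface names borrowed from the output above), and the function names are this example's own.

```python
import re

# One line of net-snmp snmpwalk output, for example:
#   IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
#   IF-MIB::ifSpeed.4 = Gauge32: 1000000000
WALK_LINE = re.compile(
    r"^IF-MIB::(ifDescr|ifSpeed)\.(\d+) = (?:STRING|Gauge32): (.*)$"
)

# Constructed sample: baseline taken while all links were healthy.
BASELINE_WALK = """\
IF-MIB::ifDescr.1 = STRING: ether1-Wan
IF-MIB::ifDescr.3 = STRING: ether3
IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
IF-MIB::ifDescr.6 = STRING: pptp-in1
IF-MIB::ifDescr.8 = STRING: ether2-Cisco-Switch
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 1000000000
IF-MIB::ifSpeed.6 = Gauge32: 10000000
IF-MIB::ifSpeed.8 = Gauge32: 1000000000
"""

# Constructed sample: later walk. The switch uplink has a new ifIndex (7),
# the server port renegotiated to 100 Mbit/s and the PPTP interface is gone.
CURRENT_WALK = """\
IF-MIB::ifDescr.1 = STRING: ether1-Wan
IF-MIB::ifDescr.3 = STRING: ether3
IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
IF-MIB::ifDescr.7 = STRING: ether2-Cisco-Switch
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 100000000
IF-MIB::ifSpeed.7 = Gauge32: 0
"""


def speeds_by_name(walk_text):
    """Join ifDescr and ifSpeed on ifIndex and return {interface name: bit/s}.

    Keying on the name rather than the index matters because ifIndex values
    are not guaranteed to stay the same after the agent re-initialises.
    """
    descr, speed = {}, {}
    for line in walk_text.splitlines():
        match = WALK_LINE.match(line.strip())
        if not match:
            continue  # skip shell prompts, blank lines and other OIDs
        column, index, value = match.group(1), int(match.group(2)), match.group(3)
        if column == "ifDescr":
            descr[index] = value.strip()
        else:
            # ifSpeed is a Gauge32 and saturates at 4294967295 bit/s;
            # links faster than that need ifHighSpeed (Mbit/s) instead.
            speed[index] = int(value)
    # Index gaps are normal (see the walks above), so keep complete rows only.
    return {descr[i]: speed[i] for i in descr if i in speed}


def link_speed_findings(baseline_walk, current_walk):
    """Return (name, old_bps, new_bps, kind) for every link that got worse."""
    baseline = speeds_by_name(baseline_walk)
    current = speeds_by_name(current_walk)
    findings = []
    for name in sorted(baseline):
        old, new = baseline[name], current.get(name)
        if old == 0:
            continue  # no link at baseline, nothing to compare against
        if new is None:
            findings.append((name, old, None, "missing"))
        elif new == 0:
            findings.append((name, old, 0, "down"))
        elif new < old:
            findings.append((name, old, new, "downshift"))
    return findings


if __name__ == "__main__":
    for name, old, new, kind in link_speed_findings(BASELINE_WALK, CURRENT_WALK):
        print(f"{kind:9} {name}: {old} -> {new}")
```
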
news?
hi guys, it seems to me that it is still not possible to change the date format in dd/mm/yyyy. It would be very useful as I also work with userman reports.
Does anyone have a solution?
thank you
Valerio
Please this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
+1
I would like to see something like triggers when an interface state changes, so router can run a script (like ip-up/ip-down on "real" Linuxes).
The underlying Linux mechanism does have a "list of lists" feature so it would be easy to add a "list12" that has "list1" and "list2" as members and then specify that as src-address-list.
Please this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
http://prntscr.com/kq653h
Also do the same on src/dst-address and in/out-interface so we don't have to create a list if just needing a rule with two or three addresses as it makes config more neat.
But what is preventing Mikrotik from making it possible to create hidden lists from several IPs specified in a single rule or having a rule match if IP exists in list A or list B?
The underlying Linux mechanism does have a "list of lists" feature so it would be easy to add a "list12" that has "list1" and "list2" as members and then specify that as src-address-list.
Please this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
http://prntscr.com/kq653h
Also do the same on src/dst-address and in/out-interface so we don't have to create a list if just needing a rule with two or three addresses as it makes config more neat.
There is no support to have several lists or several addresses in a single firewall item. You can only do that by having several separate items and indeed that is what happens when you try that in Linux.
(you insert a simple rule with different addresses and when you look later you have several rules in your table)
It would not be a good idea to do that because it introduces new possibilities for bugs.
But what is preventing Mikrotik from making it possible to create hidden lists from several IPs specified in a single rule or having a rule match if IP exists in list A or list B?
Tom:
NV2 - increase NV2 client scan-for-AP b4 connect to AP
Unlike 802.11 or nstream, nv2 clients do not background scan for better APs to connect or roam to. All client nv2 connections want to stay connected to the original nv2 AP they first connected to. Longer nv2 client scan times would at least get equal client-connect loads distributed evenly among all nv2 APs of equal signal strength found in the client nv2 scan list.
North Idaho Tom Jones
How about performing an IP / neighbor command on your main router (that should 'see' all units) and order by device type? You'll immediately see if a unit is 'n' or 'ac'. My antennas all have their designated AP in their name so I can then also set the filter and thus see in an instant which units are 'n' or 'ac' (and thus can do 80Mhz wide channel in 'ac') for each AP.
Re: Feature requests (ability to view wireless capabilities)
Is there a feature to see/view the capabilities of a wireless wlan ?
If not , then I would like to see a new feature to show the wireless capabilities and possible settings.
My issue, I have more than 1,000 nv2 client Mikrotiks. I currently use a Linux expect script to sequentially connect up to each client and perform some commands. The results of the commands are stored in a directory on my Linux machine (results-directory/IP-address-of-client-mikrotik). I am then able to grep the results-directory for pattern matches I am looking for and with this list, I am then able to obtain a client list of IP addresses I am searching for.
I am searching for a method to find all client Mikrotiks that are AC capable, and/or Ceee capable, and/or 2x2 capable. My problem is, I don't know the client wireless capabilities without actually attempting to configure the wireless interface. Thus, it would be a nice feature to be able to print the wireless capabilities without actually making wireless configuration changes.
North Idaho Tom Jones
rfc 6286 - AS-wide Unique BGP Identifier for BGP-4 support for routerOS BGP.
it relaxes some strict definitions: routerid can be now an arbitrary 32 bit unsigned integer, while the older definition restricts it to "valid unicast address".
this breaks BGP compatibility with mikrotik devices right now if not taken into consideration.
in general you only need to remove the check that was required in rfc4271.
this needs to be worked out with IPv6-only devices where you don't have any IPv4 address to be used as bgp identifier.
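Added example, not from any poster or from MikroTik: the BGP Identifier check on a received OPEN message under the older RFC 4271 reading versus RFC 6286, run against a constructed OPEN. The unicast test (not unspecified, not multicast, not in 240.0.0.0/4) is an assumed interpretation of "valid unicast address"; real implementations differ in detail, and the function names are this example's own.

```python
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16   # 16 octets of all ones start every BGP message
BGP_TYPE_OPEN = 1
BGP_HEADER_LEN = 19         # marker (16) + length (2) + type (1)


def build_open(my_as, hold_time, bgp_id):
    """Build a BGP-4 OPEN with no optional parameters (constructed test input)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, 0)
    length = BGP_HEADER_LEN + len(body)
    return BGP_MARKER + struct.pack("!HB", length, BGP_TYPE_OPEN) + body


def parse_open_identifier(message):
    """Return the 32-bit BGP Identifier carried in an OPEN message."""
    if len(message) < BGP_HEADER_LEN + 10 or message[:16] != BGP_MARKER:
        raise ValueError("not a BGP OPEN message")
    length, msg_type = struct.unpack("!HB", message[16:19])
    if msg_type != BGP_TYPE_OPEN or length != len(message):
        raise ValueError("unexpected type or length field")
    _version, _my_as, _hold, bgp_id, _opt_len = struct.unpack(
        "!BHHIB", message[19:29]
    )
    return bgp_id


def acceptable_rfc4271(bgp_id):
    """Older rule: the identifier must look like a unicast IPv4 host address.

    Assumed interpretation: reject 0.0.0.0, multicast and 240.0.0.0/4.
    """
    addr = ipaddress.IPv4Address(bgp_id)
    return not (addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def acceptable_rfc6286(bgp_id, local_id=None, internal_peer=False):
    """RFC 6286 rule: any non-zero 32-bit value, unique within the AS.

    The only per-message checks left are "not zero" and "not equal to our
    own identifier when the OPEN comes from an internal peer".
    """
    if not 0 < bgp_id <= 0xFFFFFFFF:
        return False
    if internal_peer and bgp_id == local_id:
        return False
    return True


def compare(bgp_id):
    """Run both checks on an OPEN carrying bgp_id; 65001 and 90 are sample values."""
    received = parse_open_identifier(build_open(65001, 90, bgp_id))
    return {
        "identifier": str(ipaddress.IPv4Address(received)),
        "rfc4271": acceptable_rfc4271(received),
        "rfc6286": acceptable_rfc6286(received),
    }


if __name__ == "__main__":
    # 10.0.0.1: classic loopback-derived ID, fine under both rules.
    # 4200000001: plain integer picked on an IPv6-only router; it maps to
    # 250.86.234.1, which is not a unicast address, so the old check fails.
    for sample in (0x0A000001, 0xE0000001, 4200000001, 0):
        print(compare(sample))
```
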
opened a support request for it earlier today:
Just ran into this issue today.
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature.
A WISP could possibly use something like this to play a sound file ...
It would pretty much be a tool for whatever a Mikrotik admin might want/need. Also, because I am suggesting it be an optional package, it would not necessarily be pre-loaded on a fresh Mikrotik router. This optional package could potentially be a nifty tool when used with scripts (including netwatch) to provide audio/verbal information. Also, because I know this type of motherboard speaker driver works on old/slow 16 MHz 16-bit computers, it would not be a Mikrotik resource drain sucking performance away from L2/L3 throughput.
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature.
A WISP could possibly use something like this to play a sound file ...
How about the possibilities of a new wireless driver for Wireless chipsets? With a development package, a new wireless driver could be created (using all of the available Atheros chipset registers/settings) to make new high-performance high-throughput wireless drivers (such as a new/better nv2 'TDMA') system that might way outperform the current Mikrotik proprietary hybrid TDMA (nv2). Or how about the tens of thousands of Linux drivers and applications/tools/utilities already freely available.
Good luck with that. It doesn't seem to me that MikroTik is much for opening up. For example, according to developer of open-source MAC telnet, they don't even want to share details about new 6.43+ authentication, which is something that has no reason to be secret. And you want them to let you plug in your own code in their kernel...
But it could be nice. Even if it was something significantly more modest, just custom packages for strictly user-space non-root stuff. You could easily add custom services, simple web server, full-featured DNS server, UDP proxy, etc. Things that people sometimes want and MikroTik is not eager to implement. Combine it with some API to integrate own configuration interface for these things in WinBox/WebFix/CLI and it would be wonderful. But I'm not holding my breath.
Yes it would certainly be nice to have user-mode daemons under isolated user IDs so they cannot mess with the MikroTik part of the system, but frankly I doubt that the infrastructure for that is currently in place.
"my plan" (if we can call it that) seems more realistic, because even though they would lose some control, isolated package could not easily mess up whole system.
I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
System > scripts > environment (both winbox and webfig) ( it's only the current values however)
There should be a new section, a table in webfig and in winbox for global variables with initial values.
Such request is pretty useless. Define what you consider "complete"? Which features you are missing?
I join the request, i need secure way to use NordVPN.
I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
This can be done using scripting. The underlying mechanism in the kernel does not support a DNS name so it would have to be solved in a similar way.
Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
Isn't the support already here for some time?.. quite long time...
Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
What's new in 6.33 (2015-Nov-06 12:49):
*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
Why not just unset it?
Yes, it's there, but only for remote address. Local address accepts only IP address.
Yeah, in nginx you simply use try_files for your custom files on local server and proxy_pass to the original MikroTik server for the rest
In that case one can choose to retrieve the LATEST file from a local server and still get the npk files from "upgrade.mikrotik.com".
(so it is not required to keep a complete mirror of those files)
But of course it should be possible to mimic that with a reasonably flexible "transparent proxy" (that allows some files to be served locally and the remainder to be proxied)
I should have provided more detail.
Isn't the support already here for some time?.. quite long time...
Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
What's new in 6.33 (2015-Nov-06 12:49):
*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
+1 for allowing MAC address prefixes in lists as well to identify entire classes of devices like VoIP phones.
Please add:
MAC address lists
Port lists in Firewall
Having MAC addresses in a list would not be very useful for that. What you want is to match MAC address by prefix, usually by the first 3 octets (manufacturer).
+1 for allowing MAC address prefixes in lists as well to identify entire classes of devices like VoIP phones.
So, updates work via plain HTTP? No encryption?
Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" dir with CHANGELOG (any text you want to see) and .npk files. Done
Why shame? There is absolutely no problem with that!
So, updates work via plain HTTP? No encryption?
Shame!
Because there is no excuse anymore for any service to run without TLS. Certificates are free (if not dirt cheap for those that don't - for whatever reason - like Let's Encrypt).
Why shame?
Yeah, it's fine. Until it somehow gets exploited in the future.
Remember the update files themselves are signed! The signature is verified before they are installed.
So http is fine.
Microsoft's policies are not an example to be copied.
You know, Windows is using http download for windows update as well.
I never inferred that. Logging in to some website is COMPLETELY DIFFERENT from downloading a firmware update.
Sure,
So next time you login to your web-banking do not check for TLS.
TLS would remove the possibility to have a local update repository on a closed network. At least until the update URL is made configurable.
So yeah, TLS would not hurt and could help some people sleep better.
This is done in 'graphing' you can set up resource graphs and access them through webfig (at login hit the 'Graphs' button underneath the login)
Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
Create a 'viw' /session, with those things enabled (And maybe your favourite screens setup and laid out), then use that as your default session view, along with unticking autosave so no matter what you do in that session it resets next time you log-in.
The ability to force CPU, uptime, date etc on all winbox sessions.
Instead of having to do it individually
That would be almost okay if the graphs had some authentication built into them as well as opposed to just an ip whitelist.
This is done in 'graphing' you can set up resource graphs and access them through webfig (at login hit the 'Graphs' button underneath the login)
Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
This will keep a daily, weekly and yearly graph if i remember correctly, daily being 5 minute poll, weekly being 2 hour and yearly being 1 day or something to that effect.
Here is a screenshot from my Splunk Mikrotik project found here: viewtopic.php?t=137338
Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
If IP whitelist is not enough, you can limit it to VPN via firewall.
1) unsecured graphing which can't be queried using a script anyway
Mikrotik has "The Dude" which works well enough as SNMP server. It is not masterpiece, has its own bugs, but works.
2) have to run a 3rd party snmp server because there is no snmp server from Mikrotik
Unsure what do you mean. You can query SNMP from router.
... and no ability to query snmp registers from the router itself.
Everyone will ask for different average. Someone will ask for 5m, someone for 1hour, someone for 1day... Cmon, if you have such specific requirements, is it really that hard to make own script, which will grab SNMP counters and show you absolutely anything you can imagine?
Surely there's a point where it's simpler to just add in an average counter in the resources tab which can be scripted...
It's okay, I apologize for getting a bit irritated as well. I appreciate your suggestion and will give it a try.
@Wyz4k No. I should apologize. I didn't realize it will sound so aggressive. This is certainly about "feature requests". Sometime, requests are great. Sometime not - people submit them due to misunderstanding or lack of information. I just tried to correct some of your statements and I didn't mean to offend you
Your feature is already implemented in RC/testing version. And some people don't like it...
I'm new to the forum, and I'd like to know where is the right place for a feature request.
No, RADIUS is not a pool manager it can assign statics, software behind RADIUS would need to still manage a pool, which can get out of sync if you miss a stop record or something.
That is already possible via RADIUS!
Current:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=201
Proposed:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200,201
Current:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=201
Proposed:
/interface list add name=sfp-list
/interface list member add interface=sfp1 list=sfp-list
/interface list member add interface=sfp2 list=sfp-list
/interface ethernet switch vlan add ports=sfp-list vlan-id=200,201
Thanks for explanation, I didn't know what's the underlying implementation of interface lists. Well, the idea(1) is still nice to have, since my vlan table entries contain same trunk ports.
Remember that interface lists are handled by the CPU. An interface list is just a bit set in the interface definition which can be matched e.g. in the firewall ("is this bit set for the interface where this packet arrived") by the processor.
This is entirely different from switch programming, where a fixed mapping between devices and vlans is programmed in an external chip essentially one-time (at startup) and the mapping is only used by the switch chip, not by the processor.
There should simply be the possibility to add "user graphing" where an SNMP OID is entered and the value is graphed. It has been requested before.
It would be really nice if MikroTik would add the ability to graph health information such as voltage and temperature and no I'm not referring about SNMP and API, I am referring to tools->graphing, the same way as resources, queues and interfaces are graphed.
PLEASE!
MT please consider doing some BGP and routing-related fixes for christmas.
Would make A LOT of MT users very, very happy! Just to give some examples:
- multi-threading
- BGP4 SNMP MIBs
- better BGP convergence time
- faster route table searches
- fix ipv6 route reflection
- add RPKI support
Hello. It's not a feature request.
Hello, why mikrotik does not have the ability to better define user permissions based on roles?
I fully underwrite these features requests. The problem is only I have made almost the same, and more, request on Winbox improvement several times over the years and never even got a reply..... None of these 'ergonomic' adjustments are ever implemented.
Features Request!
a. Winbox, lets suppose we want to remove 5 columns and add 6 more. That would require to do 11 times the same thing since the list closes every time. Wouldn't it be easier (for the users not the programmer!) to have check box in front of every option, so as to check-uncheck whatever needed?
b. Winbox again. Wouldn't a rule copy from the start page be easier using the right click? got add-remove-enable-disable etc but no copy. Less windows-less clicks
c. Again winbox! Start page of a menu again (e.g. Firewall). A drop menu for the options (when double-clicked?) would be much faster to change an option. Combined with the second request, making a copy of rule and changing one option would be sth like right click-->copy rule--> double click new rule option-->choose new option.
Yup - it can be a little frustrating when a video about Mikrotik is not in English (the only language I know).
And now, for something completely different: (no, not the larch)
With all those YouTube videos from MUM taken from all over the world, it would be nice when the language of the video is always visible in the title.
Some of them are in English or another language I could understand, but more often they are completely incomprehensible to me and it would be useful to make that selection already in the title listing.
Very true! Note that in no way I would suggest not to put videos in other languages on the channel.
But - I am also very aware that English is not the only language used in the world.
Youtube has that, but it is not really usable right now except when you want to have fun.
- However, with today's technology, I suspect that somewhere there just might be a really smart computer that in real-time can verbally translate the spoken language in a video to English and optionally print the translated language on the bottom of the video at the same time.
I don't want to advocate separating English from non-English videos. We should not consider one language "better" than another.
Indeed - it would be nice to separate the non-English videos.
RPKI is really needed
RPKI/ROV guys, please. No need to re-invent the wheel.
See RTRlib for a lightweight, open-source C library: http://rpki.realmv6.org/
PS: Perfect for a weekend hackathon @ Mikrotik HQ while the weather outside is bad
It is sort of possible to do that, by clicking the "log" checkmark on the last page (the matched traffic will appear in the log).
Something like TORCH on firewall rule!
It would be great if i can select firewall rule and click on torch - and see what traffic is triggering on that rule!
.
time - same logline
time - same logline
the line above are repeated X times.
time - end of repeated lines
|
time - new logline
.
As long as you have connection tracking, and do not use the log on the "established/related" rule (which should be at or near the top of the list), logging on rules further down the list will usually have less volume and certainly not a duplication of the same info.
On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log.
When you are dealing with external logs, this is something you like to avoid at all cost like here in my Splunk - Mikrotik project:
the line above are repeated X times.
In RAW I don't have those control options and thinking further about it.
As long as you have connection tracking, and do not use the log on the "established/related" rule (which should be at or near the top of the list), logging on rules further down the list will usually have less volume and certainly not a duplication of the same info.
On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log.
Of course there can still be a lot of new connections logged this way.
Making it optional on rule level is the way to go. The user has to decide, if it is going to be used or not.
When you are dealing with external logs, this is something you like to avoid at all cost like here in my Splunk - Mikrotik project:
the line above are repeated X times.
viewtopic.php?t=137338
When you read logs in external programs it's hard to understand what is repeated and get the message back together.
And if you have many boxes that send syslog to same server, it makes it even worse.
So if implemented, this needs to be an option.
[Feature Request] :resolve DNS Client Improvements
One of the advantages of RouterOS is its scriptability and the strength of its shell syntax for getting things done. New improvements in the :system and :tool areas have given us more tools than ever, and augmenting existing features with script="" hooks have given us even more places to use those tools. However, it seems like an important scripting primitive (for a network device, at least) has been neglected for some time: :resolve.
You are right. That’s why in this year’s MUM in Tirana I changed the title and description of my presentations from English to Albanian (the language I was going to give them)
I don't want to advocate separating English from non-English videos. We should not consider one language "better" than another.
Indeed - it would be nice to separate the non-English videos.
I just would like to see the language of the video in the listing.
https://wiki.mikrotik.com/wiki/Manual:T ... _Generator
add multi-cpu(multi-core) support to Bandwidth Test Tool.
this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.
What's hard on doing
When do we ever see the option of select and copy text in the winbox log files? This has been asked for years.
Plus the option to search for string of characters?
When studying your logs in winbox it's at times hard to get the eyes focused on what you want to see if there are many lines to read through.
And copy and paste into a text file would make it so easy to quickly select what you are looking for.
ssh mikrotik "/log print" | less
1. I am not doing ssh. 2. I don't want to print anything. I just want to quickly look in my log and highlight a line or try to find just one setting (one mac leaving or connecting for example on an antenna) so I can see what happened or where something went wrong.
What's hard on doing
When do we ever see the option of select and copy text in the winbox log files? This has been asked for years.
Plus the option to search for string of characters?
When studying your logs in winbox it's at times hard to get the eyes focused on what you want to see if there are many lines to read through.
And copy and paste into a text file would make it so easy to quickly select what you are looking for.?
ssh mikrotik "/log print" | less
That is actually already possible.
Please make address lists available as destinations in ip route menu.
What's new in 6.41 (2017-Dec-22 11:55):
...
*) bgp - added 32-bit private ASN support;
...
I too need complete support for IPSEC/IKEv2 with EAP Authentication implementation for NordVPN
I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
Of note: I have some CHRs running on VMware ESXi servers with 10-Gig network cards.
Please,
add multi-cpu(multi-core) support to Bandwidth Test Tool.
this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.
Since beta version "6.44beta39", bandwidth test utilizes all of the CPU cores.
Of note: I have some CHRs running on VMware ESXi servers with 10-Gig network cards.
Please,
add multi-cpu(multi-core) support to Bandwidth Test Tool.
this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.
A single btest session uses a single CPU - however … multiple btest sessions (a mix of send & receive btest(s)) appear to use multiple CPUs.
A single CPU assigned to my CHR ROS system can actually btest using vmxnet-3 Ethernet interfaces through the physical 10-Gig network cards and can reach near 10-Gig throughput to another CHR btest device on a different VMware ESXi server.
Additionally, two CHRs running on the same physical VMware ESXi servers using vmxnet-3 interfaces can easily btest to each other at rates faster than 10-Gig (in my case, I have tested two CHRs on the same system at almost 19-Gig). And, a CHR running a btest to the loopback interface 127.0.0.1 can easily hit over 20-Gig. I have never seen a Mikrotik motherboard btest to the loopback 127.0.0.1 interface at even 1/4th that speed.
Also - in my opinion, a CHR running on a decent SuperMicro with fast Intel XEON CPUs and lots of CPU cache has always totally and easily way outperformed all Mikrotik motherboards that I have tested. For example, a full BGP load on a 10-Gig feed is almost 10-times faster than a CCR1036 Mikrotik router.
Also - again in my opinion, a CCR1036 is good at speeds less than 2-Gig, and a CRS is more of a switch than a router and they are slower. On both your CCRs and CRS mikrotiks, run a btest to 127.0.0.1 and you will discover they are not all that fast or even in the neighborhood of performance a CHR with good hardware can deliver.
North Idaho Tom Jones
- a mptcp enabled kernel
pound as a loadbalancer service
implement letsencrypt including automatisation for certificate renewals.
That isn't required because when you have no link, you will be disconnected (far too) quickly and lose the open window (reverts to connections list)!
Also a green/yellow/red color field within WINBOX to indicate if you are still connected to the router (green - connected, yellow - don't know, red-disconnected)
That is possible with scripts. See my RouterOS Scripts (or at github), especially mode-button-event and mode-button-scheduler.
I would love to see the functionality of the Mode button expanded. Specifically, it would be useful to be able to assign different actions taken based on whether the button was pressed once, double-pressed, triple-pressed, or long-pressed.
You can get rid of this. If you do not need the file just add "keep-result=no" to your fetch command. If you do need the file I suppose you read the content later? Just switch to return value to a variable.
If anybody from MikroTik is reading this I would make a suggestion that I can somehow disable fetch tool log messages.
I wrote a simple script for fetching public IP address for updating No-ip address, and it works OK, but now I have log flooded with fetch messages.
Not true on MacOS/Wine Winbox.
That isn't required because when you have no link, you will be disconnected (far too) quickly and lose the open window (reverts to connections list)!
Also a green/yellow/red color field within WINBOX to indicate if you are still connected to the router (green - connected, yellow - don't know, red-disconnected)
What I would like to see is an option to disconnect only after 1-2 minutes of link-down, so it is possible to survive a router reboot somewhere in between.
Strange! Under Windows and with Linux/Wine this does not happen, whenever the link is lost you get disconnected within 3 seconds.
Not true on MacOS/Wine Winbox.
You get disconnected but it won't throw you out (but the clock stops to work!).
+1
In "queue tree" please provide the option of specifying limit-at and max-limit as a percentage of the limit on the next higher layer.
When the value of the limit in the parent item changes, automatically re-calculate the values specified by percentage.
Now that you mention this, what about being able to personalize the parameters being shown on the dashboard? It would be useful to use a script to show any value or calculation.
Please add temperature and voltage to the dashboard of the Winbox.
Often it is necessary to monitor the parameters and the location on the dashboard would simplify this at times.
You could replicate this with logging and a syslog (remote) logging server. Bit of a workaround
I would like to receive SNMP traps when WiFi client registration occurs...
for example:
[WIRELESS]--Association:11G STA 80:b0:3d:xx:xx:xx associated with WLAN1 SSID = Mikrotik
It's very useful for smart home automation scenarios
As joegoldman wrote, syslog is your friend. Look at the project in my signature using Splunk to monitor Mikrotik.
I would like to receive SNMP traps when WiFi client registration occurs...
2019-01-24 08:48:09 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -45
2019-01-24 08:36:55 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -43
2019-01-24 07:51:17 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -39
2019-01-23 10:05:08 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -32
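The syslog approach suggested above, sketched from the collector side as an added example (not part of any post in this thread): it parses `wireless,info` "connected" lines in the layout shown in the post and flags clients that are not on an allowlist. The function names, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Layout taken from the log lines quoted in the post:
# "<date> <time> <topics> <identity>: <MAC>@<iface>: connected, signal strength <dBm>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<topics>\S+) (?P<identity>[^:]+): "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})@(?P<iface>[^:\s]+): "
    r"connected, signal strength (?P<signal>-?\d+)$"
)


def parse_line(line):
    """Return a dict for a wireless 'connected' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or "wireless" not in m.group("topics").split(","):
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "router": m.group("identity"),
        "mac": m.group("mac").upper(),  # normalise case before comparing
        "iface": m.group("iface"),
        "signal_dbm": int(m.group("signal")),
    }


def association_events(lines, known_macs):
    """Parse all lines and mark each association as known or unknown."""
    known = {mac.upper() for mac in known_macs}
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # other topics or other wireless messages are ignored
        ev["known"] = ev["mac"] in known
        events.append(ev)
    return events


def unknown_clients(events):
    """Sorted list of MAC addresses that associated but are not allowlisted."""
    return sorted({e["mac"] for e in events if not e["known"]})


# Constructed sample input (first line copies the layout from the post).
SAMPLE_LINES = [
    "2019-01-24 08:48:09 wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -45",
    "2019-01-24 08:49:30 wireless,info MikroTik: 02:00:00:00:00:01@wlan1: connected, signal strength -71",
    "2019-01-24 08:50:02 system,info MikroTik: log action changed by admin",
    "2019-01-24 08:51:17 wireless,info MikroTik: 04:79:70:a9:b1:b3@wlan2: connected, signal strength -39",
]
KNOWN_MACS = {"04:79:70:A9:B1:B3"}  # hypothetical allowlist

if __name__ == "__main__":
    for ev in association_events(SAMPLE_LINES, KNOWN_MACS):
        tag = "known" if ev["known"] else "UNKNOWN"
        print(ev["time"], ev["router"], ev["iface"], ev["mac"], ev["signal_dbm"], tag)
```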
winbox: please have some feature to set (or completely disable) the live update interval of pages that show counters etc.
A simple yet I think important request: provide IPv6 out of the box. This really requires a package to be present and some default firewall & stateless configuration enabled. I don't see the reason why in 2019 they are shipped with IPv4 only where even cheap consumer routers are IPv6 enabled OOB.
A request:
Please create a 2g/3g/4g high gain antenna (dual chain). mANT LTE 5o is very little.
Actually you can do
(...)user has to perform factory reset to get decent configuration as starting point - but losing whatever already done in other parts (IPv4, wlan, VLAN, ...).
/system default-configuration print file=default-cfg
Why do you think so? Did they say something (even unofficially)?
Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)
Actually you can do
(...)user has to perform factory reset to get decent configuration as starting point - but losing whatever already done in other parts (IPv4, wlan, VLAN, ...).
after installing IPv6 package and you will get the default config with IPv6 related stuff
/system default-configuration print file=default-cfg
I think so, because NO development of these components has appeared aside from some minor bug fixes, for several years.
Why do you think so? Did they say something (even unofficially)?
Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)
We started renting Mikrotik routers to our customers as a basic managed WiFi solution and one thing that any ISP will run into with this type of setup is the customer hitting the damn reset button.
We'd love a way to change the default configuration that doesn't involve netinstall. It's extremely tedious to have someone sit there and netinstall a stack of routers with our custom configuration. There needs to be a better way! Mikrotiks are so close to being perfect for deploying as managed wifi.
To go with that, a basic Tr069 ACS able to run on RouterOS, like Dude or Userman, would be very useful. As long as it can handle applying configurations, setting wifi info and PPPoE logins, it will get people most of the way there. Monitoring bandwidth, latency and WiFi stats would also be useful.
+infinity agree with that, Why in the logs cannot log the hostname/comment if is there, is very annoying to see/debug: mac abc123 connected mac abc123 disconnected
It would be convenient for CAPsMAN and DHCP to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping
DHCP server lease script can help you:
It would be convenient for CAPsMAN and DHCP to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping
# DHCP server lease script: when a lease is bound, log MAC, IP and host name together
:local leaseHostName;
:if ($leaseBound = 1) do={
    :set leaseHostName $"lease-hostname";
    :log info ("DHCP server: $leaseServerName => MAC: $leaseActMAC => IP: $leaseActIP => Host Name: " . $leaseHostName);
};
https://wiki.mikrotik.com/wiki/Manual:N ... v2_network
Mikrotik's wireless nv2 protocol ( a version of TDMA ) currently does not use encryption ( I think I am correct here … ).
+1
Can we get standard 802.11s support?
I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue),
For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!
SSH forwarding introduces a session takeover scenario, so there is security value of this feature (which is why other vendors implement it). Perhaps a default of 1h or never is better.
I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue),
For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!
and frankly I don't see how that adds any security. Maybe a little more for telnet where you conceivably could take over the open session when you are at an
intermediate router, but for SSH that does not work.
The topic is marked as "Solved"
IEEE1588 and SyncE would be great, but requires specific support in hardware level
Also +1
+1
Can we get standard 802.11s support?
802.11s would be useful to mesh for example with OpenWRT based devices (some of which may be routerboards
[...]
Please implement mesh protocols compatible with non-RouterOS devices!