Re: Feature requests

Posted: Fri Dec 21, 2018 4:35 pm
by cowgirl
Multi Chassis Link Aggregation for CCR1xxx and CRS3xx

Best regards
Alexandra

Re: Feature requests

Posted: Tue Jan 15, 2019 2:38 pm
by pe1chl
In "queue tree" please provide the option of specifying limit-at and max-limit as a percentage of the limit on the next higher layer.
(Within a queue tree, the values in the parent item. In the top item, maybe the interface speed when available. Or percentages could be disallowed there.)

When the value of the limit in the parent item changes, automatically re-calculate the values specified by percentage.

Re: Feature requests

Posted: Tue Jan 15, 2019 4:55 pm
by muetzekoeln
In "queue tree" please provide the option of specifying limit-at and max-limit as a percentage of the limit on the next higher layer.
When the value of the limit in the parent item changes, automatically re-calculate the values specified by percentage.
+1

Yes please, this is very useful!

Re: Feature requests

Posted: Wed Jan 16, 2019 1:09 pm
by SaurVLZ
Please add temperature and voltage to the dashboard of the Winbox.
Often it is necessary to monitor the parameters and the location on the dashboard would simplify this at times.
[attachment: winbox upg.jpg]

Re: Feature requests

Posted: Wed Jan 16, 2019 3:01 pm
by iperezandres
Please add temperature and voltage to the dashboard of the Winbox.
Often it is necessary to monitor the parameters and the location on the dashboard would simplify this at times.
[attachment: winbox upg.jpg]
Now that you mention this, what about being able to personalize the parameters being shown on the dashboard? It would be useful to use a script to show any value or calculation.

Re: Feature requests

Posted: Wed Jan 16, 2019 3:42 pm
by pe1chl
Of course when you need a dashboard with all kinds of customized parameters it is easy to make that using SNMP.
I would make such a thing on a local webserver in Perl or PHP but undoubtedly there exist "user friendly" packages for Windows that can do that too.
And of course MikroTik have "the Dude" which can do that as well.

Feature request: IEEE 1588 support

Posted: Fri Jan 18, 2019 2:19 pm
by muetzekoeln
RouterOS includes limited (S)NTP support for syncing clocks. For many applications (e.g. in telecoms and industry) more time precision is required. Protocol IEEE 1588-2008 (aka PTP, IEEE1588v2) is used for this. It would be a great benefit if Mikrotik devices would support IEEE 1588 and function as a transparent clock, better yet a boundary clock. Maybe some of the built-in switch chips already have support for IEEE1588 timestamping in hardware.

You find some information about IEEE 1588 here:
https://www.endruntechnologies.com/pdf/PTP-1588.pdf
https://www.endace.com/ptp-timing-whitepaper

This forum already had some discussion about IEEE 1588:
viewtopic.php?f=1&t=70793&p=534801&hili ... 88#p534801
viewtopic.php?f=1&t=87471&p=465496&hili ... 88#p465496
viewtopic.php?f=1&t=79304&p=421858&hili ... 88#p421858
viewtopic.php?f=21&t=121198&p=605388&hilit=1588#p605388

Of course one has to have a grandmaster clock accessible to make use of IEEE 1588. Mikrotik devices only could transport PTP packets better, if supported.

Re: Feature requests

Posted: Sat Jan 19, 2019 11:48 am
by MikrotikOdessa
I would like to receive SNMP traps when WiFi client registration occurs...

for example:
[WIRELESS]--Association:11G STA 80:b0:3d:xx:xx:xx associated with WLAN1 SSID = Mikrotik


It's very useful for smart home automation scenarios

Re: Feature requests

Posted: Mon Jan 28, 2019 11:10 pm
by Pada
I would love the following Winbox (and WebFix) features to be added:
  1. Setting default options for Tools > Torch, because I always have to first deselect "Src. Address6" & "Dst. Address6" and then select "Port" & "Protocol"
  2. Setting to prevent drag & drop of Firewall rules to prevent accidental changes in firewall order

Re: Feature requests

Posted: Mon Jan 28, 2019 11:54 pm
by joegoldman
I would like to receive SNMP traps when WiFi client registration occurs...

for example:
[WIRELESS]--Association:11G STA 80:b0:3d:xx:xx:xx associated with WLAN1 SSID = Mikrotik


It's very useful for smart home automation scenarios
You could replicate this with logging and a syslog (remote) logging server. Bit of a workaround

Re: Feature requests

Posted: Tue Jan 29, 2019 8:42 am
by Jotne
I would like to receive SNMP traps when WiFi client registration occurs...
As joegoldman writes, syslog is your friend. Look at the project in my signature using Splunk to monitor Mikrotik.
There I dropped using SNMP altogether, since you then have to add/scan for all new devices.
Now a script on the router calls home with all information needed.

This is how the log lines look from the router using syslog (they even show the signal strength and what VLAN is used)
2019-01-24 08:48:09	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -45
2019-01-24 08:36:55	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -43
2019-01-24 07:51:17	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -39
2019-01-23 10:05:08	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -32
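Added example, not code from Jotne's post or his Splunk project: a small Python parser for exactly these syslog lines that builds a "last seen per MAC" table and a presence check, which is the piece a home-automation script would consult. The first MAC is the one from the post; the second MAC, the non-wireless line and the timestamps are constructed here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the lines above (tab after the timestamp).
# The second MAC and the last, non-wireless line are made up to show that
# other entries are skipped.
SAMPLE_LOG = (
    "2019-01-24 08:48:09\twireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -45\n"
    "2019-01-24 08:36:55\twireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -43\n"
    "2019-01-23 10:05:08\twireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -32\n"
    "2019-01-24 09:02:10\twireless,info MikroTik: 02:00:5E:00:00:01@wlan1: connected, signal strength -71\n"
    "2019-01-24 09:10:00\tsystem,info MikroTik: constructed non-wireless line\n"
)

WIRELESS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\t"
    r"wireless,info (?P<host>\S+): "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})@(?P<iface>\S+): "
    r"connected, signal strength (?P<signal>-?\d+)$"
)

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_wireless_events(text):
    """Association events from syslog text; lines of other topics are ignored."""
    events = []
    for line in text.splitlines():
        m = WIRELESS_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], TIME_FMT),
            "host": m["host"],
            "mac": m["mac"].upper(),
            "iface": m["iface"],
            "signal_dbm": int(m["signal"]),
        })
    return events


def last_seen_by_mac(events):
    """Latest association per MAC, whatever order the lines arrive in."""
    latest = {}
    for ev in events:
        cur = latest.get(ev["mac"])
        if cur is None or ev["time"] > cur["time"]:
            latest[ev["mac"]] = ev
    return latest


def presence_report(text, known_macs, now, max_age_hours=12):
    """Presence signal for automation: known MACs seen within max_age_hours of
    `now` (a "YYYY-MM-DD HH:MM:SS" string) count as present; MACs not in the
    known list are reported so an unexpected client on the SSID is noticed."""
    now_dt = datetime.strptime(now, TIME_FMT)
    max_age = timedelta(hours=max_age_hours)
    latest = last_seen_by_mac(parse_wireless_events(text))
    known = {m.upper() for m in known_macs}
    present = sorted(m for m, ev in latest.items()
                     if m in known and now_dt - ev["time"] <= max_age)
    unknown = sorted(m for m in latest if m not in known)
    return {
        "present": present,
        "unknown": unknown,
        "last_seen": {m: ev["time"].strftime(TIME_FMT) for m, ev in latest.items()},
    }
```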

Re: Feature requests

Posted: Fri Feb 01, 2019 2:32 pm
by pe1chl
winbox: please have some feature to set (or completely disable) the live update interval of pages that show counters etc.

When managing a router via a slow network or when using winbox over something like RDP or X2GO and when it shows a page that has a lot of counters (e.g. firewall filter with >200 filters) the winbox client is very busy with updating the page and it becomes difficult to actually do something (like moving a rule).
I would like to just pause the updating or configure it to update like every minute instead of "all the time".

Re: Feature requests

Posted: Fri Feb 01, 2019 2:45 pm
by mkx
winbox: please have some feature to set (or completely disable) the live update interval of pages that show counters etc.

++

While at it, do it for WebFig as well.

Re: Feature requests

Posted: Sat Feb 02, 2019 11:29 pm
by DmitryAVET
Dear Mikrotik, what about automatic certificates from Let's Encrypt?

Keenetic (ex Zyxel) provides AUTOMATIC certificates by Let's Encrypt:
https://blog.keenetic.com/keenetic-join ... r-society/

Why can't Mikrotik provide the same?

SSL for WWW services, including WebFig, especially remote, hotspot...

Check this out:
[attachment: ssl.png]
It's cool!

Re: Feature requests

Posted: Sun Feb 03, 2019 7:57 am
by kiler129
A simple yet I think important request: provide IPv6 out of the box. This really requires a package to be present and some default firewall & stateless configuration enabled. I don't see the reason why in 2019 they are shipped with IPv4 only where even cheap consumer routers are IPv6 enabled OOB.

Re: Feature requests

Posted: Sun Feb 03, 2019 10:24 am
by mkx
A simple yet I think important request: provide IPv6 out of the box. This really requires a package to be present and some default firewall & stateless configuration enabled. I don't see the reason why in 2019 they are shipped with IPv4 only where even cheap consumer routers are IPv6 enabled OOB.

++

Especially so as loading the IPv6 package means it doesn't have default settings (i.e. firewall rules) and the user has to perform a factory reset to get a decent configuration as a starting point - but losing whatever was already done in other parts (IPv4, wlan, VLAN, ...).

Re: Feature requests

Posted: Sun Feb 03, 2019 11:41 am
by pe1chl
That is certainly true, but frankly even more important is to bring the IPv6 functionality up to par with what is available in IPv4.
There is a separate topic about that.
Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)

Re: Feature requests

Posted: Sun Feb 03, 2019 3:37 pm
by krafg
A request:

Please create a 2g/3g/4g high gain antenna (dual chain). mANT LTE 5o is very little.

Re: Feature requests

Posted: Sun Feb 03, 2019 3:46 pm
by mkx
A request:

Please create a 2g/3g/4g high gain antenna (dual chain). mANT LTE 5o is very little.

There are plenty of high-quality third-party antennae available ... one only needs appropriate connector converters (many antennae come with FME connectors, so one needs SMA-to-FME pigtails).

Re: Feature requests

Posted: Mon Feb 04, 2019 1:59 am
by kiler129
(...)user has to perform factory reset to get decent configuration as starting point - but losing whatever already done in other parts (IPv4, wlan, VLAN, ...).
Actually you can do
/system default-configuration print file=default-cfg
after installing IPv6 package and you will get the default config with IPv6 related stuff ;)
Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)
Why do you think so? Did they say something (even unofficially)?

Re: Feature requests

Posted: Mon Feb 04, 2019 6:39 am
by metricmoose
We started renting Mikrotik routers to our customers as a basic managed WiFi solution and one thing that any ISP will run into with this type of setup is the customer hitting the damn reset button.

We'd love a way to change the default configuration that doesn't involve netinstall. It's extremely tedious to have someone sit there and netinstall a stack of routers with our custom configuration. There needs to be a better way! Mikrotiks are so close to being perfect for deploying as managed wifi.

To go with that, a basic TR-069 ACS able to run on RouterOS, like Dude or Userman, would be very useful. As long as it can handle applying configurations, setting wifi info and PPPoE logins, it will get people most of the way there. Monitoring bandwidth, latency and WiFi stats would also be useful.

Re: Feature requests

Posted: Mon Feb 04, 2019 8:50 am
by mkx
(...)user has to perform factory reset to get decent configuration as starting point - but losing whatever already done in other parts (IPv4, wlan, VLAN, ...).
Actually you can do
/system default-configuration print file=default-cfg
after installing IPv6 package and you will get the default config with IPv6 related stuff ;)

I know that ... but vast majority of SOHO users (and those seem to be the focus of MT lately) don't ... they struggle to enable IPv6 and don't bother with the rest of config ... just as they don't bother about IPv4 config, but luckily the default firewall for IPv4 is quite decent lately.

Re: Feature requests

Posted: Tue Feb 05, 2019 8:08 am
by 4lphanumeric
Ability to swap the rx/tx representation in the graphing setting.

Normal : In -> green, Out -> blue
Swapped: In -> blue, Out -> green

Re: Feature requests

Posted: Tue Feb 05, 2019 11:52 am
by pe1chl
Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)
Why do you think so? Did they say something (even unofficially)?
I think so, because NO development of these components has appeared aside from some minor bug fixes, for several years.
And also note they are trying to hire new developers for quite some time already.

Also, it appears the watchful eye that reminds the others in the room at the development meeting that IPv6 exists has disappeared.
New features like Kid Control and Detect Internet are developed and released WITHOUT IPv6 support.

Re: Feature requests

Posted: Mon Feb 11, 2019 11:02 am
by neos14
Please add support for SNMP views.
To be able to provide a limited set of OIDs for a specific SNMP community.

Re: Feature requests

Posted: Tue Feb 12, 2019 4:45 pm
by dravnieks
Flashing every router with netinstall is a minor and fast process; the only issue is that in later versions the configuration is not persistent after reset.

Have you tried to apply a default configuration on 40 Fritzbox routers?

40 hAP ac2 I would get flashed in less than 2 hours: get a 24-port PoE switch and a pile of patch leads. Uploading the config to a Fritz will take 10 minutes per router because of endless reboots and button confirmations.


We started renting Mikrotik routers to our customers as a basic managed WiFi solution and one thing that any ISP will run into with this type of setup is the customer hitting the damn reset button.

We'd love a way to change the default configuration that doesn't involve netinstall. It's extremely tedious to have someone sit there and netinstall a stack of routers with our custom configuration. There needs to be a better way! Mikrotiks are so close to being perfect for deploying as managed wifi.

To go with that, a basic TR-069 ACS able to run on RouterOS, like Dude or Userman, would be very useful. As long as it can handle applying configurations, setting wifi info and PPPoE logins, it will get people most of the way there. Monitoring bandwidth, latency and WiFi stats would also be useful.

PPPoE event scripts

Posted: Wed Feb 13, 2019 1:09 pm
by muetzekoeln
It would be useful to have link-up and link-down event scripts for PPPoE client.
And please make "message" from Authenticate-Ack and Authenticate-Nak available for parsing.

Some carriers communicate DSL connection speed by using Authenticate-Ack message [PAP AuthAck id=0x1 "SRU=uploadspeed#SRD=downloadspeed#]:
https://www.ip-phone-forum.de/threads/s ... st-2274697
https://www.onlinekosten.de/forum/showt ... ost2466544

Re: Feature requests

Posted: Wed Feb 13, 2019 3:19 pm
by mrz
PPP profile already has on-up on-down events.

Re: Feature requests

Posted: Wed Feb 13, 2019 4:43 pm
by BartoszP
It would be convenient for CAPsMAN and DHCP to log not only the MAC address but also the HOSTNAME if it is known.
The process of transforming MAC to host is tedious, and if the log changes quickly you have no chance to check who is associating/DHCPing.

Re: Feature requests

Posted: Wed Feb 13, 2019 6:53 pm
by raffav
It would be convenient for CAPsMAN and DHCP to log not only the MAC address but also the HOSTNAME if it is known.
The process of transforming MAC to host is tedious, and if the log changes quickly you have no chance to check who is associating/DHCPing.
+infinity, agree with that. Why can the logs not log the hostname/comment if it is there? It is very annoying to see/debug: mac abc123 connected, mac abc123 disconnected

Re: Feature requests

Posted: Wed Feb 13, 2019 11:14 pm
by logistic69
Please include VPN templates for iOS, Windows 10.
It is a nightmare trying to make 6.43 work with iOS 12.1; it simply doesn't work.
Or post an updated wiki on how to do it; every time a new RouterOS release comes up it breaks something in VPN.
Sadly I need to change to another brand in order to do it.

Re: Feature requests

Posted: Thu Mar 14, 2019 11:35 pm
by TomjNorthIdaho
Feature Request (1 of 2):
Mikrotik's wireless nv2 protocol ( a version of TDMA ) currently does not use encryption ( I think I am correct here … ).
I would like to see an ability to use a WPA-2 encryption on nv2 wireless networks.

Feature Request (2 of 2):
This is from a post I originally placed in the General forum under Public-Mikrotik-Bandwidth-Test-Server(s).

I would like to see a new optional Mikrotik ROS package which can perform http speedtests between Mikrotiks and client connected computers (something similar to http://my-mikrotik-IP-address/speed-btest).
… Where an optional login/password could be used to perform a http UDP-or-TCP up-or-down bandwidth test
… Where a client computer behind a NATted Mikrotik could perform speedtests to their inside Mikrotik gateway IP address, and/or to any Mikrotik IP address out on the Internet.
… Where the Mikrotik admin has some control for maximum bandwidth, number of simultaneous speed-btest testers, and setting to limit how often a client can perform a http speed-btest.
… The Mikrotik http speed-btest should be a simple TCP-up, then TCP-down, then UDP-up then UDP down, followed by a round-trip-ping response time.
… The output after the http speed-btest could then report all kinds of information, including the number of dropped packets during each test -and- it would also be nice to show at what speeds RED ( Random Early Detection ) begins kicking in with dropped packets.
I suspect this type of a Speed-btest server could become very very popular. And the http speed-btest web page could show some pre-configured ISP hosting information and a URL indicating "Powered by Mikrotik" which links to Mikrotik. Mikrotik just might get a boost in sales from something like this.

Re: Feature requests

Posted: Thu Mar 14, 2019 11:54 pm
by ditonet
It would be convenient for CAPsMAN and DHCP to log not only the MAC address but also the HOSTNAME if it is known.
The process of transforming MAC to host is tedious, and if the log changes quickly you have no chance to check who is associating/DHCPing.
DHCP server lease script can help you:
# DHCP lease script: runs on every lease bind and release; $leaseBound is 1 on bind
:local leaseHostName;
:if ($leaseBound = 1) do={
  # host name the client sent in its DHCP request (may be empty)
  :set leaseHostName $"lease-hostname";
  :log info ("DHCP server: $leaseServerName => MAC: $leaseActMAC => IP: $leaseActIP => Host Name: " . $leaseHostName);
};

Re: Feature requests

Posted: Fri Mar 15, 2019 11:50 am
by Chupaka
Mikrotik's wireless nv2 protocol ( a version of TDMA ) currently does not use encryption ( I think I am correct here … ).
https://wiki.mikrotik.com/wiki/Manual:N ... v2_network

"/interface ppp-client at-chat" wait missing

Posted: Wed Mar 20, 2019 12:51 pm
by DanielJB
It is extremely useful to use the 'wait' parameter in "/interface lte at-chat" eg wait=yes.

Please can it be added for "/interface ppp-client at-chat" also as is missing?

Re: Feature requests

Posted: Wed Mar 20, 2019 3:39 pm
by muetzekoeln
Can we get standard 802.11s support?
+1
802.11s would be useful to mesh for example with OpenWRT based devices (some of which may be routerboards ;-)

But to mesh RouterOS with coming commercial devices it would need Wi-Fi EasyMesh:
https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh

Please implement mesh protocols compatible with non-RouterOS devices!

Re: Feature requests - SSH autologout for security

Posted: Thu Mar 28, 2019 4:42 am
by DanielJB
For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!

On my Unix systems, I set TMOUT for root in a similar way.

Re: Feature requests - SSH autologout for security

Posted: Thu Mar 28, 2019 11:26 am
by pe1chl
For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!
I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue),
and frankly I don't see how that adds any security. Maybe a little more for telnet where you conceivably could take over the open session when you are at an
intermediate router, but for SSH that does not work.

Re: Feature requests - SSH autologout for security

Posted: Thu Mar 28, 2019 12:07 pm
by DanielJB
For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!
I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue),
and frankly I don't see how that adds any security. Maybe a little more for telnet where you conceivably could take over the open session when you are at an
intermediate router, but for SSH that does not work.
SSH forwarding introduces a session takeover scenario, so there is security value of this feature (which is why other vendors implement it). Perhaps a default of 1h or never is better.

Re: Feature requests

Posted: Thu Mar 28, 2019 2:46 pm
by pe1chl
I think other vendors only implement it because it is on standard recommendation (or even requirement) lists, not really for security.
Similar to requiring (very) frequent password changes, requiring complicated passwords, etc.
All things that could be valuable in some limited scenarios but are imposed on everyone and everything just for the sake of being able to set a checkmark.

Re: Feature requests

Posted: Tue Apr 09, 2019 4:25 pm
by pe1chl
When a user or admin logs in incorrectly the following message is logged:

system,error,critical login failure for user xxxxx from ...

Please remove the username (xxxxx in this case) from this log message or provide a system setting to do that.
Logging the username for login failures is a security risk.
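Added example, not from pe1chl's post: a Python collector-side filter for exactly this message that strips the username before the line is forwarded, and counts failures per source address so a burst from one address still stands out. The sample lines, addresses and the "via ssh"/"via winbox" suffixes are constructed here; the third line shows why the field matters: a password typed into the username box lands in the log.

```python
import re
from collections import Counter

# Constructed sample lines built from the message format quoted above.
SAMPLE_LINES = [
    "system,error,critical login failure for user admin from 198.51.100.7 via ssh",
    "system,error,critical login failure for user admin from 198.51.100.7 via ssh",
    "system,error,critical login failure for user Hunter2! from 198.51.100.7 via ssh",
    "system,error,critical login failure for user tom from 203.0.113.21 via winbox",
    "system,info,account user admin logged in from 192.0.2.9 via winbox",
]

# Optional leading text (syslog timestamp/host) is tolerated; the username is
# whatever sits between "for user " and " from ".
LOGIN_FAIL_RE = re.compile(
    r"^(?P<prefix>(?:.*?\s)?system,error,critical login failure for user )"
    r"(?P<user>\S+)"
    r"(?P<suffix> from (?P<src>\S+).*)$"
)


def redact_username(line):
    """Same line with the username replaced; non-matching lines pass through."""
    m = LOGIN_FAIL_RE.match(line)
    if not m:
        return line
    return f"{m['prefix']}<redacted>{m['suffix']}"


def failures_by_source(lines):
    """Failed-login count per source address (the detection signal that
    survives redaction)."""
    counts = Counter()
    for line in lines:
        m = LOGIN_FAIL_RE.match(line)
        if m:
            counts[m["src"]] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """Source addresses with at least `threshold` failures, sorted."""
    return sorted(src for src, n in failures_by_source(lines).items() if n >= threshold)


def forward(lines):
    """What the collector ships onward: every line, usernames removed."""
    return [redact_username(line) for line in lines]
```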

Re: Feature requests

Posted: Thu Apr 11, 2019 11:03 am
by pe1chl
Please add an ARP mode that replies to ARP requests with info from the local ARP cache.
E.g. local-proxy-arp-cache
When the router receives an ARP request on an interface where this is enabled, it first does a lookup in its own ARP table.
When the entry is found there, a reply is sent that is exactly the same as when that particular device would answer the ARP.
When not, either an ARP request is made first and after reply the data is replied from the cache as above, or the router
replies with its own MAC address as in local-proxy-arp. (whatever is more convenient to implement)

This is useful in large WiFi installations where filtering has been implemented to reduce the amount of broadcast traffic.
Usually in such a setup, devices can not communicate with each other because they do not hear each other's ARP requests.
A workaround for that is to set up local-proxy-arp in the router, but the result is that all such communication is flowing
via the router. This can be optimized by telling the requester the MAC address of the desired peer device on behalf of
that device.

Re: Feature requests

Posted: Thu Apr 11, 2019 12:27 pm
by muetzekoeln
Dear Mikrotik, what about automatic certificates from Let's Encrypt?
+1 again ;-)

viewtopic.php?t=92673

Re: Feature requests

Posted: Thu Apr 11, 2019 12:31 pm
by Chupaka
The topic is marked as "Solved" :)

Re: Feature requests

Posted: Thu Apr 11, 2019 5:33 pm
by Sob
Yeah, about that "solved"... If Let's Encrypt support is solved by the solution (workaround is better word(*)) presented in that thread, then we can magically solve all other RouterOS shortcomings right away. Why didn't we think about it before, it's so simple, just add Linux machine to your router! You can solve pretty much anything that way.

(*) Don't get me wrong, I don't have anything against it, it's nice idea, definitely better than nothing and can be good enough for someone.

Re: Feature requests

Posted: Thu Apr 11, 2019 6:50 pm
by anav
I already did that Sob! I added an RPI for my DNS. ;-)

Re: Feature requests

Posted: Thu Apr 11, 2019 11:04 pm
by mada3k
IEEE1588 and SyncE would be great, but require specific support at hardware level.

A more stressful issue is the need for BGP RPKI support.

Re: Feature requests

Posted: Fri Apr 12, 2019 2:48 am
by vecernik87
To be honest, this is one of the features which would be amazing and very appreciated.
Although it is possible to do through third-party device, it would be much more convenient to do it directly through ROS.
Unfortunately, I am afraid it won't happen because it would be very specific integration of 3rd party service and that never happened in the past (same as we don't have integrated support for 3rd party ddns or 3rd party VPN provider)

Re: Feature requests

Posted: Fri Apr 12, 2019 8:56 am
by muetzekoeln
IEEE1588 and SyncE would be great, but require specific support at hardware level

IEEE1588 works without hardware support, but performance is not so good. It even works over WLAN:
https://www.researchgate.net/profile/Wu ... ion_detail

There are switch chips (also from QC) with support for IEEE1588 and sometimes SyncE for many years. It would be nice to know which Mikrotik products already have these built-in. Someone with this knowledge out there??

It could also support a better TDMA protocol as suggested here:
viewtopic.php?t=87471#p465494
viewtopic.php?t=70793&start=100#p515551

Maybe Mikrotik can also offer an affordable GNSS-based POE-powered IEEE1588 grandmaster-clock device for mast mounting ....

Re: Feature requests

Posted: Fri Apr 12, 2019 2:19 pm
by dohmniq
Can we get standard 802.11s support?
+1
802.11s would be useful to mesh for example with OpenWRT based devices (some of which may be routerboards ;-)
[...]
Please implement mesh protocols compatible with non-RouterOS devices!
Also +1
I'm involved in a commercial project that is looking to use 802.11s but I have to install OpenWRT on Routerboards to get 802.11s support.
AFAIK, 802.11s is baked into the Linux kernel which is also used for RouterOS?
Using wireless snooper on RouterOS you wouldn't even know there was a 802.11s mesh on your frequency!

Re: Feature requests

Posted: Mon Apr 15, 2019 12:11 pm
by hel
Please add an attribute or other way to set total-max-limit/total-limit-at via RADIUS.
There's no way to make changes to dynamic queues. In case of a PPPoE network we can't use manual queues.
Total-max-limit is used to limit up+down to some total value.

Re: Feature requests - Re Winbox , close all

Posted: Mon Apr 15, 2019 5:55 pm
by TomjNorthIdaho
A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many, many windows open in winbox; click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones

Re: Feature requests - Re Winbox , close all

Posted: Mon Apr 15, 2019 6:45 pm
by jprietove
A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many, many windows open in winbox; click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
Isn't it the existing Session -> Close Windows?

Re: Feature requests

Posted: Mon Apr 15, 2019 11:11 pm
by akschu
This is what I need, a way to make a firewall list based on ipsec identity. All that's needed to make this work is the ability to define src-address-list when responder=yes:

/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-firewallrulesA src-address-list=firewallrulesA responder=yes

/ip ipsec identity
add auth-method=rsa-signature certificate=vpnserver remote-certificate=fred generate-policy=port-strict mode-config=ike2-firewallrulesA peer=ike2 policy-template-group=ike2-policies

When someone starts IPsec with certificate=fred, then they are connected to mode-config and added to address list firewallrulesA where we can firewall the road-warrior to specific services by simply using the address list.

Right now the only way to do this is to define an IP pool or static address for every firewall ruleset you want to tie to a user/certificate.

Re: Feature requests - Re Winbox , close all

Posted: Mon Apr 15, 2019 11:42 pm
by TomjNorthIdaho
A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many, many windows open in winbox; click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
Isn't it the existing Session -> Close Windows?
Hmmm, yeah, I know if I exit my winbox to a remote Mikrotik then all the sessions associated with that winbox connection close.

What I am looking for is a simple way to have a winbox session to a remote Mikrotik, then have a quick/easy method to close all the open windows in that winbox session yet still keep my winbox session running.

Example - in my attachment image - a new selection to auto close everything with an X marked in red. Yet keep the Winbox still connected to the remote Mikrotik.

Re: Feature requests

Posted: Tue Apr 16, 2019 8:44 am
by vadimkara
Please add multi peer priority/fallback to ipsec policy.

Re: Feature requests - Re Winbox , close all

Posted: Tue Apr 16, 2019 11:28 am
by jprietove
A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many, many windows open in winbox; click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
Or I'm not understanding you... or for sure it is the existing option "Session->Close All Windows". It closes all the windows without disconnecting the winbox session. Please, check it

Re: Feature requests

Posted: Tue Apr 16, 2019 12:45 pm
by pe1chl
I would like to see a windows list in winbox, either as a menu item or by having a button corresponding to each window in the top bar (similar to the task bar in Windows).
This can be used to raise windows that are buried after opening others.
And/or a right-click function to lower a window.

I commonly open a "Log" window and set it fullsize, then open other windows on top of it.
When I mistakenly click outside an opened window, the Log window raises to top and covers everything else, without any way to get those raised again.
One of those additions could solve that.

Re: Feature requests - Re Winbox , close all

Posted: Tue Apr 16, 2019 5:27 pm
by TomjNorthIdaho
A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many, many windows open in winbox; click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
Or I'm not understanding you... or for sure it is the existing option "Session->Close All Windows". It closes all the windows without disconnecting the winbox session. Please, check it
OOooo :)
I must be a dummy. I see it now and it's easy.
Thanks for the info
North Idaho Tom Jones

Re: Feature requests - PPPoE snooping

Posted: Thu Apr 18, 2019 3:42 pm
by dada
Hi,

I would like to see a PPPoE snooping feature in ROS. It could allow identifying (at login time) which AP a PPPoE user is connected to, for example.

Re: Feature requests

Posted: Thu Apr 18, 2019 4:27 pm
by muetzekoeln
When improving PPPoE, please look also into RFC4938. The link metrics extensions make sense with wireless links as well as with DSL, where bandwidth can change for an up-state interface.
PADQ information could be applied to QoS/queue parameters if made available by PPP event scripts (new events necessary).

Re: Feature requests

Posted: Thu Apr 18, 2019 6:58 pm
by TomjNorthIdaho
Request - CHR ISO to allow CHR install on a bare metal platform.

Reason for request:
#1 - CHR running on the free version of VMware ESXi has a limitation of 8 CPUs per virtual hosted system.
#2 - The cost of VMware ESXi license to enable greater than 8 CPUs to a virtual hosted system can be quite expensive.

An ISO install version on a bare metal box could permit the following:
- Boot on USB (bare metal BIOS configured to make the USB appear as an IDE drive).
- Utilize E1000e ethernet interfaces (10-Gig).
- Utilize all cores (dual multi-core Xeon CPUs). Example - two Xeon CPUs with 28-cores (not counting HT), could allow a CHR to function with 56 (or much more) Xeon CPUs.

A bare-metal CHR may be up to hundreds of times faster than a virtual hosted CHR (with 8 CPUs), running hundreds/thousands of complex firewall rules.

I have tried x86 on bare metal, but I've experienced x86 ROS lockups under heavy loads.
I am researching a v-to-p (virtual machine to physical machine) conversion - and it may be possible - but uncertain and untested.

North Idaho Tom Jones

Re: Feature requests

Posted: Sat Apr 20, 2019 1:41 pm
by McSee
Can't believe that RoS console still doesn't have such a basic feature as command history search!

Like Ctrl-R/Ctrl-S in bash. Type Ctrl-R then few letters and it will show you previous command from the history with these letters, with Ctrl-R to move to the next result up and Ctrl-S down.

And no filter in log viewer in Winbox even after numerous requests ?

Re: Feature requests

Posted: Sat Apr 20, 2019 3:08 pm
by mfr476
Is more improvement possible in 5GHz ac wireless?

formal port knocking

Posted: Mon Apr 22, 2019 2:30 pm
by libove
There are several discussions in these and other forums about how to implement port knocking in RouterOS. And, at a basic level, they all can work.
In short, they tend to be "detect proto on port, add src to address-list KNOCKPHASE1", "detect proto on port2 when src already on address-list KNOCKPHASE1, add src to address-list KNOCKEDSUCCESSFULLY", "allow in when src on address-list KNOCKEDSUCCESSFULLY".
The problem is that certain types of port scans can trigger this.
So we'd also want "... and src has NOT appeared on any OTHER port, or on these ports in the wrong order".
That turns out to be messy with RouterOS as it is today. Possible, but messy. (At the least, you end up with ports on both a successfully-knocked list AND a blacklist, and rule execution order plus the admin having a good memory or good documentation is required to avoid mental confusion...)

So, a feature request for RouterOS, formal, flexible port knocking.
Knocking should allow any combination and order of ports and protocols, up to N layers deep. (At least three. e.g. TCP/4321 followed by UDP/7654 followed by ICMP type 8 subtype 0)
The formal port knocking implementation offered as part of RouterOS should have, built-in, an optional "... and no other traffic from src in the past few seconds/minutes". (That's the part that's hard to implement cleanly with today's RouterOS).

thanks,

Re: Feature requests

Posted: Thu Apr 25, 2019 2:47 am
by muetzekoeln
I would like to have an option to select and enable DFS (in the variants ETSI, FCC and JP) when using 5GHz superchannel/no_country_set setting.

Re: formal port knocking

Posted: Thu Apr 25, 2019 10:54 am
by pe1chl
So, a feature request for RouterOS, formal, flexible port knocking.
Knocking should allow any combination and order of ports and protocols, up to N layers deep.
I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).
However, a reasonable request would be to implement a new firewall rule action "remove src from address list" (and maybe "remove dst from address list"),
which would allow you to build what you want using the existing "add" action to add addresses to a list as they walk through the desired port knocking steps,
and use the "remove" action when they do things that do not match your desired steps (so they fall back to initial state).
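The knock sequence from the request above, together with the "remove src from address list" fallback pe1chl describes, as an added Python simulation (not RouterOS configuration and not code from either post); the traffic samples, addresses and timeout value are constructed, and `strict=True` stands for the proposed reset-on-stray-traffic behaviour:

```python
"""Port-knock state machine with the "reset on stray traffic" rule.

Constructed simulation, added as an illustration; it is not RouterOS code.
Each source address carries a phase number standing in for membership of the
address-lists KNOCKPHASE1, KNOCKPHASE2, ... and KNOCKEDSUCCESSFULLY, and the
address-list timeout is modelled as a per-entry expiry.  strict=True adds the
proposed "remove src from address-list" action: any packet that is not the
expected next knock returns the source to the initial state.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Step = Tuple[str, int]          # (protocol, port); for ICMP the "port" is the type

# Sequence from the request: TCP/4321, then UDP/7654, then ICMP echo request (type 8)
SEQUENCE: List[Step] = [("tcp", 4321), ("udp", 7654), ("icmp", 8)]


@dataclass
class KnockTracker:
    sequence: List[Step]
    strict: bool                  # reset progress on any unexpected packet
    timeout: float = 10.0         # seconds a phase entry lives (address-list timeout)
    # src -> (phase reached, time of the knock that put it there)
    phase: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def current_phase(self, src: str, now: float) -> int:
        """Phase of src, with an expired entry counting as phase 0."""
        reached, stamp = self.phase.get(src, (0, now))
        if reached and now - stamp > self.timeout:
            del self.phase[src]                   # address-list entry timed out
            return 0
        return reached

    def packet(self, src: str, proto: str, port: int, now: float) -> int:
        """Process one packet from src; returns the phase src is in afterwards."""
        reached = self.current_phase(src, now)
        if reached >= len(self.sequence):
            return reached                        # already knocked in; nothing to track
        if (proto, port) == self.sequence[reached]:
            self.phase[src] = (reached + 1, now)  # add src to KNOCKPHASE<n+1> / KNOCKEDSUCCESSFULLY
            return reached + 1
        if self.strict and reached > 0:
            self.phase.pop(src, None)             # proposed "remove src from address-list"
            return 0
        return reached                            # naive rules simply ignore the stray packet

    def allowed(self, src: str, now: float) -> bool:
        """True when src is on KNOCKEDSUCCESSFULLY (all steps done, not timed out)."""
        return self.current_phase(src, now) >= len(self.sequence)


Packet = Tuple[str, str, int, float]    # (src, proto, port, time)

# Constructed traffic: one legitimate knocker and one sequential port scanner that
# happens to sweep across all three knock ports in the right order.
LEGIT: List[Packet] = [("192.0.2.10", "tcp", 4321, 1.0),
                       ("192.0.2.10", "udp", 7654, 2.0),
                       ("192.0.2.10", "icmp", 8, 3.0)]
SCAN: List[Packet] = (
    [("198.51.100.7", "tcp", p, 1.0 + i * 0.1) for i, p in enumerate(range(4319, 4324))]
    + [("198.51.100.7", "udp", p, 2.0 + i * 0.1) for i, p in enumerate(range(7652, 7657))]
    + [("198.51.100.7", "icmp", 8, 3.0)]
)


def evaluate(strict: bool, packets: Optional[List[Packet]] = None) -> Dict[str, bool]:
    """Replay packets in time order and report which sources end up allowed."""
    packets = LEGIT + SCAN if packets is None else packets
    tracker = KnockTracker(SEQUENCE, strict=strict)
    for src, proto, port, t in sorted(packets, key=lambda p: p[3]):
        tracker.packet(src, proto, port, t)
    return {src: tracker.allowed(src, 4.0) for src in sorted({p[0] for p in packets})}


if __name__ == "__main__":
    print("naive :", evaluate(strict=False))   # the scanner gets in too
    print("strict:", evaluate(strict=True))    # the scanner is reset by its own stray packets
```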

Re: formal port knocking

Posted: Tue Apr 30, 2019 9:57 pm
by vecernik87
I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).
Kids control.
'nuff said

Re: Feature requests

Posted: Fri May 03, 2019 1:47 pm
by muetzekoeln
Dear Mikrotik, what about automatic certificates from Let's Encrypt?

Someone wrote a lightweight ACMEv2 client in C:
https://github.com/ndilieto/uacme

So it should be possible to implement it as a ROS package.

Re: Feature requests

Posted: Fri May 03, 2019 6:35 pm
by Sob
I'm sure that MikroTik can easily write their own ACME client. But it's even more important how it should fit into RouterOS and work for as many scenarios as possible.

For example, maybe you just want a certificate for https WebFig (or SSTP server). Sounds easy, right? There's already a webserver on the router, so simple http-01 validation can be used. But what if you don't want to or can't open port 80 (AFAIK http-01 always starts with plain http on standard port 80)? It would be the case on at least half of the routers where I'd like to use Let's Encrypt certificates, because there's typically only one public address and the standard http(s) ports are already forwarded to some internal webserver. There would have to be support for dns-01 validation and it has different problems too.

I think it's doable, I tried some suggestions in the Support for ACME/Let's Encrypt certificate management thread, but so far it doesn't look like anyone from MikroTik thought "oh yes, it's super-awesome, we need to have that!" Maybe try to invent some other foolproof plan that will finally convince them.

Re: Feature requests

Posted: Sat May 04, 2019 4:59 pm
by mtk89
I'm sure that MikroTik can easily write their own ACME client. But it's even more important how it should fit into RouterOS and work for as many scenarios as possible.

For example, maybe you just want a certificate for https WebFig (or SSTP server). Sounds easy, right? There's already a webserver on the router, so simple http-01 validation can be used. But what if you don't want to or can't open port 80 (AFAIK http-01 always starts with plain http on standard port 80)? It would be the case on at least half of the routers where I'd like to use Let's Encrypt certificates, because there's typically only one public address and the standard http(s) ports are already forwarded to some internal webserver. There would have to be support for dns-01 validation and it has different problems too.

I think it's doable, I tried some suggestions in the Support for ACME/Let's Encrypt certificate management thread, but so far it doesn't look like anyone from MikroTik thought "oh yes, it's super-awesome, we need to have that!" Maybe try to invent some other foolproof plan that will finally convince them.
From the manual page (https://ndilieto.github.io/uacme/), it appears uacme supports dns-01 challenges and allows total flexibility via the --hook option, which calls an external script to accept, decline or set up the challenge environment.
If specified, uacme executes PROGRAM (a binary, a shell script or any file that can be executed by the operating system) for every challenge with the following 5 string arguments:

METHOD one of begin, done or failed.

begin is called at the beginning of the challenge. PROGRAM must return 0 to accept it. Any other return code declines the challenge. Neither done nor failed method calls are made for declined challenges.

done is called upon successful completion of an accepted challenge.

failed is called upon failure of an accepted challenge.

TYPE challenge type (for example dns-01 or http-01)

IDENT The identifier the challenge refers to

TOKEN The challenge token

AUTH The key authorization (for dns-01 already converted to the base64-encoded SHA256 digest format to be provisioned as _acme-challenge DNS TXT record).
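A hook implementing the contract quoted above for dns-01 only, as an added Python example that is not part of uacme or of the post; the JSON record store it writes to is a hypothetical stand-in for whatever DNS provider API the zone really uses:

```python
"""uacme --hook handler for dns-01 challenges (added illustration, not uacme code).

uacme invokes the hook as:  PROGRAM METHOD TYPE IDENT TOKEN AUTH
  METHOD  begin | done | failed
  TYPE    challenge type, e.g. dns-01 or http-01
  IDENT   the identifier (domain name) the challenge refers to
  TOKEN   the challenge token (only needed for http-01; unused here)
  AUTH    for dns-01, the value to publish as the _acme-challenge TXT record
The DNS backend here is a hypothetical JSON file standing in for a real zone API.
"""
import json
import os
import sys
from typing import Dict, List

# Hypothetical record store; a real hook would call the DNS provider's API instead.
STORE_PATH = os.environ.get("ACME_HOOK_STORE", "/tmp/acme-txt-records.json")


def record_name(ident: str) -> str:
    """Name of the TXT record the CA will query for this identifier."""
    return f"_acme-challenge.{ident.rstrip('.')}"


def handle(method: str, ctype: str, ident: str, token: str, auth: str,
           records: Dict[str, List[str]]) -> int:
    """Apply one hook call to the record store; returns the process exit code.

    begin         -> provision the TXT record and return 0 to accept the challenge
    done / failed -> remove the record again (cleanup happens in both cases)
    other TYPE    -> non-zero, which makes uacme decline the challenge
    """
    if ctype != "dns-01":
        # e.g. http-01 cannot be served when port 80 is already forwarded elsewhere,
        # so the hook declines it; uacme then makes no done/failed call for it
        return 1
    name = record_name(ident)
    if method == "begin":
        values = records.setdefault(name, [])
        if auth not in values:
            values.append(auth)       # two challenges may share one record name
        return 0
    if method in ("done", "failed"):
        values = records.get(name, [])
        if auth in values:
            values.remove(auth)
        if not values:
            records.pop(name, None)
        return 0
    return 1                          # unknown METHOD


def load_store(path: str) -> Dict[str, List[str]]:
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_store(path: str, records: Dict[str, List[str]]) -> None:
    with open(path, "w") as fh:
        json.dump(records, fh)


def main(argv: List[str], path: str = STORE_PATH) -> int:
    if len(argv) != 6:
        print("usage: hook METHOD TYPE IDENT TOKEN AUTH", file=sys.stderr)
        return 2
    records = load_store(path)
    rc = handle(*argv[1:6], records)
    if rc == 0:
        save_store(path, records)     # a real hook would also wait for DNS propagation
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```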

Re: Feature requests

Posted: Sun May 05, 2019 5:08 pm
by mutinsa
The SNTP Client from the base package supports this feature "out of the box"

For the NTP Client from the ntp package this script may be a temporary solution
https://github.com/mutin-sa/MT_ROS_Scri ... TP/ntp.txt

I've tried to search this topic, but I haven't found it (hope there are not any duplicates):

NTP Client - Possibility to use server name, not just IP address
exFAT (FAT64) or NTFS support - yes, MT is not a NAS (it's slow), but it would be great to use a file system capable of handling >4GB files that is compatible with Windows (you have an HDD with big files and you want to share some files - you cannot connect it to MT, you have to reformat it to FAT32, copy everything except for the big files back...)
Wireless - move the Country and Distance settings to Simple Mode - you can set every other important "basic" setting in simple mode, but you have to switch to Advanced Mode for these two settings.
Quick Set - It's working with a WPA1 password. It doesn't recognise when you manually set a WPA2-PSK AES only password. It also requires setting a WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows the WiFi password red and empty (WPA2 only is used)

Feature Request Client SSID dont-care on connect

Posted: Sat May 11, 2019 12:54 am
by TomjNorthIdaho
Feature Request Client SSID dont-care on connect

First - this may sound like a bit of a strange ROS feature request, but this would be a very powerful feature that no other wireless company can offer at this time.

A bit of my background so that you understand my reasoning for this request :
- As a WISP (and fiber-to-the-home ISP), we have hundreds of Mikrotik APs and 1,000+ client Mikrotiks
- All APs use the same SSID
- All of our tower locations have multiple (dozens) of APs on each tower (all with the same SSID)
- Clients (nv2 Mikrotik clients) do not necessarily connect to the strongest/best AP which may be facing in the direction of the client Mikrotik. As a result, we often have many, many client Mikrotiks that are not connected to the best/strongest AP. This often results in everybody on that AP running a little slower because of the few clients that are connected with slower connect rates and higher wireless retries.

So, after more than 10 years of hands-on experience with clients often not connecting to the most preferred Mikrotik AP, I have a feature request to ask Mikrotik for …

Feature request #1
- A new SSID setting for Mikrotik wireless clients (802.11 & nv2 & nstream)
- A new optional setting on the client SSID that is a dont-care character.
- Where any AP SSID that matches the client SSID up to the dont-care character will qualify as an AP for the client to connect to.
-- Example:
--- Client has a dont-care optional setting checked
--- The client dont-care character is a "#" character
--- The client SSID is configured at "WISP-something.com#"
--- The client sees multiple APs with these SSIDs: "WISP-something.com" and "WISP-something.com#" and "WISP-something.com#1" and "WISP-something.com#2" and "WISP-something.com#131" and "WISP-something.com#betty"
--- The Mikrotik client can connect to any SSID that starts with "WISP-something.com"

Feature request #2
- A new SSID setting for Mikrotik wireless clients (802.11 & nv2 & nstream)
- A new option to configure Mikrotik clients to specify a preferred list of SSIDs to connect to.
- The 1st SSID selection is always the 1st SSID the client will try to connect to
- The 2nd SSID selection is only used when the client can not connect to the 1st selection
- The 3rd SSID selection is only used when the client can not connect to the 1st or 2nd selection
- The 4th SSID selection is only used when the client can not connect to the 1st or 2nd or 3rd selection.
--- Example of use, a Mikrotik client with these optional settings:
--- 1st "WISP-something.com#2"
--- 2nd "WISP-something.com#betty"
--- 3rd "EISP-something.com#131"
--- 4th (last fall back SSID selection) "EISP-something.com#"

With both feature requests (1 and 2 above), Mikrotik clients now have a preferred ordered connect SSID list. If the 1st and 2nd SSIDs are off-line, then the Mikrotik client will try to connect to the 3rd SSID selection in the list. If the first 3 preferred SSIDs are off-line, then the client Mikrotik can use the dont-care character and connect to any other matching SSIDs.

Something like this will surely help any WISP using Mikrotik products who have a large base of Mikrotik wireless devices.

With these 2 new requested features in Mikrotik ROS clients, a WISP can now: A - have some control as to what APs client Mikrotiks connect to, and B - configure client load sharing on all WISP APs.

FYI - and yes I do know there is a connect-list feature that uses signal strength (for APs and clients) but that feature also has its own set of issues and problems.

North Idaho Tom Jones

Re: Feature requests

Posted: Sat May 11, 2019 1:29 pm
by muetzekoeln
Why use the SSID for this? This may bring compatibility problems. Wouldn't a preferred list of APs (e.g. by address instead of SSID) on the client alone help with your issues? So no change on the AP side is necessary.

Re: Feature requests

Posted: Sat May 11, 2019 5:54 pm
by pe1chl
And it is already available... you can make a connect list with different MAC addresses for the same SSID.

Re: Feature requests

Posted: Mon May 13, 2019 5:38 pm
by TomjNorthIdaho
And it is already available... you can make a connect list with different MAC addresses for the same SSID.
Yeah, using a connect list with MAC addresses could almost work (almost).

Using a MAC address connect method presents a management problem for all clients when an AP needs to be replaced or upgraded.
A change of an AP can result in a different MAC address, which then can result in every wireless client needing to be re-configured.
Thus, if you have 300 clients connecting to a tower with more than one AP, then you can end up with 300 clients that need to be reconfigured/re-programmed.
I've been down this road many times in the past and it ain't pretty.

North Idaho Tom Jones

Re: Feature requests

Posted: Mon May 13, 2019 5:42 pm
by TomjNorthIdaho
Why use the SSID for this? This may bring compatibility problems. Wouldn't a preferred list of APs (e.g. by address instead of SSID) on the client alone help with your issues? So no change on the AP side is necessary.
Re compatibility problems - that is the reason I stated an optional setting. On an upgrade to a newer ROS with such a feature, the default should be Off.

Re: Feature requests

Posted: Mon May 13, 2019 5:54 pm
by faraujo88
It would be great if dhcp-server had an option to set a queue limit for each lease, and remove it automatically when the guest leaves... or does RouterOS already do that?

Re: Feature requests

Posted: Mon May 13, 2019 7:31 pm
by pe1chl
Thus, if you have 300 clients connecting to a tower with more than one AP, then you can end up with 300 clients that need to be reconfigured/re-programmed.
I've been down this road many times in the past and it ain't pretty.
When you have to manage 300 devices you should have some mechanism in place to support remote management.
It can be done with MikroTik. I have seen solutions for that presented at MUM events.
E.g. you make a scheduled job that runs once a day and attempts to download some file with a naming convention depending on the client, and when it exists it imports that file.
(it would be a good idea to have some version numbering so you can avoid re-running the same file every day after it has already been run once)

There should be more explicit support for that in the Dude.

Re: Feature requests

Posted: Mon May 13, 2019 11:01 pm
by TomjNorthIdaho
Thus, if you have 300 clients connecting to a tower with more than one AP, then you can end up with 300 clients that need to be reconfigured/re-programmed.
I've been down this road many times in the past and it ain't pretty.
When you have to manage 300 devices you should have some mechanism in place to support remote management.
It can be done with MikroTik. I have seen solutions for that presented at MUM events.
E.g. you make a scheduled job that runs once a day and attempts to download some file with a naming convention depending on the client, and when it exists it imports that file.
(it would be a good idea to have some version numbering so you can avoid re-running the same file every day after it has already been run once)

There should be more explicit support for that in the Dude.
Re: … mechanism in place to support remote management …
I have my own custom scripts (Linux for-IPs-In-a-List.txt ssh/telnet send/expect) which work very well to bulk manage my client Mikrotiks.

Re: … good idea to have some version numbering so you can avoid re-running the same file …
My custom management scripts do this and much more.

The problem with bulk management is configuring an algorithm which does two things - 1; load share connected clients on APs and 2; define a set of client preferred APs to use when available.
With my two requested features, these new settings would only need to be performed when the client is installed.

The issue is that there is a whole bunch of Mikrotik admins that do not use Dude or custom scripts and only manage client Mikrotiks manually one-at-a-time.
With my suggestion, there would be no need for any type of bulk management (if any AP is replaced) if my two feature requests would be implemented in ROS.

Re: Openvpn server route push

Posted: Tue May 14, 2019 1:52 am
by itmethod
The RouterOS openvpn server needs a way to push routes to the clients.
This is very much needed.

I have multiple clients, Windows and Linux, and need multiple usernames to have different routes pushed to them, as well as a global route push, so I don't have to have separate VPN servers, or multiple client config files and have to worry about the user having the right config file.

The current routes option in ROS is the iroute command for the ccd files, and it puts routes into the router's/server's routing table to the client's LAN.

Re: Feature requests

Posted: Tue May 14, 2019 11:00 am
by pe1chl
The problem with bulk management is configuring an algorithm which does two things - 1; load share connected clients on APs and 2; define a set of client preferred APs to use when available.
These issues are completely independent. You need a bulk management method to distribute any configuration changes to your clients, but apparently you already have it.
Then you need to know WHAT you want to configure in your clients. I would say that is an application-specific problem that has to be adapted for your specific network.

The tools (e.g. connect list) are already there. You can load a connect list with a couple of MAC addresses and finally a generic SSID to connect. You should find your clients online, and then maybe you need some form of remotely managed "scan" to know what network to connect.
This is not something you are going to solve with a complicated method such as you proposed. It will fail in some way, if not in your network then in someone else's who tries to use it.
Keep things simple and keep them in your own hands.

Frequency Usage - add more fields (counts & average)

Posted: Tue May 14, 2019 10:14 pm
by TomjNorthIdaho
Frequency Usage - add more fields (counts & average)

Here is a suggestion - add some additional fields when performing a Frequency Usage
- Add a new field showing the Number-of-Usage-Hits for the current scan (per frequency)
- Add a new field showing the Peak-Usage-Strength for the current scan (per frequency)
- Add a new field showing the Average-Strength for the current scan (per frequency)
- Add a new field showing the total sum of Usage (per frequency)

With these additional Frequency-Usage fields, it would then be easy to run an extended length Frequency-Usage scan (Ooo say 15 minutes or so) then review the results to easily locate the least-used/most-available contiguous frequencies. Now the Mikrotik admin can add/configure APs to operate with frequencies/channels which have the least amount of background noise.

North Idaho Tom Jones

Re: Feature requests

Posted: Thu May 16, 2019 4:09 pm
by anuser
Reboot-Button within WinBox => CAPsMAN => Remote CAP, i.e. click on cap and simply reboot it.

Re: Feature requests

Posted: Mon May 20, 2019 3:36 pm
by jaceyk
The ability to run traffic-generator with a single core on a multi-core device.

The reason is that multi-core Mikrotik routers don't seem to be able to detect Out-of-Order packets. The single-core routers that I've tried have no such problem.

Even though using a single core would bring the performance way down, it would still be sufficient for a sequence-error test.

I could test from one point to another with all cores to check bandwidth, and test again with one core sending 100mbps for 24 hours to check for reordering.

To be clear, I'm only speculating that the reason that CCRs can't see OoO packets with Traffic-Generator is because they're multi-cored. If that's wrong then my feature request is just to fix traffic-generator for CCRs.

Re: Feature requests

Posted: Thu May 23, 2019 8:14 am
by stejjh
I have seen this mentioned elsewhere but not here – add digest authentication support to fetch for http/https requests please

Thanks

J

Re: Feature requests

Posted: Fri May 24, 2019 11:18 am
by neticted
Using a MAC address connect method presents a management problem for all clients when an AP needs to be replaced or upgraded.
A change of an AP can result in a different MAC address, which then can result in every wireless client needing to be re-configured.
Thus, if you have 300 clients connecting to a tower with more than one AP, then you can end up with 300 clients that need to be reconfigured/re-programmed.
I've been down this road many times in the past and it ain't pretty.
I had a similar issue (although I do not run a commercial ISP but a community network). My solution was to use my own MAC addresses (invented for the purpose) for network adapters. That means, after I replace an adapter, I set the designated MAC for that AP and clients see no difference.

Re: Feature requests

Posted: Fri May 24, 2019 11:43 am
by neticted
I would like to propose some improvements in the user interface of Winbox

- Allow changing the order of columns in tabular view.

Now, the order is fixed and it becomes quite cumbersome if you have to follow some columns that are last in the row and you do not have a large enough screen. Allowing the user to set the order of columns would help him order columns by current importance.

- Allow selecting visible columns (option Show Columns) in a more user friendly manner.

Selecting columns that are visible is quite cumbersome on data that has lots of columns. The user has to scroll down through the list to find columns, and when he selects a column the list is closed, so, for another column, you have to start adding from scratch.

A better solution would be that Select Columns is a modal window (dialog) which provides the list of columns, avoiding the need for scrolling through the list, and with check boxes, so the user can in a single pass set or unset the columns that he wants to be visible.

- Comments should be treated as any other column

Comments have different treatment compared to other row data as they may be displayed in a separate line (which is good). Sometimes it is more practical to see them as columns and there is an option to set it, but that setting lives only until Winbox is closed. On restart, columns are again displayed as a separate line. I am not referring to the global setting but to a custom setting for a specific table view.

It should be treated as an ordinary column, meaning if the user selects it to be visible as a column it should stay that way.

- Some columns could be treated as comment

When the comment is displayed not inline there is usually plenty of empty space where additional info could be shown. It would be good if we could have an option to choose some columns that would be displayed in the comment space. That would provide better space usage and an improvement of user experience.

For example, when I set logging on a firewall rule, it would be great if that information were visible in the comment space.

- Allow customization of the toolbar on the main window

Every admin has a set of options he frequently uses and it would be good to have them easily accessible instead of going through menus again and again. Make a toolbar on the main window that can be customized in two ways:

1) the user can simply set a button that opens specified settings

2) the user can set a button that starts a specified script

- Allow the Hide Password option to be directly accessible

Once, that option was set on the main window so the user could simply check or uncheck password visibility. Now, that option is hidden in a menu. That causes two user experience problems: the option is hidden so the user has to look for it through the menu, and the password visibility status is not visible, meaning the user may leave password visibility inappropriately set to visible as he does not see the option status.

On most occasions, password visibility is needed just temporarily and for a very short time, so it is a better user experience if it is possible to see the status and change it quickly by a simple click.

That option could simply be set as a checkbox on the far right of the main window toolbar as it used to be.

- Allow setting favorite connections

With a large number of routers the tabular list of saved router connections becomes cluttered. Grouping and notes do help sorting it out, but it would really help if the user can set some connections that he needs frequently as favorites so he can have them easily accessible in some way (listed in a separate tab or listed on top or some other method).

Re: Feature requests - Re Winbox , close all

Posted: Sun May 26, 2019 11:42 pm
by jo2jo
A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many, many windows open in winbox, click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
I would love to see this also. Often on lower end RBs people don't realize how much CPU load winbox/mgmt can have on the device. The more winbox windows open, the more updates that have to be sent, thus more CPU load (I'm talking in a single winbox session/window connected to a single routerboard).

The suggestion from another user, session-> close all windows, only occurs when you EXIT winbox (i.e. the next time you connect all windows will be closed). The new feature I'm looking for (and I think this user above too) is a button or menu option to close all windows in the current session, without exiting winbox. Often pressing the ESC key will close some windows, but there are quite a few that ESC does not work on (like terminal windows, understandably).
thanks

Re: Feature requests - Re Winbox , close all

Posted: Mon May 27, 2019 2:51 pm
by pe1chl
A feature I would like to see in Winbox is a new selection to close all winbox windows
Example - many, many windows open in winbox, click close-all and presto they all close and you still have your connected winbox session

North Idaho Tom Jones
I would love to see this also.
Then why did you not notice the replies made to Tom that this feature is already available?

Re: Feature requests - Re Winbox , close all

Posted: Mon May 27, 2019 7:02 pm
by Chupaka
The suggestion from another user, session-> close all windows, only occurs when you EXIT winbox (i.e. the next time you connect all windows will be closed).
wrong

Re: Feature requests - Re Winbox , close all

Posted: Tue May 28, 2019 1:50 am
by jo2jo
The suggestion from another user, session-> close all windows, only occurs when you EXIT winbox (i.e. the next time you connect all windows will be closed).
wrong
oh wow, you are correct, choosing session-> close all windows does in fact accomplish this (without exiting the app). thanks!

Re: Feature requests

Posted: Thu Jun 13, 2019 2:51 pm
by moham96
How about adding "use peer DNS" to the OVPN Client, similar to other clients like PPPoE and dhcp client? Right now when I establish a connection to the openvpn server I'm forced to have the advertised openvpn DNS server. I can disable the DNS server on the openvpn server, but I would like other clients to have the VPN DNS resolver and only one of my routers to disable peer DNS.

Re: Feature requests

Posted: Thu Jun 13, 2019 4:19 pm
by pe1chl
It would be nice to have some feature to move an entire network with all its interface-related settings to another interface.
I.e. interface list, bridge port, IP/IPv6 addresses, dhcp client or server, firewall entries, and all other config that refers to an interface.
Use case: you want to move an internal network or the ISP link to another port or from a port to a bridge or a VLAN.
As a workaround it is of course possible to always use a bridge instead of directly attaching config to an interface, but you have to know that beforehand :-)

Re: Feature requests

Posted: Thu Jun 13, 2019 10:26 pm
by luciano
It would be nice if Socks and Webproxy became individual packages, so we can disable them and harden the box.

Re: Feature requests

Posted: Fri Jun 14, 2019 12:35 am
by Sob
Both proxies are disabled by default, so they just take space in the menu and a little bit on disk, but that's it. The ability to uninstall them completely wouldn't change much, they already don't do anything if you don't enable them. I can understand that seeing some things in the menu can annoy people for whatever reason (they don't use them, believe that they don't belong on a router, ...). But there's a question of whether making everything a separate package is really worth the effort.

Re: Feature requests

Posted: Mon Jun 24, 2019 5:49 pm
by pe1chl
Please add possibility to add "unknown" entries in the /ip dns static list.
This is useful especially with regexp entries like ".*\.168\.192\.in-addr\.arpa$" -> unknown.
(to avoid bombarding the upstream resolver with requests about rdns for local networks)

Re: Feature requests

Posted: Tue Jun 25, 2019 5:27 pm
by ivanfm
Hey, Mikrotik team!
Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
It would be nice to have an option to set the number of pings to send before changing status to down, and their frequency.
...and the possibility to set the source address (e.g. remote ipsec hosts)
netwatch with an option to set src-address will make it easier to test connections on multi connection routers.

Re: Feature requests

Posted: Tue Jul 23, 2019 10:12 am
by flyfinlander
Can you please add the option in "IPSEC policy" to choose Dst. and Src. address from an IP list, not just one IP or range?

Re: Feature requests

Posted: Fri Jul 26, 2019 10:45 am
by ekerlostw
Need feature to detect if device has poe-out interfaces - now any poe-command (even print command) causes an error in script if HW doesn't have poe-out interfaces...

Re: Feature requests

Posted: Fri Jul 26, 2019 11:35 am
by Jotne
any poe-command (even print command) causes an error in script if HW doesn't have poe-out interfaces...

Can you post the command that fails? There may be a solution to test for a poe interface before the command is run.

Re: Feature requests

Posted: Fri Jul 26, 2019 12:12 pm
by pe1chl
any poe-command (even print command) causes an error in script if HW doesn't have poe-out interfaces...
Can you post the command that fails? There may be a solution to test for a poe interface before the command is run.
A workaround for this was already found in another topic.

Re: Feature requests

Posted: Fri Jul 26, 2019 1:24 pm
by mkx
Need feature to detect if device has poe-out interfaces - now any poe-command (even print command) causes an error in script if HW doesn't have poe-out interfaces...

I don't know how to script it, but the possibility is available already: /interface print where type=pppoe-out

Re: Feature requests

Posted: Fri Jul 26, 2019 1:47 pm
by pe1chl
Need feature to detect if device has poe-out interfaces - now any poe-command (even print command) causes an error in script if HW doesn't have poe-out interfaces...
I don't know how to script it, but the possibility is available already: /interface print where type=pppoe-out
pppoe has no relation to poe!

Re: Feature requests

Posted: Fri Jul 26, 2019 1:51 pm
by mkx
Need feature to detect if device has poe-out interfaces - now any poe-command (even print command) causes an error in script if HW doesn't have poe-out interfaces...
I don't know how to script it, but the possibility is available already: /interface print where type=pppoe-out
pppoe has no relation to poe!
Aargh... serves me right for not being careful enough when reading :-(

Re: Feature requests

Posted: Sat Jul 27, 2019 11:04 am
by pe1chl
Please allow for multiple DNS resolver instances (with independently configured external servers, static entries, and cache).
The current single DNS resolver could just be 1 item in a list, to which others can be added.
These resolvers could be tied to internal interfaces using an interface list or they could listen on one or more addresses specified in their entry, whatever is more convenient.

Reason: you may want to use a different DNS service, like OpenDNS or another DNS with filtering capabilities, for your guest network.
Or you may want to have LAN systems resolve via a local DNS resolver like Windows Server and have the guest network only use internet DNS.

Re: Feature requests

Posted: Sat Jul 27, 2019 12:31 pm
by msatter
Be able to disable dynamic DNS servers when using an IKEv2 connection to a VPN provider such as NordVPN. This is to have only the manually entered DNS server receiving requests and no fallback to the dynamically provided DNS servers of the VPN provider.

Re: Feature requests

Posted: Tue Aug 13, 2019 11:04 am
by msatter
Using Address Lists not only with IP address and Domain Name but also with the ASN number.

Never found a way to block incoming traffic in routing using the ASN and I had to fall back on generating my own Address List to filter those IP ranges out.

Re: Feature requests

Posted: Tue Aug 13, 2019 11:14 am
by pe1chl
The AS number is only directly available when the router has a full BGP routing table from internet.
When you are just connected using a static default route to internet (i.e. typical endpoint on a single ISP) the AS number is not available.
The cost to look up the AS number is high to very high (depending on whether you use some special DNS service or the basic WHOIS method) so it cannot be done on every packet.
There would have to be a very clever cache of AS numbers corresponding to recent traffic, and it probably would work only when a dedicated service was set up for this purpose.
I know that a DNS service that can do this does exist, but I don't think they will be very happy when many MikroTik routers start using this for one out of 100 packets they receive.

Maybe for this special case where you want to block a certain AS number a special service could be set up that returns the subnets advertised by that AS number in the format required to load them into an address list. One of those people that sell blocklists here on the forum could do that, if they had BGP routing to internet (which I don't think they do right now).

Re: Feature requests

Posted: Tue Aug 13, 2019 1:28 pm
by msatter
Thanks pe1chl. Yesterday I had some kind of SYN-only requests on ports 80 and 443 from several different AS numbers from Dutch, Lithuanian, Ukrainian and Chinese server/service providers.

In 12 hours I blocked almost 50,000 connections in RAW; now it is quiet again.

Re: Feature requests

Posted: Tue Aug 13, 2019 7:34 pm
by pe1chl
I have seen that as well. This is a DDoS amplification: those SYN packets are not really coming from the servers or even AS that you think, but they are spoofed by the DDoS operator.
The idea is that for every SYN they send to you, you will send a number of SYN ACK packets to the address that they spoofed, and thus to the addresses of that service provider.
As they do this for many websites the "return traffic" of unidentified SYN ACK packets to that provider can be large and be used as an attack, while the websites used in the amplification note little.
So the addresses you are trying to block are not the abusers but the victims. You might block legitimate visitors doing this, although it is unlikely.

It is not really necessary to do anything about this, it is not an attack on your system and as long as you don't send an unreasonable number of SYN ACKs to an incoming SYN, your system should not be overwhelmed with traffic or lingering connections. If necessary you can reduce the number of retries, e.g. like this:

echo 2 > /proc/sys/net/ipv4/tcp_synack_retries

(to change the default from 5 to 2 in Linux)

Of course the REAL problem is that ISPs are not doing source address filtering. When everyone applied source address filters to the networks they host or serve to end users, this attack would not be possible.
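As an added illustration of the point above (example code, not part of pe1chl's post): a model of what each spoofed SYN costs the reflecting host in SYN-ACKs and lingering half-open state, comparing the Linux default of 5 retries with the suggested 2. The 1 s initial retransmission timeout that doubles on every retry is an assumption about the kernel's SYN-ACK timer; SYN cookies and backlog limits are not modelled.

```python
# Added example: models the reflected SYN-ACK load per spoofed SYN.
# Assumption: initial retransmission timeout of 1 s, doubling on every retry
# (Linux SYN-ACK behaviour); SYN cookies and tcp_max_syn_backlog are ignored.
SYNACK_RETRIES_PATH = "/proc/sys/net/ipv4/tcp_synack_retries"
LINUX_DEFAULT_RETRIES = 5


def synack_send_times(retries, initial_rto=1.0):
    """Times (seconds after the SYN arrives) at which the first SYN-ACK and each
    retransmission leave the host: 0, 1, 3, 7, ... for a doubling timer."""
    times, t, rto = [], 0.0, initial_rto
    for _ in range(retries + 1):          # first SYN-ACK plus `retries` retransmissions
        times.append(t)
        t += rto
        rto *= 2
    return times


def half_open_lifetime(retries, initial_rto=1.0):
    """Seconds the half-open entry lingers until the last timeout expires and
    the kernel gives up: initial_rto * (2^(retries+1) - 1)."""
    return initial_rto * (2 ** (retries + 1) - 1)


def reflection_load(syn_pps, retries, initial_rto=1.0):
    """For a sustained rate of spoofed SYNs: the SYN-ACK rate pushed toward the
    spoofed (victim) addresses and the steady-state number of half-open entries."""
    amplification = retries + 1
    return {
        "amplification": amplification,
        "synack_pps": syn_pps * amplification,
        "half_open_entries": syn_pps * half_open_lifetime(retries, initial_rto),
    }


def compare_settings(syn_pps, before=LINUX_DEFAULT_RETRIES, after=2):
    """Side-by-side effect of lowering tcp_synack_retries as the post suggests."""
    b, a = reflection_load(syn_pps, before), reflection_load(syn_pps, after)
    return {
        "before": b,
        "after": a,
        "synack_traffic_ratio": a["synack_pps"] / b["synack_pps"],
    }


def read_synack_retries(path=SYNACK_RETRIES_PATH):
    """Current kernel value, or None when the file is unavailable (non-Linux host)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    current = read_synack_retries()
    print("tcp_synack_retries:", current if current is not None else "n/a")
    for r in (LINUX_DEFAULT_RETRIES, 2):
        print(f"retries={r}: SYN-ACKs sent at {synack_send_times(r)} s, "
              f"half-open entry kept for {half_open_lifetime(r):.0f} s")
    print(compare_settings(syn_pps=100))
```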

Re: Feature requests

Posted: Thu Aug 15, 2019 7:24 pm
by Fesiitis
I'm waiting for IKEv2 support for EAP as responder. Hope this feature will be added soon, since support for this as initiator was added in the v6.45.1 update.

Re: Feature request: IEEE 1588 support

Posted: Mon Aug 19, 2019 4:54 pm
by ursy
RouterOS includes limited (S)NTP support for syncing clocks. For many applications (e.g. in telecoms and industry) more time precision is required. Protocol IEEE 1588-2008 (aka PTP, IEEE1588v2) is used for this. It would be a great benefit if Mikrotik devices would support IEEE 1588 and function as a transparent clock, or better yet a boundary clock. Maybe some of the built-in switch chips already support IEEE1588 timestamping in hardware.

You find some information about IEEE 1588 here:
https://www.endruntechnologies.com/pdf/PTP-1588.pdf
https://www.endace.com/ptp-timing-whitepaper

This forum already had some discussion about IEEE 1588:
viewtopic.php?f=1&t=70793&p=534801&hili ... 88#p534801
viewtopic.php?f=1&t=87471&p=465496&hili ... 88#p465496
viewtopic.php?f=1&t=79304&p=421858&hili ... 88#p421858
viewtopic.php?f=21&t=121198&p=605388&hilit=1588#p605388

Of course one has to have a grandmaster clock accessible to make use of IEEE 1588. Mikrotik devices only could transport PTP packets better, if supported.
Hello Muetzekoeln,

The topic is very interesting for me and I would need some clarifications from your topic:

1. Is any Mikrotik device supporting IEEE1588?
2. Is there any Mikrotik equipment which can be considered a "transparent switch"? I'm interested in particular about RB1100AH and hEX-mini.
If this is possible, then how can I enable this function?
3. When you are mentioning "IEEE1588 timestamping in hardware", do you refer to dedicated hardware inside of Mikrotik that can send sync packets or a 1PPS output signal?
4. Can "Boundary Clock" be implemented on Mikrotik?
5. How can I enable Mikrotik to transport PTP packets? Is this a default option? If yes, how are the PTP packets recognized/isolated?


Thank you in advance!

Re: Feature requests

Posted: Mon Aug 19, 2019 5:15 pm
by mkx
Answer to questions 1,2,4 and 5 is: No.

Variation of answer to question 2: most decent switches/routers are good enough as a (single?) step in an otherwise fully IEEE1588-compliant path if they are lightly loaded so that delay jitter is really low. This way the additional constant delay due to active devices can be attributed to constant path delay (just think of it as being some 500km longer). Namely: the big thing about IEEE1588 (as compared to NTP) is to get around the delay jitter which kills the precision of normal NTP. And delay jitter is there due to active devices doing buffering, not due to changing speed of light in fibre.

Answer to question 3 is: probably your understanding of the IEEE1588 concept is not right. PTP-aware switches need HW support for timestamping ... because IEEE1588 requires very precise knowledge of the delay imposed by the device on a PTP packet passing by. Which means the following steps done in hardware:
  1. add ingress timestamp to a packet immediately after it is received by ingress port (before it hits any cache or processing queue)
  2. get precise estimation of egress timestamp for that packet (which needs to take into account all remaining processing and cache waiting time)
  3. calculate delay from the above timestamps and adjust the PtP header.

So to enable IEEE1588, the device needs HW support for the timestamping and currently none of Mikrotik's gear has it (or has it exposed).

And the procedures above have nothing to do with 1PPS.
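The three hardware steps above, carried out on the wire format, as an added example (not mkx's code and not anything RouterOS does): a one-step end-to-end transparent clock takes the ingress and egress timestamps and adds the residence time to the correctionField of the IEEE 1588-2008 common header. Header layout and correctionField units (2^-16 ns) are from the standard; the clock identity and timestamps are constructed sample values.

```python
import struct

# IEEE 1588-2008 common header, 34 bytes, big-endian:
# transportSpecific|messageType, reserved|versionPTP, messageLength, domainNumber,
# reserved, flagField, correctionField, reserved(4), clockIdentity(8), portNumber,
# sequenceId, controlField, logMessageInterval.
_HDR = struct.Struct(">BBHBBHq4s8sHHBb")
PTP_HEADER_LEN = _HDR.size          # 34
CF_SCALE = 1 << 16                  # correctionField is in units of 2^-16 nanoseconds
TWO_STEP_FLAG = 0x0200              # flagField octet 0, bit 1
EVENT_TYPES = {0x0: "Sync", 0x1: "Delay_Req", 0x2: "Pdelay_Req", 0x3: "Pdelay_Resp"}


def parse_header(pkt: bytes) -> dict:
    """Decode the common header fields a transparent clock needs to look at."""
    if len(pkt) < PTP_HEADER_LEN:
        raise ValueError("short PTP header")
    (ts_type, ver, length, domain, _r1, flags, corr, _r2,
     clock_id, port, seq, control, log_int) = _HDR.unpack_from(pkt)
    return {
        "message_type": ts_type & 0x0F,
        "version": ver & 0x0F,
        "message_length": length,
        "domain": domain,
        "flags": flags,
        "two_step": bool(flags & TWO_STEP_FLAG),
        "correction_ns": corr / CF_SCALE,
        "clock_identity": clock_id.hex(),
        "port_number": port,
        "sequence_id": seq,
        "control": control,
        "log_message_interval": log_int,
    }


def build_sync(seq: int, correction_ns: float = 0.0, two_step: bool = False,
               clock_id: bytes = bytes.fromhex("0011223344556677")) -> bytes:
    """Construct a minimal Sync message (header + 10-byte originTimestamp, zeroed).
    clock_id is a constructed sample identity."""
    flags = TWO_STEP_FLAG if two_step else 0
    body = bytes(10)
    hdr = _HDR.pack(0x00, 0x02, PTP_HEADER_LEN + len(body), 0, 0, flags,
                    round(correction_ns * CF_SCALE), bytes(4), clock_id, 1, seq, 0x00, 0)
    return hdr + body


def add_residence_time(pkt: bytes, residence_ns: float) -> bytes:
    """Step 3: add this device's residence time to correctionField (bytes 8..15)."""
    if residence_ns < 0:
        raise ValueError("egress timestamp precedes ingress timestamp")
    corr = struct.unpack_from(">q", pkt, 8)[0] + round(residence_ns * CF_SCALE)
    return pkt[:8] + struct.pack(">q", corr) + pkt[16:]


def transparent_clock_forward(pkt: bytes, ingress_ns: int, egress_ns: int) -> bytes:
    """One-step E2E transparent clock: ingress_ns is the timestamp taken at the
    ingress port (step 1), egress_ns the predicted transmit time (step 2)."""
    hdr = parse_header(pkt)
    if hdr["message_type"] not in EVENT_TYPES:
        return pkt                      # Announce, Follow_Up, ... carry no residence correction here
    if hdr["message_type"] == 0x0 and hdr["two_step"]:
        # Two-step Sync: the residence time goes into the matching Follow_Up,
        # not into the Sync itself (not shown here).
        return pkt
    return add_residence_time(pkt, egress_ns - ingress_ns)


if __name__ == "__main__":
    sync = build_sync(seq=7)
    out = transparent_clock_forward(sync, ingress_ns=1_000_000, egress_ns=1_003_750)
    print(parse_header(out))            # correction_ns == 3750.0
```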

Re: Feature requests

Posted: Mon Aug 19, 2019 5:40 pm
by pe1chl
The relevant question of course is: how often will it happen that installations with strict requirements like IEEE1588 will use equipment from MikroTik?
Will it lead to a lot of new sales when MikroTik switches do support IEEE1588?
IMHO there are LOTS of things missing from MikroTik switches, and IEEE1588 is only one of them.
It would require quite a lot of work to bring the switches up to par against enterprise switch offerings, and maybe it would not be very effective because it likely takes a lot of time before people that normally buy enterprise switches from the well-known manufacturers would consider MikroTik as a less expensive but equally capable alternative.

Re: Feature requests

Posted: Mon Aug 19, 2019 5:47 pm
by ursy
Answer to questions 1,2,4 and 5 is: No.

Variation of answer to question 2: most decent switches/routers are good enough as a (single?) step in an otherwise fully IEEE1588-compliant path if they are lightly loaded so that delay jitter is really low. This way the additional constant delay due to active devices can be attributed to constant path delay (just think of it as being some 500km longer). Namely: the big thing about IEEE1588 (as compared to NTP) is to get around the delay jitter which kills the precision of normal NTP. And delay jitter is there due to active devices doing buffering, not due to changing speed of light in fibre.

Answer to question 3 is: probably your understanding of the IEEE1588 concept is not right. PTP-aware switches need HW support for timestamping ... because IEEE1588 requires very precise knowledge of the delay imposed by the device on a PTP packet passing by. Which means the following steps done in hardware:
  1. add ingress timestamp to a packet immediately after it is received by ingress port (before it hits any cache or processing queue)
  2. get precise estimation of egress timestamp for that packet (which needs to take into account all remaining processing and cache waiting time)
  3. calculate delay from the above timestamps and adjust the PtP header.

So to enable IEEE1588, the device needs HW support for the timestamping and currently none of Mikrotik's gear has it (or has it exposed).

And the procedures above have nothing to do with 1PPS.
Thank you very much MKX,

Still I want to ask you about 1PPS signal.
1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?
2. I have a hEX router (NTP client) which is synchronized to a RB1100AH (NTP server). Directly connected to the hEX, there is a device which can generate/provide a 1PPS signal. Can I combine the NTP clock and 1PPS signal to provide a precise clock for a different piece of equipment, either Mikrotik or any other brand?

Thank you again

Re: Feature requests

Posted: Mon Aug 19, 2019 9:37 pm
by mkx
Still I want to ask you about 1PPS signal.
1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?
2. I have a hEX router (NTP client) which is synchronized to a RB1100AH (NTP server). Directly connected to the hEX, there is a device which can generate/provide a 1PPS signal. Can I combine the NTP clock and 1PPS signal to provide a precise clock for a different piece of equipment, either Mikrotik or any other brand?
1. No idea. If I have to choose, then I'd hesitantly choose a yes.
2. If you use NTP (which is the most precise timing protocol supported by Mikrotik) to propagate the time, then I don't think you gain much by using a 1PPS source ... The precision gain will be of the order of magnitude of milliseconds and that's also the order of magnitude of precision obtainable using NTP over lightly congested IP connections.

Re: Feature requests

Posted: Mon Aug 19, 2019 9:55 pm
by pe1chl
2. If you use NTP (which is the most precise timing protocol supported by Mikrotik) to propagate the time, then I don't think you gain much by using a 1PPS source ... The precision gain will be of the order of magnitude of milliseconds and that's also the order of magnitude of precision obtainable using NTP over lightly congested IP connections.
I have an application which requires accuracy of ~10us and I generally use NTP for "coarse" time (~1ms) and then connect 1PPS from a GPS receiver directly to the PC for the
accurate sync (using chrony).

Re: Feature requests

Posted: Mon Aug 19, 2019 10:05 pm
by mkx
2. If you use NTP (which is the most precise timing protocol supported by Mikrotik) to propagate the time, then I don't think you gain much by using a 1PPS source ... The precision gain will be of the order of magnitude of milliseconds and that's also the order of magnitude of precision obtainable using NTP over lightly congested IP connections.
I have an application which requires accuracy of ~10us and I generally use NTP for "coarse" time (~1ms) and then connect 1PPS from a GPS receiver directly to the PC for the
accurate sync (using chrony).
That makes sense. I was wondering about combining NTP (for coarse estimation) with 1PPS (for precision) in a RB device and then propagating the time to "end users" via LAN but not using IEEE1588.

Re: Feature requests

Posted: Mon Aug 19, 2019 11:21 pm
by pe1chl
That is likely not accurate enough to achieve such results. I connect the 1PPS to the DCD input of an old-style RS232 port (with UART on the bus, not via USB) and I achieve jitter like 3-5us.
This is possible because the edge of the 1PPS pulse directly generates an interrupt in the UART, and in the interrupt handler the nanosecond timestamp is read and put in a queue for processing by the kernel.
Such results are difficult to achieve without similar timestamping on the network interface (as is required for IEEE1588).

Re: Feature requests

Posted: Tue Aug 20, 2019 11:31 am
by ursy
Hi PE1CHL,

I'm also using an NTP server in a hEX combined with an external 1PPS signal generator. The NTP client is a Unix machine which is synchronized with the hEX NTP server and via an internal bus is fetching the 1PPS signal. I'm to calculate the jitter.
1. Is there a way to combine the NTP with 1PPS inside of any Mikrotik gear leading to a very accurate clock, as @MKX was wondering?
2. With your post do you want to say that the accuracy difference of NTP+1PPS versus IEEE1588 is insignificant?
3. If in the future I decide to use a PTP/IEEE1588 grandmaster server and broadcast/unicast the clock via a VLAN, will this process of tagging/untagging have a big impact on the accuracy of the clock?

Thank you!

Re: Feature requests

Posted: Tue Aug 20, 2019 11:45 am
by ursy
Still I want to ask you about 1PPS signal.
1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?
2. I have a hEX router (NTP client) which is synchronized to a RB1100AH (NTP server). Directly connected to the hEX, there is a device which can generate/provide a 1PPS signal. Can I combine the NTP clock and 1PPS signal to provide a precise clock for a different piece of equipment, either Mikrotik or any other brand?
1. No idea. If I have to choose, then I'd hesitantly choose a yes.
2. If you use NTP (which is the most precise timing protocol supported by Mikrotik) to propagate the time, then I don't think you gain much by using a 1PPS source ... The precision gain will be of the order of magnitude of milliseconds and that's also the order of magnitude of precision obtainable using NTP over lightly congested IP connections.
Hi Mkx,
I have the answer to the question:
"Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?"

According to wiki (https://wiki.mikrotik.com/wiki/Manual:System/GPS):
Note: The time is not stratum 1 as RouterBOARD devices do not have PPS implemented

Re: Feature requests

Posted: Tue Aug 20, 2019 12:10 pm
by mkx
1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)?

1. No idea. If I have to choose, then I'd hesitantly choose a yes.

According to wiki (https://wiki.mikrotik.com/wiki/Manual:System/GPS):
Note: The time is not stratum 1 as RouterBOARD devices do not have PPS implemented

I knew that. The reason for my hesitation is this: many (but not all) GPS modules have 1PPS output enabled and then it's up to hardware and software implementation if that 1PPS signal is available/used or not. MT devices don't use 1PPS signal, but if GPS modules are general enough, they might have 1PPS signal available and it might be possible to make that signal available to some 3rd device (as in your use case). It would require hardware modification though.

Re: Feature requests

Posted: Tue Aug 20, 2019 12:13 pm
by pe1chl
Hi PE1CHL,
I have no practical experience with PTP. Some years ago I needed clocks on a couple of servers very accurately synced for a co-channel FM transmitter network we were building.
What I had available was professional GPSDOs with 10 MHz and 1 PPS output, and of course the network (which happens to be MikroTik-routed but that is not significant).
The GPSDOs were of different types. I wrote some software to get the current time out of them but some were so old that they could not provide the correct date (due to GPS week rollover) and on some sites we did not own the GPSDO so we could only tap the 10 MHz and 1 PPS via distribution amplifiers and not the (usually RS232) time info.

So what I did was like this:
- install chrony on the involved servers (Linux of course, when you run Windows servers there is no point in all of this...)
- configure external time servers for the basic time synchronization to within 10ms (usually within 1ms).
- connect 1 PPS hardware signal to RS232 DCD input via a suitable pulse stretcher and line driver (not really required with all GPSDOs, some already deliver 100ms pulse which is fine)
- load "ldattach 18 /dev/ttyS0" to input the PPS signal to the kernel pps device
- configure "refclock PPS /dev/pps0 refid PPS" into chrony to use PPS signal

This results in chrony status like this:
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
#* PPS                           0   4   377    16   +719ns[ +834ns] +/- 4782ns
^- lpk.pi2nos.ampr.org           1   9   377   104   +106us[ +111us] +/-  244us
^- pi2nos.ampr.org               1  10   377   672   +915us[ +938us] +/- 2275us
^- pi3goe.ampr.org               1  10   377   931    +95us[ +109us] +/- 5718us
So local PPS time distribution is simply done as a discrete signal, not via the network (PTP/IEEE1588). See it as a coax with BNC connectors running between the racks.
The majority of equipment is synchronized "just" with NTP, only the critical servers that control the transmitters (1 server per site) are wired up to the PPS.
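A health check for the setup described above, as an added example (not pe1chl's code): it parses the `chronyc sources` table exactly as posted and flags when the PPS refclock is not the selected source, is not fully reachable, or reports a looser error bound than the ~10 us the application needs. The table text is copied from the post; the column and unit conventions are those of chrony's `sources` output.

```python
import re

# Output of "chronyc sources" as posted above, used as sample input for the check
# (the "#* PPS" line is the selected local refclock).
CHRONY_SOURCES = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
#* PPS                           0   4   377    16   +719ns[ +834ns] +/- 4782ns
^- lpk.pi2nos.ampr.org           1   9   377   104   +106us[ +111us] +/-  244us
^- pi2nos.ampr.org               1  10   377   672   +915us[ +938us] +/- 2275us
^- pi3goe.ampr.org               1  10   377   931    +95us[ +109us] +/- 5718us
"""

_SCALE = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}
_UNIT = r"(?:ns|us|ms|s)"
_ROW = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<poll>-?\d+)\s+(?P<reach>[0-7]+)\s+(?P<lastrx>\S+)\s+"
    r"(?P<offset>[+-]?\d+)(?P<offset_u>" + _UNIT + r")\s*\[\s*"
    r"(?P<adjusted>[+-]?\d+)(?P<adjusted_u>" + _UNIT + r")\]\s*\+/-\s*"
    r"(?P<error>\d+)(?P<error_u>" + _UNIT + r")\s*$"
)


def _seconds(value, unit):
    return int(value) * _SCALE[unit]


def parse_sources(text):
    """Parse the table into dicts. 'reach' is chrony's octal reachability
    register (377 = the last 8 polls all answered)."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                      # header and separator lines
        rows.append({
            "mode": m["mode"],            # ^ server, = peer, # local refclock
            "state": m["state"],          # * selected, + combined, - excluded, ? unreachable, x falseticker, ~ too variable
            "name": m["name"],
            "stratum": int(m["stratum"]),
            "poll": int(m["poll"]),
            "reach": int(m["reach"], 8),
            "lastrx": m["lastrx"],
            "offset_s": _seconds(m["offset"], m["offset_u"]),
            "adjusted_offset_s": _seconds(m["adjusted"], m["adjusted_u"]),
            "error_s": _seconds(m["error"], m["error_u"]),
        })
    return rows


def selected_source(rows):
    return next((r["name"] for r in rows if r["state"] == "*"), None)


def check_pps(rows, refid="PPS", max_error_s=10e-6):
    """Return a list of problems (empty when healthy): the PPS refclock must exist,
    be the selected source, be fully reachable and keep its error bound under max_error_s."""
    pps = next((r for r in rows if r["name"] == refid), None)
    if pps is None:
        return [f"no source named {refid}"]
    problems = []
    if pps["state"] != "*":
        problems.append(f"{refid} not selected (state {pps['state']!r}, selected: {selected_source(rows)})")
    if pps["reach"] != 0o377:
        problems.append(f"{refid} reach {pps['reach']:o} (want 377)")
    if pps["error_s"] > max_error_s:
        problems.append(f"{refid} error bound {pps['error_s'] * 1e6:.1f} us > {max_error_s * 1e6:.1f} us")
    return problems


if __name__ == "__main__":
    rows = parse_sources(CHRONY_SOURCES)
    print("selected:", selected_source(rows))
    print("problems:", check_pps(rows) or "none")
```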

Re: Feature requests

Posted: Tue Aug 20, 2019 12:36 pm
by mkx
2. With your topic you want to say that the accuracy difference NTP+1PPS versus IEEE1588 is insignificant?
3. If in the future I decide to use a PTP/IEEE1588 grandmaster server and broadcast/unicast the clock via a VLAN, will this process of tagging/untagging have a big impact on the accuracy of the clock?

2. In IEEE1588 deployment there are different profiles. Perhaps the most stringent profiles are the ITU-T G.8275.1 and G.8275.2 Telecom Profiles, which require accuracy of under a microsecond. I don't think this kind of precision is possible using off-the-shelf hardware and an external 1PPS source. Most real-life implementations (e.g. LTE base station networks) require less stringent synchronization with precision of 1-10 microseconds and in such cases the "home-brewed" 1PPS solution gives adequate results. One needs to beware that profile requirements are one thing while actual IEEE1588 network performance is another thing; usually elements of such a network perform even better, as the profile requirements are about end-to-end performance (from master clock to client across all boundary clocks) and in the worst-case scenario the jitter of individual nodes on the path accumulates.

3. The process of tagging/untagging might add considerable jitter (if done in software as per bridge VLAN filtering) or only slight jitter (if done by the switch chip). But as mentioned before: all active gear under non-trivial load adds to jitter in RTT and the only way to eliminate that is that equipment adds highly precise information about the delay of each individual PTP packet to the packet itself ... PTP gear doesn't introduce lower jitter per se, it just can measure the packet delay with high precision.

There's actually another NTP problem that PTP addresses: non-symmetrical path delay. NTP allows measuring the round-trip delay and the client can then only assume that the RTT is symmetrical (same in both directions) to set its own absolute time. If the delay is not symmetrical (either due to asymmetrical connection speed/load with buffering or due to asymmetrical routing or any other reason), then this can cause some systematic offset in times. PTP is more or less a broadcast solution where master clocks broadcast time, border clocks add delay information to those packets (both constant connection delay as well as dynamic "fly-by" delay) and clients can calculate accurate absolute time. Feedback from client to master clock is not strictly necessary.
In LAN environments, where link speeds are likely symmetrical and links are rarely congested, this NTP phenomenon is not a big problem.
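The asymmetry argument above worked through in numbers, as an added example (not mkx's code): the standard NTP client arithmetic on a constructed exchange shows that an unequal split of the same round-trip delay produces an offset error of half the difference that the RTT measurement cannot reveal, while the PTP slave arithmetic, with the residence times already recorded in correctionField by the transparent clocks, is unaffected by that queueing delay. All timestamps and delays are constructed sample values in seconds.

```python
def ntp_offset_delay(t1, t2, t3, t4):
    """Client-side NTP arithmetic (RFC 5905) from the four timestamps:
    t1 client send, t2 server receive, t3 server send, t4 client receive.
    Returns (offset, round_trip_delay). The offset formula silently assumes
    the two one-way delays are equal."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_ntp_exchange(true_offset, fwd_delay, rev_delay, server_processing=0.0, t1=0.0):
    """Constructed exchange: the server clock reads client clock + true_offset,
    the request takes fwd_delay and the reply rev_delay seconds."""
    t2 = t1 + fwd_delay + true_offset
    t3 = t2 + server_processing
    t4 = t3 - true_offset + rev_delay
    return t1, t2, t3, t4


def ntp_measurement_error(true_offset, fwd_delay, rev_delay, server_processing=0.0):
    """(measured_offset - true_offset, measured_delay). The error equals
    (fwd_delay - rev_delay) / 2 and leaves the round-trip delay unchanged,
    so the client cannot detect it from its own measurements."""
    t1, t2, t3, t4 = simulate_ntp_exchange(true_offset, fwd_delay, rev_delay, server_processing)
    offset, delay = ntp_offset_delay(t1, t2, t3, t4)
    return offset - true_offset, delay


def asymmetry_error_bound(round_trip_delay):
    """Worst case for a given RTT: the whole delay on one leg, error = RTT / 2."""
    return round_trip_delay / 2.0


def ptp_offset_from_master(t1_master_send, t2_slave_receive, mean_path_delay, correction):
    """PTP slave arithmetic for a one-step Sync: transparent clocks on the path have
    added their residence ('fly-by') times to correctionField, so only the constant
    cable/fibre delay still has to be assumed symmetric."""
    return (t2_slave_receive - t1_master_send) - mean_path_delay - correction


def simulate_ptp_sync(true_offset, path_delay, residence_times, t1=0.0):
    """Constructed Sync crossing transparent clocks that each add a variable queueing
    delay and record it in correctionField; returns the offset the slave computes,
    which does not depend on the residence times."""
    correction = sum(residence_times)
    t2 = t1 + path_delay + correction + true_offset
    return ptp_offset_from_master(t1, t2, path_delay, correction)


if __name__ == "__main__":
    print("NTP, symmetric 20 ms / 20 ms:", ntp_measurement_error(0.25, 0.020, 0.020))
    print("NTP, asymmetric 10 ms / 30 ms:", ntp_measurement_error(0.25, 0.010, 0.030))
    print("PTP through two transparent clocks:", simulate_ptp_sync(0.25, 0.001, [0.003, 0.0007]))
```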

Re: Feature requests

Posted: Thu Aug 22, 2019 9:12 am
by killersoft
Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.

Re: Feature requests

Posted: Thu Aug 22, 2019 9:15 am
by normis
Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7

Re: Feature requests

Posted: Thu Aug 22, 2019 12:27 pm
by huntermic
Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7
There is no v7

Re: Feature requests

Posted: Thu Aug 22, 2019 12:36 pm
by msatter
Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7
There is no v7
There is as you can see at the top of this page:

BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)

Re: Feature requests

Posted: Thu Aug 22, 2019 12:42 pm
by huntermic
Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7
There is no v7


There is as you can see at the top of this page:

BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)

Yep, I missed that part...

Re: Feature requests

Posted: Thu Aug 22, 2019 4:33 pm
by pe1chl
Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7
Maybe you can put a topic here of those features that are already done in v7?
Then it would be easy for people to check before making a request. And also keep us happier while we are waiting for it.

Re: Feature requests

Posted: Thu Aug 22, 2019 5:41 pm
by msatter
There is a page in the Wiki, which is empty, that could be used for feature requests to be implemented and already implemented in v6 or v7:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

Request to implement client certificate usage in tool fetch

Posted: Wed Aug 28, 2019 7:24 pm
by tclafoe
Hi,

for a project my routers need to contact a central server via https on a regular basis.
The tool "fetch" allows verifying the identity of the server ("check-certificate").
All our routers for this project are equipped with individual certificates.
So it would be possible for the central server to check the identity of the requesting router - if only "fetch" would allow that...
I guess the basic mechanisms are already there, as OpenVPN etc. allow that.
I also assume that "fetch" is something like the Linux tools "curl" or "wget" under the hood - if that is correct, then it is probably not very difficult to implement this feature as both Linux tools have it already available.

Greetings,
Lars

Re: Feature requests

Posted: Thu Aug 29, 2019 12:52 pm
by Magres
Please,

to \system reset-configuration add a flag keep-certificates that lets one keep all the certificates, CRLs etc.

add the command :commit to commit all the changes to the flash, otherwise to discard changes after reboot

thanks

Re: Feature requests

Posted: Thu Aug 29, 2019 1:00 pm
by SiB
Please, to \system reset-configuration...
and if I provide run-after-reset= an additional delay. The delay must be ~10 seconds for all interfaces to come up and then run this .rsc script.

Currently for every backup-export file I must use a bash script to add a first line with /delay 10s; to be able to use any backup-export with this feature.

Re: Feature requests

Posted: Thu Aug 29, 2019 2:09 pm
by asterisco
Hi Mtik developers,

Any chance in a near release of WAP 60 RADIUS authentication of STAs? (not getting L1 if RADIUS denies)

Thanks!
Antonio

Re: Feature requests

Posted: Thu Aug 29, 2019 2:58 pm
by muetzekoeln
add the command :commit to commit all the changes to the flash, otherwise to discard changes after reboot
+1

Have seen it in professional equipment before. Very useful!!

Re: Feature requests

Posted: Thu Aug 29, 2019 3:28 pm
by Chupaka
add the command :commit to commit all the changes to the flash, otherwise to discard changes after reboot
+1

Have seen it in professional equipment before. Very useful!!
Do you both know about Safe Mode?

Re: Feature requests

Posted: Thu Aug 29, 2019 3:39 pm
by SiB
And the https://wiki.mikrotik.com/wiki/Manual:Partitions is very great with a proper additional scheduler/script-ing.

Re: Feature requests

Posted: Thu Aug 29, 2019 4:15 pm
by muetzekoeln
Do you both know about Safe Mode?
Safe Mode is quite the opposite of the requested commit!

The idea is to collect all changes and apply them at once!

Re: Feature requests

Posted: Thu Aug 29, 2019 4:39 pm
by SiB
Safe Mode is quite the opposite of the requested commit!
The idea is to collect all changes and apply them at once!
https://wiki.mikrotik.com/wiki/Manual:P ... s#Commands => save-config-to

Re: Feature requests

Posted: Thu Aug 29, 2019 4:52 pm
by Chupaka
The idea is to collect all changes and apply them at once!
{
command1
command2
...
commandN
}

Re: Feature requests

Posted: Fri Aug 30, 2019 12:40 pm
by Magres
Do you both know about Safe Mode?
Safe mode is quite restricted and rather a Winbox feature than something universal. The suggested commit command could be considered as a universal extension to safe mode, e.g. :safe for starting safe mode and :commit for writing changes to the persistent memory and :reject respectively.

Re: Feature requests

Posted: Fri Aug 30, 2019 1:40 pm
by Chupaka
Safe mode is quite restricted and rather a winbox feature than something universal.
Huh?..
The suggested commit command could be considered as a universal extension to safe mode, e.g. :safe for starting safe mode
Ctrl+X
and :commit for writing changes to the persistent memory
Ctrl+X again
and :reject respectively.
Ctrl+D

Re: Feature requests

Posted: Fri Aug 30, 2019 1:47 pm
by Magres
Safe mode is quite restricted and rather a winbox feature than something universal.
Huh?..
The suggested commit command could be considered as a universal extension to safe mode, e.g. :safe for starting safe mode
Ctrl+X
and :commit for writing changes to the persistent memory
Ctrl+X again
and :reject respectively.
Ctrl+D
and what about ansible + ssh ?

Re: Feature requests

Posted: Fri Aug 30, 2019 2:11 pm
by pe1chl
and :commit for writing changes to the persistent memory
Ctrl+X again
There is a difference in philosophy. In RouterOS you can use "safe mode" to make some changes and they will be rolled back when you lose the connection.
I'm not sure what happens with the changes when you power-cycle the router halfway.
In some other equipment any change that you make is only made in memory and there is a separate command like "save" or "write" to
write all changes you made in memory back to the nonvolatile memory device. A power-cycle before that will reset all configuration to what it was
when you last saved it. Commands exist to reboot the device (to its last saved configuration) after some elapsed time.
So you can work on the device for a time interval you choose yourself, and when you lose connection you wait until the interval elapses and you
get your connection back with the last saved settings. During your work you can disconnect, it will not affect this thing.

Advantage: you can work e.g. on VPN settings that result in disconnect/reconnect which is not possible in RouterOS "safe mode".
Disadvantage: there is always the risk that you forget to save some change, and months later, when the power is cycled, you suddenly find
yourself back at an older configuration. Of course when you work regularly with such devices you have it wired in your fingers to always type
"write mem" or "save" or click some button whenever you have changed something. But for MikroTik users such a change would be major
and would certainly lead to some frustration and misunderstanding.

There is also another model where you can batch up some changes and then you "apply" them all in one transaction. That is similar to the { commands }
construct in RouterOS. However this is not available in GUI modes (winbox/webfig).

Re: Feature requests

Posted: Fri Aug 30, 2019 2:36 pm
by Chupaka
and what about ansible + ssh ?
What's wrong with ansible + ssh?

Re: Feature requests

Posted: Fri Aug 30, 2019 4:09 pm
by Magres
and what about ansible + ssh ?
What's wrong with ansible + ssh?
It's not obvious how to send CTRL+_ commands over ssh.
While reconfiguring routeros the ssh session could be broken and all the changes will be discarded due to safe mode.

Re: Feature requests

Posted: Fri Aug 30, 2019 5:15 pm
by Chupaka
It's not obvious how to send CTRL+_ commands over ssh.
Yeah, reading the docs is kind of a requirement...
While reconfiguring routeros the ssh session could be broken and all the changes will be discarded due to safe mode.
Is it what you expect or what you're afraid of? Because it's like this by design: if you broke access 'forever', it will be rolled back. But generally ssh is quite tolerant to network instability.

Re: Feature requests

Posted: Fri Aug 30, 2019 5:41 pm
by pe1chl
Is it what you expect or what you're afraid of? Because it's like this by design: if you broke access 'forever', it will be rolled back. But generally ssh is quite tolerant to network instability.
Well, it is certainly a weak point in the RouterOS "safe mode" that it immediately rolls back all changes upon any disconnect, without some form of timeout.
I have experienced a couple of times that I could not complete a change without disconnect/re-connect and so was unable to use "safe mode".
Fortunately RouterOS often allows things that other systems don't, so it is possible to go through the steps required without much risk of a permanent lockout.

Still I think it would be useful to have some mode where all changes are only made in memory and are not saved until that mode is left, independent of disconnection.
You could set up a scheduled job to do a reboot, then set memory-mode and make your changes and test them, and when everything is fine you save the changes
and remove the job. When you get locked out the job reboots the router and it falls back to the previously saved configuration.

Re: Feature requests

Posted: Fri Aug 30, 2019 6:51 pm
by Chupaka
Well, for now you can do a backup and set up a scheduler job to restore that backup, right?

Re: Feature requests

Posted: Fri Sep 06, 2019 9:09 am
by barts
Hello guys!

After I got a reply from Ticket#2019052822002647, here is what we need to make the SFPONU work with some ISPs.

We need to have the possibility to set the parameters GPON password and GPON serial number in MikroTik RouterOS to authenticate to the ISP OLT, as ISPs change those parameters for safety.

Image
(https://ibb.co/q1YCkhF)

Many thanks

Re: Feature requests

Posted: Fri Sep 06, 2019 11:54 pm
by Error0x29A
We need to have the possibility to set the parameters GPON password and GPON serial number in MikroTik RouterOS to authenticate in ISP OLT

These parameters are hardcoded into EEPROM/Flash of the ONU. Most of the time protected with a password.
Read CarlitoxxPro thoughts on it
viewtopic.php?f=1&t=116346

Re: Feature requests

Posted: Sat Sep 07, 2019 12:17 pm
by ludvik
Please add hashlimit: http://ipset.netfilter.org/iptables-extensions.man.html

And second most wanted for me is ACL for DNS server. Solution by firewall needs conntrack.

Re: Feature requests

Posted: Sun Sep 08, 2019 4:08 pm
by Chupaka
Isn't "dst-limit" what you're looking for?

Re: Feature requests

Posted: Mon Sep 09, 2019 1:57 am
by ludvik
I don't know ... is it the same? Hashlimit has more parameters.
Isn't "dst-limit" what you're looking for?

Re: Feature requests

Posted: Wed Sep 11, 2019 5:29 am
by Chupaka
Many RouterOS features have different sets of parameters compared to upstreams. Let's start from your goal, not from the way to achieve it.

Re: Feature requests

Posted: Wed Sep 11, 2019 4:34 pm
by 2dfx
Please add to the OVPN Client (open-vpn) in "Dial Out":
More than one "Connect To"
Selection parameter "Remote random" or "Round robin"
Input parameter "connect-timeout". When connecting to a remote server, do not wait for an answer for more than n seconds. The default value is 120s.

Re: Feature requests

Posted: Wed Sep 11, 2019 9:31 pm
by IPANetEngineer
Is it what you expect or what you're afraid of? Because it's like this by design: if you broke access 'forever', it will be rolled back. But generally ssh is quite tolerant to network instability.
Well, it is certainly a weak point in the RouterOS "safe mode" that it immediately rolls back all changes upon any disconnect, without some form of timeout.
I have experienced a couple of times that I could not complete a change without disconnect/re-connect and so was unable to use "safe mode".
Fortunately RouterOS often allows things that other systems don't, so it is possible to go through the steps required without much risk of a permanent lockout.

Still I think it would be useful to have some mode where all changes are only made in memory and are not saved until that mode is left, independent of disconnection.
You could set up a scheduled job to do a reboot, then set memory-mode and make your changes and test them, and when everything is fine you save the changes
and remove the job. When you get locked out the job reboots the router and it falls back to the previously saved configuration.

Taking this a step further, I'd love to see a commit/confirm process similar to Juniper JUNOS so that you can preview changes and then commit them.

Re: Feature requests

Posted: Thu Sep 12, 2019 7:58 am
by StevenGT
Please make winbox config file compatible with mobile app