Feature requests

SDFadfasdfadsf · Sun Feb 19, 2017 2:47 am

RFC 8092 BGP Large Communities implementation Feature Requested 2016090522001073

timeline available?

JanezFord · Thu Feb 23, 2017 12:58 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.

Thu Feb 23, 2017 1:14 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.

This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.

JanezFord · Thu Feb 23, 2017 8:30 pm

This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.

Thank you, I will look at your suggestion ... but anyway I find it would be way more user friendly to have for example a "Locate" button in Routerboard menu instead of having to program scripts for such a task.

JF.

anuser · Mon Feb 27, 2017 5:40 pm

What about enhancing CAPSMAN:
- centralized upgrade for RouterBoot (button for "/system routerboard upgrade") would be nice.
- "Right click" into remote CAPs list and directly connect to one of the CAP device itself
- management of all routerboards, also without wifi

CerpinTaxt · Wed Mar 01, 2017 3:16 am

Usermanager:
Currently, maintaining users via web browser provides more information than can be obtained using the CLI directly on the router (e.g. Total time left/Till Time can be seen on browser, but not Winbox) this makes using the API to get this information impossible. Could this be added in the output of

/tool user-manager user print

or even

/tool user-manager user print detail

would be great. The CLI should have everything a GUI has (plus more?!)

gilson · Sat Mar 04, 2017 10:02 pm

While using Winbox, I always missed the ability to allow to mark and copy form the log panel to clip board, as well a Find box. It would be very useful.

Wyz4k · Mon Mar 06, 2017 3:04 am

The ability to copy and paste data more easily.
1) Selected text from the log to the clipboard.
2) From random tables into the clipboard in csv format.

hyperpaccket · Mon Mar 06, 2017 6:15 am

More than 2GB of ram for the X86 Build.

JanezFord · Fri Mar 10, 2017 2:39 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.
This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.

Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...

JF.

mlow · Fri Mar 10, 2017 11:43 pm

RFC6939 for the DHCPv6 relay.
Would be extremely useful for doing MAC address based DHCPv6 reservationsRFC4649

exploit · Mon Mar 13, 2017 7:55 am

1. I believe that you need to add ability to associate an IP address with two different mac-addresses. This allows you to give the same network address to a device that connects at different times from different interfaces (for example, ethernet or Wi-Fi in laptops)
This feature is implemented in dnsmasq (for example, dhcp-host=38:B1:DB:38:B4:23,28:d2:44:d0:e0:3e,192.168.0.111)

2. I do not receive the network route specified in the profile of the l2tp client. This topic was previously discussed in your forum: viewtopic.php?t=56079
This feature is implemented in SoftEther

Thus, both possibilities requested by me are technically feasible.

meckanix · Wed Mar 15, 2017 4:29 pm

Can we add a VRF setting to the DHCP relay so that the relay can be used within a VRF?

neticted · Fri Mar 17, 2017 1:18 pm

I use wireless roaming feature and I have set Signal range in Access list to kick clients with low signals.

It works fine for most of the time but sometimes some clients got kicked frequently even with good signal.

After some time of monitoring this issue I concluded that problem is that it happens that client momentarily is received with low signal, and Mikrotik kicks it at once.

If I set lowest allowed signal to very low, client does not get kicked. But, that ruins whole idea of roaming as then clients stay connected to node even with very low signal.

My proposal is to introduce option to set hysteresis (delay) to kicking clients if signal is out of specified level range. Goal is to kick client if it really has low signal for some time not just because it is measured low for a moment.

lavv17 · Wed Mar 29, 2017 3:41 pm

Hello!

RouterOS "ip route print where dst-address in x.x.x.x/z" is fast. But for a reason the same for ipv6 is slow (when the number of routes is large).

Please, make ipv6 route lookups fast as well.

savage · Wed Mar 29, 2017 3:44 pm

Hello!

RouterOS "ip route print where dst-address in x.x.x.x/z" is fast. But for a reason the same for ipv6 is slow (when the number of routes is large).

Please, make ipv6 route lookups fast as well.

And IPv6 filter on dst-address doesn't work at all in Winbox

Wyz4k · Thu Mar 30, 2017 4:09 am

Bridge-like filtering (L2) for Mesh.

lavv17 · Tue Apr 04, 2017 12:34 pm

It would be nice if routing updates were more atomic. Currently converging BGP full view can lead to temporary routing loops. They last for a minute or two.

My setup consists of 3 CCR1036 routers facing different providers; iBGP between each pair of them. When a router boots up, a temporary loop can be created for a pair of minutes.

Also I'd like to repeat my plea of a graceful reboot option: viewtopic.php?f=1&t=45934&p=556840&hili ... ul#p556840

Nee · Tue Apr 11, 2017 5:03 pm

1. dstnat for output chain - i.e. to route Mikrotik's DNS requests to different DNS servers / interfaces
2. hardware ipsec acceleration for processors, which support it (i.e. RB3011) - maximum ipsec performance is the must for many modern configs, imho

Wyz4k · Thu Apr 13, 2017 8:11 am

Please add a button to clear the log. It's practically impossible to try and debug routers over crappy connections when just attempting to load the log causes the connection to break. If I could periodically clear the log it would reduce the traffic enough for the connection to remain viable.

I've tried the methods listed on the forum and they no longer work.

OnixJonix · Thu Apr 13, 2017 10:32 am

Please come up with CAPS logs explanation!!!!
Stuck with capsman problems - see problems in log files, but not sure what it mean an what direction look for!!

for example:
caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]

Thu Apr 13, 2017 11:39 am

caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]

You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.

OnixJonix · Thu Apr 13, 2017 1:08 pm

caps,error removing stale connection [E4:XX:8C:D4:11:99/18/b823,Run,[E4:XX:8C:D4:11:99]] because of ident conflict with [E4:XX:8C:D4:11:99/18/e84d,Join,[E4:XX:8C:D4:11:99]]
You might be using the same certificate on multiple CAPs. Take this as an educated guess, not a definitive answer.

No certificates at all!! Maybe thats the problem??

Thu Apr 13, 2017 1:33 pm

No certificates at all!! Maybe thats the problem??

Another guess- CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone configuration of CAP devices?

felipelinkmais · Thu Apr 13, 2017 9:31 pm

Will be nice if mikrotik create a new OLT package.. to turn any mikrotik device with sfp slot in one GPON/EPON OLT.

OnixJonix · Tue Apr 18, 2017 8:25 am

No certificates at all!! Maybe thats the problem??
Another guess- CAPs with duplicated MAC addresses. Do you happen to use backup/restore to clone configuration of CAP devices?

Have ~50Caps - in Capsman Radio list shows all, and in the list no dublicated macs!!! This was my first gues, but seems there everything is ok!!

Wyz4k · Tue Apr 18, 2017 10:34 am

Please make it possible to change the comment associated with a connection without it restarting said connection.

Wyz4k · Wed Apr 19, 2017 6:39 am

Could we get the LAC (local area code) also being displayed in in the info box for 3G/4G modems? This information is required to locate the sim. Currently the cellid is being displayed and it's possible to determine MCC and MNC. See http://cellidfinder.com/

scus · Wed Apr 19, 2017 3:54 pm

In case that public key authentication is used (and passwords are disabled) the SSH server should drop the connection immediately if no public key is provided by the client (instead of asking for a password and denying access even if a valid password is provided). There should also be a configuration option to allow password authentication in addition to public key authentication.

I have thousands of failed login attempts (from different IPs), all trying to login as admin, user, test, etc. using passwords...

juliokato · Wed Apr 19, 2017 5:06 pm

[Active Users (Admins)]
Is there any way to cut the connection of a remote admin.
Amazing how this feature does not exist!

Wed Apr 19, 2017 9:21 pm

Do you want to be cut off by a hacker?

juliokato · Thu Apr 20, 2017 3:25 pm

Look this:
How do I delete previous sessions stuck in an easy way?

macsrwe · Fri Apr 21, 2017 9:29 pm

Hi,

Please add feature that will allow me to add DNS name instead of exact IP address. I need this to connect 2 or more MKT routers (PPTP connection) if they are connected to internet thru ADSL and theirs IP addresses are dynamic. I hope that you understand what I am saying and that we can expect this feature in new ROS.

bye,

i think that this should be global. anywhere you specify a dns name it should be resolved.

Yes, but not immediately - it should be stored as a DNS name and resolved in real time. For example, it's pointless to resolve /tool email server once and store it as a numeric address, which is why ROS will store it as a name. However, /system watchdog resolves the same server once and then stores it as a number, which is wrong. Also, you don't want things to fail because they can't be resolved immediately when you are configuring a router on a workbench and it has no connection to your network.

macsrwe · Fri Apr 21, 2017 9:34 pm

Please make it possible to change the comment associated with a connection without it restarting said connection.

This would be good for both /int wireless access and /int wireless connection; also the "add to access list" and "add to connection list" operations, where you already know that the resulting entry will not be incompatible with the connection that already exists, because it is being generated from that connection.

macsrwe · Fri Apr 21, 2017 9:38 pm

Please add some kind of "find router" feature. I often take over projects from other people and have to search for bunch of devices sometimes in many rooms even buildings. A simple "beep constantly" feature could save me a lot of time. You wouldn't believe where people put their routers and wifi access points. This way devices can be located without disrupting their operation. Beep constantly + maybe some kind of LED visual feedback would be nice to have.

JF.
This is already possible, there is a :beep console command and also leds can be turned on/off. Simple script will do the trick.
Hmm... can't make any of the 20 wAP devices beep.... is it just me or the damn thing does not have a beeper??? The 850Gx2 beeps OK...

JF.

Many of the newer, lower-cost devices have no beepers.

I have come to rely on the beepers for so much diagnosis (esp. SXT setup) and I really miss them. I would pay the extra buck.

horhay · Fri Apr 21, 2017 11:44 pm

Help us old keyboarders out and add ALT tags to menu and buttons.

This way we can use ALT C for a Close button or ALT O for OK.

skuykend · Sat Apr 22, 2017 3:59 am

During an Export of /Interface/Ethernet/Switch/Ports it would be nice to have it use a [ find default-name=xxxxx ] like the /interface ethernet export instead just the set#.

Andrew08 · Sat Apr 22, 2017 10:32 am

Ip dns port support
So for example we can use 208.67.220.220:443

biatche · Sat Apr 22, 2017 4:39 pm

Requesting for neater and more readable exports

currently:

export compact
/something1
some config
/something2
some config

suggestion:

export compact
/something1
some config

/something2
somet config

spacing them out improves readability a lot.

Zero3K · Sun Apr 23, 2017 1:33 am

It would be nice if there was an option to display a box containing the Ethernet and DHCP Clients (with the Mac, IP, and how long it has been online) connected to it in the Quick Set page.

tawhwat · Sun Apr 23, 2017 5:29 pm

I believe this request can be implemented very fast but it helps the ROS management with Multiple WAN a lot!

The "/ping" and "/system ssh" allow user to specify the "src-address" parameter so that the command can initiate the network connection on specific WAN easily.
BUT "/tool fetch" doesn't include "src-address" parameter.

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to archive this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adds the "src-address" parameter to "/tool fetch"

juliokato · Sun Apr 23, 2017 7:26 pm

I believe this request can be implemented very fast but it helps the ROS management with Multiple WAN a lot!
The "/ping" and "/system ssh" allow user to specify the "src-address" parameter so that the command can initiate the network connection on specific WAN easily.
BUT "/tool fetch" doesn't include "src-address" parameter.

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to archive this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adds the "src-address" parameter to "/tool fetch"

+1

biatche · Mon Apr 24, 2017 8:02 pm

please, MSTP & PVRSTP next version...

sparker · Tue Apr 25, 2017 9:49 am

+1
Really need, please!

biatche · Wed Apr 26, 2017 5:55 am

request: a default set if IPv6 firewall rules with IPv6 enabled be default

Wyz4k · Wed Apr 26, 2017 6:46 am

Please add the ability to do a where query in [] with any valid-variable.

fail example:
:local identity "testRouter"
:local interface [/ip neighbor find where identity=$identity]

fail reason:
result differs from :local interface [/ip neighbor find where identity="testRouter"]
contains several interface which don't have the specified identity.

pass example:
:local macAddress "00:11:22:33:44:55"
:local interface [/ip neighbor find where mac-address=$macAddress]

pass reason:
gives exact same result as :local interface [/ip neighbor find where mac-address="00:11:22:33:44:55"]
contains only interfaces that have that MAC address

Chupaka · Thu Apr 27, 2017 2:08 am

The problem is one ISP blocks all incoming ping request, thus I cannot use ping as a remote monitoring facility, I need to find alternatives to archive this goal.
I write script to carry out the monitoring job, but as I know, "/system ssh" cannot be executed under script environment, which means I cannot use "/system ssh" to do this job.
The only way to choose is to use "/tool fetch" facility to monitor the remote ROS, BUT it lacks "src-address" parameter, to supplement this deficiency, before using the "/tool fetch", I need to specify a temporary custom route to fix the outgoing path for remote target.

The whole situation can be simplified tremendously by only adds the "src-address" parameter to "/tool fetch"

setup some VPN tunnel between the routers

then you may ping inside the VPN, or just use VPN Interface state to detect remote failure

Chupaka · Thu Apr 27, 2017 2:15 am

Please add the ability to do a where query in [] with any valid-variable.

fail example:
:local identity "testRouter"
:local interface [/ip neighbor find where identity=$identity]

fail reason:
result differs from :local interface [/ip neighbor find where identity="testRouter"]
contains several interface which don't have the specified identity.

that's because the variable name "identity" is the same as parameter name "identity". the following code works correctly:

:local id "testRouter"
:local interface [/ip neighbor find where identity=$id]

by the way, use the following is also correct:

:local interface [/ip neighbor find where $identity=$id]
:local interface [/ip neighbor find $identity=$id]

Wyz4k · Thu Apr 27, 2017 5:39 am

Thank you, I will try it out!

doneware · Thu Apr 27, 2017 9:37 pm

this one can be quite neat if someone is into parental control

https://datatracker.ietf.org/doc/draft- ... -clientid/

the code is there in dnsmasq since 2.76

Wyz4k · Fri Apr 28, 2017 3:58 am

Can we get standard 802.11s support? https://wiki.mikrotik.com/wiki/Manual:I ... e/HWMPplus indicates that the HWMP+ protocol is based on 802.11s draft but is not compatible with it.

kalaposl · Fri Apr 28, 2017 1:00 pm

I would love if I could run a script as a firewall action.

doneware · Sat Apr 29, 2017 12:25 am

I would love if I could run a script as a firewall action.

this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.

macsrwe · Sat Apr 29, 2017 2:27 am

I've been waiting over five years for /system upgrade upgrade-package-source to allow specification of its password parameter on the command line instead of demanding it interactively. This one deficiency makes Flashfig entirely useless to us and makes initializing every one of our MikroTik CPEs a multi-step manual process. I've been told this is done for "security," but every other password, encryption key, secret, etc. can be set from the CLI except this one (which is a relatively minor "security" function at best), so I'm not buying that argument. How hard can this be, guys?

nordex · Sat Apr 29, 2017 8:14 pm

Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks

Wyz4k · Mon May 01, 2017 4:10 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.

You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.

Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks

On that note, it would be really great to have an average cpu value being displayed in the resources tab. At the moment I have to run a script periodically and try to calculate this on my own.

biatche · Mon May 01, 2017 6:07 am

request switch vlan support on RB750Gr3

doneware · Wed May 03, 2017 10:57 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.

there are certain "optimised" actions (like add-src/dst-to-address-list) which could have their "script" counterparts, but that doesn't mean they're the same. packet forwarding is not a thing where one want to mess with interpreted code. and running a script (executing a series of routeros commands) is actually running an interpreted code.
where i do see the quite a bit of flexibility, but it is a fundamental change how the PF code is organised. say we're just fine with a serialised code execution on a single core if it comes down to handle a flow, but that doesn't mean that cpu cycles are there to be wasted on unoptimised execution. also for me is not clear whether the script should be run in a non-blocking or blocking manner. all in all, since its just a set of interpretable code, it would be quite unpredictable whether it is to be executed parallelised or not. the result would be varying delay that could potentially affect (read: ruin) TCP throughput.

i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then its up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

i think this fulfils your requirements of "hands shall not be bound", but also provides enough safeguarding for the "not so creative/unexperienced" users, whose forwarding performance would be seriously degraded by running code based on firewall rule matches. and for the RouterOS developers its always a give-and-take situation, where to go, what to risk: provide a very versatile toolset where you can do anything, which can (and most probably will) result a thousands of trouble-tickets and sad faces when used inappropriately, or leave it to be solved by the excessive creativity of the few ones who actually do require it. they need to think in the dimensions of megapackets per seconds for a while, and "tinkering" does not fit into the scope no more. and there is a whole world outside of RouterOS, a lots of tools that may be used to contribute to its original functionality, we just need to think outside the box.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)

Wyz4k · Wed May 03, 2017 4:54 pm

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then its up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)

I don't see why it's not possible to do the same with a run script on hit rule with some guidelines as you mention exists for the L7 rules. Unfortunately not everybody reads MUM slides.

Yes, the method that you describe of using a firewall rule and logging is an option, but potentially something that can become really messy really quickly.

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.

doneware · Wed May 03, 2017 5:52 pm

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.

seems we have to leave it to Mikrotik guys do decide which way to go

Wyz4k · Thu May 04, 2017 7:46 am

seems we have to leave it to Mikrotik guys do decide which way to go

Indupitably

Wyz4k · Wed May 10, 2017 8:11 am

Please add the ability to ping / ssh / telnet / other from the ip dhcp-server screen in winbox. This is already offered from the wireless registration page.

Any chance we could get the ability to form simple socket connections / ssh from the router in a script? Currently it's really one sided in that it's possible to connect to the router, but not possible for the router to automatically connect to other things.

makstex · Thu May 11, 2017 7:25 am

Please add compression for the OpenVPN client.

Wyz4k · Thu May 11, 2017 9:16 am

Could we get a proper AT command + reply interface?

Sending down AT commands in the info string and then having them randomly overwrite some output as a response is far from ideal.

On that same topic, it would be great if the /interface ppp-client info section can be rewritten to go away and read all the data and then come back with the data instead of having to be polled repeatedly hoping to get all the data after x polls.

felipelinkmais · Thu May 11, 2017 4:34 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!

teddyhsu · Fri May 12, 2017 2:25 pm

I hope I can create a counter only supout file, that only take process information and count connections and users.

When my routerboard have more then 100K connections and 2000 users, making supout file will take more 2 hours and bigger then 1GB.
The heavy loading reboot is very hard to debug.

Wyz4k · Sat May 13, 2017 3:38 pm

I would like to request the required changes in order to allow 3G/LTE signal strength to be monitored on a continual basis without interrupting the signal - see https://forum.sierrawireless.com/viewto ... 108#p41108

Mon May 15, 2017 12:20 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!

this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...

macsrwe · Tue May 16, 2017 10:11 pm

/ip firewall address-list has a creation-time field that is read only, although it appears in the add box. It would be quite handy if that were writeable at add time, such that the entry would take effect at whatever date and time is entered. This would allow us to schedule changes in account behavior at a future date without having to be sure to log in on that date to make it happen.

SiB · Wed May 17, 2017 10:14 am

Now I must create the same few rules in FILTER ICON again and again in many place of WinBox (I use AutoIt to do it like workaround)
PLEASE ADD the SAVE option for filtering rules.
I will be creating prifile filters like, dhcp with dynamic only, Arp static only, Contrack show network1, conntrack show net2 - You gotta idea. Open filters and select own save before filters rules - perfect.

CsXen · Wed May 17, 2017 11:19 am

Hi.
I know, that Mikrotik dropped the mipsle platform support... I know... but..
Please, backport two fantastic changes to mipsle, specifically to RB532.
1. WPS client mode.
2. EAP-PEAP-MSCHAPv2

Please, make a "routeros-mipsle-6.32.5" package with these features to make our old routers happier.

Thanks and best regards: CsXen

Vooray · Tue May 23, 2017 10:39 am

Please, add /31 mask on p2p support (rfc3021).

freemannnn · Mon May 29, 2017 3:12 pm

it would be nice in capsman interfaces tab a column with how many devices are connected per cap.

Murmaider · Mon May 29, 2017 8:46 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...

+1 for this, it makes the current traffic flow implementation 99% complete. It's that 1% we all need to make it useful to anyone using BGP.

5nik · Thu Jun 01, 2017 12:58 pm

Please add support for DHCPInform for PPP link. It is usefull for Windows VPN clients (push additional info such as domain name, classless routes etc.). Now I must redirect DHCPInform request from PPP to external DHCP server.

Pilson · Fri Jun 02, 2017 9:40 pm

Please add support for setup l2tp client source portselection - set port by maunal, or set random port. Something like /interface l2tp-client set l2tp-out1 src-port=port_number, or src-port=random. It would be a very useful feature, especially if multiple l2tp clients + ipsec establishes connections from local network via one NAT address.
Thanks.

aacable · Sat Jun 10, 2017 8:35 am

'Unmetered Content' / to bypass local servers from radius accounting.

maznu · Sun Jun 11, 2017 1:45 am

You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:

Screen Shot 2017-06-10 at 23.44.39.png

craterman · Sun Jun 11, 2017 11:07 am

Please add:
- Incremental SPF
- IP FRR (RFC5714) and microloops (RFC5715)
- LFA (RFC5286) & Remote LFA (RFC7490)

And it would be really great if you add:
- RSVP FRR (RFC4090)
- MRT (RFC7812)

Sob · Sun Jun 11, 2017 7:13 pm

About the WireGuard idea, are you a time traveller writing to us from future?

I almost got excited, but at present time, things don't look so bright yet:

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

So I think I'll stick with wanting better OpenVPN for a while, at least until this happens:

After version 1 is finalized, an RFC will be written and standardized.

maznu · Sun Jun 11, 2017 7:23 pm

About the WireGuard idea, are you a time traveller writing to us from future? :)

Spoiler alert: Trump gets impeached!

…but I'm not going to reveal which one is released first: WireGuard v1.0 and RouterOS v7.0 :)

drivebydex · Wed Jun 14, 2017 11:53 pm

Please add in capsman registration table "active host name" and "active address"! THX

ajack46 · Thu Jun 22, 2017 3:51 pm

Providing Compression for the OpenVPN client, would be something i would wish for.

biatche · Sat Jul 01, 2017 10:45 am

1. add /ip route check-gateway-ping-interval
2. ability to customize fasttrack rules a little bit. more dual wan friendly. right now i cannot figure out a way to have fasttrack with both ipsec and multi wan, although it does appear possible if its just one extra feature.

th0massin0 · Sat Jul 01, 2017 4:34 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.

biatche · Sat Jul 01, 2017 9:59 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.

i made some workarounds to make fasttrack+ipsec+dualwan all work together..but i really wish they'd come up with something better

biatche · Sat Jul 01, 2017 10:01 pm

/tool fetch keep-result (yes | no; Default: yes) If yes, creates an input file.

rename this to save-tofile or something.... from what i am seeing, keep-result appears to save the output to disk. or is it input? i've no idea anymore.

MT could possibly hire an englishman to straighten the terms out.

th0massin0 · Mon Jul 03, 2017 1:22 am

Could you please describe how did you worked out port forwarding in dual wan environment with fasttrack?

platitude · Tue Jul 04, 2017 11:59 pm

DNSCrypt feature request topic has been started in 2012! Your customers waiting it about 5 years and still no support from you. Looks like you are not interested in customer's data privacy at all. Now open your eyes, read the message and satisfy us.

biatche · Sun Jul 09, 2017 2:42 am

add tool: tcp/udp open port tester.

pe1chl · Sun Jul 09, 2017 12:34 pm

Feature request: move all configuration related to one physical interface to another.
E.g. you have a router with two hardware switches or with ports inside/outside switch.
You have configured e.g. ether8 which is on switch2 with all kinds of options (address, dhcp server, firewall config, etc)
and you decide it would be better to move all this to ether4 which is on switch1, e.g. because you want to free up a port
that is on switch2, to do hardware switching to the other ports on that switch. It would be convenient when this could
be done with a single command, just like an interface can be renamed with a single command and it is reflected everywhere
in the config. After issuing that command and plugging the cable from port 8 to port 4, all functionality would remain the same.
For practical purposes (what would happen to the config that was on port 4), maybe the easiest implementation would
be in the form of "swap interface configurations" What was on ether4 will be on ether8 and vice-versa.

msatter · Sun Jul 09, 2017 2:21 pm

When adding an adress in large adress-list is a PITA when an address already exits. The the script is stopped an you can work with on-error to seek sequential through the list use set to update it timeout on the dynamic address. This takes ages when you have to seek each time.

On the moment you get collision it would be a pleasure to be able to directly use set on that entry to set the expire time in the on-error.

cental63 · Sun Jul 09, 2017 6:22 pm

I find that Userman is a really good choice to build a hotspot service for a company, but i think, as installer, that there is something missing, few things like embedded sms verification (and not the script), and the one that i found more interesting, make the userman database readable (just think about a company with a newsletter). All could be added to make userman like a serious radius server (chr would allows more performance for anought clients). more competitive !
Thats all

Regards from an Italian user

schadom · Sun Jul 09, 2017 7:56 pm

Please add the 'Comments' column and the 'Add/Edit Comment Button' which is currently missing in WinBox 3.11 under

Routing =>BGP => Networks
Routing => BGP => Aggregates

Interestingly it is available in Routing => OSPF => Networks, but missing in all of the other tabs
While I personally prefer the CLI for configuration, WinBox is nice to get a quick overview.

Thanks

Wyz4k · Thu Aug 10, 2017 1:39 pm

Please add SMB support to the fetch tool or the ability to limit FTP accounts to specific folders to the FTP server. The SMB server is considerably more advanced than the FTP server on Mikrotik and makes it easier to limit clients to a specific folder.

pe1chl · Fri Aug 11, 2017 12:16 pm

/queue tree elements can now only match on "packet marks", when multiple packet marks are specified they are OR'ed.

Please add the capability to also match on the "packet priority" field, and make it an AND match with the packet marks.
(so if a queue tree element is specified with both packet marks and a priority, it will only be used when one of the specified packet
marks is present AND the priority field of the packet is as specified)

Alternatively, introduce the option of doing an AND match on packet marks. It is already possible (although cumbersome)
to add packet marks based on the packet priority field.

dgrenetz · Wed Sep 13, 2017 2:31 am

We are deploying Mikrotik virtual appliances to centralize and replace several disparate VPN solutions. We need a way to hand out our domain suffix to VPN clients so they won't have to use Netbios broadcast to resolve names. Currently, without domain suffix setting, accessing hosts by hostname takes about 5 seconds longer than it does on our existing legacy VPN solutions. I Googled the issue and see people complaining about this all the way back to 2010. However I do not see it anywhere in this Feature Request thread. Longstanding issue - please help!!
David

diasem · Tue Sep 19, 2017 1:22 am

Normis add /31 address for PTP links.

Chupaka · Tue Sep 19, 2017 10:23 am

Normis add /31 address for PTP links.

/ip address add interface=ether1 address=192.0.2.2/32 network=192.0.2.3

vytuz · Tue Sep 19, 2017 3:09 pm

Do You maybe have in plans to make more detailed user group list? Different user access to i.e. wireless, firewall filter, nat rules, ip addresses, dhcp and etc. I imagine it may be hard to add databases and additional cunfiguration to every configuration field. Maybe any possibility to add at least additional wireless user option. Clients sometimes wants to change wifi name, password, but we do not want to allow to change other options with given password.

nelfou · Fri Sep 22, 2017 1:07 pm

Being able to customize the hAP WPS button behavior, like having it trigger a script.
(our use case would be to easily turn the Wi-Fi on/off)

Vooray · Sat Sep 23, 2017 8:42 pm

Hey, Mikrotik team!

Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

Chupaka · Mon Sep 25, 2017 11:01 am

It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

... and routing table/vrf

OnixJonix · Tue Sep 26, 2017 12:37 pm

Make Address List from DHCP lease table!!
For example - select multiple LEASE entries and put them in address list (then you can use for firewall)!! Something like in wirelless - you can add entries from registration table to access list!!
Thansk!

Tue Sep 26, 2017 1:53 pm

Lease script doesn't work for you in this case?

Chupaka · Tue Sep 26, 2017 3:59 pm

Looks like he needs it in WinBox (one-time context menu like 'Make static' or something)

By the way, if your leases are static, you can just set 'Address List' for them

bajodel · Wed Sep 27, 2017 12:41 am

Hey, Mikrotik team!
Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

..and the possibility to set source address (e.g. remote ipsec hosts)

Wed Sep 27, 2017 1:46 am

Hey, Mikrotik team!

Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

Netwatch can trigger a script.

Example - my netwatch:

/tool netwatch
add comment="Watch Dog" down-script="log info \"Netwatch missed a ping to 192.0.2.254 - starting 5 minute timeout script\" ; /system script run NetWatchBoot-192.0.2.254" host=192.0.2.254 timeout=1s500ms

Example - My script called by netwatch:
/system script
add name=NetWatchBoot-192.0.2.254 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local addresstoping 192.0.2.254;
:local addresstoping 192.0.2.254;
:local interface "wlan1";
#
:local continue true;
:local counter 0;
:local maxcounter 28;
:local sleepseconds 10;
:local goodpings 0;
:log error "-----> Tom's Netwatch-Script-Warning - Netwatch could not ping $addresstoping - Will begin further testing in $sleepseconds seconds - and will continue for $maxcounter times $sleepseconds seconds";
:while ($continue) do={
:set counter ($counter + 1);
:delay $sleepseconds;
:if ([/ping $addresstoping interval=1 count=1] =0) do={
:log info "----->ping to $addresstoping failed on attempt $counter of $maxcounter -- Will try again in $sleepseconds seconds";
} else {
:log warning "-----> ping success on to $addresstoping attempt $counter of $maxcounter <----- No Further testing needed --- Program will exit -----";
:set continue false;
:set goodpings ($goodpings +1);
/interface wireless monitor $interface once without-paging do={
:local status $"status";
:local band $"band";
:local freq $"frequency";
:local wprotocol $"wireless-protocol";
:local noise $"noise-floor";
:local signal $"signal-strength";
:local snr $"signal-to-noise";
:local thruput $"p-throughput";
:log info "-----> Status: $status --- Band: $band --- Frequency: $frequency --- WProtocol: $wprotocol --- NoiseFloor: $noise";
:log info "-----> Optional Info if Available ---> SignalStrength: $signal --- SNR: $signal --- PThroughput: $throughput";
/interface wireless monitor $interface once
:local txr $"tx-rate";
:local rxr $"rx-rate";
:local sstr $"signal-strength";
:local signoise $"signal-to-noise";
:local curdistance $"current-distance";
:local txccq $"tx-ccq";
:local rxccq $"rx-ccq";
:log info "-----> TxRate: $txr --- RxRate: $rxr --- SignalStreng: $sstr --- SignalToNoise: $signoise --- CurrentDistance: $curdistance --- TxCcq: $txccq --- RxCcq: $rxccq";
};
}
:if ($counter=$maxcounter) do={:set continue false;}
}
:if ($"goodpings" = 0 ) do={
:log info "-----> Rebooting in 15 seconds";
:delay 5;
/file print file=ScriptRebootReason
/file set ScriptRebootReason.txt contents="Rebooted by Toms script on $[/system clock get date] at $[/system clock get time]"
:log error "-----> Rebooting in 10 seconds";
:delay 5;
:log error "-----> Rebooting in 5 seconds";
:delay 5;
:log error "-----> Rebooting now";
:delay 1;
/system reboot
/system reboot
/system reboot
/system reboot
}

With the above - a netwatch ping failure will trigger my script "NetWatchBoot-192.0.2.254"
The script will retry the ping for (:local maxcounter 28) 28 times
While pausing (:local sleepseconds 10;) 10 seconds between pings

If the script gets a ping response, the script aborts - and make a log.
If the script loops through the count-down and does not get a ping, the script will reboot the Mikrotik - and make a file named ScriptRebootReason just prior to the reboot.

I am sure this netwatch & script procedure could be modified to do many things you may want when netwatch triggers.

In my case, I have this netwatch & script on all of my Mikrotik client devices and all of my internal core network Mikrotik devices. The IP address 192.0.2.254 is an RFC IP address and is OK to use for in-house (non-external-Internet-Routed). If I want to reboot every Mikrotik everywhere on my network, all I need to do is disable the 192.0.2.254 device a few minutes. Presto - everything everywhere will auto-reboot. This is good for keeping Mikrotiks on-line when the network might have a problem.

North Idaho Tom Jones

Wed Sep 27, 2017 1:57 am

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible cryto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.

Wed Sep 27, 2017 10:31 am

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible cryto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.

+1

anv · Mon Oct 16, 2017 3:23 pm

Routeros openvpn server needs a way to push routes to the clients.

CsXen · Sat Oct 21, 2017 6:51 pm

Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find then faster with an eyeblick.

(I think, ANSI colors would be enough, but more color, more fun.)

An please, put a "find" option to log.

Best regards: Xen

WreckLoose · Tue Oct 24, 2017 11:25 pm

Yes, I think that a great feature would be greater support for Intel network interfaces. Most notably the I218 stuff. I would love top be able to run RouterOS in the Intel NUC.

Wed Oct 25, 2017 6:48 pm

Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find then faster with an eyeblick.
(I think, ANSI colors would be enough, but more color, more fun.)

An please, put a "find" option to log.

Best regards: Xen

It might be nice to have an option for color in the logs.
There is a work-around that I use which gives me three colors in my logs.

In your script that writes to the logs (or at the CLI prompt) you can use this:

log error "This is a log error --- RED"
log info "This is a log info --- BLACK"
log warning "This is a log warning --- Blue"

With the above 3 lines, you will see this in your logs:

This is a log error --- RED
This is a log info --- BLACK
This is a log warning --- Blue

North Idaho Tom Jones

gorec2005 · Fri Nov 03, 2017 6:43 am

Add please shadowsocks server & client ?

safiullahtariq · Sun Nov 26, 2017 2:30 pm

Can you please add a feature in which Hotspot doesn't account the local traffic, or to a specific subnet?

kometchtech · Fri Dec 01, 2017 4:15 pm

Despite being asked before in the past.
It seems that implementation of Wireguard is planned for the future Kernel.

https://www.phoronix.com/scan.php?page= ... d-Features

I would like you to consider implementing this function which has high encryption strength and excellent performance.
It seems that correspondence to several distributions is progressing as well.

Florian · Tue Dec 19, 2017 2:23 pm

I know it's not ready yet, but +1 on Wireguard.

You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:

Screen Shot 2017-06-10 at 23.44.39.png

pe1chl · Tue Dec 19, 2017 2:36 pm

When you read "it is planned in a future Linux kernel" you know it is not going to happen in RouterOS 6.x and probably not in 7.x either (because a kernel version probably has been decided on).
So, you can put it on the wishlist for RouterOS 8.x

Florian · Tue Dec 19, 2017 2:39 pm

I guess so, but, It's to show the devs my (or "ours") interest in this, if they can find a way to implement it, some people would be very happy.

lavv17 · Mon Dec 25, 2017 2:59 pm

I'd like to have a setting to change ppp aaa order: radius first, then local. The default is now local first.

ege · Tue Dec 26, 2017 6:52 pm

SSL Bump feature for webproxy like Squid-in-the-middle.
Thanks

eccles · Thu Dec 28, 2017 2:10 am

We really need two options which are normally provided with OpenVPN on most Routers:

a) LZO Compression - I suspect that this might be an issue if the CPU doesn't natively support it

b) UDP - We can achieve faster transmission (with less bandwidth) by using UDP instead of TCP. UDP is an OpenVPN option provided on all other routers that I have worked with. Our protocol incorporates all of the required checking to ensure reliable delivery so the additional overhead of TCP isn't required or justified.

The reason is that we are using the wapLTE device at remote sites with 4-G transmission of datalogging records to a central site. Bandwidth is expensive (we pay by the MB/GB). We have done what we can by reducing transmissions to one per day, etc. but with the increasing number of remote sites the cost of traffic is becoming a real issue. It seems that the local ISPs are wanting to capitalise on IoT device traffic, but in any case cellular data transfer is very expensive here.

Eric

pamribeirox · Thu Dec 28, 2017 1:37 pm

It should be very simple to add support for selecting the bits of the IPv6 RA that announce if the router have "High", "Medium" or "Low" preference for being selected as a default router for the terminals in the segment. (RFC4191 2.1 Preference values)
I know VRRP could be used for that, but I think this clean and native solution is better for IPv6 first hop redundancy.
As an example, Cisco does it with the command "ipv6 nd router-preference [High|Low|Medium]" at interface level.
regards.

pe1chl · Thu Dec 28, 2017 1:50 pm

It should be very simple to add support for selecting the bits of the IPv6 RA

I hope 2018 will be the year that MikroTik finally continue working on IPv6 support.

pamribeirox · Thu Dec 28, 2017 2:06 pm

To ease the management of IPv6 networks is useful as a first step to base them on the existing IPv4 network structure.
One of the things that could be done is using some elements embedded in the IPv6 link-local address so the Windows "ipconfig /all" (and alike from other OSs) provide an simple way to verify the terminal are correctly connected/configured.

RouterOS should allow us to change the IPv6 link-local address from the default one (based on EUI-64 logic) to a manual defined address in the block reserved for link-locals in the RFC4291 (fe80::/10)

Then, as an example, the interface with IPv4 address 192.0.2.1 could also have an IPv6 LL fe90::192:0:2:1

regards.

pe1chl · Mon Jan 01, 2018 1:23 pm

Feature request: enable WMM (QoS based on DSCP) for WiFi interfaces (preferably by default) without having to use mangle rules to set priority based on DSCP.
The disadvantage of mangle rules is that they only work when all "fast" options are disabled and when the "use IP firewall" is enabled on the bridge.
Competing products have WMM enabled by default without having to configure anything. In MikroTik it requires settings like:

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip settings
set allow-fast-path=no
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes

and deleting the "fast track" rules.
As some of these have quite global effect on performance, it would be preferable to have some way of just doing WMM with a simple checkmark in the Wireless settings.
(there is one, but it does not do the prioritization)

moose999 · Tue Jan 16, 2018 12:49 pm

I am aware I can control access to services (web, winbox, api, etc.) and rights (read, write, sensitive, etc.) but it would be very useful to be able to control access to features (/ip firewall nat for example) as well.

Does anyone know if this is possible?

Thanks,
Justin.

upower3 · Thu Jan 18, 2018 8:59 am

Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.

ViennaAustria · Thu Mar 01, 2018 9:23 am

I'd like to re-request the function of rinetd.

https://boutell.com/rinetd/
http://brewformulas.org/Rinetd

We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow uns to access these devices from remote (telnet, SSH, webinterface, SNMP, ...). A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.

If a rinetd-like function would be added to RouterOS it would be GREAT!

Thanks!
Thomas

upower3 · Thu Mar 01, 2018 9:28 am

I might me a bit wrong but why don't you just use NAT?

I'd like to re-request the function of rinetd.

pe1chl · Thu Mar 01, 2018 12:16 pm

I'd like to re-request the function of rinetd.

https://boutell.com/rinetd/
http://brewformulas.org/Rinetd

Never heard of that before, but I did similar things in the past using "netcat" ("nc")

We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow uns to access these devices from remote (telnet, SSH, webinterface, SNMP, ...).

You can do the same thing on a MikroTik using a src-nat and a dst-nat rule!

A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.

HOW???
A local linux box can be a Raspberry Pi which would be more like $50.

wtm · Sun Mar 04, 2018 2:06 am

Would like to see a Radius tester available for the "Tools section". Something along the lines of Radtest, so you can see that the external radius server is actually getting something from the Mikrotik router, and if not what the problem may be to fix it. Currently there is not enough information available in the Logging to help you on that.

Quasar · Fri Mar 09, 2018 2:45 pm

Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.

Another +1 for me. Please implement this, as WireGuard is steadily moving towards mainline kernel inclusion.

Virtual private networks with WireGuard

gerakon · Wed Mar 21, 2018 3:46 pm

In Winbox I think the Dashboard menu could go away and just have all of it's items enabled by default. Unless there's some reason people don't want to see this information or there is some amount of overhead on the router.

If it can't go away, it would be great if it would at least remember my settings between routers so that I don't have to re-enable them to compare times more easily between routers that are having IPSEC negotiation problems or when the CPU is maxed.

pe1chl · Wed Mar 21, 2018 5:01 pm

it would be great if it would at least remember my settings between routers

This is just a special case of the generic feature request to have some way of sharing settings in winbox between a large number of routers.
Some other requests have been seen to e.g. allow "set current winbox settings as default for new connections" and/or to simply allow
the sharing of the same settings between all routers in a Group.

Wed Mar 21, 2018 5:07 pm

This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as

Next time before connecting to new router pick saved session.

pe1chl · Wed Mar 21, 2018 5:35 pm

- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select colums should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menues and often does not fit on the screen so has to be scrolled as well.

hackclub · Wed Mar 21, 2018 8:51 pm

urgent request to (for) mikrotik
viewtopic.php?f=1&t=132062

gerakon · Thu Mar 22, 2018 12:26 am

This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as

Next time before connecting to new router pick saved session.

But then I have to do that on each of the hundreds of routers in my Winbox managed sessions list.... Right? I guess my point is that I see no reason at all why someone would not want to see the dashboard information in the upper right. Is there a reason? It's just extra stuff (menu options) that doesn't need to be there. Turn them on all the time for every session and just get rid of the Dashboard menu.

Unless there's some reason that I'm not seeing?

Thu Mar 22, 2018 12:28 am

Please increase Simple-Queue limits - they max at 4,294 Meg (aka 4.294 Gig)

ROS Simple-Queue - please increase the possible maximum limits and thresholds.
Currently on v6.41.3 and v6.41.2 (don't know about older versions) ,
The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
This presents a problem. I have multiple 10-Gig networks and on some networks I must use bandwidth limiters which are much faster than the built-in restricted values.

An example of need: 10-Gig physical Internet connection - Purchased Internet speed need to be maintained by my network equipment. Problem - the Mikrotik ROS will not accept any values greater than 4294M in any of the Winbox Simple-Queue fields

North Idaho Tom Jones

mkx · Thu Mar 22, 2018 11:25 am

The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.

.
Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.

Perhaps by giving us possibility to set unit ... e.g. bits/second (default, current setting) or kbps (gives 1000-times higher limits) or Mbps. After all, with Gbps speeds it is not really sensible to set limits with bps resolution. Or is it?

pe1chl · Thu Mar 22, 2018 11:43 am

Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.

That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.

WirelessRudy · Thu Mar 22, 2018 12:02 pm

- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select colums should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menues and often does not fit on the screen so has to be scrolled as well.

This is what I have been asking for several times over the years. It's good someone else now asks again.
Somewhere some Mikrotik guy decided what the default settings are when on a virgin router a virgin winbox is openend. I would like to be able to just change that 'virgin' setting myself.
By default winbox shows a lot of info I have never interest in. But many other field I need everytime again are not there by default.... Especial when you work with many PC's it would be easy to have one winbox.exe that is everywhere the same to MY like.

Thu Mar 22, 2018 5:09 pm

Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.

Well, I would suppose that if somebody (like me) needs a simple-queue setting in any of the fields greater than 4294-Meg, then they are likely running something with a big-beefy-CPU , such as a CHR on a fast Xeon processor or possibly a high-end or current or future Mikrotik hardware product.

I am pretty sure my CHR-x86-64Bit and my ROS-x86-32-Bit systems have plenty of CPU horse-power. All of my virtual ROS systems can btest to 127.0.0.1 in the 19+Gig ranges. (btest uses only 1-core. Now if you use 8+ cores (hyper-threading disabled for maximum CPU throughput) then I would assume possible system-wide-throughput might be 8x greater.

(My next hyper-visor system I am planning to build soon will allow me to configure 44 Xeon CPU cores to a hosted system - such as a CHR.)

Also , just about all new carrier-grade network equipment has one or more 10-Gig interfaces. Thus another reason for a simple-queue fix/update is needed.

Also - remember the Mikrotik post about "What would you like to see in a future Mikrotik ...something... with a 40-Gig throughput..." Thus another reason for a simple-queue fix/update.

Everything in my server room and my Internet feed uses 10-Gig interfaces. And I need an ability to use simple-queues up to 10-Gig.

artemk · Sat Mar 24, 2018 8:07 pm

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible cryto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.

+1
It works for SSH but it would be really good to make Winbox to be able to authenticate via radius.

ahmedramze · Sun Mar 25, 2018 4:34 pm

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requist=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y

Regards

ivicask · Sun Mar 25, 2018 4:39 pm

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requist=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y

Regards

Cant you already do that via firewall, dont understand what more you need, if you want to block DNS requests form outside net, or alow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..

Sob · Sun Mar 25, 2018 8:52 pm

... if you want to block DNS requests form outside net, or alow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..

All other services have something like that. Api, ftp, ssh, telnet, winbox and www have "available from" option in IP->Services, smb allows to choose interface. If it makes sense for them, surely it would make sense for dns too.

sarada · Sun Apr 01, 2018 11:03 pm

Hi,

Can you add a feature in User manager which support WPA EAP and add 6to4 tunnel to vlan or bridge, please?

Railander · Thu Apr 05, 2018 7:50 pm

Feature Request:

With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.

Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.

doneware · Sat Apr 07, 2018 9:32 pm

With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.

Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.

this might be two things however. while the interface statistics could be worked out with "/tool graphing" even with resource visibility separation - currently using src ip address as differentiator - the "editing" part is tough. so if you can separate your customers based on ip address, you can define which interface/queue/resource the user may be viewing on the router's web gui.

but i don't really think this is a good idea, as routers are to forward packets and to run web servers. if you want real granular read/write control for defined routeros resources (interface, addresses, queues) you will be better off with an external web server using API integration.

pepek · Tue Apr 10, 2018 1:14 am

I've tried to search this topic, but I haven't found it (hope there are not any duplicates):

NTP Client - Possibility to use server name, not just IP address
exFAT (FAT64) or NTFS support - yes, MT is not NAS (it's slow), but it would be great to use file system capable of handling >4GB file complatible with Windows (you have HDD with big files and you want to share some files - you cannot connect it to MT, you have to reformat it to FAT32, copy everything except for big files back...)
Wireless - move Country and Distance setting to Simple Mode - you can set every other important "basic" setting in simple mode, but you have to switch to Advanced Mode for these two settings.
Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)

zappulec · Tue Apr 10, 2018 6:15 pm

Secured DNS
- DNS over HTTPS
- DNS over TLS

pe1chl · Wed Apr 11, 2018 10:34 am

Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)

You will have to learn and understand that you should use QuickSet only ONCE and not look at it later!
It provides an overview of some basic config but it is not showing correct values after you made manual changes (not only this!) and should you later change some
things via QuickSet you will seriously mess up the configuration!
So please don't worry about things like this and don't use QuickSet.

In fact a more appropriate feature request would be: make QuickSet disappear once it has been used and manual changes have been made afterwards.
That would protect a lot of beginners from serious trouble.

miencek · Wed Apr 11, 2018 11:55 am

RAM Disk for temporaty files ex. configuration to/from other devices, scripts

pudjo · Tue Apr 17, 2018 1:04 am

I've been waiting for along time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greately appreciated,
Thank You

Miracle · Tue Apr 17, 2018 5:48 am

I've been waiting for along time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greately appreciated,
Thank You

Do you know dst-nat ?

Chupaka · Tue Apr 17, 2018 5:53 pm

Is there any DNS server on port other than 53?..

Tue Apr 17, 2018 7:52 pm

Is there any DNS server on port other than 53?..

There are some non port 53 DNS configurations/uses.
Example: DNS over TLS is often port 853 -and- I kinda remember something about 135 End-Point-Mapper being used also for DNS

Also - security through obscurity can help prevent some attacks - such as running ssh on non-standard ports , DNS could possibly be remapped to use a non-standard port other than 53 to achieve a security through obscurity.

However , the standard well-known DNS port is 53. I would think if there is a security concern , that a FW configuration would be easier and more compatible method to control DNS access and better prevent attacks against DNS servers.

North Idaho Tom Jones

pe1chl · Tue Apr 17, 2018 8:06 pm

There are some non port 53 DNS configurations/uses.

The intended use case is probably where the ISP blocks or redirects access to port 53 outside (only allowing acces to their own resolvers)
but does not have advanced DPI in place. Then just using a different port may circumvent their efforts. E.g. OpenDNS listens on port 5353,
and one could sents the requests there. I don't know if Google DNS and CloudFlare DNS have similar alternate ports.

Of course this works only until the ISP admins know it and block or redirect that port as well. Not worth it to make a change in the router
for that, just use dst-nat.

Sob · Tue Apr 17, 2018 9:48 pm

Not worth it to make a change in the router for that, just use dst-nat.

Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.

pe1chl · Tue Apr 17, 2018 11:10 pm

It may be possible to use a loopback interface and set the DNS server address to the address of this interface, then dstnat that traffic.
(I did not try, but I *do* use dstnat for traffic incoming to a router and that works)

msatter · Tue Apr 17, 2018 11:42 pm

Or you use an local DNS server on a RaspberryPI like DNSmasq, PiHole, etc.and you are able to control it all yourself.

Wed Apr 18, 2018 1:17 am

As stupid as it might sound -almost a lol-
What happens if you add ":XY" to the IP address of the DNS server , where XY is the port #

Say you wanted you mikrotik to use port 5320
then use IP address format of the DNS server of:
a.b.c.d:5320

I remember this working on an old DSL router 15 years ago.

North Idaho Tom Jones

Sob · Wed Apr 18, 2018 2:03 am

@pe1chl: No, dstnat happens in prerouting, so traffic coming to router (no matter if it will end up in forward or input) can be matched by dstnat rule. Traffic from router doesn't come through prerouting in RouterOS.

@msatter: External device would work fine, but sometimes it may not be desired or even possible to add it.

@TomjNorthIdaho: Nope, to quote WinBox: "Error in - non zero ip address or non zero ipv6 address expected!"

But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.

pe1chl · Wed Apr 18, 2018 10:38 am

But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.

Ok apparently it needs a real loop, I was thinking about adding a loopback interface (an empty bridge with an IP address) and sending the DNS queries there.
But maybe the address is considered local and it does not work then.

Chupakabra303 · Wed Apr 18, 2018 1:39 pm

file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!

pe1chl · Wed Apr 18, 2018 2:34 pm

file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!

It is not a limitation of those routines, but of the maximal length of a variable content.
What is needed is an open/readline/close feature so files can be read line-by-line into a variable.
(for completeness also a read(n) to read a fixed number of bytes instead of a single line)

juliokato · Wed Apr 18, 2018 3:44 pm

Is there any DNS server on port other than 53?..

I have a solution to decrease costs with DNS filters like OpenDNS or SafeDNS, using a DNS resolver intermediate on UDP port 5353. All my 100 MK with different valid IPs points to this resolver.
This also helps in the security of this resolver.
I can give you more details if anyone has an interest.

Chupaka · Wed Apr 18, 2018 4:25 pm

So how do you point your Windows/Linux/MacOS machine to some non-53 DNS port?..

juliokato · Wed Apr 18, 2018 8:32 pm

I was using firewall nat:

add action=dst-nat chain=dstnat disabled=no dst-port=53 log=yes protocol=udp to-addresses=aa.bb.cc.dd to-ports=5353

this forces anyone to use my resolver, even if some user tries to use another different dns server.

This has other implications of redundance and security that is not part of this topic.

fernandolcx · Thu Apr 19, 2018 6:06 pm

Feature Request:

Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:

1.3.6.1.4.1.9.9.150.1.1.1.0

But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using
Mikrotik routers as BRAS/BNG/PPPoE Server.

If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.

To workaround we can use this:

/interface pppoe-server print count-only where service=service5

BUT it should be a nice feature to add to SNMP

samsung172 · Fri Apr 20, 2018 12:20 am

Feature Request:

Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:
Code: Select all
1.3.6.1.4.1.9.9.150.1.1.1.0
But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using
Mikrotik routers as BRAS/BNG/PPPoE Server.

If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.

To workaround we can use this:
Code: Select all
/interface pppoe-server print count-only where service=service5
BUT it should be a nice feature to add to SNMP

You can have this info from the radius server. (if used)

raymondr15 · Fri Apr 20, 2018 1:34 am

Please add the ability to enable or disable successful login attempts for specific users, for example an API user, accounting software logging in and out updating information on the router.

lordcoke · Fri Apr 20, 2018 4:03 pm

Feature request for /tool sniffer. Please make it possible to submit a filter-port range to the sniffer to allow sniffing like this:

/tool sniffer set filter-ip-protocol=udp filter-port=32000-32255

pudjo · Mon Apr 23, 2018 3:16 pm

Is there any DNS server on port other than 53?..

i have run several DNS servers using many port other than 53, the purpose is for internet filtering, users can select filtering level by choosing dns port, check out https://www.thenetpurifier.com/filtering.php

pudjo · Mon Apr 23, 2018 6:43 pm

Not worth it to make a change in the router for that, just use dst-nat.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.

vote +1 for dstnat in output chain

pudjo · Mon Apr 23, 2018 6:45 pm

I've been waiting for along time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greately appreciated,
Thank You
Do you know dst-nat ?

dst-nat not working in output chain, AFAIK

lugovoyma · Mon Apr 23, 2018 8:20 pm

openvpn UDP

pe1chl · Wed Apr 25, 2018 5:07 pm

Now that ip firewall address-list (and ipv6 firewall address-list) support DNS lookups, add a way to get subnet entries from DNS.
Unfortunately there is no standard DNS record type for subnets. There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
Therefore, I suggest to use TXT records.
Do a query for TXT records for the specified name (after or in parallel to the A and AAAA records already queried) and for each TXT record coming back, check if it conforms to valid subnet notation like 11.22.33.0/24 or 11:22:33:44::/64 and if valid, add it as an address list item.

Sob · Wed Apr 25, 2018 8:12 pm

There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.

If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS). And any sensible server allows to add unknown record types using generic syntax. If you have hosted DNS and you depend on some admin interface, it's another story and I guess support there will be very bad. That was the authoritative part. Resolvers should be transparent for unknown types since forever.

So it may sound perhaps a little too optimistic, but I'd say it's almost there. And a gentle push (like MikroTik adding support in RouterOS) might help to move things forward. Some people could start using it right away and others would have motivation to nag their DNS providers to add support.

erebusodora · Wed Apr 25, 2018 8:20 pm

It would be very nice to have a feature to hide rows. Column Hide and Show Footer Works is a great job on the look. Screenshot feature must be implementet too.

pe1chl · Wed Apr 25, 2018 8:28 pm

There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS).

I googled for it and I cannot find any DNS server that has documented APL support, including Bind. We use bind 9.
However, if it is supported it would be fine to use APL. Probably with TXT there are less obstacles.

Sob · Wed Apr 25, 2018 10:31 pm

It doesn't seem to be advertised much, but it looks like BIND has it since 2002.

Advantage of using TXT would be instant availability everywhere. Probably even better reliability, at least in short term, because some broken resolvers will surely show up somewhere. But it's reinventing the wheel. Purists might also argue that we don't need yet another thing in TXT, there's enough of them already.

hurymak · Thu Apr 26, 2018 1:54 pm

Encrypt nand filesystem, so when some thieve unsolder it, cant read my config.

cis2131 · Thu Apr 26, 2018 11:11 pm

Run a script when a port is closed by loop protect.

PtDragon · Fri Apr 27, 2018 12:08 am

Small feature request:
Please make Syn Cookies tunable!
I explain a bit: right now we can only turn on or off.
I wish we could have cookie timeout tunable in our hands (so if no cookie reply for example in 5 or 10 or 30 sec just drop connection).
That will make defense way easier

Chupaka · Tue May 01, 2018 3:26 pm

Encrypt nand filesystem, so when some thieve unsolder it, cant read my config.

So, you'll need to enter encryption password each time router reboots?

5nik · Mon May 07, 2018 12:29 pm

Please, implement bandstearing for wifi, especially in CAPsMAN.

Please, add support 802.1x for wire interfaces.

pedromrocha · Mon May 07, 2018 2:48 pm

Please implement TACACS autentication.

We can't get your equipments certified in a ISP without that feature.

netwpl · Wed May 09, 2018 8:37 am

Please, implement bandstearing for wifi, especially in CAPsMAN.

Please, add support 802.1x for wire interfaces.

1+

psannz · Wed May 09, 2018 9:15 am

Please, add support 802.1x for wire interfaces.

Yes! +1, pretty please?

Wed May 09, 2018 9:29 pm

BUMP - I originally posted this: Wed Mar 21, 2018 3:28 pm

Please increase Simple-Queue limits - they max at 4,294 Meg (aka 4.294 Gig)

ROS Simple-Queue - please increase the possible maximum limits and thresholds.
Currently on v6.41.3 and v6.41.2 (don't know about older versions and I have read nothing in newer versions) ,
The current maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
This presents a huge problem. I have multiple 10-Gig networks and on some networks I must use bandwidth limiters which are much faster than the built-in restricted values.

An example of need: 10-Gig physical Internet connection (using CHR) - Purchased Internet speed need to be maintained by my network equipment. Problem - the Mikrotik ROS will not accept any values greater than 4294M in any of the Winbox Simple-Queue fields

North Idaho Tom Jones

Chupaka · Thu May 10, 2018 11:39 am

Tom, did you write to support@mikrotik.com ? Because this looks not like feature request but like important fix

pe1chl · Thu May 10, 2018 6:45 pm

No this is just established standard functionality hitting limitations as technology proceeds.
The queue mechanism uses 32-bit values (variables) and so the values are limited to 2^32
In fact practical limits are lower because "buckets of data" have to be calculated to be transmitted on each timer tick
and when the datarate gets so high the buckets become very large and those bursts could hit other limits or not play
along with others as nicely as you would like.
So it is not as easy to fix as you might think.

Fri May 11, 2018 6:48 pm

I suspect the simple-queue maximum value settings are going to be a bigger and bigger problem in the near future. - because of the new Mikrotik 40-Gig interfaces and newer/faster CPUs.

I can't help but wonder how much of the 64-Bit CHR software actually uses 64-bit instrustions.
Many 64-bit CPU instructions use fewer CPU clock cycles compared to a 32-bit set of instructions doing the same software function.

If Mikrotik is gonna compete in the router throughput world with the other guys in the faster than 3-Gig enviornment, they need to do everything possible to gain every speed/function/feature advantage possible.

I think I will write to Mikrotik support.

North Idaho Tom Jones

anav · Tue May 15, 2018 1:09 am

EXTRA TAB CHANGE!!

The mere fact of viewing any of the parameters ACTIVATES the parameter and this is WRONG.
All entries should be blank and if you want to offer default settings, GREY THEM OUT.
Suggest putting an apply button or something.

This is not consistent with the rest of the filter rules.
Right now I call it the DANGER DANGER TAB.

Chupaka · Tue May 15, 2018 11:13 am

Huh... Any more details? What do you mean saying 'Activates'?.. Why can't you 'deactivate' it back?

anav · Tue May 15, 2018 2:14 pm

Sorry chupka, I am just a beginner. I didnt know I was changing router settings just by looking at the paramaters in the ExtraTab.
In my limited experience when I clicked on the little arrow tabs, I thought I was simply viewing the default parameters in those selections.
I did NOT REALIZE that I was activating those parameters.
This is not consistent with how we apply items elsewhere in winbox.

Thus suggesting that the default entries be grayed out and one has an implement button when one wants to turn grey into white.
Or it is like every other

Or add a warning at the bottom of the EXTRA TAB. Stating, opening these items ACTIVATES them.
If you do not want them activated CLOSE after viewing.