w0lt
Member
Posts: 475
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

Feature requests: Winbox

Wed Sep 05, 2018 4:36 pm

1. Please allow the ability to make multiple window column selections instead of "one at a time".
2. Please move the "Torch" selection from the "Tools" to the "Main Menu" !!! :D

Thanks

-tp
MTCNA - 2011

" The Bitterness of Poor Quality Remains Long After the Sweetness of Low Price is Forgotten "
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Sep 05, 2018 5:56 pm

But what is preventing Mikrotik from making it possible to create hidden lists from several IPs specified in a single rule or having a rule match if IP exists in list A or list B?
It would not be a good idea to do that because it introduces new possibilities for bugs.
It is also not good for your own network management.

On routers in complicated networks I have lots of address lists often with only a single address or subnet in them, sometimes 2 or 3, and I use them all over the place in the firewall.
That makes it much easier to maintain things, once you get the hang of it (and have a good naming convention).

I can understand the utility of having the list-of-lists feature so you can define a list which contains other lists as members, I sometimes have multiple lists containing the same addresses in different combinations, and that could be cleaned up this way.
 
TomjNorthIdaho
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

NV2 - increase NV2 client scan-for-AP b4 connect to AP

Wed Sep 05, 2018 10:47 pm

NV2 - increase NV2 client scan-for-AP b4 connect to AP


I need/want a longer nv2 client scan time prior to an nv2 client connecting to an nv2 AP (a new setting would be nice for nv2 scan time before connecting to a nv2 AP)

The wireless AP environment:
- The small town/city I am in has 20+ nv2 APs (soon to be 40+ APs)
- All nv2 APs are the same SSID
- nv2 APs do NOT receive near-equal nv2 client connection counts.
- almost 400 nv2 wireless clients
- sustained customer bandwidth during peak periods is always more than 325 meg

The problem:
- Almost always , nv2 wireless clients will connect to APs that are the lowest frequencies in the scan list
- Very often , nv2 wireless clients are not connecting to the best/strongest nv2 APs that are in the upper frequency part of a client nv2 scan list
- This mostly results in an unbalanced nv2 AP customer-connected-load (where lower frequency APs normally take 80+ percent of all nv2 client connections).
- nv2 APs in the upper part of wireless nv2 client scan lists often only get 20 percent of all clients (the other 80 percent always favor lower frequency APs in the scan list)

Info - I believe that nv2 clients have a limited scan time prior to the nv2 client making a decision on what nv2 AP to connect to. I believe the client scan period needs to be extended/lengthened by about 250 percent longer. With a longer client nv2 scan time-period, nv2 clients searching for a nv2 AP can then choose the best nv2 AP to connect to instead of the lowest-frequency first-found nv2 APs.
If all nv2 clients could fully scan everything in the full (superchannel) nv2 scan list, then all APs would be better client-connect balanced -and- the entire nv2 network could run much faster because the lower frequency APs would not be saturated with nv2 client connections.

Mikrotik , is it possible to add a feature (optional setting) for nv2 clients to have more time to perform a nv2 client scan prior to connecting to an nv2 AP ?

I really like Mikrotik's hybrid version of TDMA ( nv2 ) , however the nv2 client scan time has always been a problem. Unlike 802.11 or nstream, nv2 clients do not background scan for better APs to connect or roam to. All client nv2 connections want to stay connected to the original nv2 AP they first connected to. Longer nv2 client scan times would at least get equal client-connect loads distributed evenly among all nv2 APs of equal signal strength found in the client nv2 scan list.


North Idaho Tom Jones
 
WirelessRudy
Forum Guru
Posts: 2989
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: NV2 - increase NV2 client scan-for-AP b4 connect to AP

Thu Sep 06, 2018 2:44 pm

NV2 - increase NV2 client scan-for-AP b4 connect to AP

Unlike 802.11 or nstream, nv2 clients do not background scan for better APs to connect or roam to. All client nv2 connections want to stay connected to the original nv2 AP they first connected to. Longer nv2 client scan times would at least get equal client-connect loads distributed evenly among all nv2 APs of equal signal strength found in the client nv2 scan list.


North Idaho Tom Jones
Tom:
As far as I know nstream and 802.11 also cannot do a background scan and then connect/roam to the best signalled AP. The background scan is possible, but only to 'see' what is out there. The client stays connected to what he was. So it's only a manual tool the operator can use which in NV2 indeed is not even available. But correct me if I'm wrong! Maybe you have some script that forces the CPE to switch to another AP when that other one has better signal?

Second; I agree on the scan 'low frequencies first'. I observed the same when running a scan or when I have a CPE that is allowed to connect to two or three different AP's (Even with different SSID's). If both frequencies come with roughly the same strength the low ones are picked up first and if allowed used to connect.

But why have free roaming clients to start with? If you are using NV2 I'd presume all your clients are fixed installations? Like we have.
I just make sure all clients that have the option to connect to 2, or 3 different AP's it connects to the best one upon my decision as an operator.
Because I know what the average usage is on each AP.
So if I have 2 options for a client to connect to, I'd look to which AP gives the best signal and pick that one. But if signals are good for both AP's I decide to make it connect only to the one with the best P2MP network. And here comes the amount of connected CPE's as well the signals they all have in consideration. I know how the AP's perform in general.
So I'd balance the client load then more based upon my insight as network operator which usually beats any automated process. (Don't forget that most data that could be used in an automated decision making process is variable anyway. Signals vary, traffic varies, which clients are generating traffic varies.. etc.)

As soon as the decision is made that specific client will be added to the 'access list' of that preferred AP, and that same preferred AP will be added as first listing in the 'connect to' list of the CPE.
I might have both units (AP + CPE) to know about the other but in the AP's 'access list' only in a 'disabled' function. So only in case AP1 goes down, I still allow the CPE to connect to AP2 so at least we can still serve the client. (Most of the times we disable the alternative 'connect to' listing because the setback is that when we do an upgrade on AP1 the client jumps to AP2. After that we can upgrade AP2 so the client jumps back but for some clients it might be the other way around. And sometimes you just need to reboot an AP and I don't want the kind of client to jump to the alternative AP)
This is all manual work. MT units are pretty reliable so it happens rarely we have to make use of a 'backup AP' because one AP goes down.

A semi automated process as you suggest imho is hardly achievable. Even when CPE's would automatically populate AP's in a more balanced way by numbers of associated clients to AP, it still doesn't mean you really balance the load on an AP. It is still pretty expectable that one AP has much more traffic than the other. And that varies between those AP's too....
The client would be best connected to an AP with little (overall) traffic rather than one with high traffic even with only a handful of clients.

I think the experience of the operator is a much better decisive tool than any automated process performed in these little intelligent devices.
We set everything manual and in 98% of the case we never have to adjust or change the client's CPE preferred AP any more...
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
TomjNorthIdaho
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 06, 2018 6:06 pm

Wireless Rudy

Thanks for your reply post

Re: Maybe you have some script that forces the CPE to switch to another AP when that other one has better signal?
I don't have a client script to do this. I am not that good of a programmer. However I think a client boot-up script to first scan and then have the script select the best AP and modify the scan list for the best AP. And - upon failure, re-scan and select the 2nd best AP and upon failure of ability to connect to any AP in the site-survey, then fall back to the default (or custom configured) scan lists.

Re: But why have free roaming clients to start with? If you are using NV2 I'd presume all your clients are fixed installations?
correct

Here is an example of a potential issue with many nv2 APs and many nv2 clients:
- let's say you have a bunch of nv2 APs and a bunch of nv2 clients (all using the same SSID)
-- You have the ability to update the client ROS versions (no problem here)
--- When you update the ROS on your bunch of nv2 APs , there is a problem. When you update an nv2 AP and reboot the nv2 AP, nv2 clients are then forced to re-scan & re-connect to a different AP. After your ROS updates of your bunch of nv2 APs, you end up with the majority of your nv2 clients connected to the nv2 AP that has been up the longest and few nv2 clients connected to your nv2 APs that are the most recent updated/rebooted AP. This forces the Mikrotik network admin to manually bounce weak nv2 clients off of some nv2 APs so that they can again reconnect.
---- Thus, with 20 nv2 APs, updating those AP in sequence of AP#1, then AP#2 through AP#19, AP#20, you will end up with the bulk of nv2 clients connected to lower # APs and fewer nv2 client connections to your higher # AP. Thus, it may well be worth it to have a nightly script fire off on all nv2 clients to auto-scan and re-distribute the client to AP connect loads. (my thoughts).
 
TomjNorthIdaho
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests (ability to view wireless capabilities)

Thu Sep 06, 2018 6:37 pm

Re: Feature requests (ability to view wireless capabilities)

Is there a feature to see/view the capabilities of a wireless wlan ?
If not , then I would like to see a new feature to show the wireless capabilities and possible settings.

My issue, I have more than 1,000 nv2 client Mikrotiks. I currently use a Linux expect script to sequentially connect up to each client and perform some commands. The results of the commands are stored in a directory on my Linux machine (results-directory/IP-address-of-client-mikrotik). I am then able to grep the results-directory for pattern matches I am looking for and with this list, I am then able to obtain a client list of IP addresses I am searching for.

I am searching for a method to find all client Mikrotiks that are AC capable, and/or Ceee capable, and/or 2x2 capable. My problem is, I don't know the client wireless capabilities without actually attempting to configure the wireless interface. Thus, it would be a nice feature to be able to print the wireless capabilities without actually making wireless configuration changes.

North Idaho Tom Jones
 
Simono
newbie
Posts: 41
Joined: Tue Mar 20, 2018 9:41 am

Re: Feature requests

Thu Sep 06, 2018 7:58 pm

Address lists on Simple queue as target
 
WirelessRudy
Forum Guru
Posts: 2989
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Feature requests (ability to view wireless capabilities)

Fri Sep 07, 2018 1:09 pm

Re: Feature requests (ability to view wireless capabilities)

Is there a feature to see/view the capabilities of a wireless wlan ?
If not , then I would like to see a new feature to show the wireless capabilities and possible settings.

My issue, I have more than 1,000 nv2 client Mikrotiks. I currently use a Linux expect script to sequentially connect up to each client and perform some commands. The results of the commands are stored in a directory on my Linux machine (results-directory/IP-address-of-client-mikrotik). I am then able to grep the results-directory for pattern matches I am looking for and with this list, I am then able to obtain a client list of IP addresses I am searching for.

I am searching for a method to find all client Mikrotiks that are AC capable, and/or Ceee capable, and/or 2x2 capable. My problem is, I don't know the client wireless capabilities without actually attempting to configure the wireless interface. Thus, it would be a nice feature to be able to print the wireless capabilities without actually making wireless configuration changes.

North Idaho Tom Jones
How about performing an IP / neighbor command on your main router (that should 'see' all units) and order by device type? You'll immediately see if a unit is 'n' or 'ac'. My antennas all have their designated AP in their name so I can then also set the filter and thus see in an instant which units are 'n' or 'ac' (and thus can do 80Mhz wide channel in 'ac') for each AP.
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
xxiii
Member Candidate
Posts: 225
Joined: Wed May 31, 2006 12:55 am

Re: Feature requests

Fri Sep 07, 2018 8:19 pm

Just ran into this issue today. Can't establish peering with a neighbor because of:

10:57:39 route,bgp,error Remote RouterId is not a valid unicast address: 247.255.0.240

ros 6.42.7
rfc 6286 - AS-wide Unique BGP Identifier for BGP-4 support for routerOS BGP.

it relaxes some strict definitions: routerid can be now an arbitrary 32 bit unsigned integer, while the older definition restricts it to "valid unicast address".
this breaks BGP compatibility with mikrotik devices right now if not taken in consideration.

in general you only need to remove the check that was required in rfc4271.

this needs to be worked out with IPv6-only devices where you don't have an IPv4 address to be used as bgp identifier.
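
The two OPEN-message checks discussed in the post above, side by side, as an added example (not RouterOS code and not from any poster in this thread). The message builder, AS numbers and local router ID are constructed for the demo, and the ranges treated as "not a valid unicast host address" under RFC 4271 are an assumption, since the RFC does not enumerate them and implementations differ.

```python
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16          # RFC 4271 header marker, all ones
BGP_TYPE_OPEN = 1
BAD_BGP_IDENTIFIER = (2, 3)        # OPEN Message Error / Bad BGP Identifier

# Assumption: ranges rejected by a strict RFC 4271 "valid unicast host" check.
NON_UNICAST = [ipaddress.ip_network(n)
               for n in ("0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]


def ip(text):
    """Dotted quad -> 32-bit integer, as carried in the BGP Identifier field."""
    return int(ipaddress.IPv4Address(text))


def build_open(my_as, bgp_id, hold_time=180):
    """Build a minimal BGP-4 OPEN with no optional parameters (demo input)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, 0)
    header = BGP_MARKER + struct.pack("!HB", 19 + len(body), BGP_TYPE_OPEN)
    return header + body


def parse_open(msg):
    """Return (my_as, bgp_id) from a BGP OPEN after checking the fixed header."""
    if len(msg) < 29 or msg[:16] != BGP_MARKER:
        raise ValueError("short message or bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != BGP_TYPE_OPEN or length != len(msg):
        raise ValueError("not an OPEN or length mismatch")
    version, my_as, _hold, bgp_id, _opt_len = struct.unpack("!BHHIB", msg[19:29])
    if version != 4:
        raise ValueError("unsupported BGP version")
    return my_as, bgp_id


def check_rfc4271(bgp_id):
    """Older rule: the identifier must be a valid unicast IPv4 host address."""
    addr = ipaddress.IPv4Address(bgp_id)
    if any(addr in net for net in NON_UNICAST):
        return BAD_BGP_IDENTIFIER
    return None


def check_rfc6286(bgp_id, local_id, internal_peer):
    """Relaxed rule: any non-zero 32-bit value; an internal peer must not
    present the same identifier as the local speaker."""
    if bgp_id == 0 or (internal_peer and bgp_id == local_id):
        return BAD_BGP_IDENTIFIER
    return None


def evaluate_open(msg, local_as, local_id):
    """Run both checks on a received OPEN; None means the identifier passes."""
    my_as, bgp_id = parse_open(msg)
    return {
        "router_id": str(ipaddress.IPv4Address(bgp_id)),
        "rfc4271": check_rfc4271(bgp_id),
        "rfc6286": check_rfc6286(bgp_id, local_id, my_as == local_as),
    }


if __name__ == "__main__":
    LOCAL_AS, LOCAL_ID = 64512, ip("192.0.2.1")   # constructed local speaker
    samples = [
        (64513, "247.255.0.240"),  # the router ID from the log line above
        (64513, "198.51.100.7"),   # ordinary unicast identifier
        (64513, "0.0.0.0"),        # zero is rejected by both rules
        (64512, "192.0.2.1"),      # internal peer reusing the local identifier
    ]
    for peer_as, rid in samples:
        print(evaluate_open(build_open(peer_as, ip(rid)), LOCAL_AS, LOCAL_ID))
```
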
 
doneware
Trainer
Posts: 436
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Fri Sep 07, 2018 11:12 pm

Just ran into this issue today.
opened a support request for it earlier today:

Ticket#2018090722004616
#TR0359
 
Wyz4k
Member Candidate
Posts: 182
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Sep 13, 2018 3:26 pm

Please add the ability to authenticate with a ssh certificate in Winbox - thereby providing an alternative to passwords.

Yes, this is available for ssh, but lots of people (myself included) prefer using Winbox most of the time.
 
tnrclkr
newbie
Posts: 25
Joined: Tue Aug 25, 2015 8:36 am

Re: Feature requests

Tue Sep 18, 2018 3:47 pm

Advanced management for cap devices,

it would be great if I can change all my cap devices' user password, port, service, interface status etc.
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 18, 2018 9:23 pm

Stop the use of the bundle package, deliver the routers with the packages required for typical home router use:
advanced-tools, dhcp, ppp, security, system, wireless (the latter only on devices that have wireless) and most important:
add some method in system->packages to download and install packages selecting them from a list of available packages on the download server.

This will make it easy for everyone to add the packages they require, no need to download and unpack zip files and update part of them to the router.
The required files are already on the download server, because upgrade of a router with separate packages downloads only what is required.
Maybe an index file would have to be added and it would be downloaded when you click the new "add package" button.
A list of available packages is displayed, you select one or more of them and click "download&install" just as when upgrading.
 
anuser
Member Candidate
Posts: 278
Joined: Sat Nov 29, 2014 7:27 pm

Re: Feature requests

Tue Sep 18, 2018 9:46 pm

Within Winbox I would like to see a "reboot button" within capsman for all CAP devices
Reason: If you have 2 CAPSMAN controllers in active-active configuration, you have CAP devices on both controllers. If you upgrade one of them the CAPs use the other controller to connect to. But they won't connect back to their primary controller. So we need a simple "reboot" button after which they will connect to the primary one.
 
TomjNorthIdaho
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Tue Sep 18, 2018 10:43 pm

One of the things I would like to see for all new ROS updates/upgrades is more information as to what the new/fixed features do.

Example - with the following two lines below - it is not clear what the problem was and what was fixed and what actually improved:

*) wireless - fixed wireless interface lockup after period of inactivity;
*) wireless - improved Nv2 reliability on ARM devices;

More information on new features & things fixed & things improved is almost always useful.

Even a URL in the upgrade menu for more information about the upgrade features/functions/fixes would be very much appreciated.

North Idaho Tom Jones
 
bennyh
Frequent Visitor
Posts: 69
Joined: Fri Mar 03, 2017 12:37 pm

Re: Feature requests

Wed Sep 19, 2018 3:17 pm

I didn't find it, but sorry if it exists.
There should be a new section, a table in webfig and in winbox for global variables with initial values.
 
TomjNorthIdaho
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 20, 2018 4:30 am

A bit of fun - but a potential very useful tool …

Info - back in the late 1980s and early 1990s, early notebook computers did not have sound cards, however they usually had the PC-speaker (in this case a piezo speaker was normally mounted on the motherboard and used for the beep sounds), well back then there was a Windows piezo speaker driver that could be loaded which offered the ability to play anything that would come out of your normal sound card computer speakers.

Now thinking about Mikrotiks routers with basically the same piezo speaker on the motherboard and 99 percent the same electronics, it could be a useful tool to be able to play a small sound file to/out the Mikrotik piezo speaker. Software PC-motherboard-piezo driver to emulate sound cards have been available for almost 30 years.

I suspect all that might be needed would be an optional Mikrotik ROS package to drive the Mikrotik piezo to behave like a sound card speaker. The software drivers are already out there.

Now as to why this might be a useful, nifty, handy tool on a Mikrotik ... Rather than a script playing beeps of varying levels, a script could possibly just play a small sound file. This could come in handy for script files that beep messages. Instead, a Mikrotik could announce something you want to hear and a person could know about right away rather than get an alert via another computer device. A WISP could possibly use something like this to play a sound file that contains "Warning - Internet WAN connection is down/up" and/or "Call your ISP tech support at phone number xxx-yyy-zzzz" and/or play any useful sound file such as "Wireless network information - new device connected using WPA2 encryption". The sound files could be small files with high compression which could fit in the flash file system.

Anyways, I think the ability for a script to play a sound file could be a very useful tool.

And to really totally show off your Mikrotik router (such as at a trade show or something) , then have it play full blown music out the piezo --- that would get everybody stopping by your booth.

I've used such tools on old notebook 16 MHz CPU computers with motherboard piezo speakers only and even watched full blown movies with the piezo speaker drivers hundreds of times , it works. If the Mikrotik motherboard hardware is already there then how about an optional ROS package to enable the piezo to do much much more.

North Idaho Tom Jones
 
Sob
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Thu Sep 20, 2018 5:59 am

A WISP could possibly use something like this to play a sound file ...
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature. :D
 
TomjNorthIdaho
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 20, 2018 5:54 pm

A WISP could possibly use something like this to play a sound file ...
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature. :D
It would pretty much be a tool for what ever a Mikrotik admin might want/need. Also , because I am suggesting it be an optional package, it would not necessarily be pre-loaded on a fresh Mikrotik router. This optional package could potentially be a nifty tool when used with scripts (including netwatch) to provide audio/verbal information. Also , because I know this type of motherboard speaker driver works on old/slow 16 MHz 16-bit computers , it would not be a Mikrotik resource drain sucking performance away from L2/L3 throughput.
 
TomjNorthIdaho
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 20, 2018 6:17 pm

Related to optional ROS packages …

Because ROS is Linux based (and many of us know Linux very well) -and- because Linux/Unix may be one of the top two popular operating systems of all time, I would like to ask Mikrotik to consider creating an optional developer package for ROS. Something that provides real programmer features and a compiler/cross-compiler which also includes an ability to make custom packages.

There are hundreds of small Linux developer motherboards out there already. Why not make a ROS programmer developer package. Who knows what the limits are for a RB ROS developer package ... A programmer could create custom drivers for PCI interfaces. Heck , I could see a possible use for a custom wireless/networked controller in many common things such as security systems, new additional drivers , hardware/interface/software/firmware support for use in all kinds of electric/electronic devices from heating & cooling systems, environmental systems and many everyday home/business devices already being developed using non-Mikrotik motherboards. I for one would tinker with it and see what useful devices I could create.

FYI - Did you know that Linksys released a full-blown Linux developer system with all of their Linksys source code and documentation for their Linux based wireless routers over 10 years ago (for free)? Where do you think DD-WRT came from (and many other systems) - and some of those operating systems derived/created from the Linksys developer system run on Mikrotik devices as a Virtual system right now ???

And also related to this post , when I started my WISP , I started out with 1,000 Linksys WRT routers running DD-WRT. I was very pleased with the DD-WRT Linux back then and it worked great.
 
Sob
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Thu Sep 20, 2018 9:06 pm

Good luck with that. It doesn't seem to me that MikroTik is much for opening up. For example, according to developer of open-source MAC telnet, they don't even want to share details about new 6.43+ authentication, which is something that has no reason to be secret. And you want them to let you plug in your own code in their kernel...

But it could be nice. Even if it was something significantly more modest, just custom packages for strictly user-space non-root stuff. You could easily add custom services, simple web server, full-featured DNS server, UDP proxy, etc. Things that people sometimes want and MikroTik is not eager to implement. Combine it with some API to integrate own configuration interface for these things in WinBox/WebFig/CLI and it would be wonderful. But I'm not holding my breath.
 
TomjNorthIdaho
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 20, 2018 10:32 pm

Good luck with that. It doesn't seem to me that MikroTik is much for opening up. For example, according to developer of open-source MAC telnet, they don't even want to share details about new 6.43+ authentication, which is something that has no reason to be secret. And you want them to let you plug in your own code in their kernel...

But it could be nice. Even if it was something significantly more modest, just custom packages for strictly user-space non-root stuff. You could easily add custom services, simple web server, full-featured DNS server, UDP proxy, etc. Things that people sometimes want and MikroTik is not eager to implement. Combine it with some API to integrate own configuration interface for these things in WinBox/WebFig/CLI and it would be wonderful. But I'm not holding my breath.
How about the possibilities of a new wireless driver for Wireless chipsets? With a development package, a new wireless driver could be created (using all of the available Atheros chipset registers/settings) to make new high-performance high-throughput wireless drivers (such as a new/better nv2 'TDMA') system that might way outperform the current Mikrotik proprietary hybrid TDMA (nv2). Or how about the tens of thousands of Linux drivers and applications/tools/utilities already freely available.

I think a development package would give the Mikrotik ROS the ability to enter other markets - more sales for Mikrotik in custom vertical markets. Even the US DOD could use this because they could then run their version of high-security high-encryption special-functionality because they could then control their code and what does what. (I've been down this road a few times in the past...)

EDIT - back in the 90s, I was part of a team that sold some custom very low power motherboards which supported special DOD software to control some battlefield devices and communications. Thanks to a software developer system, we were able to make $$$ millions in DOD sales of motherboards. With an optional Mikrotik ROS software developer package, new markets could be made available. A single order could potentially add many zeros to Mikrotik's $$$ income - ( I know - been there and did that !!! )
Last edited by TomjNorthIdaho on Thu Sep 20, 2018 11:10 pm, edited 2 times in total.
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Sep 20, 2018 11:04 pm

I think MikroTik want to be in the market of selling relatively inexpensive hardware with a relatively powerful routing OS which is relatively easy to configure and which can be supported.
(all those parameters of course can vary a little and some may have different opinions about them than others)

It appears you want hardware with an open software environment. However, that is already widely available from other manufacturers.
(many network-oriented system boards are available from our Chinese friends and there is also a lot of Linksys-like hardware)

You can install Linux or OpenWRT and do everything yourself. However, it is difficult to support when everyone can add their own things.
Some other manufacturers have experimented with partly-open boxes (e.g. you enter some code and it becomes open, and you lose support).
But some of them have reverted that and now you cannot do that anymore without installing entirely your own software.
And you can already do that on MikroTik's hardware!

To be successful and make money you have to find some market where people want your product and you can manufacture and support it at reasonable cost.
 
Sob
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Thu Sep 20, 2018 11:26 pm

I don't know, maybe there are people or organizations willing to make drivers for RouterOS (or port existing Linux drivers) and keep up with possible changes done by MikroTik, instead of just using completely free Linux and have everything under their control. I can't really say. Another matter is how attractive prospect it would be for MikroTik. If they like to be in control, it would end, because driver can do anything. For this, "my plan" (if we can call it that) seems more realistic, because even though they would lose some control, isolated package could not easily mess up whole system. It could also be interesting for more people, because dealing with drivers is not for everyone, but to compile some simple daemon, that could be done by almost anyone.
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Sep 21, 2018 10:06 am

"my plan" (if we can call it that) seems more realistic, because even though they would lose some control, isolated package could not easily mess up whole system.
Yes it would certainly be nice to have user-mode daemons under isolated user IDs so they cannot mess with the MikroTik part of the system, but frankly I doubt that the infrastructure for that is currently in place.
I mean: probably now everything runs as root and there has been no attention to file and directory permissions for a long time, so first that would have to be prepared.
It would improve overall security and decrease the risk for vulnerabilities as we have recently seen when services would run as restricted users, but apparently the webserver runs as root (only Linux system where I have seen that for a long long time!).
Of course the CHR provides a way to look into that, maybe I will do some research now that we have a shiny new ESXi server with lots of spare capacity.
 
Dragonk
just joined
Posts: 1
Joined: Fri Sep 21, 2018 10:46 am

Re: Feature requests

Fri Sep 21, 2018 10:51 am

I join the request, I need a secure way to use NordVPN.

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
 
helipos
Frequent Visitor
Posts: 62
Joined: Sat Jun 25, 2016 11:32 am

Re: Feature requests

Mon Sep 24, 2018 2:23 am

There should be a new section, a table in webfig and in winbox for global variables with initial values.
System > scripts > environment (both winbox and webfig) ( it's only the current values however)

It would be nice to be able to properly append to text files. So we can get around the whole reading the file to another variable, adding what we needed and then writing the whole thing out again.
 
mrz
MikroTik Support
Posts: 5699
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature requests

Tue Sep 25, 2018 11:30 am

I join the request, I need a secure way to use NordVPN.

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
Such a request is pretty useless. Define what you consider "complete"? Which features are you missing?
 
bennyh
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Fri Mar 03, 2017 12:37 pm

Re: Feature requests

Tue Sep 25, 2018 1:04 pm

Please fix webproxy with IPv6 sites.
It doesn't work, more people said in the forum, that there is some problem with IPv6 sites through webproxy. Someone said, only direct ip address works in url (if remote webserver accepts direct IP address behalf domain name).
I tried with IPv6 address of the IPv6-test.com, and I got the error message of the remote webserver ("these aren't the droids you're looking for").

IPv6 test webpage (http://testipv6.com/) results through proxy:
Test with IPv4 DNS record ok (2.023s) using ipv4
Test with IPv6 DNS record timeout (17.107s)
Test with Dual Stack DNS record ok (2.022s) using ipv4
Test for Dual Stack DNS and large packet ok (3.011s) using ipv4
Test IPv4 without DNS skipped (3.118s)
Test IPv6 without DNS skipped (17.099s)
Test IPv6 large packet timeout (17.110s)
Test if your ISP's DNS server uses IPv6 ok (3.013s) using ipv4
Find IPv4 Service Provider ok (0.782s) using ipv4 ASN 8990
Find IPv6 Service Provider timeout (16.692s)
 
logicwrath
just joined
Posts: 5
Joined: Wed Nov 04, 2015 10:28 pm

Re: Feature requests

Tue Sep 25, 2018 11:39 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
 
pe1chl
Forum Guru
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Sep 26, 2018 9:19 am

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
This can be done using scripting. The underlying mechanism in the kernel does not support a DNS name so it would have to be solved in a similar way.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8140
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Wed Sep 26, 2018 1:18 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
Isn't the support already here for some time?.. quite long time...
What's new in 6.33 (2015-Nov-06 12:49):

*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Sob
Forum Guru
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed Sep 26, 2018 4:48 pm

Yes, it's there, but only for remote address. Local address accepts only IP address.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8140
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Wed Sep 26, 2018 5:36 pm

Yes, it's there, but only for remote address. Local address accepts only IP address.
Why not just unset it? :)

What should router do if FQDN resolves to non-local address?
 
pe1chl
Forum Guru
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Sep 26, 2018 6:22 pm

Well, when you unset the local address, you cannot enable IPsec.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8140
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Wed Sep 26, 2018 6:47 pm

Good point. Then I vote for the ability to set local-interface instead of local-address, so that IP address from that interface got used automagically.

As a workaround, simple scripting does this job.
 
User avatar
TomjNorthIdaho
Forum Veteran
Forum Veteran
Posts: 880
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Wed Sep 26, 2018 8:03 pm

Hey Mikrotik marketing staff …

I think Mikrotik should include a Mikrotik bumper sticker in every Mikrotik product box shipped from Mikrotik.

Guess I'll have to stick around and see what happens.

North Idaho Tom Jones
 
2jarek
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Thu May 17, 2007 3:28 pm
Location: Poland

Re: Feature requests

Wed Sep 26, 2018 10:06 pm

Please add Multipath TCP according to RFC 6824.
 
scampbell
Trainer
Trainer
Posts: 440
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: Feature requests

Thu Sep 27, 2018 8:10 am

I would like to see an "add comment" feature on any rule that allows you to add an address to an address list so the created address list entry has info about why it was added.

e.g

/ip firewall filter
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=5d chain=input protocol=tcp dst-port=8291 address-list-comment="Winbox Attempt"
MTCNA, MTCWE, MTCRE, MTCTCE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
joegoldman
Member
Member
Posts: 386
Joined: Mon May 27, 2013 2:05 am

Re: Feature requests

Thu Sep 27, 2018 9:19 am

A few suggestions I'd love:

1) Line item groupings, specifically in firewall stuff - basically a completely empty 'rule' / line that's just a comment, stays in block when comments are set to inline. The workaround for this is setting dummy unmatchable rules or putting the comment on the first line in the block, but then I also like to comment all my rules, so having a 'header' comment stay in block and all the normal comments go inline would help organise firewall tables with heaps of chains/100's of rules etc.

2) Custom release cycle channel, basically to make it easier for the router you add custom, set a name to it and give it a URL, that URL might be a format that Mikrotik provide / documentation on how we should respond to the server to give it the latest firmware we want it to have. An example would be, I'm currently keeping my fleet of Routerboards on 6.42.x (mix of 5/6/7), as I haven't been able to test some of the bigger changes in 6.43.x, but some staff will just hit the check for updates and do updates that way, if we could have a custom release channel maintained by ourselves I could keep routers more inline.

There's plenty more but that's just some 'smaller' ideas I don't think would be too hard to implement.
 
pe1chl
Forum Guru
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Sep 27, 2018 9:32 am

I agree with the above two. In addition with #2 I would like to add the possibility to make the release channel refer to some URL on a local webserver that
has information about the releases to track. E.g. a single version, or a major/minor version (like 6.42.x). So the routers configured that way will upgrade
to a version you set on a central system and you can change it without having to go all along those routers.
E.g. you set a custom release channel with URL http(s)://server.local.domain/mikrotik-release which would return a small textfile with either a MikroTik
release channel name (current, bugfix or whatever) or a specific version (6.42.7) or version range (6.42.x) and you can change that as a result of your local
testing outcome and/or security announcements. Of course you can have several of those URLs internal to your organisation so you can test on a couple
of routers first.
This also covers the problem that "current" is suddenly updated by MikroTik but you don't want to jump to it immediately but wait a week or two, but still
want to update some routers from an even older version.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8140
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Thu Sep 27, 2018 11:51 am

Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" dir with CHANGELOG (any text you want to see) and .npk files. Done :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Sep 27, 2018 12:57 pm

Well in that case it would be nice when there was a custom setting that allows to configure another DNS name for the "upgrade.mikrotik.com" in a router.
Preferably two different settings: one for the LATEST file and another one for the actual npk files.
In that case one can choose to retrieve the LATEST file from a local server and still get the npk files from "upgrade.mikrotik.com".
(so it is not required to keep a complete mirror of those files)

But of course it should be possible to mimic that with a reasonably flexible "transparent proxy" (that allows some files to be served locally and the remainder to be proxied)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8140
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Thu Sep 27, 2018 1:26 pm

In that case one can choose to retrieve the LATEST file from a local server and still get the npk files from "upgrade.mikrotik.com".
(so it is not required to keep a complete mirror of those files)

But of course it should be possible to mimic that with a reasonably flexible "transparent proxy" (that allows some files to be served locally and the remainder to be proxied)
Yeah, in nginx you simply use try_files for your custom files on local server and proxy_pass to the original MikroTik server for the rest :)
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1626
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Feature requests

Thu Sep 27, 2018 2:02 pm

Please add:

MAC address lists
Port lists in Firewall
Real admins use real keyboards.
 
nicolasemmanuelc
just joined
Posts: 7
Joined: Fri Dec 01, 2017 1:25 am
Location: Argentina

Re: Feature requests

Thu Sep 27, 2018 4:44 pm

Hello!
Please add an option to do "force cloud update" in a time interval, that is useful when you have a public dynamic IP
And yes, I know that this can be done with a script but it will be great and easy if we have an "auto update in X time" function!

MikroTik is great! Have a good day!
 
logicwrath
just joined
Posts: 5
Joined: Wed Nov 04, 2015 10:28 pm

Re: Feature requests

Fri Sep 28, 2018 9:22 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
Isn't the support already here for some time?.. quite long time...
What's new in 6.33 (2015-Nov-06 12:49):

*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
I should have provided more detail.

If you use an FQDN on the remote address I suspect it then resolves it to an IP one time for the IPSec policy. There does not appear to be any kind of ongoing resolution of that FQDN. The support I am looking for would be compatible with the IPSec wizardry that is built into using the IPSec Secret field. The idea here would be to better support creating GRE/IPSec tunnels with dynamic IPs without resorting to scripting.
 
logicwrath
just joined
Posts: 5
Joined: Wed Nov 04, 2015 10:28 pm

Re: Feature requests

Fri Sep 28, 2018 9:31 pm

Please add:

MAC address lists
Port lists in Firewall
+1 for allowing MAC address prefixes in lists as well for identifying entire classes of devices like VoIP phones.

We currently have a script that does this using the ARP table.
 
pe1chl
Forum Guru
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Sep 28, 2018 10:11 pm

+1 for allowing MAC address prefixes in lists as well for identifying entire classes of devices like VoIP phones.
Having MAC addresses in a list would not be very useful for that. What you want is to match MAC address by prefix, usually by the first 3 octets (manufacturer).
It looks like you can now only match the full MAC address in rules, it should allow a partial address and match that from the left.
(of course this is already possible in the where clause in commands)
 
User avatar
Cha0s
Forum Veteran
Forum Veteran
Posts: 826
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature requests

Sat Sep 29, 2018 1:47 pm

Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" dir with CHANGELOG (any text you want to see) and .npk files. Done :)
So, updates work via plain HTTP? No encryption?

Shame!
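
The pinning scheme discussed in this thread, combining pe1chl's version-range pin (such as 6.42.x) with the one-line "$VERSION $TIMESTAMP" LATEST file Chupaka describes, as an added example that is not code from any poster or from MikroTik. It assumes the timestamp field is a plain integer; the function names, the ".x" pin syntax handling and the sample version list are hypothetical and constructed for illustration.

```python
import re

# Constructed sample: releases an admin has mirrored under /routeros/<version>/.
MIRRORED = ["6.40.9", "6.42.7", "6.42.10", "6.42.9", "6.43.2", "6.43rc56"]
CHANNELS = ("6", "6fix", "6rc", "7")        # LATEST.<channel> names quoted in the thread
_STABLE = re.compile(r"\d+(\.\d+){0,2}")    # e.g. 6.42 or 6.42.7, no rc/beta suffix


def version_key(version):
    """Numeric sort key, so 6.42.10 orders after 6.42.9."""
    return tuple(int(part) for part in version.split("."))


def resolve_pin(pin, mirrored):
    """Pick the mirrored stable release selected by an exact pin or an 'N.N.x' range."""
    is_range = pin.endswith(".x")
    base = pin[:-2] if is_range else pin
    if not _STABLE.fullmatch(base):
        raise ValueError(f"malformed pin: {pin!r}")
    want = version_key(base)
    stable = [v for v in mirrored if _STABLE.fullmatch(v)]   # drops rc builds
    if is_range:
        hits = [v for v in stable if version_key(v)[:len(want)] == want]
    else:
        hits = [v for v in stable if version_key(v) == want]
    if not hits:
        raise ValueError(f"no mirrored release satisfies {pin!r}")
    return max(hits, key=version_key)


def latest_entry(channel, pin, mirrored, timestamp):
    """Return (path, body) of the one-line LATEST file to publish for a channel."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel!r}")
    body = f"{resolve_pin(pin, mirrored)} {int(timestamp)}"
    return f"/routeros/LATEST.{channel}", body


def served_matches_pin(body, pin, mirrored):
    """Audit check: does a LATEST body fetched from the mirror name the pinned release?"""
    fields = body.split()
    if len(fields) != 2 or not fields[1].isdigit():
        return False                        # not in "$VERSION $TIMESTAMP" form
    return fields[0] == resolve_pin(pin, mirrored)


if __name__ == "__main__":
    print(latest_entry("6", "6.42.x", MIRRORED, 1538000000))
```

Since the thread describes the update check as plain HTTP keyed on a DNS name, running `served_matches_pin` against what the mirror actually returns is a cheap way to confirm the fleet is being offered the release that was tested.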
