Feature requests

w0lt · Wed Sep 05, 2018 4:36 pm

1. Please allow the ability to make multiple window column selections instead of "one at a time".
2. Please move the "Torch" selection from the "Tools" to the "Main Menu" !!!

Thanks

-tp

pe1chl · Wed Sep 05, 2018 5:56 pm

But what is preventing Mikrotik from making it possible to create hidden lists from several IPs specified in a single rule or having a rule match if IP exists in list A or list B?

It would not be a good idea to do that because it introduces new possibilities for bugs.
It is also not good for your own network management.

On routers in complicated networks I have lots of address lists often with only a single address or subnet in them, sometimes 2 or 3, and I use them all over the place in the firewall.
That makes it much easier to maintain things, once you get the hang of it (and have a good naming convention).

I can understand the utility of having the list-of-lists feature so you can define a list which contains other lists as members, I sometimes have multiple lists containing the same addresses in different combinations, and that could be cleaned up this way.

TomjNorthIdaho · Wed Sep 05, 2018 10:47 pm

NV2 - increase NV2 client scan-for-AP b4 connect to AP

I need/want a longer nv2 client scan time prior to an nv2 client connecting to an nv2 AP (a new setting would be nice for nv2 scan time before connecting to a nv2 AP)

The wireless AP enviornment:
- The small town/city I am in has 20+ nv2 APs (soon to be 40+ APs)
- All nv2 APs are the same SSID
- nv2 APs do NOT receive near-equal nv2 client connection counts.
- almost 400 nv2 wireless clients
- sustained customer bandwidth during peak periods is always more than 325 meg

The problem:
- Almost always , nv2 wireless clients will connect to APs that are the lowest frequencies in the scan list
- Very often , nv2 wireless clients are not connecting to the best/strongest nv2 APs that are in the upper frequency part of a client nv2 scan list
- This mostly results in an un-blanaced nv2 AP customer-connected-load (where lower frequency APs normally take 80+ percent of all nv2 client connections.
- nv2 APs in the upper part of wireless nv2 client scan lists often only get 20 percent of all clients (the other 80 percent always favor lower frequency APs in the scan list)

Info - I believe that nv2 clients have a limited scan time prior to the nv2 client making a decision on what nv2 AP to connect to. I believe the client scan period needs to be extended/lengthened by about 250 percent longer. With a longer client nv2 scan time-period, nv2 clients searching for a nv2 AP can then choose the best nv2 AP to connect to instead of the lowest-frequency first-found nv2 APs.
If all nv2 clients could fully scan everything in the full (superchannel) nv2 scan list, then all APs would be better client-connect balanced -and- the entire nv2 network could run much faster because the lower frequency APs would not be saturated with nv2 client connections.

Mikrotik , is it possible to add a feature (optional setting) for nv2 clients to have more time to perform a nv2 client scan prior to connecting to an nv2 AP ?

I really like Mikrotik's hybrid version of TDMA ( nv2 ) , however the nv2 client scan time has always been a problem. Unlike 802.11 or nstream, nv2 clients do not background scan for better APs to connect or roam to. All client nv2 connections want to stay connected to the original nv2 AP they first connected to. Longer nv2 client scan times would at least get equal client-connect loads distributed evenly among all nv2 APs of equal signal strength found in the client nv2 scan list.

North Idaho Tom Jones

WirelessRudy · Thu Sep 06, 2018 2:44 pm

NV2 - increase NV2 client scan-for-AP b4 connect to AP

Unlike 802.11 or nstream, nv2 clients do not background scan for better APs to connect or roam to. All client nv2 connections want to stay connected to the original nv2 AP they first connected to. Longer nv2 client scan times would at least get equal client-connect loads distributed evenly among all nv2 APs of equal signal strength found in the client nv2 scan list.

North Idaho Tom Jones

Tom:
As far as I know nstream and 802.11 also cannot do a background scan and then connect/roam to the best signalled AP. The background scan is possible, but only to 'see' what is out there. The client stays connected to what he was. So its only a manual tool the operator can use which in NV2 indeed is not even available. But correct me if I'm wrong! Maybe you have some script that forces de CPE to switch to another AP when that other one has better signal?

Second; I agree on the scan 'low frequencies first'. I observed the same when running a scan or when I have a CPE that is allowed to connect to two or three different AP's (Even with different SSID's). If both frequencies come with roughly the same strength the low ones are picked up first and if allowed used to connect.

But why have free roaming clients to start with? If you are using NV2 I'd presume all your clients are fixed installations? Like we have.
I just make sure all clients that have the option to connect to 2, or 3 different AP's it connects to the best one upon my decision as an operator.
Because I know what the average usage is on each AP.
So if I have 2 options for a client to connect to, I'd look to which AP gives the best signal and pick that one. But if signals are good for both AP's I decide to make it connect only to the one with the best P2MP network. And here comes the amount of connected CPE's as well the signals they all have in consideration. I know how the AP's perform in general.
So I'd balance the client load then more based upon my insight as network operator which usually beast any automated process. (Don't forget that most data that could be used in an automated decision making process is variable anyway. Signals vary, traffic vary, which clients are generating traffic vary.. etc.)

As soon as the decision is made that specific client will be add into the 'access list' of that preferred AP, and that same preferred AP will be add as first listing in the 'connect to' list of the CPE.
I might have both units (AP + CPE) to know about the other but in the AP's 'access list' only in a 'disabled' function. So only in case AP1 goes down, I stil allows the CPE to connect to AP2 so at least we can still serve the client. (Most of the times we disable the alternative 'connect to' listing because the setback is that when we do an upgrade on AP1 the clients jumps to AP2. After that we can upgrade AP2 so the client jumps back but for some clients it might be the other way around. And sometimes you just need to reboot an AP and I don't want the kind of client to jump to the alternative AP)
This is all manual work. MT units are pretty reliable so it happens rarely we have to make use of a 'backup AP' because one AP goes down.

A semi automated proces as you suggest imho is hardly achievable. Even when CPE's would automatically populate AP's in a more balanced way by numbers of associated clients to AP, it still doesn't mean you really balance the load on an AP. It is still pretty expectable that one AP has much more traffic then the other. And that variate between those AP's too....
The client would be best connect to an AP with little (overall) traffic then one with high traffic even with only a handful of clients.

I think the experience of the operator is a much more better decisive tool then any automated proces performed in these little intelligent devices.
We set everything manual and in 98% of the case we never have to adjust or change the client's CPE preferred AP any more...

TomjNorthIdaho · Thu Sep 06, 2018 6:06 pm

Wireless Rudy

Thanks for your reply post

Re: Maybe you have some script that forces de CPE to switch to another AP when that other one has better signal?
I don't have a client script to do this. I am not that good of a programmer. However I think a client boot-up script to first scan and then have the script select the best AP and modify the scan list for the best AP. And - upon failure , re-scan and select the 2nd best AP and upon failure of ability to connect to any AP in the site-survey , the fall back to the default (or custom configured scan lists.

Re: But why have free roaming clients to start with? If you are using NV2 I'd presume all your clients are fixed installations?
correct

Here is an example of a potential issue with many nv2 APs and many nv2 clients:
- lets say you have a bunch on nv2 APs and a bunch of nv2 clients (all using the same SSID)
-- You have the ability to update the client ROS versions (no problem here)
--- When you update the ROS on your bunch of nv2 APs , there is a problem. When you update an nv2 AP and reboot the nv2 AP, nv2 clients are then forced to re-scan & re-connect to a different AP. After your ROS updates of your bunch of nv2 APs, you end up with the majority of your nv2 clients connected to the nv2 AP that has been up the longest and few nv2 clients connected to your nv2 APs that are the most recent updated/rebooted AP. This forces the Mikrotik network admin to manually bounce weak nv2 clients off of some nv2 APs so that they can again reconnect.
---- Thus , with 20 nv2 APs, updating those AP in sequence of AP#1, then AP#2 through AP#19, AP#20, you will end up with the bulk of nv2 clients connected to lowere # APs and fewer nv2 client connections to your higher # AP. Thus , it may well be worth it to have a nightly script fire off on all nv2 clients to auto-scan and re-distribute the client to AP connect loads. (my thoughts).

TomjNorthIdaho · Thu Sep 06, 2018 6:37 pm

Re: Feature requests (ability to view wireless capabilities)

Is there a feature to see/view the capabilities of a wireless wlan ?
If not , then I would like to see a new feature to show the wireless capabilities and possible settings.

My issue, I have more than 1,000 nv2 client Mikrotiks. I currently use a Linux expect script to sequentially connect up to each client and perform some commands. The results of the commands are stored in a directory on my Linux machine (results-directory/IP-address-of-client-mikrotik). I am then able to grep the results-directory for pattern matches I am looking for and with this list, I am then able to obtain a client list of IP addresses I am searching for.

I am searching for a method to find all client Mikrotiks that are AC capable, and/or Ceee capable, and/or 2x2 capable. My problem is, I don't know the client wireless capabilities without actually attempting to configure the wireless interface. Thus, it would be a nice feature to be able to print the wireless capabilities without actually making wireless configuration changes.

North Idaho Tom Jones

Simono · Thu Sep 06, 2018 7:58 pm

Address lists on Simple queue as target

WirelessRudy · Fri Sep 07, 2018 1:09 pm

Re: Feature requests (ability to view wireless capabilities)

Is there a feature to see/view the capabilities of a wireless wlan ?
If not , then I would like to see a new feature to show the wireless capabilities and possible settings.

My issue, I have more than 1,000 nv2 client Mikrotiks. I currently use a Linux expect script to sequentially connect up to each client and perform some commands. The results of the commands are stored in a directory on my Linux machine (results-directory/IP-address-of-client-mikrotik). I am then able to grep the results-directory for pattern matches I am looking for and with this list, I am then able to obtain a client list of IP addresses I am searching for.

I am searching for a method to find all client Mikrotiks that are AC capable, and/or Ceee capable, and/or 2x2 capable. My problem is, I don't know the client wireless capabilities without actually attempting to configure the wireless interface. Thus, it would be a nice feature to be able to print the wireless capabilities without actually making wireless configuration changes.

North Idaho Tom Jones

How about performing an IP / neighbor command on your main router (that should 'see' all units) and order by device type? You'll immediately see if a units is 'n' or 'ac'. My antenas all have their designated AP in their name so I can then also set the filter and thus see in an instance which units are 'n' or 'ac' (and thus can do 80Mhz wide channel in 'ac') for each AP.

xxiii · Fri Sep 07, 2018 8:19 pm

Just ran into this issue today. Can't establish peering with a neighbor because of:

10:57:39 route,bgp,error Remote RouterId is not a valid unicast address: 247.255.0.240

ros 6.42.7

rfc 6286 - AS-wide Unique BGP Identifier for BGP-4 support for routerOS BGP.

it relaxes some strict definitions: routerid can be now an arbitrary 32 bit unsigned integer, while the older definition restricts it to "valid unicast address".
this breaks BGP compatibility with mikrotik devices right now if not taken in consideration.

in general you only need to remove the check that was required in rfc4271.

this needs to be worked out with IPv6-only devices where you don't have no IPv4 address to be used as bgp identifer.

doneware · Fri Sep 07, 2018 11:12 pm

Just ran into this issue today.

opened a support request for it earlier today:

Ticket#2018090722004616

Wyz4k · Thu Sep 13, 2018 3:26 pm

Please add the ability to authenticate with a ssh certificate in Winbox - thereby providing an alternative to passwords.

Yes, this is available for ssh, but lots of people (myself included) prefer using Winbox most of the time.

tnrclkr · Tue Sep 18, 2018 3:47 pm

Advanced management for cap devices,

it would be great if i can change my all cap devices user password, port, service, interface status etc.

pe1chl · Tue Sep 18, 2018 9:23 pm

Stop the use of the bundle package, deliver the routers with the packages required for typical home router use:
advanced-tools, dhcp, ppp, security, system, wireless (the latter only on devices that have wireless) and most important:
add some method in system->packages to download and install packages selecting them from a list of available packages on the download server.

This will make it easy for everyone to add the packages they require, no need to download and unpack zip files and update part of them to the router.
The required files are already on the download server, because upgrade of a router with separate packages downloads only what is required.
Maybe an index file would have to be added and it would be downloaded when you click the new "add package" button.
A list of available packages is displayed, you select one or more of them and click "download&install" just as when upgrading.

anuser · Tue Sep 18, 2018 9:46 pm

Within Winbox I would like to see a "reboot button" within capsman for all CAP devices
Reason: If you have 2 CAPSMAN controller in active-active configuration, you have CAP devices on both controllers. If you upgrade one of them the CAPs use the other controller to connect to. But they won´t go connect back to their primary controller. So we need a simple "reboot" button after which they will connect to the primary one.

TomjNorthIdaho · Tue Sep 18, 2018 10:43 pm

One of the things I would like to see for all new ROS updates/upgrades is more information as to what the new/fixed featured do.

Example - with the following two lines below - it is not clear what the problem was and what was fixed and what actually improved:

*) wireless - fixed wireless interface lockup after period of inactivity;
*) wireless - improved Nv2 reliability on ARM devices;

More information on new features & things fixed & things improved is almost always useful.

Even a URL in the upgrade menu for more information about the upgrade features/functions/fixes would be very much appreciated.

North Idaho Tom Jones

bennyh · Wed Sep 19, 2018 3:17 pm

I didnt find, but sorry if exists.
There sould be a new section, a table in webfig and in winbox for global variables with initial values.

TomjNorthIdaho · Thu Sep 20, 2018 4:30 am

A bit of fun - but a potential very useful tool …

Info - back in the late 1980s and early 1990s, early notebook computers did not have sound cards , however they ususally had the PC-speaker (in this case a piezo speaker was normally mounted on the motherboard and used for the beep sounds) , well back then there was a Windows piezo speaker driver that could be loaded which offered the ability to play anything that would come out of your normal sound card computer speakers.

Now thinking about Mikrotiks routers with basically the same piezo speaker on the mother board and 99 percent the same electronics, it could be a usefull tool to be able to play a small sound file to/out the Mikrotik piezo speaker. Software PC-motherboard-piezo driver to emulate sound cards have been available for almost 30 years.

I suspect all that might be needed would be an optional Mikrotik ROS package to drive the Mikrotik piezo to behave like a sound card speaker. The software drivers are already out there.

Now as to why this might be a usefull , nifty, handy tool on a Mikrotik ... Rather than a script playing beeps of varing levels , a script could possibly just play a small sound file. This could come in handy for script files that beep messages. Instead , a Mikrotik could announce something you want to hear and a person could know about right away rather than get an alert via another computer device. A WISP could possibly use something like this to play a sound file that contains "Warning - Internet WAN connection is down/up" and/or "Call your ISP tech support at phone number xxx-yyy-zzzz" and/or play any usefull sound file such as "Wireless network information - new device connected using WPA2 encryption". The sound files could be small files with high compression which could fit in the flash file system.

Any-ways , I think the ability for a script to play a sound file could be a very usefull tool.

And to really totally show off your Mikrotik router (such as at a trade show or something) , then have it play full blown music out the piezo --- that would get everybody stopping by your booth.

I've used such tools on old notebook 16 MHz CPU computers with motherboard piezo speakers only and even watched full blown movies with the piezo speaker drivers hundreds of times , it works. If the Mikrotik motherboard hardware is already there then how about an optional ROS package to enable the piezo to do much much more.

North Idaho Tom Jones

Sob · Thu Sep 20, 2018 5:59 am

A WISP could possibly use something like this to play a sound file ...

@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature.

TomjNorthIdaho · Thu Sep 20, 2018 5:54 pm

A WISP could possibly use something like this to play a sound file ...
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature.

It would pretty much be a tool for what ever a Mikrotik admin might want/need. Also , because I am suggesting it be an optional package, it would not necessarily be pre-loaded on a fresh Mikrotik router. This optional package could potentially be a nifty tool when used with scripts (including netwatch) to provide audio/verbal information. Also , because I know this type of motherboard speaker driver works on old/slow 16 MHz 16-bit computers , it would not be a Mikrotik resource drain sucking performance away from L2/L3 throughput.

TomjNorthIdaho · Thu Sep 20, 2018 6:17 pm

Related to optional ROS packages …

Because ROS is Linux based (and many of us know Linux very well) -and- because Linux/Unix may be one of the top two popular operating systems of all time , I would like to ask Mikrotik to consider a creating an optional developer package for ROS. Something that provides real programmer features and a compiler/cross-compiler which also includes an ability to make custom packages.

There are hundreds of small Linux developer motherboards out there already. Why not make a ROS programmer developer package. Who knows what the limits are for a RB ROS developer package ... A programmer could create custom drivers for PCI interfaces. Heck , I could see a possible use for a custom wireless/networked controller in many common things such as security systems, new additional drivers , hardware/interface/software/firmware support for use in all kinds of electric/electronic devices from heating & cooling systems, environmental systems and many everyday home/business devices already being developed using non-Mikrotik motherboards. I for one would tinker with it and see what useful devices I could create.

FYI - Did you know that Linksys released a full-blown Linux developer system with all of their Linksys source code and documentation for their Linux based wireless routers over 10 years ago (for free)? Where do you think DD-WRT came from (and many other systems) - and some of those operating systems derived/created from the Linksys developer system run on Mikrotik devices as a Virtual system right now ???

And also related to this post , when I started my WISP , I started out with 1,000 Linksys WRT routers running DD-WRT. I was very pleased with the DD-WRT Linux back then and it worked great.

Sob · Thu Sep 20, 2018 9:06 pm

Good luck with that. It doesn't seem to me that MikroTik is much for opening up. For example, according to developer of open-source MAC telnet, they don't even want to share details about new 6.43+ authentication, which is something that has no reason to be secret. And you want them to let you plug in your own code in their kernel...

But it could be nice. Even if it was something significantly more modest, just custom packages for strictly user-space non-root stuff. You could easily add custom services, simple web server, full-featured DNS server, UDP proxy, etc. Things that people sometimes want and MikroTik is not eager to implement. Combine it with some API to integrate own configuration interface for these things in WinBox/WebFix/CLI and it would be wonderful. But I'm not holding my breath.

TomjNorthIdaho · Thu Sep 20, 2018 10:32 pm

Good luck with that. It doesn't seem to me that MikroTik is much for opening up. For example, according to developer of open-source MAC telnet, they don't even want to share details about new 6.43+ authentication, which is something that has no reason to be secret. And you want them to let you plug in your own code in their kernel...

But it could be nice. Even if it was something significantly more modest, just custom packages for strictly user-space non-root stuff. You could easily add custom services, simple web server, full-featured DNS server, UDP proxy, etc. Things that people sometimes want and MikroTik is not eager to implement. Combine it with some API to integrate own configuration interface for these things in WinBox/WebFix/CLI and it would be wonderful. But I'm not holding my breath.

How about the possibilities of a new wireless driver for Wireless chipsets ? With a developent package , a new wireless driver could be created (using all of the available Atheros chipset registers/settings) to make new high-performance high-thoughput wireless drivers (such as a new/better nv2 'TDMA') system that might way outperform the current Mikrotik properitery hybrid TDMA (nv2). Or how about the tens of thousands of Linux drivers and applications/tools/utilities already freely available.

I think a development package would give the Mikrotik ROS the ability to enter other markets - more sales for Mikrotik in custom verticle markets. Even the US DOD could use this because they could then run their version of high-secirity high-encription special-functionality because they could then control their code and what does what. (I've been down this road a few times in the past...)

EDIT - back in the 90s, I was part a team that sold some custom very low power motherboards which supported special DOD software to control some battlefield devices and communications. Thanks to a software developer system , we were able to make $$$ millions in DOD sales of motherboards. With an optional Mikrotik ROS software developer package, new markets could be made available. A single order could potentially add many zeros to Mikrotik's $$$ income - ( I know - been there and did that !!! )

pe1chl · Thu Sep 20, 2018 11:04 pm

I think MikroTik want to be in the market of selling relatively inexpensive hardware with a relatively powerful routing OS which is relatively easy to configure and which can be supported.
(all those parameters of course can vary a little and some may have different opinions about them than others)

It appears you want hardware with an open software environment. However, that is already widely available from other manufacturers.
(many network-oriented system boards are available from our Chinese friends and there is also a lot of Linksys-like hardware)

You can install Linux or OpenWRT and do everything yourself. However, it is difficult to support when everyone can add their own things.
Some other manufacturers have experimented with partly-open boxes (e.g. you enter some code and it becomes open, and you lose support).
But some of them have reverted that and now you cannot do that anymore without installing entirely your own software.
And you can already do that on MikroTik's hardware!

To be successful and make money you have to find some market where people want your product and you can manufacture and support it at reasonable cost.

Sob · Thu Sep 20, 2018 11:26 pm

I don't know, maybe there are people or organizations willing to make drivers for RouterOS (or port existing Linux drivers) and keep up with possible changes done by MikroTik, instead of just using completely free Linux and have everything under their control. I can't really say. Another matter is how attractive prospect it would be for MikroTik. If they like to be in control, it would end, because driver can do anything. For this, "my plan" (if we can call it that) seems more realistic, because even though they would lose some control, isolated package could not easily mess up whole system. It could also be interesting for more people, because dealing with drivers is not for everyone, but to compile some simple daemon, that could be done by almost anyone.

pe1chl · Fri Sep 21, 2018 10:06 am

"my plan" (if we can call it that) seems more realistic, because even though they would lose some control, isolated package could not easily mess up whole system.

Yes it would certainly be nice to have user-mode daemons under isolated user IDs so they cannot mess with the MikroTik part of the system, but frankly I doubt that the infrastructure for that is currently in place.
I mean: probably now everything runs as root and there has been no attention to file and directory permissions for a long time, so first that would have to be prepared.
It would improve overall security and decrease the risk for vulnerabilities as we have recently seen when services would run as restricted users, but apparently the webserver runs as root (only Linux system where I have seen that for a long long time!).
Of course the CHR provides a way to look into that, maybe I will do some research now that we have a shiny new ESXi server with lots of spare capacity.

Dragonk · Fri Sep 21, 2018 10:51 am

I join the request, i need secure way to use NordVPN.

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.

helipos · Mon Sep 24, 2018 2:23 am

There sould be a new section, a table in webfig and in winbox for global variables with initial values.

System > scripts > environment (both winbox and webfig) ( it's only the current values however)

It would be nice to be able to properly append to text files. So we can get around the whole reading the file to another variable, adding what we needed and then writing the whole thing out again.

Tue Sep 25, 2018 11:30 am

I join the request, i need secure way to use NordVPN.

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.

Such request is pretty useless. Defince what you consider "complete"? Which features you are missing?

bennyh · Tue Sep 25, 2018 1:04 pm

Please fix webproxy with IPv6 sites.
It doesnt work, more people said in the forum, that there is some problem with IPv6 sites trough webproxy. Someone said, only direct ip address works in url (if remote webserver accepts direct IP address behalf domain name).
I tried with IPv6 address of the IPv6-test.com, and i got the error message of the remote webserver ("these aren't the droids you're looking for").

IPv6 test webpage (http://testipv6.com/) results trough proxy:
Test with IPv4 DNS record ok (2.023s) using ipv4
Test with IPv6 DNS record timeout (17.107s)
Test with Dual Stack DNS record ok (2.022s) using ipv4
Test for Dual Stack DNS and large packeto ok (3.011s) using ipv4
Test IPv4 without DNS skipped (3.118s)
Test IPv6 without DNS skipped (17.099s)
Test IPv6 large packet timeout (17.110s)
Test if your ISP's DNS server uses IPv6 ok (3.013s) using ipv4
Find IPv4 Service Provider ok (0.782s) using ipv4 ASN 8990
Find IPv6 Service Provider timeout (16.692s)

logicwrath · Tue Sep 25, 2018 11:39 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.

pe1chl · Wed Sep 26, 2018 9:19 am

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.

This can be done using scripting. The underlying mechanism in the kernel does not support a DNS name so it would have to be solved in a similar way.

Chupaka · Wed Sep 26, 2018 1:18 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.

Isn't the support already here for some time?.. quite long time...

What's new in 6.33 (2015-Nov-06 12:49):

*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;

Sob · Wed Sep 26, 2018 4:48 pm

Yes, it's there, but only for remote address. Local address accepts only IP address.

Chupaka · Wed Sep 26, 2018 5:36 pm

Yes, it's there, but only for remote address. Local address accepts only IP address.

Why not just unset it?

What should router do if FQDN resolves to non-local address?

pe1chl · Wed Sep 26, 2018 6:22 pm

Well, when you unset the local address, you cannot enable IPsec.

Chupaka · Wed Sep 26, 2018 6:47 pm

Good point. Then I vote for the ability to set local-interface instead of local-address, so that IP address from that interface got used automagically.

As a workaround, simple scripting does this job.

TomjNorthIdaho · Wed Sep 26, 2018 8:03 pm

Hey Mikrotik marketing staff …

I think Mikrotik should include a Mikrotik bumper sticker in every Mikrotik product box shipped from Mikrotik.

Guess I'll have to stick around and see what happens.

North Idaho Tom Jones

2jarek · Wed Sep 26, 2018 10:06 pm

Please add Multipath TCP according to RFC 6824.

scampbell · Thu Sep 27, 2018 8:10 am

I would like to see an "add comment" feature on any rule that allows you to add an address to an address list so the created address list entry has info about why it was added.

e.g

/ip firewall filter
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=5d chain=input protocol=tcp dst-port=8291 address-list-comment="Winbox Attempt"

joegoldman · Thu Sep 27, 2018 9:19 am

A few suggestions I'd love:

1) Line item groupings, specifically in firewall stuff - basically a completely empty 'rule' / line thats just a comment, stays in block when comments are set to inline. The work around for this is setting dummy unmatchable rules or putting the comment on the first line in the block, but then I also like to comment all my rules, so having a 'header' comment stay in block and all the normal comments go inline would help organise firewall tables with heaps of chains/100's of rules etc.

2) Custom release cycle channel, basically to make it easier for the router you add custom, set a name to it and give it a URL, that URL might be a format that Mikrotik provide / documentation on how we should respond to the server to give it the latest firmware we want it to have. An example would be, im currently keeping my fleet of Routerboards on 6.42.x (mix of 5/6/7), as I haven't been able to test some of the bigger changes in 6.43.x, but some staff will just hit the check for updates and do updates that way, if we could have a custom release channel maintained by ourselves I could keep routers more inline.

There's plenty more but thats just some 'smaller' ideas I dont think would be too hard to implement.

pe1chl · Thu Sep 27, 2018 9:32 am

I agree with the above two. In addition with #2 I would like to add the possibility to make the release channel refer to some URL on a local webserver that
has information about the releases to track. E.g. a single version, or a major/minor version (like 6.42.x). So the routers configured that way will upgrade
to a version you set on a central system and you can change it without having to go all along those routers.
E.g. you set a custom release channel with URL http(s)://server.local.domain/mikrotik-release which would return a small textfile with either a MikroTik
release channel name (current, bugfix or whatever) or a specific version (6.42.7) or version range (6.42.x) and you can change that as a result of your local
testing outcome and/or security announcements. Of course you can have several of those URLs internal to your organisation so you can test on a couple
of routers first.
This also covers the problem that "current' is suddenly updated by MikroTik but you don't want to jump to it immediately but wait a week or two, but still
want to update some routers from an even older version.

Chupaka · Thu Sep 27, 2018 11:51 am

Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" dir with CHANGELOG (any text you want to see) and .npk files. Done

pe1chl · Thu Sep 27, 2018 12:57 pm

Well in that case it would be nice when there was a custom setting that allows to configure another DNS name for the "upgrade.mikrotik.com" in a router.
Preferably two different settings: one foe the LATEST file and another one for the actual npk files.
In that case one can choose to retrieve the LATEST file from a local server and still get the npk files from "upgrade.mikrotik.com".
(so it is not required to keep a complete mirror of those files)

But of course it should be possible to mimic that with a reasonably flexible "transparent proxy" (that allows some files to be served locally and the remainder to be proxied)

Chupaka · Thu Sep 27, 2018 1:26 pm

In that case one can choose to retrieve the LATEST file from a local server and still get the npk files from "upgrade.mikrotik.com".
(so it is not required to keep a complete mirror of those files)

But of course it should be possible to mimic that with a reasonably flexible "transparent proxy" (that allows some files to be served locally and the remainder to be proxied)

Yeah, in nginx you simply use try_files for your custom files on local server and proxy_pass to the original MikroTik server for the rest

Thu Sep 27, 2018 2:02 pm

Please add:

MAC address lists
Port lists in Firewall

nicolasemmanuelc · Thu Sep 27, 2018 4:44 pm

Hello!
Please add an option to do "force cloud update" in an time interval, that is useful when have public dynamic IP
And yes, I know that this can be done with an script but will be great and easy if we have an "auto update in X time" function!

MikroTik is great! Have a good day!

logicwrath · Fri Sep 28, 2018 9:22 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
Isn't the support already here for some time?.. quite long time...

What's new in 6.33 (2015-Nov-06 12:49):

*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;

I should have provided more detail.

If you use an FQDN on the remote address I suspect it then resolves it to an IP one time for the IPSec policy. There does not appear to be any kind of ongoing resolution of that FQDN. The support I am looking for would be compatible with the IPSec wizardry that is built into using the IPSec Secret field. The idea here would be to better support for creating GRE/IPSec tunnels with dynamic IPs without resorting to scripting.

logicwrath · Fri Sep 28, 2018 9:31 pm

Please add:

MAC address lists
Port lists in Firewall

+1 for allowing MAC address prefixes in lists as well for identify entire classes of devices like VoIP phones.

We currently have a script that does this using the ARP table.

pe1chl · Fri Sep 28, 2018 10:11 pm

+1 for allowing MAC address prefixes in lists as well for identify entire classes of devices like VoIP phones.

Having MAC addresses in a list would not be very useful for that. What you want is to match MAC address by prefix, usually by the first 3 octets (manufacturer).
It looks like you can now only match the full MAC address in rules, it should allow a partial address and match that from the left.
(of course this is already possible in the where clause in commands)

Cha0s · Sat Sep 29, 2018 1:47 pm

Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" dir with CHANGELOG (any text you want to see) and .npk files. Done

So, updates work via plain HTTP? No encryption?

Shame!

pe1chl · Sat Sep 29, 2018 6:01 pm

So, updates work via plain HTTP? No encryption?

Shame!

Why shame? There is absolutely no problem with that!
Remember the update files themselves are signed! The signature is verified before they are installed.
So http is fine.

You know, Windows is using http download for windows update as well.

Cha0s · Sat Sep 29, 2018 6:09 pm

Why shame?

Because there is no excuse anymore for any service to run without TLS. Certificates are free (if not dirt cheap for those that don't - for whatever reason - like Let's Encrypt).
Why should any entity between the router and the update server even need to know what is being downloaded? TLS will prevent any type of eavesdropping.

Remember the update files themselves are signed! The signature is verified before they are installed.
So http is fine.

Yeah, it's fine. Until it somehow gets exploited in the future.
Winbox was considered safe as well, and we all saw the mess we got into recently.
Just because it seems secure now, it doesn't mean it will always be.

You know, Windows is using http download for windows update as well.

Microsoft's policies are not an example to be copied.

So I'll stick to my original comment on this. Shame.

pe1chl · Sat Sep 29, 2018 7:30 pm

I don't agree with you. TLS is a hype and some people believe that nothing can be done without encryption anymore.
But that is of course not true at all. In the case of downloading updates, encryption is not an issue (everyone knows what is being
downloaded!) and the only issue is authenticity. This is guarded MUCH BETTER with the signing using a keypair managed by
the signing authority themselves (as it is done now by MikroTik and also by Microsoft) than by any publicly signed TLS certificate.
The whole system of signing of certificates by "trusted issuers" has too many unreliable parties so it really cannot be relied
upon (anymore) for authenticity. And there is really no point at all in downloading updates using TLS when they are verified
before installation anyway.

Cha0s · Sat Sep 29, 2018 8:59 pm

Sure,

So next time you login to your web-banking do not check for TLS. Just go blindly with http. Don't even check if you typed the correct domain or weather you got hijacked and redirected to another domain. What's the point anyway? Too many parties involved! :facepalm:

People, it's 2018. Not 1996. Everything MUST be TLS. For encryption, authenticity, everything. Having anything over the public internet in clear text is stupid. It doesn't matter what the content is.

Sob · Sat Sep 29, 2018 9:31 pm

It's a little different. Well, completely different. I don't want anyone on the way to see what info I exchange with my bank and I don't want evil hacker substituting target account number with their own, when I send some money out. I couldn't care less about downloaded RouterOS updates (*). Even if an evil hacker hijacks the connection and sends me something different instead, RouterOS won't be able to verify signature and will reject it. No harm done.

(*) As long as there's no flaw in MikroTik's package signing. So yeah, TLS would not hurt and could help some people sleep better. But it's not like there must necessarily be an apocalypse without it.

pe1chl · Sat Sep 29, 2018 10:16 pm

Sure,

So next time you login to your web-banking do not check for TLS.

I never inferred that. Logging in to some website is COMPLETELY DIFFERENT from downloading a firmware update.
Please don't post crap like that!

pe1chl · Sat Sep 29, 2018 10:18 pm

So yeah, TLS would not hurt and could help some people sleep better.

TLS would remove the possibility to have a local update repository on a closed network. At least until the update URL is made configurable.

Chupaka · Sun Sep 30, 2018 2:26 am

So the problem is that you don't trust MikroTik package signing and you do trust TLS and some "trusted" certification authorities (or just trust it more). It's your choice.

But the problem is you don't actually have a choice

At least for now.

helipos · Sun Sep 30, 2018 5:07 am

The ability to force CPU, uptime, date etc on all winbox sessions.
Instead of having to do it individually

elsuhdnet · Tue Oct 02, 2018 4:50 pm

We want to suggest using address list from IP Firewall Address list in the System Users allowed access from special list and also could be used in IP services allowed access for services. This will increase the securing of routers when someone need to access them from public using port knocking process with dynamic address list.

Wyz4k · Wed Oct 03, 2018 4:59 am

Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.

joegoldman · Wed Oct 03, 2018 5:34 am

Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.

This is done in 'graphing' you can set up resource graphs and access them through webfig (at login hit the 'Graphs' button underneath the login)

This will keep a daily, weekly and yearly graph if i remember correctly, daily being 5 minute poll, weekly being 2 hour and yearly being 1 day or something to that effect.

joegoldman · Wed Oct 03, 2018 5:37 am

The ability to force CPU, uptime, date etc on all winbox sessions.
Instead of having to do it individually

Create a 'viw' /session, with those things enabled (And maybe your favourite screens setup and layed out), then use that as your default session view, along with unticking autosave so no matter what you do in that session it resets next time you log-in.

I have 5 or 6 different sessions, some set up for BGP routers, others for Shapers, for PPPoE Servers etc, to give me relevant information as quick as possible.

On this note though, my feature request would be to perhaps have a quick-access drop down of your session files (top left/right), so when logging into a router, you can quickly swap between different views based on what you want to look at (Firewall centric view, wireless centric view, routing centric view etc etc)

Wyz4k · Wed Oct 03, 2018 5:59 am

Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
This is done in 'graphing' you can set up resource graphs and access them through webfig (at login hit the 'Graphs' button underneath the login)

This will keep a daily, weekly and yearly graph if i remember correctly, daily being 5 minute poll, weekly being 2 hour and yearly being 1 day or something to that effect.

That would be almost okay if the graphs had some authentication built into them as well as opposed to just an ip whitelist.

First prize would still be something that doesn't require the graphs though, which can be scripted through the CLI.

joegoldman · Wed Oct 03, 2018 6:15 am

You are correct, I dont use the graphs for the same reason, but I generate the same graphs using one of many SNMP based monitoring tools out there, so I have a clear idea on CPU usage of routers.

Jotne · Wed Oct 03, 2018 8:11 am

Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.

Here is a screenshot form my Splunk Mikrotik project found here: viewtopic.php?t=137338
.

CPU.jpg

TomjNorthIdaho · Wed Oct 03, 2018 6:11 pm

Although my graph below is way to small to read - On some of my Mikrotiks I graph everthing. I can go back years and see , interface bandwidths , CPU loads, temperature , frequency , signal-to-noise , Signal-strengths , TX & RX rates , connected client counts.

Most SNMP based bandwidth graphing programs allow you to use just about any SNMP Mib OID you want and turn it into a graph item. I use Cacti.
The graph below shows an entire year for one of my Mikrotiks. On some devices, I have graphs going back to the early 2000s.

graphs.png

TomjNorthIdaho · Wed Oct 03, 2018 6:21 pm

Re graphing , I suggest using a 3rd party SNMP server and not using the Mikrotik graphing utility because it helps to lessen the Mikrotik CPU load and overhead which helps increase Mikrotik throughput and reduce L2/L3 packet propagation delay

Wyz4k · Thu Oct 04, 2018 3:11 am

I just want to see average cpu usage on a router somewhere in the field.

Now I either have to run:
1) unsecured graphing which can't be queried using a script anyway
2) have to run a 3rd party snmp server because there is no snmp server from Mikrotik and no ability to query snmp registers from the router itself.

Surely there's a point where it's simpler to just add in an average counter in the resources tab which can be scripted...

vecernik87 · Thu Oct 04, 2018 3:57 am

1) unsecured graphing which can't be queried using a script anyway

If IP whitelist is not enough, you can limit it to VPN via firewall.

2) have to run a 3rd party snmp server because there is no snmp server from Mikrotik

Mikrotik has "The Dude" which works well enough as SNMP server. It is not masterpiece, has its own bugs, but works.

... and no ability to query snmp registers from the router itself.

Unsure what do you mean. You can query SNMP from router.

Surely there's a point where it's simpler to just add in an average counter in the resources tab which can be scripted...

Everyone will ask for different average. Someone will ask for 5m, someone for 1hour, someone for 1day... Cmon, if you have such specific requirements, is it really that hard to make own script, which will grab SNMP counters and show you absolutely anything you can imagine?

To sum up - we got two methods - either very simple graphing, or fully featured SNMP. You want something simple, yet advanced...

ilovepancakes · Thu Oct 04, 2018 4:39 am

Would like a way to be able to send user agent header with the fetch tool. For example, Google DDNS with Google Domains and other DDNS providers can accept IP updates through HTTPS get requests, but they need a valid user agent sent with the request. Right now, a script to do this returns a "badagent" error from Google. A way to send and even customize a user agent with the fetch tool would be great.

Wyz4k · Thu Oct 04, 2018 4:57 am

My mistake. I thought this was the "Feature requests" topic, not the "We'll find creative ways to partially solve your problems in inefficient ways" topic.

That being said the snmp get functionality on the mikrotik is useful and isn't something that I've used before. Thanks for that suggestion. I'll look into it.

Sob · Thu Oct 04, 2018 5:40 am

@Wyz4k: Actually, people are trying to help. Problem with your original request is that averages are not very useful. If you check your router and see daily CPU average 40%, what does it tell you? It could mean plenty of power to spare, but it can also mean that CPU is maxed out during whole business hours and router is struggling to survive. And the longer interval, the more useless the numbers get. So what would be such misleading feature good for?

vecernik87 · Thu Oct 04, 2018 6:15 am

@Wyz4k No. I should apologize. I didn't realize it will sound so aggressive. This is certainly about "feature requests". Sometime, requests are great. Sometime not - people submit them due to misunderstanding or lack of information. I just tried to correct some of your statements and I didn't mean to offend you

Wyz4k · Thu Oct 04, 2018 11:27 am

@Wyz4k No. I should apologize. I didn't realize it will sound so aggressive. This is certainly about "feature requests". Sometime, requests are great. Sometime not - people submit them due to misunderstanding or lack of information. I just tried to correct some of your statements and I didn't mean to offend you

It's okay, I apologize for getting a bit irritated as well. I appreciate your suggestion and will give it a try.

fneto · Thu Oct 04, 2018 5:04 pm

Hello!!

I'm new to the forum, and I'd like to know where is the right place for a feature request.

Actually I think Mikrotik should authenticate itself through radius in a uniform way, Winbox uses CHAP-MD5 what's on, but terminal uses PAP??? We uses centralized authentication in a very hostile environment and transmit password in clear way is not an option for us!!

Thanks!

pe1chl · Thu Oct 04, 2018 8:54 pm

I'm new to the forum, and I'd like to know where is the right place for a feature request.

Your feature is already implemented in RC/testing version. And some people don't like it...

joegoldman · Fri Oct 05, 2018 9:14 am

Clustered PPPoE servers....to an extent of course.

Basically only really IP Pool clustering - with limited IP addressing and a decentralised core, I currently have 4 different routers doing PPP termination. Rather than split up a /25 and have to try manage enough IP's in the pool between the routers, would be cool if I could give the whole range in the pool, and have the routers be aware of each others state and not give out an already used address.

pe1chl · Fri Oct 05, 2018 11:26 am

That is already possible via RADIUS!

joegoldman · Fri Oct 05, 2018 2:40 pm

That is already possible via RADIUS!

No, RADIUS is not a pool manager it can assign statics, software behind RADIUS would need to still manage a pool, which can get out of sync if you miss a stop record or something.

tinodj · Fri Oct 05, 2018 4:07 pm

What about Copy rule option in Webfig?

It would be nice to be there. Thanks.

dihrmax · Fri Oct 05, 2018 11:17 pm

Hi,

It's not a feature request but a model request. I didn't find a Topic about it.
I need a CCR with 4S+. I know there have a 1072 with 8S+ but it's to high and expensive for what I need. I need like CCR1009-8G-4S+ (1016 or 1036) dual PSU rackmount. (Doesn't matter how many Gig port)

Thank you

pe1chl · Sat Oct 06, 2018 11:49 am

Maybe when you don't really need the full 10G performance you could use one of the new SFP+ switches together with a CCR1009 as router-on-a-stick?

expert · Sat Oct 06, 2018 12:27 pm

1. Please allow adding many to many entries into vlan table for CRS1xx,2xx. Currently, only many to one entries are allowed:

Current:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=201

Proposed:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200,201

The same should also work for egress-vlan-tag table.

2. This is improvement over point (1). Please allow interface lists to be added into vlan table for CRS1xx,2xx:

Current:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=201

Proposed:
/interface list add name=sfp-list
/interface list member add interface=sfp1 list=sfp-list
/interface list member add interface=sfp2 list=sfp-list
/interface ethernet switch vlan add ports=sfp-list vlan-id=200,201

The same should also work for egress-vlan-tag table.
Idea: vlan lists similar to interface lists would be amazing...

pe1chl · Sat Oct 06, 2018 1:08 pm

Remember that interface lists are handled by the CPU. An interface list is just a bit set in the interface definition which can be matched e.g. in the firewall ("is this bit set for the interface where this packet arrived") by the processor.
This is entirely different from switch programming, where a fixed mapping between devices and vlans is programmed in an external chip essentially one-time (at startup) and the mapping is only used by the switch chip, not by the processor.

expert · Sat Oct 06, 2018 6:40 pm

Remember that interface lists are handled by the CPU. An interface list is just a bit set in the interface definition which can be matched e.g. in the firewall ("is this bit set for the interface where this packet arrived") by the processor.
This is entirely different from switch programming, where a fixed mapping between devices and vlans is programmed in an external chip essentially one-time (at startup) and the mapping is only used by the switch chip, not by the processor.

Thanks for explanation, I didn't know what's the underlying implementation of interface lists. Well, the idea(1) is still nice to have, since my vlan table entries contain same trunk ports.

logicwrath · Wed Oct 10, 2018 11:24 pm

It would be great if all forms in Winbox.exe had a help button you could press that would take you to the relevent online documentation.

example:
http://prntscr.com/l4lfty

schadom · Thu Oct 11, 2018 3:21 am

MT please consider doing some BGP and routing-related fixes for christmas.
Would make A LOT of MT users very, very happy! Just to give some examples:
- multi-threading
- BGP4 SNMP MIBs
- better BGP convergence time
- faster route table searches
- fix ipv6 route reflection
- add RPKI support

TomjNorthIdaho · Fri Oct 12, 2018 10:56 pm

It might be a new nice feature to add a couple of items under IP-Services.
In /ip service , add the follwoing:
snmp ( normally SNMP uses port 161 , add ability to set what IP addresses can even get to the SNMP service )
icmp ( add ability to set what IP addresses can even get to the icmp service when pings are directed to a Mikrotik )

And yes , I am aware in Mikrotik ROS there is the ability in SNMP access using the /snmp community addresses=IPs name=community , however should this possibley be added to /ip service ???

Re icmp , withoug going into firewall rule settings , shouldnt icmp be located in /ip service ?

Also - what other services are running on Mikrotik ROS that can/should be also in the /ip service area ?
Any possible btest server settings in /ip service ?

What about any service that uses a username (where we want to control what IPs have access to the service and the ability to control which username can be accessed from different IP-lists.

Also - If there is a IP service which is locked down by username (and possibly an IP-address-list) , if the service is running then there is a possibility of a denial-of-service attack. So , any ideas about adding additional functionality in the [/i] /ip service area ?

Also - re /ip service for any Mikrotik service running , how do we limit repeated connections from the same remote IP address over and over again --- Such as a remote attacker repeatedly trying usernames and passwords using a dictionary sequence of logins/passwords ( telnet , ssh , winbox , http , https , snmp , ftp , api ).

North Idaho Tom Jones

raymondr15 · Sat Oct 13, 2018 4:12 pm

It would be really nice if MikroTik would add the ability to graph health information such as voltage and temperature and no I'm not referring about SNMP and API, I am referring to tools->graphing,the same way as resources, queues and interfaces are graphed.

pe1chl · Sat Oct 13, 2018 4:51 pm

It would be really nice if MikroTik would add the ability to graph health information such as voltage and temperature and no I'm not referring about SNMP and API, I am referring to tools->graphing,the same way as resources, queues and interfaces are graphed.

There should simply be the possibility to add "user graphing" where an SNMP OID is entered and the value is graphed. It has been requested before.

giorgiop · Sat Oct 20, 2018 6:57 pm

Features Request!

a. Winbox, lets suppose we want to remove 5 columns and add 6 more. That would require to do 11 times the same thing since the list closes every time. Wouldn't it be easier (for the users not the programmer!) to have check box in front of every option, so as to check-uncheck whatever needed?
b. Winbox again. Wouldn't a rule copy from the start page be easier using the right click? got add-remove-enable-disable etc but no copy. Less windows-less clicks
c. Again winbox! Start page of a menu again (e.g. Firewall). A drop menu for the options (when double-clicked?) would be much faster to change an option. Combined with the second request, making a copy of rule and changing one option would be sth like right click-->copy rule--> double click new rule option-->choose new option.

marosi · Mon Oct 22, 2018 1:36 pm

I would like to have the capsmanager push back informations to an accesspoint about connected clients (per interface)
this would be the easiest way to put snmp queries into dude for each ap (or any other monitoring tool), place accesspoints on a map and see how many clients connected.

facubertran · Wed Oct 24, 2018 7:02 pm

Hello, why mikrotik does not have the ability to better define user permissions based on roles?

facubertran · Wed Oct 24, 2018 7:04 pm

MT please consider doing some BGP and routing-related fixes for christmas.
Would make A LOT of MT users very, very happy! Just to give some examples:
- multi-threading
- BGP4 SNMP MIBs
- better BGP convergence time
- faster route table searches
- fix ipv6 route reflection
- add RPKI support

PLEASE!

vortex · Wed Oct 24, 2018 11:22 pm

There's still not quick (or slow) way of seeing which port are all devices connected to.

If a port is in a bridge, the latter is shown in the ARP table. It also does not show the DHCP name, just the IP address.

Chupaka · Wed Oct 24, 2018 11:44 pm

Hello, why mikrotik does not have the ability to better define user permissions based on roles?

Hello. It's not a feature request.

Swordforthelord · Thu Oct 25, 2018 4:15 pm

I would love to see the functionality of the Mode button expanded. Specifically, it would be useful to be able to assign different actions taken based on whether the button was pressed once, double-pressed, triple-pressed, or long-pressed.

WirelessRudy · Thu Oct 25, 2018 6:31 pm

Features Request!

a. Winbox, lets suppose we want to remove 5 columns and add 6 more. That would require to do 11 times the same thing since the list closes every time. Wouldn't it be easier (for the users not the programmer!) to have check box in front of every option, so as to check-uncheck whatever needed?
b. Winbox again. Wouldn't a rule copy from the start page be easier using the right click? got add-remove-enable-disable etc but no copy. Less windows-less clicks
c. Again winbox! Start page of a menu again (e.g. Firewall). A drop menu for the options (when double-clicked?) would be much faster to change an option. Combined with the second request, making a copy of rule and changing one option would be sth like right click-->copy rule--> double click new rule option-->choose new option.

I fully underwrite these features requests. The problem is only I have made almost the same, and more, request on Winbox improvement several times over the years and never even got a reply..... None of these 'ergonomic' adjustments are ever implemented.

Long pull down list need every setting apply to be opened again to go to the next setting. My keyboard wear out only by the use of winbox!

pe1chl · Sat Oct 27, 2018 5:21 pm

And now, for something completely different: (no, not the larch)
With all those YouTube videos from MUM taken from all over the world, it would be nice when the language of the video is always visible in the title.
Some of them are in English or another language I could understand, but more often they are completely incomprehensible to me and it would be useful to make that selection already in the title listing.

TomjNorthIdaho · Mon Oct 29, 2018 4:37 pm

And now, for something completely different: (no, not the larch)
With all those YouTube videos from MUM taken from all over the world, it would be nice when the language of the video is always visible in the title.
Some of them are in English or another language I could understand, but more often they are completely incomprehensible to me and it would be useful to make that selection already in the title listing.

Yup - it can be a little frustrating when a video about Mikrotik is not in English (the only language I know).
But - I am also very aware that English is not the only language used in the world. - However , with todays technology , I suspect that somewhere there just might be a really smart computer than in real-time can verbally translate the spoken language in a video to English and optionally print the translated language on the bottom of the video at the same time.

pe1chl · Mon Oct 29, 2018 8:04 pm

But - I am also very aware that English is not the only language used in the world.

Very true! Note that in no way I would suggest not to put videos in other languages on the channel.
It is very good that they are there, it only would be much more convenient when you can look in the listing and play only videos in languages you understand.
Which of course is different for everyone.

- However , with todays technology , I suspect that somewhere there just might be a really smart computer than in real-time can verbally translate the spoken language in a video to English and optionally print the translated language on the bottom of the video at the same time.

Youtube has that, but it is not really usable right now except when you want to have fun.

NEOhidra · Tue Oct 30, 2018 2:56 am

Indeed - it would be nice to separate the non-English videos.

pe1chl · Tue Oct 30, 2018 10:46 am

Indeed - it would be nice to separate the non-English videos.

I don't want to advocate separating English from non-English videos. We should not consider one language "better" than another.
I just would like to see the language of the video in the listing.

schadom · Wed Oct 31, 2018 9:09 pm

RPKI/ROV guys, please. No need to re-invent the wheel.
See RTRlib for a lightweight, open-source C library: http://rpki.realmv6.org/

PS: Perfect for a weekend hackathon @ Mikrotik HQ while the weather outside is bad

chubbs596 · Thu Nov 01, 2018 7:18 am

RPKI/ROV guys, please. No need to re-invent the wheel.
See RTRlib for a lightweight, open-source C library: http://rpki.realmv6.org/

PS: Perfect for a weekend hackathon @ Mikrotik HQ while the weather outside is bad

RPKI is really needed

pants6000 · Fri Nov 02, 2018 5:43 pm

Actual tcpdump.

I know and use the existing local and remote sniffing tools, but they are not a satisfying replacement for a quick and simple "tcpdump -X" from the CLI.

bkusic · Fri Nov 02, 2018 7:58 pm

Hi,
it would be great to develop a new product - an edge next-generation firewall (NGFW)...

My whole network is Mikrotik based - its GREAT. The only thing I would see is a real and fancy Mikrotik firewall.

Bruno Kusic

Chupaka · Sat Nov 03, 2018 2:06 pm

What's not real in current firewall?

anav · Tue Nov 06, 2018 5:34 pm

I am an english speaker and quite enjoy foreign language MUM and mikrotik youtube videos. One can sense the passion for the products in the voices.
Of course it helps when some languages revert to use english for the numbers LOL. All to say, the only comment I have is the lack of PDFs and/or videos for some of the presentations can be frustrating. At least a PDF I can translate very easily. I am with pelchi in that diversity is grand and an indication of which language would be helpful.
I was looking at DHCP leases (static) on youtube just last night and went through a number of non-english ones. Some were rather long, but in the end it was
either choose the dhcp lease menu selection of (make static) or right click on the mouse for that lease and at the popup windows type menu, select at the bottom (make static) and in both cases the mysterious D (dynamic) disappears on the far left of the lease line. There, Video of about 20 seconds.

StreamlinkUK · Tue Nov 06, 2018 11:50 pm

Would be great to get support for either dnsmasq, or some other feature to enable forwarding of mac-address to remote DNS server, (i,e for parental controls and other applications)
http://www.thekelleys.org.uk/dnsmasq/do ... q-man.html

specifically these options :

--add-mac[=base64|text]
Add the MAC address of the requestor to DNS queries which are forwarded upstream. This may be used to DNS filtering by the upstream server. The MAC address can only be added if the requestor is on the same subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option) is not yet standardised, so this should be considered experimental. Also note that exposing MAC addresses in this way may have security and privacy implications. The warning about caching given for --add-subnet applies to --add-mac too. An alternative encoding of the MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
--add-cpe-id=<string>
Add an arbitrary identifying string to o DNS queries which are forwarded upstream.

OnixJonix · Mon Nov 12, 2018 12:01 pm

Something like TORCH on firewall rule!
It would be great if i can select firewall rule and click on torch - and see what traffic is triggering on that rule!

pe1chl · Mon Nov 12, 2018 2:29 pm

Something like TORCH on firewall rule!
It would be great if i can select firewall rule and click on torch - and see what traffic is triggering on that rule!

It is sort of possible to do that, by clicking the "log" checkmark on the last page (the matched traffic will appear in the log).
Of course you must be careful when doing this on large amounts of traffic. But I have often used it for traffic that has only
a few pkts/second and it works fine.

msatter · Mon Nov 12, 2018 5:06 pm

On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log. The first two and last one/two lines are writen so the time between lines can by seen.

First the two logline written. When it is repeated then the shown counter is increased:

.
time - same logline
time - same logline
the line above are repteated X times.
time - end of repeated lines
|
time - new logline
.

pe1chl · Mon Nov 12, 2018 7:11 pm

On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log.

As long as you have connection tracking, and do not use the log on the "established/related" rule (which should be at or near the top of the list), logging on rules further down the list will usually have less volume and certainly not a duplication of the same info.
Of course there can still be a lot of new connections logged this way.

Jotne · Mon Nov 12, 2018 7:36 pm

the line above are repeated X times.

When you dealing with external logs, this is something you like to avoid at all cost like here in my Splunk - Mikrotik project:
viewtopic.php?t=137338

When you read logs external programs its hard to understand what is repeated and get the message back together.
And do you have many boxes that sends syslog to same server, it makes it even worse.
So if implemented, this need to be an option.

msatter · Mon Nov 12, 2018 8:44 pm

On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log.
As long as you have connection tracking, and do not use the log on the "established/related" rule (which should be at or near the top of the list), logging on rules further down the list will usually have less volume and certainly not a duplication of the same info.
Of course there can still be a lot of new connections logged this way.

In RAW I don't have those control options and thinking further about it.

On enabling logging the option to group logline for that specific rule. Control is so still with the user.

msatter · Mon Nov 12, 2018 8:49 pm

the line above are repeated X times.
When you dealing with external logs, this is something you like to avoid at all cost like here in my Splunk - Mikrotik project:
viewtopic.php?t=137338

When you read logs external programs its hard to understand what is repeated and get the message back together.
And do you have many boxes that sends syslog to same server, it makes it even worse.
So if implemented, this need to be an option.

Making it optional on rule level is the way to go. The user have to decide, if it is going to be used or not.

pe1chl · Tue Nov 13, 2018 4:18 pm

Please consider implementing a way to run a user program in an environment as far protected as possible, but lighter than MetaROUTER which requires a full OS and hardware virtualization.
Some discussion is on page 4 of the Feature Request: OpenVPN [ovpn] udp tunnels topic.

E.g. make a folder on the flash device or external storage, the user puts the executable binary there and possible configuration data, RouterOS runs the executable
in a chroot to that folder, normal networking is possible but possibly also a tun/tap device that is configured just like for the MetaROUTER.
User code is run as a nonprivileged user and without any access to RouterOS configuration or environment.

This would allow users to run their own OpenVPN server, Wireguard server, advanced DNS server, DNS to HTTPS relay and more, without
having to wait for MikroTik implementing those services.
Only support required would be some common shared library files to link to (others could be statically linked).
Users can use the usual gcc cross-compilation facilities to generate their binaries.
Advanced tricks like virtual machines with their associated stability issues and unavailability on certain processors would be unnecessary for this feature.

Wyz4k · Thu Nov 15, 2018 8:11 am

RFC 5424 compliant syslog client so that I can use a cloud syslog server. https://help.sumologic.com/03Send-Data/ ... log-Source

eduplant · Sat Nov 17, 2018 8:38 am

Hello, I just posted a feature request in a separate thread but wanted to at least link it here for possible visibility:

[Feature Request] :resolve DNS Client Improvements

One of the advantages of RouterOS is its scriptability and the strength of its shell syntax for getting things done. New improvements in the :system and :tool areas have given us more tools than ever, and augmenting existing features with script="" hooks have given us even more places to use those tools. However, it seems like an important scripting primitive (for a network device, at least) has been neglected for some time: :resolve.

The rest can be found in the thread here.

Thanks!

mada3k · Sat Nov 17, 2018 7:25 pm

Netinstall for Linux/BSD
DMVPN or something smilar would be great
SNMP monitoring of OSPF-neighbour and BGP peer-status
Sectioned view in Firewall/Filter.
TACACS
802.1x

GuJack20 · Sat Nov 17, 2018 9:25 pm

Indeed - it would be nice to separate the non-English videos.
I don't want to advocate separating English from non-English videos. We should not consider one language "better" than another.
I just would like to see the language of the video in the listing.

You are right. That’s why in this year’s MUM in Tirana i changed the title and description of my presentations from English to Albanian (the language I was going to give them)

So the video in youtube has an Albanian title, the .pdf has an albanian name too. Very easy i think for everyone.
MikroTik should just ask the presenter to write the title and description of each presentation in the language that is going to be given.

usv111 · Thu Nov 22, 2018 1:40 pm

Please,

add multi-cpu(multi-core) support to Bandwidth Test Tool.

this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.

Chupaka · Fri Nov 23, 2018 2:11 pm

add multi-cpu(multi-core) support to Bandwidth Test Tool.

this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.

https://wiki.mikrotik.com/wiki/Manual:T ... _Generator

WirelessRudy · Fri Nov 23, 2018 3:24 pm

When do we ever see the option of select and copy text in the winbox log files? This has been asked for years.
Plus the option to search for string of caracters?

When studying your logs in winbox it's at times hard to get the eyes focused on what you want to see if there are many lines to read through.
And copy and paste into a text file would make is so easy to quickly select what you are looking for.

expert · Fri Nov 23, 2018 5:20 pm

When do we ever see the option of select and copy text in the winbox log files? This has been asked for years.
Plus the option to search for string of caracters?

When studying your logs in winbox it's at times hard to get the eyes focused on what you want to see if there are many lines to read through.
And copy and paste into a text file would make is so easy to quickly select what you are looking for.

What's hard on doing

ssh mikrotik "/log print" | less

?

WirelessRudy · Fri Nov 23, 2018 5:50 pm

When do we ever see the option of select and copy text in the winbox log files? This has been asked for years.
Plus the option to search for string of caracters?

When studying your logs in winbox it's at times hard to get the eyes focused on what you want to see if there are many lines to read through.
And copy and paste into a text file would make is so easy to quickly select what you are looking for.
What's hard on doing
Code: Select all
ssh mikrotik "/log print" | less
?

1. I am not doing ssh. 2. I don't want to print anything. I just want to quickly look in my log and highlight a line or try to find just one setting (one mac leaving or connectiong for example on an antenna) so I can see what happened or where something went wrong.
Why do I need to ssh into it when I am after 15 years still perfectly happy with winbox. And why should I need to print a log first before I do the things that is already any other program running on my screen?
What is so hard to just make my mouse highlight a line? This feature has been asked for by many over the years...

muetzekoeln · Sat Dec 01, 2018 7:21 pm

I have a small feature request. For me it would be very helpful. There are some (about 35) IP networks better reachable by a special gateway than by default gateway (no BGP!).
It would be great if there would be an address list table where all these networks listet and add only one ip route for the list. Today address lists can only be used in firewall.

I know one can use firewall rules to establish routes, but I find this a little bit confusing.

Please make address lists available as destinations in ip route menu.

pe1chl · Sat Dec 01, 2018 11:31 pm

Please make address lists available as destinations in ip route menu.

That is actually already possible.
You add a route to 0.0.0.0/0 via your special gateway in the ip route table with a routing mark name you choose.
Then in your ip firewall mangle table you add a forward rule matching your address list and setting the action "mark routing" and select your mark name.

schadom · Sun Dec 02, 2018 8:35 am

I'd love to see some routing and BGP-related improvements and features (like RPKI Origin Validation).
According to ROS changelogs, it's now almost over a year ago since the last BGP-related fix has been released:

What's new in 6.41 (2017-Dec-22 11:55):
...
*) bgp - added 32-bit private ASN support;
...

We've seen a lot of bridge, cloud, wireless and w60g-related stuff going on during the last months.
Now it's really the time to focus a little bit on routing again... make routing great again

lucasimo88 · Mon Dec 03, 2018 9:56 pm

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.

i need me too complete supporto for IPSEC/IKEv2 with EAP Authentication implementation for NordVPN

muetzekoeln · Tue Dec 04, 2018 2:37 pm

Please support preference field in IPv6 router advertisements. Incoming and outgoing. RFC 4191.

TomjNorthIdaho · Wed Dec 05, 2018 2:49 am

Please,

add multi-cpu(multi-core) support to Bandwidth Test Tool.

this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.

Of note: I have some CHRs running on VMware ESXi servers with 10-Gig network cards.
A single btest session uses a single CPU - however … multiple btest sessions (a mix of send & receive btest(s) appear to use multiple CPUs.
A single CPU assigned to my CHR ROS system can actually btest using vmxnet-3 Ethernet interfaces through the physical 10-Gig network cards can reach near 10-Gig throughput to another CHR btest device on a different VMware ESXi server.
Additionally , two CHRs running on the same physical VMware ESXi servers using vmxnet-3 interfaces can easily btest to each other at rates faster than 10-Gig (in my case , I have tested two CHRs on the same system at almost 19-Gig. And , a CHR running a btest to the loopback interface 127.0.0.1 can easily hit over 20-Gig. I have never seen a Mikrotik motherboard btest to the loopback 127.0.0.1 interface at even 1/4th that speed.
Also - in my opinion , a CHR running on a decent SuperMicro with fast Intel XEON CPUs and lots of CPU cache has always totally and easily way out performed all Mikrotik motherboards that I have tested. For example, a full BGP load on a 10-Gig feed is almost 10-times faster than a CCR1036 Mikrotik router.
Also - again in my opinion, a CCR1036 is good at speeds less than 2-Gig , and a CRS is more of a switch than a router and they are slower. On both your CCRs and CRS mikrotiks , run a btest to 127.0.0.1 and you will discover they are not all that fast or even in the neighborhood of performance a CHR with good hardware can deliver.

North Idaho Tom Jones

Wed Dec 05, 2018 8:24 am

Multithread support for btest is already added:
Version 6.44beta39 has been released.
*) btest - added multithreading support for both UDP and TCP tests;

Wed Dec 05, 2018 8:42 am

Please,

add multi-cpu(multi-core) support to Bandwidth Test Tool.

this is required for 10G/SFP+ speeds testing between CCR1036/ or between CRS317-1G-16S+RM devices.
At the moment Bandwidth Test Tool can generate only 2Gbps and utilize only 1 core on CCR routers.
Of note: I have some CHRs running on VMware ESXi servers with 10-Gig network cards.
A single btest session uses a single CPU - however … multiple btest sessions (a mix of send & receive btest(s) appear to use multiple CPUs.
A single CPU assigned to my CHR ROS system can actually btest using vmxnet-3 Ethernet interfaces through the physical 10-Gig network cards can reach near 10-Gig throughput to another CHR btest device on a different VMware ESXi server.
Additionally , two CHRs running on the same physical VMware ESXi servers using vmxnet-3 interfaces can easily btest to each other at rates faster than 10-Gig (in my case , I have tested two CHRs on the same system at almost 19-Gig. And , a CHR running a btest to the loopback interface 127.0.0.1 can easily hit over 20-Gig. I have never seen a Mikrotik motherboard btest to the loopback 127.0.0.1 interface at even 1/4th that speed.
Also - in my opinion , a CHR running on a decent SuperMicro with fast Intel XEON CPUs and lots of CPU cache has always totally and easily way out performed all Mikrotik motherboards that I have tested. For example, a full BGP load on a 10-Gig feed is almost 10-times faster than a CCR1036 Mikrotik router.
Also - again in my opinion, a CCR1036 is good at speeds less than 2-Gig , and a CRS is more of a switch than a router and they are slower. On both your CCRs and CRS mikrotiks , run a btest to 127.0.0.1 and you will discover they are not all that fast or even in the neighborhood of performance a CHR with good hardware can deliver.

North Idaho Tom Jones

Since beta version "6.44beta39", bandwidth test utilizes all of the CPU cores.

shiyiqiang08 · Wed Dec 05, 2018 9:04 am

can rb450Gx4 add wireless?
i need small device but high performance ,but the rb450Gx4 or RB850G has no wireless.

iperezandres · Wed Dec 05, 2018 10:51 am

It would be awesome to be able to save the winbox personalized views, instead of having to rearrange every window every time we connect to a new device.

UPDATE: as it turns out, it already exists the solution: viewtopic.php?f=14&t=120033

marosi · Thu Dec 06, 2018 11:42 am

So dudes, christmas is coming soon and here are my wishes

- a mptcp enabled kernel
- sstp vpn combined with mptcp

this would make it possible to take (v)dsl lines combined with 4G/lte and establish vpn tunnels to a central vpn server.
the reassambling of packets is done by the mptcp kernel.

this would be a outstanding feature.
https://en.wikipedia.org/wiki/Multipath_TCP

and the second one would be to implement pound as a loadbalancer service combined with letsencrypt certificates, wich would be my third wish.
implement letsencrypt including automatisation for certificare renewals.
the ppl could use routerboard hardware from 3011 to ccr1072 as loadbalancers for reasonable costs and connect the ports direct to a webfarm.

the useability in sum would increase quadratically.

muetzekoeln · Thu Dec 06, 2018 12:15 pm

- a mptcp enabled kernel

+1, although it's status is "experimental". Would also play nicely together with LISP (RFC6830) viewtopic.php?f=19&t=81674&p=699943&hil ... 30#p699943. In addition BBR is included in mptcp, which would be great.
BBR together with a proxy service (see below) would help for legacy end user devices with old tcp stacks.

pound as a loadbalancer service

+1, something like Pound would be really useful!

implement letsencrypt including automatisation for certificare renewals.

+1 again

pe1chl · Wed Dec 12, 2018 11:25 am

winbox: please add some "windows list" feature, e.g. a button for every open window to the right of the "Session:" field below the menu bar.
this can be useful to have an overview what windows are open and to raise them when they are inadvertently lowered below another window.

I normally have the "Log" open fullsize and open all other windows on top of that. When I click somewhere outside of a window by accident,
all opened windows disappear behind that Log window and I have to re-open them from the menu.

Alternatively, it could be useful to have a "lower window" widget or right-click option so I can lower the Log window again (so all other open
windows appear on top of it).

WeWiNet · Wed Dec 12, 2018 6:12 pm

pe1chl +1,
that would be awesome. hate to fiddle around the various windows...

Also a green/yellow/red color field within WINBOX to indicate if you are still connected to the router (green - connected, yellow - don't know, red-disconnected)

pe1chl · Wed Dec 12, 2018 7:46 pm

Also a green/yellow/red color field within WINBOX to indicate if you are still connected to the router (green - connected, yellow - don't know, red-disconnected)

That isn't required because when you have no link, you will be disconnected (far to) quickly and lose the open window (reverts to connections list)!
What I would like to see is an option to disconnect only after 1-2 minutes of link-down, so it is possible to survive a router reboot somewhere inbetween.

eworm · Fri Dec 14, 2018 9:47 pm

I would love to see the functionality of the Mode button expanded. Specifically, it would be useful to be able to assign different actions taken based on whether the button was pressed once, double-pressed, triple-pressed, or long-pressed.

That is possible with scripts. See my RouterOS Scripts (or at github), especially mode-button-event and mode-button-scheduler.

solelunauno · Wed Dec 19, 2018 11:47 am

I use the USB port to activate a N.O. relais that will remove power form an IP surveillance camera to hard reset it.
I use the N.O. relais because 1) a relais failure will let the camera ON, instead than OFF; 2) the relais consumes almost 0,6W of power and my installations are often battery powered (solar panels, etc).
But until now there isn't a feature in RouterOS to let usb power OFF all the time, so I use a script scheduled at startup:
/system routerboard usb power-reset duration=720d
It will be great if I could power ON and OFF usb as I already do with POE output.
Thanks

bmatic · Wed Dec 19, 2018 1:36 pm

If anybody from MikroTik is reading this I would make a sugestion that I can somehow disable fetch tool log messages.

I wrote a simple script for fetching public IP address for updating No-ip address, and it works OK, but now I have log flooded with fetch messages.

Log.png

eworm · Wed Dec 19, 2018 3:11 pm

If anybody from MikroTik is reading this I would make a sugestion that I can somehow disable fetch tool log messages.

I wrote a simple script for fetching public IP address for updating No-ip address, and it works OK, but now I have log flooded with fetch messages.

You can get rid of this. If you do not need the file just add "keep-result=no" to your fetch command. If you do need the file I suppose you read the content later? Just switch to return value to a variable.

muetzekoeln · Thu Dec 20, 2018 12:44 pm

It would be nice to have zero-wait DFS in RouterOS, like AVM and Aerohive have it.

This is to eliminate wait time on 5GHz band after changing operational channel because of Radar detection.

RouterOS could do continuous background scanning (using Scanlist) to find "available" and "unavailable" channels (https://www.etsi.org/deliver/etsi_en/30 ... 20007a.pdf). On radar detection (on active channel) it could (randomly) choose a new channel from the available channels and inform clients of the frequency change before shutting down current operational channel and switch to the new channel.

WeWiNet · Fri Dec 21, 2018 1:56 pm

Pe1chl

Also a green/yellow/red color field within WINBOX to indicate if you are still connected to the router (green - connected, yellow - don't know, red-disconnected)
That isn't required because when you have no link, you will be disconnected (far to) quickly and lose the open window (reverts to connections list)!
What I would like to see is an option to disconnect only after 1-2 minutes of link-down, so it is possible to survive a router reboot somewhere inbetween.

Not true on MacOS/Wine Winbox.
You get disconnected but it won't through you out (but the clock stops to work!). I can open still windows, with data/settings, modify them etc.
Then after a while you might really get thrown out but you won't know when the disconnect happened, and from which point
onwards the modifications were lost.
For this a clear flag (green=clock updates, yellow=no update for 1-3 seconds, red= no update for over 4 seconds) would be really helpful.
Knowing that the clock is precised and stops (even on Mac) using that as trigger should be simple to implement and really nice at same time.

pe1chl · Fri Dec 21, 2018 2:13 pm

Not true on MacOS/Wine Winbox.
You get disconnected but it won't through you out (but the clock stops to work!).

Strange! Under Windows and with Linux/Wine this does not happen, whenever the link is lost you get disconnected within 3 seconds.
Very inconvenient, because sometimes I have 3-4 devices open at the same time and when I reboot one of them I lose all windows even before BGP+BFD re-calculates the routes.
I would in fact prefer such a status indicator and some more patience from winbox (and the router at the other side) so that it survives such events.

cowgirl · Fri Dec 21, 2018 4:35 pm

Multi Chassis Link Aggregation for CCR1xxx and CRS3xx

Best regards
Alexandra

pe1chl · Tue Jan 15, 2019 2:38 pm

In "queue tree" please provide the option of specifying limit-at and max-limit as a percentage of the limit on the next higher layer.
(within a queue tree, the values in the parent item. in the top item, maybe the interface speed when available. or percentages could be disallowed there)

When the value of the limit in the parent item changes, automatically re-calculate the values specified by percentage.

muetzekoeln · Tue Jan 15, 2019 4:55 pm

In "queue tree" please provide the option of specifying limit-at and max-limit as a percentage of the limit on the next higher layer.
When the value of the limit in the parent item changes, automatically re-calculate the values specified by percentage.

+1

Yes please, this is very useful!

SaurVLZ · Wed Jan 16, 2019 1:09 pm

Please add temperature and voltage to the dashboard of the Winbox.
Often it is necessary to monitor the parameters and the location on the dashboard would simplify this at times.

winbox upg.jpg

iperezandres · Wed Jan 16, 2019 3:01 pm

Please add temperature and voltage to the dashboard of the Winbox.
Often it is necessary to monitor the parameters and the location on the dashboard would simplify this at times.
winbox upg.jpg

Now that you mention this, what about being able to personalize the parameters being shown on the dashboard? It would be useful to use a script to show any value or calculation.

pe1chl · Wed Jan 16, 2019 3:42 pm

Of course when you need a dashboard with all kinds of customized parameters it is easy to make that using SNMP.
I would make such a thing on a local webserver in Perl or PHP but undoubtedly there exist "user friendly" packages for Windows that can do that too.
And of course MikroTik have "the Dude" which can do that as well.

muetzekoeln · Fri Jan 18, 2019 2:19 pm

RouterOS includes limited (S)NTP support for syncing clocks. For many applications (e.g. in telecoms and industry) more time precision is required. Protocol IEEE 1588-2008 (aka PTP, IEEE1588v2) is used for this. It would be a great benefit if Mikrotik devices would support IEEE 1588 and function as transparent clock, better yet boundary clock. Maybe some of the built-in switch chips already support for IEEE1588 timestamping in hardware.

You find some information about IEEE 1588 here:
https://www.endruntechnologies.com/pdf/PTP-1588.pdf
https://www.endace.com/ptp-timing-whitepaper

This forum already had some discussion about IEEE 1588:
viewtopic.php?f=1&t=70793&p=534801&hili ... 88#p534801
viewtopic.php?f=1&t=87471&p=465496&hili ... 88#p465496
viewtopic.php?f=1&t=79304&p=421858&hili ... 88#p421858
viewtopic.php?f=21&t=121198&p=605388&hilit=1588#p605388

Of course one has to have a grandmaster clock accessible to make use of IEEE 1588. Mikrotik devices only could transport PTP packets better, if supported.

MikrotikOdessa · Sat Jan 19, 2019 11:48 am

I would like to receive SNMP traps when WiFi client registration occurs...

for example:
[WIRELESS]--Association:11G STA 80:b0:3d:xx:xx:xx associated with WLAN1 SSID = Mikrotik

It's very useful for smart home automation scenarios

Pada · Mon Jan 28, 2019 11:10 pm

I would love the following Winbox (and WebFix) features to be added:

Setting default options for Tools > Torch, because I always have to first deselect "Src. Address6" & "Dst. Address6" and then select "Port" & "Protocol"
Setting to prevent drag & drop of Firewall rules to prevent accidental changes in firewall order

joegoldman · Mon Jan 28, 2019 11:54 pm

I would like to receive SNMP traps when WiFi client registration occurs...

for example:
[WIRELESS]--Association:11G STA 80:b0:3d:xx:xx:xx associated with WLAN1 SSID = Mikrotik

It's very useful for smart home automation scenarios

You could replicate this with logging and a syslog (remote) logging server. Bit of a workaround

Jotne · Tue Jan 29, 2019 8:42 am

I would like to receive SNMP traps when WiFi client registration occurs...

As joegoldman write, syslog is your friend. Look at the project in my signature using Splunk to monitor Mikrotik.
I there dropped using SNMP at all, since then have to add/scan for all new devices.
Now a script on the router calls home with all information needed.

This is how the log lines looks like from Router using Syslog (even shows the signal strength and what VLAN used)

2019-01-24 08:48:09	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -45
2019-01-24 08:36:55	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -43
2019-01-24 07:51:17	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -39
2019-01-23 10:05:08	wireless,info MikroTik: 04:79:70:A9:B1:B3@wlan2: connected, signal strength -32

pe1chl · Fri Feb 01, 2019 2:32 pm

winbox: please have some feature to set (or completely disable) the live update interval of pages that show counters etc.

When managing a router via a slow network or when using winbox over something like RDP or X2GO and when it shows a page that has a lot of counters (e.g. firewall filter wih >200 filters) the winbox client is very busy with updating the page and it becomes difficult to actually do something (like moving a rule).
I would like to just pause the updating or configure it to update like every minute instead of "all the time".

mkx · Fri Feb 01, 2019 2:45 pm

winbox: please have some feature to set (or completely disable) the live update interval of pages that show counters etc.

++

While at it, do it for WebFig as well.

DmitryAVET · Sat Feb 02, 2019 11:29 pm

Dear Mikrotik, what about automatic sertificates from Let's Encrypt?

Keenetic (ex Zyxel) provide AUTOMATIC sertificates by Let's Encrypt:
https://blog.keenetic.com/keenetic-join ... r-society/

Why Mikrotik can't provide same?

SSL for WWW services, include WebFig, especcially remote, hotspot...

Check this out:

ssl.png

its cool!

kiler129 · Sun Feb 03, 2019 7:57 am

A simple yet I think important request: provide IPv6 out of the box. This really requires a package to be present and some default firewall & stateless configuration enabled. I don't see the reason why in 2019 they are shipped with IPv4 only where even cheap consumer routers are IPv6 enabled OOB.

mkx · Sun Feb 03, 2019 10:24 am

A simple yet I think important request: provide IPv6 out of the box. This really requires a package to be present and some default firewall & stateless configuration enabled. I don't see the reason why in 2019 they are shipped with IPv4 only where even cheap consumer routers are IPv6 enabled OOB.

++

Specially so as loading IPv6 package means it doesn't have default settings (i.e. firewall rules) and user has to perform factory reset to get decent configuration as starting point - but loosing whatever already done in other parts (IPv4, wlan, VLAN, ...).

pe1chl · Sun Feb 03, 2019 11:41 am

That is certainly true, but frankly even more important is to bring the IPv6 functionality up to par with what is available in IPv4.
There is a separate topic about that.
Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)

krafg · Sun Feb 03, 2019 3:37 pm

A request:

Please create a 2g/3g/4g high gain antenna (dual chain). mANT LTE 5o is very little.

mkx · Sun Feb 03, 2019 3:46 pm

A request:

Please create a 2g/3g/4g high gain antenna (dual chain). mANT LTE 5o is very little.

There are plenty of high-quality third-party antennae available ... one only needs appropriate connector coverters (many antennae come with FME connectors, so one needs SMAtoFME pigtails).

kiler129 · Mon Feb 04, 2019 1:59 am

(...)user has to perform factory reset to get decent configuration as starting point - but loosing whatever already done in other parts (IPv4, wlan, VLAN, ...).

Actually you can do

/system default-configuration print file=default-cfg

after installing IPv6 package and you will get the default config with IPv6 related stuff

Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)

Why do you think so? Did they said something (even unofficially)?

metricmoose · Mon Feb 04, 2019 6:39 am

We started renting Mikrotik routers to our customers as a basic managed WiFi solution and one thing that any ISP will run into with this type of setup is the customer hitting the damn reset button.

We'd love a way to change the default configuration that doesn't involve netinstall. It's extremely tedious to have someone sit there and netinstall a stack of routers with our custom configuration. There needs to be a better way! Mikrotiks are so close to being perfect for deploying as managed wifi.

To go with that, a basic Tr069 ACS able to run on RouterOS, like Dude or Userman, would be very useful. As long as it can handle applying configurations, setting wifi info and PPPoE logins, it will get people most of the there. Monitoring bandwidth, latency and WiFi stats would also be useful.

mkx · Mon Feb 04, 2019 8:50 am

(...)user has to perform factory reset to get decent configuration as starting point - but loosing whatever already done in other parts (IPv4, wlan, VLAN, ...).
Actually you can do
Code: Select all
/system default-configuration print file=default-cfg
after installing IPv6 package and you will get the default config with IPv6 related stuff

I know that ... but vast majority of SOHO users (and those seem to be the focus of MT lately) don't ... they struggle to enable IPv6 and don't bother with the rest of config ... just as they don't bother about IPv4 config, but luckily the default firewall for IPv4 is quite decent lately.

4lphanumeric · Tue Feb 05, 2019 8:08 am

Ability to swap the rx/tx representation in the graphing setting.

Normal : In -> green, Out -> blue
Swapped: In -> blue, Out -> green

pe1chl · Tue Feb 05, 2019 11:52 am

Unfortunately it appears the IPv6 developer has left the company (maybe he was also the BGP developer?)
Why do you think so? Did they said something (even unofficially)?

I think so, because NO development of these components has appeared aside from some minor bug fixes, for several years.
And also note they are trying to hire new developers for quite some time already.

Also, it appears the watchful eye that reminds the others in the room at the development meeting that IPv6 exists has disappeared.
New features like Kid Control and Detect Internet are developed and released WITHOUT IPv6 support.

neos14 · Mon Feb 11, 2019 11:02 am

Please add support for SNMP views.
To be able to provide limited set of OID's for specific SNMP community.

dravnieks · Tue Feb 12, 2019 4:45 pm

flashing every router with netinstall is minor, and fast process, only issue, in later versions configuration is not persistant after reset.

Have you tried to aply default configuration on 40 Fritzbox routers?

40 Hap AC2 i would get flashed in less than 2 hours, get 24 port poe switch and pile of patch leads. Uploading config to Fritz will take 10 minutes per router because of endless reboots and button confirmations.

We started renting Mikrotik routers to our customers as a basic managed WiFi solution and one thing that any ISP will run into with this type of setup is the customer hitting the damn reset button.

We'd love a way to change the default configuration that doesn't involve netinstall. It's extremely tedious to have someone sit there and netinstall a stack of routers with our custom configuration. There needs to be a better way! Mikrotiks are so close to being perfect for deploying as managed wifi.

To go with that, a basic Tr069 ACS able to run on RouterOS, like Dude or Userman, would be very useful. As long as it can handle applying configurations, setting wifi info and PPPoE logins, it will get people most of the there. Monitoring bandwidth, latency and WiFi stats would also be useful.

muetzekoeln · Wed Feb 13, 2019 1:09 pm

It would be useful to have link-up and link-down event scripts for PPPoE client.
And please make "message" from Authenticate-Ack and Authenticate-Nak available for parsing.

Some carriers communicate DSL connection speed by using Authenticate-Ack message [PAP AuthAck id=0x1 "SRU=uploadspeed#SRD=downloadspeed#]:
https://www.ip-phone-forum.de/threads/s ... st-2274697
https://www.onlinekosten.de/forum/showt ... ost2466544

Wed Feb 13, 2019 3:19 pm

PPP profile already has on-up on-down events.

Wed Feb 13, 2019 4:43 pm

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

raffav · Wed Feb 13, 2019 6:53 pm

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

+infinity agree with that, Why in the logs cannot log the hostname/comment if is there, is very annoying to see/debug: mac abc123 connected mac abc123 disconnected

logistic69 · Wed Feb 13, 2019 11:14 pm

Please Include VPN templates for IOS, windows 10.
it is nightmare trying to make work 6.43 to accept IOS 12.1 simply don't work.
or post a update wiki how to do it, avaery time a new router OS release came up it broke something in VPN.
sadly i need to change to other brand in other to do it.

TomjNorthIdaho · Thu Mar 14, 2019 11:35 pm

Feature Request (1 of 2):
Mikrotik's wireless nv2 protocol ( a version of TDMA ) currently does not use encryption ( I think I am correct here … ).
I would like to see an ability to use a WPA-2 encryption on nv2 wireless networks.

Feature Request (2 of 2):
This is from a post I originally placed in the General forum under Public-Mikrotik-Bandwidth-Test-Server(s).

I would like to see a new optional Mikrotik ROS package which can perform http speedtests between Mikrotiks and client connected computers (something similar to http://my-mikrotik-IP-address/speed-btest).
… Where an optional login/password could be used to perform a http UDP-or-TCP up-or-down bandwidth test
… Where a client computer behind NATted Mikrotik could perform speedtests to their inside Mikrotik gateway IP address , and/or to any Mikrotik IP address out on the Internet.
… Where the Mikrotik admin has some control for maximum bandwidth, number of simultaneous speed-btest testers, and setting to limit how often a client can perform a http speed-btest.
… The Mikrotik http speed-btest should be a simple TCP-up, then TCP-down, then UDP-up then UDP down, followed by a round-trip-ping response time.
… The output after the http speed-btest could then report all kinds of information , including the number of dropped packets during each test -and- it would also be nice to show at what speeds RED ( Random Early Detection ) begins kicking in with dropped packets.
I suspect this type of a Speed-btest server could become very very popular. And the http speed-btest web page could show some pre-configured ISP hosting information and a URL indicating "Powered by Mikrotik" which links to Mikrotik. Mikrotik just might get a boost in sales from something like this.

ditonet · Thu Mar 14, 2019 11:54 pm

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

DHCP server lease script can help you:

:local leaseHostName;
:if ($leaseBound = 1) do={
:set leaseHostName $"lease-hostname";
:log info ("DHCP server: $leaseServerName => MAC: $leaseActMAC => IP: $leaseActIP => Host Name: " . $leaseHostName);
};

Chupaka · Fri Mar 15, 2019 11:50 am

Mikrotik's wireless nv2 protocol ( a version of TDMA ) currently does not use encryption ( I think I am correct here … ).

https://wiki.mikrotik.com/wiki/Manual:N ... v2_network

DanielJB · Wed Mar 20, 2019 12:51 pm

It is extremely useful to use the 'wait' parameter in "/interface lte at-chat" eg wait=yes.

Please can it be added for "/interface ppp-client at-chat" also as is missing?

muetzekoeln · Wed Mar 20, 2019 3:39 pm

Can we get standard 802.11s support?

+1
802.11s would be useful to mesh for example with OpenWRT based devices (some of which may be routerboards

But to mesh RouterOS with coming commercial devices it would need Wi-Fi EasyMesh:
https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh

Please implement mesh protocols compatible with non-RouterOS devices!

DanielJB · Thu Mar 28, 2019 4:42 am

For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!

On my Unix systems, I set TMOUT for root in a similar way.

pe1chl · Thu Mar 28, 2019 11:26 am

For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!

I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue),
and frankly I don't see how that adds any security. Maybe a little more for telnet where you conceivably could take over the open session when you are at an
intermediate router, but for SSH that does not work.

DanielJB · Thu Mar 28, 2019 12:07 pm

For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!
I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue),
and frankly I don't see how that adds any security. Maybe a little more for telnet where you conceivably could take over the open session when you are at an
intermediate router, but for SSH that does not work.

SSH forwarding introduces a session takeover scenario, so there is security value of this feature (which is why other vendors implement it). Perhaps a default of 1h or never is better.

pe1chl · Thu Mar 28, 2019 2:46 pm

I think other vendors only implement it because it is on standard recommendation (or even requirement) lists, not really for security.
Similar to requiring (very) frequent password changes, requiring complicated passwords, etc.
All things that could be valuable in some limited scenarios but are imposed on everyone and everything just for the sake of being able to set a checkmark.

pe1chl · Tue Apr 09, 2019 4:25 pm

When a user or admin logs in incorrectly the following message is logged:

system,error,critical login failure for user xxxxx from ...

Please remove the username (xxxxx in this case) from this log message or provide a system setting to do that.
Logging the username for login failures is a security risk.

pe1chl · Thu Apr 11, 2019 11:03 am

Please add an ARP mode that replies to ARP requests with info from the local ARP cache.
E.g. local-proxy-arp-cache
When the router receives an ARP request on an interface where this is enabled, it first does a lookup in its own ARP table.
When the entry is found there, a reply is sent that is exactly the same as when that particular device would answer the ARP.
When not, either an ARP request is made first and after reply the data is replied from the cache as above, or the router
replies with its own MAC address as in local-proxy-arp. (whatever is more convenient to implement)

This is useful in large WiFi installations where filtering has been implemented to reduce the amount of broadcast traffic.
Usually in such a setup, devices can not communicate with each other because they do not hear each other's ARP requests.
A workaround for that is to setup local-proxy-arp in the router, but the result is that all such communication is flowing
via the router. This can be optimized by telling the requester the MAC address of the desired peer device on behalf of
that device.

muetzekoeln · Thu Apr 11, 2019 12:27 pm

Dear Mikrotik, what about automatic sertificates from Let's Encrypt?

+1 again

viewtopic.php?t=92673

Chupaka · Thu Apr 11, 2019 12:31 pm

+1 again

viewtopic.php?t=92673

The topic is marked as "Solved"

Sob · Thu Apr 11, 2019 5:33 pm

Yeah, about that "solved"... If Let's Encrypt support is solved by the solution (workaround is better word^(*)) presented in that thread, then we can magically solve all other RouterOS shortcomings right away. Why didn't we think about it before, it's so simple, just add Linux machine to your router! You can solve pretty much anything that way.

(*) Don't get me wrong, I don't have anything against it, it's nice idea, definitely better than nothing and can be good enough for someone.

anav · Thu Apr 11, 2019 6:50 pm

I already did that Sob! I added an RPI for my DNS.

mada3k · Thu Apr 11, 2019 11:04 pm

IEEE1588 and SyncE would be great, but requires specific support in hardware level.

A more stressful issue is the need for BGP RKPI support.

vecernik87 · Fri Apr 12, 2019 2:48 am

To be honest, this is one of features which would be amazing and very appreciated.
Although it is possible to do through third-party device, it would be much more convenient to do it directly through ROS.
Unfortunately, I am afraid it won't happen because it would be very specific integration of 3rd party service and that never happened in the past (same as we don't have integrated support for 3rd party ddns or 3rd party VPN provider)

muetzekoeln · Fri Apr 12, 2019 8:56 am

IEEE1588 and SyncE would be great, but requires specific support in hardware level

IEEE1588 works without hardware support, but performance is not so good. It even works over WLAN:
https://www.researchgate.net/profile/Wu ... ion_detail

There are switch chips (also from QC) with support for IEEE1588 and sometimes SyncE since many years. It would be nice to know which Mikrotik products already have these built-in. Someone with this knowledge out there??

It could also support a better TDMA protocol as suggested here:
viewtopic.php?t=87471#p465494
viewtopic.php?t=70793&start=100#p515551

Maybe Mikrotik can also offer an affordable GNSS-based POE-powered IEEE1588 grandmaster-clock device for mast mounting ....

dohmniq · Fri Apr 12, 2019 2:19 pm

Can we get standard 802.11s support?
+1
802.11s would be useful to mesh for example with OpenWRT based devices (some of which may be routerboards
[...]
Please implement mesh protocols compatible with non-RouterOS devices!

Also +1
I'm involved in a commercial project that is looking to use 802.11s but I have to install OpenWRT on Routerboards to get 802.11s support.
AFAIK, 802.11s is baked into the Linux kernel which is also used for RouterOS?
Using wireless snooper on RouterOS you wouldn't even know there was a 802.11s mesh on your frequency!