sja
newbie
Topic Author
Posts: 29
Joined: Sun Jan 22, 2012 6:26 pm
Location: Italy

BUG v5.12 : firewall - not all params visible from terminal

Thu Feb 02, 2012 8:05 pm

I have an RB750GL with ROS v5.12.

I used the setup wizard from winbox to create a hotspot.

Can someone tell me how I can view the Extra-Hotspot part of the firewall rules from a terminal using either /ip firewall filter print or export?

From within winbox I see parameters (within the Extra section) such as
Hotspot: !auth
to client

These Extra parameters are completely invisible from within a terminal.

The following is an example of what I see - look at the first 2 rules!
[admin@MikroTik] /ip firewall filter> print dynamic 
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=forward action=jump jump-target=hs-unauth 

 1 D chain=forward action=jump jump-target=hs-unauth-to 

 2 D chain=input action=jump jump-target=hs-input 

 3 D chain=input action=drop protocol=tcp dst-port=64872-64875 

 4 I chain=hs-input action=jump jump-target=pre-hs-input 

 5 D chain=hs-input action=accept protocol=udp dst-port=64872 

 6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 

 7 D chain=hs-input action=jump jump-target=hs-unauth 

 8 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp 

 9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited 

10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited 
Last edited by sja on Fri Feb 03, 2012 8:51 am, edited 1 time in total.
 
tjc
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: ROS v5.12: firewall - not all params visible from termi

Fri Feb 03, 2012 4:29 am

Try using "print detail".
 
sja

Re: ROS v5.12: firewall - not all params visible from termi

Fri Feb 03, 2012 8:54 am

Thanks for the reply.

I have tried "print detail", "print all" and also other combinations: I have never succeeded in seeing the Extra hotspot parameters.

On further investigation, I find within http://wiki.mikrotik.com/wiki/Manual:Cu ... ng_Hotspot it says:
From /ip firewall filter print dynamic command, you can get something like this (comments follow after each of the rules):

0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
Clearly with v5.12 this does not work. Thus this is a ROS bug - I have changed the title accordingly.
 
tjc

Re: BUG v5.12 : firewall - not all params visible from term

Sat Feb 04, 2012 5:36 am

Does export show them?
 
sja

Re: BUG v5.12 : firewall - not all params visible from term

Sat Feb 04, 2012 9:34 am

No:
[admin@MikroTik] /ip firewall filter> export 
# feb/04/2012 08:25:32 by RouterOS 5.12
# software id = 8XH3-XH53
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
[admin@MikroTik] /ip firewall filter> 
"export" only shows 1 rule whilst "print all" shows 11 (the one shown by export together with the 10 dynamic ones).

Neither export nor print show the Extra Hotspot parameters.

As an experiment I also introduced a new filter firewall rule from Winbox in which I set the Extra Hotspot params by hand. "export" now shows:
[admin@MikroTik] /ip firewall filter> export        
# feb/04/2012 08:38:20 by RouterOS 5.12
# software id = 8XH3-XH53
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=forward comment=test disabled=no
[admin@MikroTik] /ip firewall filter> 
Thus "export" not only does not show the dynamic rules but neither does it show the Extra params.
 
tjc

Re: BUG v5.12 : firewall - not all params visible from term

Sat Feb 04, 2012 9:06 pm

Yeah, sorry, my brain was only half working, export never includes dynamic stuff. The print thing sounds like a bug you should report to MikroTik support.
 
sja

Re: BUG v5.12 : firewall - not all params visible from term

Sat Feb 04, 2012 9:11 pm

Sorry, how do I report the bug? I thought that it was enough to write on the forum.
 
ryohnosuke
just joined
Posts: 7
Joined: Mon Nov 17, 2008 12:42 am

Re: BUG v5.12 : firewall - not all params visible from term

Sat Feb 04, 2012 9:12 pm

Yeah, I have a similar problem with export, I can't export tcp-flags.

Regards
 
tjc

Re: BUG v5.12 : firewall - not all params visible from term

Sat Feb 04, 2012 9:19 pm

See their disclaimer from the top of the front page - "Notice: For support from Mikrotik staff, write to support@mikrotik.com - Mikrotik does not generally offer support on the forum, this is a user forum" Also see - http://www.mikrotik.com/support.html

I've always been a bit surprised that they don't have some kind of web based bug reporting/tracking system for users, but email seems to be the only way.
 
sja

Re: BUG v5.12 : firewall - not all params visible from term

Sat Feb 04, 2012 9:22 pm

Thank you, I'll do it.
 
sja

Re: BUG v5.12 : firewall - not all params visible from term

Sun Feb 05, 2012 10:58 am

I have sent the following to support@mikrotik.com, from which I obtained Ticket#2012020566000092:
Subject: RouterOS v5.12 Bug Report: TCP Flags and Hotspot firewall settings cannot be viewed from CLI.

This mail is to inform you of a bug in RouterOS v5.12. I have not used any previous version and so I am unable to say whether it exists also in those versions.

I have an RB750GL with ROS v5.12.

One other forum poster has confirmed that he too has the same issue.

Description

It is not possible from the CLI to print or export the firewall settings for Advanced: TCP flags and Extra: Hotspot. Filter, NAT, and Mangle are all impacted. Other settings may also be affected.

This means that verification of the firewall rules can only be done via Winbox and clicking on each and every rule and then on each tab within the rule.


Evidence

The bug can be reproduced by creating manually via Winbox a Firewall rule of filter, NAT or mangle and, where applicable, setting the following:
Advanced: TCP flags
Extra: Hotspot

These settings cannot be shown from the command line when using export, print detail, print all, etc.

I first noticed the problem by examining the dynamic firewall rules created by the Hotspot wizard. Without seeing the Hotspot settings they are incomprehensible. Here are the first few lines:

[admin@MikroTik] /ip firewall filter> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=jump jump-target=hs-unauth
1 D chain=forward action=jump jump-target=hs-unauth-to

Note that the Manual at http://wiki.mikrotik.com/wiki/Manual:Cu ... ng_Hotspot says:

From /ip firewall filter print dynamic command, you can get something like this (comments follow after each of the rules):
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth

Some aspects of the bug have been discussed on the forum at: http://forum.mikrotik.com/viewtopic.php?f=13&t=59020

If you need any further information please do not hesitate to ask
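
Added example, not part of the original post and not MikroTik code: a small Python audit that parses saved `/ip firewall filter print` output and lists the rules displayed with no matching condition at all, which on an affected version are the ones to confirm in Winbox because a hidden `hotspot` or `tcp-flags` matcher may be missing from the terminal view. It assumes one rule per line, and the `NON_MATCHERS` set and the sample text are constructed from the output quoted in this thread.

```python
import shlex

# Properties that say what a rule does rather than what it matches.
# Assumption: only the property names that appear in this thread are listed.
NON_MATCHERS = {"chain", "action", "jump-target", "reject-with",
                "comment", "disabled"}

# Constructed sample: rules 0, 3 and 9 as printed on v5.12 in the thread, plus
# rule 0 as the manual quoted in the thread shows it (numbered 100 here).
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=forward action=jump jump-target=hs-unauth

 3 D chain=input action=drop protocol=tcp dst-port=64872-64875

 9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
100 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
"""


def parse_rules(text):
    """Parse `print` output into dicts with number, flags and props."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps comment="a b c" as one token
        if not tokens or not tokens[0].isdigit():
            continue  # flags legend, blank line or prompt
        flags = "".join(t for t in tokens[1:] if "=" not in t)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        rules.append({"number": int(tokens[0]), "flags": flags, "props": props})
    return rules


def displayed_without_matcher(rules):
    """Numbers of rules whose printed form contains no matching condition."""
    return [r["number"] for r in rules
            if not (set(r["props"]) - NON_MATCHERS)]


if __name__ == "__main__":
    for number in displayed_without_matcher(parse_rules(SAMPLE)):
        print(f"rule {number}: no matcher shown, confirm Advanced/Extra in Winbox")
```

A flagged rule is not necessarily wrong: a catch-all at the end of a custom chain is also printed without matchers, so the list is a set of rules to check by hand, not a verdict.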
 
sja

Re: BUG v5.12 : firewall - not all params visible from term

Mon Feb 06, 2012 9:02 am

Received the following reply from MikroTik support:
Thank you very much for the report.
We are aware of the problem, we will try to fix it in the next RouterOS version.
 
sja

Re: BUG v5.12 : firewall - not all params visible from term

Thu Feb 16, 2012 12:55 am

I have installed v5.13 and I have verified that the problem has been fixed.

Thank you Mikrotik!
