Feature request for v7.x

JanezFord · Fri Aug 21, 2015 1:46 pm

Usermanager EAP authentication support, so we can use Usermanager for WPA2 Enterprise configurations.

JF.

kaleruka · Sun Aug 23, 2015 11:42 am

what about socks 5 support?

magnavox · Wed Aug 26, 2015 7:01 pm

Implementation in ROS of MLPPP Server side (for ISPs installation).

tnx

radman3000 · Fri Sep 25, 2015 3:21 pm

IPv6 PBR

zojka · Mon Oct 05, 2015 8:13 am

Authenticaton by RADIUS for http proxy and socks

mezzovide · Fri Oct 23, 2015 2:08 pm

Mikrotik-ipv6-address-list radius attributes please. This is the only thing blocking us from ipv6 deployment to user, as we used it to separate QoS between users.

andersonlich · Tue Nov 03, 2015 10:46 am

yes yes!
Mikrotik-IPv6-Address-List
IPv6-Framed-Route - RFC6911
IPv6-Delegated-Prefix - RFC4818

Mikrotik-ipv6-address-list radius attributes please. This is the only thing blocking us from ipv6 deployment to user, as we used it to separate QoS between users.

Wed Nov 04, 2015 9:01 pm

yes yes!
Mikrotik-IPv6-Address-List
IPv6-Framed-Route - RFC6911
IPv6-Delegated-Prefix - RFC4818

+1

We need these too

StubArea51 · Wed Nov 04, 2015 9:39 pm

yes yes!
Mikrotik-IPv6-Address-List
IPv6-Framed-Route - RFC6911
IPv6-Delegated-Prefix - RFC4818

Mikrotik-ipv6-address-list radius attributes please. This is the only thing blocking us from ipv6 deployment to user, as we used it to separate QoS between users.

+1 for us too!

samsung172 · Thu Nov 05, 2015 1:49 am

VRF support to features is sooooo missed. The support to choose what routingtable to use for what service. Ability to choose web configuration troug one vrf - and ssh by another. (just as example) . Best would be to support more than one per service.. Also stuff like ospf or bgp - inside a vrf.

Thu Nov 05, 2015 10:26 am

It is already possible to run OSPF and BGP as CE-PE protocols.

mezzovide · Fri Nov 06, 2015 3:14 pm

BGP feature : advertise-inactive routes please. Its important for route collector services to receive all known routes even if its inactive!

PtDragon · Thu Nov 12, 2015 5:29 pm

I would like to see IP list optimization routines.
I'm often facing massive botnet attacks, in normal mode (adding attackers to list to block them for 60 days) I'm facing GIANT CPU load(all 36 cores are at 100% from just 50Mbit of traffic(SynFlood type traffic).
In some minutes I got around 1.4million of IPs to block.
Surely that list can be optimized by setting "n IPs from subnet means to block subnet" so for example if i got "8.8.8.1 8.8.8.5 8.8.8.10 8.8.8.30 8.8.8.80 8.8.8.99 8.8.8.251" as attackers and in rule I set block subnet /24 if 5 or more IPs on that subnet in list it would transform to IP list entry 8.8.8.0/24 (just single entry instead of many).
And also i wish that option to use rules for /24 /16 /8 subnets.
Similar function I have in CSF on my server in datacenter and it helps nicely against botnets.

Skyder · Thu Dec 03, 2015 6:09 pm

Hello!
+1 IGMP snooping.
In Russia, in particular, it is very necessary for IGMP snooping. Popularity equipment soared to at all levels from byudzhenyh Hap summer to expensive models. All of our providers are using IGMP snooping. From me personally - to all its customers happy equipment installed Mikrotik and would advise all familiar.
So far, because of the absence of such functional distribution in Russia is questionable. We are not afraid even places without technical support RouterOS.

I very much hope that you will listen.
While I did not find any answer on the forum: whether to wait for IGMP snooping or leave for other equipment manufacturers. Mixing equipment from different manufacturers to achieve the desired functionality is not always a rational decision.

bronx · Sat Dec 05, 2015 12:35 pm

MPLS TE Fast Re-Route
MPLS TE Link Protection
MPLS TE Link-Node Protection
MPLS TE behavior similar to Cisco Class Based Tunnel Selection
MPLS TE Diffserv-Aware tunnels

MPLS Segment Routing extensions to OSPF/ISIS

ISIS

Multicast separation of RPF table calculation into individual routing table and all things involved with that
Multicast BSR fixes
Multicast Anycast-RP
Multicast MSDP

64-bit for x86

Fast-Path indicator on each interface. Which traffic handlers are enabled or not enabled.

Graceful Restart for OSPF/BGP/PIM/ISIS (if ever implemented)

BGP multicast address family

Cisco IP SLA/Juniper RPM functionality

LLDP and LLDP-MED with integration into SNMP
It is like you read my mind!

Also add MPLS TE Auto-Tunnel

I also requested to Mikrotik support that they implement RFC7130 https://tools.ietf.org/html/rfc7130 for BFD + Bonding(LAG), this runs a BFD session per bond member, and can detect problems with packet flow via an individual link in a bond. This is very useful when you are running a Leaf/Spine switch architecture between routers and there is a problem with packet flow via one path, the bond + LACP to the Mikrotik will stay up, yet a path beyond the direct LACP link may have a problem and currently this would go unnoticed and cause issues.

RFC7130 aims to prevent such situations.

+1

alexjhart · Fri Dec 18, 2015 2:32 am

Few things:

I haven't read all suggestions, but a simple way of filtering the log view on routeros would be nice. A way to only see a curtain PREFIX f.ex from the logfile while its running.

in linux something like this.

tail -30f /var/log/syslog | grep -i FW-DROP-LOG-PREFIX1

or even better to see several things

tail -30f /var/log/syslog | egrep -i 'FW-DROP-LOG-PREFIX2|FW-DROP-LOG-PREFIX3'

While you can achieve this with

/log print follow where message~"^prefix1|^prefix2"

I see the benefit of having grep for the complete output as well. It would be nice to have many Cisco/Juniper pipe commands such as match, begin, exclude, etc.

I would love to see tail. Often times I want to see the last few lines of the log, but not print the entire thing.

Since I brought up Juniper, it would be nice to have a better commit, compare, rollback system. I know you can batch commands and use undo/redo and/or safe mode, but it just isn't quite the same.

More detail in /system history please. "device changed" what specifically? maybe show the command or something.

printing (and ideally searching with ctrl+r) the command history would be handy too. Scrolling up one line at a time is a bit tedious.

real-time syntax painting in editor

save without quit in editor

inline comments in terminal (instead of normal ;;; comment on different line, perhaps by adding a column in standard print view and comment= in detail view so that each item uses oneline). Additionally, I think comment should be the last column or item listed. terse view could be updated to list comment last as well and could also benefit from syntax coloring. the comment value should be quoted in terse view as well.

margusl · Sun Jan 17, 2016 12:38 pm

IKEv2 for IPSec

jspool · Sun Jan 17, 2016 10:39 pm

1. Full cURL support. We need the ability to send data to REST API's with cURL POST and the tool fetch is getting pretty limited for our current times.

2. DHCP-Client needs to have a script that can be executed when it gets an IP address. Would make it way more efficient then running a scheduler constantly looking for a change when the script could actually be executed only when ther eis an actual change.

b0m8er · Mon Jan 18, 2016 10:44 am

+1 for IGMP snooping support.
Much needed for IPTV in Russia!

brunoviviani · Tue Jan 19, 2016 9:53 pm

Team, please, make the Radius attribute Delegated-IPv6-Prefix to work.. we have more than 100 mikrotik boxes, and we need of this funcionally.

Devil · Mon Jan 25, 2016 10:19 am

Ability to exclude some source/destination hosts/subnets from hotspot traffic counter.
And for the love of god, OVPN UDP support.

satish143 · Thu Feb 04, 2016 6:21 pm

When it is going to release?

Please in v7 make max-entries adjustable. so we can limit connection so kernel won't get crash

I have notice in v6.35rc3 kernel crashing when limit reach to max

I want to reduce max-entires but don't know how to

[admin@MikroTik] > /ip firewall connection tracking print

max-entries: 524288
total-entries: 234041

SDFadfasdfadsf · Sun Feb 07, 2016 2:25 am

MVRP to sync VLAN information

mycket · Mon Feb 08, 2016 2:03 pm

yes yes!
Mikrotik-IPv6-Address-List
IPv6-Framed-Route - RFC6911
IPv6-Delegated-Prefix - RFC4818

Mikrotik-ipv6-address-list radius attributes please. This is the only thing blocking us from ipv6 deployment to user, as we used it to separate QoS between users.
+1 for us too!

+1 for me too
and PPPoE IPv6 Accounting
The only two things blocking us from using MK

pants6000 · Wed Feb 24, 2016 7:40 am

A source-address option for bandwidth test would be nice!

Wed Feb 24, 2016 7:43 am

You should read the forum: http://forum.mikrotik.com/viewtopic.php?t=104266

mukkelek · Sun Feb 28, 2016 3:15 pm

user manager for ARM system

vortex · Fri Mar 18, 2016 12:40 am

Single connection routing @ 2 Gbps on 1036 and up.

vortex · Fri Mar 18, 2016 5:56 pm

Single connection routing @ 2 Gbps on 1036 and up.

Make it 5 Gbps.

vortex · Fri Mar 18, 2016 6:00 pm

Automatic dynamic power and cooling management for CCR.

dallas · Fri Mar 18, 2016 7:36 pm

I am requesting for the most basic spectrum analyzer for AC chipset. I will beta test for you. What version can I test on?

vortex · Sat Mar 19, 2016 11:23 pm

Realtek WiFi support.

Arcticfox · Thu Mar 31, 2016 1:16 pm

LLDP support is highly required.

DmitryAVET · Fri Apr 01, 2016 3:31 pm

1. Load balancing mode in QuickSet (simple settings, step by step configuration manager). Actual for all home users (old rb951, and new hAP and hEX series).

2. More userfriendly step-by-step configuration managers, like L2TP Server conf. etc.

3. More powerfull Graphing, like Cacti etc. New graph design, like Google Analitycs

4. Built-in wireless link calculator, that use current device specifications (tx power, modulation, sensitivity).

5. Step-by-step configuration manager for QoS: select WAN-port, enter WAN capacity, enter total users, press 1 button and get configuration. Actual for most small offices.

6. That same as #5, but traffic prioritization for applications (skype etc)

nishadul · Fri Apr 01, 2016 4:38 pm

NEED HTTPS WITH PROXY

satish143 · Mon Apr 04, 2016 5:50 pm

When v7 coming out? is there any beta or testing version available?

basic833 · Wed Apr 06, 2016 12:01 am

OVPN feature need!!!!!
UDP mode
LZO compression
TLS authentication
authentication without username/password

topperh · Fri Apr 08, 2016 11:43 pm

NEED HTTPS WITH PROXY

I second this request

mgiammarco · Sun Apr 10, 2016 9:31 am

I know what the answer for this is going to be, but it's just to show that the issue is not getting anywhere even if you pretend it does not exist and people still need it.

OpenVPN version update
OpenVPN support for UDP
OpenVPN support for LZO

In openWRT running in MetaRouter it's way too slow

I agree. Please finish existing feature before adding new ones.
And in CRS models LACP is missing too.

BeNoZo · Mon Apr 11, 2016 3:38 pm

TR-069

For auto provision , remote real time diagnostics, quick fast mass upgrades, quick fix roll outs and general monitoring .

doneware · Mon Apr 11, 2016 8:24 pm

TR-069

For auto provision , remote real time diagnostics, quick fast mass upgrades, quick fix roll outs and general monitoring .

all of those can be put in place using scripting and ros api right now

BeNoZo · Tue Apr 12, 2016 8:32 am

TR-069

For auto provision , remote real time diagnostics, quick fast mass upgrades, quick fix roll outs and general monitoring .
all of those can be put in place using scripting and ros api right now

But it's still not TR-069 isn't it . Scripting is per device , and time consuming . Consider managing thousands of RouterBoard , Scripting is good if you have a few CPE , but when your talking about mass deployment you need TR-069, no help desk is going to take a support call and put a customer on hold while you script something up .

doneware · Tue Apr 12, 2016 11:12 am

TR-069

For auto provision , remote real time diagnostics, quick fast mass upgrades, quick fix roll outs and general monitoring .
all of those can be put in place using scripting and ros api right now

But it's still not TR-069 isn't it . Scripting is per device , and time consuming . Consider managing thousands of RouterBoard , Scripting is good if you have a few CPE , but when your talking about mass deployment you need TR-069, no help desk is going to take a support call and put a customer on hold while you script something up .

you're right, it's not TR-069. scripting is a lot more powerful stuff.
of course it needs a head start of coding, it's not something out of the box. but auto-provisioning can be
done using different approaches.

no one stops us to actually create a similar environment/ecosystem with ROS scripting, to provide the same
look & feel as TR-069. if you need it right now, let's make one. when you have to deal with 1000s of devices
it (the home-brew approach) will be a lot more efficient than doing everything manually while waiting for MTIK to implement TR-069

BTW, i would not compare the average TR-069 governed CPE feature set to something that ROS offers right now.

BeNoZo · Wed Apr 13, 2016 1:54 am

TR-069

you're right, it's not TR-069. scripting is a lot more powerful stuff.
of course it needs a head start of coding, it's not something out of the box. but auto-provisioning can be
done using different approaches.

no one stops us to actually create a similar environment/ecosystem with ROS scripting, to provide the same
look & feel as TR-069. if you need it right now, let's make one. when you have to deal with 1000s of devices
it (the home-brew approach) will be a lot more efficient than doing everything manually while waiting for MTIK to implement TR-069

BTW, i would not compare the average TR-069 governed CPE feature set to something that ROS offers right now.

That is just re-inventing the wheel. Why develop new ecosystem when one already exists . ISP already have TR-069 asset in the business and interfaced with OSS/BSS systems, re-inventing (home-brew) is not feasible.

At the end of the day , this is a feature request , end user should have the option to choose what best fits the network and business. TR-069 is my feature request for V7.

doneware · Wed Apr 13, 2016 12:05 pm

At the end of the day , this is a feature request , end user should have the option to choose what best fits the network and business. TR-069 is my feature request for V7.

fair enough

sterling · Thu Apr 28, 2016 6:05 pm

Not sure this one has been mentioned, but I really need fastpath in VPLS endpoints for VPLS faster than 1Gbps.

I've had to switch back to basic OSPF routing to obtain the 8-9Gbps speeds i used to have before implementing end to end MPLS/VPLS.

th0massin0 · Mon May 02, 2016 9:56 am

Small thing: for multiple WAN envoronments it should exists some kind of predefined policy or on/off switch, about incomming and outgoing traffic. When something goes in from WAN1 should go out by WAN1, when something goes in frome WAN2 should go out by WAN2 and so on...

Mon May 02, 2016 10:08 am

It's easy. Mangle the connection and route the packets back according to the routing marks.

th0massin0 · Mon May 02, 2016 10:54 am

When combining PPPoE Client WAN and static IP address WAN it's not so easy, look

/ip firewall mangle
add action=mark-connection chain=prerouting comment="WAN1 FWD" in-interface=ppp-WAN1 new-connection-mark=wan1_conn passthrough=no
add action=mark-routing chain=prerouting comment="WAN1 FWD" connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no
add action=mark-connection chain=prerouting comment="WAN2 FWD" in-interface=ppp-WAN2 new-connection-mark=wan2_conn
add action=mark-routing chain=prerouting comment="WAN2 FWD" connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no
add action=mark-connection chain=input comment="WAN1 IN OUT" in-interface=ppp-WAN1 new-connection-mark=wan1_conn
add action=mark-routing chain=output comment="WAN1 IN OUT" connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no
add action=mark-connection chain=input comment="WAN2 IN OUT" in-interface=ppp-WAN2 new-connection-mark=wan2_conn
add action=mark-routing chain=output comment="WAN2 IN OUT" connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no

/ip route
add check-gateway=ping distance=2 gateway=ppp-WAN1 routing-mark=to_wan1
add check-gateway=ping distance=3 gateway=ppp-WAN2 routing-mark=to_wan2
add check-gateway=ping comment=MAIN distance=1 gateway=10.1.0.1
add distance=1 dst-address=10.0.0.11/32 gateway=eth6_WAN1
add distance=1 dst-address=10.0.0.12/32 gateway=eth7_WAN2

... and when I tried to set up routing mark for address 10.1.0.1, the route fails.
Could you help me please?

th0massin0 · Mon May 02, 2016 12:16 pm

Also usable will be some kind of checkbox for hairpin NAT in NAT rule creation.

alphalt · Wed May 04, 2016 12:05 am

Hi,

Maybe very old request, but... Metarouter support on microSD card.

Wed May 04, 2016 11:39 pm

... and when I tried to set up routing mark for address 10.1.0.1, the route fails.
Could you help me please?

Your problem is that the connection-marking rules need to also have the criteria: connection-mark=no-mark
If not, then you can re-mark connections and break the routing policy.

th0massin0 · Fri May 06, 2016 4:37 pm

Login by ssh key in WinBox will be really helpfull too.

radman3000 · Wed May 11, 2016 6:21 am

Requesting IPv6 policy based routing.

isolnet · Wed May 11, 2016 7:54 am

Dear MT Team

I think User manager is most power full tool in future because every isp need radius with accounting, country wise payment gateway, sms api integration, plans flexibility etc.

So Kindly improve in further upcoming updates.

hkaiser · Fri May 13, 2016 6:02 pm

Hello!

802.11ad cards support, and GPS syncing would be great!

maara · Sat Jun 04, 2016 5:38 pm

Ovpn tls-auth and improved ovpn client in general so the connection compatibility is better..

craterman · Sat Jun 18, 2016 3:47 pm

MPLS TE Fast Re-Route
MPLS TE Link Protection
MPLS TE Link-Node Protection
MPLS TE behavior similar to Cisco Class Based Tunnel Selection
MPLS TE Diffserv-Aware tunnels

MPLS Segment Routing extensions to OSPF/ISIS

ISIS

Multicast separation of RPF table calculation into individual routing table and all things involved with that
Multicast BSR fixes
Multicast Anycast-RP
Multicast MSDP

64-bit for x86

Fast-Path indicator on each interface. Which traffic handlers are enabled or not enabled.

Graceful Restart for OSPF/BGP/PIM/ISIS (if ever implemented)

BGP multicast address family

Cisco IP SLA/Juniper RPM functionality

LLDP and LLDP-MED with integration into SNMP

These functions need definitely. And they need not only to us but also to you - mikrotik team, for that would have a more competitive product and a more extensive sales geography. I think when you had MUM tour in Asia have often been asked about the ISIS protocol. Oh Asians very love it

riaanmaree · Sat Jun 18, 2016 7:07 pm

AS & BGP info in Netflow v5 export.

Sent from my SM-G925F using Tapatalk

Sun Jun 19, 2016 1:02 am

I think when you had MUM tour in Asia have often been asked about the ISIS protocol. Oh Asians very love it

ISIS is very common in large provider networks the world over. It will be great to see ISIS support in RouterOS.

But for now I will be happy to just see RouterOS v7 beta get released

borisk · Wed Jul 06, 2016 3:04 pm

The very simple feature we need right now is: ability to delete bgp communitied from prefix by rege. Cisco like:

route-map xxx permit 10
match ....
set comm-list XXXX delete

Wed Jul 06, 2016 10:53 pm

The very simple feature we need right now is: ability to delete bgp communitied from prefix by rege. Cisco like:

route-map xxx permit 10
match ....
set comm-list XXXX delete

+1

Being able to delete communities based on a regex would be perfect !

mmabob · Thu Jul 14, 2016 6:53 am

Multi Core BGP to speed up receiving a full BGP routing table

paoloaga · Thu Jul 14, 2016 6:44 pm

The major missing feature of ROSv7 that I think would benefit everyone is to be available in the download page.

I apologize for the cheap humor, but I couldn't resist...

Fri Jul 15, 2016 7:52 am

Yep. Wondering why none mentioned the torrent client yet... That would be something really widely used. Also tor package would move the ros to new level.

Sob · Fri Jul 15, 2016 6:46 pm

You're making fun of it, but ability to have some unusual software could be nice. Not necessarily from MikroTik, some form of custom packages. Probably with limited environment (chroot, user permissions), to prevent them from messing up the router.
There was MetaROUTER, but it was a little heavy and not very easy to use. And it's no longer an option anyway, since MikroTik continues to successfully fix the "excessive storage problem" for more and more devices.
But few small binaries would still fit. So yeah, why not torrent, tor or whatever...

Fri Jul 15, 2016 10:31 pm

Sure, I do.

You know very well that there are still basic gaps in functionality that should be filled first. After that, there will be some space for similar requests, like torrents, tor, speach synthesizer, different magic wands and whatever else. But this will never happen as the resources are scarce and the competitors are still moving forward providing some parts of functionality on better level. It will be never ending story to keep the tempo with them and trying to provide something really useful and special above that.

We are just mortal beings, what we can do more than to try to have fun?

maltris · Sat Jul 16, 2016 10:17 am

I just had an idea which I would like to share with the community and maybe someone else also likes it.

There is this small, not-well-known but very useful tool called "etckeeper" for Linux, which automatically commits all changes you do on your configuration to the version-control-system of your choice (git, svn...). An implementation of that for MikroTik would be interesting because it will save time required for setting up other ways of automated backups.

Further information can be found here: https://github.com/joeyh/etckeeper

cusco · Wed Jul 20, 2016 5:13 pm

+1 for IGMP snooping support.
Much needed for IPTV in Russia!

Don't we already have IGMP support?
Just over the weekend I managed to configure IPTV box with IGMP proxy, and 2 firewall rules (one to allow IGMP, another to allow UDP to specific subnets used by my provider)

Wed Jul 20, 2016 5:17 pm

+1 for IGMP snooping support.
Much needed for IPTV in Russia!
Don't we already have IGMP support?
Just over the weekend I managed to configure IPTV box with IGMP proxy, and 2 firewall rules (one to allow IGMP, another to allow UDP to specific subnets used by my provider)

Can you post the exact rules? Yes, we do have IGMP proxy and it should be enough in most cases. Some people refuse to try it, so a complete example would be nice, to make it easier.

pe1chl · Thu Jul 21, 2016 9:48 am

There is this small, not-well-known but very useful tool called "etckeeper" for Linux, which automatically commits all changes you do on your configuration to the version-control-system of your choice (git, svn...). An implementation of that for MikroTik would be interesting because it will save time required for setting up other ways of automated backups.

I fail to see why.
MikroTik does not make the contents of /etc visible to users. They use a frontend that processes all user commands and makes changes to the underlying Linux configuration in a manner that is not public.
There is no way they will export the contents of /etc outside the router!
When you want to save your exported configs in a version control system, go ahead and do so. You don't need assistence from MikroTik for that.
Just setup a directory (tree) where you keep your exported configs and check this in to your favority version control system. I do this all the time.
This "etckeeper tool" can be done in a single "git add -A /etc" command, all the fluff you find in there is just to make it easily installable and configurable for different environments.

net365 · Tue Jul 26, 2016 1:46 pm

IPv6 Hotspot would be very nice to offer. Not sure if anyone elase has suggested it yet?

cusco · Tue Aug 02, 2016 8:05 pm

+1 for IGMP snooping support.
Much needed for IPTV in Russia!
Don't we already have IGMP support?
Just over the weekend I managed to configure IPTV box with IGMP proxy, and 2 firewall rules (one to allow IGMP, another to allow UDP to specific subnets used by my provider)
Can you post the exact rules? Yes, we do have IGMP proxy and it should be enough in most cases. Some people refuse to try it, so a complete example would be nice, to make it easier.

Hello Normis. In my case, I also struggled, read on the web that i should allow ALL UDP traffic on the firewall. Then I read about my provider (MEO in Portugal) and other people making similar configurations in other equipment, so I found out the addresses I needed to allow UDP.

here follows:

 > /routing igmp-proxy export compact 
# aug/02/2016 17:58:59 by RouterOS 6.35.4
# software id = ADSD-BZLV
#
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan12 upstream=yes
add interface=bridge-lan

 > /ip firewall filter export compact 
# aug/02/2016 17:59:54 by RouterOS 6.35.4
# software id = ADSD-BZLV
#
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=Attacks comment="Drop connections FROM blacklisted hosts" src-address-list=blacklist
add action=drop chain=Attacks comment="Drop connections TO blacklisted hosts" dst-address-list=blacklist
add chain=input comment="Allow Established and Related" connection-state=established
add chain=forward connection-state=established,related disabled=yes
add action=drop chain=input comment="Drop INVALID" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=output comment="Allow LAN" src-address-list=INTERNAL
add chain=input comment=SUPPORT src-address-list=support
add chain=input comment="Allow VPN's" protocol=gre
add chain=input comment=PPTP dst-port=1723 protocol=tcp
add chain=input comment=L2TP dst-port=1701 protocol=udp
add action=reject chain=input comment="prevent ping" disabled=yes in-interface=vlan12 protocol=icmp reject-with=icmp-admin-prohibited
add chain=input comment="Allow Ping" log=yes log-prefix="PING_ " protocol=icmp

#add action=add-dst-to-address-list address-list=MEO-IGMP address-list-timeout=1w3d chain=input comment="IGMP (iptv)" protocol=igmp
add chain=input comment="IGMP (iptv)" protocol=igmp
add chain=input comment="UDP (iptv)" protocol=udp src-address-list=MEO-IPTV
add chain=forward protocol=udp src-address-list=MEO-IPTV

add action=drop chain=input comment="Drop Everything else" log-prefix=DROP_

 > /ip firewall address-list export
# aug/02/2016 18:04:28 by RouterOS 6.35.4
# software id = ADSD-BZLV
#
/ip firewall address-list
# ... other stuff ...
add address=194.65.46.0/23 list=MEO-IPTV
add address=10.173.0.0/16 list=MEO-IPTV
add address=213.13.16.0/21 list=MEO-IPTV

CyB3RMX · Fri Aug 05, 2016 8:05 am

- TDD on wireless
- improvements on wireless side like beam forming
-

mtuser666 · Thu Aug 18, 2016 4:02 pm

+1

Multi Core BGP to speed up receiving a full BGP routing table

But for first v7 need any Ether RING protocol : ITU-T G.8032 Ethernet Ring Protection Switching (ERPS) there is also EAPS(like extreme networks), EPSR(allied telesis)
Without ring every accident takes too long time and don't tell me RSTP is a good solution, because it is not.

Yekver · Wed Sep 07, 2016 10:47 am

Here is some useful features that would be great to see!

capsman
- speed per client in registration table tab
- show speed in interfaces tab even for that configurations where Local Forwarding option is enabled!

queue
- show notification if queue couldn’t be processed because of fasttrack

graphs
- ability to save graphs
- draw graphs for the following wireless interface settings (this is very helpful to detect long time problems with wifi links):
- tx/rx signal strengh
- tx/rx CCQ
- noise floor
- signal to noise
- make static graphs for retina displays, now they look awful
- total upload/download statistics

web interface
- new svg icons for retina
- create mobile device friendly web interface
- delete/add table columns while designing skin
- more default skins
- quick search through whole amount of options
- reduce the CPU usage (now from 10-15%)
- log filterable by topics
- fix "ERROR: Internal Server Error" shown on login screen. Error comes with not expected logout

capsman
- show "Active Host Name" in "Registration Table" tab (like in DHCP - Lease)

firewall
- save bytes/packets counters after ROS upgrade or reboot

PS: winbox for MacOS pleeease

PastuhMedvedey · Wed Sep 07, 2016 2:41 pm

Multi Core BGP to speed up receiving a full BGP routing table

A very important feature.

kleinem · Tue Sep 20, 2016 4:37 pm

Definitive must:
Locator Id Separation (LISP) support

Nice to have:
Conditional DNS forwarding, so you don't have to fiddle with L7 inspection and NATing...

ivicask · Tue Sep 27, 2016 3:38 pm

Would be possible to implement option to enable IP firewall per bridge?
So BRIDGE A has ip firewall enabled and i can control fully its traffic (for example controlling ADSL traffic between bridget ports 1-2)
And for example BRIDGE B which would just pass traffic between LAN port3 and WIFI interface/s on which i dont need IP firewall which kills CPU.

andreiroos · Sat Oct 01, 2016 8:26 pm

Not sure if this have been mentioned, I would like the ability to change exclusive settings for the LTE wireless cards, eg. Sierra cards. Settings like the LTE band selection and more. Not sure what the card capabilities are, but if all settings are available through winbox it would be fantastic.

ErfanDL · Sat Oct 01, 2016 10:22 pm

Please add GPS webui (remotlly find router location in webfig)

Sent from my C6833 using Tapatalk

crumb · Tue Oct 04, 2016 1:12 pm

Hello! I would really like to see in a future version of the RouterOS possible to install Metarouter to external storage such as a USB-flash. It is very important for hAP AC owners, where the free HDD space is very small.

pe1chl · Tue Oct 04, 2016 3:15 pm

Hello! I would really like to see in a future version of the RouterOS possible to install Metarouter to external storage such as a USB-flash. It is very important for hAP AC owners, where the free HDD space is very small.

I'm sure that will never happen, as it would open the door to breaking into RouterOS...
(you can remove the flash card and look what is on there, modify it, and place it back)

hurymak · Tue Oct 04, 2016 3:42 pm

Please add some type of device / tracking protection.
That when thief will steal it, it will have some code with ability to track, even after hard reset or with remote code activation,
to work in the way as apple icloud lock - unusable without code.

Sivics · Mon Oct 10, 2016 4:45 pm

OpenVPN CRL

pe1chl · Mon Oct 10, 2016 5:01 pm

Please add some type of device / tracking protection.
That when thief will steal it, it will have some code with ability to track, even after hard reset or with remote code activation,
to work in the way as apple icloud lock - unusable without code.

Secure Routerboot is already available - maybe that is what you wanted?

jandafields · Tue Oct 11, 2016 3:53 am

Please add some type of device / tracking protection.
That when thief will steal it, it will have some code with ability to track, even after hard reset or with remote code activation,
to work in the way as apple icloud lock - unusable without code.
Secure Routerboot is already available - maybe that is what you wanted?

No, Secure Routerboot does not protect the hardware at all. It only protects the configuration. You can easily reset the router if it has Secure Routerboot and it erases the configuration and then you can use it like it is brand new.

Directly from the Secure Routerboot Wiki:
"As an emergency recovery option, it is possible to reset everything by pressing the button at power-on for longer than reformat-hold-button time. Even if reformat-hold-button time is forgotten, holding the reset button for more than 300s will allow you to perform reformat."

harvey · Thu Oct 13, 2016 3:47 pm

I would like to voice my agreement with all the requests for enhanced OpenVPN support including:-

UDP support
auth-tls support
Enhance 'auth' algorithms such as SHA512.
Enhance 'cipher' support.
The ability to push configurations to clients.

Thanks for all the hard work.

vonsete · Thu Oct 13, 2016 6:39 pm

ONT password authentication

Sob · Thu Oct 13, 2016 7:15 pm

UDP support

UDP was already confirmed for RouterOS v7, no need to keep requesting it. Buy a nice bottle of champagne with long expiration date and be ready!

The other goodies, that's a different question, I don't remember seeing anything else confirmed by MikroTik, and I'm affraid to ask. One thing is clear, it would be real shame to end up with "please add <some still missing OpenVPN feature>" thread(s) after RouterOS v7 gets out.

pe1chl · Fri Oct 14, 2016 11:38 am

it would be real shame to end up with "please add <some still missing OpenVPN feature>" thread(s) after RouterOS v7 gets out.

Hopefully the change will just be "update the OpenVPN binary to the most recent release".
But, note that OpenVPN has serious (and nonsensical) limitations itself!
For example, the server can only listen on TCP or UDP, not on both at the same time.
So when you want to migrate your existing OpenVPN-over-TCP network to UDP once that becomes available,
you "will be facing interesting times".

Fri Oct 14, 2016 11:49 am

No, Secure Routerboot does not protect the hardware at all. It only protects the configuration.

Currently true, but we will implement a specific second interval for the reset, so that it will be impossible to reset, unless you know that it is triggered between the 85th and 90th second

jandafields · Fri Oct 14, 2016 4:38 pm

No, Secure Routerboot does not protect the hardware at all. It only protects the configuration.
Currently true, but we will implement a specific second interval for the reset, so that it will be impossible to reset, unless you know that it is triggered between the 85th and 90th second

So, you have to know the number within a 5 second range? Up to 300 seconds, divided by 5 = 60. So, worst case scenario is that someone could reset it with 60 tries, and most likely within 30 tries.

pe1chl · Fri Oct 14, 2016 7:44 pm

Of course it would cost several hours to try all those options. When someone is that persistent, just give him the router.

jandafields · Fri Oct 14, 2016 8:50 pm

A few hours does not equal "impossible".

Some people spend a few hours setting up the router anyway.

Fri Oct 14, 2016 10:07 pm

My philosophy has always been: "physical access = root"

Sat Oct 15, 2016 3:41 pm

Who really suffers by devices being regularly stolen? I have not ever heard of it.

jandafields · Sat Oct 15, 2016 4:25 pm

Who really suffers by devices being regularly stolen? I have not ever heard of it.

Maybe not stolen, but reused by a competitor... giving the competitor an advantage because they don't have to provide one.

Anyway, the point is that this "Secure Routerboot" feature should be advertised as a configuration protector only, which is seems to be very good at, instead of also a hardware protector, which is currently very easy to reset and in the future will just take longer.

pe1chl · Sat Oct 15, 2016 5:46 pm

Maybe not stolen, but reused by a competitor... giving the competitor an advantage because they don't have to provide one.

That will probably be not a professional competitor, but merely a bunch of hobbyists.
I cannot think of a professional company making a living providing service using left-over routers of competitors and resetting
and re-configuring them (or having their clients do that).
How do you ever want to support such a network?
When you don't want that to happen, provide your routers only on loan with obligation to return them at end of subscription
so you can exercise that right when there appears to be something going on.

likid · Sun Oct 16, 2016 6:46 am

OpenVPN LZO compression
OpenVPN TLS-Auth

veso266 · Sun Oct 16, 2016 9:25 pm

Udpxy to relay multicast to unicast for IPTV: http://www.udpxy.com/index-en.html

Adam84 · Wed Oct 19, 2016 1:51 pm

DHCP Lease assignment based only on partial MAC (i.e. only on OUI) / hostname / received DHCP Option 82 Info (this one is the most important).
IPsec Virtual Interface (that would allow routing to other networks through tunnel)
DNS records based on zones

NGL · Sat Oct 22, 2016 2:17 am

I am in desperate need of ISIS... specifically Shortest Path Bridging (SPB)
Or some way to Dynamically route Large TE tunnels down multiple smaller ones.

Here is our problem. We are a WISP and we run MPLS and TE tunnels between sites. We use multiple connections between sites and utilize them with TE tunnels. The problem is that it does not balance well when the sites are needing lots of bandwidth and have many smaller connections. Here is an example.

Lets say site A has 4 connections to it:
1gb path 2 hops
100mb path 2 hops
100mb path 3 hops
200mb path 4 hops
Site A uses 350mbps and it is reserved in the TE tunnel. Great all is working well... until something happens to the 1gb link and it goes down.
When the 1 gb connection goes down the TE tunnel will fail and all of the traffic will then go down the 100mb 2 hops path. the other 2 links will not be used at all and the site will be crippled by lack of bandwidth. It has the bandwidth available but no way to use it.

Option 1: have some way to dynamically route Large TE tunnels down multiple smaller ones.

Option 2: Use multiple TE tunnels using BGP signaled VPLS and throw them all into a bridge that has ISIS and Shortest Path Bridging (SPB) breaks traffic up to allow multiple paths to the same site.

Option 3 (current option) Use multiple TE tunnels using BGP signaled VPLS and throw them all into a bonded interface. write a script that monitors the interface and add back changed VPLS interfaces. They are all dynamically made so when something changes they break out of the bonded interface. Then add the bonded interface into a bridge. You may need to add Nx addresses on both sides to use the fail detection on the interfaces in the bonding to make sure traffic doesn't go down a dead interface. then add another custom script to move the IP addresses to follow the dynamically created interfaces to ensure correct fail over....

Option 3 is not cool.
We really need option 1 or 2

troffasky · Sun Oct 23, 2016 12:59 am

There is this small, not-well-known but very useful tool called "etckeeper" for Linux, which automatically commits all changes you do on your configuration to the version-control-system of your choice (git, svn...). An implementation of that for MikroTik would be interesting

I suggest you look at RANCID, it does what you've described. Works for me, as well as with much other network equipment.

gt4a · Tue Oct 25, 2016 6:55 am

1. single ssid for 2.4G & 5G.
users don't have to chose 2.4g or 5g, ap will automatically assign best freqs for client. APs from Ruijie network(China based) have this feature. and some openwrt based firmware can.
2. better Active directory IAS compatibility.
radius+ias, some clients(laptop) can connect but some can't not. but all of them can connect to cisco ap(ms ad/radius).

Tue Oct 25, 2016 7:46 am

It was always possible to use the same ssid for different wlans.

netflow · Sat Oct 29, 2016 1:01 pm

+1 for IGMP snooping support.
Much needed for IPTV in Russia!
Don't we already have IGMP support?
Just over the weekend I managed to configure IPTV box with IGMP proxy, and 2 firewall rules (one to allow IGMP, another to allow UDP to specific subnets used by my provider)
Can you post the exact rules? Yes, we do have IGMP proxy and it should be enough in most cases. Some people refuse to try it, so a complete example would be nice, to make it easier.

I have IGMP proxy and still feel the need of IGMP snooping to reduce network bandwidth efficiently and simplify configuration.
My intended setup:
- IGMP Proxy from WAN to LAN and L2TP interface
- Where LAN is defined as bridge between ETH and WLAN

Problems:
- WLAN is polluted once an ETH interface register for UDP streaming
- All physical ETH interfaces linked to the same internal switch are also polluted

Solution I had to use because of lack of IGMP snooping:
- Remove bridge interface, introduce L3 routing between ETH and WLAN (by separating subnet)
- Remove link between ETH interfaces and introduce L3 routing (which as consequence reduce transfer speed between cable computers) or accept network broadcast pollution or use an external switch with IGMP snooping

So OK we can work around and understand it cannot be added to v6.x but since v7 is a rearchitecturing, I think it is completely legitimate to request to add it to the toolbox for those who want/need.

pe1chl · Sat Oct 29, 2016 1:53 pm

It was always possible to use the same ssid for different wlans.

I think what is meant is the "trick" to have a much much longer beacon interval on 2.4 than on 5 GHz
so a client that randomly starts receiving is more likely to connect on 5 GHz when it is supported.
Without this, the majority of clients will connect on 2.4 even when they do support 5, until some
config at the client is changed to prefer 5. (it is usually default to prefer 2.4)
This cannot be done on MikroTik because you cannot configure the beacon interval.

rushlife · Tue Nov 01, 2016 12:18 pm

I wish standard bash ( or another command processor ) scripting interface.
Scripting in mikrotik and debugging scripts for mikrotik is horrible.
Sorry but it is just true. I spoken about that with many many colleagues and every single man have this wish for new mikrotik. Please, please consider this. Please.

pe1chl · Tue Nov 01, 2016 5:02 pm

I wish standard bash ( or another command processor ) scripting interface.
Scripting in mikrotik and debugging scripts for mikrotik is horrible.
Sorry but it is just true. I spoken about that with many many colleagues and every single man have this wish for new mikrotik. Please, please consider this. Please.

I think you have chosen the wrong OS. When you want bash scripting and other open access to the Linux system, you should install OpenWRT or another compact Linux system.
In some MikroTik routers you can even do that as a Virtual Machine running under RouterOS.
The RouterOS system is designed to be a closed layer on top of Linux that guards you from direct system access.

lukoramu · Wed Nov 02, 2016 10:27 am

Interactive command-line packet sniffer, which would print packet headers immediately and without any 'paging'.

Just like tcpdump. For example:

/tool tcpdump interface=ether1 protocol=!udp src=192.168.1.0/24
10:23:49.941810 IP 192.168.1.171.4000 > 192.168.1.240.3565: Flags [P.], seq 35055931:35055951, ack 933641181, win 8192, length 20
...

hzsolt94 · Mon Nov 07, 2016 11:47 pm

We need a lot of IPv6 features to be able to use it instead of IPv4. Just some examples:

- Working DHCPv6 server for single adresses,
- DHCPv6 with custom addressing schemes, to workaround device IPv6 limitations (Give out adresses based on MAC, give out EUI-like addresses, etc.)
- DHCPv6 DNS advertiesment support
- RA DNS extensions
- NAT66 (Needed for special things like hotspots, DNS-spoofing, captive portals)
- IPv6 policy-routing
- OpenVPN over IPv6 and OpenVPN with IPv6 inside
- IPv6 Layer7 filtering

Also there's the need for IPv6 address local-part matching in firewall rules. I frequently want to allow connections to one specific device, however as the dynamic prefix changed by the provider, the address of that devices is changed. This means there can't be exceptions based on full IPv6 addresses. (There is a dirty workaround with dydns and IPv6 address-lists but ...) The clean solution would be to match the lover bits of an address, something like "inverted /64 or /48 subnet matching".

ceesco53 · Wed Nov 09, 2016 8:13 pm

BGP4-MIB. Please and thank you.

jspool · Thu Nov 10, 2016 6:22 am

IKEv2 for IPSec

+1 This is so needed in the industry. Mikrotik would dominate the always on VPN for mobile devices if they had a VPN that fully supported IKEv2.

Thu Nov 10, 2016 9:49 am

IKEv2 for IPSec
+1 This is so needed in the industry. Mikrotik would dominate the always on VPN for mobile devices if they had a VPN that fully supported IKEv2.

FYI IKEv2 was just added to 6.38 Release Candidates. See http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth for config info.

Thu Nov 10, 2016 9:53 am

IKEv2 for IPSec
+1 This is so needed in the industry. Mikrotik would dominate the always on VPN for mobile devices if they had a VPN that fully supported IKEv2.

Check the changelo of latest rc.
http://forum.mikrotik.com/viewtopic.php ... 00#p566926

jspool · Thu Nov 10, 2016 10:03 am

IKEv2 for IPSec
+1 This is so needed in the industry. Mikrotik would dominate the always on VPN for mobile devices if they had a VPN that fully supported IKEv2.
Check the changelo of latest rc.
http://forum.mikrotik.com/viewtopic.php ... 00#p566926

Great news! I look forward to a stable version that we can offer to customers.

Florian · Thu Nov 17, 2016 12:47 pm

Hi !

I would love a equivalent of "llprio" found in OpenBSD6.

"In ifconfig, add the "llprio" parameter to set the priority of packets that do not go through pf."

I believe it would be a way to interact with raw sockets packets. (In my own case, I need to put priority on DHCP packets, which can't be done right now...)

Thx

jrandombob · Fri Jan 06, 2017 3:25 pm

- Working DHCPv6 server for single adresses,
...
- DHCPv6 DNS advertiesment support

+1 on both of these, I was toying with the idea of switching my wireless infrastructure over to MikroTik, but until there's a DHCPv6 server which does host addressing I'll be putting that on the back-burner.

hurymak · Wed Jan 25, 2017 1:14 pm

No, Secure Routerboot does not protect the hardware at all. It only protects the configuration.
Currently true, but we will implement a specific second interval for the reset, so that it will be impossible to reset, unless you know that it is triggered between the 85th and 90th second

when this option will be implemented?

Alwest · Sun Jan 29, 2017 4:31 pm

DHCP Lease assignment based on received DHCP Option 82 Info (this one is the most important)

+1
must have!
I believe in Mikrotik)

umount · Tue Jan 31, 2017 2:56 am

Force sending of DHCP options to clients

buraglio · Sun Feb 19, 2017 4:00 am

IS-IS would be amazing. The ability to manage more than one routed protocol inside a single routing protocol that does not rely on the protocol it is routing for communication seems like a self evident great idea to me - but i don't have to code it and I get that building ISO/CLNS likely isn't straightforward. Nevertheless, it would significantly change the simplicity of any medium to large sized routed network. Managing OSPF2/3 pretty much stinks as a general rule and does not scale to large sizes like IS-IS does.
Segment routing via IS-IS TLV would be even more amazing. SR is a game changer - but it's dependent on the TLV or IPv6 implementation to function.

nb

I am in desperate need of ISIS... specifically Shortest Path Bridging (SPB)
Or some way to Dynamically route Large TE tunnels down multiple smaller ones.

Here is our problem. We are a WISP and we run MPLS and TE tunnels between sites. We use multiple connections between sites and utilize them with TE tunnels. The problem is that it does not balance well when the sites are needing lots of bandwidth and have many smaller connections. Here is an example.

Lets say site A has 4 connections to it:
1gb path 2 hops
100mb path 2 hops
100mb path 3 hops
200mb path 4 hops
Site A uses 350mbps and it is reserved in the TE tunnel. Great all is working well... until something happens to the 1gb link and it goes down.
When the 1 gb connection goes down the TE tunnel will fail and all of the traffic will then go down the 100mb 2 hops path. the other 2 links will not be used at all and the site will be crippled by lack of bandwidth. It has the bandwidth available but no way to use it.

Option 1: have some way to dynamically route Large TE tunnels down multiple smaller ones.

Option 2: Use multiple TE tunnels using BGP signaled VPLS and throw them all into a bridge that has ISIS and Shortest Path Bridging (SPB) breaks traffic up to allow multiple paths to the same site.

Option 3 (current option) Use multiple TE tunnels using BGP signaled VPLS and throw them all into a bonded interface. write a script that monitors the interface and add back changed VPLS interfaces. They are all dynamically made so when something changes they break out of the bonded interface. Then add the bonded interface into a bridge. You may need to add Nx addresses on both sides to use the fail detection on the interfaces in the bonding to make sure traffic doesn't go down a dead interface. then add another custom script to move the IP addresses to follow the dynamically created interfaces to ensure correct fail over....

Option 3 is not cool.
We really need option 1 or 2

lukoramu · Fri Mar 17, 2017 3:45 pm

It would be very usefull to have "add to set" and "remove from set" operators in RouterOS commands, on those attributes, which contain some set of elements, i.e., ports:

/interface ethernet switch vlan set [find vlan-id=10] ports+=ether1
/interface ethernet switch vlan set [find vlan-id=11] ports-=ether3,ether4

The attribute "ports" is a set (a data structure) in this example, and operators "+=" and "-=" are hypothetical operators, which adds and removes elements to/from the set "ports". In mathematical terms - union and complement operations. Maybe event an "intersection" operator would be usefull in some cases

Or is it already possible to do such operations? (I don't know RouterOS scripting yet..)

lukoramu · Fri Mar 17, 2017 4:16 pm

Or even better - replace every "ports" and "tagged-ports" attribute (at least under "/interface ethernet switch") with a list of vlan-port associations in separate submenu (in style of "bridge ports", where you can use "add" and "remove" commands on every bridge-port association).

campa4bt · Mon Mar 20, 2017 3:06 pm

For me it is important to obtain a consolidate multi platform VPN:

- For example introducing the IKEv2

But it will be interesting, if is possible, to realize a multiplatform client, or web based VPN client to realize VPN Tunnels over 443 https port from different devices. It will be use SSTP existing Server or something similar.

Exists a roadmap on VPN evolutions on this way?

Thanks a lot for your work.

juliokato · Mon Mar 20, 2017 3:31 pm

Force sending of DHCP options to clients

+1

juliokato · Mon Mar 20, 2017 3:40 pm

DHCP Lease assignment based on received DHCP Option 82 Info (this one is the most important)
+1
must have!
I believe in Mikrotik)

+1
Although I believe it is not the best solution on the routerboard.
I already a solution that generates reports and historical of all DHCP requests based on option 82. (something that MT will not do).
Btw will be something to be evaluated.

juliokato · Mon Mar 20, 2017 11:47 pm

Automatic Import

In RouterOS it is possible to automatically execute scripts - your script file has to be named anything.auto.rsc - once this file is uploaded using FTP to the router, it will automatically be executed, just like with the '/import' command. This method only works with FTP.

Once the file is uploaded, it is automatically executed. Information about the success of the commands that were executed is written to anything.auto.log

source: https://wiki.mikrotik.com/wiki/Manual:C ... tic_Import

Suggestion for Mikrotik: could migrate the automatic import also to sftp or scp uploads and downloads . (auto execute files *.auto.rsc from anywhere)

juliokato · Mon Mar 20, 2017 11:54 pm

How to reset counter interfaces LTE or PPP-Client.

I has find for interfaces ethernet, but not for the LTE nor PPP....

The only way i can do this at the moment is to reboot the mikrotik device...

buraglio · Thu Apr 06, 2017 11:32 pm

Another potentially easier option for implementing segment routing would be to implement IPv6-SR (and the SRH). I'd personally rather have IS-IS because I believe it is a significantly better protocol, but implementation if SRH would likely be easier since there is already an IPv6 stack and public code exists to extend the protocol.

IS-IS would be amazing. The ability to manage more than one routed protocol inside a single routing protocol that does not rely on the protocol it is routing for communication seems like a self evident great idea to me - but i don't have to code it and I get that building ISO/CLNS likely isn't straightforward. Nevertheless, it would significantly change the simplicity of any medium to large sized routed network. Managing OSPF2/3 pretty much stinks as a general rule and does not scale to large sizes like IS-IS does.
Segment routing via IS-IS TLV would be even more amazing. SR is a game changer - but it's dependent on the TLV or IPv6 implementation to function.

nb

I am in desperate need of ISIS... specifically Shortest Path Bridging (SPB)
Or some way to Dynamically route Large TE tunnels down multiple smaller ones.

Here is our problem. We are a WISP and we run MPLS and TE tunnels between sites. We use multiple connections between sites and utilize them with TE tunnels. The problem is that it does not balance well when the sites are needing lots of bandwidth and have many smaller connections. Here is an example.

Lets say site A has 4 connections to it:
1gb path 2 hops
100mb path 2 hops
100mb path 3 hops
200mb path 4 hops
Site A uses 350mbps and it is reserved in the TE tunnel. Great all is working well... until something happens to the 1gb link and it goes down.
When the 1 gb connection goes down the TE tunnel will fail and all of the traffic will then go down the 100mb 2 hops path. the other 2 links will not be used at all and the site will be crippled by lack of bandwidth. It has the bandwidth available but no way to use it.

Option 1: have some way to dynamically route Large TE tunnels down multiple smaller ones.

Option 2: Use multiple TE tunnels using BGP signaled VPLS and throw them all into a bridge that has ISIS and Shortest Path Bridging (SPB) breaks traffic up to allow multiple paths to the same site.

Option 3 (current option) Use multiple TE tunnels using BGP signaled VPLS and throw them all into a bonded interface. write a script that monitors the interface and add back changed VPLS interfaces. They are all dynamically made so when something changes they break out of the bonded interface. Then add the bonded interface into a bridge. You may need to add Nx addresses on both sides to use the fail detection on the interfaces in the bonding to make sure traffic doesn't go down a dead interface. then add another custom script to move the IP addresses to follow the dynamically created interfaces to ensure correct fail over....

Option 3 is not cool.
We really need option 1 or 2

chaplin · Thu May 11, 2017 4:34 pm

Allow header modification.
curl -H

gmiller01 · Mon May 22, 2017 3:58 pm

MAC address vendor in IP scan results, like https://macvendors.com/
Telnet to other port than 23 (testing if a port is alive)

Mon May 22, 2017 4:12 pm

Telnet to other port than 23 (testing if a port is alive)

Already possible
/system telnet address=1.1.1.1 port=222

htdbnbj · Thu Sep 07, 2017 2:57 pm

Looking forward to up to date NIC support in v7 x86 and with 64Bit.
ROS x86 looking very dated at the moment and working around it with a VM solution is not the answer when all one wants is a bare hardware solution.

pe1chl · Thu Sep 07, 2017 3:19 pm

[*]MAC address vendor in IP scan results, like https://macvendors.com/

The file for that is rather large, 600K for the file used by nmap, 1300K for the file used by wireshark.
Maybe it could be done in an optional package.

[*]Telnet to other port than 23 (testing if a port is alive)

Already possible:
/system telnet 1.2.3.4 port=80

gmiller01 · Fri Sep 22, 2017 12:26 pm

[*]MAC address vendor in IP scan results, like https://macvendors.com/
The file for that is rather large, 600K for the file used by nmap, 1300K for the file used by wireshark.
Maybe it could be done in an optional package.
[*]Telnet to other port than 23 (testing if a port is alive)
Already possible:
/system telnet 1.2.3.4 port=80

Thank you

AnupamPradhan · Mon Oct 02, 2017 8:23 pm

Hi All,

I have seen lots of post and hell lot of documents available on web for PCC load balancing. But all these documents dont have the one click deployment solution. I mean its great to learn something new but sometimes GUI with one click solution is better for a production environment.

I have seen Mikrotik team has done a tremendous job in developing the ROS. But still, as I believe and I am sure there are lots like me believes that this WAN load balancing is still missing from ROS.

@Normis - I have used Tplink TL-R470T+ for the same purpose. So simple and easy. If they can do it I think its not very big deal for Mikrotik team.

pe1chl · Mon Oct 02, 2017 8:59 pm

I have seen lots of post and hell lot of documents available on web for PCC load balancing. But all these documents dont have the one click deployment solution. I mean its great to learn something new but sometimes GUI with one click solution is better for a production environment.

I have seen Mikrotik team has done a tremendous job in developing the ROS. But still, as I believe and I am sure there are lots like me believes that this WAN load balancing is still missing from ROS.

In general the MikroTik solution is not for those that want "one click solutions". The advantage is that with MikroTik you have a lot more flexibility, the disadvantage is that it requires some insight and experience from you (although in the case of PCC there are ready-to-use examples for the simple case of two equal internet connections).
When you don't have insight and experience and you have no interest in obtaining it, MikroTik may not be for you.
Please don't try to convince MikroTik that they should turn RouterOS into a one-click-system because it will remove the flexibility that the other users require.

lalo86 · Tue Oct 03, 2017 1:25 pm

Please consider implementing ShadowSocks Client/Server with chacha20 encryption.
It's so bad to use metarouter with OpenWRT or dedicated OpenWRT hardware just beacause RouterOS doesnt have it.

Thanks

erebusodora · Fri Oct 13, 2017 12:32 pm

I will be very glad if there is a tool for cutting the current screen of winbox. Also, if something (text) is copied from the terminal to the colors for greater convenience when looking for a setting. Also have and chat system between two routerboard systems or between two administratos in winbox

shahbazian · Mon Jul 16, 2018 11:52 pm

Implement NAT64 described in RFC6146 https://tools.ietf.org/html/rfc6146 + DNS64

Also, 6RD.
6RD very useful for rapidly deployment of IPv6 in ISPs; some of xDSL modems support 6RD now.

campa4bt · Tue Jul 24, 2018 3:30 pm

Cloud Centralized Manager

giguard · Mon Oct 08, 2018 6:05 am

Hi,
I would like to request for radius accounting support on IKE2.
Right now it is only supporting access request.

May be this goes without saying but just in case, rate-limit attribute support is necessary also.
As far as rate-limit is concern, it is now being discarded by the RouterOS.

Lastly, thank you guys/gals, your work is appreciated.

nopain1573 · Mon Oct 08, 2018 6:45 am

shadowsocks built in please。

TerAnYu · Wed Oct 10, 2018 8:04 am

There is a strong wish to see function similar Dynamic Multipoint VPN (DMVPN)

chakphanu · Thu Oct 11, 2018 10:03 am

JWT Token: Hotspot without local user or radius.

1.MT install public key or use JWK/JWKS method.
2.when client login via external auth server and send callback token to MT: http(s)://local.hotspot.mt/token=jwt.token.signature.
3.MT using public key to verify jwt token.
4.MT do login with parameter in jwt, without require local user or external radius.
example jwt parameter:
{
"jti": "uuid-xxxx-xxx-xxx",
"iss": "https://auth.provider.com/",
"exp": 1460046123,
"User-Name": "username@realm.com",
"Mikrotik-Rate-Limit": "1M/2M",
"Session-Timeout": 3600
}

estas · Mon Nov 05, 2018 4:28 pm

Please, add UDPXY for IPTV stream relay!

hairfarmer · Sun Nov 25, 2018 1:26 am

mDNS server for Chromecast/Bonjour/ZeroConfig across VLANs.

WiFi networks are too big to have all the available devices all bridged to the LAN.

Would be nice to then firewall what devices are discoverable.

muetzekoeln · Mon Nov 26, 2018 2:29 pm

Locator Id Separation (LISP) support

RFC6830-6836, please!

RackKing · Tue Dec 04, 2018 2:23 pm

mDNS server for Chromecast/Bonjour/ZeroConfig across VLANs.

WiFi networks are too big to have all the available devices all bridged to the LAN.

Would be nice to then firewall what devices are discoverable.

m2

lygstate · Wed May 01, 2019 9:13 pm

I hope full SwOS function are merged into RouterOS

mkx · Thu May 02, 2019 10:42 am

I hope full SwOS function are merged into RouterOS

Which functionality can you enable/configure in SwOS that can not be done in ROS?

mada3k · Mon May 06, 2019 8:15 pm

mDNS proxy is very useful, both home and medium-enterprise.

arily · Fri May 17, 2019 1:47 pm

IPv6 policy routing
IPv6 multiple routing table
IPv6 accounting
Address list subscription

eliemacho · Wed Jun 12, 2019 2:28 am

cant really understand why does PCC require us to mark the connection of the incoming WAN interfaces with the same mark of the incoming LOCAL interface
knowing that the routing mark will take the decision at the where to route the packets to the outside world
like using the "WAN1" & "WAN2" for example as connection mark names for the incoming WANs and using the same connection mark names for the incoming LOCAL and then mark the route for each WAN interface
whats the reason behind having the same cnx mark name of the in WAN and in LOCAL

any clarification whats the relation between them and how does this feature work, CZ as for me i could mark the in LOCAL with a routing mark (using of course the pcc feature 2/0';2/1 for ex) and route every connection being made from the LOCAL to the outside with the specific gateway associated with that routing mark WITHOUT going into routing the output traffic of the router interfaces with a cnx mark of there each WAN etc...

Sob · Fri Jun 14, 2019 2:55 am

1) You posted in wrong thread

2) I'm not sure if I'm getting the part about same names, but no such requirement exists. In some cases, it should be possible to skip connection marking completely, but it would only work if you'd have outgoing connections only, no incoming. And even then marking connections first should be more efficient, because connection tracking happens anyway and just checking mark should take less work than doing PCC computing for each packet.

rene72 · Tue Jun 18, 2019 8:29 pm

A solution like ha proxy in router os v7 would be usefull I like to run multiple ssl sites behind my mikrotik router on 1 public ip and lets encrypt support to automaticly secure them with ssl

rupeshkafle · Wed Jul 24, 2019 1:24 pm

Is there any timeline for IPv6 route marking? or Is it still impossible to implement on routeros6 due to kernel limitations?

mkx · Wed Jul 24, 2019 2:07 pm

A solution like ha proxy in router os v7 would be usefull I like to run multiple ssl sites behind my mikrotik router on 1 public ip and lets encrypt support to automaticly secure them with ssl

The only sensible part of this wish is "letsencrypt support for SSL certificates" ...

If you're running multiple (SSL) sites behind your mikrotik, you can easily use one of those servers to run reverse proxy (haproxy functionality you requested above is essentially this) on it ... PC hardware is much better suited to run such service than average xMIPS/ARM deployed in RBs. Not to mention additional RAM needed by this functionality (it needs to keep list of active connections if load-ballancing functionality of haproxy is used). Plus all encryption/decryption (not sure if that can/will be offloaded to HW on units that have such hardware).

pe1chl · Wed Jul 24, 2019 2:33 pm

PC hardware is much better suited to run such service than average xMIPS/ARM deployed in RBs. Not to mention additional RAM needed by this functionality (it needs to keep list of active connections if load-ballancing functionality of haproxy is used). Plus all encryption/decryption (not sure if that can/will be offloaded to HW on units that have such hardware).

While I did not make this request and do not need such functions, I would say that my CCR routers have so much CPU, crypto accel and RAM capacity that is sitting unused that it would certainly be worth it to load them with something like this, e.g. when the webserver itself gets a little overloaded by the crypto.

mkx · Wed Jul 24, 2019 4:46 pm

I'd say that such an expensive hardware (as CCRs are) sitting idle at some cheap enterprise, is a rare species which doesn't warrant developing new functionality. I mean ... having idle CCR costing anywhere between 425€ and 3000€, but saving some 1000€ by not buying a modest x86_64 server which would handle things much better ...

I think devs' time would be better used when implementing full feature set for IPv6 ... for example.

pe1chl · Wed Jul 24, 2019 5:33 pm

I'd say that such an expensive hardware (as CCRs are)

Apparently we have different definition of expensive... I think our CCR1009's are quite cheap.

I think devs' time would be better used when implementing full feature set for IPv6 ... for example.

I agree with that! But talking to MikroTIk staff it became clear to me that nothing is to be expected in that department.
Apparently most of their customers are not interested in IPv6.

mkx · Wed Jul 24, 2019 10:06 pm

I'd say that such an expensive hardware (as CCRs are)
Apparently we have different definition of expensive... I think our CCR1009's are quite cheap.

Perhaps not ... but we might have different perspectives. Me, for example, I associate CCRs with decent LAN size which deserves some dedicated boxes to do some things ... such as dedicated server for http/https and in this case CCR should do routing and firewalling. On the other hand I expect to see budget hardware (hEX/hAP) to do stuff where it is sensible to join different tasks on small number of devices.

OTOH I'm quite used to use ICT gear vith price tags ranging from 0 to a few million €uros. (I'm not saying that's their value

)

pe1chl · Thu Jul 25, 2019 12:04 am

I was thinking more in terms of an inexpensive SSL accellerator/loadbalancer that could also perform some other functions like routing and firewalling.
Not that I need one, but maybe some people do.

ingdaka · Thu Jul 25, 2019 12:45 am

+1 for BGP4-MIB (RFC 4273)

Gesuino · Fri Jul 26, 2019 9:11 pm

Hi please improve dude settings from cli, i love routeros scripting language. I need some instrument for auto adding devices to graphical map, in routeros style like: /dude network-maps rescan "home" that can be triggered by scripts;
/dude device add name=" " ip-address=" " type=" .... to-map="home" <-And device added can be showed in dude graphical client relative map.

Thanks

aneroid · Tue Sep 10, 2019 3:40 pm

mDNS server for Chromecast/Bonjour/ZeroConfig across VLANs.

WiFi networks are too big to have all the available devices all bridged to the LAN.

Would be nice to then firewall what devices are discoverable.
m2

also here ... for securing IoT over VLANs, etc.

kiler129 · Mon Sep 23, 2019 3:22 am

I hit the mDNS problem again in an enterprise setting. You know how funny it is to explain that we need a small VM just to run Avahi reflector? It got even more awkward when someone in the meeting mentioned that both Cisco and Ubiquity can do that.

Really, the mDNS/Zeroconf/Bonjour is really needed. While originally it was just merely a helpful gadget in the Apple ecosystem it's no longer the case. Back in the days there was always a manual option to connect to a device - nowadays it's simply not possible in many scenarios. Chromecasts and AppleTVs are used across the industry in conference rooms and currently it's not possible to put them into isolation since mDNS will not cross the subnets.

nithinkumar2000 · Mon Sep 23, 2019 7:58 am

It would be really great if Mikrotik v7.x can include walled-garden like feature for PPPOE also just Like Cisco's.
Because PPPOE with radius create lots of hits when user is suspended of Terminated....

Thanks

nithinkumar2000 · Mon Oct 28, 2019 7:16 pm

Dear Mikrotik Team,

Please Include the following features in Mikrotik ROS v7.x

1. DHCPv6 Server
2. Accounting for IPv6 and Radius Parameters (Most Important Requirement for ISP's)
3. Walled Garden Service for PPPOE to prevent unnecessary hits from users. (Just like feature in Cisco Routers).
4. IPv6 Hotspot Service (Optional).
5. IPv6 NAT Service

Looking forward to your valuable response.

Regards
Nithin Kumar

deanMKD1 · Mon Oct 28, 2019 8:18 pm

Monthly traffic per interface. Dont tell me about graphing. Its not fine for me.

nithinkumar2000 · Mon Nov 18, 2019 11:42 am

Please Include Traget= interface-list in Simple Queues.

Thanks in Advance

Mon Nov 18, 2019 1:24 pm

MAC list ...

nithinkumar2000 · Sun Jul 05, 2020 9:07 pm

Please add the IPv6 Radius accounting. All ISP are looking for the same from very long time.

ISP's are unable to deploy the IPv6 due to No Radius Accounting for IPv6 and it is really SAD

that Mikrotik team is not taking any actions towards this issue.

Mikrotik is being used by Many ISP's across the world and yes we love ROS and Features but it feels bad that other brands like CISCO, Huwai, Juniper are IPv6 Ready but Majorities who are using Mikrotik are still not ready to deploy IPv6 because it still lags features.

Expecting the Feature at the earliest.

anuser · Mon Jul 06, 2020 5:11 pm

Feature request for wireless: "airtime fairness": fair-accese / To allocate Airtime evenly across all the clients.

Jotne · Tue Jul 07, 2020 12:50 pm

Monthly traffic per interface. Dont tell me about graphing. Its not fine for me.

Log interface traffic counter to a syslog server. There you can see it number or you can graph it if you like.
See link in my signature on how to set up Splunk (syslog server) to log MikroTik Routers.

pe1chl · Tue Jul 07, 2020 12:57 pm

Monthly traffic per interface. Dont tell me about graphing. Its not fine for me.
Log interface traffic counter to a syslog server. There you can see it number or you can graph it if you like.
See link in my signature on how to set up Splunk (syslog server) to log MikroTik Routers.

It may be that he has one of those ISPs that have "limited bundle of traffic". Some other routers offer an option
to set a "day of the month when bundle starts" and it will count traffic and reset it on that date. It may also offer
an alert when the accumulated traffic exceeds some set limit.
It is a feature in the "detect internet" and "kid control" class: people want this because others offer it, and it
is convenient in their home setting. They do not want to setup a syslog analyzer for that.

buraglio · Wed Jul 08, 2020 2:55 am

I'd say that such an expensive hardware (as CCRs are)
Apparently we have different definition of expensive... I think our CCR1009's are quite cheap.

I think devs' time would be better used when implementing full feature set for IPv6 ... for example.
I agree with that! But talking to MikroTIk staff it became clear to me that nothing is to be expected in that department.
Apparently most of their customers are not interested in IPv6.

This is the conundrum of IPv6 - the "no one is asking for it" line is the weakest excuse for not deploying IPv6. 99.999% of customers won't ask for it, nor should they. If it is done correctly they'll never even notice they are using it. Operators don't deploy it because vendor implementations are incomplete. IPv6 deployment is quite profound in mobile and smartgrid networks, and (at least in the US), nearly all major providers offer it (Comcast, ATT, Spectrum, etc.) and the content has been there for years. If Mikrotik would implement feature parity with IPv4 then the bar is further lowered.
If we put even 1/8 of the effort into doing v6 as we did painting over the rusty carcas of ipv4 we would have been done a decade ago. Come on, Mikrotik, this is fundamental stuff.

nb

nithinkumar2000 · Wed Jul 08, 2020 7:01 am

I'd say that such an expensive hardware (as CCRs are)
Apparently we have different definition of expensive... I think our CCR1009's are quite cheap.

I think devs' time would be better used when implementing full feature set for IPv6 ... for example.
I agree with that! But talking to MikroTIk staff it became clear to me that nothing is to be expected in that department.
Apparently most of their customers are not interested in IPv6.
This is the conundrum of IPv6 - the "no one is asking for it" line is the weakest excuse for not deploying IPv6. 99.999% of customers won't ask for it, nor should they. If it is done correctly they'll never even notice they are using it. Operators don't deploy it because vendor implementations are incomplete. IPv6 deployment is quite profound in mobile and smartgrid networks, and (at least in the US), nearly all major providers offer it (Comcast, ATT, Spectrum, etc.) and the content has been there for years. If Mikrotik would implement feature parity with IPv4 then the bar is further lowered.
If we put even 1/8 of the effort into doing v6 as we did painting over the rusty carcas of ipv4 we would have been done a decade ago. Come on, Mikrotik, this is fundamental stuff.

nb

Yes i agree with you. There is no major concentration to IPv6 Modules from Mikrotik Team.

Come On Mikroitk Team Please add the support for Delegated IPv6 Prefix when using PPPOE Auth for RADIUS CLIENT

Atleast this much we can expect from Team Mikrotik right!

pe1chl · Wed Jul 08, 2020 12:14 pm

This is the conundrum of IPv6 - the "no one is asking for it" line is the weakest excuse for not deploying IPv6. 99.999% of customers won't ask for it, nor should they. If it is done correctly they'll never even notice they are using it.

That is probably the biggest problem in IPv6 adaptation! When you do it correctly, nobody notices it. When you make a mistake, people complain that things that
were working before now are no longer working. So the pre-calculated impact on the network is: "it can only cause problems".

With that situation, it is not so surprising that so many ISPs postpone it over and over again, and most of them are not asking for IPv6 features at MikroTik.
And of course, the major sales of MikroTik routers is triggered by what ISPs do and buy, not the end-user who has bought a single router and tries to config it.
With RouterOS v6, IPv6 is not even enabled by default. So people who do not explicitly try to use it, will never notice it is there.

Fortunately that has changed in v7, but now we still see a large disparity of functionality between IPv4 and IPv6 in RouterOS. Hopefully sometime people will wake
up and align that.

sep · Tue Nov 10, 2020 11:31 am

pre covid. when going to a conference, I counted more then 15 people asking a unnamed firewall vendor about ipv6... and every one of them got the answer that "nobody is asking about ipv6"... ; "Nobody is asking about ipv6" is just a silly excuse, many vendors simply do not want to hear the question.

of course, when the users are asking about ipv6, it is a bit late to start thinking about it from the vendor's side. most vendors are on the ipfv6 ball for years already. And mikrotik have rudimentary support. but they are so far behind the ball at this point that working with the quirks is not funny any more.

I have been a mikrotik and routeros user since the the first version 3.x And I really would want to continue using routeros in the future. But that means that mikrotik must have plans to be relevant in the future.

And the (my?) future consists mostly of ipv6-only networks. With some ipv4 bubbles connected with ipv6 tunnels or ipv4 as a service solutions.

We are migrating networks as quick as we can, and unfortunatly in each case that usually means replacing mikrotik. Running dual-stack is a last resort option, since it is more then 2x the work.

Mikrotik as an CPE desperately need RFC8585 support, it contains the common CPE solutions. most importantly NAT64, since that is so widespread already.
All of these have FOSS tools available, so they do not need to reinvent anything. But they do need to integrate them. with TR069 support, DNS64+NAT64 and CLATD mikrotik could be a CPE of choice for many isp's

Mikrotik as a DC/ISP use Need tools such as SIIT-DC and NAT64.
SIIT-DC allow you to provice services to ipv4 internet from an ipv6 only datasenter. DNS64+NAT64 allow ipv6 only hosts to reach ipv4 only services online.
integrating something like JOOL would solve this. ( https://www.jool.mx )

Those are my personal itches. but ipv6 feature parity should be mikrotik's endgoal.

NPTv6 is useful for a small niche as well. But if you have a network so important it need 2x isp's, you could probably send that email and ask one of the isp's for a PI space as well. with ipv6 PI space, announced by the isp's or announced via a privateAS bgp should be the default solution for a small multihomed network, since the address space is so abundant, getting PI space is an email or 2 away. and not the problem it was on ipv4.

pe1chl · Tue Nov 10, 2020 2:23 pm

But if you have a network so important it need 2x isp's, you could probably send that email and ask one of the isp's for a PI space as well. with ipv6 PI space, announced by the isp's or announced via a privateAS bgp should be the default solution for a small multihomed network, since the address space is so abundant, getting PI space is an email or 2 away. and not the problem it was on ipv4.

Do you have any experience with that in practice, or is it only a proposal?
Here we have two different ISPs connected, each with IPv4 and IPv6, we use load-balancing/failover techniques to distribute the traffic over the two lines for IPv4, but for IPv6 that
is not possible due to the lack of NAT/route marking.
Of course even when we had BGP announcement of a PI space, and had the providers advertise only default routes, we would still have no loadbalancing for outbound traffic,
but maybe some for inbound. It could be a solution.
But I think the ISPs would act quite surprised when I propose setting up such a thing. It would be nice when you have some RFC that describes the scenario and practices.
(this does not appear to be in the scope of RFC 8585)

magnavox · Tue Jun 15, 2021 6:47 pm

There is this small, not-well-known but very useful tool called "etckeeper" for Linux, which automatically commits all changes you do on your configuration to the version-control-system of your choice (git, svn...). An implementation of that for MikroTik would be interesting
I suggest you look at RANCID, it does what you've described. Works for me, as well as with much other network equipment.

Very interesting, can you share some details about Rancid and Mikrotik backup?

troffasky · Sat Jun 26, 2021 12:05 pm

RANCID is a heap of scripts, with different collector plugins for different target platforms. It logs in on a schedule, executes whatever the native equivalent of "/export compact", "show run", etc, is and stores the output in a version control backend. It can email you a diff of the config.

The "mtlogin" RANCID component takes ROS commands or scripts as an argument, so you can use this from your own scripts for making bulk changes, for example.

emunt6 · Sun Jun 27, 2021 3:28 am

1., High Availability (HA) (example: two or more router devices)
Stacking / Clustering - features:
> control-plane states sync ( example: NAT );
> configuration sync ( filesystem );
> upgrade/downgrade firmware ( cluster all members );
> all devices like a "single logical device" ( example: cisco VSS; hpe IRF );
> load-balancing / load-sharing ( master-master; master-slave; other )
2., Linux Namespaces for VRF (virtual routing and forwarding)
3., VRF route leaking with MP-BGP

nithinkumar2000 · Sat Jul 03, 2021 8:51 am

BGP option like Juniper "advertise-inactive".
+1

Sun Jul 18, 2021 4:00 pm

port list
mac-address list

altayr · Wed Feb 16, 2022 8:23 am

A solution like ha proxy in router os v7 would be usefull I like to run multiple ssl sites behind my mikrotik router on 1 public ip and lets encrypt support to automaticly secure them with ssl

+1

And I would mention that it would be enough to have port sense ability, like port forward port 80 to ip list, and use first available of them, and fail over to next available in case health check fails.
This time no need for full ha proxy implementation but only “smart” or “ha port forward” which requires only health check and dynamic port forward rule change.

digit · Fri Feb 18, 2022 4:20 pm

WIFI multiple PSK ACL with wildcard MAC.

Here Engenius description on that. Ruckus also have something similar and I think Meraki also do so...
https://www.engeniustech.com/mypsk-a-ne ... porations/

Here discussion about the issue on the forum
viewtopic.php?p=913911&hilit=dpsk#p913911

Basic idea is to have a single SSID and allow multiple PSK and assigned VLAN based on PSK used. That is use in hotel or nursing home application where device does not always play well with WPA2-Enterprise (RADIUS). Basic idea, each room have it's own PSK on a single SSID and VLAN are assign based on PSK used, so device on same "room" can communicate with each other. Alexa, ChromeCast, Tablet...

Right now wifi ACL allow for (almost) that, but MAC need to be know. Also a "wildcard" MAC is allowed, but only the first one is evaluated. Need to have multiple wildcard, if first failed, check the next...

This is working

/interface wireless access-list
add mac-address=01:01:01:01:01:01 private-pre-shared-key=testvlan1
add mac-address=02:02:02:02:02:02 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag

This is also working

/interface wireless access-list
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan1
add mac-address=02:02:02:02:02:02 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag

But this is not, and that is requiered

/interface wireless access-list
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan1
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag
/code]

pe1chl · Fri Feb 18, 2022 4:40 pm

You are aware that this feature is patented by Ruckus?

digit · Fri Feb 18, 2022 5:10 pm

You are aware that this feature is patented by Ruckus?

Damn... patent... that's why you can't have a toilet that flush properly or a saw that can saw without being over complicated these days...

EDIT:

Found that RUCKUS patent, I don't think it apply
This describe a connection to an open network first, then a PSK is dynamically generated and use for later communication.

https://patents.google.com/patent/US9226146B2/en

Proposed solution is to have multiple STATIC psk on a non open SSID where all PSK are evaluated and if one match, grant access.

Explain why current implementation where first wildcard is allowed is correct and check multiple wildcard infringe Ruckus patent ? Also note that Engenius, Cambium, Aerohive and Meraki have similar solution.

https://www.engeniustech.com/mypsk-a-ne ... porations/
https://community.cambiumnetworks.com/t ... keys/62609

excession · Fri Feb 18, 2022 7:45 pm

Other vendors have this feature.
Doesn’t seem like a patent issue if you don’t try and call it DPSK.

tx6376 · Sat Feb 19, 2022 2:40 pm

RTSP helper (alg)
Thanks.

digit · Thu Feb 24, 2022 12:09 am

route based ipsec vs policy based

ipsec with an interface, so we can do OSPF / BGP / Static routing on Interface without the need of L2 tunneling like GRE when connected to other brand router / Azure.

VTI or XFRM interfaces.

CTSsean · Tue Jul 04, 2023 5:22 pm

Plus 1 for this!

WIFI multiple PSK ACL with wildcard MAC.

Here Engenius description on that. Ruckus also have something similar and I think Meraki also do so...
https://www.engeniustech.com/mypsk-a-ne ... porations/

Here discussion about the issue on the forum
viewtopic.php?p=913911&hilit=dpsk#p913911

Basic idea is to have a single SSID and allow multiple PSK and assigned VLAN based on PSK used. That is use in hotel or nursing home application where device does not always play well with WPA2-Enterprise (RADIUS). Basic idea, each room have it's own PSK on a single SSID and VLAN are assign based on PSK used, so device on same "room" can communicate with each other. Alexa, ChromeCast, Tablet...

Right now wifi ACL allow for (almost) that, but MAC need to be know. Also a "wildcard" MAC is allowed, but only the first one is evaluated. Need to have multiple wildcard, if first failed, check the next...

This is working
Code: Select all
/interface wireless access-list
add mac-address=01:01:01:01:01:01 private-pre-shared-key=testvlan1
add mac-address=02:02:02:02:02:02 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag
This is also working
Code: Select all
/interface wireless access-list
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan1
add mac-address=02:02:02:02:02:02 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag
But this is not, and that is requiered
Code: Select all
/interface wireless access-list
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan1
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag
/code]
[/quote]

LaZyLion · Wed Jul 05, 2023 8:49 pm

Hi all

The Zerotier client allows adding static routes but only to the main routing table.
It would be nice to specify a different routing table on the Zerotier interface tab.

This would make handling marked routing-table traffic much easier as one could update routes en-mass from the Zerotier portal, rather than having to update routes manually in each router.

Thanks all.
Keep up the great work.