> There is this small, not-well-known but very useful tool called "etckeeper" for Linux, which automatically commits all changes you make to your configuration to the version-control system of your choice (git, svn...). An implementation of that for MikroTik would be interesting.
I suggest you look at RANCID, it does what you've described. Works for me, as well as with a lot of other network equipment.
>>>> +1 for IGMP snooping support.
>>> Don't we already have IGMP support?
>> Yes, we do have IGMP proxy and it should be enough in most cases. Some people refuse to try it, so a complete example would be nice, to make it easier.
> Can you post the exact rules?
I have IGMP proxy and still feel the need for IGMP snooping to reduce network bandwidth efficiently and simplify configuration.
Much needed for IPTV in Russia!
Just over the weekend I managed to configure an IPTV box with IGMP proxy and 2 firewall rules (one to allow IGMP, another to allow UDP to the specific subnets used by my provider).
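As an added example (not from any post in this thread) of the setup described above: the IGMP proxy plus the two firewall rules. The names ether1-wan and bridge-lan, the provider's stream-source range 10.0.0.0/8 and its group range 239.0.0.0/8 are assumptions; replace them with your provider's values.

```routeros
# Added example, not from the thread. Interface names and subnets are assumptions.
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
# Upstream = provider side. alternative-subnets covers stream sources that are
# not in the WAN interface's own subnet (assumed 10.0.0.0/8 here).
add interface=ether1-wan upstream=yes alternative-subnets=10.0.0.0/8 \
    comment="IPTV upstream (provider)"
# Downstream = where the IPTV box sends its IGMP membership reports.
add interface=bridge-lan comment="IPTV downstream (LAN)"
/ip firewall filter
# Rule 1: IGMP queries from the provider are addressed to the router itself,
# so they are matched in the input chain. Restricted to the WAN interface only.
add chain=input in-interface=ether1-wan protocol=igmp action=accept \
    comment="IGMP from IPTV provider" place-before=0
# Rule 2: the multicast streams are forwarded to the LAN. Restricted to the
# provider's group range (assumed 239.0.0.0/8) so no other inbound UDP is opened.
add chain=forward in-interface=ether1-wan protocol=udp dst-address=239.0.0.0/8 \
    action=accept comment="IPTV multicast streams" place-before=0
```

Both accept rules are placed before the default drop rules and match only on the WAN interface and the provider's multicast range, so they do not widen the input or forward policy beyond the IPTV traffic.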
> It was always possible to use the same SSID for different wlans.
I think what is meant is the "trick" to have a much, much longer beacon interval on 2.4 than on 5 GHz.
> I wish for a standard bash (or another command processor) scripting interface.
I think you have chosen the wrong OS. When you want bash scripting and other open access to the Linux system, you should install OpenWRT or another compact Linux system.

Scripting in MikroTik and debugging scripts for MikroTik is horrible.
Sorry, but it is just true. I have spoken about that with many, many colleagues and every single one has this wish for the new MikroTik. Please, please consider this. Please.
> IKEv2 for IPSec
+1 This is so needed in the industry. MikroTik would dominate the always-on VPN for mobile devices if they had a VPN that fully supported IKEv2.

> +1 This is so needed in the industry. [...]
FYI IKEv2 was just added to the 6.38 Release Candidates. See http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth for config info.

> +1 This is so needed in the industry. [...]
Check the changelog of the latest RC.

> Check the changelog of the latest RC.
Great news! I look forward to a stable version that we can offer to customers.
http://forum.mikrotik.com/viewtopic.php ... 00#p566926
> - Working DHCPv6 server for single addresses,
> ...
> - DHCPv6 DNS advertisement support
+1 on both of these. I was toying with the idea of switching my wireless infrastructure over to MikroTik, but until there's a DHCPv6 server which does host addressing I'll be putting that on the back-burner.
>> No, Secure Routerboot does not protect the hardware at all. It only protects the configuration.
> Currently true, but we will implement a specific second interval for the reset, so that it will be impossible to reset unless you know that it is triggered between the 85th and 90th second.
When will this option be implemented?
> DHCP lease assignment based on received DHCP Option 82 info (this one is the most important)
+1
I am in desperate need of IS-IS... specifically Shortest Path Bridging (SPB).
Or some way to dynamically route large TE tunnels down multiple smaller ones.
Here is our problem. We are a WISP and we run MPLS and TE tunnels between sites. We use multiple connections between sites and utilize them with TE tunnels. The problem is that it does not balance well when the sites need lots of bandwidth and have many smaller connections. Here is an example.
Let's say site A has 4 connections to it:
- 1 Gbps path, 2 hops
- 100 Mbps path, 2 hops
- 100 Mbps path, 3 hops
- 200 Mbps path, 4 hops
Site A uses 350 Mbps and it is reserved in the TE tunnel. Great, all is working well... until something happens to the 1 Gbps link and it goes down.
When the 1 Gbps connection goes down the TE tunnel will fail and all of the traffic will then go down the 100 Mbps 2-hop path. The other 2 links will not be used at all and the site will be crippled by lack of bandwidth. It has the bandwidth available but no way to use it.
Option 1: have some way to dynamically route large TE tunnels down multiple smaller ones.
Option 2: use multiple TE tunnels using BGP-signaled VPLS and throw them all into a bridge that has IS-IS and Shortest Path Bridging (SPB), which breaks traffic up to allow multiple paths to the same site.
Option 3 (current option): use multiple TE tunnels using BGP-signaled VPLS and throw them all into a bonded interface. Write a script that monitors the interface and adds back changed VPLS interfaces. They are all dynamically made, so when something changes they break out of the bonded interface. Then add the bonded interface into a bridge. You may need to add Nx addresses on both sides to use the fail detection on the interfaces in the bonding to make sure traffic doesn't go down a dead interface. Then add another custom script to move the IP addresses to follow the dynamically created interfaces to ensure correct failover....
Option 3 is not cool.
We really need option 1 or 2.
/interface ethernet switch vlan set [find vlan-id=10] ports+=ether1
/interface ethernet switch vlan set [find vlan-id=11] ports-=ether3,ether4
> Force sending of DHCP options to clients
+1
> DHCP lease assignment based on received DHCP Option 82 info (this one is the most important)
> +1
+1
Must have!
I believe in MikroTik :)
IS-IS would be amazing. The ability to manage more than one routed protocol inside a single routing protocol that does not rely on the protocol it is routing for communication seems like a self-evidently great idea to me, but I don't have to code it and I get that building ISO/CLNS likely isn't straightforward. Nevertheless, it would significantly change the simplicity of any medium to large sized routed network. Managing OSPFv2/v3 pretty much stinks as a general rule and does not scale to large sizes like IS-IS does.
Segment routing via IS-IS TLV would be even more amazing. SR is a game changer, but it's dependent on the TLV or IPv6 implementation to function.
> - Telnet to other port than 23 (testing if a port is alive)
Already possible:
/system telnet 1.2.3.4 port=80
> - MAC address vendor in IP scan results, like https://macvendors.com/
The file for that is rather large, 600K for the file used by nmap, 1300K for the file used by wireshark.

> The file for that is rather large, 600K for the file used by nmap, 1300K for the file used by wireshark.
Maybe it could be done in an optional package.
> I have seen lots of posts and a hell of a lot of documents available on the web for PCC load balancing. But none of these documents have a one-click deployment solution. I mean it's great to learn something new, but sometimes a GUI with a one-click solution is better for a production environment.
> I have seen the MikroTik team has done a tremendous job in developing ROS. But still, as I believe, and I am sure there are lots like me who believe, this WAN load balancing is still missing from ROS.
In general the MikroTik solution is not for those that want "one click solutions". The advantage is that with MikroTik you have a lot more flexibility; the disadvantage is that it requires some insight and experience from you (although in the case of PCC there are ready-to-use examples for the simple case of two equal internet connections).
> Locator ID Separation (LISP) support
RFC 6830-6836, please!
mDNS server for Chromecast/Bonjour/ZeroConf across VLANs.
WiFi networks are too big to have all the available devices bridged to the LAN.
Would be nice to then firewall which devices are discoverable.
> I hope full SwOS functions are merged into RouterOS.
Which functionality can you enable/configure in SwOS that cannot be done in ROS?
> A solution like HAProxy in RouterOS v7 would be useful. I like to run multiple SSL sites behind my MikroTik router on 1 public IP, and Let's Encrypt support to automatically secure them with SSL.
The only sensible part of this wish is "Let's Encrypt support for SSL certificates" ...
> PC hardware is much better suited to run such a service than the average xMIPS/ARM deployed in RBs. Not to mention the additional RAM needed by this functionality (it needs to keep a list of active connections if the load-balancing functionality of HAProxy is used). Plus all the encryption/decryption (not sure if that can/will be offloaded to HW on units that have such hardware).
While I did not make this request and do not need such functions, I would say that my CCR routers have so much CPU, crypto accel and RAM capacity sitting unused that it would certainly be worth it to load them with something like this, e.g. when the webserver itself gets a little overloaded by the crypto.
> I'd say that such expensive hardware (as CCRs are)
Apparently we have different definitions of expensive... I think our CCR1009s are quite cheap.
> I think devs' time would be better used implementing the full feature set for IPv6 ... for example.
I agree with that! But talking to MikroTik staff it became clear to me that nothing is to be expected in that department.
> Apparently we have different definitions of expensive... I think our CCR1009s are quite cheap.
Perhaps not ... but we might have different perspectives. Me, for example, I associate CCRs with a decent LAN size which deserves some dedicated boxes to do some things ... such as a dedicated server for http/https, and in this case the CCR should do routing and firewalling. On the other hand I expect to see budget hardware (hEX/hAP) doing stuff where it is sensible to join different tasks on a small number of devices.
> mDNS server for Chromecast/Bonjour/ZeroConf across VLANs. [...]
Also here ... for securing IoT over VLANs, etc.
> Monthly traffic per interface. Don't tell me about graphing. It's not fine for me.
Log the interface traffic counters to a syslog server. There you can see the numbers, or you can graph them if you like.
> Log the interface traffic counters to a syslog server. [...]
It may be that he has one of those ISPs that have a "limited bundle of traffic". Some other routers offer an option
See the link in my signature on how to set up Splunk (syslog server) to log MikroTik routers.
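An added example (not from any post in this thread) of the approach suggested above: a scheduled RouterOS script that sends every Ethernet interface's byte counters to a remote syslog server once an hour, so monthly totals can be computed there. The syslog server 192.0.2.10, the facility, the prefix and the 1h interval are assumptions.

```routeros
# Added example, not from the thread. Server address, facility and interval are assumptions.
/system logging action
add name=remote-syslog target=remote remote=192.0.2.10 remote-port=514 \
    bsd-syslog=yes syslog-facility=local0
# Entries written with :log from a script carry the topics "script,info";
# send only those to the remote server, tagged with a per-router prefix.
/system logging
add topics=script,info action=remote-syslog prefix="rb1"
# One line per Ethernet port: cumulative rx/tx bytes since boot.
/system script
add name=traffic-log policy=read source={
    :foreach i in=[/interface find where type="ether"] do={
        :local name [/interface get $i name]
        :local rx [/interface get $i rx-byte]
        :local tx [/interface get $i tx-byte]
        :log info ("traffic iface=" . $name . " rx-byte=" . $rx . " tx-byte=" . $tx)
    }
}
/system scheduler
add name=traffic-log-hourly interval=1h on-event=traffic-log policy=read
```

The counters are cumulative since boot, so the syslog side must compute deltas between consecutive samples and treat a sample smaller than its predecessor as a counter reset (reboot) rather than negative traffic.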
>>> I think devs' time would be better used implementing the full feature set for IPv6 ... for example.
>> I agree with that! But talking to MikroTik staff it became clear to me that nothing is to be expected in that department.
> Apparently most of their customers are not interested in IPv6.
This is the conundrum of IPv6: the "no one is asking for it" line is the weakest excuse for not deploying IPv6. 99.999% of customers won't ask for it, nor should they. If it is done correctly they'll never even notice they are using it. Operators don't deploy it because vendor implementations are incomplete. IPv6 deployment is quite profound in mobile and smart-grid networks, and (at least in the US) nearly all major providers offer it (Comcast, AT&T, Spectrum, etc.) and the content has been there for years. If MikroTik would implement feature parity with IPv4 then the bar is lowered further.
> This is the conundrum of IPv6: the "no one is asking for it" line is the weakest excuse for not deploying IPv6. [...]
Yes, I agree with you. There is no major concentration on IPv6 modules from the MikroTik team.

If we put even 1/8 of the effort into doing v6 as we did painting over the rusty carcass of IPv4 we would have been done a decade ago. Come on, MikroTik, this is fundamental stuff.
> This is the conundrum of IPv6: the "no one is asking for it" line is the weakest excuse for not deploying IPv6. 99.999% of customers won't ask for it, nor should they. If it is done correctly they'll never even notice they are using it.
That is probably the biggest problem in IPv6 adaptation! When you do it correctly, nobody notices it. When you make a mistake, people complain that things that
> But if you have a network so important it needs 2 ISPs, you could probably send that email and ask one of the ISPs for PI space as well. With IPv6, PI space announced by the ISPs or announced via a private-AS BGP should be the default solution for a small multihomed network, since the address space is so abundant; getting PI space is an email or 2 away, and not the problem it was on IPv4.
Do you have any experience with that in practice, or is it only a proposal?
>> There is this small, not-well-known but very useful tool called "etckeeper" for Linux [...]
> I suggest you look at RANCID, it does what you've described. Works for me, as well as with a lot of other network equipment.
Very interesting, can you share some details about RANCID and MikroTik backup?
> BGP option like Juniper "advertise-inactive".
+1
> A solution like HAProxy in RouterOS v7 would be useful. I like to run multiple SSL sites behind my MikroTik router on 1 public IP, and Let's Encrypt support to automatically secure them with SSL.
+1
> You are aware that this feature is patented by Ruckus?
Damn... patents... that's why you can't have a toilet that flushes properly or a saw that can saw without being over-complicated these days...
WiFi multiple PSK ACL with wildcard MAC.
Here is the Engenius description of that. Ruckus also has something similar, and I think Meraki does too...
https://www.engeniustech.com/mypsk-a-ne ... porations/
Here is a discussion about the issue on the forum:
viewtopic.php?p=913911&hilit=dpsk#p913911
The basic idea is to have a single SSID, allow multiple PSKs, and assign the VLAN based on the PSK used. That is used in hotel or nursing home applications where devices do not always play well with WPA2-Enterprise (RADIUS). Each room has its own PSK on a single SSID and VLANs are assigned based on the PSK used, so devices in the same "room" can communicate with each other: Alexa, Chromecast, tablet...
Right now the wifi ACL allows (almost) that, but the MAC needs to be known. Also a "wildcard" MAC is allowed, but only the first one is evaluated. Need to have multiple wildcards: if the first fails, check the next...
This is working:
/interface wireless access-list
add mac-address=01:01:01:01:01:01 private-pre-shared-key=testvlan1
add mac-address=02:02:02:02:02:02 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag

This is also working:
/interface wireless access-list
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan1
add mac-address=02:02:02:02:02:02 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag

But this is not, and that is required:
/interface wireless access-list
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan1
add mac-address=00:00:00:00:00:00 private-pre-shared-key=testvlan105 vlan-id=105 vlan-mode=use-tag