jvolkhausen
just joined
Posts: 5
Joined: Fri Apr 26, 2019 8:44 am

Re: Feature requests

Mon Mar 16, 2020 1:06 pm

Give the ability to secure firewall rules.
For remote systems it will not be good if the management firewall rules are deleted. For this reason I think it would be nice to have a feature to secure these rules in some way, like locking. For the first step it would reach the target to just secure the rule itself. The big shot would be to lock also the place in the firewall chain.
The workflow in my mind looks like this:
creation
- create rule
- lock rule

modify
- unlock rule
- modify rule
- lock rule

delete
- unlock rule
- delete rule
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Mar 16, 2020 2:13 pm

Give the ability to secure firewall rules.
I think it would be more useful as a limited-user capability where users can be created that have precisely
defined capabilities for each configuration item. (no access, read-only, add-only, modify, delete)
This is not limited to firewall.
This would allow ISPs that roll out managed routers to give their customers some limited capability that they
require, but not full access to the entire config.
 
SiB
Forum Guru
Posts: 1573
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Mon Mar 16, 2020 2:28 pm

To the last 2 answers.
In my opinion those changes are good but not a must. Proper comments with the chain name and a jump action can create a proper tree of actions in the firewall, and this "lock/unlock" is not that necessary.
About changes in the firewall, it would be better to note/log the changes we make inside ROS; currently the history is not useful when you do a few changes in one module, like the firewall.
From what would I know which rule changed what, or which back/undo command, when they are all the same in the system history?
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL | Buy me a caffe
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
 
normis
MikroTik Support
Topic Author
Posts: 24881
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature requests

Mon Mar 16, 2020 2:35 pm

Yes, RouterOS v7 has better command history; you will be able to see the specific command that was executed.
No answer to your question? How to write posts
 
Chupaka
Forum Guru
Posts: 8540
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Mar 16, 2020 3:38 pm

For remote systems it will be not good if the managemend firewall rules are deleted.
Welcome to the Safe Mode :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Chupaka
Forum Guru
Posts: 8540
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Mar 16, 2020 3:44 pm

Yes, RouterOS v7 has better command history, you will be able to see specific command that was executed.
Just an example, that's cool:
 > /sys history print detail 
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/interface eoip remove bridge2 
    undo=
      /interface eoip add arp=enabled arp-timeout=auto disabled=no mac-address=\
          6A:F5:C8:E5:62:12 mtu=auto name=bridge2
    action="device removed" by="admin" policy=write time=mar/13/2020 14:06:52 
The only problem is... That was actually "bridge" interface, not "eoip" :D
> /interface/bridge/add name=brrr
> /sys history print detail      
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/interface eoip add name=brrr undo=/interface eoip remove *3 
    action="device added" by="admin" policy=write time=mar/16/2020 16:44:09 

 
mrz
MikroTik Support
Posts: 6254
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature requests

Mon Mar 16, 2020 4:19 pm

Thanks. If you find anything else strange with the history, report it to support.
 
nimbo78
Frequent Visitor
Posts: 80
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature requests

Tue Mar 17, 2020 2:40 pm

Don't forget to add VRF for management interface!
+1
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Mar 26, 2020 1:45 pm

Please add extra parameter "regexp" (including NOT operator) to "/system logging" rules so you can specify a regexp on the logged message to be (not) matched before the specified action is taken.
Often there are many messages with exactly the same topics but widely different purpose, and some of the topics are quite verbose so one would want to see (or suppress) certain messages.

Also, it would be nice to have some way of triggering scripts directly from logging, e.g. a new "action" type "script" that executes a script for every logging item sent to that action.
 
neticted
Member Candidate
Posts: 129
Joined: Wed Jan 04, 2012 10:36 am

Re: Feature requests

Fri Apr 24, 2020 9:47 am

It is much of a struggle to protect the router from constant login attempts to its services that must be open to the public.
Handling it in the firewall is complicated, wastes resources and often cannot even be done in a satisfactory manner.

It would be great if Mikrotik introduced a new script trigger called something like onLoginFail for all services that have a login. That would make it a very easy and efficient tool for admins to handle repeated failed login attempts.
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Apr 24, 2020 10:42 am

Yes indeed. But that would actually be one of the use cases I had in mind for the previous feature request I made (on Mar 26, 2020).
 
TomjNorthIdaho
Forum Guru
Posts: 1209
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

6 GHz a/n/ac 2x2 ( when ? )

Wed Apr 29, 2020 6:45 pm

The FCC recently opened up the 6 GHz frequency range ( 1,200 megahertz of spectrum ) for unlicensed use.
The new unlicensed 6-GHz frequency range includes 5.925 GHz -through- 7.125 GHz.
Question - how soon will Mikrotik have products which will support 6-GHz a/n/ac 2x2 in the new frequency range of 5.925 GHz -through- 7.125 GHz?

Ideally, I would love to see a Mikrotik wireless device/card with SuperChannel support from 4.8 GHz up through 7.125 GHz.

I desire to begin adding new FCC 6-GHz ( a/n/ac 2x2 ) APs/clients to my existing 5-GHz networks as soon as possible. If Mikrotik is prompt with products to fulfill this new market, then I will stay with Mikrotik.

North Idaho Tom Jones
 
WeWiNet
Long time Member
Posts: 539
Joined: Thu Sep 27, 2018 4:11 pm

Re: Feature requests

Wed Apr 29, 2020 8:18 pm

I would like to see so many things in RouterOS, but here is my list of things I think should happen:
  • Have a DFS/radar detection log/counter since boot in the 5 GHz wireless status tab
  • Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be usable within RouterOS in queue trees, mangle rules, hotspot etc. Today one needs to define each time an absolute value for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare. If you could use percentages of that max value in those various places you could easily adapt to throughput changes on your WAN side (like moving to a better LTE modem, adding another WAN link, or a fiber link) and your device would scale up without any other change.
  • More flexible scheduling, PLEASE. Not only one time per day but different times per day and on different days etc. It is already there in some parts of RouterOS, so it should be simple (I put that request in the wrong place in another post earlier)

And then yes some day finally Wifi Wave 2 features like band steering, but now I am starting to dream about paradise ... so forget this one... :lol:
WeWiNet

**
MTCNA
I like a new challenge, I migrate to ROS7... :? no way, finally I stay with 6.48! I am NOT crazy :lol: !!!
 
kiwistag
just joined
Posts: 13
Joined: Mon Jun 24, 2013 12:53 am
Location: New Zealand

Re: Feature requests

Sun May 10, 2020 1:36 am

3 differing requests that may become very useful
  • Within Winbox: a right-click menu option on an ARP record or DHCP lease to quickly issue a WOL request
  • Consider a GeoIP package allowing for firewall filtering by Country (a big ask I know, but there are good Linux resources for this - https://www.maxmind.com)
I know that the two latter may take some considerable resource to implement and are more practical on MMIPS, ARM and even Tile architectures, however for the sake of IoT these days - the ability to remotely interface via USB into devices to program them may be a large drawcard for purchasing Mikrotik routers for an untapped market.

Bevan
NZ
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun May 10, 2020 11:49 am

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun May 10, 2020 11:55 am

Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be possible to be used within routeros within queue trees, mangle rules, hotspot etc. Today one needs to define each time an absolute value for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare.
I think the queue trees should allow an additional form of rate configuration in the form of a percentage of the rate of the next higher level in the queue tree.
When the next level is an interface, there should be some options, e.g. by default the negotiated interface rate, the possibility to manually set a lower rate, and e.g. on a WiFi link also the possibility to track the actual data rate of the link as it depends on link quality. Or indeed a fourth option could be to set it to the name of a global variable from which the value is taken. That would be the feature you request.
I recognize the pain of having to walk through entire trees when the top-level speed is changed. However I usually do it from commandline so larger numbers of items can be set all at the same time. Still a laborious procedure.
 
SiB
Forum Guru
Posts: 1573
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Wed May 13, 2020 11:59 pm

Add a column TYPE which gives us the result of :typeof $variable
 
emad1984
just joined
Posts: 1
Joined: Sat Jun 06, 2020 4:03 pm

Re: Feature requests

Sat Jun 06, 2020 4:05 pm

Please add Shadowsock / shadowsocksr to the vpn features.
 
TomjNorthIdaho
Forum Guru
Posts: 1209
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

WiFi 6 ( 6 GHz )

Tue Jun 09, 2020 2:33 am

Yesterday I went into Costco ( a large everything store ). And guess what is on display as you walk in the store - a bunch of WiFi 6 wireless networking devices !!!

Emmmm, soooooooo ,,,, Where are any Mikrotik WiFi 6 WISP products ?

I need to start adding at least one-hundred WiFi 6 APs to my multiple tower networks then begin migrating a thousand or so 5 GHz customers to some WiFi 6 networks while the 6 GHz channels are still clear/clean , however ,,, there are no Mikrotik WiFi 6 products available.

How can Mikrotik not have any WiFi 6 products when the shelves in Costco are full of non-Mikrotik WiFi 6 products?

North Idaho Tom Jones
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jun 09, 2020 11:06 am

Add "usage counters" to static DNS entries and display them in the table.
These need to be in RAM only, no need to write back to flash.
 
muetzekoeln
Member Candidate
Posts: 166
Joined: Fri Jun 29, 2018 2:34 pm

Re: WiFi 6 ( 6 GHz )

Tue Jun 09, 2020 5:32 pm

WiFi 6 ( 6 GHz )
WiFi 6 is 2.4 and 5 GHz.
WiFi 6E includes 6 GHz.
 
millenium7
Member
Posts: 355
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Wed Jun 10, 2020 3:59 am

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking; first and foremost, for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. On all of our routers I'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to log in or establish VPNs from overseas etc.
Ideally this would pull data periodically from a central MikroTik server similar to DDNS, which would make it more effective than just using fixed address-lists.
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel that's racist well.... that's your problem
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Jun 10, 2020 12:20 pm

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking; first and foremost, for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. On all of our routers I'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to log in or establish VPNs from overseas etc.
Ideally this would pull data periodically from a central MikroTik server similar to DDNS, which would make it more effective than just using fixed address-lists.
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel that's racist well.... that's your problem
My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.

Do you want it to refer to the physical location of the system having that address, the citizenship of the owner of that system, or its network? Or of the system's user?
E.g. when you think "I only want to receive mail from people in Australia so I will block all mail from servers in other countries" but that will fail because people in Australia might (even unknown to themselves) have their mail server located in another country.

Similar for websites. "I want my users only to see websites from Australia" might look easy to do with such a list, but it isn't. The list will not refer to the content of the site, nor to the owner/operator of that site, but (at best) only to the physical location of the server. Which errs in both directions: reputable Australian sites may be hosted overseas, and overseas phishers/hackers might have their site physically located in Australia.

I don't know the situation in Australia, but here in the Netherlands we have MANY MANY networks that lookup as "country=NL" but really are operated by rogue hosters from anywhere in the world. So limiting my router logins to "only from NL" really brings me nothing but a false sense of security, as those ongoing portscans from the many foreign VPSes hosted in local datacenters here will just go through.
Furthermore, anyone can use a VPN (in the newfangled meaning) to have a source IP address in any country they desire.

And when you operate on a mobile network provided by a company that originates from outside of your country, it may well be that your external IP address is registered in another country too. Maybe not in Australia (due to its isolated topology), but certainly in other places.

Then, making something like this available as a standard feature where every operator can just click some selection list (even without knowing all of the above) is certainly not a good thing, in my opinion. But you can differ on that.

Firewall filtering is something that has to happen on-the-fly, so it has to use locally stored tables. However, services like a login or VPN connect could do an external query to determine parameters of the source IP address, and use the result to accept or reject the connection.
There are DNS-based country lookup services (you query a name like 1.2.3.4.somedomain.example.com for a TXT record and you get a reply with the AS number and country code of the specified address).
Maybe it would be good when login procedures would be able to do such queries (or allow calling a script where such customized queries can be made).
That would still have the disadvantages listed above, though.
 
msatter
Forum Guru
Posts: 2105
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Wed Jun 10, 2020 1:57 pm

Those lists can be obtained at mikrotikconfig dot com.

Besides that you need to maintain a separate list with scanning IP addresses that are domestic or listed with the wrong country.

I am doing it myself since a few days because I got fed up with maintaining the separate list all the time. Now it is very quiet, and still the checkers come in preparing a scan.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS.

Running:
RouterOS 6.49Beta / Winbox 3.27 64bits
 
doctorpangloss
just joined
Posts: 6
Joined: Thu Jun 11, 2020 1:07 am

Re: Feature requests

Thu Jun 11, 2020 1:19 am

Hairpin NAT should be enabled in Quick Set.
 
Jotne
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Thu Jun 11, 2020 8:31 am

There are very good reasons for country blocking; first and foremost, for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.
You may think so. Take an example. On your server you have a small web server for your local bicycle club. There users can get information about training times, when there are competitions etc. Let's say someone from Australia is on vacation in Bali and wants to know when the training is for his son, who is at home in Australia. Why should he not be able to do that?

Or your workplace has a proxy or headquarters in another country; then he could not open your local web server, since you blocked everything from outside Australia.

But if you have no web server nor other services needed by anyone else, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.
 
Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk
 
 
sindy
Forum Guru
Posts: 7279
Joined: Mon Dec 04, 2017 9:19 pm

Re: Feature requests

Thu Jun 11, 2020 12:50 pm

If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Jun 11, 2020 1:31 pm

So I don't know whether using discrimination per country is racist, but it is definitely useless.
My claim was: It is completely useless, and it tends to racism.
It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
That quickly slides towards racism.
 
solar77
Long time Member
Posts: 580
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Feature requests

Thu Jun 11, 2020 8:15 pm

A good firewall rule stops attacks, picks up the IP of the attacker, keeps them in your Address List for as long as you want and blocks all future attacks from the same IP.
I'd like to see IP Cloud include a function so that we can all share these IP addresses. That would be nice!
MTCNA MTCTCE UEWA
 
mutluit
Forum Veteran
Posts: 769
Joined: Wed Mar 25, 2020 4:04 am

Re: Feature requests

Thu Jun 11, 2020 8:35 pm

So I don't know whether using discrimination per country is racist, but it is definitely useless.
My claim was: It is completely useless, and it tends to racism.
It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
That quickly slides towards racism.
Hmm. here is a counter use-case:
Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
 
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Jun 11, 2020 8:39 pm

Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
As I explained before, that is not going to work. Your own users may appear to come from another country.
 
solar77
Long time Member
Posts: 580
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Feature requests

Thu Jun 11, 2020 10:38 pm

Imagine you have a service for users from your own country only.
This was nearly my use case: a local WISP. At one point it was very tempting to do so, to fence off all failed authentications to our VPN service. Most of them are from one country.
However, I realized that we cannot just block connections from the rest of the world. One of my customers might want to travel :-)

We don't have a list of known IP addresses to allow. So I ended up logging 3 failed connection attempts and adding the source IP to an Address List, adding a /24 to it and blocking the Address List.
From the list, I can see the attacker jumps from IP to IP, different ranges; clearly blocking by country is not going to stop them at all.
Also they were clever enough to do this less frequently so they don't get caught. I had to increase the time-out at each stage as well.

I try to mess with them by using Tarpit instead of Drop. Making their life slightly more difficult. :lol: 8)

Again, a platform for Mikrotik users to share these IP addresses would be useful.
MTCNA MTCTCE UEWA
 
Jotne
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Thu Jun 11, 2020 10:48 pm

Hmm. here is a counter use-case:
Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
And as I did write, how do you access these services if the users are out travelling in another country?
If I would like to surf from an Australian address, I could use "Hola Free VPN" and bypass your country rule.
 
 
 
millenium7
Member
Posts: 355
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Fri Jun 12, 2020 3:25 am

My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.
You are WAY overthinking this. It's really as simple as an address list generated from IANA that says i.e.
1.x.x.x/8 = Belongs in USA.
2.1.x.x/16 = Belongs to Belarus
3.x.x.x/8 = Australia
etc etc
Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up. But behind the scenes this is done by simply enabling an option in a firewall rule that says i.e. "Country!=Australia" and it uses all the known prefixes residing inside Australia. Done behind the scenes, and ideally periodically updated so you don't have to run scripts to manually pull the latest IANA data

This is no different to what many other countries do with geoblocking of services. I have zero interest in making 100% absolutely damn sure that the 'user' is in Australia. If they have an overseas IP, are using a VPN etc, not my problem. This is a broad sweeping rule that will catch a significant number of attacks, it's not about ensuring we definitely have someone physically located in Australia, don't care
There are very good reasons for country blocking; first and foremost, for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.
You may think so. Take an example. On your server you have a small web server for your local bicycle club. There users can get information about training times, when there are competitions etc. Let's say someone from Australia is on vacation in Bali and wants to know when the training is for his son, who is at home in Australia. Why should he not be able to do that?

Or your workplace has a proxy or headquarters in another country; then he could not open your local web server, since you blocked everything from outside Australia.

But if you have no web server nor other services needed by anyone else, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.
That would not be an 'input' chain, that would be the forward chain, so the rule would not block traffic going to a server that resides behind the router. Only traffic directly destined to the router itself would get blocked.
The specific conditions of each person can be taken into account by either adjusting firewall rules to the company's needs, or just not using the country filter......... amazing concept I know. But for us, we 100% absolutely have zero need for allowing overseas connections directly to our routers. Now if we need to get a consultant in, or someone goes overseas or we have some special purpose, we can always go ahead and just add a more specific 'accept' rule above the general country filter. Until then, this 1 rule would reduce our attack footprint massively.
If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.
It isn't useless. It's not about 100% perfect security either (such a thing doesn't exist). It's just about reducing the broader attack spectrum. In the same way most people move the default Winbox port off 8291 to something else; that isn't 100% effective, so therefore it's a useless feature? May as well not have it?
Why do people block port scans? That's not a guarantee of anything either....
If 1 very simple rule reduces the attack vector by 90% then how is it useless..... the other 10% can still be handled as normal anyway. Heck, if nothing else it's a performance boost: anything overseas gets dropped in the first couple of rules without processing further.
 
Jotne
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Fri Jun 12, 2020 10:33 am

That would not be an 'input' chain, that would be the forward chain.
Then I see what you do wrong. There should be no input rules coming from the outside using the input chain. VPN is the way to go if you need to access services on the router.

If you can not use VPN to manage your router, follow this:

1. Use another port than the default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use an access list to prevent any random internet host from accessing your router.
5. Log everything. (See my signature for an example.)
6. Upgrade firmware to the latest stable release.
7. If possible, set up the remote router to connect using VPN to an admin site.
8. ++++

4. You can allow only one IP to manage your system if you need.

Then you can administrate your router from wherever you like, with better security.
Using a country based access list only limits the number of hack attempts on your system, nothing more.

PS I have an access list that blocks an IP for 24 hours if they try one port on my system that is not open. This blocks most of the automatic scripts running out there.
 
 
 
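The staged approach solar77 describes (three strikes, then the address list is blocked, with a longer timeout at each stage) and Jotne's 24-hour block for sources that probe a closed port, combined into one RouterOS firewall snippet; this is an added example, not configuration from any poster. It assumes WinBox stays on tcp/8291, that the default interface list "WAN" holds the public-facing interfaces, and that "mgmt-allowed" is a list you fill with your own management addresses (all constructed names); it blocks single addresses rather than the /24 widening solar77 applies.

```routeros
# Added example, not from any poster: staged handling of repeated connection
# attempts to an exposed service, plus a 24h block for closed-port probes.
# Assumptions (constructed): WinBox on tcp/8291, interface list "WAN" holds
# the public interfaces, "mgmt-allowed" lists your own management addresses.

/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="admin jump host (example)"

/ip firewall filter
# 1. Sources already on the blocked list are dropped before anything else.
add chain=input in-interface-list=WAN src-address-list=blocked action=drop \
    comment="drop blocked sources first"
# 2. Return traffic for connections the router already accepted.
add chain=input connection-state=established,related action=accept
# 3. Known management addresses always reach WinBox.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 \
    src-address-list=mgmt-allowed action=accept
# 4. Three strikes: each new WinBox connection from an unknown source moves
#    it one stage further. add-src-to-address-list does not stop rule
#    processing, so the rules are ordered last stage first: a source already
#    in stage2 lands on "blocked" for a day on its third connection. Timeouts
#    grow at each stage, as solar77 notes, so a slow attacker does not age
#    out of the lists between attempts.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 \
    connection-state=new src-address-list=stage2 \
    action=add-src-to-address-list address-list=blocked address-list-timeout=1d
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 \
    connection-state=new src-address-list=stage1 \
    action=add-src-to-address-list address-list=stage2 address-list-timeout=4h
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 \
    connection-state=new \
    action=add-src-to-address-list address-list=stage1 address-list-timeout=1h
# 5. Connections that survived the staging reach the service; the fourth
#    one from the same source is dropped by rule 1 for 24h.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 \
    connection-state=new action=accept
# 6. Jotne's trap: a new TCP connection from WAN to a port not accepted
#    above is not a client, so the source is blocked for 24h. Keep this rule
#    below the accept rules for every service you really expose.
add chain=input in-interface-list=WAN protocol=tcp connection-state=new \
    action=add-src-to-address-list address-list=blocked \
    address-list-timeout=1d comment="closed-port probe: block source for 24h"
# 7. Default deny for everything else arriving from WAN.
add chain=input in-interface-list=WAN action=drop
```

Check the result with /ip firewall address-list print where list=blocked; the entries are dynamic and disappear on their own when the timeout expires, so nothing is written to flash.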
pe1chl
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 11:09 am

It's really as simple as an address list generated from IANA that says i.e.
1.x.x.x/8 = Belongs in USA.
2.1.x.x/16 = Belongs to Belaruse
3.x.x.x/8 = Australia
etc etc
Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up.
I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better when it had been done that way, but it hasn't.
LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for the Asia-Pacific region. The list of blocks for Australia would have many thousands of entries no matter how you like that.

So the feature you request is nothing more than what you would get when you load the address list and use that in the firewall rules, and the only thing you could expect here is that some native tool for loading the address list would have an easier time getting around the limitations posed by scripting and the flash wear caused by repeatedly loading static address lists.

I have asked before for extensions on the DNS-based loading of address lists:
- remove or at least increase the limit on the number of records returned for a DNS lookup when loading an address list item via a DNS name, so longer lists like blocklists can be loaded this way
- add support to load "subnet" address list items, e.g. by lookup of TXT records which contain subnets in CIDR notation (1.3.3.0/24 for example)
(a DNS record type exists specifically for this, but it is experimental and probably not widely supported; TXT seems a safer bet)

With this in place, your request could be fulfilled by a DNS service (hosted by MikroTik or by another company or individual) that returns all subnets for "australia" on some specific DNS lookup, and you could get your "security" by configuring that address list in your router and using it in your firewall rules.
 
millenium7
Member
Posts: 355
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Fri Jun 12, 2020 11:52 am

I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better
when it had been done that way, but it hasn't.
LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible
to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for
the asia-pacific region. The list of blocks for Australia would have many thousands of entries no matter how you like that.
I am entirely aware of this, what I provided was clearly just an oversimplified example, I thought that was clear when I mentioned 'instead of having several thousand address list entries'
It's doing exactly the same job as manually adding them to an address list. But in a very simplified and clean way by just enabling 1 option and specifying countries. Ideally that is then dynamically updated
The alternative is entries need to be manually added to a MikroTik, that could be hundreds/thousands of routes especially if I want to do multiple things with multiple countries
Then I need another script running that updates this list automatically...... it's just really messy to keep everything updated and everything in sync.... when it could be a simple 1 tick-box operation instead.

Why are you guys not seeing the value in this? DDNS does a similar thing. It's entirely possible to script your own DDNS implementation but isn't it a LOT better just having a single tick-box in IP-Cloud? I know I sure appreciate that feature for when I need it. Do I use it all the time? no. Is it perfect with i.e. multiple gateways? no. Does it have a purpose though? Absolutely. So why are you so opposed to having a country feature?
I dunno, maybe you guys are right, because it's not an absolutely perfect implementation that works for absolutely everybody, it must be totally useless........
I don't use IPv6 on Mikrotik whatsoever, can I put in a request to remove it? because for me it's totally useless, therefore it must also be totally useless for everyone else.........
 
ahmedramze
Frequent Visitor
Frequent Visitor
Posts: 96
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Re: Feature requests

Fri Jun 12, 2020 3:09 pm

Hello

Please can you upload all packages as separate files, so we can use the fetch command; also, add an HTTPS MikroTik certificate for the URL download.mikrotik.com.
Installing packages requires unzipping the file and uploading it again; sometimes we use a mobile network with a slow connection.


Regards.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 4:04 pm

I am entirely aware of this, what I provided was clearly just an oversimplified example, I thought that was clear when I mentioned 'instead of having several thousand address list entries'
It's doing exactly the same job as manually adding them to an address list. But in a very simplified and clean way by just enabling 1 option and specifying countries. Ideally that is then dynamically updated
The alternative is entries need to be manually added to a MikroTik, that could be hundreds/thousands of routes especially if I want to do multiple things with multiple countries
Then I need another script running that updates this list automatically...... it's just really messy to keep everything updated and everything in sync.... when it could be a simple 1 tick-box operation instead.
I hoped you would have understood by now that this is not possible because there is no simple attribute on a packet that indicates it is "from Australia" so such filters can only work with that address list of thousands of entries in place.
I stop this useless discussion, when you want to keep going on about how you think this could be implemented please post a separate topic so it can be kept outside of the "Feature requests" topic.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 4:07 pm

Please can you upload all packages as separate files, so we can use the fetch command; also, add an HTTPS MikroTik certificate for the URL download.mikrotik.com.
Installing packages requires unzipping the file and uploading it again; sometimes we use a mobile network with a slow connection.
The use of separate packages for part of functionality (like routing, advanced tools, PPP, etc) has been abandoned in v7. Everything is now in a single package except the truly special things like UPS monitoring.
So you will have to get used to loading the single routeros package that has all the things that you do not need.

The separate package files (for v6) are already available for download from upgrade.mikrotik.com via fetch, you only need to figure out the URL.
 
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1209
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Fri Jun 12, 2020 7:38 pm

Blocking countries and remote bad/rogue locations - ( related information )

If you use PfSense , take a look at the package "pfBlockerNG-devel".
My multiple core network routers are a mix of Mikrotik and PfSense routers/firewalls/NAT. The optional PfBlocker on PfSense allows you do block by country and/or use multiple Internet list servers to auto download/update bad IP address on the Internet. I have a syslog server that receives firewall logs from my Mikrotik and PfSense firewalls. My syslog server then auto creates a custom block-list that my other PfSense routers/firewalls will also use. So if one PfSense firewall blocks something, that IP address will auto propagate to my other PfSense firewalls. This works well because when somebody is scanning your network searching for vulnerabilities, it only takes one PfSense firewall hit to redistribute the new firewall rule list to all other PfSense firewalls. Default pfBlockerNG can use IP lists and DNSBL lists freely available, and you can even create your own custom lists for other PfSense firewalls to use.

I have found many infected computers on some of the networks I manage simply by looking at my syslog. When you see repeated never-ending attempts from a computer in your network trying to connect to ( China or other sometimes rogue locations), then it is a fair bet that you may want to further inspect/scan that local computer on your network.

I don't know if something like pfBlocker is possible on a Mikrotik, but if it were then I would be very interested in testing it out.

North Idaho Tom Jones
 
Sob
Forum Guru
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sat Jun 13, 2020 1:01 am

So why are you so opposed to having a country feature?
Remember, you don't need to convince anyone in this forum, just MikroTik. Non-technical reasons and users' business decisions aside, the first question is what exactly MikroTik should provide. I see a big difference between just supporting something and providing all the data.

For example, in the past I played with MaxMind's GeoIP database (no, I didn't block anyone), which is periodically updated database with IP to country mapping. They even had iptables module for it. Adding support for something like that should be relatively simple one-time thing. Providing such database themselves, keeping it updated and everything, that's much more work and may not be worth it for MikroTik.

I don't care about countries myself, but it could be interesting if it were something more generic. Assuming that working with a static precompiled database is faster than with address lists (I guess it could be, I didn't test it, but it would be interesting to know), it could be useful for any kind of large (semi)static lists. Not only could it be faster (maybe), but updates could be done by simply downloading and replacing one file, instead of scripting address list updates or abusing DNS, etc.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
Chupaka
Forum Guru
Forum Guru
Posts: 8540
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Sat Jun 13, 2020 7:14 pm

Regarding that geoip databases... Ten years ago I had to contact MaxMind because the ISP I was working for leased two /24 PA blocks from Czech company, and MaxMind (well, together with many other services, but they are among the biggest ones) was ignoring this fact for years. They told us they don't read all the changes, so most small ISPs are treated as their aggregated IP block by default. Only after that (about ~ a month later) our clients started to be identified as coming from Belarus, not Czech.

Nowadays, when IP space is exhausted, more and more leasing happens, so today the problem can be even bigger.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Jotne
Forum Guru
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Sat Jun 13, 2020 10:13 pm

This just adds more to why blocking by country is not a good thing. The quality of such a service would never be high and you can bypass it using a proxy/VPN. It looks like millenium7 wants this to protect the input chain that is used to admin the router. A VPN should give the needed security.
 
Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk
 
 
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1209
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Put Dude ports 2210 and 2211 in IP-Services where it belongs ( RESOLVED )

Fri Jun 26, 2020 3:57 am

*** RESOLVED *** ( it works like it is supposed to. This post was an error asking a question. There is no issue *** RESOLVED ***

Put Dude ports 2210 and 2211 in IP-Services where it belongs

Currently , IP->-Services has a field "Available From"
This functions with api , api-ssl , ftp , ssh , telnet , winbox , www , www-ssl
These services can be turned off/on and/or blocks of IP-networks can be used for each service.

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
Yesterday , I counted 4-thousand "winbox/dude" connect logs. And I know it's not winbox because I IP-Services limit what IP blocks can connect using winbox , so it has to be dude !

I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.

Also - it might be a good idea to add ICMP to the IP-Services section

North Idaho Tom Jones
Last edited by TomjNorthIdaho on Fri Jun 26, 2020 7:55 pm, edited 1 time in total.
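Added example, not TomjNorthIdaho's actual tooling: the syslog-side logic his earlier post describes (collecting blocked sources from router logs into a shared block list), run over constructed log lines in the "denied winbox/dude connect from" format quoted above. Sources that cross a threshold and are not inside a trusted management subnet are turned into RouterOS address-list entries with a timeout. The addresses are RFC 5737 documentation ranges and the list name, threshold and trusted subnet are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines in the format quoted above. The source
# addresses are documentation ranges (203.0.113.0/24, 198.51.100.0/24),
# not real hosts; the "system,info" line is there as noise to be ignored.
SAMPLE_LOG = """\
jun/25 13:32:09 warning denied winbox/dude connect from 203.0.113.5
jun/25 13:32:11 warning denied winbox/dude connect from 203.0.113.5
jun/25 13:32:14 warning denied winbox/dude connect from 203.0.113.5
jun/25 13:33:02 warning denied winbox/dude connect from 198.51.100.20
jun/25 13:33:40 system,info log rule changed by admin
jun/25 13:34:07 warning denied winbox/dude connect from 10.20.30.40
jun/25 13:35:19 warning denied winbox/dude connect from 203.0.113.5
"""

# "<mon/day> <time> warning denied <service> connect from <ip>"
DENIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) warning denied (?P<service>\S+) connect from (?P<src>[0-9.]+)$"
)


def count_denied(log_text):
    """Return a Counter {source_ip: number of denied connects}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:
            hits[m.group("src")] += 1
    return hits


def build_blocklist(hits, threshold, trusted):
    """Sources at or above the threshold, minus trusted management subnets,
    most active first. Returned as (ip, count) pairs."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    blocked = []
    for src, n in hits.most_common():
        addr = ipaddress.ip_address(src)
        if n < threshold or any(addr in net for net in trusted_nets):
            continue
        blocked.append((src, n))
    return blocked


def render_rules(blocked, list_name="syslog-blocked", timeout="1d"):
    """RouterOS commands to push the block list to the other routers."""
    return [
        f"/ip firewall address-list add list={list_name} address={src} "
        f"timeout={timeout} comment=\"{n} denied connects\""
        for src, n in blocked
    ]


if __name__ == "__main__":
    hits = count_denied(SAMPLE_LOG)
    for cmd in render_rules(build_blocklist(hits, threshold=3, trusted=["10.0.0.0/8"])):
        print(cmd)
```

A timeout on the entries keeps the shared list from growing forever, and the trusted-subnet exclusion protects against locking your own management hosts out because of a typo in the "Available From" field.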
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 11:15 am

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!
But you can just handle them in the input firewall, right? That is where I regulate the other services as well, when they are enabled.
A subnet limitation in the service still allows connect to the service which then refuses to serve you, but an input firewall rule entirely protects it.
(and can be more advanced than just checking for source subnet)
 
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1209
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:00 pm

Put Dude ports 2210 and 2211 in IP-Services where it belongs

Currently , IP->-Services has a field "Available From"
This functions with api , api-ssl , ftp , ssh , telnet , winbox , www , www-ssl
These services can be turned off/on and/or blocks of IP-networks can be used for each service.

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
Yesterday , I counted 4-thousand "winbox/dude" connect logs. And I know it's not winbox because I IP-Services limit what IP blocks can connect using winbox , so it has to be dude !

I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.

Also - it might be a good idea to add ICMP to the IP-Services section

North Idaho Tom Jones
Never mind - I got an email that says Dude uses the same ports as Winbox.
So what traffic is on 2210 and/or 2211 ?
And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:19 pm

And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
When you do not like that, add a firewall rule (probably with address list) for the filtering.
 
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1209
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:50 pm

And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
When you do not like that, add a firewall rule (probably with address list) for the filtering.
Again - thank you for your prompt reply(s) to my questions :)
I guess I was not understanding the sequence "service accepts the connection then drops it and logs" , I wrongly thought it was "don't accept the connection".
Question - Am I correct to assume for IP-Services ssh, telnet, http, https api … Is it also "service accepts the connection then drops it if not allowed" ( aka accept the connection , check access-list, then drop if not allowed - if allowed then continue the service connection) ?
Mikrotik - I love your products and your highly knowledgeable team.

Thank you

North Idaho Tom Jones
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 8:12 pm

Question - Am I correct to assume for IP-Services ssh, telnet, http, https api … Is it also "service accepts the connection then drops it if not allowed" ( aka accept the connection , check access-list, then drop if not allowed - if allowed then continue the service connection) ?
Yes, that is how it works. In Linux this is called "TCP Wrappers" with their associated config files "/etc/hosts.allow" and "/etc/hosts.deny". It sits between the listening TCP port and the daemon that runs the connection, it first accepts the connection (or rather the kernel does that), looks up the source network in those files, and if not allowed it just closes the connection again. This whole thing was invented before firewalls were available in operating systems.
You can observe this yourself when you use telnet.
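An added example of the accept-then-check behaviour pe1chl describes, written as a small Python loopback service; it is not RouterOS code and not the tcp_wrappers source. `probe()` runs one server round on 127.0.0.1 and returns what the client sees: the TCP handshake always completes, and a peer outside the allowed networks then gets an immediate close (an empty read) plus a "denied connect from" log line, which is why those entries keep appearing in the router log even though the "Available From" limit is working. The allowed-from networks are constructed.

```python
import ipaddress
import socket
import threading


def is_allowed(peer_ip, allowed_from):
    """hosts.allow-style check: is the peer inside any allowed network?"""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_from)


class WrappedService:
    """Minimal 'TCP wrapper': the kernel completes the handshake and
    accept() hands us a socket before any policy runs; a disallowed peer
    is then closed at once and a 'denied' line is written to the log."""

    def __init__(self, allowed_from, host="127.0.0.1"):
        self.allowed_from = allowed_from
        self.log = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))            # ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def serve_one(self):
        conn, (peer_ip, _) = self.sock.accept()   # already connected here
        try:
            if is_allowed(peer_ip, self.allowed_from):
                self.log.append(f"accepted connect from {peer_ip}")
                conn.sendall(b"220 service ready\r\n")
            else:
                self.log.append(f"warning denied connect from {peer_ip}")
                # nothing sent: just close, like hosts.deny does
        finally:
            conn.close()

    def close(self):
        self.sock.close()


def probe(allowed_from):
    """Run one server round and connect to it from loopback.
    Returns (bytes the client received, server log lines)."""
    srv = WrappedService(allowed_from)
    worker = threading.Thread(target=srv.serve_one)
    worker.start()
    with socket.create_connection(("127.0.0.1", srv.port), timeout=5) as client:
        data = client.recv(64)     # b"" when the wrapper closed on us
    worker.join(5)
    srv.close()
    return data, srv.log


if __name__ == "__main__":
    print(probe(["127.0.0.0/8"]))   # allowed: banner received
    print(probe(["10.0.0.0/8"]))    # denied: empty read, denial logged
```

The same check placed in the input chain of the firewall drops the SYN before the kernel ever completes the handshake, so neither the connection nor the log entry exists; that is the reason pe1chl gives for preferring a firewall rule over the service-level limit.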
 
Retral
newbie
Posts: 32
Joined: Wed Jul 25, 2018 9:10 pm

Re: Feature requests Winbox Optimization

Sun Jun 28, 2020 4:11 am

Hey I'd like to throw these ones out there.
Can you make the menu in Winbox collapsible, to where it's just a column of icons?
I think it would be a great asset to anyone wanting to squeeze every inch out of their screen(s) real estate.

Optimize the re-opening of Winbox. Often I find when I make changes to rules inside different areas like the firewall I'll have the inner window randomly resize on me. When I close and re-open Winbox it has a habit of auto-changing its zoom level, which mangles up the inner windows.

Give us the ability to make the options we check off in the torch default for the next time a torch is opened and give us the option to turn it off if we want.
 
ivicask
Member Candidate
Member Candidate
Posts: 268
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Feature requests

Sun Jun 28, 2020 9:00 pm

Not sure if it was asked, but can we get an option to specify multiple address lists inside a single firewall rule?
 
Jotne
Forum Guru
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Sun Jun 28, 2020 10:48 pm

option to specify multiple address lists inside a single firewall rule?
You can make a jump rule and add multiple rules to it, all with an address list. Not exactly the same, but should work.
 
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Jun 29, 2020 11:31 am

It would be nice to have some additions from the ipset mechanism available as address list items.
- list:set would enable you to make an address list that has a couple of other address lists as members (and can implement the above request)
- counters would show a hit-count in an address list for each item (enabling evaluation of relevance of items in a list)
 
anuser
Long time Member
Long time Member
Posts: 549
Joined: Sat Nov 29, 2014 7:27 pm

Re: Feature requests

Sun Jul 05, 2020 9:49 am

Feature request: "Airtime Fairness" for Wireless, because it helps a lot when a huge number of clients is connected to one SSID and one of them is able to slow down the rest (take a look at https://www.smallnetbuilder.com/wireles ... l=&start=1)
 
eguun
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Fri Apr 10, 2020 10:18 pm

Re: Feature requests

Tue Jul 07, 2020 10:24 am

Hi,

as feature request, I would like mikrotik to have IPsec support of DH group 31 (EC25519)

Diffie-Hellman group 31 is EC25519 (Elliptic Curve 25519)

It's today the only undisputed secure Elliptic Curve algorithm.
And several competing products already support it (pfSense, OPNsense, Fortigate ...)
It's absent from Mikrotik supported protocols: https://wiki.mikrotik.com/wiki/Manual:I ... man_Groups and the Wiki is up-to-date.

Is there a procedure to formally request this support?

Reference RFC: https://tools.ietf.org/html/rfc8031

Thanks
 
opientka
just joined
Posts: 4
Joined: Wed Nov 13, 2019 12:09 pm

Re: Feature requests

Fri Jul 10, 2020 9:22 am

Hello Mikrotik,

here's another feature request:

Add support for LTE Devices to be controlled via CAPsMAN

Example Use case:
My company uses several smaller MikroTik routers (like hAP-AC²) spread over the whole campus as office desktop switches.
All of them share their WiFi hardware to a central CRS328-4C-20S-4S+RM, located in our Server Room, which is our CAPsMAN.
Two of the CAPs are also used to connect an LTE-USB-Stick to provide a backup internet connection over 4G/LTE mobile network.

It would be great if those USB sticks could be virtually relocated into the CAPsMAN, like the WiFi antennas of the CAPs.
Having LTE connected to the central Router/Gateway makes sense. But since CRS328-4C-20S-4S+RM does not have USB and the LTE-Signal inside the server room is really bad, it seems like a good idea to relocate those Sticks to a Desktop-Router, which is located next to a window.

Sure, it is possible to configure that router as a second gateway, but having it configured centralized within CAPsMAN would be a great benefit.
 
SiB
Forum Guru
Forum Guru
Posts: 1573
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Fri Jul 10, 2020 10:51 am

Add support for LTE Devices to be controlled via CAPsMAN
No, it's a bad idea. USB sticks are detected and a dhcp-client is automatically created; you can do many fixes to your needs with scripts & schedulers.

You have a few other ways to do mass configuration, like ssh, scheduler & fetch, .auto.rsc via ftp which works with autostart...
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL | Buy me a caffe
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
 
Wyz4k
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 7:23 am

Can we get an option to add a reason for rebooting? For example /system reboot reason="upgrading to new ROS" and have that reason be stated in the next log?
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 18, 2020 11:09 am

When the reason for the reboot is an upgrade of ROS, the router already logs that...
Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?
 
Wyz4k
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 11:20 am

When the reason for the reboot is an upgrade of ROS, the router already logs that...
Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?
That's right yes. reason = "Shutting down because DHCP broken script triggered a restart."
 
Jotne
Forum Guru
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue Aug 18, 2020 11:22 am

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
 
 
 
Wyz4k
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 11:42 am

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
 
al3xeezer
just joined
Posts: 22
Joined: Thu Feb 27, 2020 11:46 am

Re: Feature requests

Tue Aug 18, 2020 12:35 pm

Would be very useful to have the src-address parameter available for /tool speedtest (as it is for fetch, traceroute, ping...)

Have you considered adding it?
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 18, 2020 4:26 pm

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.
 
Wyz4k
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 6:47 pm

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.
Yes, that would be a useful approach. Unfortunately I operate in an infrastructure-less environment where the configurations are built up and destroyed dynamically and as such we don't have a syslog server option.

Can I get a syslog server too? :D Yes I know dude has one, but a small one for normal routers would be nice.
 
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1209
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Fri Aug 21, 2020 4:17 am

FYI - Reboots and logs.

- 1st; I don't use the Mikrotik native ( /system watchdog "Watch Address" ).
I do not like the way it behaves and it is not smart. Because it is not smart, it can/will trigger a reboot when everything is connected. When the default WatchDog detects a no-ping condition , it will auto-reboot ( even if the connection is restored prior to auto-reboot ).

- 2nd; I use my own WatchDog scripts.
My WatchDog scripts for a Mikrotik have configurable variables which include:
A - How often to perform a Watch-Dog test ping
B - How often to retry Watch-Dog test pings when something is down. It can retry test-pings for seconds or minutes or hours prior to forcing a auto-reboot.
C - Prior to a reboot, it will perform a wireless-site-survey and save the results in a file in the Mikrotik flash file system.
D - After a wireless-site-survey , it will again wait/retry Watch-Dog pings for an additional configuration time period.
E - Finally , when there is actually going to be a reboot, my scripts will write an additional file to the flash file system indicating the time/date/reason for the reboot.

I have used my Watch-Dog scripts for over 10 years now on thousands of Mikrotiks. It works and it works great. I can always find out when a Mikrotik rebooted and why - and a very big advantage is I don't need a remote syslog server.

Also - with these scripts , it's super easy to perform a site-survey on a remote client customer Mikrotik , then drag the site-survey file to your computer and open it to see the site-survey results. Comes in very very handy to see the customer might have many wireless routers in their house on the same frequency or close to the frequency you are using to connect your customers. :)

For many years now, I have posted some of these scripts in the Mikrotik forums.
If you are an ISP or WISP , it is 100-percent worth your time/effort to do the same in your environment/business.

North Idaho Tom Jones
 
dalami
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Mon Dec 12, 2011 9:18 am

Re: Feature requests

Sat Aug 22, 2020 12:06 pm

New request - add a new action to Firewall (probably under Filter)..."Run Script".

Possible horrible security hole? Of course - like anything else.

My first intended use case - via a port knock sequence, update the stored IP for an IPSec peer.

An alternative solution for this use case - allow IPSec peer definitions to be defined with an address-list parameter instead of only a fixed IP.

Another option - allow scripts to be triggered on an address-list change.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Aug 22, 2020 2:01 pm

That is technically not feasible, I'm afraid. Firewall rules are evaluated inside the kernel and they cannot call something in a user process.
The best that could be done is direct some matched traffic towards an NFLOG socket and then have a process listening there and executing the script.
But that still would mean the actual traffic is either passed or blocked depending on the firewall rule, not depending on the outcome of the script.
I'm not sure if that would be obvious to the average user. It would also likely require some complicated setup.

About the IPsec use case: I have requested before to have scripts called in Phase1 that could setup Phase2 policies. That is possible in racoon, but it appears that RouterOS is using FreeSwan/StrongSwan instead. I don't know if that software allows such scripts.
 
gutzeit
newbie
Posts: 26
Joined: Mon Feb 04, 2013 1:19 pm

Re: Feature requests

Fri Sep 11, 2020 7:17 am

Hello, please introduce support for the coa radius for the dhcp server. This is required to change the Mikrotik-Rate-Limit. Thank you.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 15, 2020 11:56 am

I would like to see some classification options (filters) in the DHCP server, so that one can direct different device classes into different pools/networks.

E.g. the ISC DHCP server has a quite powerful mechanism for that, where you can define a "class" based on the DHCP request parameters (like vendor class identifier, DHCP requested options, MAC address, hostname etc), and then you can have different pools where each pool has a list of classes that can or cannot use that pool.
(you can have different allow and deny rules in each pool)

This would allow things like putting devices in another pool/network and thus have different attributes like access to internet yes/no, while they connect to the same physical network.
It would be a good start when it can filter on these attributes:
- vendor class identifier (a string)
- MAC address (a value and a mask)
 
Chupaka
Forum Guru
Forum Guru
Posts: 8540
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Sep 15, 2020 12:42 pm

- vendor class identifier (a string)
Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes
- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 15, 2020 2:29 pm

- vendor class identifier (a string)
Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes
OK, I was not aware of that. Indeed it is mostly what I need, except that I would like an extra match capability on MAC address/mask.
- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
But that is in fact one of the applications I have for it :-)
I want to give users with a local (random) MAC address (02:00:00:00:00:00/03:00:00:00:00:00) an IP address from a different pool where they will get a portal page that prompts them to set "device MAC" for this connection...
The reason for this is that I want to be prepared for a possible meltdown of the network when some manufacturer decides that it is best for privacy to change the MAC all the time, or when they bind it to the AP MAC instead of the SSID (we have 34 APs, so that would cause mayhem in our network).

So this makes my feature request probably much easier to implement as the framework for doing this is already present. It becomes like:
- add capability for "dhcp vendor class" to match on MAC address/mask in addition to match on DHCP request class-id.
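The classification pe1chl describes (ISC-style classes matched on the vendor class identifier and on a MAC value/mask, with per-pool allow/deny lists) as an added Python example; this is not RouterOS code and not anything from the thread's authors. The class names, pool names and vendor-class prefixes are constructed for illustration; only the 02:00:00:00:00:00/03:00:00:00:00:00 value/mask pair comes from the post above.

```python
"""Classify DHCP clients into pools by vendor class and MAC/mask, ISC-dhcpd style."""
from dataclasses import dataclass, field
from typing import Optional, Set


def parse_mac(text: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' to a 48-bit integer."""
    parts = text.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {text!r}")
    return int("".join(parts), 16)


@dataclass
class DhcpClass:
    """One classification rule; every criterion that is set must hold."""
    name: str
    vendor_prefix: Optional[str] = None   # option 60 must start with this
    mac_value: Optional[int] = None       # require (mac & mac_mask) == mac_value
    mac_mask: int = 0xFFFFFFFFFFFF        # default mask: exact MAC match

    def matches(self, mac: int, vendor_class: Optional[str]) -> bool:
        if self.vendor_prefix is not None:
            if vendor_class is None or not vendor_class.startswith(self.vendor_prefix):
                return False
        if self.mac_value is not None and (mac & self.mac_mask) != self.mac_value:
            return False
        return True


@dataclass
class Pool:
    """An address pool with ISC-style 'allow members of' / 'deny members of' lists."""
    name: str
    allow: Set[str] = field(default_factory=set)
    deny: Set[str] = field(default_factory=set)

    def permits(self, classes: Set[str]) -> bool:
        # A deny on any matched class wins; if an allow list exists the client
        # must be in at least one allowed class; otherwise the pool is open.
        if classes & self.deny:
            return False
        if self.allow:
            return bool(classes & self.allow)
        return True


# Constructed rules. The value/mask pair for locally administered (randomized)
# MACs is the one from the thread: 02:00:00:00:00:00/03:00:00:00:00:00, i.e. the
# local bit set and the group (multicast) bit clear in the first octet.
CLASSES = [
    DhcpClass("random-mac",
              mac_value=parse_mac("02:00:00:00:00:00"),
              mac_mask=parse_mac("03:00:00:00:00:00")),
    DhcpClass("windows", vendor_prefix="MSFT"),          # Windows clients send "MSFT 5.0"
    DhcpClass("android", vendor_prefix="android-dhcp"),  # Android sends "android-dhcp-<ver>"
]

# Pools are tried in order; the first that permits the client hands out the lease.
# "portal" is the network whose captive page asks the user to set the device MAC.
POOLS = [
    Pool("portal", allow={"random-mac"}),
    Pool("lan", deny={"random-mac"}),
]


def classify(mac_text: str, vendor_class: Optional[str]) -> Set[str]:
    """Names of every class the request matches."""
    mac = parse_mac(mac_text)
    return {c.name for c in CLASSES if c.matches(mac, vendor_class)}


def select_pool(mac_text: str, vendor_class: Optional[str]) -> Optional[str]:
    """Pool name for this client, or None if no pool admits it."""
    classes = classify(mac_text, vendor_class)
    for pool in POOLS:
        if pool.permits(classes):
            return pool.name
    return None


if __name__ == "__main__":
    for mac, vc in [("02:ab:cd:00:11:22", "android-dhcp-11"),   # randomized MAC
                    ("00:11:22:33:44:55", "MSFT 5.0"),          # burned-in MAC
                    ("06:11:22:33:44:55", None)]:               # local bit set, no vendor class
        print(f"{mac} {vc!s:16} classes={sorted(classify(mac, vc))} pool={select_pool(mac, vc)}")
```

The value/mask form generalizes the single case in the post: with mask ff:ff:ff:00:00:00 the same rule type matches an OUI, and with the all-ones mask it pins one device, so one matcher covers the "random MAC", "this vendor's hardware" and "this specific host" cases.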
 
mkx
Forum Guru
Forum Guru
Posts: 6003
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature requests

Tue Sep 15, 2020 4:01 pm

- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
But that is in fact one of the applications I have for it :-)
Exactly. There are a few good use cases where client device MAC randomization doesn't make any sense and it's good to have some way to remind users to switch off MAC randomization for a particular SSID.
BR,
Metod
 
santyx32
Member Candidate
Member Candidate
Posts: 160
Joined: Fri Oct 25, 2019 2:17 am

Re: Feature requests

Tue Sep 15, 2020 10:19 pm

As a home user I request the following from MikroTik:

Proper WiFi 5 Wave2 support for IPQ40XX and QCA9984 chipsets along with new WiFi 6/6E hardware.

Fq_codel queue type to be available on ROS.
 
davit1988
just joined
Posts: 1
Joined: Thu Feb 23, 2017 8:51 pm

Re: Feature requests

Fri Sep 25, 2020 7:00 pm

Can I have a link to the feature requests for SwOS?

I am looking for the subnet mask / default gateway feature in the SwOS software.

Without this feature it is impossible to manage/monitor a MikroTik device running SwOS from a different subnet. I am surprised it is omitted and is a major limitation.

Regards,
David

Network Engineer, CCNA
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 29, 2020 7:52 pm

Can I have a link to the feature requests for SwOS?

I am looking for the subnet mask / default gateway feature in the SwOS software.

Without this feature it is impossible to manage/monitor a MikroTik device running SwOS from a different subnet. I am surprised it is omitted and is a major limitation.

Regards,
David

Network Engineer, CCNA
You may be surprised as a network engineer, but SwOS does not require this information!
You will find that when you access the switch from another network (reachable only via a gateway), that will just work, even without any subnet mask or gateway information.
Maybe it is an interesting study object to find out how it does that :-)
(it is described somewhere in the online manual, so don't look there first)
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1209
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

A Mikrotik 40-Gig switch is much needed

Wed Sep 30, 2020 1:03 am

A Mikrotik 40-Gig switch is much needed

I sure would like to see a Mikrotik switch with at least eight 40-Gig ports (or even better yet a 16-port 40-Gig switch) and also somewhere between two and eight 10-Gig ports (and zero 1-Gig ports).

I need some 40-Gig switches right now. We are currently in the process of changing our internal 10-Gig core switches to 40-Gig. If Mikrotik routers/switches had any 100-Gig interfaces, then I would be fork-lifting my core internal network (routers & switches) to a 100-Gig core network.

A 10-Gig core network is just not enough core network throughput these days.
I am getting ready to install a second 10-Gig BGP peering session, so two CHR 10-Gig BGP peering routers and a CHR 10-Gig core OSPF router just do not cut it.
Also my internal 10-Gig NFS/iSCSI network is already peaking at 10-Gig now and needs to also be upgraded to 40-Gig interfaces.
In addition, with an eight-port 40-Gig switch, I could then connect all of my VMware ESXi servers at 40-Gig (I have several CHRs I also want to get talking on 40-Gig networks - but I need a 40-Gig switch first...).

North Idaho Tom Jones
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8540
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Wed Sep 30, 2020 5:32 pm

viewtopic.php?p=818709#p818709

They semi-announced 100G in their newsletter :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
michaels
just joined
Posts: 9
Joined: Fri May 17, 2019 8:02 pm

Re: Feature requests

Thu Oct 22, 2020 8:30 pm

Feature requests IPv6 DHCP Relay - Prefix Delegation - create route

Currently (6.48beta48 and 7.1beta2) the relay does not create a route for the prefix.
Without the route on the relay router, the prefix is not reachable.

further description:
viewtopic.php?t=117283
viewtopic.php?f=2&t=97156
 
neszt
just joined
Posts: 2
Joined: Fri Nov 13, 2020 12:46 pm

Re: Feature requests

Tue Nov 17, 2020 7:01 pm

Feature request: add do-not-round option for /ping. (or accuracy=1/10, 1/100, 1/1000 or so)

Currently the /ping utility rounds to ms, which is accurate enough in most cases. However, there are situations where there is a serious need for greater accuracy, e.g. as Linux ping gives.
 
Sparhawk76
just joined
Posts: 3
Joined: Sun Nov 24, 2019 12:14 am

Re: Feature requests

Sun Dec 06, 2020 9:22 pm

Is it at all possible to add an "Add to Connect-List" button next to the "Connect" button in the Wi-Fi scan result details in the web interface?

If the network is an encrypted one, then it should prompt you for the encryption key and automatically add a new entry to the Security Profiles for the new network named to match the SSID.

This would get around the problem of the Connect button changing the default rule in the connect list, that allows the router to automatically connect to available wifi networks as the router moves in mobile installations (RV/Boat).
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1573
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Mon Dec 07, 2020 2:15 pm

Feature request: add do-not-round option for /ping. (or accuracy=1/10, 1/100, 1/1000 or so)
Currently the /ping utility rounds to ms, which is accurate enough in most cases. However, there are situations where there is a serious need for greater accuracy, e.g. as Linux ping gives.
They are listening to that post :) and now... ros7.1beta3

[marcin.przysowa@SXTR_LTE6] > ping mikrotik.com
SEQ HOST SIZE TTL TIME STATUS
0 159.148.147.196 56 47 115ms363us
1 159.148.147.196 56 47 78ms822us
2 159.148.147.196 56 47 67ms953us
3 159.148.147.196 56 47 64ms792us
sent=4 received=4 packet-loss=0% min-rtt=64ms792us avg-rtt=81ms732us max-rtt=115ms363us
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL | Buy me a caffe
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
 
expo
newbie
Posts: 27
Joined: Tue Jan 27, 2009 7:57 am

Re: Feature requests

Sat Jan 09, 2021 10:23 pm

Feature request:

HA feature that will synchronize configuration and connection state between two routers for an active/standby type of network.

See this HA script for inspiration:

https://github.com/svlsResearch/ha-mikrotik

Would like this deployed as an official feature of RouterOS
 
tpedko
just joined
Posts: 11
Joined: Wed May 22, 2019 9:58 am

Re: Feature requests

Wed Jan 20, 2021 2:29 pm

Add Transmission of Syslog Messages over TCP
 
User avatar
IPANetEngineer
Trainer
Trainer
Posts: 1405
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA
Contact:

Re: Feature requests

Wed Jan 20, 2021 5:08 pm

IS-IS and Segment Routing (SR-MPLS)

Discussion is here:

viewtopic.php?f=1&t=171278&p=837339#p837339
Global - MikroTik Support & Consulting - English | Español | Serbian | Danish +1 855-645-7684
https://iparchitechs.com/ecosystem/mikr ... consulting mikrotiksupport@iparchitechs.com
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jan 22, 2021 11:27 am

Change /tool netwatch so that it can also use ARP instead of PING (similar to route gateway checking).
When a local address of the router is entered, it should still send ARP to the interface of that subnet and react to ARP replies.
UP/DOWN status is maintained depending on the arrival of ARP replies.

Purpose: to watch if another host on the network has set the same IP address as the address of a local interface, and possibly send alerts if so.
Similar to "DHCP server alerts".
But of course can also be used to monitor hosts on the local network for being up/down.

Background: someone has entered the address of the default gateway as their own IP address by mistake. Big mayhem. It would be nice to be able to send alerts for that condition before debugging has to be done.
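What the ARP-based watcher described above would have to do, as an added Python example that is not RouterOS code and not from the post: parse ARP frames, keep up/down state per watched host from the replies seen, and raise an alert when any ARP packet (request, reply or gratuitous announcement) claims one of the router's own addresses from a foreign MAC. The frames, MAC and IP addresses are constructed test input; on a real system the frames would come from a raw socket or a capture on the interface.

```python
"""Parse ARP frames and watch for another host claiming one of the router's own IPs."""
import ipaddress
import struct
from typing import Dict, Iterable, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II frame carrying IPv4-over-Ethernet ARP (constructed input)."""
    eth_dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac_bytes(tha)
    eth = eth_dst + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed  # sender hardware/protocol address
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed  # target hardware/protocol address
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_text(frame[22:28]), "spa": str(ipaddress.IPv4Address(frame[28:32])),
            "tha": mac_text(frame[32:38]), "tpa": str(ipaddress.IPv4Address(frame[38:42]))}


class ArpWatch:
    """Netwatch-like monitor fed with the frames seen on one interface."""

    def __init__(self, own: Dict[str, str], watched: Iterable[str]):
        self.own = {ip: mac.lower() for ip, mac in own.items()}  # our IP -> our MAC
        self.last_reply: Dict[str, Optional[float]] = {ip: None for ip in watched}

    def observe(self, frame: bytes, now: float) -> Optional[str]:
        """Feed one frame; returns an alert string on an address conflict, else None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        # Any ARP packet whose sender protocol address is ours but whose sender
        # MAC is not means another host has configured our address, e.g. a user
        # who typed the gateway IP into their own adapter.
        ours = self.own.get(arp["spa"])
        if ours is not None and arp["sha"] != ours:
            return f"conflict: {arp['sha']} claims {arp['spa']} (our MAC is {ours})"
        if arp["op"] == ARP_REPLY and arp["spa"] in self.last_reply:
            self.last_reply[arp["spa"]] = now
        return None

    def status(self, now: float, timeout: float) -> Dict[str, str]:
        """up/down per watched host: up if a reply arrived within `timeout` seconds."""
        return {ip: "up" if seen is not None and now - seen <= timeout else "down"
                for ip, seen in self.last_reply.items()}


if __name__ == "__main__":
    watch = ArpWatch({"192.168.1.1": "dc:2c:6e:00:00:01"}, ["192.168.1.10"])
    rogue = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.1",
                      "00:00:00:00:00:00", "192.168.1.1")
    print(watch.observe(rogue, now=1.0))
    print(watch.status(now=2.0, timeout=30.0))
```

The conflict check deliberately looks at requests as well as replies: a host that has just been given the gateway's address announces it with a gratuitous ARP request, which is the earliest point at which the condition can be caught.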
 
millenium7
Member
Member
Posts: 355
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Fri Feb 05, 2021 8:11 am

Please make some adjustments to OSPF neighbor reporting
First and foremost please take adjacency changes out of the debug,raw log location, it's ridiculous. At the moment only 'Down' is included in 'route, ospf, info', so you can see when a neighbor goes down, but you cannot get a log message when a neighbor goes up. The only way to see state changes, e.g. from down to exstart, 2way, up etc., is to enable full OSPF debugging; this floods the log file with all OSPF packet data and is totally impractical.
We use remote syslog alerts to notify us of any OSPF state changes in real-time as they are critical to network operation and detecting a failure. It wastes a lot of staff time manually checking when it wouldn't be necessary if 2 seconds later we could see a message for "Up".

Secondly I think OSPF state changes shouldn't be in 'route, ospf, info' but rather 'route, ospf, warning', as most of the time Info messages aren't important and I'd like to exclude them. I feel Warning is a more appropriate level.

Third, please change the default view in the OSPF->Neighbors tab to include the 'Adjacency' and 'State' columns. Adjacency time in particular is probably the single most important piece of information to quickly glance at and see "Hang on, why has that neighbor only been up for 30 minutes and all the rest are 60 days? Time to investigate link quality". It would be nice to not have to keep turning this on across hundreds of routers.

Edit: Fourthly, please include the interface in the state change messages, since right now you can't tell which link between routers has gone up/down. The log messages look identical with no regard for which interface has lost adjacency. In cases of primary/backup links it's far more important knowing if the primary link has failed, as it's usually the much faster/better route.

I've written a script as a temporary workaround for points #1 and #4 (only when Up) viewtopic.php?f=2&t=153606&p=842398#p842398
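Detection over log lines, as an added Python example (not millenium7's script and not RouterOS code): it parses OSPF neighbor state-change messages out of remote-syslog text, grades each transition so that both "Down" and the reached-Full "Up" are reported, attaches the interface from an operator-maintained neighbor table (point #4 above, since the message itself does not name the link), and reports which neighbors are currently down. The log lines, hostnames, neighbor IDs and interface names are constructed; the message wording is modelled on RouterOS logs and may differ from what a real router sends, so adjust the regular expression to the lines you actually receive.

```python
"""Turn OSPF neighbor state-change log lines into alerts that name the interface."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample lines in the shape of remote-syslog output from a RouterOS
# router; the exact wording of real OSPF messages may differ from this.
SAMPLE_LOG = """\
Feb 05 08:01:10 rtr-edge1 route,ospf,info OSPFv2 neighbor 10.255.0.2: state change from Full to Down
Feb 05 08:01:12 rtr-edge1 route,ospf,info OSPFv2 neighbor 10.255.0.2: state change from Down to Init
Feb 05 08:01:13 rtr-edge1 route,ospf,info OSPFv2 neighbor 10.255.0.2: state change from Init to ExStart
Feb 05 08:01:14 rtr-edge1 route,ospf,info OSPFv2 neighbor 10.255.0.2: state change from ExStart to Full
Feb 05 08:02:00 rtr-edge1 system,info,account user admin logged in from 192.168.88.5 via winbox
Feb 05 08:03:30 rtr-edge1 route,ospf,info OSPFv2 neighbor 10.255.0.6: state change from Full to Down
"""

# Constructed mapping: the log line carries no interface, so the operator
# supplies neighbor-id -> link from the known topology.
NEIGHBOR_INTERFACE = {"10.255.0.2": "ether2-core1", "10.255.0.6": "wlan1-site6"}

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<topics>[\w,]+) "
    r"OSPFv2 neighbor (?P<neighbor>\d+\.\d+\.\d+\.\d+): "
    r"state change from (?P<old>\w+) to (?P<new>\w+)$")


@dataclass
class Transition:
    ts: str
    host: str
    neighbor: str
    old: str
    new: str
    interface: str


def parse_transitions(text: str, neighbor_interface: Dict[str, str]) -> List[Transition]:
    """Extract every OSPF neighbor state change; non-matching lines are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append(Transition(m["ts"], m["host"], m["neighbor"], m["old"], m["new"],
                                  neighbor_interface.get(m["neighbor"], "unknown")))
    return out


def severity(t: Transition) -> str:
    """Rank a transition the way an on-call engineer would want it paged."""
    if t.new == "Down":
        return "critical"   # adjacency lost
    if t.old == "Full":
        return "warning"    # left Full without dropping entirely (e.g. re-sync)
    if t.new == "Full":
        return "notice"     # adjacency (re)established: the "Up" message the thread asks for
    return "info"           # intermediate states: Init, 2-Way, ExStart, Exchange, Loading


def alerts(text: str, neighbor_interface: Dict[str, str]) -> List[str]:
    """One alert line per transition, including the interface the neighbor sits on."""
    return [f"[{severity(t)}] {t.ts} {t.host}: neighbor {t.neighbor} on {t.interface} "
            f"{t.old} -> {t.new}" for t in parse_transitions(text, neighbor_interface)]


def neighbors_down(text: str) -> Set[str]:
    """Neighbors whose most recent recorded state is Down."""
    state: Dict[str, str] = {}
    for t in parse_transitions(text, {}):
        state[t.neighbor] = t.new
    return {n for n, s in state.items() if s == "Down"}


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG, NEIGHBOR_INTERFACE):
        print(line)
    print("currently down:", sorted(neighbors_down(SAMPLE_LOG)))
```

Because the grading is done on the collector rather than on the router, the "only Down is logged" limitation turns into a filtering decision you control: page on critical, mail on notice, and keep the intermediate states as info for later diagnosis.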
 
User avatar
iperezandres
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Mon Feb 13, 2017 1:17 pm
Location: Madrid
Contact:

Re: Feature requests

Mon Feb 22, 2021 10:26 am

Winbox is wonderful, but a small suggestion: consider adding snapping capabilities to the several windows that can be opened within Winbox. It would be much easier to organize it.

Thanks.
 
MerManMaid
just joined
Posts: 2
Joined: Fri Feb 26, 2021 7:04 am

Re: Feature requests

Fri Feb 26, 2021 10:42 am

Winbox is wonderful, but a small suggestion: consider adding snapping capabilities to the several windows that can be opened within Winbox. It would be much easier to organize it.

Thanks.
Seconded
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Feb 26, 2021 10:52 am

Maybe you should explain what "snapping capabilities" are?
 
User avatar
iperezandres
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Mon Feb 13, 2017 1:17 pm
Location: Madrid
Contact:

Re: Feature requests

Fri Feb 26, 2021 10:59 am

Maybe you should explain what "snapping capabilities" are?
I refer to the option you have in Windows: select the title bar of the window you want to snap, and drag it to the edge of your screen. An outline indicates where the window will snap to once you drop it. Drag it to the left or right side of your screen depending on where you want to snap it to. Some other interfaces allow you to snap windows against each other.

There is an app in Windows that I use: http://windowgrid.net/

It helps to keep several windows visible and organized at the same time.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Feb 26, 2021 11:45 am

Oh... well I prefer stacked windows rather than tiled ones, and I would like to see a "taskbar" or similar feature where you can click windows that have gone buried under others, to raise them again. Or some "lower" function that you can click in a large window to move it back to the bottom of the stack.

In daily use I usually have a "log" window full-sized as backdrop and open other windows on top of that. When I inadvertently click on the log somewhere it raises that window and all other windows disappear behind it. They can be raised only one by one via the menus, but it would be convenient when the log window could be moved back to the backdrop and/or when a list of open windows can be seen or called.
 
User avatar
iperezandres
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Mon Feb 13, 2017 1:17 pm
Location: Madrid
Contact:

Re: Feature requests

Fri Feb 26, 2021 11:57 am

Oh... well I prefer stacked windows rather than tiled ones, and I would like to see a "taskbar" or similar feature where you can click windows that have gone buried under others, to raise them again. Or some "lower" function that you can click in a large window to move it back to the bottom of the stack.

In daily use I usually have a "log" window full-sized as backdrop and open other windows on top of that. When I inadvertently click on the log somewhere it raises that window and all other windows disappear behind it. They can be raised only one by one via the menus, but it would be convenient when the log window could be moved back to the backdrop and/or when a list of open windows can be seen or called.
I like your taskbar approach and the access to the open windows. And it is also compatible with the tile suggestion.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1573
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Fri Feb 26, 2021 4:29 pm

On Win10 we can snap windows with Win + [Left/Right arrow]. For working with 3 monitors it's OK.
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL | Buy me a caffe
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 7381
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature requests

Fri Feb 26, 2021 5:31 pm

On Win10 we can snap windows with Win + [Left/Right arrow]. For working with 3 monitors it's OK.
Easy for a teddy bear with straw for a neck!!!

As for features I believe I read this somewhere recently where someone was suggesting firewall lists within firewall lists.
That way we can select a number of firewall lists into a group of their own and so on.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Feb 26, 2021 7:11 pm

As for features I believe I read this somewhere recently where someone was suggesting firewall lists within firewall lists.
That way we can select a number of firewall lists into a group of their own and so on.
That feature has been present for years. But people don't bother to really study the matter so they often will not find that by themselves.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1573
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Sat Feb 27, 2021 12:57 pm

More important for me would be a selective protocol: not only TCP or UDP and creating double rules, but having a protocol list, 6 TCP + 17 UDP, in one FW RULE - this could group my firewall rules drastically.
An Access List of other Access Lists would be great, like a rule with one regex: 10.50.[128-254].[30-35], which would match all my 128 branches with the printer range in each branch - now I generate 128 rules for one LIST in the Access List.
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL | Buy me a caffe
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Feb 27, 2021 5:22 pm

More important for me would be a selective protocol: not only TCP or UDP and creating double rules, but having a protocol list, 6 TCP + 17 UDP, in one FW RULE - this could group my firewall rules drastically.
That makes no sense! TCP and UDP are different protocols, they cannot be grouped.
An Access List of other Access Lists would be great, like a rule with one regex: 10.50.[128-254].[30-35], which would match all my 128 branches with the printer range in each branch - now I generate 128 rules for one LIST in the Access List.
As I said before: people don't bother to really study the matter so they often will not find that by themselves.
They do stupid things that can easily be done another way.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1573
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Sun Feb 28, 2021 7:17 pm

That makes no sense! TCP and UDP are different protocols, they cannot be grouped.
TCP&UDP for 53, 3389 can be done by 2 rules, not 4.
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL | Buy me a caffe
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun Feb 28, 2021 7:55 pm

And rules for a number of different addresses can be combined using address lists.
Rules that are some exception e.g. only for certain interfaces can be grouped into a single chain that is jumped from the toplevel chains.
So there really is not a problem.
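The address-list consolidation pe1chl points to, applied to SiB's 10.50.[128-254].[30-35] pattern, as an added Python example that is not from the thread or from MikroTik: it expands the pattern, coalesces the addresses into first-last ranges, prints the RouterOS address-list commands and checks a candidate address against the result, so a single filter rule with src-address-list (or dst-address-list) replaces the per-branch rules. The list name is constructed; the code handles any four-octet pattern with fixed octets or [a-b] ranges, not only the one in the post.

```python
"""Expand an octet-range pattern into RouterOS address-list entries."""
import ipaddress
import itertools
import re
from typing import List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
OCTET = re.compile(r"^(?:(\d{1,3})|\[(\d{1,3})-(\d{1,3})\])$")


def expand_pattern(pattern: str) -> List[ipaddress.IPv4Address]:
    """Every address denoted by 'a.b.[x-y].[p-q]' (each octet fixed or a range), ascending."""
    choices = []
    for part in pattern.split("."):
        m = OCTET.match(part)
        if not m:
            raise ValueError(f"bad octet pattern: {part!r}")
        if m.group(1) is not None:
            lo = hi = int(m.group(1))
        else:
            lo, hi = int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of order or out of bounds: {part!r}")
        choices.append(range(lo, hi + 1))
    if len(choices) != 4:
        raise ValueError("pattern must have four octets")
    return [ipaddress.IPv4Address(".".join(map(str, o))) for o in itertools.product(*choices)]


def to_ranges(addrs: List[ipaddress.IPv4Address]) -> List[Range]:
    """Coalesce a sorted address list into contiguous first-last ranges."""
    ranges: List[Range] = []
    for a in addrs:
        if ranges and ranges[-1][1] + 1 == a:
            ranges[-1] = (ranges[-1][0], a)
        else:
            ranges.append((a, a))
    return ranges


def to_cidrs(ranges: List[Range]) -> List[ipaddress.IPv4Network]:
    """The same coverage as CIDR prefixes, for tools that do not accept ranges."""
    return [net for lo, hi in ranges for net in ipaddress.summarize_address_range(lo, hi)]


def _entry(lo: ipaddress.IPv4Address, hi: ipaddress.IPv4Address) -> str:
    return str(lo) if lo == hi else f"{lo}-{hi}"


def address_list_commands(name: str, ranges: List[Range]) -> List[str]:
    """RouterOS CLI lines; address-list entries accept single IPs, prefixes and first-last ranges."""
    return [f"/ip firewall address-list add list={name} address={_entry(lo, hi)}"
            for lo, hi in ranges]


def in_list(ranges: List[Range], ip: str) -> bool:
    """Would a packet from/to `ip` match a rule that references this list?"""
    a = ipaddress.IPv4Address(ip)
    return any(lo <= a <= hi for lo, hi in ranges)


if __name__ == "__main__":
    ranges = to_ranges(expand_pattern("10.50.[128-254].[30-35]"))
    print(len(ranges), "range entries,", len(to_cidrs(ranges)), "as CIDR prefixes")
    for cmd in address_list_commands("branch-printers", ranges)[:3]:
        print(cmd)
    print("10.50.200.33 matches:", in_list(ranges, "10.50.200.33"))
```

Note that the range 128-254 as written covers 127 third-octet values, so the list gets 127 range entries (254 if expressed as prefixes, because 30-31 and 32-35 are separate CIDR blocks); either way the firewall filter itself shrinks to one rule per action.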
 
prawira
Trainer
Trainer
Posts: 319
Joined: Fri Feb 10, 2006 5:11 am

Re: Feature requests

Mon Mar 01, 2021 11:33 am

another feature request from me :
viewtopic.php?t=172489

Paul
 
craterman
just joined
Posts: 12
Joined: Tue Oct 14, 2014 1:26 pm

Re: Feature requests

Mon Mar 01, 2021 1:06 pm

BGP Link Bandwidth Extended Communities
https://tools.ietf.org/html/draft-ietf- ... ndwidth-07
 
millenium7
Member
Member
Posts: 355
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Mon Mar 15, 2021 2:48 am

MikroTik please fix/implement the SNMP-Get output as standard
Currently /tool snmp-get does not allow you to store the output to a string/variable, it remains empty, making it a rather useless command

I need to be able to poll other devices in our network and then take action
Our main use case is for monitoring values on a radio link
i.e. RouterA->RadioA->RadioB->RouterB
We run OSPF from RouterA to RouterB which is fine for detecting outright link failure. But if the link between RadioA and RadioB becomes slow or unreliable, then neither router has any knowledge of it

I want routers to poll their radio neighbor and get the RSSI/SNR/MCS values and act upon them. If there's a heavy rain storm causing a link to run at MCS0/1 or flapping, or lots of retransmission I want to disable the OSPF interface so traffic does not use that link and takes another path until it comes back to normal stable values
At the moment it causes havoc with phone calls
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Mar 15, 2021 11:08 am

I want routers to poll their radio neighbor and get the RSSI/SNR/MCS values and act upon them. If there's a heavy rain storm causing a link to run at MCS0/1 or flapping, or lots of retransmission I want to disable the OSPF interface so traffic does not use that link and takes another path until it comes back to normal stable values
At the moment it causes havoc with phone calls
I agree, but although it would be possible to do all kinds of custom scripting for this it would be even more welcome when there would be some standard facility to automatically use link quality metrics in routing protocols. I.e. a worse link can get a lower preference so it is not completely disabled but can still be used as a fallback when all other paths fail.

It appears that a major market for MikroTik is the wireless network where multiple wireless links are combined with routers to form a network, and it is a bit of a pity that the wireless world and the routing world are completely isolated. The wireless world has metrics like RSSI/SNR/CCQ/MCS but the routing world assumes all links are equal and 100%.
 
prawira
Trainer
Trainer
Posts: 319
Joined: Fri Feb 10, 2006 5:11 am

Re: Feature requests

Tue Mar 16, 2021 3:14 pm

dear all,

As the DHCP server on MikroTik already supports vendor-class but MikroTik devices themselves do not have a VID, it would be a good idea to put a special VID on all MikroTik devices, so we can put MikroTik devices in a different pool (still on the same DHCP server) according to the VID.

cheers

Paul
 
millenium7
Member
Member
Posts: 355
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Wed Mar 17, 2021 3:00 am


I agree, but although it would be possible to do all kinds of custom scripting for this it would be even more welcome when there would be some standard facility to automatically use link quality metrics in routing protocols. I.e. a worse link can get a lower preference so it is not completely disabled but can still be used as a fallback when all other paths fail.

It appears that a major market for MikroTik is the wireless network where multiple wireless links are combined with routers to form a network, and it is a bit of a pity that the wireless world and the routing world are completely isolated. The wireless world has metrics like RSSI/SNR/CCQ/MCS but the routing world assumes all links are equal and 100%.
Absolutely. However, assuming we stick with OSPF it's not viable as it would break compatibility with other devices. However if it's another protocol that rides on top of it as an extension and can completely override the OSPF behavior (much like what MPLS does) then, maybe.
However this still presents a problem because the radios need to be polled, and all devices have different methods of reading the data. The vast majority don't have APIs or any sort of protocol to communicate what's happening; the only possible solution is SNMP and that's just too messy to be used in any sort of official protocol.

This isn't a MikroTik problem, it's a wireless standards problem. There should be another industry standard protocol that can communicate link quality stats, and any devices between link end-points have the ability to communicate what they are, what their role is, what their reported link quality/speed/retransmission/etc. data is, and then this information can be acted upon by routers that use this language in an MPLS/OSPF/something else protocol to more intelligently handle traffic.
So you could do things like use radio link A for all traffic, but as it progressively drops it'll start to shift high CoS traffic elsewhere and/or load balance (or even transmit duplicate frames to improve delivery efforts) but then steer it back as needed.

However the short simple version is this: right now MikroTik is just 1 small step away from allowing the community to write their own pseudo protocol by way of reading SNMP values. Everything is already in place to do this, it literally just needs the ability to store SNMP values for use in scripts.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Mar 17, 2021 11:45 am

Yes, that surely would help. It would be nice to have the possibility to read SNMP values into variables and then run a script to modify parameters of the routing.
In BGP it would be possible to change route filters that set "BGP prepend" and "BGP local pref". Unfortunately they are coarse controls, but it is at least better than disabling an entire interface and potentially making a destination completely unreachable.
I have been thinking about it before, and considered writing something that would be running at a central location (or a location per area) e.g. on a Raspberry Pi, which would collect this information for several links, do some calculation of an optimal usage of the available links, and then configure the routers via API.
I have no experience with OSPF. I did use EIGRP in the past and there is a calculation of a path metric from bandwidth, load, delay and reliability there which would suit much better what we need here.
 
millenium7
Member
Member
Posts: 355
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Thu Mar 18, 2021 12:03 am

I don't like OSPF for wireless networks, it really isn't a very good protocol for it at all. EIGRP definitely would be better suited, but I've had this discussion before and it seemed to fall on deaf ears.
The next best thing (and I actually agree for more widespread use, not just wireless networks) is IS-IS.
With OSPF you don't have many metrics to tweak; the best you can do is path cost, and that will drop the adjacency, so it isn't suited for live adjustment.
BGP is really not suited for internal networks. iBGP has problems, and BGP routes don't get used as MPLS labels, so that's already a problem.

We have 2 options: MPLS-TE potentially, though I really don't have much experience with it to know if it's suited.

And this viewtopic.php?f=14&t=161968&p=843061#p843061
Which is also very messy and only allows traffic steering 1 hop at a time. However, combined with some lists of mangle rules it's possible to define levels and steer traffic accordingly,
i.e. under normal circumstances just ignore it, but as load increases or conditions worsen (by reading radio values), create a 'Level1' global variable and then enable a mangle rule that sends just DSCP 46 traffic, for instance.
As it gets worse again, go to Level2 which in addition to DSCP46 might start steering control protocols like winbox, BGP, SNMP etc.
Then Level3 which includes TCP handshakes.
Level4 business class traffic etc etc.

This would allow some dynamic traffic offloading. It's just very messy with scripts. However for the most part it's copy/paste once set up correctly. This is what I'd be implementing, I'm just waiting on 1 particular key thing.................... ABILITY TO STORE SNMP VALUES! :\
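The Level1..Level4 scheme described above, together with pe1chl's earlier point that a bad link should lose preference rather than be cut off, as an added Python example (not millenium7's scripts and not something RouterOS offers): a small controller that turns polled link samples into a steering level, degrading at once but recovering one level at a time after several consecutive better samples, so a flapping radio does not toggle the mangle rules with every poll. Threshold numbers, sample values and the rule labels are constructed; the SNMP polling that would feed it is exactly the piece the post says is missing, so it is left out.

```python
"""Map polled radio-link samples to traffic-steering levels with hysteresis."""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Sample:
    mcs: int          # modulation and coding scheme index currently negotiated
    retx_pct: float   # share of frames that needed retransmission, in percent


# Level thresholds as (minimum MCS, maximum retransmission %); a sample gets the
# first level whose thresholds it satisfies, otherwise the worst level.
# Constructed numbers: tune them to the radios in use.
THRESHOLDS = [(7, 5.0), (5, 15.0), (3, 30.0), (1, 50.0)]
WORST = len(THRESHOLDS)  # level 4

# Traffic class steered off the link at each level (cumulative), following the
# thread's Level1..Level4 idea; the names are constructed mangle-rule labels.
STEER_AT_LEVEL = {1: "dscp46-voice", 2: "control-plane", 3: "tcp-handshake", 4: "business-class"}


def raw_level(sample: Sample) -> int:
    """Level a single sample would indicate on its own, without history."""
    for level, (min_mcs, max_retx) in enumerate(THRESHOLDS):
        if sample.mcs >= min_mcs and sample.retx_pct <= max_retx:
            return level
    return WORST


class LinkQualityController:
    """Degrade immediately, recover one level at a time after N consecutive better samples.

    The asymmetry keeps a flapping radio from dragging steering rules up and
    down with every poll, which would itself disturb the calls the scheme protects.
    """

    def __init__(self, recover_samples: int = 3):
        self.recover_samples = recover_samples
        self.level = 0
        self._better_streak = 0

    def update(self, sample: Sample) -> int:
        """Feed one poll result; returns the level now in force."""
        observed = raw_level(sample)
        if observed > self.level:            # worse than current: act at once
            self.level = observed
            self._better_streak = 0
        elif observed < self.level:          # better: wait for a sustained streak
            self._better_streak += 1
            if self._better_streak >= self.recover_samples:
                self.level -= 1
                self._better_streak = 0
        else:
            self._better_streak = 0
        return self.level

    def rules_enabled(self) -> Set[str]:
        """Mangle rules that should be enabled at the current level."""
        return {name for lvl, name in STEER_AT_LEVEL.items() if lvl <= self.level}

    def run(self, samples: List[Sample]) -> List[int]:
        """Convenience: the level after each sample in turn."""
        return [self.update(s) for s in samples]


if __name__ == "__main__":
    ctl = LinkQualityController(recover_samples=3)
    polls = [Sample(9, 1.0), Sample(2, 40.0)] + [Sample(9, 1.0)] * 9   # constructed poll series
    for s, lvl in zip(polls, ctl.run(polls)):
        print(f"mcs={s.mcs:2d} retx={s.retx_pct:4.1f}% -> level {lvl}")
    print("rules now:", sorted(ctl.rules_enabled()))
```

Keeping the link usable at every level (only more traffic classes are steered away as conditions worsen) is the fallback property pe1chl asked for: the path is never removed outright, so a destination reachable only over that radio stays reachable.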
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Mar 18, 2021 11:51 am

I think your only real option for routing differently depending on packet marks (e.g. based on DSCP or other kinds of SLA) is to have multiple different routing tables each maintained by a separate instance of a routing protocol (or different routing protocols), and using a selection of the routing table that is the same all through the network.
In your case: you maintain a separate routing table for VoIP and select it based on DSCP 46 or "upper 3 bits of DSCP are 5".
The routing table (also called "routing mark" in RouterOS) is maintained by a routing protocol instance that is tuned differently, and emphasizes reliable paths rather than fast paths.
To get this working OK in more complex networks than you picture it is essential that all the nodes in the network are configured the same, and that there are no nodes where e.g. the routing table selection based on DSCP is forgotten or is different. Because that would easily result in routing loops.
 
Helix
just joined
Posts: 3
Joined: Sun Nov 22, 2020 1:00 am

Re: Feature requests

Thu Mar 18, 2021 7:02 pm

This isn't a MikroTik problem, it's a wireless standards problem. There should be another industry standard protocol that can communicate link quality stats, and any devices in beween link end-points have the ability to communicate what they are, what their role is, what their reported link quality/speed/retransmission/etc is data and then this information can be acted upon by routers that use this language in an MPLS/OSPF/Something else protocol to more intelligently handle traffic
Last edited by Helix on Mon Apr 12, 2021 6:21 pm, edited 7 times in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Mar 19, 2021 10:39 am

Please add average cpu usage for the last day / month / year whatever.
That has been available for many years already! Look at Tools->Graphing
 
mada3k
Member
Member
Posts: 387
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Feature requests

Fri Mar 19, 2021 10:52 am

Please make some adjustments to OSPF neighbor reporting
First and foremost please take adjacency changes out of the debug,raw log location, its ridiculous. At the moment only 'Down' is included in 'route, ospf, info' so you can see when a neighbor goes down, but you cannot get a log message when neighbor goes up.
I agree. All other platforms report Ups and Downs.
CCR/CRS/hEX/wAP • Ansible • NetXMS
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Apr 17, 2021 12:18 pm

Can you please add the "rpfilter" matcher to the firewall matching rule options?
See viewtopic.php?f=2&t=120863 and viewtopic.php?f=14&t=56572
 
emunt6
just joined
Posts: 15
Joined: Fri Feb 02, 2018 7:00 pm

Re: Feature requests

Mon Apr 19, 2021 1:57 am

What is the future replacement plan for CCR1072?
(Tilera CPU support is dropped by the Linux kernel - so it has no future).

I would like to see a new CCR hardware like this:
- Intel BareFoot TOFINO based ASIC
- ARM64 CPU (example: Marvell OCTEON )
- 32GB ECC RAM
- 2x msata / SATA port
- 2x USB port
- 2x hot swap PSU

Just for comparison:
-Ubiquiti USW Leaf Switch (48x 25GbE and 6x 100GbE)

:)
 
Cablenut9
Member Candidate
Member Candidate
Posts: 278
Joined: Fri Jan 08, 2021 5:30 am

Re: Feature requests

Mon Apr 19, 2021 2:32 am

( Tilera CPU support is dropped by linux kernel - so its no future ).
Mikrotik has already made kernel patches just for Tilera, so no worries there.
Serial question asker
 
mkx
Forum Guru
Forum Guru
Posts: 6003
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature requests

Mon Apr 19, 2021 8:23 am

( Tilera CPU support is dropped by linux kernel - so its no future ).
Mikrotik has already made kernel patches just for Tilera, so no worries there.

Tile is an old platform nevertheless, and it would be unwise to introduce new products based on outdated hardware. Future support for current products is a completely different matter.
BR,
Metod
 
Guscht
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Thu Jul 01, 2010 5:32 pm

Re: Feature requests

Fri Apr 30, 2021 11:39 am

Hi, I have seen MikroTik has implemented an OTP option in RouterOS v7 beta / User Manager to couple the Google Authenticator app.
This works flawlessly, great!

My request would be: PLEASE add this feature to the normal PPP-Secrets as well and also in ROS V6 (because I assume ROS V7 will not show up the next 2 - 5 years and 2FA is really important)!
This would dramatically increase security!!

First factor the normal password.
Second factor the OTP from the Authenticator App.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Fri Apr 30, 2021 11:50 am

Hello

To mitigate DNS attacks,
please add a listen address option; this is better than using ip firewall filters.

/ip dns set allow-remote-requests=yes
/ip dns set listen-src-address=192.168.88.0/24,x.xx,y.y.y


Regards
Can't you already do that via the firewall? I don't understand what more you need. If you want to block DNS requests from outside the net, or allow only DNS requests from that IP range, simply make a firewall rule for TCP/UDP port 53.
+10
It's better than the firewall; like with all other /ip services, you can directly put the IP range here without using the firewall,
and it is a more logical approach for a SERVICE inside the RouterBOARD than firewalling itself....
I'm Italian, not English. Sorry for my imperfect grammar.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Fri Apr 30, 2021 12:23 pm

In the scripts and schedules editor in winbox can we please add the ability to select all - ie ctrl a? At the moment in order to select a big script you have to manually drag from start to finish.
ctrl + home
ctrl + shift + end
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Apr 30, 2021 4:26 pm

Under /system logging action for target=remote please add some option to include the topics in the message sent to the remote log server.
E.g. add [topic,topic,topic] between the system name and the message when this option is set.
 
akschu
newbie
Posts: 47
Joined: Thu Mar 15, 2012 2:09 am

Re: Feature requests

Fri Apr 30, 2021 6:02 pm

Formatting for /tool sniffer quick needs some work. The wider the console, the more space is given to the INTERFACE column, however that is static and we know what that is since we probably defined it. It would be FAR better to give the space to the SRC-ADDRESS and DST-ADDRESS columns. That way we don't end up with something like this:
INTERFACE                                                                                        TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP
ether1                                                                                    0.3      1 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                   1.29      2 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                   2.29      3 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                  3.307      4 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                    4.3      5 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                    5.3      6 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
Notice we have all the space in the world for the INTERFACE, but the arp request shown in SRC-address is cut off and useless. If I make the console wider, I still can't see the ARP, I just get more blank space in the INTERFACE column.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Fri Apr 30, 2021 6:09 pm

Under /system logging action for target=remote please add some option to include the topics in the message sent to the remote log server.
E.g. add [topic,topic,topic] between the system name and the message when this option is set.

Prefix already exists...
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Apr 30, 2021 6:32 pm

Prefix already exists...
That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Fri Apr 30, 2021 9:09 pm

Prefix already exists...
That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
Ah, sorry, I misunderstood...
 
DJGlooM
newbie
Posts: 30
Joined: Thu May 15, 2014 2:28 am

Re: Feature requests

Tue May 04, 2021 3:32 am

Just thought of:

Is it possible to make winbox open predefined sets of windows on connect?
I guess it would be like a universal session, because from time to time you need to manually configure some sets of typical settings, and it would be nice not to navigate the same tabs over and over.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue May 04, 2021 8:05 am

That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
See my post here from 2017. MT has not fixed anything of this yet.
viewtopic.php?t=124291

Support has only said that they are looking into it. Nothing has changed in v7.
 
Try Splunk> to monitor your MikroTik Router(s). Look at this page on how to set it up.

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue May 04, 2021 11:01 am

That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
See my post here from 2017. MT has not fixed anything of this yet.
viewtopic.php?t=124291

Support has only said that they are looking into it. Nothing has changed in v7.
True, but in this case I am not referring to cleanup of the topic names or capabilities to match it inside RouterOS, but to
the possibility of sending the topic names in a syslog message. As far as I know that isn't possible, or do you know a way?
I want the message sent to a BSD syslog server to include those topic names into the message text, not only setting the
message priority based on the warn/info/debug thing. As far as I know all other topic info is gone once it is sent as syslog.
Or am I wrong?

And indeed, the reason I post it is also that nothing is changed in v7 w.r.t. this, while it is apparent that some improvements
can be made to the logging.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue May 04, 2021 1:16 pm

Can you post an example of how it looks and how you would like it to be?
I do use lots of logging in Splunk for Mikrotik, see my signature, and not sure what you miss.

PS: no need to quote the complete message above you. Use the Post Reply button below the post, please.
 
 
 
imager
just joined
Posts: 1
Joined: Tue May 04, 2021 1:57 pm

Re: Feature requests

Tue May 04, 2021 2:21 pm

Add feature support for industry standards IEC 61850-3 and IEEE 1613 for electrical substations.
 
modsx
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Wed Feb 24, 2016 3:54 pm

Re: Feature requests

Tue May 04, 2021 3:07 pm

The Dude needs to open Winbox with one mouse click on the Device. We are not woodpeckers!
P.S. It would still be nice if one could drag & drop the Devices to another Network Map, but this is secondary.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue May 04, 2021 4:47 pm

Can you post an example of how it looks and how you would like it to be?
When I look in the logging that my BSD syslog server writes to disk I see:
May 2 10:43:20 MikroTik Connection closed

When I look in the Log viewer in Winbox I see:
May/02/2021 10:43:20 | route, bgp, info | Connection closed

I see no way to get that "route, bgp, info" part in the log message sent to the BSD syslog server.
How do you do that?

Oh and please do not bug me about including some context in a reply! When I put replies without context I get nonsense reactions from people that reply to it without first checking to what it was a reply.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2162
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue May 04, 2021 9:26 pm

Strange. I do get lots of module info. Look at example in my link:
viewtopic.php?t=124291

Try to remove the check mark for BSD Syslog format and see if it changes.
I do log to Splunk directly, but I have tested it with rsyslog server and it works there as well.

Here are some examples. I have added MikroTik as a prefix.
firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 11.11.183.214:47494->22.20.2.91:24063, len 40
dhcp,debug,packet MikroTik:     Parameter-List = Subnet-Mask,Router,Domain-Server,Domain-Name,NETBIOS-Name-Server,Static-Route
script,info MikroTik: script=pool pool=default-dhcp used=9 total=244
dhcp,info MikroTik: DHCP-vlan1-Home assigned 192.168.10.186 to 3D:8E:20:1D:F0:29
dns,error MikroTik: DoH server connection error: remote disconnected while in HTTP exchange
dns,packet MikroTik: <gew1-accesspoint-e-l0np.ap.spotify.com:A:107=104.199.64.182>
wireless,info MikroTik: 9E:7A:3A:89:36:A1@wlan2: disconnected, received disassoc: sending station leaving (8)
bridge,stp MikroTik: wlan2 forwarding
dhcp,warning MikroTik: DHCP-vlan1-Home offering lease 192.168.10.206 for D8:BF:C0:50:33:DC without success
l2tp,ppp,info MikroTik: <l2tp-Kjell-Ivar>: disconnected
ipsec,info MikroTik: ISAKMP-SA deleted 22.20.2.91[4500]-9.19.78.44[4500] spi:46f07f9aaad565f3:4b0b7aaaa22ae161 rekey:1
l2tp,info MikroTik: first L2TP UDP packet received from 9.19.78.44
 
 
 
Mike33
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Tue Jun 25, 2013 2:13 am

Re: Feature requests

Wed May 05, 2021 3:01 am

1) Need support for global variables that could be used in firewall rules and scripts.
2) Need support for dns-names in firewall rules.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed May 05, 2021 11:23 am

Try to remove the check mark for BSD Syslog format and see if it changes.
I do log to Splunk directly, but I have tested it with rsyslog server and it works there as well.
Well, when I do not set BSD Syslog I cannot set Syslog Facility. That is required because I use that to direct the logs on the syslog server to the correct file.
(if not it will mix with the logs from the local system)
I set "Syslog Facility 16 (local0)" and then in the receiving system in rsyslogd.conf I match on local0 like this:
local0.* /var/log/mikrotik

I guess to solve that I would need to run a second syslog daemon on another port number and with a separate config that just sends everything to a single log...

Strange that this flag has any influence on the inclusion of the topics in the message!
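To show how the two sides of this exchange fit together, here is an added example (not code from the thread, MikroTik or rsyslog): a small receiver-side Python parser for the non-BSD lines Jotne quoted ("topics prefix: message") that pulls the topic list out, derives the syslog severity from the info/warning/error/debug topic, and re-emits the line as BSD syslog with the facility 16 (local0) pe1chl uses and the "[topic,topic]" field he asked for. The prefix "MikroTik", the constructed timestamp and the 'notice' default for lines without a severity topic are assumptions.

```python
"""Added example (not code from the thread, MikroTik or rsyslog): parse MikroTik
non-BSD remote-log lines ("topics prefix: message") and re-emit them as BSD syslog
with the topics kept.  Assumptions: facility 16/local0 as in the thread, prefix
"MikroTik", and 'notice' for a line that carries no severity topic."""
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY = {"debug": 7, "info": 6, "warning": 4, "error": 3, "critical": 2}  # RFC 3164 codes
DEFAULT_SEVERITY = 5  # notice: assumption for lines such as "bridge,stp"
FACILITY_LOCAL0 = 16  # "Syslog Facility 16 (local0)" from the thread

# Topics are comma-joined without spaces; the prefix is whatever the router's
# logging action was configured with.  A BSD-format line will not match.
LINE_RE = re.compile(r"^(?P<topics>[\w-]+(?:,[\w-]+)*) (?P<prefix>\S+):\s*(?P<msg>.*)$")

@dataclass
class LogRecord:
    topics: List[str]
    prefix: str
    message: str

    @property
    def severity(self) -> int:
        for topic in self.topics:
            if topic in SEVERITY:
                return SEVERITY[topic]
        return DEFAULT_SEVERITY

    def pri(self, facility: int = FACILITY_LOCAL0) -> int:
        return facility * 8 + self.severity  # RFC 3164 PRI

def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord, or None when the line has no topic list."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return LogRecord(m["topics"].split(","), m["prefix"], m["msg"])

def to_bsd_syslog(line: str, timestamp: str, facility: int = FACILITY_LOCAL0) -> Optional[str]:
    """Re-emit as '<PRI>timestamp host [topic,topic] message': a facility-based
    rsyslog rule (local0.*) still matches and the topics survive in the text."""
    rec = parse_line(line)
    if rec is None:
        return None
    return f"<{rec.pri(facility)}>{timestamp} {rec.prefix} [{','.join(rec.topics)}] {rec.message}"

def select(lines: List[str], topic: str) -> List[LogRecord]:
    """Keep only the records carrying the given topic, e.g. every 'dhcp' line."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r is not None and topic in r.topics]

# Constructed sample input, copied from the lines quoted in the thread.
SAMPLE_LINES = [
    "firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 11.11.183.214:47494->22.20.2.91:24063, len 40",
    "dhcp,debug,packet MikroTik:     Parameter-List = Subnet-Mask,Router,Domain-Server,Domain-Name,NETBIOS-Name-Server,Static-Route",
    "dhcp,warning MikroTik: DHCP-vlan1-Home offering lease 192.168.10.206 for D8:BF:C0:50:33:DC without success",
    "bridge,stp MikroTik: wlan2 forwarding",
    "May 2 10:43:20 MikroTik Connection closed",  # BSD-format line: topics already lost
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_bsd_syslog(line, "May  2 10:43:20") or f"no topics: {line}")
```

The last sample line shows the point pe1chl makes: once a message has left the router in BSD format with no topics, nothing on the receiver can recover them.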
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Wed May 05, 2021 2:38 pm

1) Need support for global variables that could be used in firewall rules and scripts.
2) Need support for dns-names in firewall rules.
2) already exists by address-list, but

example for 1) ?
thanks
 
syadnom
Long time Member
Long time Member
Posts: 537
Joined: Thu Jan 27, 2011 7:29 am

Re: Feature requests

Fri May 07, 2021 9:00 pm

For LoRaWAN devices

Add a package to support their 'light hotspot' so we can use MikroTiks on the Helium network. Helium is a rapidly growing IoT network.
Helium.com
 
Mike33
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Tue Jun 25, 2013 2:13 am

Re: Feature requests

Sun May 09, 2021 9:09 pm

example for 1) ?
For example, to save any state of a process between individual script launches.
For example, for more convenient writing of configuration scripts for different routers according to a single template.

2) already exists by address-list, but
What's a convenient way to update ip-addresses when one dns-name has multiple ip-addresses?
 
Mike33
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Tue Jun 25, 2013 2:13 am

Re: Feature requests

Mon May 10, 2021 12:41 am

example for 1) ?
For example, in the script, an SMS is sent via the lte port to a certain phone number.
It would be convenient if this number was taken from some global variable. When it becomes necessary to change this number, then there will be no need to change the script text, but it will be enough to change the value of the global variable.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Mon May 10, 2021 1:05 am

:global variables already exist...
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Mon May 10, 2021 1:10 am

2) already exists by address-list, but
What's a convenient way to update ip-addresses when one dns-name has multiple ip-addresses?
"already exists by address-list" is not "the address-list already exists".
The address list automatically adds and updates the IPs dynamically if you put the DNS name inside the address list.

But for me it is a very bad idea to add a DNS name to a firewall rule; if the IP changes often, like on a CDN, for example Netflix,
every time the rule is hit the firewall must wait for DNS resolution...
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Mon May 10, 2021 1:15 am

example for 1) ?
For example, to save any state of a process between individual script launches.
":global" variables already exist...
and you can save the variable value to a file,
and you can also send the file to another device, and on that device read the variable(s) inside the file and set them as (local) global variables...
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Mon May 10, 2021 1:17 am

For example, for more convenient writing of configuration scripts for different routers according to a single template.
???
I'm already using scripts with global variables inside to configure the devices, like all the CPEs, APs, PTPs, etc.
 
emunt6
just joined
Posts: 15
Joined: Fri Feb 02, 2018 7:00 pm

Re: Feature requests

Wed May 12, 2021 4:20 pm

*Feature Request

Mikrotik CCR products:
> Conformity against the Telcordia NEBS (GR-63, GR-1089) requirements
( https://telecom-info.njdepot.ericsson.net/ )
 
mike548141
just joined
Posts: 8
Joined: Sun Aug 16, 2020 5:14 am

Re: Feature requests

Thu May 20, 2021 2:21 am

With the default NTP client I can use DNS FQDNs to specify the NTP sources, but if I install the NTP server package I can only specify IP addresses as the NTP sources. Not ideal, since the IP addresses change over time and are out of my control (and the same goes for most people using an Internet NTP source).
Could you please merge the standard NTP client code with the NTP server package code so that both support using DNS FQDNs for the source?

/system ntp client set enabled=yes server-dns-names=0.nz.pool.ntp.org,1.nz.pool.ntp.org;
 
pe1chl
Forum Guru
Forum Guru
Posts: 7483
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu May 20, 2021 11:23 am

Could you please merge the standard NTP client code with the NTP server package code so that both support using DNS FQDNs for the source?
This has been resolved in the version 7 beta so I guess you will have to wait until that becomes the stable version.
It also allows more NTP servers and the server package is no longer separate (all installations have client and server).
 
ivicask
Member Candidate
Member Candidate
Posts: 268
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Feature requests

Fri May 21, 2021 2:03 pm

Can we get ICAP client support?
 
codykl
just joined
Posts: 1
Joined: Tue Dec 03, 2019 4:41 pm

Re: Feature requests

Sun Jun 13, 2021 8:48 pm

Can you add the ability to disable and enable caps-man configurations?

This would allow for more flexible control of SSID's for groups of provisioned routers, for example:
Provisioning1: Config1:SSID1, Config2:SSID2, Config3:SSID3
Config3 gets enabled/disabled via scheduler script.
 
mike548141
just joined
Posts: 8
Joined: Sun Aug 16, 2020 5:14 am

Re: Feature requests

Fri Jun 18, 2021 11:13 am

If an ethernet interface has been made a slave of a bonded interface (e.g. LACP), then it should have a value assigned on the physical interface that tells you (a) it is bonded and (b) the name of the bonded interface.
This way, when querying interfaces from a script, we can see what's bonded by looking at either the physical or the bonded interfaces.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 3884
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Feature requests

Fri Jun 18, 2021 2:30 pm

Set the syslog remote address as an FQDN or domain name and not only an IP.
Until it is like this, you can still use scripting to update the IP.
