Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri Apr 28, 2017 3:58 am

Can we get standard 802.11s support? https://wiki.mikrotik.com/wiki/Manual:I ... e/HWMPplus indicates that the HWMP+ protocol is based on 802.11s draft but is not compatible with it.
 
kalaposl
Trainer
Posts: 11
Joined: Fri Apr 23, 2010 3:41 pm

Re: Feature requests

Fri Apr 28, 2017 1:00 pm

I would love if I could run a script as a firewall action.
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Sat Apr 29, 2017 12:25 am

> I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
 
macsrwe
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Feature requests

Sat Apr 29, 2017 2:27 am

I've been waiting over five years for /system upgrade upgrade-package-source to allow specification of its password parameter on the command line instead of demanding it interactively. This one deficiency makes Flashfig entirely useless to us and makes initializing every one of our MikroTik CPEs a multi-step manual process. I've been told this is done for "security," but every other password, encryption key, secret, etc. can be set from the CLI except this one (which is a relatively minor "security" function at best), so I'm not buying that argument. How hard can this be, guys?
 
nordex
Member Candidate
Posts: 103
Joined: Fri Mar 23, 2007 7:46 pm
Location: Croatia

Re: Feature requests

Sat Apr 29, 2017 8:14 pm

Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be a big problem for you to add it to the existing graphing routines.
Thanks
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Mon May 01, 2017 4:10 am

> > I would love if I could run a script as a firewall action.
> this would degrade the packet forwarding performance in an unpredictable but disastrous way.
> but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
> Add temperature/voltage graph.
> I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be a big problem for you to add it to the existing graphing routines.
> Thanks
On that note, it would be really great to have an average cpu value being displayed in the resources tab. At the moment I have to run a script periodically and try to calculate this on my own.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Mon May 01, 2017 6:07 am

request switch vlan support on RB750Gr3
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Wed May 03, 2017 10:57 am

> > > I would love if I could run a script as a firewall action.
> > this would degrade the packet forwarding performance in an unpredictable but disastrous way.
> > but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
> You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
there are certain "optimised" actions (like add-src/dst-to-address-list) which could have their "script" counterparts, but that doesn't mean they're the same. packet forwarding is not a thing where one wants to mess with interpreted code. and running a script (executing a series of routeros commands) is actually running interpreted code.
where i do see quite a bit of flexibility, but it is a fundamental change to how the PF code is organised. say we're just fine with a serialised code execution on a single core if it comes down to handle a flow, but that doesn't mean that cpu cycles are there to be wasted on unoptimised execution. also for me it is not clear whether the script should be run in a non-blocking or blocking manner. all in all, since it's just a set of interpretable code, it would be quite unpredictable whether it is to be executed parallelised or not. the result would be varying delay that could potentially affect (read: ruin) TCP throughput.

i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then it's up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

i think this fulfils your requirements of "hands shall not be bound", but also provides enough safeguarding for the "not so creative/inexperienced" users, whose forwarding performance would be seriously degraded by running code based on firewall rule matches. and for the RouterOS developers it's always a give-and-take situation, where to go, what to risk: provide a very versatile toolset where you can do anything, which can (and most probably will) result in thousands of trouble-tickets and sad faces when used inappropriately, or leave it to be solved by the excessive creativity of the few ones who actually do require it. they need to think in the dimensions of megapackets per second for a while, and "tinkering" does not fit into the scope any more. and there is a whole world outside of RouterOS, lots of tools that may be used to contribute to its original functionality, we just need to think outside the box.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on a regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)
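
The log-and-parse workaround described in the post above, sketched for the syslog-server side as an added example (not part of the original posts): it picks out firewall log lines carrying a custom log prefix, validates the source address before it goes anywhere near a command, and returns one address-list command per source, rate-limited so a burst of matches cannot become a burst of actions. The `FWACT-` prefix, the list name, the thresholds and the sample lines are constructed, and the line layout is an assumption modelled on typical RouterOS firewall log output.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed line layout (constructed, modelled on RouterOS firewall logging):
#   "<topics> <prefix> <chain>: in:.. out:.., ..., proto TCP (SYN), SRC:PORT->DST:PORT, len N"
LINE_RE = re.compile(
    r"\b(?P<tag>FWACT-[A-Za-z0-9_]+) (?P<chain>[a-z-]+): .*?"
    r"proto (?P<proto>[A-Za-z0-9-]+)[^,]*, "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?"
)


def parse_line(line):
    """Return the matched fields as a dict, or None if the line is not usable."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        # Log content is influenced by whoever sends the packets: only values
        # that survive strict parsing are allowed into a generated command.
        src = str(ipaddress.IPv4Address(m["src"]))
        dst = str(ipaddress.IPv4Address(m["dst"]))
    except ValueError:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return {"tag": m["tag"], "chain": m["chain"], "proto": m["proto"],
            "src": src, "dst": dst, "dport": dport}


@dataclass(frozen=True)
class Rule:
    address_list: str   # hypothetical address-list name
    timeout: str        # RouterOS time value, e.g. "1h"
    threshold: int      # matches required ...
    window: int         # ... within this many seconds


class Dispatcher:
    """Turns tagged log lines into at most one action per (tag, source) per cooldown."""

    def __init__(self, rules, cooldown=3600):
        self.rules = rules
        self.cooldown = cooldown
        self._hits = defaultdict(deque)   # (tag, src) -> recent match times
        self._fired = {}                  # (tag, src) -> time of last action

    def feed(self, ts, line):
        ev = parse_line(line)
        if ev is None or ev["tag"] not in self.rules:
            return None
        rule = self.rules[ev["tag"]]
        key = (ev["tag"], ev["src"])
        last = self._fired.get(key)
        if last is not None and ts - last < self.cooldown:
            return None                   # already handled, entry still present
        hits = self._hits[key]
        hits.append(ts)
        while hits and ts - hits[0] > rule.window:
            hits.popleft()
        if len(hits) < rule.threshold:
            return None
        hits.clear()
        self._fired[key] = ts
        return (f"/ip firewall address-list add list={rule.address_list} "
                f"address={ev['src']} timeout={rule.timeout} comment=\"{ev['tag']}\"")


def run(events, dispatcher):
    """Feed (timestamp, line) pairs and collect the commands that fire."""
    return [cmd for ts, line in events if (cmd := dispatcher.feed(ts, line))]


RULES = {"FWACT-ssh": Rule("ssh_blocked", "1h", threshold=3, window=60)}

# Constructed sample input: (seconds, syslog message)
_T = ("firewall,info {tag} input: in:ether1 out:(none), src-mac 00:00:5e:00:53:01, "
      "proto TCP (SYN), {src}:{sp}->192.0.2.1:22, len 60")
SAMPLE_EVENTS = [
    (0, _T.format(tag="FWACT-ssh", src="203.0.113.5", sp=51234)),
    (5, _T.format(tag="FWACT-ssh", src="203.0.113.5", sp=51240)),
    (9, _T.format(tag="FWACT-ssh", src="203.0.113.5", sp=51262)),    # third hit: fires
    (12, _T.format(tag="FWACT-ssh", src="203.0.113.5", sp=51270)),   # inside cooldown
    (20, _T.format(tag="FWACT-ssh", src="198.51.100.9", sp=40000)),  # below threshold
    (21, _T.format(tag="OTHER", src="198.51.100.9", sp=40001)),      # untagged rule
    (22, _T.format(tag="FWACT-ssh", src="999.1.1.1", sp=1)),         # invalid address
]

if __name__ == "__main__":
    for command in run(SAMPLE_EVENTS, Dispatcher(RULES)):
        print(command)
```

The returned strings are meant to be reviewed or handed to whatever management channel is already in use; the block itself never connects to a router.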
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed May 03, 2017 4:54 pm

> > > > I would love if I could run a script as a firewall action.
> > > this would degrade the packet forwarding performance in an unpredictable but disastrous way.
> > > but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
> > You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
> i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then it's up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.
>
> on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on a regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
> https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
> https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)
I don't see why it's not possible to do the same with a run script on hit rule with some guidelines as you mention exists for the L7 rules. Unfortunately not everybody reads MUM slides.

Yes, the method that you describe of using a firewall rule and logging is an option, but potentially something that can become really messy really quickly.

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Wed May 03, 2017 5:52 pm

> You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.
seems we have to leave it to Mikrotik guys to decide which way to go :-)
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu May 04, 2017 7:46 am

> seems we have to leave it to Mikrotik guys to decide which way to go :-)
Indubitably :)
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed May 10, 2017 8:11 am

Please add the ability to ping / ssh / telnet / other from the ip dhcp-server screen in winbox. This is already offered from the wireless registration page.

Any chance we could get the ability to form simple socket connections / ssh from the router in a script? Currently it's really one sided in that it's possible to connect to the router, but not possible for the router to automatically connect to other things.
 
makstex
newbie
Posts: 49
Joined: Fri Mar 27, 2009 6:31 am

Re: Feature requests

Thu May 11, 2017 7:25 am

Please add compression for the OpenVPN client.
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu May 11, 2017 9:16 am

Could we get a proper AT command + reply interface?

Sending down AT commands in the info string and then having them randomly overwrite some output as a response is far from ideal.

On that same topic, it would be great if the /interface ppp-client info section can be rewritten to go away and read all the data and then come back with the data instead of having to be polled repeatedly hoping to get all the data after x polls.
 
felipelinkmais
just joined
Posts: 3
Joined: Thu Oct 20, 2016 1:32 pm

Re: Feature requests

Thu May 11, 2017 4:34 pm

I don't know if it was already suggested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
 
teddyhsu
just joined
Posts: 2
Joined: Sun Nov 16, 2014 5:56 pm

Re: Feature requests

Fri May 12, 2017 2:25 pm

I hope I can create a counter-only supout file, that only takes process information and counts connections and users.

When my routerboard has more than 100K connections and 2000 users, making a supout file will take more than 2 hours and it will be bigger than 1GB.
The heavy loading reboot is very hard to debug.
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Sat May 13, 2017 3:38 pm

I would like to request the required changes in order to allow 3G/LTE signal strength to be monitored on a continual basis without interrupting the signal - see https://forum.sierrawireless.com/viewto ... 108#p41108
 
nz_monkey
Forum Guru
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature requests

Mon May 15, 2017 12:20 pm

> I don't know if it was already suggested.. but mikrotik Traffic Flow could include BGP AS Numbers.
> It is important to know what is going on with your network, and with the AS included a lot of things can be done.
> Thanks!!
:D this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...
 
macsrwe
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Feature requests

Tue May 16, 2017 10:11 pm

/ip firewall address-list has a creation-time field that is read only, although it appears in the add box. It would be quite handy if that were writeable at add time, such that the entry would take effect at whatever date and time is entered. This would allow us to schedule changes in account behavior at a future date without having to be sure to log in on that date to make it happen.
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Wed May 17, 2017 10:14 am

Now I must create the same few rules in FILTER ICON again and again in many places of WinBox (I use AutoIt to do it as a workaround)
PLEASE ADD the SAVE option for filtering rules.
I will be creating profile filters like, dhcp with dynamic only, Arp static only, Conntrack show network1, conntrack show net2 - you get the idea. Open filters and select own previously saved filter rules - perfect.
 
CsXen
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Feature requests

Wed May 17, 2017 11:19 am

Hi.
I know, that Mikrotik dropped the mipsle platform support... I know... but..
Please, backport two fantastic changes to mipsle, specifically to RB532.
1. WPS client mode.
2. EAP-PEAP-MSCHAPv2

Please, make a "routeros-mipsle-6.32.5" package with these features to make our old routers happier. :)

Thanks and best regards: CsXen
 
Vooray
Frequent Visitor
Posts: 73
Joined: Mon Feb 23, 2015 3:34 pm

Re: Feature requests

Tue May 23, 2017 10:39 am

Please, add /31 mask on p2p support (rfc3021).
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Feature requests

Mon May 29, 2017 3:12 pm

it would be nice in capsman interfaces tab a column with how many devices are connected per cap.
 
Murmaider
Member Candidate
Posts: 126
Joined: Fri Oct 30, 2015 10:10 am

Re: Feature requests

Mon May 29, 2017 8:46 pm

> > I don't know if it was already suggested.. but mikrotik Traffic Flow could include BGP AS Numbers.
> > It is important to know what is going on with your network, and with the AS included a lot of things can be done.
> > Thanks!!
> :D this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...
+1 for this, it makes the current traffic flow implementation 99% complete. It's that 1% we all need to make it useful to anyone using BGP.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests

Thu Jun 01, 2017 12:58 pm

Please add support for DHCPInform for PPP link. It is useful for Windows VPN clients (push additional info such as domain name, classless routes etc.). Now I must redirect DHCPInform request from PPP to external DHCP server.
 
Pilson
just joined
Posts: 1
Joined: Fri Jun 02, 2017 9:27 pm

Re: Feature requests

Fri Jun 02, 2017 9:40 pm

Please add support for l2tp client source port selection - set the port manually, or set a random port. Something like /interface l2tp-client set l2tp-out1 src-port=port_number, or src-port=random. It would be a very useful feature, especially if multiple l2tp clients + ipsec establish connections from the local network via one NAT address.
Thanks.
 
aacable
Member
Posts: 435
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN

Re: Feature requests

Sat Jun 10, 2017 8:35 am

'Unmetered Content' / to bypass local servers from radius accounting.
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Feature requests

Sun Jun 11, 2017 1:45 am

You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:
[Attachment: Screen Shot 2017-06-10 at 23.44.39.png]
 
craterman
just joined
Posts: 22
Joined: Tue Oct 14, 2014 1:26 pm

Re: Feature requests

Sun Jun 11, 2017 11:07 am

Please add:
- Incremental SPF
- IP FRR (RFC5714) and microloops (RFC5715)
- LFA (RFC5286) & Remote LFA (RFC7490)

And it would be really great if you add:
- RSVP FRR (RFC4090)
- MRT (RFC7812)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sun Jun 11, 2017 7:13 pm

About the WireGuard idea, are you a time traveller writing to us from future? :) I almost got excited, but at present time, things don't look so bright yet:
> WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.
So I think I'll stick with wanting better OpenVPN for a while, at least until this happens:
> After version 1 is finalized, an RFC will be written and standardized.
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Feature requests

Sun Jun 11, 2017 7:23 pm

> About the WireGuard idea, are you a time traveller writing to us from future? :)
Spoiler alert: Trump gets impeached!

…but I'm not going to reveal which one is released first: WireGuard v1.0 and RouterOS v7.0 :)
 
drivebydex
just joined
Posts: 1
Joined: Wed Jun 14, 2017 11:50 pm

Re: Feature requests

Wed Jun 14, 2017 11:53 pm

Please add in capsman registration table "active host name" and "active address"! THX
 
ajack46
newbie
Posts: 37
Joined: Tue Mar 28, 2017 9:08 am

Re: Feature requests

Thu Jun 22, 2017 3:51 pm

Providing Compression for the OpenVPN client, would be something i would wish for.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sat Jul 01, 2017 10:45 am

1. add /ip route check-gateway-ping-interval
2. ability to customize fasttrack rules a little bit. more dual wan friendly. right now i cannot figure out a way to have fasttrack with both ipsec and multi wan, although it does appear possible if its just one extra feature.
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature requests

Sat Jul 01, 2017 4:34 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
> Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sat Jul 01, 2017 9:59 pm

> 1. +1!
> 2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
> > Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.
i made some workarounds to make fasttrack+ipsec+dualwan all work together..but i really wish they'd come up with something better
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sat Jul 01, 2017 10:01 pm

/tool fetch keep-result (yes | no; Default: yes) If yes, creates an input file.

rename this to save-tofile or something.... from what i am seeing, keep-result appears to save the output to disk. or is it input? i've no idea anymore.

MT could possibly hire an englishman to straighten the terms out.
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature requests

Mon Jul 03, 2017 1:22 am

Could you please describe how you worked out port forwarding in a dual wan environment with fasttrack?
 
platitude
just joined
Posts: 2
Joined: Sat Jun 03, 2017 10:15 am

Re: Feature requests

Tue Jul 04, 2017 11:59 pm

The DNSCrypt feature request topic was started in 2012! Your customers have been waiting for it for about 5 years and there is still no support from you. Looks like you are not interested in customers' data privacy at all. Now open your eyes, read the message and satisfy us.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature requests

Sun Jul 09, 2017 2:42 am

add tool: tcp/udp open port tester.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun Jul 09, 2017 12:34 pm

Feature request: move all configuration related to one physical interface to another.
E.g. you have a router with two hardware switches or with ports inside/outside switch.
You have configured e.g. ether8 which is on switch2 with all kinds of options (address, dhcp server, firewall config, etc)
and you decide it would be better to move all this to ether4 which is on switch1, e.g. because you want to free up a port
that is on switch2, to do hardware switching to the other ports on that switch. It would be convenient when this could
be done with a single command, just like an interface can be renamed with a single command and it is reflected everywhere
in the config. After issuing that command and plugging the cable from port 8 to port 4, all functionality would remain the same.
For practical purposes (what would happen to the config that was on port 4), maybe the easiest implementation would
be in the form of "swap interface configurations" What was on ether4 will be on ether8 and vice-versa.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Sun Jul 09, 2017 2:21 pm

Adding an address to a large address-list is a PITA when the address already exists. Then the script is stopped and you can work with on-error to seek sequentially through the list and use set to update the timeout on the dynamic address. This takes ages when you have to seek each time.

At the moment you get a collision it would be a pleasure to be able to directly use set on that entry to set the expire time in the on-error.
 
cental63
just joined
Posts: 11
Joined: Wed Mar 15, 2017 11:12 pm
Location: Italy

Re: Feature requests

Sun Jul 09, 2017 6:22 pm

I find that Userman is a really good choice to build a hotspot service for a company, but I think, as an installer, that there is something missing, a few things like embedded sms verification (and not the script), and the one that I found more interesting, make the userman database readable (just think about a company with a newsletter). All could be added to make userman like a serious radius server (chr would allow more performance for enough clients). more competitive !
That's all :o

Regards from an Italian user
 
schadom
Member Candidate
Posts: 156
Joined: Sun Jun 25, 2017 2:47 am

Re: Feature requests

Sun Jul 09, 2017 7:56 pm

Please add the 'Comments' column and the 'Add/Edit Comment Button' which is currently missing in WinBox 3.11 under

Routing => BGP => Networks
Routing => BGP => Aggregates

Interestingly it is available in Routing => OSPF => Networks, but missing in all of the other tabs
While I personally prefer the CLI for configuration, WinBox is nice to get a quick overview.

Thanks
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Aug 10, 2017 1:39 pm

Please add SMB support to the fetch tool or the ability to limit FTP accounts to specific folders to the FTP server. The SMB server is considerably more advanced than the FTP server on Mikrotik and makes it easier to limit clients to a specific folder.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Aug 11, 2017 12:16 pm

/queue tree elements can now only match on "packet marks", when multiple packet marks are specified they are OR'ed.

Please add the capability to also match on the "packet priority" field, and make it an AND match with the packet marks.
(so if a queue tree element is specified with both packet marks and a priority, it will only be used when one of the specified packet
marks is present AND the priority field of the packet is as specified)

Alternatively, introduce the option of doing an AND match on packet marks. It is already possible (although cumbersome)
to add packet marks based on the packet priority field.
 
dgrenetz
just joined
Posts: 1
Joined: Wed Sep 13, 2017 1:45 am

Re: Feature requests

Wed Sep 13, 2017 2:31 am

We are deploying Mikrotik virtual appliances to centralize and replace several disparate VPN solutions. We need a way to hand out our domain suffix to VPN clients so they won't have to use Netbios broadcast to resolve names. Currently, without domain suffix setting, accessing hosts by hostname takes about 5 seconds longer than it does on our existing legacy VPN solutions. I Googled the issue and see people complaining about this all the way back to 2010. However I do not see it anywhere in this Feature Request thread. Longstanding issue - please help!!
David
 
diasem
just joined
Posts: 5
Joined: Tue Dec 08, 2015 4:15 am

Re: Feature requests

Tue Sep 19, 2017 1:22 am

Normis add /31 address for PTP links.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Sep 19, 2017 10:23 am

> Normis add /31 address for PTP links.
/ip address add interface=ether1 address=192.0.2.2/32 network=192.0.2.3
 
vytuz
newbie
Posts: 30
Joined: Mon Jul 31, 2017 3:12 pm

Re: Feature requests

Tue Sep 19, 2017 3:09 pm

Do you maybe have plans to make a more detailed user group list? Different user access to e.g. wireless, firewall filter, nat rules, ip addresses, dhcp etc. I imagine it may be hard to add databases and additional configuration to every configuration field. Maybe any possibility to add at least an additional wireless user option. Clients sometimes want to change wifi name, password, but we do not want to allow changing other options with the given password.
 
nelfou
just joined
Posts: 17
Joined: Wed Mar 22, 2017 3:10 pm

Re: Feature requests

Fri Sep 22, 2017 1:07 pm

Being able to customize the hAP WPS button behavior, like having it trigger a script.
(our use case would be to easily turn the Wi-Fi on/off)
 
Vooray
Frequent Visitor
Posts: 73
Joined: Mon Feb 23, 2015 3:34 pm

Re: Feature requests

Sat Sep 23, 2017 8:42 pm

Hey, Mikrotik team!

Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Sep 25, 2017 11:01 am

> It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
... and routing table/vrf :)
 
OnixJonix
Frequent Visitor
Posts: 68
Joined: Thu Jun 22, 2006 11:35 am
Location: Latvia

Re: Feature requests

Tue Sep 26, 2017 12:37 pm

Make Address List from DHCP lease table!!
For example - select multiple LEASE entries and put them in address list (then you can use for firewall)!! Something like in wireless - you can add entries from registration table to access list!!
Thanks!
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Feature requests

Tue Sep 26, 2017 1:53 pm

Lease script doesn't work for you in this case?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Sep 26, 2017 3:59 pm

Looks like he needs it in WinBox (one-time context menu like 'Make static' or something)

By the way, if your leases are static, you can just set 'Address List' for them
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Feature requests

Wed Sep 27, 2017 12:41 am

> Hey, Mikrotik team!
> Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
> It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
..and the possibility to set source address (e.g. remote ipsec hosts)
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Wed Sep 27, 2017 1:46 am

> Hey, Mikrotik team!
>
> Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
> It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
Netwatch can trigger a script.

Example - my netwatch:

/tool netwatch
add comment="Watch Dog" down-script="log info \"Netwatch missed a ping to 192.0.2.254 - starting 5 minute timeout script\" ; /system script run NetWatchBoot-192.0.2.254" host=192.0.2.254 timeout=1s500ms

Example - My script called by netwatch:
/system script
add name=NetWatchBoot-192.0.2.254 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive
# Source of the script NetWatchBoot-192.0.2.254:
# Address to re-test and the wireless interface to report on.
:local addresstoping 192.0.2.254;
:local interface "wlan1";
# Retry loop state: up to $maxcounter attempts, $sleepseconds apart.
:local continue true;
:local counter 0;
:local maxcounter 28;
:local sleepseconds 10;
:local goodpings 0;
:log error "-----> Tom's Netwatch-Script-Warning - Netwatch could not ping $addresstoping - Will begin further testing in $sleepseconds seconds - and will continue for $maxcounter times $sleepseconds seconds";
:while ($continue) do={
  :set counter ($counter + 1);
  :delay $sleepseconds;
  :if ([/ping $addresstoping interval=1 count=1] = 0) do={
    :log info "----->ping to $addresstoping failed on attempt $counter of $maxcounter -- Will try again in $sleepseconds seconds";
  } else={
    :log warning "-----> ping success on to $addresstoping attempt $counter of $maxcounter <----- No Further testing needed --- Program will exit -----";
    :set continue false;
    :set goodpings ($goodpings + 1);
    # The link is back: log the wireless details for later diagnosis.
    /interface wireless monitor $interface once without-paging do={
      :local status $"status";
      :local band $"band";
      :local freq $"frequency";
      :local wprotocol $"wireless-protocol";
      :local noise $"noise-floor";
      :local signal $"signal-strength";
      :local snr $"signal-to-noise";
      :local thruput $"p-throughput";
      :log info "-----> Status: $status --- Band: $band --- Frequency: $freq --- WProtocol: $wprotocol --- NoiseFloor: $noise";
      :log info "-----> Optional Info if Available ---> SignalStrength: $signal --- SNR: $snr --- PThroughput: $thruput";
      /interface wireless monitor $interface once
      :local txr $"tx-rate";
      :local rxr $"rx-rate";
      :local sstr $"signal-strength";
      :local signoise $"signal-to-noise";
      :local curdistance $"current-distance";
      :local txccq $"tx-ccq";
      :local rxccq $"rx-ccq";
      :log info "-----> TxRate: $txr --- RxRate: $rxr --- SignalStreng: $sstr --- SignalToNoise: $signoise --- CurrentDistance: $curdistance --- TxCcq: $txccq --- RxCcq: $rxccq";
    };
  }
  :if ($counter = $maxcounter) do={ :set continue false; }
}
# No reply in any attempt: write the reason to a file, then reboot.
:if ($"goodpings" = 0) do={
  :log info "-----> Rebooting in 15 seconds";
  :delay 5;
  /file print file=ScriptRebootReason
  /file set ScriptRebootReason.txt contents="Rebooted by Toms script on $[/system clock get date] at $[/system clock get time]"
  :log error "-----> Rebooting in 10 seconds";
  :delay 5;
  :log error "-----> Rebooting in 5 seconds";
  :delay 5;
  :log error "-----> Rebooting now";
  :delay 1;
  /system reboot
}

With the above - a netwatch ping failure will trigger my script "NetWatchBoot-192.0.2.254"
The script will retry the ping for (:local maxcounter 28) 28 times
While pausing (:local sleepseconds 10;) 10 seconds between pings

If the script gets a ping response, the script aborts - and makes a log.
If the script loops through the count-down and does not get a ping, the script will reboot the Mikrotik - and make a file named ScriptRebootReason just prior to the reboot.

I am sure this netwatch & script procedure could be modified to do many things you may want when netwatch triggers.

In my case, I have this netwatch & script on all of my Mikrotik client devices and all of my internal core network Mikrotik devices. The IP address 192.0.2.254 is an RFC IP address and is OK to use for in-house (non-external-Internet-Routed). If I want to reboot every Mikrotik everywhere on my network, all I need to do is disable the 192.0.2.254 device a few minutes. Presto - everything everywhere will auto-reboot. This is good for keeping Mikrotiks on-line when the network might have a problem.

North Idaho Tom Jones
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Feature requests

Wed Sep 27, 2017 1:57 am

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: Feature requests

Wed Sep 27, 2017 10:31 am

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
+1
 
anv
newbie
Posts: 31
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

Openvpn server route push

Mon Oct 16, 2017 3:23 pm

Routeros openvpn server needs a way to push routes to the clients.
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Feature requests

Sat Oct 21, 2017 6:51 pm

Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find them faster with an eyeblink. :)
(I think, ANSI colors would be enough, but more color, more fun.)

And please, put a "find" option to log.

Best regards: Xen
 
WreckLoose
just joined
Posts: 2
Joined: Tue Oct 24, 2017 10:48 pm

Re: Feature requests

Tue Oct 24, 2017 11:25 pm

Yes, I think that a great feature would be greater support for Intel network interfaces. Most notably the I218 stuff. I would love to be able to run RouterOS on the Intel NUC.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Wed Oct 25, 2017 6:48 pm

Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find them faster with an eyeblink. :)
(I think, ANSI colors would be enough, but more color, more fun.)

And please, put a "find" option to log.

Best regards: Xen
It might be nice to have an option for color in the logs.
There is a work-around that I use which gives me three colors in my logs.

In your script that writes to the logs (or at the CLI prompt) you can use this:

log error "This is a log error --- RED"
log info "This is a log info --- BLACK"
log warning "This is a log warning --- Blue"

With the above 3 lines, you will see this in your logs:

This is a log error --- RED
This is a log info --- BLACK
This is a log warning --- Blue

North Idaho Tom Jones
 
gorec2005
just joined
Posts: 17
Joined: Mon Nov 25, 2013 2:08 pm

Re: Feature requests

Fri Nov 03, 2017 6:43 am

Add please shadowsocks server & client ?
 
safiullahtariq
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Feature requests

Sun Nov 26, 2017 2:30 pm

Can you please add a feature in which Hotspot doesn't account the local traffic, or to a specific subnet?
 
User avatar
kometchtech
Member Candidate
Member Candidate
Posts: 194
Joined: Sat Jun 15, 2013 4:25 am
Location: Japan
Contact:

Re: Feature requests

Fri Dec 01, 2017 4:15 pm

Despite being asked before in the past.
It seems that implementation of Wireguard is planned for the future Kernel.

https://www.phoronix.com/scan.php?page= ... d-Features

I would like you to consider implementing this function which has high encryption strength and excellent performance.
It seems that correspondence to several distributions is progressing as well.
 
Florian
Member Candidate
Member Candidate
Posts: 117
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: Feature requests

Tue Dec 19, 2017 2:23 pm

I know it's not ready yet, but +1 on Wireguard.
You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:

Screen Shot 2017-06-10 at 23.44.39.png
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Dec 19, 2017 2:36 pm

When you read "it is planned in a future Linux kernel" you know it is not going to happen in RouterOS 6.x and probably not in 7.x either (because a kernel version probably has been decided on).
So, you can put it on the wishlist for RouterOS 8.x
 
Florian
Member Candidate
Member Candidate
Posts: 117
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: Feature requests

Tue Dec 19, 2017 2:39 pm

I guess so, but it's to show the devs my (or "our") interest in this; if they can find a way to implement it, some people would be very happy.
 
lavv17
Member Candidate
Member Candidate
Posts: 120
Joined: Sat Sep 01, 2007 9:01 am

Re: Feature requests

Mon Dec 25, 2017 2:59 pm

I'd like to have a setting to change ppp aaa order: radius first, then local. The default is now local first.
 
ege
just joined
Posts: 17
Joined: Thu May 28, 2009 4:58 am

Re: Feature requests

Tue Dec 26, 2017 6:52 pm

SSL Bump feature for webproxy like Squid-in-the-middle.
Thanks
 
eccles
just joined
Posts: 3
Joined: Thu Dec 28, 2017 1:42 am

Re: Feature requests - OpenVPN Options

Thu Dec 28, 2017 2:10 am

We really need two options which are normally provided with OpenVPN on most Routers:

a) LZO Compression - I suspect that this might be an issue if the CPU doesn't natively support it

b) UDP - We can achieve faster transmission (with less bandwidth) by using UDP instead of TCP. UDP is an OpenVPN option provided on all other routers that I have worked with. Our protocol incorporates all of the required checking to ensure reliable delivery so the additional overhead of TCP isn't required or justified.

The reason is that we are using the wapLTE device at remote sites with 4-G transmission of datalogging records to a central site. Bandwidth is expensive (we pay by the MB/GB). We have done what we can by reducing transmissions to one per day, etc. but with the increasing number of remote sites the cost of traffic is becoming a real issue. It seems that the local ISPs are wanting to capitalise on IoT device traffic, but in any case cellular data transfer is very expensive here.

Eric
 
pamribeirox
just joined
Posts: 18
Joined: Fri Dec 22, 2017 6:20 pm

IPv6 Default Router Preferences (RFC4191)

Thu Dec 28, 2017 1:37 pm

It should be very simple to add support for selecting the bits of the IPv6 RA that announce if the router has "High", "Medium" or "Low" preference for being selected as a default router for the terminals in the segment. (RFC4191 2.1 Preference values)
I know VRRP could be used for that, but I think this clean and native solution is better for IPv6 first hop redundancy.
As an example, Cisco does it with the command "ipv6 nd router-preference [High|Low|Medium]" at interface level.
regards.
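
The preference bits this request refers to, shown as an added Python example (not part of the original post and not RouterOS code): it builds and parses the fixed Router Advertisement header, decodes the RFC 4191 Prf field, and applies the receiver rules (reserved value treated as Medium, preference ignored when Router Lifetime is zero). The function names, the constructed sample advertisements and the first-seen tie-break are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ICMPV6_ROUTER_ADVERT = 134
# type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
RA_HEADER = struct.Struct("!BBHBBHII")

FLAG_M, FLAG_O = 0x80, 0x40          # Managed / Other configuration flags
PRF_MASK, PRF_SHIFT = 0x18, 3        # RFC 4191: two Prf bits follow M, O and H

PRF_NAME = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}
PRF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}
PRF_RANK = {"low": -1, "medium": 0, "high": 1}


@dataclass
class RouterAdvert:
    hop_limit: int
    managed: bool
    other: bool
    prf: str          # preference exactly as encoded on the wire
    lifetime: int     # Router Lifetime in seconds

    @property
    def is_default_router(self) -> bool:
        # A Router Lifetime of zero means "do not use me as a default router".
        return self.lifetime > 0

    @property
    def effective_prf(self) -> str:
        # Receiver rules: ignore Prf when lifetime is zero, treat reserved (10) as medium (00).
        if self.lifetime == 0 or self.prf == "reserved":
            return "medium"
        return self.prf


def build_ra(prf: str, lifetime: int, hop_limit: int = 64,
             managed: bool = False, other: bool = False) -> bytes:
    """Build the 16-byte RA header. The checksum is left at 0 (constructed sample, not sent)."""
    flags = PRF_BITS[prf] << PRF_SHIFT
    flags |= FLAG_M if managed else 0
    flags |= FLAG_O if other else 0
    return RA_HEADER.pack(ICMPV6_ROUTER_ADVERT, 0, 0, hop_limit, flags, lifetime, 0, 0)


def parse_ra(data: bytes) -> RouterAdvert:
    """Decode the fixed RA header; options after byte 16 are not parsed here."""
    if len(data) < RA_HEADER.size:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _cksum, hop, flags, lifetime, _reach, _retrans = RA_HEADER.unpack_from(data)
    if msg_type != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    prf = PRF_NAME[(flags & PRF_MASK) >> PRF_SHIFT]
    return RouterAdvert(hop, bool(flags & FLAG_M), bool(flags & FLAG_O), prf, lifetime)


def choose_default_router(adverts: Dict[str, bytes]) -> Optional[str]:
    """Return the source address of the preferred default router, or None.

    Ties keep the first router seen (an assumption; hosts may choose differently).
    """
    best, best_rank = None, None
    for source, raw in adverts.items():
        ra = parse_ra(raw)
        if not ra.is_default_router:
            continue
        rank = PRF_RANK[ra.effective_prf]
        if best is None or rank > best_rank:
            best, best_rank = source, rank
    return best


# Constructed sample: four routers on one segment, keyed by link-local source address.
SAMPLE_ADVERTS = {
    "fe80::1": build_ra("medium", 1800),
    "fe80::2": build_ra("high", 1800),
    "fe80::3": build_ra("low", 1800, managed=True),
    "fe80::4": build_ra("high", 0),      # lifetime 0: not a default router
}

if __name__ == "__main__":
    for src, raw in SAMPLE_ADVERTS.items():
        ra = parse_ra(raw)
        print(src, "flags=0x%02x" % raw[5], ra.prf, "->", ra.effective_prf, ra.lifetime)
    print("selected:", choose_default_router(SAMPLE_ADVERTS))
```
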
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Default Router Preferences (RFC4191)

Thu Dec 28, 2017 1:50 pm

It should be very simple to add support for selecting the bits of the IPv6 RA
I hope 2018 will be the year that MikroTik finally continue working on IPv6 support.
 
pamribeirox
just joined
Posts: 18
Joined: Fri Dec 22, 2017 6:20 pm

IPv6 replacing the link-local address

Thu Dec 28, 2017 2:06 pm

To ease the management of IPv6 networks, it is useful as a first step to base them on the existing IPv4 network structure.
One of the things that could be done is using some elements embedded in the IPv6 link-local address so the Windows "ipconfig /all" (and the like from other OSs) provides a simple way to verify the terminals are correctly connected/configured.

RouterOS should allow us to change the IPv6 link-local address from the default one (based on EUI-64 logic) to a manual defined address in the block reserved for link-locals in the RFC4291 (fe80::/10)

Then, as an example, the interface with IPv4 address 192.0.2.1 could also have an IPv6 LL fe90::192:0:2:1

regards.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Jan 01, 2018 1:23 pm

Feature request: enable WMM (QoS based on DSCP) for WiFi interfaces (preferably by default) without having to use mangle rules to set priority based on DSCP.
The disadvantage of mangle rules is that they only work when all "fast" options are disabled and when the "use IP firewall" is enabled on the bridge.
Competing products have WMM enabled by default without having to configure anything. In MikroTik it requires settings like:
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip settings
set allow-fast-path=no
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes
and deleting the "fast track" rules.
As some of these have quite global effect on performance, it would be preferable to have some way of just doing WMM with a simple checkmark in the Wireless settings.
(there is one, but it does not do the prioritization)
 
moose999
just joined
Posts: 5
Joined: Fri Sep 11, 2015 8:46 pm

Feature request - Granular User Levels

Tue Jan 16, 2018 12:49 pm

I am aware I can control access to services (web, winbox, api, etc.) and rights (read, write, sensitive, etc.) but it would be very useful to be able to control access to features (/ip firewall nat for example) as well.

Does anyone know if this is possible?

Thanks,
Justin.
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: Feature requests

Thu Jan 18, 2018 8:59 am

Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.
 
ViennaAustria
just joined
Posts: 4
Joined: Fri Jan 18, 2013 12:58 pm

rinetd

Thu Mar 01, 2018 9:23 am

I'd like to re-request the function of rinetd.

https://boutell.com/rinetd/
http://brewformulas.org/Rinetd

We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow us to access these devices from remote (telnet, SSH, webinterface, SNMP, ...). A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.

If a rinetd-like function would be added to RouterOS it would be GREAT!

Thanks!
Thomas
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: rinetd

Thu Mar 01, 2018 9:28 am

I might be a bit wrong but why don't you just use NAT?
I'd like to re-request the function of rinetd.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: rinetd

Thu Mar 01, 2018 12:16 pm

I'd like to re-request the function of rinetd.

https://boutell.com/rinetd/
http://brewformulas.org/Rinetd
Never heard of that before, but I did similar things in the past using "netcat" ("nc")
We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow us to access these devices from remote (telnet, SSH, webinterface, SNMP, ...).
You can do the same thing on a MikroTik using a src-nat and a dst-nat rule!
A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.
HOW???
A local linux box can be a Raspberry Pi which would be more like $50.
 
wtm
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Tue May 24, 2011 5:27 am

Re: Feature requests

Sun Mar 04, 2018 2:06 am

Would like to see a Radius tester available for the "Tools section". Something along the lines of Radtest, so you can see that the external radius server is actually getting something from the Mikrotik router, and if not what the problem may be to fix it. Currently there is not enough information available in the Logging to help you on that.
 
Quasar
newbie
Posts: 33
Joined: Sun Oct 05, 2014 1:11 pm

Re: Feature requests

Fri Mar 09, 2018 2:45 pm

Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.
Another +1 for me. Please implement this, as WireGuard is steadily moving towards mainline kernel inclusion.

Virtual private networks with WireGuard
 
gerakon
Member Candidate
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: Feature requests

Wed Mar 21, 2018 3:46 pm

In Winbox I think the Dashboard menu could go away and just have all of its items enabled by default. Unless there's some reason people don't want to see this information or there is some amount of overhead on the router.

If it can't go away, it would be great if it would at least remember my settings between routers so that I don't have to re-enable them to compare times more easily between routers that are having IPSEC negotiation problems or when the CPU is maxed.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Mar 21, 2018 5:01 pm

it would be great if it would at least remember my settings between routers
This is just a special case of the generic feature request to have some way of sharing settings in winbox between a large number of routers.
Some other requests have been seen to e.g. allow "set current winbox settings as default for new connections" and/or to simply allow
the sharing of the same settings between all routers in a Group.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature requests

Wed Mar 21, 2018 5:07 pm

This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as

Next time before connecting to new router pick saved session.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Mar 21, 2018 5:35 pm

- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select columns should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menus and often does not fit on the screen so has to be scrolled as well.
 
hackclub
newbie
Posts: 26
Joined: Thu Dec 12, 2013 7:28 am

Re: Feature requests

Wed Mar 21, 2018 8:51 pm

urgent request to (for) mikrotik
viewtopic.php?f=1&t=132062
 
gerakon
Member Candidate
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: Feature requests

Thu Mar 22, 2018 12:26 am

This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as

Next time before connecting to new router pick saved session.
But then I have to do that on each of the hundreds of routers in my Winbox managed sessions list.... Right? I guess my point is that I see no reason at all why someone would not want to see the dashboard information in the upper right. Is there a reason? It's just extra stuff (menu options) that doesn't need to be there. Turn them on all the time for every session and just get rid of the Dashboard menu.

Unless there's some reason that I'm not seeing?
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Please increase Simple-Queue limits - they max at 4,294 Meg

Thu Mar 22, 2018 12:28 am

Please increase Simple-Queue limits - they max at 4,294 Meg (aka 4.294 Gig)


ROS Simple-Queue - please increase the possible maximum limits and thresholds.
Currently on v6.41.3 and v6.41.2 (don't know about older versions) ,
The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
This presents a problem. I have multiple 10-Gig networks and on some networks I must use bandwidth limiters which are much faster than the built-in restricted values.

An example of need: 10-Gig physical Internet connection - Purchased Internet speed need to be maintained by my network equipment. Problem - the Mikrotik ROS will not accept any values greater than 4294M in any of the Winbox Simple-Queue fields

North Idaho Tom Jones
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Please increase Simple-Queue limits - they max at 4,294 Meg

Thu Mar 22, 2018 11:25 am

The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
.
Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.

Perhaps by giving us possibility to set unit ... e.g. bits/second (default, current setting) or kbps (gives 1000-times higher limits) or Mbps. After all, with Gbps speeds it is not really sensible to set limits with bps resolution. Or is it?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Please increase Simple-Queue limits - they max at 4,294 Meg

Thu Mar 22, 2018 11:43 am

Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.
 
WirelessRudy
Forum Guru
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Feature requests

Thu Mar 22, 2018 12:02 pm

- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select columns should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menus and often does not fit on the screen so has to be scrolled as well.
This is what I have been asking for several times over the years. It's good someone else now asks again.
Somewhere some Mikrotik guy decided what the default settings are when on a virgin router a virgin winbox is opened. I would like to be able to just change that 'virgin' setting myself.
By default winbox shows a lot of info I have never interest in. But many other fields I need every time again are not there by default.... Especially when you work with many PC's it would be easy to have one winbox.exe that is everywhere the same to MY like.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Please increase Simple-Queue limits - they max at 4,294 Meg

Thu Mar 22, 2018 5:09 pm

Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.
Well, I would suppose that if somebody (like me) needs a simple-queue setting in any of the fields greater than 4294-Meg, then they are likely running something with a big-beefy-CPU , such as a CHR on a fast Xeon processor or possibly a high-end or current or future Mikrotik hardware product.

I am pretty sure my CHR-x86-64Bit and my ROS-x86-32-Bit systems have plenty of CPU horse-power. All of my virtual ROS systems can btest to 127.0.0.1 in the 19+Gig ranges. (btest uses only 1-core.) Now if you use 8+ cores (hyper-threading disabled for maximum CPU throughput) then I would assume possible system-wide-throughput might be 8x greater.

(My next hyper-visor system I am planning to build soon will allow me to configure 44 Xeon CPU cores to a hosted system - such as a CHR.)

Also , just about all new carrier-grade network equipment has one or more 10-Gig interfaces. Thus another reason for a simple-queue fix/update is needed.

Also - remember the Mikrotik post about "What would you like to see in a future Mikrotik ...something... with a 40-Gig throughput..." Thus another reason for a simple-queue fix/update.

Everything in my server room and my Internet feed uses 10-Gig interfaces. And I need an ability to use simple-queues up to 10-Gig.
 
artemk
newbie
Posts: 26
Joined: Wed Jun 20, 2012 8:06 pm
Location: Kyiv, Ukraine

Re: Feature requests

Sat Mar 24, 2018 8:07 pm

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
+1
It works for SSH but it would be really good to make Winbox to be able to authenticate via radius.
 
User avatar
ahmedramze
Member Candidate
Member Candidate
Posts: 111
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ
Contact:

Re: Feature requests

Sun Mar 25, 2018 4:34 pm

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requests=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y


Regards
 
ivicask
Member
Member
Posts: 417
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Feature requests

Sun Mar 25, 2018 4:39 pm

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requests=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y


Regards
Can't you already do that via firewall? Don't understand what more you need. If you want to block DNS requests from outside net, or allow only DNS requests from that IP range, simply make a firewall rule with tcp/udp 53 ports..
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sun Mar 25, 2018 8:52 pm

... if you want to block DNS requests from outside net, or allow only DNS requests from that IP range, simply make a firewall rule with tcp/udp 53 ports..
All other services have something like that. Api, ftp, ssh, telnet, winbox and www have "available from" option in IP->Services, smb allows to choose interface. If it makes sense for them, surely it would make sense for dns too.
 
sarada
just joined
Posts: 9
Joined: Mon Mar 12, 2018 2:26 pm
Location: Hungary

Re: Feature requests

Sun Apr 01, 2018 11:03 pm

Hi,

Can you add a feature in User manager which support WPA EAP and add 6to4 tunnel to vlan or bridge, please?
 
Railander
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Thu Jun 16, 2016 11:30 pm

Re: Feature requests

Thu Apr 05, 2018 7:50 pm

Feature Request:

With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.

Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.
 
User avatar
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Sat Apr 07, 2018 9:32 pm

With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.

Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.
this might be two things however. while the interface statistics could be worked out with "/tool graphing" even with resource visibility separation - currently using src ip address as differentiator - the "editing" part is tough. so if you can separate your customers based on ip address, you can define which interface/queue/resource the user may be viewing on the router's web gui.

but i don't really think this is a good idea, as routers are to forward packets and to run web servers. if you want real granular read/write control for defined routeros resources (interface, addresses, queues) you will be better off with an external web server using API integration.
 
pepek
just joined
Posts: 23
Joined: Tue Apr 10, 2018 12:14 am
Location: CZ

Re: Feature requests

Tue Apr 10, 2018 1:14 am

I've tried to search this topic, but I haven't found it (hope there are not any duplicates):

NTP Client - Possibility to use server name, not just IP address
exFAT (FAT64) or NTFS support - yes, MT is not NAS (it's slow), but it would be great to use file system capable of handling >4GB file compatible with Windows (you have HDD with big files and you want to share some files - you cannot connect it to MT, you have to reformat it to FAT32, copy everything except for big files back...)
Wireless - move Country and Distance setting to Simple Mode - you can set every other important "basic" setting in simple mode, but you have to switch to Advanced Mode for these two settings.
Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)
 
zappulec
just joined
Posts: 1
Joined: Tue Apr 10, 2018 6:08 pm

Re: Feature requests

Tue Apr 10, 2018 6:15 pm

Secured DNS
- DNS over HTTPS
- DNS over TLS
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 11, 2018 10:34 am

Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)
You will have to learn and understand that you should use QuickSet only ONCE and not look at it later!
It provides an overview of some basic config but it is not showing correct values after you made manual changes (not only this!) and should you later change some
things via QuickSet you will seriously mess up the configuration!
So please don't worry about things like this and don't use QuickSet.

In fact a more appropriate feature request would be: make QuickSet disappear once it has been used and manual changes have been made afterwards.
That would protect a lot of beginners from serious trouble.
 
miencek
just joined
Posts: 8
Joined: Tue Apr 10, 2018 8:51 am

Re: Feature requests

Wed Apr 11, 2018 11:55 am

RAM Disk for temporary files, e.g. configuration to/from other devices, scripts
 
User avatar
pudjo
just joined
Posts: 8
Joined: Tue May 06, 2008 8:01 pm
Location: Indonesia
Contact:

Request : alternative DNS Port for IP DNS Setting

Tue Apr 17, 2018 1:04 am

I've been waiting for a long time for MikroTik to provide an alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greatly appreciated,
Thank You
 
Miracle
Member Candidate
Member Candidate
Posts: 106
Joined: Fri Sep 11, 2015 9:04 am

Re: Request : alternative DNS Port for IP DNS Setting

Tue Apr 17, 2018 5:48 am

I've been waiting for a long time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greatly appreciated,
Thank You
Do you know dst-nat ?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue Apr 17, 2018 5:53 pm

Is there any DNS server on port other than 53?..
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Tue Apr 17, 2018 7:52 pm

Is there any DNS server on port other than 53?..
There are some non port 53 DNS configurations/uses.
Example: DNS over TLS is often port 853 -and- I kinda remember something about 135 End-Point-Mapper being used also for DNS

Also - security through obscurity can help prevent some attacks - such as running ssh on non-standard ports , DNS could possibly be remapped to use a non-standard port other than 53 to achieve a security through obscurity.

However , the standard well-known DNS port is 53. I would think if there is a security concern , that a FW configuration would be easier and more compatible method to control DNS access and better prevent attacks against DNS servers.

North Idaho Tom Jones
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Apr 17, 2018 8:06 pm

There are some non port 53 DNS configurations/uses.
The intended use case is probably where the ISP blocks or redirects access to port 53 outside (only allowing access to their own resolvers)
but does not have advanced DPI in place. Then just using a different port may circumvent their efforts. E.g. OpenDNS listens on port 5353,
and one could send the requests there. I don't know if Google DNS and CloudFlare DNS have similar alternate ports.

Of course this works only until the ISP admins know it and block or redirect that port as well. Not worth it to make a change in the router
for that, just use dst-nat.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Tue Apr 17, 2018 9:48 pm

Not worth it to make a change in the router for that, just use dst-nat.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Apr 17, 2018 11:10 pm

It may be possible to use a loopback interface and set the DNS server address to the address of this interface, then dstnat that traffic.
(I did not try, but I *do* use dstnat for traffic incoming to a router and that works)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Tue Apr 17, 2018 11:42 pm

Or you use a local DNS server on a RaspberryPI like DNSmasq, PiHole, etc. and you are able to control it all yourself.
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Wed Apr 18, 2018 1:17 am

As stupid as it might sound -almost a lol-
What happens if you add ":XY" to the IP address of the DNS server , where XY is the port #

Say you wanted your mikrotik to use port 5320
then use IP address format of the DNS server of:
a.b.c.d:5320

I remember this working on an old DSL router 15 years ago.

North Idaho Tom Jones
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed Apr 18, 2018 2:03 am

@pe1chl: No, dstnat happens in prerouting, so traffic coming to router (no matter if it will end up in forward or input) can be matched by dstnat rule. Traffic from router doesn't come through prerouting in RouterOS.

@msatter: External device would work fine, but sometimes it may not be desired or even possible to add it.

@TomjNorthIdaho: Nope, to quote WinBox: "Error in - non zero ip address or non zero ipv6 address expected!"

But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 18, 2018 10:38 am

But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.
Ok apparently it needs a real loop, I was thinking about adding a loopback interface (an empty bridge with an IP address) and sending the DNS queries there.
But maybe the address is considered local and it does not work then.
 
Chupakabra303
just joined
Posts: 14
Joined: Tue Jun 20, 2017 3:07 pm

Re: Feature requests

Wed Apr 18, 2018 1:39 pm

file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 18, 2018 2:34 pm

file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!
It is not a limitation of those routines, but of the maximal length of a variable content.
What is needed is an open/readline/close feature so files can be read line-by-line into a variable.
(for completeness also a read(n) to read a fixed number of bytes instead of a single line)
Last edited by pe1chl on Wed Apr 18, 2018 2:35 pm, edited 1 time in total.
 
juliokato
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Feature requests

Wed Apr 18, 2018 3:44 pm

Is there any DNS server on port other than 53?..
I have a solution to decrease costs with DNS filters like OpenDNS or SafeDNS, using a DNS resolver intermediate on UDP port 5353. All my 100 MK with different valid IPs points to this resolver.
This also helps in the security of this resolver.
I can give you more details if anyone has an interest.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Wed Apr 18, 2018 4:25 pm

So how do you point your Windows/Linux/MacOS machine to some non-53 DNS port?..
 
juliokato
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Feature requests

Wed Apr 18, 2018 8:32 pm

I was using firewall nat:

add action=dst-nat chain=dstnat disabled=no dst-port=53 log=yes protocol=udp to-addresses=aa.bb.cc.dd to-ports=5353

this forces anyone to use my resolver, even if some user tries to use another different dns server.

This has other implications of redundancy and security that are not part of this topic.
 
fernandolcx
newbie
Posts: 47
Joined: Fri Sep 06, 2013 6:51 pm

Re: Feature requests

Thu Apr 19, 2018 6:06 pm

Feature Request:

Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:
1.3.6.1.4.1.9.9.150.1.1.1.0
But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using
Mikrotik routers as BRAS/BNG/PPPoE Server.

If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.

To workaround we can use this:
/interface pppoe-server print count-only where service=service5
BUT it should be a nice feature to add to SNMP
 
samsung172
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: Feature requests

Fri Apr 20, 2018 12:20 am

Feature Request:

Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:
1.3.6.1.4.1.9.9.150.1.1.1.0
But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using
Mikrotik routers as BRAS/BNG/PPPoE Server.

If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.

To workaround we can use this:
/interface pppoe-server print count-only where service=service5
BUT it should be a nice feature to add to SNMP
You can have this info from the radius server. (if used)
 
raymondr15
Member Candidate
Posts: 118
Joined: Fri Sep 05, 2014 1:11 am
Location: East London, South Africa

Re: Feature requests

Fri Apr 20, 2018 1:34 am

Please add the ability to enable or disable successful login attempts for specific users, for example an API user, accounting software logging in and out updating information on the router.
 
lordcoke
newbie
Posts: 29
Joined: Thu Jun 10, 2010 10:11 am
Location: Germany

Re: Feature requests

Fri Apr 20, 2018 4:03 pm

Feature request for /tool sniffer. Please make it possible to submit a filter-port range to the sniffer to allow sniffing like this:
/tool sniffer set filter-ip-protocol=udp filter-port=32000-32255
 
pudjo
just joined
Posts: 8
Joined: Tue May 06, 2008 8:01 pm
Location: Indonesia

Re: Feature requests

Mon Apr 23, 2018 3:16 pm

Is there any DNS server on port other than 53?..
I have run several DNS servers using many ports other than 53, the purpose is for internet filtering, users can select filtering level by choosing dns port, check out https://www.thenetpurifier.com/filtering.php
 
pudjo
just joined
Posts: 8
Joined: Tue May 06, 2008 8:01 pm
Location: Indonesia

Re: Feature requests

Mon Apr 23, 2018 6:43 pm

Not worth it to make a change in the router for that, just use dst-nat.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.
vote +1 for dstnat in output chain
 
pudjo
just joined
Posts: 8
Joined: Tue May 06, 2008 8:01 pm
Location: Indonesia

Re: Request : alternative DNS Port for IP DNS Setting

Mon Apr 23, 2018 6:45 pm

I've been waiting for a long time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greatly appreciated,
Thank You
Do you know dst-nat ?
dst-nat not working in output chain, AFAIK
 
lugovoyma
just joined
Posts: 2
Joined: Mon Apr 23, 2018 8:10 pm

Re: Feature requests

Mon Apr 23, 2018 8:20 pm

openvpn UDP
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 25, 2018 5:07 pm

Now that ip firewall address-list (and ipv6 firewall address-list) support DNS lookups, add a way to get subnet entries from DNS.
Unfortunately there is no standard DNS record type for subnets. There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
Therefore, I suggest to use TXT records.
Do a query for TXT records for the specified name (after or in parallel to the A and AAAA records already queried) and for each TXT record coming back, check if it conforms to valid subnet notation like 11.22.33.0/24 or 11:22:33:44::/64 and if valid, add it as an address list item.
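
The validation step proposed in the post above, as an added example (not part of the original post and not RouterOS code): each TXT string is accepted only if it is strict subnet notation. The sample records, the function names and the minimum-prefix guard are assumptions made for this sketch.

```python
import ipaddress

# Constructed sample: TXT strings a lookup for one address-list name might return.
SAMPLE_TXT = [
    "11.22.33.0/24",
    "11:22:33:44::/64",
    "v=spf1 include:example.net -all",  # unrelated TXT data published on the same name
    "11.22.33.7/24",                    # host bits set, so not a subnet
    "0.0.0.0/0",                        # valid syntax, but would match every address
    " 192.0.2.128/25 ",                 # stray whitespace around a valid subnet
    "192.0.2.1",                        # bare address without a prefix length
]

# Assumption (not from the post): refuse prefixes broader than this, because TXT
# answers are unauthenticated without DNSSEC and a single record like 0.0.0.0/0
# would otherwise turn the address list into "match everything".
MIN_PREFIX_LEN = {4: 8, 6: 16}


def parse_subnet(txt):
    """Return an ip_network for a TXT string in strict CIDR notation, else None."""
    text = txt.strip()
    _addr, sep, prefix = text.partition("/")
    # Require an explicit numeric prefix length; netmask notation is not accepted.
    if not sep or not (prefix.isascii() and prefix.isdigit()):
        return None
    try:
        # strict=True rejects entries whose host bits are set (11.22.33.7/24).
        net = ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None
    if net.prefixlen < MIN_PREFIX_LEN[net.version]:
        return None
    return net


def subnets_from_txt(records):
    """Split TXT strings into accepted networks (deduplicated) and rejected strings."""
    accepted, rejected, seen = [], [], set()
    for record in records:
        net = parse_subnet(record)
        if net is None:
            rejected.append(record)
        elif net not in seen:
            seen.add(net)
            accepted.append(net)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = subnets_from_txt(SAMPLE_TXT)
    for net in ok:
        print("add to address list:", net)
    for record in bad:
        print("ignored TXT record: ", repr(record))
```

Rejected strings are returned rather than dropped silently so that they can be logged; a name that suddenly yields many rejected or over-broad records is worth an alert.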
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed Apr 25, 2018 8:12 pm

There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS). And any sensible server allows to add unknown record types using generic syntax. If you have hosted DNS and you depend on some admin interface, it's another story and I guess support there will be very bad. That was the authoritative part. Resolvers should be transparent for unknown types since forever.

So it may sound perhaps a little too optimistic, but I'd say it's almost there. And a gentle push (like MikroTik adding support in RouterOS) might help to move things forward. Some people could start using it right away and others would have motivation to nag their DNS providers to add support.
 
erebusodora
Frequent Visitor
Posts: 84
Joined: Mon Jan 23, 2012 3:46 pm
Location: Bulgaria

Re: Feature requests

Wed Apr 25, 2018 8:20 pm

It would be very nice to have a feature to hide rows. Column Hide and Show Footer Works is a great job on the look. Screenshot feature must be implemented too.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Apr 25, 2018 8:28 pm

There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS).
I googled for it and I cannot find any DNS server that has documented APL support, including Bind. We use bind 9.
However, if it is supported it would be fine to use APL. Probably with TXT there are less obstacles.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed Apr 25, 2018 10:31 pm

It doesn't seem to be advertised much, but it looks like BIND has it since 2002.

Advantage of using TXT would be instant availability everywhere. Probably even better reliability, at least in short term, because some broken resolvers will surely show up somewhere. But it's reinventing the wheel. Purists might also argue that we don't need yet another thing in TXT, there's enough of them already.
 
hurymak
Frequent Visitor
Posts: 76
Joined: Mon Oct 06, 2014 1:31 pm

Re: Feature requests

Thu Apr 26, 2018 1:54 pm

Encrypt nand filesystem, so when some thief unsolders it, they can't read my config.
 
cis2131
just joined
Posts: 5
Joined: Fri Mar 30, 2012 12:27 am

Re: Feature requests

Thu Apr 26, 2018 11:11 pm

Run a script when a port is closed by loop protect.
 
PtDragon
Frequent Visitor
Posts: 80
Joined: Sun Apr 26, 2009 8:52 pm

Re: Feature requests

Fri Apr 27, 2018 12:08 am

Small feature request:
Please make Syn Cookies tunable!
I explain a bit: right now we can only turn on or off.
I wish we could have cookie timeout tunable in our hands (so if no cookie reply for example in 5 or 10 or 30 sec just drop connection).
That will make defense way easier :)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue May 01, 2018 3:26 pm

Encrypt nand filesystem, so when some thief unsolders it, they can't read my config.
So, you'll need to enter encryption password each time router reboots? :)
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests

Mon May 07, 2018 12:29 pm

Please, implement band steering for wifi, especially in CAPsMAN.

Please, add support 802.1x for wire interfaces.
 
pedromrocha
just joined
Posts: 1
Joined: Wed Jul 05, 2017 5:01 pm

Re: Feature requests

Mon May 07, 2018 2:48 pm

Please implement TACACS authentication.

We can't get your equipment certified in an ISP without that feature.
 
netwpl
newbie
Posts: 27
Joined: Fri Jun 22, 2012 8:09 pm

Re: Feature requests

Wed May 09, 2018 8:37 am

Please, implement band steering for wifi, especially in CAPsMAN.

Please, add support 802.1x for wire interfaces.
1+
 
psannz
Member Candidate
Posts: 127
Joined: Mon Nov 09, 2015 3:52 pm
Location: Renningen, Germany

Re: Feature requests

Wed May 09, 2018 9:15 am

Please, add support 802.1x for wire interfaces.
Yes! +1, pretty please?
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Simple Queues - Please increase limits - they max at 4,294 Meg

Wed May 09, 2018 9:29 pm

BUMP - I originally posted this: Wed Mar 21, 2018 3:28 pm

Please increase Simple-Queue limits - they max at 4,294 Meg (aka 4.294 Gig)

ROS Simple-Queue - please increase the possible maximum limits and thresholds.
Currently on v6.41.3 and v6.41.2 (don't know about older versions and I have read nothing in newer versions) ,
The current maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
This presents a huge problem. I have multiple 10-Gig networks and on some networks I must use bandwidth limiters which are much faster than the built-in restricted values.

An example of need: 10-Gig physical Internet connection (using CHR) - Purchased Internet speed need to be maintained by my network equipment. Problem - the Mikrotik ROS will not accept any values greater than 4294M in any of the Winbox Simple-Queue fields

North Idaho Tom Jones
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Thu May 10, 2018 11:39 am

Tom, did you write to support@mikrotik.com ? Because this looks not like feature request but like important fix :)
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu May 10, 2018 6:45 pm

No this is just established standard functionality hitting limitations as technology proceeds.
The queue mechanism uses 32-bit values (variables) and so the values are limited to 2^32
In fact practical limits are lower because "buckets of data" have to be calculated to be transmitted on each timer tick
and when the datarate gets so high the buckets become very large and those bursts could hit other limits or not play
along with others as nicely as you would like.
So it is not as easy to fix as you might think.
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Fri May 11, 2018 6:48 pm

I suspect the simple-queue maximum value settings are going to be a bigger and bigger problem in the near future. - because of the new Mikrotik 40-Gig interfaces and newer/faster CPUs.

I can't help but wonder how much of the 64-Bit CHR software actually uses 64-bit instructions.
Many 64-bit CPU instructions use fewer CPU clock cycles compared to a 32-bit set of instructions doing the same software function.

If Mikrotik is gonna compete in the router throughput world with the other guys in the faster than 3-Gig environment, they need to do everything possible to gain every speed/function/feature advantage possible.

I think I will write to Mikrotik support.

North Idaho Tom Jones
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Tue May 15, 2018 1:09 am

EXTRA TAB CHANGE!!

The mere fact of viewing any of the parameters ACTIVATES the parameter and this is WRONG.
All entries should be blank and if you want to offer default settings, GREY THEM OUT.
Suggest putting an apply button or something.

This is not consistent with the rest of the filter rules.
Right now I call it the DANGER DANGER TAB. ;-)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue May 15, 2018 11:13 am

Huh... Any more details? What do you mean saying 'Activates'?.. Why can't you 'deactivate' it back? :)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Tue May 15, 2018 2:14 pm

Sorry Chupaka, I am just a beginner. I didn't know I was changing router settings just by looking at the parameters in the ExtraTab.
In my limited experience when I clicked on the little arrow tabs, I thought I was simply viewing the default parameters in those selections.
I did NOT REALIZE that I was activating those parameters.
This is not consistent with how we apply items elsewhere in winbox.

Thus suggesting that the default entries be grayed out and one has an implement button when one wants to turn grey into white.
Or it is like every other

Or add a warning at the bottom of the EXTRA TAB. Stating, opening these items ACTIVATES them.
If you do not want them activated CLOSE after viewing.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Tue May 15, 2018 3:54 pm

The same with TCP Flags and ICMP Option in Advanced tab.

Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Tue May 15, 2018 4:25 pm

As I stated, I am new to mikrotik.
To have to rely on intuition vice standard methods is a ridiculous way of setting up programming the router.
Every other selection I make on the router is checking a box, typing in a selection, pulling a selection from a pull-down menu.

I am not saying it's wrong, just that from my perspective it's bad design and terrible for the non-expert.
Would it hurt that much to have a fixed text at the bottom of the EXTRA TAB.....

"CAUTION: Opening up the parameters via the arrow icons, activates the parameters. If the entries are not modified, the default settings are accepted"

OR

"NOTE: Up facing arrow icons indicates an ACTIVE parameter"


If I could add an image here, and not from an URL, I would post one to give you an idea. :-(

EDIT,,,,,,,,, posted in elsewhere for viewing here.............. the llama cannot be stopped.

Well that was less than useful....... argggg Lets try that again....

https://www.dslreports.com/speak/slides ... RhcnQ9MTgw
Last edited by anav on Tue May 15, 2018 5:41 pm, edited 3 times in total.
 
Bergante
Member Candidate
Posts: 144
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: Feature requests

Tue May 15, 2018 5:23 pm

I've posted a message on the forwarding protocols area, linked from here:

viewtopic.php?f=14&t=134423

BFD support for static routes would be extremely useful. Basically, a static route would have an attribute to use BFD to check gateway availability. It's much better than check-gateway because it's a standard and it will help both a Mikrotik router and a router from a different manufacturer to detect a link down event.

I think it's simple to implement, even!
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests - ability to select :port on a telnet

Wed May 16, 2018 2:00 am

A new added feature I would like to see (when using Winbox to a client Mikrotik) , would be the ability to Tools-->Telnet-->Select (*) telnet and also select a port # to telnet to (and the same for SSH).

Example: Let's say a client Mikrotik has a natted LAN IP address of 192.168.1.1/24 and there is a web server on IP address 192.168.1.20 (possibly not running a non-standard port).
Normally, you can do a telnet to IP-Address:Port# , and when it connects, you can simply type in "GET /" to verify the web server is running. However, if you can't telnet to an alternate port, then it becomes much harder to test out port - which might require a TCP/IP port forward on the outside WAN interface to the inside - then originate your telnet to alternate port from another machine.

Let's say you have a web server locally connected to the same network as your work station - try this: Telnet ip-address:80
At connection , you might not see anything - however type in this: GET /
And you will get some web server information so that you know it is actually running.


North Idaho Tom Jones
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed May 16, 2018 2:17 am

I agree that selecting port in Tools->Telnet should be possible, but until it happens, you can do it from Terminal, it already works there:
/system telnet address=192.168.1.20 port=80
 
GuillermoHA
just joined
Posts: 2
Joined: Wed May 31, 2017 1:51 pm

Re: Feature requests

Tue May 22, 2018 6:30 pm

It would be great to see directly in /ip hotspot active what "user profile" users are using, without using address-list.
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Feature requests

Tue May 22, 2018 8:22 pm

Those units that have multiple PoE out ports under 'Health' menu the option to read the amps - watts of the input. Thus we can see what the total consumption is for attached devices AND this unit itself.

For many battery/solar operated units it's quite handy to see what the 'real' average power consumption is for a given actual setup.
(It would be even nicer if under 'graphs' a graph could be displayed for the last 24 hours of voltage amp/Watts consumption. Sometimes it is oh so handy to know when batteries were charged (= high voltage) and when not (low voltage). The total power consumption also gives us a power budget over a 24 hour period. Power consumption depends on radio usage and that depends on actual data throughput. With a graph we can see if our actual power budget (batteries! Solar panels) are actually up to their task.)
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Feature requests

Fri May 25, 2018 12:03 am

Is it possible to add something like a Web Application Proxy / redirector for HTTPS (SSL/TLS) traffic? Mikrotik would be able to DNAT or redirect HTTPS (generally SSL/TLS connections with SNI) for a specific URL to another IP. It would be usable for hiding more HTTPS servers with different URLs behind one public IP, or for very simple HTTPS (SSL/TLS) load balancing.
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri May 25, 2018 3:48 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
 
bdallen
just joined
Posts: 8
Joined: Fri Nov 07, 2014 12:28 pm
Location: Brisbane, Straya

Re: Feature requests

Mon May 28, 2018 3:43 am

no, the list does not influence our priorities, just gives us ideas about what people want to see.
Sorry Normis, and no disrespect to you, but what does influence this list? People screaming for proper vrf separation, IPSec VTI Support, DHCP Option 82 Snooping in ROS, Proper BNG Features, IPv6 Needs a lot of fixing, BFD (YMMV), BGPv4 MIB and many others.

But yet Kid Control turns up on a CCR??

Confused :S
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Mon May 28, 2018 5:01 am

Apparently IPSET uses the hdd memory in my HEX for address tables.
I am very low on HDD due to lists being used.
This is despite the fact that I have a 16 gig sd card and 16 gig usb stick in the unit.
FEATURE REQUEST: REMOVE IPSET limitation of internal HDD and be able to apply lists to usb or sdc.

As to the question above rather amusing but a good example of something that doesn't make sense.
Typically easy and no usage of capacity wins - or Kid Control is a billionaire and wants his feature (or significant segment of market) etc......
Last edited by anav on Mon May 28, 2018 2:06 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon May 28, 2018 10:37 am

ipset uses in-memory storage to be able to lookup an address quickly. the CPU can just walk along the list (using hashes and/or tree), without reading from SD card first.
when it would be on disk, it would take far too much time to do the lookup to do it in the routing path.
so it does not make sense to request ipset (ip firewall address-list) to be put on disk instead of in memory.
when your ipset uses too much memory, you should back down on the use you make of it and/or buy a router with more memory.
I don't think it makes any sense to have a list that is to be checked in the routing path to be offline on disk. That would only be useful in the proxy service.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Mon May 28, 2018 2:08 pm

Thanks pe1chl, that makes sense.
Oh well I have two hexes, perhaps I could connect them with a vulcan mind meld and have more memory available.
Which model do you suggest for a home owner, who is only trying to keep the dogs away from the home network.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon May 28, 2018 2:55 pm

The hEX r3 has 256 MB of RAM which is normally enough for quite large lists.
You should not try to make a dynamic address list to which items are added e.g. upon unexpected incoming traffic, as this makes the list grow very large.
It is better to focus on firewall settings to keep all that traffic out. That should be easy to do on the typical NAT routing config used at home.
Just don't allow remote management (i.e. do not allow any input from internet except for established/related).
When you really have to have remote management, configure some form of VPN service on the router and allow management only from authenticated VPN users.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Mon May 28, 2018 3:36 pm

I understand, I have fixed lists, based on firehol type information, and I do have some spammer,synflooder,scan lists but they are weighted or need x connections so they are rarely entered.
That said I have 3K left in hdd memory. Will see what I can do to reduce fixed lists..........
 
wfuzatto
newbie
Posts: 37
Joined: Wed Dec 28, 2016 3:46 am

Re: Feature requests

Wed May 30, 2018 7:01 am

What about a fixed VHT data rate for AC device? It would be a nice feature!
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

better ping feedback in scripting

Wed May 30, 2018 10:03 am

can we have at least the summary of the sent/received ping probes returned as values? all we have right now is the number of successful responses received.
[me@router] > put [ping 8.8.8.8 count=3]
  SEQ HOST                                     SIZE TTL TIME  STATUS          
    0 8.8.8.8                                    56  57 9ms  
    1 8.8.8.8                                    56  57 10ms 
    2 8.8.8.8                                    56  57 8ms  
    sent=3 received=3 packet-loss=0% min-rtt=8ms avg-rtt=9ms max-rtt=10ms 

3
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed May 30, 2018 10:12 am

In the scripts and schedules editor in winbox can we please add the ability to select all - ie ctrl a? At the moment in order to select a big script you have to manually drag from start to finish.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed May 30, 2018 4:14 pm

@Wyz4k: There's also Select All in right-click menu.
 
adziahel
just joined
Posts: 1
Joined: Tue May 29, 2018 1:06 pm
Location: Brest, Belarus

Re: Feature requests

Thu May 31, 2018 1:31 am

DNS-over-HTTPS or DNS-over-TLS, in that order of preference
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri Jun 01, 2018 3:18 am

@Wyz4k: There's also Select All in right-click menu.
There is indeed. Thanks Sob, you are a legend!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature requests

Wed Jun 06, 2018 4:34 pm

The same with TCP Flags and ICMP Option in Advanced tab.

Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD
Hi Chupakha I just wanted to say thanks for your patience, I am just a tad slow and finally get what you are saying.
Yes, without even knowing it I was using the up and down arrow functionality everywhere and thus should have realized what I was in effect doing on the extra page.
I still would like a note at the bottom of the page (text is cheap right?) for new users "Opening a field activates shown parameters, if Apply or OK is selected."
 
eroberts9
just joined
Posts: 7
Joined: Tue May 29, 2018 12:26 am

Re: Feature requests

Fri Jun 08, 2018 5:15 am

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
Not WDS AP/Slave where the bridge is wireless as it currently can work but having all radios connected Ethernet.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Fri Jun 08, 2018 1:11 pm

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc. :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 08, 2018 1:54 pm

So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc. :)
That is one way of doing it, but it does not really work well. Clients have to "hop" between access points and this often only happens when the signal has
become too weak to maintain the connection, so before that the client already experiences bad performance.
There are other competitors (Aruba networks, Ruckus, Zyxel and maybe others) who offer true seamless roaming where all your access points have the
same MAC address and the client connects with a "virtual" access point (a controller or a function in a master AP) and remains connected to that, only
the radio layer solves the location issue (all access points try to receive the client, the one who receives it strongest is used to send data to the client).
Indeed it is a nice feature, of course it has drawbacks but it performs best when clients are wandering around in a building or park.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Fri Jun 08, 2018 6:00 pm

When using multiple WiFi systems with the same SSID and wireless security settings, you should NOT have the APs perform NAT , but instead those APs should bridge the wireless wlan to an Ethernet network. Then have central core router perform NAT & DHCP on the inside LAN that the AP wireless clients are bridged to.
This will then permit client seamless roaming from AP to AP. When a client roams in your network of APs, the client maintains the same IP address.

If your APs are all doing NAT, then when a client roams to a different AP, you can experience all kinds of problems and end up with two of the same IP address on the same network.

North Idaho Tom Jones
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Fri Jun 08, 2018 6:27 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Fri Jun 08, 2018 6:45 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
One of the problems with RFCs and standards is that often 90% of manufacturer network devices only follow RFCs and standards by only 90%.
When you think about it - it's amazing that the Internet even works with all of the different connected brands of devices
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 08, 2018 10:51 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
There are standards for fast handover but they weaken the security. Also there are standards to provide roaming information so the clients know what other AP's to look
for, still there is trouble all the time. Those seamless roaming networks do not have those problems because the controller decides how it operates and it has complete
knowledge of the topology. However, MikroTik does not have products in that segment (and neither does Cisco, for that matter).
 
eroberts9
just joined
Posts: 7
Joined: Tue May 29, 2018 12:26 am

Re: Feature requests

Fri Jun 08, 2018 11:50 pm

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc. :)
There is only one association, a client does not reassociate if they move from one AP to another. There is not a loss of service when a client moves to a closer AP.

Somewhat like WDS works now via WDS AP -> WDS Slave except backhaul isn't wireless, it's via ethernet.
 
lesnikov
just joined
Posts: 17
Joined: Tue Jul 15, 2014 9:33 pm
Location: Slovenia

Re: Feature requests

Sat Jun 09, 2018 4:22 pm

Hey,

Probably posted before but here goes again. We need 802.1x integration on routerOS for wired ports.
Been looking for this feature for years now...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature requests

Mon Jun 11, 2018 3:24 pm

Due to SIP issues, a friend pointed out this thread.
viewtopic.php?t=129048

So requesting that mikrotik address the issues discovered.
Best to let the experts read and absorb just provided the following quotes....

The issue is stated as...... " A limitation of the UDP + NAT schema" in the mikrotik engine.
or stated another way......
"the conclusion is that the connection tracking engine's architecture on RouterOS is the root cause of this"
"The issue here is that Mikrotik's acceleration tactic of skipping the nat table for packets found in the connections list is the fault"
 
User avatar
DanielJB
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Mon May 27, 2013 3:05 pm

Tuneable wireless keep-alive interval

Mon Jun 11, 2018 5:21 pm

By default, RouterOS pings all idle wireless clients every 60s. With many associated clients over a larger area (therefore low bitrates) with 1-2 active at any given time, network efficiency is reduced and client battery life is reduced.

Disabling keepalive-frames causes issues wherein clients are listed in the registration table, but the wireless interface goes down.

Please make "/interface wireless set keepalive-frames" an adjustable delay, so we can set eg 300s rather than enabled at 60s or disabled.

Thanks!
Daniel
 
DummyPLUG
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Wed Jan 03, 2018 10:17 am

Re: Feature requests

Fri Jun 15, 2018 10:10 am

Please add port redirect in IPv6 firewall, it will be much easier to force all http/https redirect to proxy and redirect all free/public DNS server access back to local dns server.
p.s. newer linux kernel and ip6tables already support this, hope routeros will have this feature as well.
 
craterman
just joined
Posts: 22
Joined: Tue Oct 14, 2014 1:26 pm

Re: Feature requests

Sun Jun 17, 2018 12:34 pm

OSPF and BGP Graceful Shutdown
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

New type of APs - BaseStation - long range - PhasedArray

Wed Jun 20, 2018 9:34 pm

I would like Mikrotik to consider a new type of BaseStation AP
- Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors).
- Something that falls under FCC point-to-point higher power rules
- Something that functions similar to a beam-steering phased-array (where the system acts like a point-to-multi-point system).

Vivato (now out of business) did have two models of phased-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business, I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD perform testing on my Vivatos phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could achieve with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).

Another company just announced a BaseStation (Ubnt) which is claimed to support the following; 5 Gbps real Aggregate wireless throughput, MU-MIMO, 1,500 wireless clients, 10-Gig Ethernet interface (some serious stuff here !!!)

If the Ubnt BaseStation performs even close to what my Vivatos were doing, then this is a real serious contender for high-density high-volume high-throughput system.

The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
I would like to see a Mikrotik system that can achieve the same thing.


North Idaho Tom Jones
 
WirelessRudy
Forum Guru
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: New type of APs - BaseStation - long range - PhasedArray

Thu Jun 21, 2018 12:41 pm

I would like Mikrotik to consider a new type of BaseStation AP
- Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors).
- Something that falls under FCC point-to-point higher power rules
- Something that functions similar to a beam-steering phased-array (where the system acts like a point-to-multi-point system).

Vivato (now out of business) did have two models of phased-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business, I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD perform testing on my Vivatos phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could achieve with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).

Another company just announced a BaseStation (Ubnt) which is claimed to support the following; 5 Gbps real Aggregate wireless throughput, MU-MIMO, 1,500 wireless clients, 10-Gig Ethernet interface (some serious stuff here !!!)

If the Ubnt BaseStation performs even close to what my Vivatos were doing, then this is a real serious contender for high-density high-volume high-throughput system.

The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
I would like to see a Mikrotik system that can achieve the same thing.


North Idaho Tom Jones
Sounds interesting. But is part of the evolution in wireless also not that now the spectrum is saturated where 10 years ago it was hardly used? I mean, my first Mikrotik 2,4Ghz 802.11b outdoor AP on an 8dBi omnidirectional had no problem to communicate with my laptop at some 300-400 meters away. And that communication was the sending of an e-mail.
Now I am glad my new dual chain 802.11a/b/g/n/c laptop still has a connection to a 18dBi dual chain 90º sector with Netmetal 30dBm radio some 50 meters away. And I am not interested in sending an e-mail, it needs to be a 4K streaming full duplex Skype video conversation (I am a bit exaggerating).....
10 years ago in a 2,4Ghz scan I'd performed all I saw was my own AP..... Now a scan reveals some 100+ radios..... Ok, we have 5Ghz now, but that is sort of similar. My 5Ghz AP's easily pick up 20 other AP's.... and there must be several hundreds of CPE's communicating with them.

I must mention though we have one 'alien brand' AP working on a village that is also full of 5Ghz AP's and users, but they work with their own protocol on the 5Ghz band. They work with 4 antennas on one AP and then each of these 60º sectors are overlapping to get some 200º reach. The AP works on 10Mhz wide channels but each antenna has its own frequency slightly different from the others. Now the OS switches connected CPE's to that sector with a good enough signal to supply the top PHY rate achievable that carries the least traffic. The result is that each of the connected clients have no issue to reach the OS limited top download of just over 30Mbps and sustain that for prolonged times. Basically each sector can sustain a full 30+Mb download to a single client thus the AP can do 4 at once.... in a 10Mhz channel! Low latency, sustained speed...... Try that with a Mikrotik 20 or even 40Mhz normal Wifi solution....
Over the same village we have 2 more AP's, both Netmetal and working 5Ghz NV2 or plain 802.11ac but 30Mbps is only possible if that client is the only one using the AP and only peak speeds. This is with -45dB signals all duo chain 20Mhz wide channels.....

So yeah, there are better ways of doing wireless.....
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Thu Jun 21, 2018 6:48 pm

WirelessRudy
unrelated to this forum topic ...
Back in 2002, I did a site-survey in all areas we now service (20+ towns/cities). I found zero APs.
Earlier this year , I did a site-survey using 1,000 customer Mikrotiks I manage (I used a Linux script). I found several thousand different APs.
 
datajerk
newbie
Posts: 36
Joined: Sun Aug 28, 2016 1:02 am

Re: Feature requests

Fri Jun 29, 2018 4:02 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.

If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. Your telnet client C&P will work just fine.
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Fri Jun 29, 2018 4:46 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. Your telnet client C&P will work just fine.
This is the feature requests channel. I am requesting a very basic feature that will take all of 30 seconds for somebody to add.

New request:
[admin@MikroTik] > { :put [:resolve www.example.com]; :put "lala";}
failure: dns name does not exist

Please add a way to read the error ("failure: dns name does not exist" in the error above) when using the on-error catch below.

:do {
:put [:resolve www.example.com];
} on-error={ :put "resolver failed"};
 
raymondr15
Member Candidate
Member Candidate
Posts: 118
Joined: Fri Sep 05, 2014 1:11 am
Location: East London, South Africa
Contact:

Re: Feature requests

Mon Jul 09, 2018 9:39 pm

Please add support for USB booting on RouterBoards so we can have the ability to install RouterOS onto a USB drive.
Maybe in NetInstall also make it possible to choose which device RouterOS should be installed to if there is more than one. ie: nand, USB...

Reason 1: In case something happens to the nand chip on the RouterBoard.
Reason 2: For testing purposes to test RouterOS releases without making changes to the nand config/software.
Reason 3: In case someone is doing heavy changes all the time that will put undue strain on the nand.
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Jul 10, 2018 6:33 am

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Tue Jul 10, 2018 12:34 pm

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
/ip ssh set always-allow-password-login=yes
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Jul 10, 2018 1:03 pm

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
/ip ssh set always-allow-password-login=yes
Not for winbox though.
 
User avatar
genesispro
Member Candidate
Member Candidate
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: Feature requests

Tue Jul 10, 2018 1:19 pm

I would also like it to be possible to set winbox to a state where changes are pending and the moment all changes are done to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.

To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client which would of course have to be done locally... or with a script!
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Tue Jul 10, 2018 1:27 pm

Not for winbox though.
Yeah. Also not for WebBox, not for Telnet, not for API...

Anyway, your initial message was not about WinBox. If you need WinBox - use SSH with port forwarding for WinBox :)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Tue Jul 10, 2018 1:31 pm

I would also like it to be possible to set winbox to a state where changes are pending and the moment all changes are done to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.

To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client which would of course have to be done locally... or with a script!
Not a script, but in a Terminal:
{
  /interface bridge port remove [find interface=ether1]
  /ip dhcp-client add disabled=no interface=ether1
}
or
/interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1
 
User avatar
genesispro
Member Candidate
Member Candidate
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: Feature requests

Tue Jul 10, 2018 1:50 pm

Well I use winbox and/or API so with neither I could do it remotely since I would lose at the first step the remote connection


I would also like it to be possible to set winbox to a state where changes are pending and the moment all changes are done to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.

To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client which would of course have to be done locally... or with a script!
Not a script, but in a Terminal:
{
  /interface bridge port remove [find interface=ether1]
  /ip dhcp-client add disabled=no interface=ether1
}
or
/interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Tue Jul 10, 2018 2:18 pm

Well I use winbox and/or API so with neither I could do it remotely since I would lose at the first step the remote connection
Just press Terminal on the left of WinBox. If you use "{ }" - commands inside of brackets will be executed when you press Enter after the bracket. Like this:
[admin@s.internal] > {
{... :put "here"                                 
{... :put "we"  
{... :put "go!"
{... }         
here
we
go!
[admin@s.internal] > 
 
nicutdk
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Re: Feature requests

Mon Jul 16, 2018 1:27 pm

Hi,

I want to make a suggestion for IP cloud
So...

It would be nice to have a feature to associate IPcloud from routerOS with a Mikrotik Account to manage all mikrotik routers.

For example, I have many clients and I make my own structure to manage. If I forgot to add, it is too hard to put again.


Regards,
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Jul 16, 2018 2:18 pm

A WiFi TDMA mode that is compatible with UBNT airMAX.
We usually have a mix of MikroTik/UBNT access points and clients in our network so we can only use bare 802.11 even when TDMA would perform much better.
Alternative: an IEEE standard for this mode that is implemented by both companies.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jul 17, 2018 10:36 am

Netinstall for Linux, or documentation of the netinstall process so it can be programmed for Linux by someone else.
 
diode
newbie
Posts: 32
Joined: Sun Sep 13, 2009 8:40 pm

Re: Feature requests

Tue Jul 17, 2018 12:24 pm

Having an integrated 5 GHz Backup in LHG 60.

Now I need to mount 2 dishes plus a HEX POE for power ...
 
WirelessRudy
Forum Guru
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Feature requests

Tue Jul 17, 2018 2:29 pm

A WiFi TDMA mode that is compatible with UBNT airMAX.
We usually have a mix of MikroTik/UBNT access points and clients in our network so we can only use bare 802.11 even when TDMA would perform much better.
Alternative: an IEEE standard for this mode that is implemented by both companies.
Now you'd wish manufacturers to give one of their main tools to keep clients with them away...

tdma is a 'proprietary' protocol. Meaning every radio manufacturer can deviate from the IEEE standard to improve (or at least try to...) the standard on their own. Hence they do and each and every manufacturer has its own ideology and arguments to do it the way they do.

And why should Mikrotik allow Ubiquiti to use their standard, or vice versa. And others?
Many WISPs made a choice some years ago to go for one brand. Now they are 'married' to that brand if they use tdma. Imagine tdma could be freely used in-between brands. Mikrotik probably would have been bankrupt by then since many WISPs would over time then have moved to other platforms.

And to show how complicated it is anyway. The eCambium 'elevate' product line was supposed to be working with 3rd party devices. So far after 2 years of promises it still only worked for Ubnt devices and I believe one model of Mikrotik.

So if you really want to stick to a 'multi brand' network you have to stick to plain 802.11 and to be honest, if you use 'ac' with good antennas and properly configured (RTS/CTS!) that protocol might work in several circumstances better than tdma what I already proved in some posts and just the last week still see is the case. Even after the latest ROS v.6.42.6 I have some P2MP network running in 802.11 instead of NV2 because it gives much more capacity for the single client and in total over the AP...
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jul 17, 2018 2:47 pm

We are operating an amateur radio network and we do not control the manufacturer of equipment chosen by the users.
And in fact, the product gamma of the two main manufacturers has been varying over time to give preference to one or the other.
e.g. before the LHG there was no cheap MikroTik user device with some gain, the SXT was too small for many users.
UBNT has the AirGRID devices which, although single-polarization, work over longer distances.
Now with the LHG this has changed, but we still have:
- sites with UBNT AP and a mix of AirGRID and LHG/SXT clients
- sites with MikroTik AP and a mix of AirGRID and LHG/SXT clients
Practice shows that the UBNT AP works better in the presence of interference (less problems with spurious RADAR detection)
but the LHG is the better choice for user equipment because it uses both polarisations.

It would be nice if both of them could operate under the same managed access protocol. I have no idea of the internals
of the different protocols now in use. The term TDMA is a bit worrying, hopefully (and likely) it does not mean there is a fixed
timeslot allocation for clients. A good protocol would use some form of round-robin polling of the clients with polling priority
dropping when traffic is low. Something more like DAMA.

I think when neither MikroTik nor UBNT come up with some openness, the IEEE should publish a standard. Then both
manufacturers can do nothing but implement that standard (possibly alongside their own offering) or they would lose all
their marketshare to a manufacturer that does.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature requests

Tue Jul 17, 2018 4:32 pm

Netinstall for Linux, or documentation of the netinstall process so it can be programmed for Linux by someone else.
+1

Also it would be nice if a MikroTik installation itself can be a netinstall server for another RouterBoard.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jul 17, 2018 5:44 pm

And install of a clean new RouterOS in an inactive partition on a router with 2 or more partitions.
Router running from Active partition part0, download new npk files and do "install into part1",
optionally copy config from part0 to part1, set part1 to Active and reboot: new clean install without doing netinstall.
 
andreiroos
just joined
Posts: 12
Joined: Sat Oct 01, 2016 8:22 pm

Re: Feature requests

Wed Jul 18, 2018 4:26 pm

I saw that it is mentioned to have the ability to set limits in queues from child queues to be expressed in a percentage value of the parent. This has been mentioned in 2012 (saw it on tab 5). Would also like it to be implemented especially for the fact that our internet connections get throttled (shaped) at times and this would make life much easier to adjust only the parent queue to implement speed changes.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Wed Jul 18, 2018 11:40 pm

Winbox proxy ???

It might be nice to be able to connect to another Mikrotik using the 1st mikrotik as a proxy to be able to connect up to a 2nd Mikrotik.

Where an admin might not be able to directly connect to the 2nd mikrotik, but if the 1st mikrotik can mac/IP connect to the 2nd then allow a winbox proxy connection through the 1st mikrotik to a 2nd mikrotik.
 
ditonet
Forum Veteran
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: Feature requests

Thu Jul 19, 2018 1:04 am

@TomjNorthIdaho
RoMON
https://wiki.mikrotik.com/wiki/Manual:RoMON

Regards,
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Jul 19, 2018 11:43 am

@TomjNorthIdaho
RoMON
RoMON works only over L2 transparent links. A proxy could be operating at IP level. A nice feature would be to add an IP-level layer to RoMON so you can
extend the RoMON network like this:

PC <---------IP link--------------->Router1<----------L2 link ----------->Router2

and then access Router2 "via RoMON" from the PC. This can now be done only at commandline-level, not winbox.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature requests

Thu Jul 19, 2018 12:04 pm

 
craterman
just joined
Posts: 22
Joined: Tue Oct 14, 2014 1:26 pm

Re: Feature requests

Thu Jul 19, 2018 2:31 pm

Please make the opportunity to make rules for the firewall with timerange starting today and ending at some time tomorrow. For example from 20:00:00 to 06:00:00
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature requests

Thu Jul 19, 2018 2:37 pm

[admin@rOS] /ip firewall> filter add time=

Time ::= [!]Start-End,Day
Start -- 0s..1d (time interval)
End -- 0s..1d (time interval)
Day ::= sun|mon|tue|wed|thu|fri|sat[,Day*]
 
WirelessRudy
Forum Guru
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Feature requests

Fri Jul 20, 2018 1:08 am

When testing P2MP networks for best throughput and latency you need to run a test from several CPE's (in a 'all MT' network) and then switch between the different protocols and setting to see what gives best result.
Each time, though, the connection with the AP is lost due to a config change, and the CPE needs to be opened up again in its winbox session. And each time all settings for the bandwidth test are gone... each time you need to fill these in again.

Can bandwidth test not be made to at least remember its settings? It has to be stopped when the CPE drops the connection over the interface the test runs on, but it would be oh so helpful if the settings for the test just came back after the winbox session is opened again. Just click on 'run' and the test can run again.

Would make it a great time saver in troubleshooting and fine tuning P2MP networks...
 
metricmoose
newbie
Posts: 48
Joined: Sat Nov 21, 2015 2:03 am

Re: Feature requests

Sat Jul 28, 2018 5:25 am

I would like some way of hiding profiles in usermanager from the customer-facing parts, like in the signup and user pages. This would allow us to generate vouchers that will be priced differently or have different limitations than what's available on the self-signup, without making those packages available to self-signup customers.
 
wpeople
Member
Member
Posts: 378
Joined: Sat May 26, 2007 6:36 pm

Re: Feature requests

Sat Jul 28, 2018 4:21 pm

Winbox proxy ???

It might be nice to be able to connect to another Mikrotik using the 1st mikrotik as a proxy to be able to connect up to a 2nd Mikrotik.

Where an admin might not be able to directly connect to the 2nd mikrotik, but if the 1st mikrotik can mac/IP connect to the 2nd then allow a winbox proxy connection through the 1st mikrotik to a 2nd mikrotik.
If you can connect to the 1st mikrotik via TCP (ssh), then using putty, you can configure additional port forwards on the fly.
(using linux, port forward should be added at connection - windows based putty allows on the fly)

Like: ssh into box1, open putty configuration (connection/ssh/tunnels) add new tunnel: 8291 -> 192.168.1.2:8291

That means for a connection to localhost:8291, putty will grab those packets and push them to the ssh server (remote mikrotik), which forwards them to 192.168.1.2:8291 on the remote site,
and vice versa
 
taduikis
Member
Member
Posts: 436
Joined: Sat Jul 07, 2007 12:09 pm

Re: Feature requests

Sat Jul 28, 2018 5:53 pm

When testing P2MP networks for best throughput and latency you need to run a test from several CPE's (in a 'all MT' network) and then switch between the different protocols and setting to see what gives best result.
Each time, though, the connection with the AP is lost due to a config change, and the CPE needs to be opened up again in its winbox session. And each time all settings for the bandwidth test are gone... each time you need to fill these in again.

Can bandwidth test not be made to at least remember its settings? It has to be stopped when the CPE drops the connection over the interface the test runs on, but it would be oh so helpful if the settings for the test just came back after the winbox session is opened again. Just click on 'run' and the test can run again.

Would make it a great time saver in troubleshooting and fine tuning P2MP networks...


I use The Dude for this. Leave the Btest windows open and configure as you want..
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed Aug 01, 2018 9:04 am

Please implement a proper auto channel selection that looks at the usage and noise floor of each frequency in the scanlist before choosing a channel.

And not one that just counts how many devices it sees per frequency (as per now): viewtopic.php?f=7&t=122063&p=677377#p600476
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Wed Aug 01, 2018 6:05 pm

Please implement a proper auto channel selection that looks at the usage and noise floor of each frequency in the scanlist before choosing a channel.

And not one that just counts how many devices it sees per frequency (as per now): viewtopic.php?f=7&t=122063&p=677377#p600476
+1
When a WISP has multiple APs with the same SSID (nv2 APs), often a client will not select the best AP but rather the 1st AP it finds.

I would like to see some client optional settings that will allow an administrator to define some parameters when scanning for an AP to connect to. Such options might include:
- Scan time prior to making a connection to an AP
- AP selection by one of the following:
-- Strongest AP signal strength
-- Best Signal To Noise ratio
-- Best estimated CCQ
-- Fastest connect receive rate

The current client scan to find an AP is not adequate and very often does NOT select the best possible AP when there are many candidate APs to connect to.


Example … As a LAB test … If you use SuperChannel with a scan list of 5000-6000 and you have 30 APs, the clients will probably NOT select the best AP to connect to. Also, some APs might never get a connection and some APs will get almost all of the client connections. There needs to be a better system for client to AP load distribution so that multiple APs are balanced with near equal clients per AP.


Or one possible solution --- I suspect the current client scan for AP mechanism scans starting at the lowest frequency in the scan list then walks up through higher frequencies. I suspect a better client scan system might be to randomize the scan list search order to find an AP. Then multiple APs might have near equal client connection counts.

North Idaho Tom Jones
 
DmitryAVET
Member Candidate
Member Candidate
Posts: 112
Joined: Thu Mar 26, 2015 12:27 am
Location: Ukraine, Mukachevo
Contact:

Re: Feature requests

Wed Aug 08, 2018 11:07 am

Hello,

Graphing is a very cool tool, but... it is killing flash when using the "Store on Disk" option (Interface/Queue/Resources).

7 days = 100K+ writes to flash...

Please add the possibility to store data on external storage, like USB flash or a microSD card.
 
Wyz4k
Member Candidate
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed Aug 08, 2018 11:13 am

Please add all items that are in wireless -> registration table to CAPSMAN -> registration table. I regularly use the last-ip column for example which is not available in CAPSMAN.
 
mlow
just joined
Posts: 18
Joined: Sun Oct 05, 2014 10:42 am

Re: Feature requests

Thu Aug 09, 2018 3:10 pm

I'm throwing this on the list a second time.
Support for RFC6939, i.e, the client link-layer address option, enabling a DHCPv6 relay to pass a client's link-layer address (MAC address) as an option (number 79) to a DHCPv6 server, whereupon the server can use that information for static lease reservation, etc.

The need for such is currently described on the DHCPv6 wikipedia page, here: https://en.wikipedia.org/wiki/DHCPv6#RF ... ess_Option
 
dimonana
just joined
Posts: 3
Joined: Thu Aug 09, 2018 3:19 pm

Re: Feature requests

Thu Aug 09, 2018 3:23 pm

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
 
Lombart
just joined
Posts: 18
Joined: Mon Mar 05, 2012 11:18 am

Re: Feature requests

Mon Aug 13, 2018 6:34 am

add dual-wan mode at quickset
it really helps us

thank you
 
liwest_alx
just joined
Posts: 3
Joined: Mon Jul 07, 2008 4:00 pm

Re: Feature requests

Mon Aug 13, 2018 1:30 pm

CRS112-8P-4S:
SNMP Oid's for PSU1 + PSU2 Voltage or at least a status.
Currently only Temperature under system health supported.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Mon Aug 13, 2018 1:33 pm

CRS112-8P-4S:
SNMP Oid's for PSU1 + PSU2 Voltage or at least a status.
Currently only Temperature under system health supported.
So you see it under /system health print?
If so, you can use Script/Syslog/Splunk to graph it.

See here on how I monitor Temperature.
viewtopic.php?t=137338
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: Feature requests

Mon Aug 13, 2018 9:23 pm

Hi Mikrotik Staff,
any chance of implementing an MLPPP server?

Read: viewtopic.php?f=1&t=66192&p=679772#p679772
 
eroberts9
just joined
Posts: 7
Joined: Tue May 29, 2018 12:26 am

Re: Feature requests

Tue Aug 14, 2018 4:15 am

DFS certification for the US.
 
paulct
Member
Member
Posts: 336
Joined: Fri Jul 12, 2013 5:38 pm

Re: Feature requests

Tue Aug 14, 2018 10:53 am

Until there is version 7, or whatever it is called. Can we get a BGP peer priority?

e.g say if you need to upgrade ROS, swap out a CCR, or reboot - each BGP is assigned a priority and receives/sends routes according to that policy in order?
e.g:
Peer 1 - default route (priority 1)
IX route server - priority 2
IX2 route server - priority 3
Private peer 1 - Priority 4
Private peer 2 - Priority 5

In that way, essential peer routes are loaded into the routing table first according to what you decide. This would help when provider A peers on a route server and you privately peer with them - rather load the routes from the route server first and so on. We know ROS is not great loading thousands of routes - but at least with this method there is some control.

Maybe even a timer or such?

Basically a stop gap solution until we have higher clocked CPU's / better software.
 
User avatar
LucZWFM
Member Candidate
Member Candidate
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: Feature requests

Tue Aug 14, 2018 1:06 pm

Making the headers of the tables sticky, so when one scrolls down one still sees the header...

What I mean with header:

Image

Make the gray part sticky please. It's much more comfortable if it does not disappear when scrolling down...

Thanks!
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests - SNMP OID Ethernet link speed

Tue Aug 14, 2018 5:59 pm

Feature requests - SNMP OID Ethernet link speed

It would be great to have SNMP OIDs for Ethernet link speeds. (if they are there , I have not spotted them yet).

These could be very useful to detect when an Ethernet link changes link speed. Such as when what is/was supposed to be a 1-Gig link changes to a 100 meg link.

North Idaho Tom Jones
 
Omniflux
just joined
Posts: 12
Joined: Sun Sep 19, 2004 1:27 am
Location: Nephi, UT. USA
Contact:

Re: Feature requests - SNMP OID Ethernet link speed

Tue Aug 14, 2018 8:22 pm

Feature requests - SNMP OID Ethernet link speed

It would be great to have SNMP OIDs for Ethernet link speeds. (if they are there , I have not spotted them yet).

These could be very useful to detect when an Ethernet link changes link speed. Such as when what is/was supposed to be a 1-Gig link changes to a 100 meg link.

North Idaho Tom Jones
$ snmpwalk -v2c -c public 192.168.88.1 |grep ifSpeed
IF-MIB::ifSpeed.1 = Gauge32: 0
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 1000000000
IF-MIB::ifSpeed.4 = Gauge32: 0
IF-MIB::ifSpeed.5 = Gauge32: 100000000
IF-MIB::ifSpeed.6 = Gauge32: 1000000000
IF-MIB::ifSpeed.7 = Gauge32: 0
IF-MIB::ifSpeed.8 = Gauge32: 0
IF-MIB::ifSpeed.9 = Gauge32: 1000000000
IF-MIB::ifSpeed.10 = Gauge32: 1000000000
IF-MIB::ifSpeed.12 = Gauge32: 100000000
IF-MIB::ifSpeed.14 = Gauge32: 1000000000
IF-MIB::ifSpeed.15 = Gauge32: 0
IF-MIB::ifSpeed.17 = Gauge32: 0
IF-MIB::ifSpeed.18 = Gauge32: 100000000
IF-MIB::ifSpeed.21 = Gauge32: 10000000
IF-MIB::ifSpeed.22 = Gauge32: 0
IF-MIB::ifSpeed.24 = Gauge32: 0
IF-MIB::ifSpeed.25 = Gauge32: 1000000000
 
User avatar
StubArea51
Trainer
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: Feature requests - SNMP OID Ethernet link speed

Tue Aug 14, 2018 10:53 pm

Feature requests - SNMP OID Ethernet link speed

It would be great to have SNMP OIDs for Ethernet link speeds. (if they are there , I have not spotted them yet).

These could be very useful to detect when an Ethernet link changes link speed. Such as when what is/was supposed to be a 1-Gig link changes to a 100 meg link.

North Idaho Tom Jones
+1 !!!!!!
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 14, 2018 11:06 pm

As was written above, this feature is already available. And has been for as long as I use RouterOS. So "that could be" and "+1" is completely meaningless.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Wed Aug 15, 2018 8:25 am

It works fine on my hEX RB750Gr3
snmpwalk -v2c -c public 192.168.0.1  .1.3.6.1.2.1.2.2.1.5
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 1000000000
IF-MIB::ifSpeed.5 = Gauge32: 1000000000
IF-MIB::ifSpeed.6 = Gauge32: 10000000
IF-MIB::ifSpeed.8 = Gauge32: 1000000000
IF-MIB::ifSpeed.9 = Gauge32: 100000000
IF-MIB::ifSpeed.10 = Gauge32: 1000000000

snmpwalk -v2c -c public 192.168.0.1 .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: ether1-Wan
IF-MIB::ifDescr.2 = STRING: bridge_vlan1
IF-MIB::ifDescr.3 = STRING: ether3
IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
IF-MIB::ifDescr.5 = STRING: ether5-Linux_server
IF-MIB::ifDescr.6 = STRING: pptp-in1
IF-MIB::ifDescr.8 = STRING: ether2-Cisco-Switch
IF-MIB::ifDescr.9 = STRING: bridge-vlan20
IF-MIB::ifDescr.10 = STRING: eth2-vlan20
And on hAP lite 941-2
snmpwalk -v2c -c public 192.168.0.80 .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: wlan1
IF-MIB::ifDescr.2 = STRING: ether1
IF-MIB::ifDescr.3 = STRING: ether2
IF-MIB::ifDescr.4 = STRING: ether3
IF-MIB::ifDescr.5 = STRING: ether4
IF-MIB::ifDescr.6 = STRING: bridge

snmpwalk -v2c -c public 192.168.0.80 .1.3.6.1.2.1.2.2.1.5
IF-MIB::ifSpeed.1 = Gauge32: 50000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 0
IF-MIB::ifSpeed.5 = Gauge32: 10000000
IF-MIB::ifSpeed.6 = Gauge32: 100000000
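
Added example (not part of any post in this thread): the link-speed check requested above, built on the `ifDescr` and `ifSpeed` columns shown in the `snmpwalk` output. The two polls are constructed sample data modelled on the hEX output, and the function names are hypothetical.

```python
import re

# Matches net-snmp's default output for the two IF-MIB columns used in the thread:
#   IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
#   IF-MIB::ifSpeed.4 = Gauge32: 1000000000
LINE_RE = re.compile(r"^IF-MIB::(ifDescr|ifSpeed)\.(\d+) = (?:STRING|Gauge32): (.*)$")

# ifSpeed is a 32-bit gauge in bits per second; links faster than this value
# report the maximum, and IF-MIB's ifHighSpeed (Mbit/s) must be polled instead.
GAUGE32_MAX = 4294967295


def parse_walk(text):
    """Return {ifIndex: {"descr": str, "speed": int}} from snmpwalk output."""
    table = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank lines, other MIB columns, error text
        column, index, value = match.group(1), int(match.group(2)), match.group(3).strip()
        row = table.setdefault(index, {})
        if column == "ifDescr":
            row["descr"] = value
        else:
            row["speed"] = int(value)
    return table


def classify(old, new):
    """Name the kind of change between two ifSpeed readings."""
    if GAUGE32_MAX in (old, new):
        return "saturated-gauge"  # cannot compare, use ifHighSpeed
    if new == 0:
        return "link-down"
    if old == 0:
        return "link-up"
    return "downgrade" if new < old else "upgrade"


def speed_changes(previous, current):
    """Compare two polls; return (ifIndex, descr, old, new, kind) per changed port.

    Only indexes present in both polls are compared, so dynamic interfaces
    (for example a PPTP session that comes and goes) do not raise events.
    """
    events = []
    for index in sorted(set(previous) & set(current)):
        old = previous[index].get("speed")
        new = current[index].get("speed")
        if old is None or new is None or old == new:
            continue
        descr = current[index].get("descr", "ifIndex %d" % index)
        events.append((index, descr, old, new, classify(old, new)))
    return events


# Constructed sample polls, modelled on the hEX output quoted in the thread.
PREVIOUS_POLL = """
IF-MIB::ifDescr.1 = STRING: ether1-Wan
IF-MIB::ifDescr.3 = STRING: ether3
IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
IF-MIB::ifDescr.5 = STRING: ether5-Linux_server
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 1000000000
IF-MIB::ifSpeed.5 = Gauge32: 1000000000
"""

CURRENT_POLL = """
IF-MIB::ifDescr.1 = STRING: ether1-Wan
IF-MIB::ifDescr.3 = STRING: ether3
IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
IF-MIB::ifDescr.5 = STRING: ether5-Linux_server
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 100000000
IF-MIB::ifSpeed.5 = Gauge32: 0
"""

if __name__ == "__main__":
    for index, descr, old, new, kind in speed_changes(
        parse_walk(PREVIOUS_POLL), parse_walk(CURRENT_POLL)
    ):
        print("%-10s %s (ifIndex %d): %d -> %d bit/s" % (kind, descr, index, old, new))
```

In use, the previous poll would be read from the last saved `snmpwalk` output rather than from an inline string.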
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Wed Aug 15, 2018 7:26 pm

It would be nice if there was a "print oid" output result that contained the OID for ethernet link speed.

North Idaho Tom Jones
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature requests

Sat Aug 25, 2018 3:09 pm

Feature request: AES hardware acceleration for OpenVPN
 
tigro11
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Tue Feb 20, 2018 12:31 am

Re: Feature requests

Tue Aug 28, 2018 12:11 am

hi guys, it seems to me that it is still not possible to change the date format in dd/mm/yyyy. It would be very useful as I also work with userman reports.
Does anyone have a solution?
thank you
Valerio
 
User avatar
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Wed Aug 29, 2018 1:00 am

rfc 6286 - AS-wide Unique BGP Identifier for BGP-4 support for routerOS BGP.

it relaxes some strict definitions: routerid can be now an arbitrary 32 bit unsigned integer, while the older definition restricts it to "valid unicast address".
this breaks BGP compatibility with mikrotik devices right now if not taken in consideration.

in general you only need to remove the check that was required in rfc4271.

this needs to be worked out with IPv6-only devices where you don't have an IPv4 address to be used as bgp identifier.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Wed Aug 29, 2018 1:05 am

A somewhat simple feature I would like to see in ROS.
The ability to restore a backup and have the option to "Do Not Re-Write MAC Addresses"

it would be great to be able to restore a Mikrotik and have the option to NOT re-write every ethernet & wlan & bridge MAC address
North Idaho Tom Jones
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Feature Request CLI site-survey include Radio-Name

Wed Aug 29, 2018 10:17 pm

Feature Request CLI site-survey include Radio-Name

I would like to see the CLI site-survey include "Radio-Name" in the results.
When using winbox, you can see "Radio-Name" in the site-survey results - however when using the CLI such as my example below:
/interface wireless> scan wlan1 duration=90 save-file=SiteSurvey.txt
the CLI site-survey does not include "Radio-Name" in the results.

FYI - I am using NV2
FYI - in all of my Mikrotik APs, I use radio names similar to this: Radio-Name 172-16-10-89-Mica-N/AC-2x2
FYI - I can't simply use SSID , because I have hundreds of Mikrotiks APs using the same SSID.

Without the radio-name in the survey results, it makes it difficult to quickly identify which APs are actually being seen and I have to refer back to MAC addresses and frequency to determine which AP is actually being seen.

North Idaho Tom Jones
 
DummyPLUG
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Wed Jan 03, 2018 10:17 am

Re: Feature requests

Mon Sep 03, 2018 5:40 pm

Resend syslog email if it fails to send. Currently any syslog email is discarded if it fails to send, which raises a problem if the WAN or mail server is down.
 
Simono
newbie
Posts: 49
Joined: Tue Mar 20, 2018 9:41 am

Re: Feature requests

Mon Sep 03, 2018 5:56 pm

Support for ups APC Back-CS via USB cable.
 
tigro11
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Tue Feb 20, 2018 12:31 am

Re: Feature requests

Mon Sep 03, 2018 8:35 pm

hi guys, it seems to me that it is still not possible to change the date format in dd/mm/yyyy. It would be very useful as I also work with userman reports.
Does anyone have a solution?
thank you
Valerio
news?
 
thobias
newbie
Posts: 25
Joined: Thu Nov 30, 2017 8:45 pm

Re: Feature requests

Mon Sep 03, 2018 9:22 pm

1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
Please add this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
http://prntscr.com/kq653h
Also do the same on src/dst-address and in/out-interface so we don't have to create a list if just needing a rule with two or three addresses as it makes config more neat.
 
helipos
Member Candidate
Member Candidate
Posts: 132
Joined: Sat Jun 25, 2016 11:32 am

Re: Feature requests

Wed Sep 05, 2018 12:14 pm

I would like to see something like triggers when an interface state changes, so router can run a script (like ip-up/ip-down on "real" Linuxes).
+1
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Sep 05, 2018 2:10 pm

1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
Please add this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
http://prntscr.com/kq653h
Also do the same on src/dst-address and in/out-interface so we don't have to create a list if just needing a rule with two or three addresses as it makes config more neat.
The underlying Linux mechanism does have a "list of lists" feature so it would be easy to add a "list12" that has "list1" and "list2" as members and then specify that as src-address-list.
There is no support to have several lists or several addresses in a single firewall item. You can only do that by having several separate items and indeed that is what happens when you try that in Linux.
(you insert a simple rule with different addresses and when you look later you have several rules in your table)
 
User avatar
Moky
just joined
Posts: 6
Joined: Sat Apr 08, 2017 10:50 pm

Re: Feature requests

Wed Sep 05, 2018 3:29 pm

Hi,

I would like to suggest two things:
  1. Webproxy HTTPS support (any of two listed options or both):
    • Possibility to address HTTPS domains with SNI parameter like "tls-host" option in MikroTik filter (e.g. ability to create rules in webproxy with "tls-host").
    • MitM HTTPS decryption support with imported certificate which is trusted on client machines.
  2. NTP client option to show more information about NTP server (like "stratum" etc. - Cisco has a nice info about any configured remote NTP server).

Kind regards,
Moky
 
thobias
newbie
Posts: 25
Joined: Thu Nov 30, 2017 8:45 pm

Re: Feature requests

Wed Sep 05, 2018 4:12 pm

1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
Please add this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
http://prntscr.com/kq653h
Also do the same on src/dst-address and in/out-interface so we don't have to create a list if just needing a rule with two or three addresses as it makes config more neat.
The underlying Linux mechanism does have a "list of lists" feature so it would be easy to add a "list12" that has "list1" and "list2" as members and then specify that as src-address-list.
There is no support to have several lists or several addresses in a single firewall item. You can only do that by having several separate items and indeed that is what happens when you try that in Linux.
(you insert a simple rule with different addresses and when you look later you have several rules in your table)
But what is preventing Mikrotik from making it possible to create hidden lists from several IPs specified in a single rule or having a rule match if IP exists in list A or list B?
 
w0lt
Long time Member
Long time Member
Posts: 537
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

Feature requests: Winbox

Wed Sep 05, 2018 4:36 pm

1. Please allow the ability to make multiple window column selections instead of "one at a time".
2. Please move the "Torch" selection from the "Tools" to the "Main Menu" !!! :D

Thanks

-tp
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Sep 05, 2018 5:56 pm

But what is preventing Mikrotik from making it possible to create hidden lists from several IPs specified in a single rule or having a rule match if IP exists in list A or list B?
It would not be a good idea to do that because it introduces new possibilities for bugs.
It is also not good for your own network management.

On routers in complicated networks I have lots of address lists often with only a single address or subnet in them, sometimes 2 or 3, and I use them all over the place in the firewall.
That makes it much easier to maintain things, once you get the hang of it (and have a good naming convention).

I can understand the utility of having the list-of-lists feature so you can define a list which contains other lists as members, I sometimes have multiple lists containing the same addresses in different combinations, and that could be cleaned up this way.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

NV2 - increase NV2 client scan-for-AP b4 connect to AP

Wed Sep 05, 2018 10:47 pm

NV2 - increase NV2 client scan-for-AP b4 connect to AP


I need/want a longer nv2 client scan time prior to an nv2 client connecting to an nv2 AP (a new setting would be nice for nv2 scan time before connecting to a nv2 AP)

The wireless AP environment:
- The small town/city I am in has 20+ nv2 APs (soon to be 40+ APs)
- All nv2 APs are the same SSID
- nv2 APs do NOT receive near-equal nv2 client connection counts.
- almost 400 nv2 wireless clients
- sustained customer bandwidth during peak periods is always more than 325 meg

The problem:
- Almost always , nv2 wireless clients will connect to APs that are the lowest frequencies in the scan list
- Very often , nv2 wireless clients are not connecting to the best/strongest nv2 APs that are in the upper frequency part of a client nv2 scan list
- This mostly results in an unbalanced nv2 AP customer-connected-load (where lower frequency APs normally take 80+ percent of all nv2 client connections).
- nv2 APs in the upper part of wireless nv2 client scan lists often only get 20 percent of all clients (the other 80 percent always favor lower frequency APs in the scan list)

Info - I believe that nv2 clients have a limited scan time prior to the nv2 client making a decision on what nv2 AP to connect to. I believe the client scan period needs to be extended/lengthened by about 250 percent longer. With a longer client nv2 scan time-period, nv2 clients searching for a nv2 AP can then choose the best nv2 AP to connect to instead of the lowest-frequency first-found nv2 APs.
If all nv2 clients could fully scan everything in the full (superchannel) nv2 scan list, then all APs would be better client-connect balanced -and- the entire nv2 network could run much faster because the lower frequency APs would not be saturated with nv2 client connections.

Mikrotik , is it possible to add a feature (optional setting) for nv2 clients to have more time to perform a nv2 client scan prior to connecting to an nv2 AP ?

I really like Mikrotik's hybrid version of TDMA ( nv2 ) , however the nv2 client scan time has always been a problem. Unlike 802.11 or nstream, nv2 clients do not background scan for better APs to connect or roam to. All client nv2 connections want to stay connected to the original nv2 AP they first connected to. Longer nv2 client scan times would at least get equal client-connect loads distributed evenly among all nv2 APs of equal signal strength found in the client nv2 scan list.


North Idaho Tom Jones
 
WirelessRudy
Forum Guru
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: NV2 - increase NV2 client scan-for-AP b4 connect to AP

Thu Sep 06, 2018 2:44 pm

NV2 - increase NV2 client scan-for-AP b4 connect to AP

Unlike 802.11 or nstream, nv2 clients do not background scan for better APs to connect or roam to. All client nv2 connections want to stay connected to the original nv2 AP they first connected to. Longer nv2 client scan times would at least get equal client-connect loads distributed evenly among all nv2 APs of equal signal strength found in the client nv2 scan list.


North Idaho Tom Jones
Tom:
As far as I know nstream and 802.11 also cannot do a background scan and then connect/roam to the best signalled AP. The background scan is possible, but only to 'see' what is out there. The client stays connected to what it was. So it's only a manual tool the operator can use, which in NV2 indeed is not even available. But correct me if I'm wrong! Maybe you have some script that forces the CPE to switch to another AP when that other one has better signal?

Second; I agree on the scan 'low frequencies first'. I observed the same when running a scan or when I have a CPE that is allowed to connect to two or three different AP's (Even with different SSID's). If both frequencies come with roughly the same strength the low ones are picked up first and if allowed used to connect.

But why have free roaming clients to start with? If you are using NV2 I'd presume all your clients are fixed installations? Like we have.
I just make sure all clients that have the option to connect to 2, or 3 different AP's it connects to the best one upon my decision as an operator.
Because I know what the average usage is on each AP.
So if I have 2 options for a client to connect to, I'd look to which AP gives the best signal and pick that one. But if signals are good for both AP's I decide to make it connect only to the one with the best P2MP network. And here comes the amount of connected CPE's as well the signals they all have in consideration. I know how the AP's perform in general.
So I'd balance the client load more based upon my insight as network operator, which usually beats any automated process. (Don't forget that most data that could be used in an automated decision making process is variable anyway. Signals vary, traffic varies, which clients are generating traffic varies, etc.)

As soon as the decision is made, that specific client will be added into the 'access list' of that preferred AP, and that same preferred AP will be added as first listing in the 'connect to' list of the CPE.
I might have both units (AP + CPE) know about the other, but in the AP's 'access list' only in a 'disabled' function. So only in case AP1 goes down, I still allow the CPE to connect to AP2 so at least we can still serve the client. (Most of the time we disable the alternative 'connect to' listing because the setback is that when we do an upgrade on AP1 the client jumps to AP2. After that we can upgrade AP2 so the client jumps back, but for some clients it might be the other way around. And sometimes you just need to reboot an AP and I don't want that kind of client to jump to the alternative AP.)
This is all manual work. MT units are pretty reliable so it happens rarely we have to make use of a 'backup AP' because one AP goes down.

A semi-automated process as you suggest is, imho, hardly achievable. Even if CPEs would automatically populate APs in a more balanced way by number of associated clients per AP, it still doesn't mean you really balance the load on an AP. It is still pretty much to be expected that one AP has much more traffic than the other. And that varies between those APs too...
The client would best be connected to an AP with little (overall) traffic rather than one with high traffic even with only a handful of clients.

I think the experience of the operator is a much better decisive tool than any automated process performed in these little intelligent devices.
We set everything manual and in 98% of the case we never have to adjust or change the client's CPE preferred AP any more...
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Thu Sep 06, 2018 6:06 pm

Wireless Rudy

Thanks for your reply post

Re: Maybe you have some script that forces the CPE to switch to another AP when that other one has better signal?
I don't have a client script to do this. I am not that good of a programmer. However, I think a client boot-up script could first scan and then select the best AP and modify the scan list for the best AP. And upon failure, re-scan and select the 2nd best AP, and upon failure to connect to any AP in the site-survey, then fall back to the default (or custom configured) scan lists.

Re: But why have free roaming clients to start with? If you are using NV2 I'd presume all your clients are fixed installations?
correct

Here is an example of a potential issue with many nv2 APs and many nv2 clients:
- let's say you have a bunch of nv2 APs and a bunch of nv2 clients (all using the same SSID)
-- You have the ability to update the client ROS versions (no problem here)
--- When you update the ROS on your bunch of nv2 APs , there is a problem. When you update an nv2 AP and reboot the nv2 AP, nv2 clients are then forced to re-scan & re-connect to a different AP. After your ROS updates of your bunch of nv2 APs, you end up with the majority of your nv2 clients connected to the nv2 AP that has been up the longest and few nv2 clients connected to your nv2 APs that are the most recent updated/rebooted AP. This forces the Mikrotik network admin to manually bounce weak nv2 clients off of some nv2 APs so that they can again reconnect.
---- Thus, with 20 nv2 APs, updating those APs in sequence of AP#1, then AP#2 through AP#19, AP#20, you will end up with the bulk of nv2 clients connected to lower # APs and fewer nv2 client connections to your higher # APs. Thus, it may well be worth it to have a nightly script fire off on all nv2 clients to auto-scan and re-distribute the client to AP connect loads. (my thoughts).
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests (ability to view wireless capabilities)

Thu Sep 06, 2018 6:37 pm

Re: Feature requests (ability to view wireless capabilities)

Is there a feature to see/view the capabilities of a wireless wlan ?
If not , then I would like to see a new feature to show the wireless capabilities and possible settings.

My issue, I have more than 1,000 nv2 client Mikrotiks. I currently use a Linux expect script to sequentially connect up to each client and perform some commands. The results of the commands are stored in a directory on my Linux machine (results-directory/IP-address-of-client-mikrotik). I am then able to grep the results-directory for pattern matches I am looking for and with this list, I am then able to obtain a client list of IP addresses I am searching for.

I am searching for a method to find all client Mikrotiks that are AC capable, and/or Ceee capable, and/or 2x2 capable. My problem is, I don't know the client wireless capabilities without actually attempting to configure the wireless interface. Thus, it would be a nice feature to be able to print the wireless capabilities without actually making wireless configuration changes.

North Idaho Tom Jones
 
Simono
newbie
Posts: 49
Joined: Tue Mar 20, 2018 9:41 am

Re: Feature requests

Thu Sep 06, 2018 7:58 pm

Address lists on Simple queue as target
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Feature requests (ability to view wireless capabilities)

Fri Sep 07, 2018 1:09 pm

Re: Feature requests (ability to view wireless capabilities)

Is there a feature to see/view the capabilities of a wireless wlan ?
If not , then I would like to see a new feature to show the wireless capabilities and possible settings.

My issue, I have more than 1,000 nv2 client Mikrotiks. I currently use a Linux expect script to sequentially connect up to each client and perform some commands. The results of the commands are stored in a directory on my Linux machine (results-directory/IP-address-of-client-mikrotik). I am then able to grep the results-directory for pattern matches I am looking for and with this list, I am then able to obtain a client list of IP addresses I am searching for.

I am searching for a method to find all client Mikrotiks that are AC capable, and/or Ceee capable, and/or 2x2 capable. My problem is, I don't know the client wireless capabilities without actually attempting to configure the wireless interface. Thus, it would be a nice feature to be able to print the wireless capabilities without actually making wireless configuration changes.

North Idaho Tom Jones
How about performing an IP / neighbor command on your main router (that should 'see' all units) and order by device type? You'll immediately see if a unit is 'n' or 'ac'. My antennas all have their designated AP in their name so I can then also set the filter and thus see in an instant which units are 'n' or 'ac' (and thus can do 80 MHz wide channel in 'ac') for each AP.
 
xxiii
Member Candidate
Posts: 234
Joined: Wed May 31, 2006 12:55 am

Re: Feature requests

Fri Sep 07, 2018 8:19 pm

Just ran into this issue today. Can't establish peering with a neighbor because of:

10:57:39 route,bgp,error Remote RouterId is not a valid unicast address: 247.255.0.240

ros 6.42.7
rfc 6286 - AS-wide Unique BGP Identifier for BGP-4 support for routerOS BGP.

it relaxes some strict definitions: routerid can be now an arbitrary 32 bit unsigned integer, while the older definition restricts it to "valid unicast address".
this breaks BGP compatibility with mikrotik devices right now if not taken into consideration.

in general you only need to remove the check that was required in rfc4271.

this needs to be worked out with IPv6-only devices where you don't have an IPv4 address to be used as bgp identifier.
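The two acceptance rules contrasted in the post above, as an added example that is not part of the post and is not RouterOS code. It parses the fixed part of a BGP OPEN message and applies both checks; the function names, AS numbers and the exact reading of "valid unicast address" are assumptions made for illustration, and the OPEN messages are constructed.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16   # RFC 4271 header marker, all ones
HEADER_LEN = 19         # marker (16) + length (2) + type (1)
OPEN = 1                # message type code for OPEN


def rid(text):
    """Dotted-quad router ID -> the 32-bit integer carried on the wire."""
    return int(ipaddress.IPv4Address(text))


def build_open(my_as, hold_time, bgp_id, opt_params=b""):
    """Encode a minimal version-4 OPEN message (constructed sample input)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, len(opt_params))
    body += opt_params
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), OPEN) + body


def parse_open(msg):
    """Return the fixed OPEN fields; raise ValueError if the message is malformed."""
    if len(msg) < HEADER_LEN + 10:
        raise ValueError("truncated OPEN")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg[:16] != MARKER or msg_type != OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", msg[19:29])
    if opt_len != len(msg) - 29:
        raise ValueError("optional parameter length mismatch")
    return {"version": version, "my_as": my_as,
            "hold_time": hold_time, "bgp_id": bgp_id}


def legacy_unicast_check(bgp_id):
    """Older rule: the identifier must look like a unicast IPv4 host address.

    Assumption: approximated here as "not 0.0.0.0/8, not multicast
    (224.0.0.0/4), not reserved (240.0.0.0/4)".
    """
    addr = ipaddress.IPv4Address(bgp_id)
    return not (addr.is_unspecified or addr.is_multicast
                or addr.is_reserved or (bgp_id >> 24) == 0)


def rfc6286_check(bgp_id, local_id, internal_peer):
    """RFC 6286 rule: any non-zero 32-bit value; a value equal to the local
    identifier is rejected only when the OPEN comes from an internal peer."""
    if bgp_id == 0:
        return False
    if internal_peer and bgp_id == local_id:
        return False
    return True


def evaluate_open(msg, local_as, local_id):
    """Apply both rules to one received OPEN and report the verdicts."""
    fields = parse_open(msg)
    internal = fields["my_as"] == local_as
    return {
        "router_id": str(ipaddress.IPv4Address(fields["bgp_id"])),
        "legacy": legacy_unicast_check(fields["bgp_id"]),
        "rfc6286": rfc6286_check(fields["bgp_id"], local_id, internal),
    }


if __name__ == "__main__":
    # Router ID taken from the log line in the post; AS numbers are constructed.
    peer_open = build_open(64513, 180, rid("247.255.0.240"))
    print(evaluate_open(peer_open, local_as=64512, local_id=rid("192.0.2.1")))
```

The identifier from the log line falls in 240.0.0.0/4, so the older check refuses it while the RFC 6286 check accepts it.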
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature requests

Fri Sep 07, 2018 11:12 pm

Just ran into this issue today.
opened a support request for it earlier today:

Ticket#2018090722004616
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Sep 13, 2018 3:26 pm

Please add the ability to authenticate with a ssh certificate in Winbox - thereby providing an alternative to passwords.

Yes, this is available for ssh, but lots of people (myself included) prefer using Winbox most of the time.
 
tnrclkr
newbie
Posts: 27
Joined: Tue Aug 25, 2015 8:36 am

Re: Feature requests

Tue Sep 18, 2018 3:47 pm

Advanced management for cap devices,

it would be great if I could change all my CAP devices' user password, port, service, interface status etc.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 18, 2018 9:23 pm

Stop the use of the bundle package, deliver the routers with the packages required for typical home router use:
advanced-tools, dhcp, ppp, security, system, wireless (the latter only on devices that have wireless) and most important:
add some method in system->packages to download and install packages selecting them from a list of available packages on the download server.

This will make it easy for everyone to add the packages they require, no need to download and unpack zip files and update part of them to the router.
The required files are already on the download server, because upgrade of a router with separate packages downloads only what is required.
Maybe an index file would have to be added and it would be downloaded when you click the new "add package" button.
A list of available packages is displayed, you select one or more of them and click "download&install" just as when upgrading.
 
anuser
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: Feature requests

Tue Sep 18, 2018 9:46 pm

Within Winbox I would like to see a "reboot button" within capsman for all CAP devices.
Reason: If you have 2 CAPSMAN controllers in active-active configuration, you have CAP devices on both controllers. If you upgrade one of them the CAPs use the other controller to connect to. But they won't connect back to their primary controller. So we need a simple "reboot" button after which they will connect to the primary one.
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Tue Sep 18, 2018 10:43 pm

One of the things I would like to see for all new ROS updates/upgrades is more information as to what the new/fixed features do.

Example - with the following two lines below - it is not clear what the problem was and what was fixed and what actually improved:

*) wireless - fixed wireless interface lockup after period of inactivity;
*) wireless - improved Nv2 reliability on ARM devices;

More information on new features & things fixed & things improved is almost always useful.

Even a URL in the upgrade menu for more information about the upgrade features/functions/fixes would be very much appreciated.

North Idaho Tom Jones
 
bennyh
Frequent Visitor
Posts: 69
Joined: Fri Mar 03, 2017 12:37 pm

Re: Feature requests

Wed Sep 19, 2018 3:17 pm

I didn't find it, but sorry if it exists.
There should be a new section, a table in webfig and in winbox for global variables with initial values.
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 20, 2018 4:30 am

A bit of fun - but a potential very useful tool …

Info - back in the late 1980s and early 1990s, early notebook computers did not have sound cards, however they usually had the PC-speaker (in this case a piezo speaker was normally mounted on the motherboard and used for the beep sounds), well back then there was a Windows piezo speaker driver that could be loaded which offered the ability to play anything that would come out of your normal sound card computer speakers.

Now thinking about Mikrotik routers with basically the same piezo speaker on the motherboard and 99 percent the same electronics, it could be a useful tool to be able to play a small sound file to/out the Mikrotik piezo speaker. Software PC-motherboard-piezo drivers to emulate sound cards have been available for almost 30 years.

I suspect all that might be needed would be an optional Mikrotik ROS package to drive the Mikrotik piezo to behave like a sound card speaker. The software drivers are already out there.

Now as to why this might be a useful, nifty, handy tool on a Mikrotik ... Rather than a script playing beeps of varying levels, a script could possibly just play a small sound file. This could come in handy for script files that beep messages. Instead, a Mikrotik could announce something you want to hear and a person could know about it right away rather than get an alert via another computer device. A WISP could possibly use something like this to play a sound file that contains "Warning - Internet WAN connection is down/up" and/or "Call your ISP tech support at phone number xxx-yyy-zzzz" and/or play any useful sound file such as "Wireless network information - new device connected using WPA2 encryption". The sound files could be small files with high compression which could fit in the flash file system.

Anyways, I think the ability for a script to play a sound file could be a very useful tool.

And to really totally show off your Mikrotik router (such as at a trade show or something) , then have it play full blown music out the piezo --- that would get everybody stopping by your booth.

I've used such tools on old notebook 16 MHz CPU computers with motherboard piezo speakers only and even watched full blown movies with the piezo speaker drivers hundreds of times , it works. If the Mikrotik motherboard hardware is already there then how about an optional ROS package to enable the piezo to do much much more.

North Idaho Tom Jones
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Thu Sep 20, 2018 5:59 am

A WISP could possibly use something like this to play a sound file ...
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature. :D
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 20, 2018 5:54 pm

A WISP could possibly use something like this to play a sound file ...
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature. :D
It would pretty much be a tool for what ever a Mikrotik admin might want/need. Also , because I am suggesting it be an optional package, it would not necessarily be pre-loaded on a fresh Mikrotik router. This optional package could potentially be a nifty tool when used with scripts (including netwatch) to provide audio/verbal information. Also , because I know this type of motherboard speaker driver works on old/slow 16 MHz 16-bit computers , it would not be a Mikrotik resource drain sucking performance away from L2/L3 throughput.
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 20, 2018 6:17 pm

Related to optional ROS packages …

Because ROS is Linux based (and many of us know Linux very well) -and- because Linux/Unix may be one of the top two popular operating systems of all time, I would like to ask Mikrotik to consider creating an optional developer package for ROS. Something that provides real programmer features and a compiler/cross-compiler which also includes an ability to make custom packages.

There are hundreds of small Linux developer motherboards out there already. Why not make a ROS programmer developer package. Who knows what the limits are for a RB ROS developer package ... A programmer could create custom drivers for PCI interfaces. Heck , I could see a possible use for a custom wireless/networked controller in many common things such as security systems, new additional drivers , hardware/interface/software/firmware support for use in all kinds of electric/electronic devices from heating & cooling systems, environmental systems and many everyday home/business devices already being developed using non-Mikrotik motherboards. I for one would tinker with it and see what useful devices I could create.

FYI - Did you know that Linksys released a full-blown Linux developer system with all of their Linksys source code and documentation for their Linux based wireless routers over 10 years ago (for free)? Where do you think DD-WRT came from (and many other systems) - and some of those operating systems derived/created from the Linksys developer system run on Mikrotik devices as a Virtual system right now ???

And also related to this post , when I started my WISP , I started out with 1,000 Linksys WRT routers running DD-WRT. I was very pleased with the DD-WRT Linux back then and it worked great.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Thu Sep 20, 2018 9:06 pm

Good luck with that. It doesn't seem to me that MikroTik is much for opening up. For example, according to developer of open-source MAC telnet, they don't even want to share details about new 6.43+ authentication, which is something that has no reason to be secret. And you want them to let you plug in your own code in their kernel...

But it could be nice. Even if it was something significantly more modest, just custom packages for strictly user-space non-root stuff. You could easily add custom services, simple web server, full-featured DNS server, UDP proxy, etc. Things that people sometimes want and MikroTik is not eager to implement. Combine it with some API to integrate own configuration interface for these things in WinBox/WebFig/CLI and it would be wonderful. But I'm not holding my breath.
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Sep 20, 2018 10:32 pm

Good luck with that. It doesn't seem to me that MikroTik is much for opening up. For example, according to developer of open-source MAC telnet, they don't even want to share details about new 6.43+ authentication, which is something that has no reason to be secret. And you want them to let you plug in your own code in their kernel...

But it could be nice. Even if it was something significantly more modest, just custom packages for strictly user-space non-root stuff. You could easily add custom services, simple web server, full-featured DNS server, UDP proxy, etc. Things that people sometimes want and MikroTik is not eager to implement. Combine it with some API to integrate own configuration interface for these things in WinBox/WebFig/CLI and it would be wonderful. But I'm not holding my breath.
How about the possibilities of a new wireless driver for Wireless chipsets? With a development package, a new wireless driver could be created (using all of the available Atheros chipset registers/settings) to make new high-performance high-throughput wireless drivers (such as a new/better nv2 'TDMA' system) that might way outperform the current Mikrotik proprietary hybrid TDMA (nv2). Or how about the tens of thousands of Linux drivers and applications/tools/utilities already freely available.

I think a development package would give the Mikrotik ROS the ability to enter other markets - more sales for Mikrotik in custom vertical markets. Even the US DOD could use this because they could then run their version of high-security high-encryption special-functionality because they could then control their code and what does what. (I've been down this road a few times in the past...)

EDIT - back in the 90s, I was part of a team that sold some custom very low power motherboards which supported special DOD software to control some battlefield devices and communications. Thanks to a software developer system, we were able to make $$$ millions in DOD sales of motherboards. With an optional Mikrotik ROS software developer package, new markets could be made available. A single order could potentially add many zeros to Mikrotik's $$$ income - ( I know - been there and did that !!! )
Last edited by TomjNorthIdaho on Thu Sep 20, 2018 11:10 pm, edited 2 times in total.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Sep 20, 2018 11:04 pm

I think MikroTik want to be in the market of selling relatively inexpensive hardware with a relatively powerful routing OS which is relatively easy to configure and which can be supported.
(all those parameters of course can vary a little and some may have different opinions about them than others)

It appears you want hardware with an open software environment. However, that is already widely available from other manufacturers.
(many network-oriented system boards are available from our Chinese friends and there is also a lot of Linksys-like hardware)

You can install Linux or OpenWRT and do everything yourself. However, it is difficult to support when everyone can add their own things.
Some other manufacturers have experimented with partly-open boxes (e.g. you enter some code and it becomes open, and you lose support).
But some of them have reverted that and now you cannot do that anymore without installing entirely your own software.
And you can already do that on MikroTik's hardware!

To be successful and make money you have to find some market where people want your product and you can manufacture and support it at reasonable cost.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Thu Sep 20, 2018 11:26 pm

I don't know, maybe there are people or organizations willing to make drivers for RouterOS (or port existing Linux drivers) and keep up with possible changes done by MikroTik, instead of just using completely free Linux and have everything under their control. I can't really say. Another matter is how attractive prospect it would be for MikroTik. If they like to be in control, it would end, because driver can do anything. For this, "my plan" (if we can call it that) seems more realistic, because even though they would lose some control, isolated package could not easily mess up whole system. It could also be interesting for more people, because dealing with drivers is not for everyone, but to compile some simple daemon, that could be done by almost anyone.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Sep 21, 2018 10:06 am

"my plan" (if we can call it that) seems more realistic, because even though they would lose some control, isolated package could not easily mess up whole system.
Yes it would certainly be nice to have user-mode daemons under isolated user IDs so they cannot mess with the MikroTik part of the system, but frankly I doubt that the infrastructure for that is currently in place.
I mean: probably now everything runs as root and there has been no attention to file and directory permissions for a long time, so first that would have to be prepared.
It would improve overall security and decrease the risk for vulnerabilities as we have recently seen when services would run as restricted users, but apparently the webserver runs as root (only Linux system where I have seen that for a long long time!).
Of course the CHR provides a way to look into that, maybe I will do some research now that we have a shiny new ESXi server with lots of spare capacity.
 
Dragonk
just joined
Posts: 1
Joined: Fri Sep 21, 2018 10:46 am

Re: Feature requests

Fri Sep 21, 2018 10:51 am

I join the request, I need a secure way to use NordVPN.

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
 
helipos
Member Candidate
Posts: 132
Joined: Sat Jun 25, 2016 11:32 am

Re: Feature requests

Mon Sep 24, 2018 2:23 am

There should be a new section, a table in webfig and in winbox for global variables with initial values.
System > scripts > environment (both winbox and webfig) ( it's only the current values however)

It would be nice to be able to properly append to text files. So we can get around the whole reading the file to another variable, adding what we needed and then writing the whole thing out again.
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature requests

Tue Sep 25, 2018 11:30 am

I join the request, I need a secure way to use NordVPN.

I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
Such a request is pretty useless. Define what you consider "complete". Which features are you missing?
 
bennyh
Frequent Visitor
Posts: 69
Joined: Fri Mar 03, 2017 12:37 pm

Re: Feature requests

Tue Sep 25, 2018 1:04 pm

Please fix webproxy with IPv6 sites.
It doesn't work; more people said in the forum that there is some problem with IPv6 sites through webproxy. Someone said only a direct IP address works in the URL (if the remote webserver accepts a direct IP address instead of the domain name).
I tried with the IPv6 address of IPv6-test.com, and I got the error message of the remote webserver ("these aren't the droids you're looking for").

IPv6 test webpage (http://testipv6.com/) results through proxy:
Test with IPv4 DNS record ok (2.023s) using ipv4
Test with IPv6 DNS record timeout (17.107s)
Test with Dual Stack DNS record ok (2.022s) using ipv4
Test for Dual Stack DNS and large packeto ok (3.011s) using ipv4
Test IPv4 without DNS skipped (3.118s)
Test IPv6 without DNS skipped (17.099s)
Test IPv6 large packet timeout (17.110s)
Test if your ISP's DNS server uses IPv6 ok (3.013s) using ipv4
Find IPv4 Service Provider ok (0.782s) using ipv4 ASN 8990
Find IPv6 Service Provider timeout (16.692s)
 
logicwrath
just joined
Posts: 5
Joined: Wed Nov 04, 2015 10:28 pm

Re: Feature requests

Tue Sep 25, 2018 11:39 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Sep 26, 2018 9:19 am

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
This can be done using scripting. The underlying mechanism in the kernel does not support a DNS name so it would have to be solved in a similar way.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Wed Sep 26, 2018 1:18 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
Isn't the support already here for some time?.. quite long time...
What's new in 6.33 (2015-Nov-06 12:49):

*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Wed Sep 26, 2018 4:48 pm

Yes, it's there, but only for remote address. Local address accepts only IP address.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Wed Sep 26, 2018 5:36 pm

Yes, it's there, but only for remote address. Local address accepts only IP address.
Why not just unset it? :)

What should router do if FQDN resolves to non-local address?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Sep 26, 2018 6:22 pm

Well, when you unset the local address, you cannot enable IPsec.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Wed Sep 26, 2018 6:47 pm

Good point. Then I vote for the ability to set local-interface instead of local-address, so that IP address from that interface got used automagically.

As a workaround, simple scripting does this job.
 
TomjNorthIdaho
Forum Guru
Posts: 1492
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Wed Sep 26, 2018 8:03 pm

Hey Mikrotik marketing staff …

I think Mikrotik should include a Mikrotik bumper sticker in every Mikrotik product box shipped from Mikrotik.

Guess I'll have to stick around and see what happens.

North Idaho Tom Jones
 
2jarek
Member Candidate
Posts: 151
Joined: Thu May 17, 2007 3:28 pm
Location: Poland

Re: Feature requests

Wed Sep 26, 2018 10:06 pm

Please add Multipath TCP according to RFC 6824.
 
scampbell
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Feature requests

Thu Sep 27, 2018 8:10 am

I would like to see an "add comment" feature on any rule that allows you to add an address to an address list so the created address list entry has info about why it was added.

e.g

/ip firewall filter
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=5d chain=input protocol=tcp dst-port=8291 address-list-comment="Winbox Attempt"
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Feature requests

Thu Sep 27, 2018 9:19 am

A few suggestions I'd love:

1) Line item groupings, specifically in firewall stuff - basically a completely empty 'rule' / line that's just a comment, stays in block when comments are set to inline. The workaround for this is setting dummy unmatchable rules or putting the comment on the first line in the block, but then I also like to comment all my rules, so having a 'header' comment stay in block and all the normal comments go inline would help organise firewall tables with heaps of chains/100's of rules etc.

2) Custom release cycle channel, basically to make it easier for the router you add custom, set a name to it and give it a URL, that URL might be a format that Mikrotik provide / documentation on how we should respond to the server to give it the latest firmware we want it to have. An example would be, I'm currently keeping my fleet of Routerboards on 6.42.x (mix of 5/6/7), as I haven't been able to test some of the bigger changes in 6.43.x, but some staff will just hit the check for updates and do updates that way, if we could have a custom release channel maintained by ourselves I could keep routers more inline.

There's plenty more but that's just some 'smaller' ideas I don't think would be too hard to implement.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Sep 27, 2018 9:32 am

I agree with the above two. In addition with #2 I would like to add the possibility to make the release channel refer to some URL on a local webserver that
has information about the releases to track. E.g. a single version, or a major/minor version (like 6.42.x). So the routers configured that way will upgrade
to a version you set on a central system and you can change it without having to go all along those routers.
E.g. you set a custom release channel with URL http(s)://server.local.domain/mikrotik-release which would return a small textfile with either a MikroTik
release channel name (current, bugfix or whatever) or a specific version (6.42.7) or version range (6.42.x) and you can change that as a result of your local
testing outcome and/or security announcements. Of course you can have several of those URLs internal to your organisation so you can test on a couple
of routers first.
This also covers the problem that "current" is suddenly updated by MikroTik but you don't want to jump to it immediately but wait a week or two, but still
want to update some routers from an even older version.
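A sketch of how the pin file proposed in the post above could be interpreted, added here as an example; it is not part of the post and not an existing RouterOS feature. The function names, the strict token grammar and the no-downgrade rule are assumptions, and the version lists are constructed.

```python
import re

# The pin file holds exactly one token: a channel name, a version, or a range.
_EXACT = re.compile(r"\d+\.\d+(\.\d+)?")        # 6.43 or 6.42.7
_RANGE = re.compile(r"(\d+)\.(\d+)\.x")         # 6.42.x
_CHANNEL = re.compile(r"[a-z][a-z0-9-]{0,31}")  # current, bugfix, ...


def version_key(text):
    """'6.42.7' -> (6, 42, 7); '6.43' -> (6, 43, 0). Numeric releases only."""
    if not _EXACT.fullmatch(text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_pin(body):
    """Classify the pin file body; anything else is rejected, not guessed at."""
    token = body.strip()
    match = _RANGE.fullmatch(token)
    if match:
        return ("range", (int(match.group(1)), int(match.group(2))))
    if _EXACT.fullmatch(token):
        return ("exact", version_key(token))
    if _CHANNEL.fullmatch(token):
        return ("channel", token)
    raise ValueError(f"malformed pin file: {body!r}")


def select_target(pin_body, running, available, channel_heads):
    """Return the version a router should install, or None to stay put.

    pin_body      -- text fetched from the internal pin URL
    running       -- version the router runs now
    available     -- versions whose packages can actually be fetched
    channel_heads -- newest version per vendor channel name
    Assumption: this sketch never proposes a downgrade.
    """
    kind, value = parse_pin(pin_body)
    by_key = {version_key(v): v for v in available}
    if kind == "exact":
        candidates = [value] if value in by_key else []
    elif kind == "range":
        candidates = [k for k in by_key if k[:2] == value]
    else:
        head = channel_heads.get(value)
        candidates = [version_key(head)] if head in available else []
    newer = [k for k in candidates if k > version_key(running)]
    return by_key[max(newer)] if newer else None


if __name__ == "__main__":
    available = ["6.42.6", "6.42.7", "6.43", "6.43.2"]      # constructed
    heads = {"current": "6.43.2", "bugfix": "6.42.7"}       # constructed
    for pin in ("6.42.x", "6.42.7", "current"):
        print(pin, "->", select_target(pin, "6.42.3", available, heads))
```

Rejecting every body that is not a single well-formed token keeps a damaged or tampered pin file from being read as an instruction to upgrade.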
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Thu Sep 27, 2018 11:51 am

Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" dir with CHANGELOG (any text you want to see) and .npk files. Done :)
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Sep 27, 2018 12:57 pm

Well in that case it would be nice when there was a custom setting that allows to configure another DNS name for the "upgrade.mikrotik.com" in a router.
Preferably two different settings: one for the LATEST file and another one for the actual npk files.
In that case one can choose to retrieve the LATEST file from a local server and still get the npk files from "upgrade.mikrotik.com".
(so it is not required to keep a complete mirror of those files)

But of course it should be possible to mimic that with a reasonably flexible "transparent proxy" (that allows some files to be served locally and the remainder to be proxied)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Thu Sep 27, 2018 1:26 pm

In that case one can choose to retrieve the LATEST file from a local server and still get the npk files from "upgrade.mikrotik.com".
(so it is not required to keep a complete mirror of those files)

But of course it should be possible to mimic that with a reasonably flexible "transparent proxy" (that allows some files to be served locally and the remainder to be proxied)
Yeah, in nginx you simply use try_files for your custom files on local server and proxy_pass to the original MikroTik server for the rest :)
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Feature requests

Thu Sep 27, 2018 2:02 pm

Please add:

MAC address lists
Port lists in Firewall
 
nicolasemmanuelc
just joined
Posts: 8
Joined: Fri Dec 01, 2017 1:25 am
Location: Argentina

Re: Feature requests

Thu Sep 27, 2018 4:44 pm

Hello!
Please add an option to do a "force cloud update" at a time interval; that is useful when you have a public dynamic IP.
And yes, I know that this can be done with a script, but it would be great and easy if we had an "auto update in X time" function!

MikroTik is great! Have a good day!
 
logicwrath
just joined
Posts: 5
Joined: Wed Nov 04, 2015 10:28 pm

Re: Feature requests

Fri Sep 28, 2018 9:22 pm

Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
Isn't the support already here for some time?.. quite long time...
What's new in 6.33 (2015-Nov-06 12:49):

*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
I should have provided more detail.

If you use an FQDN on the remote address, I suspect it then resolves it to an IP one time for the IPSec policy. There does not appear to be any kind of ongoing resolution of that FQDN. The support I am looking for would be compatible with the IPSec wizardry that is built into using the IPSec Secret field. The idea here would be to better support creating GRE/IPSec tunnels with dynamic IPs without resorting to scripting.
 
logicwrath
just joined
Posts: 5
Joined: Wed Nov 04, 2015 10:28 pm

Re: Feature requests

Fri Sep 28, 2018 9:31 pm

Please add:

MAC address lists
Port lists in Firewall
+1 for allowing MAC address prefixes in lists as well, for identifying entire classes of devices like VoIP phones.

We currently have a script that does this using the ARP table.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Sep 28, 2018 10:11 pm

+1 for allowing MAC address prefixes in lists as well, for identifying entire classes of devices like VoIP phones.
Having MAC addresses in a list would not be very useful for that. What you want is to match MAC address by prefix, usually by the first 3 octets (manufacturer).
It looks like you can now only match the full MAC address in rules; it should allow a partial address and match that from the left.
(of course this is already possible in the where clause in commands)
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature requests

Sat Sep 29, 2018 1:47 pm

Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" dir with CHANGELOG (any text you want to see) and .npk files. Done :)
So, updates work via plain HTTP? No encryption?

Shame!
