jvolkhausen
just joined
Posts: 5
Joined: Fri Apr 26, 2019 8:44 am

Re: Feature requests

Mon Mar 16, 2020 1:06 pm

Give the ability to secure firewall rules.
For remote systems it will be not good if the management firewall rules are deleted. For this reason I think it would be nice to have a feature to secure these rules in any way, like locking. For the first step it would reach the target to just secure the rule itself. The big shot would be to lock also the place in the firewall chain.
The workflow in my mind looks like this:
creation
- create rule
- lock rule

modify
- unlock rule
- modify rule
- lock rule

delete
- unlock rule
- delete rule
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Mar 16, 2020 2:13 pm

Give the ability to secure firewall rules.
I think it would be more useful as a limited-user capability where users can be created that have precisely
defined capabilities for each configuration item. (no access, read-only, add-only, modify, delete)
This is not limited to firewall.
This would allow ISPs that roll out managed routers to give their customers some limited capability that they
require, but not full access to the entire config.
 
SiB
Forum Guru
Posts: 1035
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Mon Mar 16, 2020 2:28 pm

To the last 2 answers.
In my opinion those changes are good but not a must. Proper comments with chain names and jump actions can create a proper tree of action in the firewall, and this "lock/unlock" is not that necessary.
About changes in the firewall, it would be better to note/log a change that we make inside ROS; currently the history is not useful when you make a few changes in one module, like the firewall.
From what will I know which rule changed with which back/undo command, when they are all the same in the system history?
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
I will be at MUMEUROPE Prague on ?? ?? 202?
 
normis
MikroTik Support
Topic Author
Posts: 24745
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature requests

Mon Mar 16, 2020 2:35 pm

Yes, RouterOS v7 has better command history, you will be able to see specific command that was executed.
No answer to your question? How to write posts
 
Chupaka
Forum Guru
Posts: 8474
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Mar 16, 2020 3:38 pm

For remote systems it will be not good if the management firewall rules are deleted.
Welcome to the Safe Mode :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Chupaka
Forum Guru
Posts: 8474
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Mar 16, 2020 3:44 pm

Yes, RouterOS v7 has better command history, you will be able to see specific command that was executed.
Just an example, that's cool:
 > /sys history print detail 
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/interface eoip remove bridge2 
    undo=
      /interface eoip add arp=enabled arp-timeout=auto disabled=no mac-address=\
          6A:F5:C8:E5:62:12 mtu=auto name=bridge2
    action="device removed" by="admin" policy=write time=mar/13/2020 14:06:52 
The only problem is... That was actually "bridge" interface, not "eoip" :D
> /interface/bridge/add name=brrr
> /sys history print detail      
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/interface eoip add name=brrr undo=/interface eoip remove *3 
    action="device added" by="admin" policy=write time=mar/16/2020 16:44:09 

 
mrz
MikroTik Support
Posts: 6130
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature requests

Mon Mar 16, 2020 4:19 pm

Thanks. If you find anything else strange with history, report it to support.
 
nimbo78
Frequent Visitor
Posts: 80
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature requests

Tue Mar 17, 2020 2:40 pm

Don't forget to add VRF for management interface!
+1
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Mar 26, 2020 1:45 pm

Please add extra parameter "regexp" (including NOT operator) to "/system logging" rules so you can specify a regexp on the logged message to be (not) matched before the specified action is taken.
Often there are many messages with exactly the same topics but widely different purpose, and some of the topics are quite verbose so one would want to see (or suppress) certain messages.

Also, it would be nice to have some way of triggering scripts directly from logging, e.g. a new "action" type "script" that executes a script for every logging item sent to that action.
 
neticted
Member Candidate
Posts: 129
Joined: Wed Jan 04, 2012 10:36 am

Re: Feature requests

Fri Apr 24, 2020 9:47 am

It is much of a struggle to protect the router from constant login attempts to its services that must be open to the public.
Handling it in the firewall is complicated, wastes resources and often cannot even be done in a satisfactory manner.

It would be great if MikroTik introduced a new script trigger called something like onLoginFail for all services that have a login. That would make it a very easy and efficient tool for admins to handle repeated failed login attempts.
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Apr 24, 2020 10:42 am

Yes indeed. But that would actually be one of the use cases I had in mind for the previous feature request I made (on Mar 26, 2020).
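The following is an added example by the editor, not code posted by anyone in this thread and not a RouterOS feature the thread says exists. It approximates the onLoginFail trigger asked for above, and the log-triggered script pe1chl asked for on Mar 26, with what RouterOS 6 already has: a scheduled script reads the in-memory log for the standard "login failure for user <name> from <address> via <service>" entries and puts any source seen at least three times into an address list that an input-chain rule drops. The list name login_blacklist, the threshold of 3, the one-minute interval and the one-day timeout are assumptions made here.

```routeros
# Added example, not from the thread. Assumed: RouterOS 6.x log lines of the form
# "login failure for user <name> from <address> via <service>", a list named
# "login_blacklist", a threshold of 3 and a one-day block; adjust to taste.
/system script add name=login-fail-to-blacklist source={
    :local threshold 3
    :local listName "login_blacklist"
    :foreach entry in=[/log find where message~"^login failure for user"] do={
        :local msg [/log get $entry message]
        :local fromPos [:find $msg " from "]
        :local viaPos [:find $msg " via "]
        :if (([:typeof $fromPos] = "num") && ([:typeof $viaPos] = "num")) do={
            :local src [:pick $msg ($fromPos + 6) $viaPos]
            :if ([:typeof [:toip $src]] = "ip") do={
                :local failures [:len [/log find where message~("^login failure for user .* from " . $src . " via ")]]
                :if ($failures >= $threshold) do={
                    :if ([:len [/ip firewall address-list find list=$listName address=$src]] = 0) do={
                        /ip firewall address-list add list=$listName address=$src timeout=1d comment=("failed logins seen: " . $failures)
                        :log warning ("blacklisted " . $src . " after " . $failures . " failed logins")
                    }
                }
            }
        }
    }
}
/system scheduler add name=login-fail-check interval=1m on-event=login-fail-to-blacklist
/ip firewall filter add chain=input src-address-list=login_blacklist action=drop comment="sources with repeated failed logins"
```

The drop rule has to sit above whatever rules accept WinBox, SSH or API from the outside, so move it up in /ip firewall filter after adding it, and keep your own management host out of the list with an accept rule above it, otherwise a typo in your own password locks you out for a day. Because the same log lines are re-read every minute, the find before the add keeps the script idempotent; it also means the count only covers what the memory log still holds (1000 lines by default) and restarts with the router, so a slow attacker of the kind solar77 describes further down can stay under the threshold. The :toip guard skips IPv6 sources, which would otherwise make the add to the IPv4 list fail and abort the script; an /ipv6 firewall list would need its own branch.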
 
TomjNorthIdaho
Forum Guru
Posts: 1067
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

6 GHz a/n/ac 2x2 ( when ? )

Wed Apr 29, 2020 6:45 pm

6 GHz a/n/ac 2x2 ( when ? )

The FCC recently opened up the 6 GHz frequency range ( 1,200 Megahertz Of spectrum ) for un-licensed use.
The new unlicensed 6-GHz frequency range includes 5.925 GHz -through- 7.125 GHz.
Question - how soon will Mikrotik have products which will support 6-GHz a/n/ac 2x2 in the new frequency range of 5.925 GHz -through- 7.125 GHz ?

Ideally, I would love to see a Mikrotik wireless device/card with SuperChannel support from 4.8 GHz up through 7.125 GHz.

I desire to as soon as possible begin adding new FCC 6-GHz ( a/n/ac 2x2 ) APs/clients to my existing 5-Ghz networks. If Mikrotik is prompt with products to fulfill this new market, then I will stay with Mikrotik .

North Idaho Tom Jones
 
WeWiNet
Member
Posts: 434
Joined: Thu Sep 27, 2018 4:11 pm

Re: Feature requests

Wed Apr 29, 2020 8:18 pm

I would like to see so many things in RouterOS, but here is my list of what I think should happen:
  • Have DFS/radar detection log/counter since boot in 5Ghz wireless status tab
  • Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be possible to be used within RouterOS within queue trees, mangle rules, hotspot etc. Today one needs to define each time an absolute value for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare. If you could use percentages of that max value in those various places you could easily adapt to throughput change on your WAN side (like moving to a better LTE modem, adding another WAN link, or a fiber link) and your device would scale up without any other change.
  • More flexible scheduling, PLEASE. Not only one time per day but different times per day and on different days etc. It is already there in some parts of routerOS, so should be simple (I put that request in the wrong place in another post earlier)

And then yes some day finally Wifi Wave 2 features like band steering, but now I am starting to dream about paradise ... so forget this one... :lol:
WeWiNet

**
MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 (good!), Audience (better), Audience + Wap R ac LTE Hybrid DSL + LTE FWA (best :-) ) !!!
 
kiwistag
just joined
Posts: 13
Joined: Mon Jun 24, 2013 12:53 am
Location: New Zealand

Re: Feature requests

Sun May 10, 2020 1:36 am

3 differing requests that may become very useful
  • Within Winbox: Right click menu option for on an ARP record or DHCP Lease to quickly issue WOL request
  • Consider a GeoIP package allowing for firewall filtering by Country (a big ask I know, but there are good Linux resources for this - https://www.maxmind.com)
I know that the latter two may take some considerable resource to implement and are more practical on MMIPS, ARM and even Tile architectures; however, for the sake of IoT these days, the ability to remotely interface via USB into devices to program may be a large drawcard for purchasing Mikrotik routers in an untapped market.

Bevan
NZ
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun May 10, 2020 11:49 am

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun May 10, 2020 11:55 am

Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be possible to be used within routeros within queue trees, mangle rules, hotspot etc. Today one needs to define each time an absolute value for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare.
I think the queue trees should allow an additional form of rate configuration in the form of a percentage of the rate of the next higher level in the queue tree.
When the next level is an interface, there should be some options, e.g. default the negotiated interface rate, possibility to manually set a lower rate, and e.g. on a WiFi link also the possibility to track the actual datarate of the link as depending on link quality. or indeed a fourth option could be to set it to some name of a global variable where the value is taken. that would be the feature you request.
I recognize the pain of having to walk through entire trees when the top-level speed is changed. However I usually do it from commandline so larger numbers of items can be set all at the same time. Still a laborious procedure.
 
SiB
Forum Guru
Posts: 1035
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Wed May 13, 2020 11:59 pm

Add column TYPE who give us a result from :typeof $variable
 
emad1984
just joined
Posts: 1
Joined: Sat Jun 06, 2020 4:03 pm

Re: Feature requests

Sat Jun 06, 2020 4:05 pm

Please add Shadowsock / shadowsocksr to the vpn features.
 
TomjNorthIdaho
Forum Guru
Posts: 1067
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

WiFi 6 ( 6 GHz )

Tue Jun 09, 2020 2:33 am

WiFi 6 ( 6 GHz )

Yesterday I went into Costco ( a large everything store ). And guess what is on display as you walk in the store - a bunch of WiFi 6 wireless networking devices !!!

Emmmm, soooooooo ,,,, Where are any Mikrotik WiFi 6 WISP products ?

I need to start adding at least one-hundred WiFi 6 APs to my multiple tower networks then begin migrating a thousand or so 5 GHz customers to some WiFi 6 networks while the 6 GHz channels are still clear/clean , however ,,, there are no Mikrotik WiFi 6 products available.

How can Mikrotik not have any WiFi 6 products when the shelves in Costco are full of non-Mikrotik WiFi 6 products?

North Idaho Tom Jones
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jun 09, 2020 11:06 am

Add "usage counters" to static DNS entries and display them in the table.
These need to be in RAM only, no need to write back to flash.
 
muetzekoeln
Member Candidate
Posts: 165
Joined: Fri Jun 29, 2018 2:34 pm

Re: WiFi 6 ( 6 GHz )

Tue Jun 09, 2020 5:32 pm

WiFi 6 ( 6 GHz )
WiFi 6 is 2.4 and 5 GHz.
WiFi 6E includes 6 GHz.
 
millenium7
Member
Posts: 313
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Wed Jun 10, 2020 3:59 am

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. On all of our routers I'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to log in or establish VPNs from overseas, etc.
Ideally this would pull data periodically from a central MikroTik server similar to DDNS which would make it more effective than just using fixed address-lists
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel that's racist well.... that's your problem
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Jun 10, 2020 12:20 pm

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. On all of our routers I'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to log in or establish VPNs from overseas, etc.
Ideally this would pull data periodically from a central MikroTik server similar to DDNS which would make it more effective than just using fixed address-lists
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel that's racist well.... that's your problem
My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.

Do you want it to refer to the physical location of the system having that address, the citizenship of the owner of that system, or its network? Or of the system's user?
E.g. when you think "I only want to receive mail from people in Australia so I will block all mail from servers in other countries" but that will fail because people in Australia might (even unknown to themselves) have their mail server located in another country.

Similar for websites. "I want my users only to see websites from Australia" might look easy to do with such a list, but it isn't. The list will not refer to the content of the site, nor to the owner/operator of that site, but (at best) only to the physical location of the server. Which errs in both directions: reputable Australian sites may be hosted overseas, and overseas phishers/hackers might have their site physically located in Australia.

I don't know the situation in Australia, but here in the Netherlands we have MANY MANY networks that lookup as "country=NL" but really are operated by rogue hosters from anywhere in the world. So limiting my router logins to "only from NL" really brings me nothing but a false sense of security, as those ongoing portscans from the many foreign VPSes hosted in local datacenters here will just go through.
Furthermore, anyone can use a VPN (in the newfangled meaning) to have a source IP address in any country they desire.

And when you operate on a mobile network provided by a company that originates from outside of your country, it may well be that your external IP address is registered in another country too. Maybe not in Australia (due to its isolated topology), but certainly in other places.

Then, making something like this available as a standard feature where every operator can just click some selection list (even without knowing all of the above) is certainly not a good thing, in my opinion. But you can differ on that.

Firewall filtering is something that has to happen on-the-fly, so it has to use locally stored tables. However, services like a login or VPN connect could do an external query to determine parameters of the source IP address, and use the result to accept or reject the connection.
There are DNS-based country lookup services (you query a name like 1.2.3.4.somedomain.example.com for a TXT record and you get a reply with the AS number and country code of the specified address).
Maybe it would be good when login procedures would be able to do such queries (or allow calling a script where such customized queries can be made).
That would still have the disadvantages listed above, though.
 
msatter
Forum Guru
Posts: 1904
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Wed Jun 10, 2020 1:57 pm

Those lists can be obtained at mikrotikconfig dot com

Besides that you need to maintain a separate list with scanning IP addresses that are domestic or listed with the wrong country.

I am doing it myself since a few days because I got fed up with maintaining the separate list all the time. Now it is very quiet, and still the checkers come in preparing a scan.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.48beta48 / Winbox 3.27 64bits / MikroTik APP 1.3.15
 
doctorpangloss
just joined
Posts: 6
Joined: Thu Jun 11, 2020 1:07 am

Re: Feature requests

Thu Jun 11, 2020 1:19 am

Hairpin NAT should be enabled in Quick Set.
 
Jotne
Forum Guru
Posts: 1819
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Feature requests

Thu Jun 11, 2020 8:31 am

There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.
You may think so. Take an example. On your server you have a small web server for your local bicycle club. There users can get information about training times, when there are competitions, etc. Let's say someone from Australia is on vacation in Bali and wants to know when the training is for his son who is at home in Australia. Why should he not be able to do that?

Or your workplace has a proxy or headquarters in another country; he then could not open your local web server, since you blocked everything from outside Australia.

But if you have no webserver nor other services needed for any other, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
sindy
Forum Guru
Posts: 5941
Joined: Mon Dec 04, 2017 9:19 pm

Re: Feature requests

Thu Jun 11, 2020 12:50 pm

If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Jun 11, 2020 1:31 pm

So I don't know whether using discrimination per country is racist, but it is definitely useless.
My claim was: It is completely useless, and it tends to racism.
It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
That quickly slides towards racism.
 
solar77
Long time Member
Posts: 577
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Feature requests

Thu Jun 11, 2020 8:15 pm

A good firewall rule stops attacks, picks up the IP of the attacker, keeps it in your address list for as long as you want and blocks all future attacks from the same IP.
I'd like to see IP Cloud include a function so that we can all share these IP addresses. That would be nice!
MTCNA MTCTCE UEWA
 
mutluit
Forum Veteran
Posts: 758
Joined: Wed Mar 25, 2020 4:04 am

Re: Feature requests

Thu Jun 11, 2020 8:35 pm

So I don't know whether using discrimination per country is racist, but it is definitely useless.
My claim was: It is completely useless, and it tends to racism.
It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
That quickly slides towards racism.
Hmm. here is a counter use-case:
Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Jun 11, 2020 8:39 pm

Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
As I explained before, that is not going to work. Your own users may appear to come from another country.
 
solar77
Long time Member
Long time Member
Posts: 577
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Feature requests

Thu Jun 11, 2020 10:38 pm

Imagine you have a service for users from your own country only.
this was nearly my use case: a local WISP. At one point it was very tempting to do so, to fence off all failed authentications to our VPN service. Most of them are from one country.
However, I realized that we cannot just block connections from the rest of the world. One of my customers might want to travel :-)

We don't have a list of known IP addresses to allow. So I ended up logging 3 failed connection attempts, adding the source IP to an address list, widening it to a /24 and blocking the address list.
From the list, I can see the attacker jumps from IP to IP, different ranges; clearly blocking by country is not going to stop them at all.
Also they were clever enough to do this less frequently so they don't get caught. I had to increase the timeout at each stage as well.

I try to mess with them by using tarpit instead of drop. Making their life slightly more difficult. :lol: 8)

Again, a platform for Mikrotik users to share these IP addresses would be useful.
 
Jotne
Forum Guru
Posts: 1819
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Feature requests

Thu Jun 11, 2020 10:48 pm

Hmm. here is a counter use-case:
Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
And as I did write, how to access these services if the user are out travelling in another country?
If I would like to surf from an Australian address, I could use "Hola Free VPN" and bypass your country rule.
 
 
millenium7
Member
Posts: 313
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Fri Jun 12, 2020 3:25 am

My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.
You are WAY overthinking this. It's really as simple as an address list generated from IANA that says i.e.
1.x.x.x/8 = Belongs in USA.
2.1.x.x/16 = Belongs to Belaruse
3.x.x.x/8 = Australia
etc etc
Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up. But behind the scenes this is done by simply enabling an option in a firewall rule that says i.e. "Country!=Australia" and it uses all the known prefixes residing inside Australia. Done behind the scenes, and ideally periodically updated so you don't have to run scripts to manually pull the latest IANA data

This is no different to what many other countries do with geoblocking of services. I have zero interest in making 100% absolutely damn sure that the 'user' is in Australia. If they have an overseas IP, are using a VPN etc, not my problem. This is a broad sweeping rule that will catch a significant number of attacks, it's not about ensuring we definitely have someone physically located in Australia, don't care
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.
You may think so. Take an example. On your server you have a small web server that is for you local bicycle club. There user can get information about training times, when there are competition etc. Lets say a someone from Australia is on vacation in Bali and wants to know when the training is for his son that are home in Australia. Why should he not do that.

Or your work have an proxy or head quarter in an other country, he the could not open your local web server, since you blocked all from outside Australia.

But if you have no webserver nor other services needed for any other, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.
That would not be an 'input' chain, that would be forward chain, so the rule would not block traffic going to a server that resides behind the router. Only traffic directly destined to the router itself would get blocked
The specific conditions of each person can be taken into account by either adjusting firewall rules to the companies needs, or just not using the country filter......... amazing concept I know. But for us, we 100% absolutely have zero need for allowing overseas connections directly to our routers. Now if we need to get a consultant in, or someone goes overseas or we have some special purpose we can always go ahead and just add a more specific 'accept' rule above the general country filter. Until this, this 1 rule would reduce our attack footprint massively
If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.
It isn't useless. It's not about 100% perfect security either (such a thing doesn't exist). It's just about reducing the broader attack spectrum. In the same way most people move the default Winbox port off 8291 to something else; that isn't 100% effective, so therefore it's a useless feature? May as well not have it?
Why do people block port scans? That's not a guarantee of anything either....
If 1 very simple rule reduces the attack vector by 90% then how is it useless..... the other 10% can still be handled as normal anyway. Heck, if nothing else it's a performance boost, anything overseas gets dropped in the first couple of rules without processing further
 
Jotne
Forum Guru
Posts: 1819
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Feature requests

Fri Jun 12, 2020 10:33 am

That would not be an 'input' chain, that would be forward chain.
Then I see what you do wrong. There should be no input rules coming from the outside using the input chain. VPN is the way to go if you need to access services on the router.

If you can not use VPN to manage your router, follow this:

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. If possible setup the remote router to connect using VPN to an admin site.
8.++++

For 4: you can allow only one IP to manage your system if you need.

Then you can administrate your router from where you like, with better security.
Using a country-based access list only limits the number of hack attempts on your system, nothing more.

PS I have an access list that blocks an IP for 24 hours if they try one port on my system that is not open. This blocks most of the automatic scripts running out there.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
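As an added example, not Jotne's configuration and not code from this thread, here is one way to put steps 1, 2 and 4 of that list plus the 24-hour trap from the PS into a RouterOS 6 firewall. The names are assumptions made for the example: an interface list WAN holding ether1, a fixed admin source 192.0.2.10 (a documentation address, constructed for the example), WinBox moved to 18291, and a two-packet knock on TCP 1234 then TCP 4321.

```routeros
# Added example, not from the thread. Assumed names: interface list "WAN" with
# ether1 in it, admin source 192.0.2.10 (documentation address, constructed),
# WinBox moved to 18291, knock sequence TCP 1234 then TCP 4321.
# Paste this in Safe Mode (Ctrl-X in the terminal) on a remote router, so that
# losing the session rolls the change back instead of locking you out.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# step 1: move the management port and switch off services nobody uses
# (the regex also catches api-ssl and www-ssl; re-enable what you actually need)
/ip service set winbox port=18291
/ip service disable [find name~"^(telnet|ftp|www|api)"]

# step 4: the one address that may always manage the box
/ip firewall address-list add list=admin_hosts address=192.0.2.10 comment="fixed admin source"

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=!WAN action=accept comment="LAN side is trusted here; tighten if it is not"
add chain=input in-interface-list=WAN src-address-list=blacklist action=drop comment="trap hits, blocked for a day"
add chain=input in-interface-list=WAN protocol=icmp limit=10,5:packet action=accept
# step 2: port knocking, two SYNs within 15 s open management for one hour
add chain=input in-interface-list=WAN protocol=tcp dst-port=1234 action=add-src-to-address-list address-list=knock_stage1 address-list-timeout=15s
add chain=input in-interface-list=WAN protocol=tcp dst-port=4321 src-address-list=knock_stage1 action=add-src-to-address-list address-list=knock_ok address-list-timeout=1h
add chain=input in-interface-list=WAN protocol=tcp dst-port=1234,4321 action=drop comment="knock packets stop here and never reach the trap"
add chain=input in-interface-list=WAN protocol=tcp dst-port=18291,22 src-address-list=admin_hosts action=accept
add chain=input in-interface-list=WAN protocol=tcp dst-port=18291,22 src-address-list=knock_ok action=accept
add chain=input in-interface-list=WAN src-address-list=admin_hosts action=drop comment="the admin source is never trapped"
# anything else aimed at the router itself from the WAN is a probe: remember it for 24 h, then drop it
add chain=input in-interface-list=WAN protocol=tcp connection-state=new action=add-src-to-address-list address-list=blacklist address-list-timeout=1d comment="closed-port trap"
add chain=input in-interface-list=WAN action=drop
```

Rule order is the whole point: established/related first, then the blacklist, then the knock stages, then the accepts, then the trap. The explicit drop for the two knock ports is there so the design does not depend on whether add-src-to-address-list continues to the next rule; without it a knock could land the knocker in the blacklist. Any public service the router itself terminates (an SSTP or OpenVPN server, for example) needs its own accept above the trap, otherwise its first SYN blacklists the client. The trap only matches TCP, and since a SYN can be spoofed, a third party can get an address of their choosing blacklisted for a day; that is why the admin source is exempted and the timeout is kept short. Safe Mode, which Chupaka pointed to earlier in the thread, is what makes trying this on a remote router survivable.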
 
 
pe1chl
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 11:09 am

It's really as simple as an address list generated from IANA that says i.e.
1.x.x.x/8 = Belongs in USA.
2.1.x.x/16 = Belongs to Belaruse
3.x.x.x/8 = Australia
etc etc
Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up.
I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better
when it had been done that way, but it hasn't.
LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible
to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for
the asia-pacific region. The list of blocks for Australia would have many thousands of entries no matter how you like that.

So the feature you request is nothing more than what you would get when you load the address list and use that in the firewall rules, and the only
thing you could expect here is that some native tool for loading the address list would have an easier time getting around the limitations posed
by scripting and the flash-wear caused by repeatedly loading static address lists.

I have asked before for extensions on the DNS-based loading of address lists:
- remove or at least increase the limit on the number of records returned for a DNS lookup when loading an address list item via a DNS name so longer lists like blocklists can be loaded this way
- add support to load "subnet" address list items e.g. by lookup of TXT records which contain subnets in the CIDR notation (1.3.3.0/24 for example)
(a DNS record type exists specifically for this, but it is experimental and probably not widely supported, TXT seems a safer bet)

With this in place, your request could be fulfilled by a DNS service (hosted by MikroTik or by another company or individual) that returns all
subnets for "australia" on some specific DNS lookup, and you could get your "security" by configuring that address list in your router and using it
in your firewall rules.
 
millenium7
Member
Posts: 313
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Fri Jun 12, 2020 11:52 am

I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better
when it had been done that way, but it hasn't.
LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible
to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for
the asia-pacific region. The list of blocks for Australia would have many thousands of entries no matter how you like that.
I am entirely aware of this, what I provided was clearly just an oversimplified example, I thought that was clear when I mentioned 'instead of having several thousand address list entries'
It's doing exactly the same job as manually adding them to an address list. But in a very simplified and clean way by just enabling 1 option and specifying countries. Ideally that is then dynamically updated
The alternative is entries need to be manually added to a MikroTik, that could be hundreds/thousands of routes especially if I want to do multiple things with multiple countries
Then I need another script running that updates this list automatically...... it's just really messy to keep everything updated and everything in sync.... when it could be a simple 1 tick-box operation instead.

Why are you guys not seeing the value in this? DDNS does a similar thing. It's entirely possible to script your own DDNS implementation but isn't it a LOT better just having a single tick-box in IP-Cloud? I know I sure appreciate that feature for when I need it. Do I use it all the time? no. Is it perfect with i.e. multiple gateways? no. Does it have a purpose though? Absolutely. So why are you so opposed to having a country feature?
I dunno, maybe you guys are right, because it's not an absolutely perfect implementation that works for absolutely everybody, it must be totally useless........
I don't use IPv6 on Mikrotik whatsoever, can I put in a request to remove it? because for me it's totally useless, therefore it must also be totally useless for everyone else.........
 
ahmedramze
Frequent Visitor
Frequent Visitor
Posts: 96
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ
Contact:

Re: Feature requests

Fri Jun 12, 2020 3:09 pm

Hello

Please can you upload all packages as separate files, so we can use the fetch command too; also, add an HTTPS certificate for the URL download.mikrotik.com.
Installing packages requires unzipping the file and uploading it again; at some sites we sometimes use a mobile network with a slow connection.


Regards.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 4:04 pm

I am entirely aware of this, what I provided was clearly just an oversimplified example, I thought that was clear when I mentioned 'instead of having several thousand address list entries'
It's doing exactly the same job as manually adding them to an address list. But in a very simplified and clean way by just enabling 1 option and specifying countries. Ideally that is then dynamically updated
The alternative is entries need to be manually added to a MikroTik, that could be hundreds/thousands of routes especially if I want to do multiple things with multiple countries
Then I need another script running that updates this list automatically...... it's just really messy to keep everything updated and everything in sync.... when it could be a simple 1 tick-box operation instead.
I hoped you would have understood by now that this is not possible because there is no simple attribute on a packet that indicates it is "from Australia" so such filters can only work with that address list of thousands of entries in place.
I stop this useless discussion, when you want to keep going on about how you think this could be implemented please post a separate topic so it can be kept outside of the "Feature requests" topic.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 4:07 pm

Please can you upload all packages as separate files, so we can use the fetch command too; also, add an HTTPS certificate for the URL download.mikrotik.com.
Installing packages requires unzipping the file and uploading it again; at some sites we sometimes use a mobile network with a slow connection.
The use of separate packages for part of functionality (like routing, advanced tools, PPP, etc) has been abandoned in v7. Everything is now in a single package except the truly special things like UPS monitoring.
So you will have to get used to loading the single routeros package that has all the things that you do not need.

The separate package files (for v6) are already available for download from upgrade.mikrotik.com via fetch, you only need to figure out the URL.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1067
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Fri Jun 12, 2020 7:38 pm

Blocking countries and remote bad/rogue locations - ( related information )

If you use PfSense , take a look at the package "pfBlockerNG-devel".
My multiple core network routers are a mix of Mikrotik and PfSense routers/firewalls/NAT. The optional PfBlocker on PfSense allows you to block by country and/or use multiple Internet list servers to auto download/update bad IP addresses on the Internet. I have a syslog server that receives firewall logs from my Mikrotik and PfSense firewalls. My syslog server then auto creates a custom block-list that my other PfSense routers/firewalls will also use. So if one PfSense firewall blocks something, that IP address will auto propagate to my other PfSense firewalls. This works well because when somebody is scanning your network searching for vulnerabilities, it only takes one PfSense firewall hit to redistribute the new firewall rule list to all other PfSense firewalls. Default pfBlockerNG can use IP lists and DNSBL lists freely available, and you can even create your own custom lists for other PfSense firewalls to use.

I have found many infected computers on some of the networks I manage simply by looking at my syslog. When you see repeated never-ending attempts from a computer in your network trying to connect to ( China or other sometimes rogue locations), then it is a fair bet that you may want to further inspect/scan that local computer on your network.

I don't know if something like pfBlocker is possible on a Mikrotik, but if it were then I would be very interested in testing it out.

North Idaho Tom Jones
 
Sob
Forum Guru
Forum Guru
Posts: 6081
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sat Jun 13, 2020 1:01 am

So why are you so opposed to having a country feature?
Remember, you don't need to convince anyone in this forum, just MikroTik. Non-technical reasons and users' business decisions aside, the first question is what exactly MikroTik should provide. I see a big difference between just support for something and providing all the data.

For example, in the past I played with MaxMind's GeoIP database (no, I didn't block anyone), which is a periodically updated database with IP to country mapping. They even had an iptables module for it. Adding support for something like that should be a relatively simple one-time thing. Providing such a database themselves, keeping it updated and everything, that's much more work and may not be worth it for MikroTik.

I don't care about countries myself, but it could be interesting if it were something more generic. Assuming that working with a static precompiled database is faster than with address lists (I guess it could be, I didn't test it, but it would be interesting to know), it could be useful for any kind of large (semi)static lists. Not only could it be faster (maybe), but updates could be done by simply downloading and replacing one file, instead of scripting address list updates or abusing DNS, etc.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8474
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Sat Jun 13, 2020 7:14 pm

Regarding those GeoIP databases... Ten years ago I had to contact MaxMind because the ISP I was working for leased two /24 PA blocks from a Czech company, and MaxMind (well, together with many other services, but they are among the biggest ones) had been ignoring this fact for years. They told us they don't read all the changes, so most small ISPs are treated as their aggregated IP block by default. Only after that (about a month later) our clients started to be identified as coming from Belarus, not the Czech Republic.

Nowadays, when IP space is exhausted, more and more leasing happens, so today the problem can be even bigger.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1819
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Feature requests

Sat Jun 13, 2020 10:13 pm

This just adds more to why blocking by country is not a good thing. The quality of such a service would never be high and you can bypass it using a proxy/VPN. It looks like millenium7 would like this to protect the input chain that is used to admin the router. A VPN should give the needed security.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1067
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Put Dude ports 2210 and 2211 in IP-Services where it belongs ( RESOLVED )

Fri Jun 26, 2020 3:57 am

*** RESOLVED *** ( it works like it is supposed to. This post was an error asking a question. There is no issue ) *** RESOLVED ***

Put Dude ports 2210 and 2211 in IP-Services where it belongs

Currently , IP->Services has a field "Available From"
This functions with api , api-ssl , ftp , ssh , telnet , winbox , www , www-ssl
These services can be turned off/on and/or blocks of IP-networks can be used for each service.

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
Yesterday , I counted 4-thousand "winbox/dude" connect logs. And I know it's not winbox because I IP-Services limit what IP blocks can connect using winbox , so it has to be dude !

I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.

Also - it might be a good idea to add ICMP to the IP-Services section

North Idaho Tom Jones
Last edited by TomjNorthIdaho on Fri Jun 26, 2020 7:55 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 11:15 am

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!
But you can just handle them in the input firewall, right? That is where I regulate the other services as well, when they are enabled.
A subnet limitation in the service still allows connecting to the service, which then refuses to serve you, but an input firewall rule entirely protects it.
(and can be more advanced than just checking for source subnet)
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1067
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:00 pm

Put Dude ports 2210 and 2211 in IP-Services where it belongs

Currently , IP->Services has a field "Available From"
This functions with api , api-ssl , ftp , ssh , telnet , winbox , www , www-ssl
These services can be turned off/on and/or blocks of IP-networks can be used for each service.

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
Yesterday , I counted 4-thousand "winbox/dude" connect logs. And I know it's not winbox because I IP-Services limit what IP blocks can connect using winbox , so it has to be dude !

I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.

Also - it might be a good idea to add ICMP to the IP-Services section

North Idaho Tom Jones
Never mind - I got an email that says Dude uses the same ports as Winbox.
So what traffic is on 2210 and/or 2211 ?
And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:19 pm

And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
When you do not like that, add a firewall rule (probably with address list) for the filtering.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1067
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:50 pm

And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
When you do not like that, add a firewall rule (probably with address list) for the filtering.
Again - thank you for your prompt reply(s) to my questions :)
I guess I was not understanding the sequence "service accepts the connection then drops it and logs" , I wrongly thought it was "don't accept the connection".
Question - Am I correct to assume for IP-Services ssh, telnet, http, https api … Is it also "service accepts the connection then drops it if not allowed" ( aka accept the connection , check access-list, then drop if not allowed - if allowed then continue the service connection) ?
Mikrotik - I love your products and your highly knowledgeable team.

Thank you

North Idaho Tom Jones
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 8:12 pm

Question - Am I correct to assume for IP-Services ssh, telnet, http, https api … Is it also "service accepts the connection then drops it if not allowed" ( aka accept the connection , check access-list, then drop if not allowed - if allowed then continue the service connection) ?
Yes, that is how it works. In Linux this is called "TCP Wrappers" with their associated config files "/etc/hosts.allow" and "/etc/hosts.deny". It sits between the listening TCP port and the daemon that runs the connection, it first accepts the connection (or rather the kernel does that), looks up the source network in those files, and if not allowed it just closes the connection again. This whole thing was invented before firewalls were available in operating systems.
You can observe this yourself when you use telnet.
 
Retral
newbie
Posts: 31
Joined: Wed Jul 25, 2018 9:10 pm

Re: Feature requests Winbox Optimization

Sun Jun 28, 2020 4:11 am

Hey I'd like to throw these ones out there.
Can you make the menu in Winbox collapsible to where it's just a column of icons?
I think it would be a great asset to anyone wanting to squeeze every inch out of their screen(s) real estate.

Optimize the re-opening of Winbox. Often I find when I make changes to rules inside different areas like the firewall I'll have the inner window randomly resize on me. When I close and re-open Winbox it has a habit of auto changing its zoom level, which mangles up the inner windows.

Give us the ability to make the options we check off in the torch default for the next time a torch is opened and give us the option to turn it off if we want.
 
ivicask
Member Candidate
Member Candidate
Posts: 260
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Feature requests

Sun Jun 28, 2020 9:00 pm

Not sure if it was asked, but can we get an option to specify multiple address lists inside a single firewall rule?
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1819
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Feature requests

Sun Jun 28, 2020 10:48 pm

option to specify multiple address lists inside a single firewall rule?
You can make a jump rule and add multiple rules to it, all with an address list. Not exactly the same, but should work.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
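As an added example (not configuration posted by anyone in this thread), this RouterOS fragment puts together pe1chl's advice to filter management services in the input chain rather than relying only on the IP->Services "Available From" limit, and Jotne's jump-chain workaround for matching several address lists in one decision. The list names, the sample networks and the use of WinBox's default TCP port 8291 (which, as noted above, The Dude shares) are assumptions for this example.

```routeros
# Added example: protect WinBox (default TCP 8291, also used by The Dude) and SSH
# in the input chain. The IP->Services "Available From" limit still accepts the
# TCP connection and then closes it, producing the "denied winbox/dude connect
# from ..." log lines seen in the thread; a firewall drop happens before the
# service is ever reached. Networks and list names below are constructed.

/ip firewall address-list
add list=mgmt-office address=203.0.113.0/24 comment="constructed: office egress range"
add list=mgmt-vpn address=198.51.100.0/24 comment="constructed: admin VPN pool"

# Jotne's workaround for "multiple address lists in one rule": a dedicated chain
# that accepts on any of the lists and otherwise returns to the calling chain.
/ip firewall filter
add chain=mgmt-sources src-address-list=mgmt-office action=accept comment="mgmt from office"
add chain=mgmt-sources src-address-list=mgmt-vpn action=accept comment="mgmt from vpn"
add chain=mgmt-sources action=return comment="no list matched, back to input"

# Input chain: keep established traffic, send management ports to the check
# chain, then drop (and log) whatever came back without being accepted.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=tcp dst-port=8291,22 action=jump jump-target=mgmt-sources comment="winbox/dude + ssh"
add chain=input protocol=tcp dst-port=8291,22 action=drop log=yes log-prefix="mgmt-drop"

# Keep the service-level limit as a second layer, so a later mistake in the
# filter does not leave the service exposed on its own.
/ip service
set winbox address=203.0.113.0/24,198.51.100.0/24
set ssh address=203.0.113.0/24,198.51.100.0/24
```

On a router that already has an input chain, these appended rules land after the existing ones, so move them above any existing catch-all drop; afterwards the "denied winbox/dude connect from" messages stop and the remaining attempts show up under the mgmt-drop prefix instead.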
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Jun 29, 2020 11:31 am

It would be nice to have some additions from the ipset mechanism available as address list items.
- list:set would enable you to make an address list that has a couple of other address lists as members (and can implement the above request)
- counters would show a hit-count in an address list for each item (enabling evaluation of relevance of items in a list)
 
anuser
Member
Member
Posts: 484
Joined: Sat Nov 29, 2014 7:27 pm

Re: Feature requests

Sun Jul 05, 2020 9:49 am

Feature request: "Airtime Fairness" for Wireless, because it helps a lot when a huge number of clients is connected to one SSID and one of them is able to slow down the rest (take a look at https://www.smallnetbuilder.com/wireles ... l=&start=1)
 
eguun
newbie
Posts: 33
Joined: Fri Apr 10, 2020 10:18 pm

Re: Feature requests

Tue Jul 07, 2020 10:24 am

Hi,

as feature request, I would like mikrotik to have IPsec support of DH group 31 (EC25519)

Diffie-Hellman group 31 is EC25519 (Elliptic Curve 25519)

It's today the only undisputed secure Elliptic Curve algorithm.
And several competing products already support it (pfSense, OPNsense, Fortigate ...)
It's absent from Mikrotik supported protocols: https://wiki.mikrotik.com/wiki/Manual:I ... man_Groups and the Wiki is up-to-date.

Is there a procedure to formally request this support?

Reference RFC: https://tools.ietf.org/html/rfc8031

Thanks
 
opientka
just joined
Posts: 4
Joined: Wed Nov 13, 2019 12:09 pm

Re: Feature requests

Fri Jul 10, 2020 9:22 am

Hello Mikrotik,

here's another feature request:

Add support for LTE Devices to be controlled via CAPsMAN

Example Use case:
My company uses several smaller MikroTik routers (like hAP-AC²) spread over the whole campus as office desktop switches.
All of them share their WiFi hardware to a central CRS328-4C-20S-4S+RM, located in our Server Room, which is our CAPsMAN.
Two of the CAPs are also used to connect an LTE-USB-Stick to provide a backup internet connection over 4G/LTE mobile network.

It would be great if those USB sticks could be virtually relocated into the CAPsMAN, like the WiFi antennas of the CAPs.
Having LTE connected to the central Router/Gateway makes sense. But since CRS328-4C-20S-4S+RM does not have USB and the LTE-Signal inside the server room is really bad, it seems like a good idea to relocate those Sticks to a Desktop-Router, which is located next to a window.

Sure, it is possible to configure that router as a second gateway, but having it configured centralized within CAPsMAN would be a great benefit.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1035
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Fri Jul 10, 2020 10:51 am

Add support for LTE Devices to be controlled via CAPsMAN
No, it's a bad idea. USB sticks are detected and a dhcp-client is automatically created; you can do many fixes to your needs with scripts & schedulers.

You have a few other ways to do mass configuration, like ssh, scheduler & fetch, or .auto.rsc via ftp, which works with autostart...
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
I will be at MUMEUROPE Prague on ?? ?? 202?
 
Wyz4k
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 7:23 am

Can we get an option to add a reason for rebooting? For example /system reboot reason="upgrading to new ROS" and have that reason be stated in the next log?
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 18, 2020 11:09 am

When the reason for the reboot is an upgrade of ROS, the router already logs that...
Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?
 
Wyz4k
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 11:20 am

When the reason for the reboot is an upgrade of ROS, the router already logs that...
Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?
That's right yes. reason = "Shutting down because DHCP broken script triggered a restart."
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1819
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Feature requests

Tue Aug 18, 2020 11:22 am

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
Wyz4k
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 11:42 am

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
 
al3xeezer
just joined
Posts: 21
Joined: Thu Feb 27, 2020 11:46 am

Re: Feature requests

Tue Aug 18, 2020 12:35 pm

Would be very useful to have the src-address parameter available for /tool speedtest (as it is for fetch, traceroute, ping...)

Have you considered adding it?
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 18, 2020 4:26 pm

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.
 
Wyz4k
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 6:47 pm

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.
Yes, that would be a useful approach. Unfortunately I operate in an infrastructure-less environment where the configurations are built up and destroyed dynamically and as such we don't have a syslog server option.

Can I get a syslog server too? :D Yes I know dude has one, but a small one for normal routers would be nice.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1067
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Fri Aug 21, 2020 4:17 am

FYI - Reboots and logs.

- 1st; I don't use the Mikrotik native ( /system watchdog "Watch Address" ).
I do not like the way it behaves and it is not smart. Because it is not smart, it can/will trigger a reboot when everything is connected. When the default WatchDog detects a no-ping condition , it will auto-reboot ( even if the connection is restored prior to auto-reboot ).

- 2nd; I use my own WatchDog scripts.
My WatchDog scripts for a Mikrotik have configurable variables which include:
A - How often to perform a Watch-Dog test ping
B - How often to retry Watch-Dog test pings when something is down. It can retry test-pings for seconds or minutes or hours prior to forcing an auto-reboot.
C - Prior to a reboot, it will perform a wireless-site-survey and save the results in a file in the Mikrotik flash file system.
D - After a wireless-site-survey , it will again wait/retry Watch-Dog pings for an additional configurable time period.
E - Finally , when there is actually going to be a reboot, my scripts will write an additional file to the flash file system indicating the time/date/reason for the reboot.

I have used my Watch-Dog scripts for over 10 years now on thousands of Mikrotiks. It works and it works great. I can always find out when a Mikrotik rebooted and why - and a very big advantage is I don't need a remote syslog server.

Also - with these scripts , it's super easy to perform a site-survey on a remote client customer Mikrotik , then drag the site-survey file to your computer and open it to see the site-survey results. Comes in very very handy to see that the customer might have many wireless routers in their house on the same frequency or close to the frequency you are using to connect your customers. :)

For many years now, I have posted some of these scripts in the Mikrotik forums.
If you are an ISP or WISP , it is 100-percent worth your time/effort to do the same in your environment/business.

North Idaho Tom Jones
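As an added example (not one of Tom's scripts, and not a RouterOS feature), this script fragment does what Wyz4k's "/system reboot reason=" request asks for and what Tom's watchdog does before rebooting: it writes the reason into a file on flash, which survives the reboot even when no remote syslog server is available. The file name and the reason text are constructed for this example.

```routeros
# Added example: record why a script is rebooting the router in a file that
# survives the reboot. /system reboot has no "reason" parameter, and a log line
# written right before the reboot may never reach a remote log server.
# File name and reason text are constructed for this example.
:local reason "DHCP health-check script: no lease renewed for 30 minutes"
:local stamp "$[/system clock get date] $[/system clock get time]"

# "/file print file=<name>" creates <name>.txt on flash; it takes a moment to
# appear, after which its contents can be replaced with the text to keep.
/file print file=reboot-reason
:delay 2s
/file set [find name="reboot-reason.txt"] contents="$stamp $reason"

# Log it locally too, in case a remote log server does catch it in time.
:log warning "rebooting: $reason"
/system reboot
```

After the reboot, `/file print detail where name="reboot-reason.txt"` shows the timestamp and the reason written by the script that triggered it.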
 
dalami
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Mon Dec 12, 2011 9:18 am

Re: Feature requests

Sat Aug 22, 2020 12:06 pm

New request - add a new action to Firewall (probably under Filter)..."Run Script".

Possible horrible security hole? Of course - like anything else.

My first intended use case - via a port knock sequence, update the stored IP for an IPSec peer.

An alternative solution for this use case - allow IPSec peer definitions to be defined with an address-list parameter instead of only a fixed IP.

Another option - allow scripts to be triggered on an address-list change.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Aug 22, 2020 2:01 pm

That is technically not feasible, I'm afraid. Firewall rules are evaluated inside the kernel and they cannot call something in a user process.
The best that could be done is direct some matched traffic towards an NFLOG socket and then have a process listening there and executing the script.
But that still would mean the actual traffic is either passed or blocked depending on the firewall rule, not depending on the outcome of the script.
I'm not sure if that would be obvious to the average user. It would also likely require some complicated setup.

About the IPsec use case: I have requested before to have scripts called in Phase1 that could setup Phase2 policies. That is possible in racoon, but it appears that RouterOS is using FreeSwan/StrongSwan instead. I don't know if that software allows such scripts.
 
gutzeit
newbie
Posts: 26
Joined: Mon Feb 04, 2013 1:19 pm

Re: Feature requests

Fri Sep 11, 2020 7:17 am

Hello, please introduce support for RADIUS CoA for the DHCP server. This is required to change the Mikrotik-Rate-Limit. Thank you.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 15, 2020 11:56 am

I would like to see some classification options (filters) in the DHCP server, so that one can direct different device classes into different pools/networks.

E.g. the ISC DHCP server has a quite powerful mechanism for that, where you can define a "class" based on the DHCP request parameters (like vendor class identifier, DHCP requested options, MAC address, hostname etc), and then you can have different pools where each pool has a list of classes that can or cannot use that pool.
(you can have different allow and deny rules in each pool)

This would allow things like putting devices in another pool/network and thus have different attributes like access to internet yes/no, while they connect to the same physical network.
It would be a good start when it can filter on these attributes:
- vendor class identifier (a string)
- MAC address (a value and a mask)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8474
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Tue Sep 15, 2020 12:42 pm

- vendor class identifier (a string)
Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes
- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 15, 2020 2:29 pm

- vendor class identifier (a string)
Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes
Ok I was not aware of that. Indeed it is most like what I need except that I would like an extra match capability on MAC address/mask.
- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
But that is in fact one of the applications I have for it :-)
I want to give users with a local (random) MAC address (02:00:00:00:00:00/03:00:00:00:00:00) an IP address from a different pool where they will get a portal page that prompts them to set "device MAC" for this connection...
The reason for this is that I want to be prepared for a possible meltdown of the network when some manufacturer decides that it is best for privacy to change the MAC all the time, or when they bind it to AP MAC instead of SSID (we have 34 APs so that would cause mayhem in our network)

So this makes my feature request probably much easier to implement as the framework for doing this is already present. It becomes like:
- add capability for "dhcp vendor class" to match on MAC address/mask in addition to match on DHCP request class-id.
 
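The matching pe1chl asks for above (a MAC value/mask pair such as 02:00:00:00:00:00/03:00:00:00:00:00, optionally combined with a DHCP vendor-class string, steering a client into a different pool) can be shown in a few lines. The following is an added example, not code from the forum thread or from RouterOS: it evaluates an ordered rule list the way a DHCP classifier would, with first match winning. The pool names, the rule list and the "udhcp" vendor-class rule are assumptions made up for the illustration; only the 02/03 local-MAC value/mask pair comes from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def mac_to_int(mac: str) -> int:
    """Parse a textual MAC address into a 48-bit integer; reject anything malformed."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_matches(client_mac: str, value: str, mask: str) -> bool:
    """value/mask semantics: the client matches when (client & mask) == (value & mask).

    With value 02:00:00:00:00:00 and mask 03:00:00:00:00:00 only the two low bits of the
    first octet are inspected: bit 1 (locally administered) must be set and bit 0
    (multicast) must be clear, which is exactly a randomised unicast MAC.
    """
    m = mac_to_int(mask)
    return (mac_to_int(client_mac) & m) == (mac_to_int(value) & m)


@dataclass
class Rule:
    pool: str                            # pool the client is steered into on match
    mac: Optional[str] = None            # "value/mask" on the client hardware address
    vendor_class: Optional[str] = None   # substring of DHCP option 60 (class identifier)

    def matches(self, client_mac: str, client_vendor_class: Optional[str]) -> bool:
        if self.mac is not None:
            value, mask = self.mac.split("/", 1)
            if not mac_matches(client_mac, value, mask):
                return False
        if self.vendor_class is not None:
            if client_vendor_class is None or self.vendor_class not in client_vendor_class:
                return False
        return True


# Assumed rule set for the example (not a RouterOS configuration):
# 1. randomised (locally administered) MACs go to a portal pool,
# 2. clients announcing a "udhcp" vendor class go to an IoT pool,
# 3. everything else gets the default pool.
RULES = [
    Rule(pool="portal-pool", mac="02:00:00:00:00:00/03:00:00:00:00:00"),
    Rule(pool="iot-pool", vendor_class="udhcp"),
]
DEFAULT_POOL = "default-pool"


def classify(client_mac: str, client_vendor_class: Optional[str] = None) -> str:
    """Return the pool name for a DHCP client; first matching rule wins."""
    for rule in RULES:
        if rule.matches(client_mac, client_vendor_class):
            return rule.pool
    return DEFAULT_POOL


if __name__ == "__main__":
    # Constructed sample clients, not captured traffic.
    for mac, vc in [("da:a1:19:00:11:22", None),
                    ("00:0c:29:11:22:33", "udhcp 1.30.1"),
                    ("00:0c:29:11:22:33", None)]:
        print(mac, vc, "->", classify(mac, vc))
```

The mask is what makes the rule precise: a randomised address such as da:a1:19:00:11:22 has first octet 0xDA, whose low two bits are binary 10, so it lands in the portal pool, while a burned-in address like 00:0c:29:... (low bits 00) and a multicast-flagged address (low bits 11) both fall through to the later rules.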
mkx
Forum Guru
Forum Guru
Posts: 4733
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature requests

Tue Sep 15, 2020 4:01 pm

- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
But that is in fact one of the the applications I have for it :-)
Exactly. There are a few good use cases where client device MAC randomization doesn't make any sense and it's good to have some way to remind users to switch off MAC randomization for a particular SSID.
BR,
Metod
 
santyx32
Member Candidate
Member Candidate
Posts: 149
Joined: Fri Oct 25, 2019 2:17 am

Re: Feature requests

Tue Sep 15, 2020 10:19 pm

As a home user I request the following to Mikrotik:

Proper WiFi 5 Wave2 support for IPQ40XX and QCA9984 chipsets along with new WiFi 6/6E hardware.

Fq_codel queue type to be available on ROS.
11/10/2020 OpenWRT build download for hAP ac2: https://drive.google.com/drive/folders/ ... sp=sharing (don't forget to backup ROS license)

I'm the guy known as geminis3
 
davit1988
just joined
Posts: 1
Joined: Thu Feb 23, 2017 8:51 pm

Re: Feature requests

Fri Sep 25, 2020 7:00 pm

Can I have a link to the Feature requests for SWos

I am looking for feature of subnet mask default gateway on SWos software.

Without this feature it is impossible to manage/monitor a MikroTik device running on SWos from a different subnet. I am surprised it is omitted and is a major limitation.

Regards,
David

Network Engineer, CCNA
 
pe1chl
Forum Guru
Forum Guru
Posts: 6956
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 29, 2020 7:52 pm

Can I have a link to the Feature requests for SWos

I am looking for feature of subnet mask default gateway on SWos software.

Without this feature it is impossible to manage/monitor a MikroTik device running on SWos from a different subnet. I am surprised it is omitted and is a major limitation.

Regards,
David

Network Engineer, CCNA
You may be surprised as a network engineer, but SWos does not require this information!
You will find that when you access the switch from another network (reachable only via a gateway), that will just work, even without any subnet mask or gateway information.
Maybe it is an interesting study object to find out how it does that :-)
(it is described somewhere in the online manual, so don't look there first)
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1067
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

A Mikrotik 40-Gig switch is much needed

Wed Sep 30, 2020 1:03 am

A Mikrotik 40-Gig switch is much needed

I sure would like to see a Mikrotik switch with at least eight 40-Gig ports ( or even better yet a 16-port 40-Gig switch ) and also somewhere between two to 8 10-Gig ports ( and zero 1-Gig ports ).

I need some 40-Gig switches right now. We are currently in the process of changing our internal 10-Gig core switches to 40-Gig. If Mikrotik routers/switches had any 100-Gig interfaces , then I would be fork-lifting my core internal network ( routers & switches ) to a 100-Gig core network.

A 10-Gig core network is just not enough core network throughput these days.
I am getting ready to install a second 10-Gig BGP peering session (so two CHR 10-Gig BGP peering routers and a CHR 10-Gig core OSPF router just does not cut it).
Also my internal 10-Gig NFS/iSCSI network is already peaking at 10-Gig now and needs to also be upgraded to 40-Gig interfaces.
In addition, with an eight-port 40-Gig switch, I could then connect all of my VmWare ESXi servers at 40-Gig (I have several CHRs I also want to get talking on 40-Gig networks, but I need a 40-Gig switch first).

North Idaho Tom Jones
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8474
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Wed Sep 30, 2020 5:32 pm

viewtopic.php?p=818709#p818709

They semi-announced 100G in their newsletter :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
michaels
just joined
Posts: 8
Joined: Fri May 17, 2019 8:02 pm

Re: Feature requests

Thu Oct 22, 2020 8:30 pm

Feature requests IPv6 DHCP Relay - Prefix Delegation - create route

Currently (6.48beta48 and 7.1beta2) the relay does not create a route for the prefix.
Without the route on the relay router, the prefix is not reachable.

further description:
viewtopic.php?t=117283
viewtopic.php?f=2&t=97156
