 
jvolkhausen
just joined
Posts: 5
Joined: Fri Apr 26, 2019 8:44 am

Re: Feature requests

Mon Mar 16, 2020 1:06 pm

Give the ability to secure firewall rules.
For remote systems it will not be good if the management firewall rules are deleted. For this reason I think it would be nice to have a feature to secure these rules in some way, like locking. For the first step it would reach the target to just secure the rule itself. The big shot would be to also lock the place in the firewall chain.
The workflow in my mind looks like this:
creation
- create rule
- lock rule

modify
- unlock rule
- modify rule
- lock rule

delete
- unlock rule
- delete rule
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Mar 16, 2020 2:13 pm

Give the ability to secure firewall rules.
I think it would be more useful as a limited-user capability where users can be created that have precisely
defined capabilities for each configuration item. (no access, read-only, add-only, modify, delete)
This is not limited to firewall.
This would allow ISPs that roll out managed routers to give their customers some limited capability that they
require, but not full access to the entire config.
 
SiB
Forum Guru
Posts: 1863
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Mon Mar 16, 2020 2:28 pm

To the last 2 answers.
In my opinion those changes are good but not a must. Proper comments with chain-name with jump action can create a proper tree of actions in the firewall, and this "lock/unlock" is not that necessary.
About changes in the firewall: it would be better to note/log the changes we make inside ROS; currently the history is not useful when you do a few changes in one module, like the firewall.
How will I know which rule changed and which back/undo command to use, when they all look the same in the system history?
MTCNA + MTCRE + MTCINE | ~800 users at ~150 RouterBoards in EMEA
Knowledge Base about LTE by SiB | Buy me a caffe | Telegram: http://t.me/SiB_PL
 
normis
MikroTik Support
Topic Author
Posts: 25224
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature requests

Mon Mar 16, 2020 2:35 pm

Yes, RouterOS v7 has better command history, you will be able to see specific command that was executed.
No answer to your question? How to write posts
 
Chupaka
Forum Guru
Posts: 8676
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Mar 16, 2020 3:38 pm

For remote systems it will be not good if the managemend firewall rules are deleted.
Welcome to the Safe Mode :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Chupaka
Forum Guru
Posts: 8676
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Mon Mar 16, 2020 3:44 pm

Yes, RouterOS v7 has better command history, you will be able to see specific command that was executed.
Just an example, that's cool:
 > /sys history print detail 
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/interface eoip remove bridge2 
    undo=
      /interface eoip add arp=enabled arp-timeout=auto disabled=no mac-address=\
          6A:F5:C8:E5:62:12 mtu=auto name=bridge2
    action="device removed" by="admin" policy=write time=mar/13/2020 14:06:52 
The only problem is... That was actually "bridge" interface, not "eoip" :D
> /interface/bridge/add name=brrr
> /sys history print detail      
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/interface eoip add name=brrr undo=/interface eoip remove *3 
    action="device added" by="admin" policy=write time=mar/16/2020 16:44:09 

Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
mrz
MikroTik Support
Posts: 6601
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature requests

Mon Mar 16, 2020 4:19 pm

Thanks. If you find anything else strange with the history, report it to support.
 
nimbo78
Frequent Visitor
Posts: 80
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature requests

Tue Mar 17, 2020 2:40 pm

Don't forget to add VRF for management interface!
+1
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Mar 26, 2020 1:45 pm

Please add extra parameter "regexp" (including NOT operator) to "/system logging" rules so you can specify a regexp on the logged message to be (not) matched before the specified action is taken.
Often there are many messages with exactly the same topics but widely different purpose, and some of the topics are quite verbose so one would want to see (or suppress) certain messages.

Also, it would be nice to have some way of triggering scripts directly from logging, e.g. a new "action" type "script" that executes a script for every logging item sent to that action.
 
neticted
Member Candidate
Posts: 129
Joined: Wed Jan 04, 2012 10:36 am

Re: Feature requests

Fri Apr 24, 2020 9:47 am

It is much of a struggle to protect the router from constant login attempts to its services that must be open to the public.
Handling it in the firewall is complicated, wastes resources and often cannot even be done in a satisfactory manner.

It would be great if Mikrotik introduced a new script trigger called something like onLoginFail to all services that have a login. That would make it a very easy and efficient tool for admins to handle repeated failed login attempts.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Apr 24, 2020 10:42 am

Yes indeed. But that would actually be one of the use cases I had in mind for the previous feature request I made (on Mar 26, 2020).
 
TomjNorthIdaho
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

6 GHz a/n/ac 2x2 ( when ? )

Wed Apr 29, 2020 6:45 pm

6 GHz a/n/ac 2x2 ( when ? )

The FCC recently opened up the 6 GHz frequency range ( 1,200 Megahertz Of spectrum ) for un-licensed use.
The new unlicensed 6-GHz frequency range includes 5.925 GHz -through- 7.125 GHz.
Question - how soon will Mikrotik have products which will support 6-GHz a/n/ac 2x2 in the new frequency range of 5.925 GHz -through- 7.125 GHz ?

Ideally, I would love to see a Mikrotik wireless device/card with SuperChannel support from 4.8-GHZ up through 7.125 GHz.

I desire to begin adding new FCC 6-GHz ( a/n/ac 2x2 ) APs/clients to my existing 5-GHz networks as soon as possible. If Mikrotik is prompt with products to fulfill this new market, then I will stay with Mikrotik.

North Idaho Tom Jones
 
WeWiNet
Long time Member
Posts: 586
Joined: Thu Sep 27, 2018 4:11 pm

Re: Feature requests

Wed Apr 29, 2020 8:18 pm

I would like to see so many things in RouterOS, but here is my list of things I think should happen:
  • Have a DFS/radar detection log/counter since boot in the 5 GHz wireless status tab
  • Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be possible to use within RouterOS in queue trees, mangle rules, hotspot etc. Today one needs to define an absolute value each time for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare. If you could use percentages of that max value in those various places you could easily adapt to throughput changes on your WAN side (like moving to a better LTE modem, adding another WAN link, or a fiber link) and your device would scale up without any other change.
  • More flexible scheduling, PLEASE. Not only one time per day but different times per day and on different days etc. It is already there in some parts of RouterOS, so it should be simple (I put that request in the wrong place in another post earlier)

And then yes some day finally Wifi Wave 2 features like band steering, but now I am starting to dream about paradise ... so forget this one... :lol:
**
MTCNA
Chateau 5G: high speed :D meets ROS7 :shock: , the perfect match... :lol:.
Having an Audience? Use wifiwave2!!! (the more people complain, the faster it gets fixed 8) )
 
kiwistag
just joined
Posts: 14
Joined: Mon Jun 24, 2013 12:53 am
Location: New Zealand

Re: Feature requests

Sun May 10, 2020 1:36 am

3 differing requests that may become very useful
  • Within Winbox: a right-click menu option on an ARP record or DHCP lease to quickly issue a WOL request
  • Consider a GeoIP package allowing for firewall filtering by country (a big ask I know, but there are good Linux resources for this - https://www.maxmind.com)
I know that the two latter may take some considerable resource to implement and are more practical on MMIPS, ARM and even Tile architectures; however, for the sake of IoT these days, the ability to remotely interface via USB into devices to program them may be a large drawcard for purchasing Mikrotik routers in an untapped market.

Bevan
NZ
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun May 10, 2020 11:49 am

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun May 10, 2020 11:55 am

Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be possible to be used within routeros within queue trees, mangle rules, hotspot etc. Today one needs to define each time an absolute value for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare.
I think the queue trees should allow an additional form of rate configuration in the form of a percentage of the rate of the next higher level in the queue tree.
When the next level is an interface, there should be some options, e.g. default the negotiated interface rate, possibility to manually set a lower rate, and e.g. on a WiFi link also the possibility to track the actual datarate of the link as depending on link quality. or indeed a fourth option could be to set it to some name of a global variable where the value is taken. that would be the feature you request.
I recognize the pain of having to walk through entire trees when the top-level speed is changed. However I usually do it from commandline so larger numbers of items can be set all at the same time. Still a laborious procedure.
 
SiB
Forum Guru
Posts: 1863
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Wed May 13, 2020 11:59 pm

Add column TYPE who give us a result from :typeof $variable
MTCNA + MTCRE + MTCINE | ~800 users at ~150 RouterBoards in EMEA
Knowledge Base about LTE by SiB | Buy me a caffe | Telegram: http://t.me/SiB_PL
 
emad1984
just joined
Posts: 1
Joined: Sat Jun 06, 2020 4:03 pm

Re: Feature requests

Sat Jun 06, 2020 4:05 pm

Please add Shadowsock / shadowsocksr to the vpn features.
 
TomjNorthIdaho
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

WiFi 6 ( 6 GHz )

Tue Jun 09, 2020 2:33 am

WiFi 6 ( 6 GHz )

Yesterday I went into Costco ( a large everything store ). And guess what is on display as you walk in the store - a bunch of WiFi 6 wireless networking devices !!!

Emmmm, soooooooo ,,,, Where are any Mikrotik WiFi 6 WISP products ?

I need to start adding at least one-hundred WiFi 6 APs to my multiple tower networks then begin migrating a thousand or so 5 GHz customers to some WiFi 6 networks while the 6 GHz channels are still clear/clean , however ,,, there are no Mikrotik WiFi 6 products available.

How can Mikrotik not have any WiFi 6 products when the shelves in Costco are full of non-Mikrotik WiFi 6 products ?

North Idaho Tom Jones
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jun 09, 2020 11:06 am

Add "usage counters" to static DNS entries and display them in the table.
These need to be in RAM only, no need to write back to flash.
 
muetzekoeln
Member Candidate
Posts: 166
Joined: Fri Jun 29, 2018 2:34 pm

Re: WiFi 6 ( 6 GHz )

Tue Jun 09, 2020 5:32 pm

WiFi 6 ( 6 GHz )
WiFi6 is 2.4 and 5 GHz.
WiFi6e includes 6GHz
 
millenium7
Member
Posts: 413
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Wed Jun 10, 2020 3:59 am

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. On all of our routers I'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to login or establish VPNs from overseas etc.
Ideally this would pull data periodically from a central MikroTik server similar to DDNS, which would make it more effective than just using fixed address-lists.
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel that's racist well.... that's your problem
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Jun 10, 2020 12:20 pm

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. On all of our routers I'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to login or establish VPNs from overseas etc.
Ideally this would pull data periodically from a central MikroTik server similar to DDNS, which would make it more effective than just using fixed address-lists.
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel that's racist well.... that's your problem
My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.

Do you want it to refer to the physical location of the system having that address, the citizenship of the owner of that system, or its network? Or of the system's user?
E.g. when you think "I only want to receive mail from people in Australia so I will block all mail from servers in other countries" but that will fail because people in Australia might (even unknown to themselves) have their mail server located in another country.

Similar for websites. "I want my users only to see websites from Australia" might look easy to do with such a list, but it isn't. The list will not refer to the content of the site, nor to the owner/operator of that site, but (at best) only to the physical location of the server. Which errs in both directions: reputable Australian sites may be hosted overseas, and overseas phishers/hackers might have their site physically located in Australia.

I don't know the situation in Australia, but here in the Netherlands we have MANY MANY networks that lookup as "country=NL" but really are operated by rogue hosters from anywhere in the world. So limiting my router logins to "only from NL" really brings me nothing but a false sense of security, as those ongoing portscans from the many foreign VPSes hosted in local datacenters here will just go through.
Furthermore, anyone can use a VPN (in the newfangled meaning) to have a source IP address in any country they desire.

And when you operate on a mobile network provided by a company that originates from outside of your country, it may well be that your external IP address is registered in another country too. Maybe not in Australia (due to its isolated topology), but certainly in other places.

Then, making something like this available as a standard feature where every operator can just click some selection list (even without knowing all of the above) is certainly not a good thing, in my opinion. But you can differ on that.

Firewall filtering is something that has to happen on-the-fly, so it has to use locally stored tables. However, services like a login or VPN connect could do an external query to determine parameters of the source IP address, and use the result to accept or reject the connection.
There are DNS-based country lookup services (you query a name like 1.2.3.4.somedomain.example.com for a TXT record and you get a reply with the AS number and country code of the specified address).
Maybe it would be good when login procedures would be able to do such queries (or allow calling a script where such customized queries can be made).
That would still have the disadvantages listed above, though.
 
msatter
Forum Guru
Posts: 2657
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Wed Jun 10, 2020 1:57 pm

Those lists can be obtained at mikrotikconfig dot com

Besides that you need to maintain a separate list with scanning IP addr. that are domestic or listed with the wrong country.

I am doing it myself since a few days because I got fed up with maintaining the separate list all the time. Now is because very quiet and still the checkers come in preparing a scan.
Loving my freedom and so, no Twitter, no Meta/Facebook/Instagram/WhatsApp, no Apple and no Alphabet/Google, no Amazon/Cloudfront/AWS. 12% inflation but still giving money to Italy.

Running:
RouterOS 7.2RC6 and 7.21 / Winbox 3.35 64bits
 
doctorpangloss
just joined
Posts: 6
Joined: Thu Jun 11, 2020 1:07 am

Re: Feature requests

Thu Jun 11, 2020 1:19 am

Hairpin NAT should be enabled in Quick Set.
 
User avatar
Jotne
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Thu Jun 11, 2020 8:31 am

There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.
You may think so. Take an example. On your server you have a small web server that is for your local bicycle club. There users can get information about training times, when there are competitions etc. Let's say someone from Australia is on vacation in Bali and wants to know when the training is for his son who is at home in Australia. Why should he not do that?

Or your work has a proxy or headquarters in another country; then he could not open your local web server, since you blocked all from outside Australia.

But if you have no webserver nor other services needed for any other, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
sindy
Forum Guru
Posts: 8818
Joined: Mon Dec 04, 2017 9:19 pm

Re: Feature requests

Thu Jun 11, 2020 12:50 pm

If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Jun 11, 2020 1:31 pm

So I don't know whether using discrimination per country is racist, but it is definitely useless.
My claim was: It is completely useless, and it tends to racism.
It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
That quickly slides towards racism.
 
solar77
Long time Member
Posts: 587
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Feature requests

Thu Jun 11, 2020 8:15 pm

good firewall rule stops attacks, picks up IP of attacker, keep them in your Address List for as long as you want and block all future attacks from the same IP.
I'd like to see the IP cloud to include a function so that we can all share these IP address. that would be nice!
MTCNA MTCTCE UEWA
 
mutluit
Forum Veteran
Posts: 773
Joined: Wed Mar 25, 2020 4:04 am

Re: Feature requests

Thu Jun 11, 2020 8:35 pm

So I don't know whether using discrimination per country is racist, but it is definitely useless.
My claim was: It is completely useless, and it tends to racism.
It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
That quickly slides towards racism.
Hmm. here is a counter use-case:
Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Jun 11, 2020 8:39 pm

Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
As I explained before, that is not going to work. Your own users may appear to come from another country.
 
solar77
Long time Member
Posts: 587
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Feature requests

Thu Jun 11, 2020 10:38 pm

Imagine you have a service for users from your own country only.
This was nearly my use-case: a local WISP. And at one point it was very tempting to do so, to fence off all failed authentication to our VPN service. Most of them are from one country.
However, I realized that we cannot just block connections from the rest of the world. One of my customers might want to travel :-)

We don't have a list of known IP addresses to allow. So I ended up logging 3 failed connection attempts and adding the source IP to an address list, adding a /24 to it and blocking the address list.
From the list, I can see the attacker jumps from IP to IP, different range, clearly blocking by country is not going to stop them at all.
Also they were clever enough to do this less frequently so they don't get caught. I had to increase the time-out at each stage as well.

I try to mess with them by using Tarpit instead of Drop. Making their life slightly more difficult. :lol: 8)

again, a platform for Mikrotik users to share these IP address would be useful.
MTCNA MTCTCE UEWA
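The approach solar77 describes above (count failed logins, put the source's /24 in an address list, lengthen the timeout at each stage) combined with pe1chl's earlier request for a regexp filter on logged messages, as an added example that is not the poster's or MikroTik's own code: a Python tracker that reads RouterOS-style log lines and emits the address-list commands. The log lines, addresses, thresholds, list name and the `ignore_re` filter are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RouterOS-style log line: "<mon>/<dd>/<yyyy> <hh:mm:ss> <topics> <message>".
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<topics>\S+) (?P<msg>.*)$")
# The login-failure message RouterOS services write to the log.
LOGIN_FAILURE_RE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) via (?P<svc>\w+)")

# Constructed sample log (RFC 5737 documentation addresses): 198.51.100.7 fails
# three times, 198.51.100.20 in the same /24 returns after the first block has
# expired, 203.0.113.5 mistypes once, 192.0.2.10 is an API monitoring host.
SAMPLE_LOG = """\
jun/11/2020 22:00:01 system,error,critical login failure for user admin from 198.51.100.7 via ssh
jun/11/2020 22:00:09 system,error,critical login failure for user root from 198.51.100.7 via ssh
jun/11/2020 22:00:15 system,error,critical login failure for user admin from 203.0.113.5 via winbox
jun/11/2020 22:00:20 system,error,critical login failure for user test from 198.51.100.7 via ssh
jun/11/2020 22:05:00 system,error,critical login failure for user monitor from 192.0.2.10 via api
jun/11/2020 22:05:05 system,error,critical login failure for user monitor from 192.0.2.10 via api
jun/11/2020 22:05:10 system,error,critical login failure for user monitor from 192.0.2.10 via api
jun/11/2020 23:30:00 system,error,critical login failure for user admin from 198.51.100.20 via ssh
jun/11/2020 23:30:04 system,error,critical login failure for user admin from 198.51.100.20 via ssh
jun/11/2020 23:30:08 system,error,critical login failure for user admin from 198.51.100.20 via ssh
"""


def parse_ts(text):
    # RouterOS timestamp such as "jun/11/2020 22:00:01"; %b matches case-insensitively.
    return datetime.strptime(text, "%b/%d/%Y %H:%M:%S")


def ros_timeout(td):
    # Render a timedelta in the d/h/s form RouterOS accepts for timeout=.
    secs = int(td.total_seconds())
    if secs % 86400 == 0:
        return f"{secs // 86400}d"
    if secs % 3600 == 0:
        return f"{secs // 3600}h"
    return f"{secs}s"


class FailedLoginTracker:
    """Counts login failures per source inside a sliding window; at the threshold the
    enclosing /24 is blocked, longer each time it re-offends after a block expired."""

    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 stage_timeouts=(timedelta(hours=1), timedelta(days=1), timedelta(days=7)),
                 prefix_len=24, ignore_re=None):
        self.threshold, self.window = threshold, window
        self.stage_timeouts, self.prefix_len = stage_timeouts, prefix_len
        # Hypothetical equivalent of pe1chl's "NOT regexp" on the logged message.
        self.ignore_re = re.compile(ignore_re) if ignore_re else None
        self.failures = defaultdict(list)  # source address -> recent failure times
        self.stage = {}                     # network -> index into stage_timeouts
        self.blocklist = {}                 # network -> block expiry time
        self.events = []                    # (time, network, timeout) per block action

    def is_blocked(self, ip, now):
        addr = ipaddress.ip_address(ip)
        return any(addr in net and expiry > now for net, expiry in self.blocklist.items())

    def observe(self, line):
        head = LOG_LINE_RE.match(line)
        if not head:
            return None
        now, msg = parse_ts(head["ts"]), head["msg"]
        if self.ignore_re and self.ignore_re.search(msg):
            return None
        m = LOGIN_FAILURE_RE.search(msg)
        if not m:
            return None
        addr = ipaddress.ip_address(m["ip"])
        if self.is_blocked(addr, now):      # already listed; the router is dropping it
            return None
        recent = [t for t in self.failures[addr] if now - t <= self.window] + [now]
        self.failures[addr] = recent
        if len(recent) < self.threshold:
            return None
        self.failures[addr] = []
        net = ipaddress.ip_network(f"{addr}/{self.prefix_len}", strict=False)
        stage = min(self.stage.get(net, -1) + 1, len(self.stage_timeouts) - 1)
        self.stage[net] = stage
        timeout = self.stage_timeouts[stage]
        self.blocklist[net] = now + timeout
        self.events.append((now, net, timeout))
        return net, timeout


def process_log(text, **kwargs):
    tracker = FailedLoginTracker(**kwargs)
    for line in text.splitlines():
        tracker.observe(line)
    return tracker


def address_list_commands(tracker, list_name="login-bruteforce"):
    # RouterOS commands that would add each blocked network to an address list.
    return [f"/ip firewall address-list add list={list_name} address={net} "
            f"timeout={ros_timeout(timeout)}" for _, net, timeout in tracker.events]
```

Running `address_list_commands(process_log(SAMPLE_LOG, ignore_re=r"via api$"))` yields one 1h entry for 198.51.100.0/24 and, after that block has expired and the same /24 returns, a 1d entry; without the `ignore_re` filter the monitoring host would be listed as well.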
 
Jotne
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Thu Jun 11, 2020 10:48 pm

Hmm. here is a counter use-case:
Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D. :-)
And as I did write, how to access these services if the user are out travelling in another country?
If I would like to surf from an Australian address, I could use "Hola Free VPN" and bypass your country rule.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
millenium7
Member
Posts: 413
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Fri Jun 12, 2020 3:25 am

My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.
You are WAY overthinking this. It's really as simple as an address list generated from IANA that says i.e.
1.x.x.x/8 = Belongs in USA.
2.1.x.x/16 = Belongs to Belarus
3.x.x.x/8 = Australia
etc etc
Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up. But behind the scenes this is done by simply enabling an option in a firewall rule that says i.e. "Country!=Australia" and it uses all the known prefixes residing inside Australia. Done behind the scenes, and ideally periodically updated so you don't have to run scripts to manually pull the latest IANA data

This is no different to what many other countries do with geoblocking of services. I have zero interest in making 100% absolutely damn sure that the 'user' is in Australia. If they have an overseas IP, are using a VPN etc, not my problem. This is a broad sweeping rule that will catch a significant number of attacks, it's not about ensuring we definitely have someone physically located in Australia, don't care
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.
You may think so. Take an example. On your server you have a small web server that is for you local bicycle club. There user can get information about training times, when there are competition etc. Lets say a someone from Australia is on vacation in Bali and wants to know when the training is for his son that are home in Australia. Why should he not do that.

Or your work have an proxy or head quarter in an other country, he the could not open your local web server, since you blocked all from outside Australia.

But if you have no webserver nor other services needed for any other, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.
That would not be an 'input' chain, that would be forward chain, so the rule would not block traffic going to a server that resides behind the router. Only traffic directly destined to the router itself would get blocked
The specific conditions of each person can be taken into account by either adjusting firewall rules to the companies needs, or just not using the country filter......... amazing concept I know. But for us, we 100% absolutely have zero need for allowing overseas connections directly to our routers. Now if we need to get a consultant in, or someone goes overseas or we have some special purpose we can always go ahead and just add a more specific 'accept' rule above the general country filter. Until this, this 1 rule would reduce our attack footprint massively
If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.
It isn't useless. It's not about 100% perfect security either (such a thing doesn't exist). It's just about reducing the broader attack spectrum. In the same way most people move the default Winbox port off 8291 to something else, that isn't 100% effective so therefore its a useless feature? may as well not have it?
Why do people block port scans? That's not a guarantee of anything either....
If 1 very simple rule reduces the attack vector by 90% then how is it useless..... the other 10% can still be handled as normal anyway. Heck if nothing else its a performance boost, anything overseas gets dropped in the first couple of rules without processing further
 
Jotne
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Fri Jun 12, 2020 10:33 am

That would not be an 'input' chain, that would be forward chain.
Then I see what you do wrong. There should be no input rules coming from the outside using the input chain. VPN is the way to go if you need to access services on the router.

If you can not use VPN to manage your router, follow this:

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. If possible setup the remote router to connect using VPN to an admin site.
8.++++

4. You can give only one IP to manage your system if you need.

Then you can administrate your router from where you like, with better security.
Using a country based access list only limits the number of hack attempts on your system, nothing more.

PS I have an access list that blocks an IP for 24 hours if they try one port on my system that is not open. This blocks most of the automatic scripts running out there.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 11:09 am

It's really as simple as an address list generated from IANA that says i.e.
1.x.x.x/8 = Belongs in USA.
2.1.x.x/16 = Belongs to Belarus
3.x.x.x/8 = Australia
etc etc
Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up.
I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better
when it had been done that way, but it hasn't.
LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible
to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for
the asia-pacific region. The list of blocks for Australia would have many thousands of entries no matter how you like that.

So the feature you request is nothing more than what you would get when you load the address list and use that in the firewall rules, and the only
thing you could expect here is that some native tool for loading the address list would have an easier time getting around the limitations posed
by scripting and the flash-wear caused by repeatedly loading static address lists.

I have asked before for extensions on the DNS-based loading of address lists:
- remove or at least increase the limit on the number of records returned for a DNS lookup when loading an address list item via a DNS name so longer lists like blocklists can be loaded this way
- add support to load "subnet" address list items e.g. by lookup of TXT records which contain subnets in the CIDR notation (1.3.3.0/24 for example)
(a DNS record type exists specifically for this, but it is experimental and probably not widely supported, TXT seems a safer bet)

With this in place, your request could be fulfilled by a DNS service (hosted by MikroTik or by another company or individual) that returns all
subnets for "australia" on some specific DNS lookup, and you could get your "security" by configuring that address list in your router and using it
in your firewall rules.
 
millenium7
Member
Posts: 413
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Fri Jun 12, 2020 11:52 am

I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better
if it had been done that way, but it hasn't.
LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible
to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for
the Asia-Pacific region. The list of blocks for Australia would have many thousands of entries, whether you like that or not.
I am entirely aware of this; what I provided was clearly just an oversimplified example. I thought that was clear when I mentioned 'instead of having several thousand address list entries'.
It's doing exactly the same job as manually adding them to an address list, but in a very simplified and clean way, by just enabling 1 option and specifying countries. Ideally that is then dynamically updated.
The alternative is that entries need to be manually added to a MikroTik; that could be hundreds/thousands of routes, especially if I want to do multiple things with multiple countries.
Then I need another script running that updates this list automatically... it's just really messy to keep everything updated and everything in sync, when it could be a simple 1-tick-box operation instead.

Why are you guys not seeing the value in this? DDNS does a similar thing. It's entirely possible to script your own DDNS implementation, but isn't it a LOT better just having a single tick-box in IP-Cloud? I know I sure appreciate that feature for when I need it. Do I use it all the time? No. Is it perfect with, e.g., multiple gateways? No. Does it have a purpose though? Absolutely. So why are you so opposed to having a country feature?
I dunno, maybe you guys are right: because it's not an absolutely perfect implementation that works for absolutely everybody, it must be totally useless...
I don't use IPv6 on MikroTik whatsoever; can I put in a request to remove it? Because for me it's totally useless, therefore it must also be totally useless for everyone else...
 
ahmedramze
Frequent Visitor
Frequent Visitor
Posts: 96
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ
Contact:

Re: Feature requests

Fri Jun 12, 2020 3:09 pm

Hello

Please, can you upload all packages as separate files, so that we can also use the fetch command? Also, add an HTTPS certificate for the URL download.mikrotik.com.
Installing packages requires unzipping the file and uploading it again; sometimes we use a mobile network and a slow connection.


Regards.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 4:04 pm

I am entirely aware of this; what I provided was clearly just an oversimplified example. I thought that was clear when I mentioned 'instead of having several thousand address list entries'.
It's doing exactly the same job as manually adding them to an address list, but in a very simplified and clean way, by just enabling 1 option and specifying countries. Ideally that is then dynamically updated.
The alternative is that entries need to be manually added to a MikroTik; that could be hundreds/thousands of routes, especially if I want to do multiple things with multiple countries.
Then I need another script running that updates this list automatically... it's just really messy to keep everything updated and everything in sync, when it could be a simple 1-tick-box operation instead.
I hoped you would have understood by now that this is not possible because there is no simple attribute on a packet that indicates it is "from Australia" so such filters can only work with that address list of thousands of entries in place.
I'll stop this useless discussion. If you want to keep going on about how you think this could be implemented, please post a separate topic so it can be kept outside of the "Feature requests" topic.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jun 12, 2020 4:07 pm

Please can upload All packages as separated files then we can use fetch command also , add Https mikrotik certificate for url download.mikrotik.com
installing packages required unzip the file and upload it agian some sites time we use mobile network and slow connection.
The use of separate packages for part of functionality (like routing, advanced tools, PPP, etc) has been abandoned in v7. Everything is now in a single package except the truly special things like UPS monitoring.
So you will have to get used to loading the single routeros package that has all the things that you do not need.

The separate package files (for v6) are already available for download from upgrade.mikrotik.com via fetch, you only need to figure out the URL.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Fri Jun 12, 2020 7:38 pm

Blocking countries and remote bad/rogue locations - ( related information )

If you use pfSense, take a look at the package "pfBlockerNG-devel".
My multiple core network routers are a mix of MikroTik and pfSense routers/firewalls/NAT. The optional pfBlocker on pfSense allows you to block by country and/or use multiple Internet list servers to auto download/update bad IP addresses on the Internet. I have a syslog server that receives firewall logs from my MikroTik and pfSense firewalls. My syslog server then auto-creates a custom block-list that my other pfSense routers/firewalls will also use. So if one pfSense firewall blocks something, that IP address will auto-propagate to my other pfSense firewalls. This works well because when somebody is scanning your network searching for vulnerabilities, it only takes one pfSense firewall hit to redistribute the new firewall rule list to all other pfSense firewalls. Default pfBlockerNG can use freely available IP lists and DNSBL lists, and you can even create your own custom lists for other pfSense firewalls to use.

I have found many infected computers on some of the networks I manage simply by looking at my syslog. When you see repeated never-ending attempts from a computer in your network trying to connect to ( China or other sometimes rogue locations), then it is a fair bet that you may want to further inspect/scan that local computer on your network.

I don't know if something like pfBlocker is possible on a Mikrotik, but if it were then I would be very interested in testing it out.

North Idaho Tom Jones
 
Sob
Forum Guru
Forum Guru
Posts: 8180
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sat Jun 13, 2020 1:01 am

So why are you so opposed to having a country feature?
Remember, you don't need to convince anyone in this forum, just MikroTik. Non-technical reasons and users' business decisions aside, the first question is what exactly MikroTik should provide. I see a big difference between just support for something and providing all the data.

For example, in the past I played with MaxMind's GeoIP database (no, I didn't block anyone), which is periodically updated database with IP to country mapping. They even had iptables module for it. Adding support for something like that should be relatively simple one-time thing. Providing such database themselves, keeping it updated and everything, that's much more work and may not be worth it for MikroTik.

I don't care about countries myself, but it could be interesting if it were something more generic. Assuming that working with a static precompiled database is faster than with address lists (I guess it could be, I didn't test it, but it would be interesting to know), it could be useful for any kind of large (semi)static lists. Not only could it be faster (maybe), but updates could be done by simply downloading and replacing one file, instead of scripting address list updates or abusing DNS, etc.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8676
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Sat Jun 13, 2020 7:14 pm

Regarding those GeoIP databases... Ten years ago I had to contact MaxMind because the ISP I was working for leased two /24 PA blocks from a Czech company, and MaxMind (well, together with many other services, but they are among the biggest ones) had been ignoring this fact for years. They told us they don't read all the changes, so most small ISPs are treated as their aggregated IP block by default. Only after that (about a month later) did our clients start to be identified as coming from Belarus, not the Czech Republic.

Nowadays, when IP space is exhausted, more and more leasing happens, so today the problem can be even bigger.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Sat Jun 13, 2020 10:13 pm

This just adds more to why blocking by country is not a good thing. The quality of such a service would never be high, and you can bypass it using a proxy/VPN. It looks like millenium7 wants this to protect the input chain that is used to admin the router. A VPN should give the needed security.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Put Dude ports 2210 and 2211 in IP-Services where it belongs ( RESOLVED )

Fri Jun 26, 2020 3:57 am

*** RESOLVED *** (It works like it is supposed to. This post was an error asking a question. There is no issue.) *** RESOLVED ***

Put Dude ports 2210 and 2211 in IP-Services where it belongs

Currently, IP->Services has a field "Available From".
This functions with api , api-ssl , ftp , ssh , telnet , winbox , www , www-ssl
These services can be turned off/on and/or blocks of IP-networks can be used for each service.

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
Yesterday, I counted 4 thousand "winbox/dude" connect logs. And I know it's not Winbox because I limit in IP-Services what IP blocks can connect using Winbox, so it has to be Dude!

I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.

Also - it might be a good idea to add ICMP to the IP-Services section

North Idaho Tom Jones
Last edited by TomjNorthIdaho on Fri Jun 26, 2020 7:55 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 11:15 am

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!
But you can just handle them in the input firewall, right? That is where I regulate the other services as well, when they are enabled.
A subnet limitation in the service still allows connect to the service which then refuses to serve you, but an input firewall rule entirely protects it.
(and can be more advanced than just checking for source subnet)
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:00 pm

Put Dude ports 2210 and 2211 in IP-Services where it belongs

Currently, IP->Services has a field "Available From".
This functions with api , api-ssl , ftp , ssh , telnet , winbox , www , www-ssl
These services can be turned off/on and/or blocks of IP-networks can be used for each service.

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
Yesterday, I counted 4 thousand "winbox/dude" connect logs. And I know it's not Winbox because I limit in IP-Services what IP blocks can connect using Winbox, so it has to be Dude!

I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.

Also - it might be a good idea to add ICMP to the IP-Services section

North Idaho Tom Jones
Never mind - I got an email that says Dude uses the same ports as Winbox.
So what traffic is on 2210 and/or 2211 ?
And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:19 pm

And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
When you do not like that, add a firewall rule (probably with address list) for the filtering.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 7:50 pm

And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
When you do not like that, add a firewall rule (probably with address list) for the filtering.
Again - thank you for your prompt reply(s) to my questions :)
I guess I was not understanding the sequence "service accepts the connection then drops it and logs" , I wrongly thought it was "don't accept the connection".
Question - Am I correct to assume for IP-Services ssh, telnet, http, https api … Is it also "service accepts the connection then drops it if not allowed" ( aka accept the connection , check access-list, then drop if not allowed - if allowed then continue the service connection) ?
Mikrotik - I love your products and your highly knowledgeable team.

Thank you

North Idaho Tom Jones
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Put Dude ports 2210 and 2211 in IP-Services where it belongs

Fri Jun 26, 2020 8:12 pm

Question - Am I correct to assume for IP-Services ssh, telnet, http, https api … Is it also "service accepts the connection then drops it if not allowed" ( aka accept the connection , check access-list, then drop if not allowed - if allowed then continue the service connection) ?
Yes, that is how it works. In Linux this is called "TCP Wrappers" with their associated config files "/etc/hosts.allow" and "/etc/hosts.deny". It sits between the listening TCP port and the daemon that runs the connection, it first accepts the connection (or rather the kernel does that), looks up the source network in those files, and if not allowed it just closes the connection again. This whole thing was invented before firewalls were available in operating systems.
You can observe this yourself when you use telnet.
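An added example, not part of pe1chl's or any other post in this thread, that puts the point above into configuration: the "Available From" setting that lets the handshake complete and then refuses, beside the input-chain rules that drop the packet before the service ever sees it. The addresses 203.0.113.0/24 and 198.51.100.7 are documentation ranges standing in for the admin networks, and the interface list named WAN is assumed to exist; both are placeholders.

```routeros
# Added example, not from any post in this thread.
# Placeholders: 203.0.113.0/24 and 198.51.100.7 (documentation ranges) stand
# for the admin networks; an interface list named WAN is assumed to exist.

# Weak on its own: the router still completes the TCP handshake, the service
# checks the source, closes the connection and logs
# "denied winbox/dude connect from ...". Port 8291 stays open to scanners.
/ip service set winbox address=203.0.113.0/24,198.51.100.7

# Better: decide in the input chain, before the service ever sees a packet.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.0/24 comment="admin LAN"
add list=mgmt-allowed address=198.51.100.7 comment="jump host"

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="return traffic for connections the router opened or accepted"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping and path MTU discovery"
# Order matters: this accept must sit above the drop for the same ports.
add chain=input action=accept protocol=tcp dst-port=22,443,8291,8729 src-address-list=mgmt-allowed comment="ssh, www-ssl, winbox/dude, api-ssl from admin sources only"
add chain=input action=drop protocol=tcp dst-port=22,443,8291,8729 log=yes log-prefix="mgmt-denied" comment="same ports from anyone else: dropped, never reaches the service"
add chain=input action=drop in-interface-list=WAN comment="nothing else from the Internet reaches the router itself"

# What is not used should not be listening at all.
/ip service disable telnet,ftp,www,api
```

Keeping the "Available From" setting as well does no harm; it is a second check behind the firewall. If the thousands of "denied winbox/dude connect from" lines are the real annoyance, this is also where they stop: the service never logs a connection whose SYN the firewall dropped, and the drop rule's own logging can be switched to log=no once you have confirmed from its counters that it is the rule being hit.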
 
Retral
newbie
Posts: 33
Joined: Wed Jul 25, 2018 9:10 pm

Re: Feature requests Winbox Optimization

Sun Jun 28, 2020 4:11 am

Hey I'd like to throw these ones out there.
Can you make the menu in Winbox collapsible, to where it's just a column of icons?
I think it would be a great asset to anyone wanting to squeeze every inch out of their screen(s) real estate.

Optimize the re-opening of Winbox. Often I find when I make changes to rules inside different areas like the firewall, I'll have the inner window randomly resize on me. When I close and re-open Winbox it has a habit of auto-changing its zoom level, which mangles up the inner windows.

Give us the ability to make the options we check off in the torch default for the next time a torch is opened and give us the option to turn it off if we want.
 
ivicask
Member
Member
Posts: 344
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Feature requests

Sun Jun 28, 2020 9:00 pm

Not sure if it was asked before, but can we get an option to specify multiple address lists inside a single firewall rule?
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Sun Jun 28, 2020 10:48 pm

option to specify multiple address lists inside a single firewall rule?
You can make a jump rule and add multiple rules to it, all with an address list. Not exactly the same, but should work.
 
 
 
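The jump-chain workaround Jotne describes, written out as an added example (not code from any post in this thread). The three address lists mgmt-lan, mgmt-vpn and mgmt-noc and the WinBox port are placeholders; the lists are assumed to exist already.

```routeros
# Added example, not from any post in this thread.
# Placeholders: address lists mgmt-lan, mgmt-vpn, mgmt-noc are assumed to exist.

/ip firewall filter
# One rule in input hands the packet to a private chain that plays the role of
# "src-address-list=A or B or C", which a single rule cannot express.
add chain=input protocol=tcp dst-port=8291 action=jump jump-target=mgmt-sources comment="winbox: is the source in any allowed list?"
# If no rule in mgmt-sources matches, the packet returns to the next rule of
# the calling chain, i.e. here, and is dropped.
add chain=input protocol=tcp dst-port=8291 action=drop log=yes log-prefix="winbox-denied" comment="winbox: source in none of the lists"

# One rule per list. The first match accepts and ends input processing for
# that packet; the others are never evaluated.
add chain=mgmt-sources src-address-list=mgmt-lan action=accept comment="office LAN"
add chain=mgmt-sources src-address-list=mgmt-vpn action=accept comment="admin VPN pool"
add chain=mgmt-sources src-address-list=mgmt-noc action=accept comment="NOC addresses"
```

Two notes on this. "A and B" does not need the jump at all: src-address-list and dst-address-list can sit in the same rule, so only the "or" case needs the extra chain. And since one address may belong to several lists, the other workaround is to add each entry to its specific list and to a combined list at the same time, at the cost of keeping the two in step.

 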
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Jun 29, 2020 11:31 am

It would be nice to have some additions from the ipset mechanism available as address list items.
- list:set would enable you to make an address list that has a couple of other address lists as members (and can implement the above request)
- counters would show a hit-count in an address list for each item (enabling evaluation of relevance of items in a list)
 
anuser
Long time Member
Long time Member
Posts: 570
Joined: Sat Nov 29, 2014 7:27 pm

Re: Feature requests

Sun Jul 05, 2020 9:49 am

Feature request: "Airtime Fairness" for Wireless, because it helps a lot when a huge number of clients is connected to one SSID and one client is able to slow down the rest (take a look at https://www.smallnetbuilder.com/wireles ... l=&start=1)
 
eguun
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Fri Apr 10, 2020 10:18 pm

Re: Feature requests

Tue Jul 07, 2020 10:24 am

Hi,

as feature request, I would like mikrotik to have IPsec support of DH group 31 (EC25519)

Diffie-Hellman group 31 is EC25519 (Elliptic Curve 25519)

It's today the only undisputed secure Elliptic Curve algorithm.
And several competing products already support it (pfSense, OPNsense, FortiGate ...)
It's absent from Mikrotik supported protocols: https://wiki.mikrotik.com/wiki/Manual:I ... man_Groups and the Wiki is up-to-date.

Is there a procedure to formally request this support?

Reference RFC: https://tools.ietf.org/html/rfc8031

Thanks
 
opientka
just joined
Posts: 4
Joined: Wed Nov 13, 2019 12:09 pm

Re: Feature requests

Fri Jul 10, 2020 9:22 am

Hello Mikrotik,

here's another feature request:

Add support for LTE Devices to be controlled via CAPsMAN

Example Use case:
My company uses several smaller MikroTik routers (like hAP ac²) spread over the whole campus as office desktop switches.
All of them share their WiFi hardware to a central CRS328-4C-20S-4S+RM, located in our Server Room, which is our CAPsMAN.
Two of the CAPs are also used to connect an LTE-USB-Stick to provide a backup internet connection over 4G/LTE mobile network.

It would be great if those USB sticks could be virtually relocated into the CAPsMAN, like the WiFi antennas of the CAPs.
Having LTE connected to the central Router/Gateway makes sense. But since CRS328-4C-20S-4S+RM does not have USB and the LTE-Signal inside the server room is really bad, it seems like a good idea to relocate those Sticks to a Desktop-Router, which is located next to a window.

Sure, it is possible to configure that router as a second gateway, but having it configured centralized within CAPsMAN would be a great benefit.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1863
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Fri Jul 10, 2020 10:51 am

Add support for LTE Devices to be controlled via CAPsMAN
No, it's a bad idea. USB sticks are detected and a dhcp-client is created automatically; you can make many adjustments to your needs with scripts & schedulers.

You have a few other ways to do mass configuration, like ssh, scheduler & fetch, or .auto.rsc via ftp, which works with autostart...
 
Wyz4k
Member Candidate
Member Candidate
Posts: 221
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 7:23 am

Can we get an option to add a reason for rebooting? For example /system reboot reason="upgrading to new ROS" and have that reason be stated in the next log?
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 18, 2020 11:09 am

When the reason for the reboot is an upgrade of ROS, the router already logs that...
Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?
 
Wyz4k
Member Candidate
Member Candidate
Posts: 221
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 11:20 am

When the reason for the reboot is an upgrade of ROS, the router already logs that...
Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?
That's right yes. reason = "Shutting down because DHCP broken script triggered a restart."
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue Aug 18, 2020 11:22 am

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
 
 
 
Wyz4k
Member Candidate
Member Candidate
Posts: 221
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 11:42 am

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
 
al3xeezer
just joined
Posts: 22
Joined: Thu Feb 27, 2020 11:46 am

Re: Feature requests

Tue Aug 18, 2020 12:35 pm

Would be very useful to have the src-address parameter available for /tool speedtest (as it is for fetch, traceroute, ping...)

Have you consider adding it?
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 18, 2020 4:26 pm

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.
 
Wyz4k
Member Candidate
Member Candidate
Posts: 221
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Tue Aug 18, 2020 6:47 pm

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.
Yes, that would be a useful approach. Unfortunately I operate in an infrastructure-less environment where the configurations are built up and destroyed dynamically and as such we don't have a syslog server option.

Can I get a syslog server too? :D Yes I know dude has one, but a small one for normal routers would be nice.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Fri Aug 21, 2020 4:17 am

FYI - Reboots and logs.

- 1st: I don't use the MikroTik native (/system watchdog "Watch Address").
I do not like the way it behaves and it is not smart. Because it is not smart, it can/will trigger a reboot when everything is connected. When the default WatchDog detects a no-ping condition, it will auto-reboot (even if the connection is restored prior to the auto-reboot).

- 2nd: I use my own WatchDog scripts.
My WatchDog scripts for a MikroTik have configurable variables which include:
A - How often to perform a Watch-Dog test ping
B - How often to retry Watch-Dog test pings when something is down. It can retry test-pings for seconds or minutes or hours prior to forcing an auto-reboot.
C - Prior to a reboot, it will perform a wireless site survey and save the results in a file in the MikroTik flash file system.
D - After a wireless site survey, it will again wait/retry Watch-Dog pings for an additional configurable time period.
E - Finally, when there is actually going to be a reboot, my scripts will write an additional file to the flash file system indicating the time/date/reason for the reboot.

I have used my Watch-Dog scripts for over 10 years now on thousands of MikroTiks. It works and it works great. I can always find out when a MikroTik rebooted and why - and a very big advantage is I don't need a remote syslog server.

Also - with these scripts, it's super easy to perform a site survey on a remote client customer MikroTik, then drag the site-survey file to your computer and open it to see the site-survey results. Comes in very, very handy to see that the customer might have many wireless routers in their house on the same frequency as, or close to the frequency, you are using to connect your customers. :)

For many years now, I have posted some of these scripts in the Mikrotik forums.
If you are an ISP or WISP , it is 100-percent worth your time/effort to do the same in your environment/business.

North Idaho Tom Jones
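An added example, not posted by Tom or anyone else in this thread, of a watchdog built along the lines he lists (a test interval, retries before giving up, a reason written to storage before the reboot) that also covers Wyz4k's request a few posts up: each script that decides to reboot writes its own reason to a file, and a startup scheduler re-logs it, so the reason is visible after the reboot without a syslog server. The site-survey step is left out. The probe target 192.0.2.1 is a documentation address, and the file, script and scheduler names are placeholders.

```routeros
# Added example, not from any post in this thread.
# Placeholders: probe target 192.0.2.1 (documentation range), file name
# last-reboot-reason.txt, script and scheduler names.

/system script add name=watchdog-check policy=read,write,test,ftp,reboot source={
    :local target "192.0.2.1"
    :local retries 6
    :local wait 30s
    :local attempt 0

    # Keep probing for up to retries*wait before calling the link dead, so an
    # outage that clears within that window does not cost a reboot.
    :while ($attempt < $retries && [/ping $target count=3 interval=1s] = 0) do={
        :set attempt ($attempt + 1)
        :log warning ("watchdog: no reply from " . $target . ", attempt " . $attempt . "/" . $retries)
        :delay $wait
    }

    :if ($attempt >= $retries) do={
        :local reason ("watchdog: " . $target . " unreachable after " . $retries . " attempts at " . [/system clock get date] . " " . [/system clock get time])
        # The in-memory log does not survive a reboot; a file does.
        # "print file=" creates <name>.txt, "set contents=" fills it.
        /file print file=last-reboot-reason
        :delay 1s
        /file set last-reboot-reason.txt contents=$reason
        :log error $reason
        /system reboot
    }
}

# At startup, re-log the stored reason so it lands in the fresh log (and in
# remote syslog once that is reachable again), then clear the file.
/system script add name=watchdog-report policy=read,write,ftp source={
    :if ([:len [/file find name="last-reboot-reason.txt"]] > 0) do={
        :log warning ("previous reboot: " . [/file get last-reboot-reason.txt contents])
        /file remove last-reboot-reason.txt
    }
}

/system scheduler add name=watchdog-check interval=5m on-event=watchdog-check
/system scheduler add name=watchdog-report start-time=startup interval=0 on-event=watchdog-report
```

Any other script that may reboot the router can reuse the same three lines (print file, set contents, reboot) with its own text, which is what gives each script a distinguishable reason. Note that the file write happens once per actual reboot, not per check, so it adds nothing to flash wear in normal operation.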
 
dalami
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Mon Dec 12, 2011 9:18 am

Re: Feature requests

Sat Aug 22, 2020 12:06 pm

New request - add a new action to Firewall (probably under Filter)..."Run Script".

Possible horrible security hole? Of course - like anything else.

My first intended use case - via a port knock sequence, update the stored IP for an IPSec peer.

An alternative solution for this use case - allow IPSec peer definitions to be defined with an address-list parameter instead of only a fixed IP.

Another option - allow scripts to be triggered on an address-list change.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Aug 22, 2020 2:01 pm

That is technically not feasible, I'm afraid. Firewall rules are evaluated inside the kernel and they cannot call something in a user process.
The best that could be done is direct some matched traffic towards an NFLOG socket and then have a process listening there and executing the script.
But that still would mean the actual traffic is either passed or blocked depending on the firewall rule, not depending on the outcome of the script.
I'm not sure if that would be obvious to the average user. It would also likely require some complicated setup.

About the IPsec use case: I have requested before to have scripts called in Phase1 that could setup Phase2 policies. That is possible in racoon, but it appears that RouterOS is using FreeSwan/StrongSwan instead. I don't know if that software allows such scripts.
 
gutzeit
newbie
Posts: 26
Joined: Mon Feb 04, 2013 1:19 pm

Re: Feature requests

Fri Sep 11, 2020 7:17 am

Hello, please introduce support for RADIUS CoA for the DHCP server. This is required to change the Mikrotik-Rate-Limit. Thank you.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 15, 2020 11:56 am

I would like to see some classification options (filters) in the DHCP server, so that one can direct different device classes into different pools/networks.

E.g. the ISC DHCP server has a quite powerful mechanism for that, where you can define a "class" based on the DHCP request parameters (like vendor class identifier, DHCP requested options, MAC address, hostname etc), and then you can have different pools where each pool has a list of classes that can or cannot use that pool.
(you can have different allow and deny rules in each pool)

This would allow things like putting devices in another pool/network and thus have different attributes like access to internet yes/no, while they connect to the same physical network.
It would be a good start when it can filter on these attributes:
- vendor class identifier (a string)
- MAC address (a value and a mask)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8676
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Tue Sep 15, 2020 12:42 pm

- vendor class identifier (a string)
Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes
- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 15, 2020 2:29 pm

- vendor class identifier (a string)
Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes
Ok, I was not aware of that. Indeed it is very much like what I need, except that I would like an extra match capability on MAC address/mask.
- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
But that is in fact one of the applications I have for it :-)
I want to give users with a local (random) MAC address (02:00:00:00:00:00/03:00:00:00:00:00) an IP address from a different pool where they will get a portal page that prompts them to set "device MAC" for this connection...
The reason for this is that I want to be prepared for a possible meltdown of the network when some manufacturer decides that it is best for privacy to change the MAC all the time, or when they bind it to the AP MAC instead of the SSID (we have 34 APs, so that would cause mayhem in our network).

So this makes my feature request probably much easier to implement as the framework for doing this is already present. It becomes like:
- add capability for "dhcp vendor class" to match on MAC address/mask in addition to match on DHCP request class-id.
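The vendor-class and MAC/mask matchers requested above, as an added Python example (not RouterOS or ISC DHCP code): a request is tested against classes, and each pool lists which classes may or may not use it, modelled on ISC's allow/deny members-of. Class names, the vendor-class string and the sample requests are constructed; the MAC value/mask 02:00:00:00:00:00/03:00:00:00:00:00 is the one from the post and selects locally administered (randomized) unicast addresses.

```python
"""Added example: class-based DHCP pool selection with a MAC value/mask matcher.
Not RouterOS or ISC code; names and sample requests are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac}")
    return int("".join(parts), 16)


@dataclass
class MacMatch:
    """Match when (mac & mask) == (value & mask), like an IP prefix match."""
    value: str
    mask: str

    def matches(self, mac: str) -> bool:
        m = mac_to_int(self.mask)
        return (mac_to_int(mac) & m) == (mac_to_int(self.value) & m)


@dataclass
class DhcpClass:
    """A class is a set of match conditions; all set conditions must hold."""
    name: str
    vendor_class: Optional[str] = None  # exact match on option 60, if set
    mac: Optional[MacMatch] = None      # MAC value/mask, if set

    def matches(self, req: Dict[str, str]) -> bool:
        if self.vendor_class is not None and req.get("vendor_class") != self.vendor_class:
            return False
        if self.mac is not None and not self.mac.matches(req["mac"]):
            return False
        return True


@dataclass
class Pool:
    """A pool may restrict itself to some classes (allow) or exclude some (deny)."""
    name: str
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)


def classes_of(classes: List[DhcpClass], req: Dict[str, str]) -> Set[str]:
    return {c.name for c in classes if c.matches(req)}


def select_pool(classes: List[DhcpClass], pools: List[Pool], req: Dict[str, str]) -> Optional[str]:
    """First pool in order that the request may use; deny wins over allow."""
    member = classes_of(classes, req)
    for pool in pools:
        if member & set(pool.deny):
            continue
        if pool.allow and not (member & set(pool.allow)):
            continue
        return pool.name
    return None  # no pool accepts this client


# Constructed configuration: bit 1 of the first octet set and bit 0 clear
# (mask 03) means a locally administered unicast address, i.e. a randomized MAC.
CLASSES = [
    DhcpClass("random-mac", mac=MacMatch("02:00:00:00:00:00", "03:00:00:00:00:00")),
    DhcpClass("voip-phone", vendor_class="example-voip"),
]
POOLS = [
    Pool("portal", allow=["random-mac"]),                 # captive portal network
    Pool("voip", allow=["voip-phone"], deny=["random-mac"]),
    Pool("lan", deny=["random-mac"]),                     # everyone else
]

if __name__ == "__main__":
    for req in ({"mac": "02:1a:2b:3c:4d:5e"},
                {"mac": "dc:a6:32:11:22:33", "vendor_class": "example-voip"},
                {"mac": "dc:a6:32:aa:bb:cc"}):
        print(req, "->", select_pool(CLASSES, POOLS, req))
```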
 
mkx
Forum Guru
Posts: 7672
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature requests

Tue Sep 15, 2020 4:01 pm

- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
But that is in fact one of the applications I have for it :-)
Exactly. There are a few good use cases where client device MAC randomization doesn't make any sense and it's good to have some way to remind users to switch off MAC randomization for a particular SSID.
BR,
Metod
 
santyx32
Member Candidate
Posts: 217
Joined: Fri Oct 25, 2019 2:17 am

Re: Feature requests

Tue Sep 15, 2020 10:19 pm

As a home user I request the following from MikroTik:

Proper WiFi 5 Wave2 support for IPQ40XX and QCA9984 chipsets along with new WiFi 6/6E hardware.

fq_codel queue type to be available in ROS.
 
davit1988
just joined
Posts: 1
Joined: Thu Feb 23, 2017 8:51 pm

Re: Feature requests

Fri Sep 25, 2020 7:00 pm

Can I have a link to the feature requests for SwOS?

I am looking for a subnet mask / default gateway feature in the SwOS software.

Without this feature it is impossible to manage/monitor a MikroTik device running SwOS from a different subnet. I am surprised it is omitted, and it is a major limitation.

Regards,
David

Network Engineer, CCNA
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Sep 29, 2020 7:52 pm

Can I have a link to the feature requests for SwOS?

I am looking for a subnet mask / default gateway feature in the SwOS software.

Without this feature it is impossible to manage/monitor a MikroTik device running SwOS from a different subnet. I am surprised it is omitted, and it is a major limitation.

Regards,
David

Network Engineer, CCNA
You may be surprised as a network engineer, but SwOS does not require this information!
You will find that when you access the switch from another network (reachable only via a gateway), that will just work, even without any subnet mask or gateway information.
Maybe it is an interesting study object to find out how it does that :-)
(it is described somewhere in the online manual, so don't look there first)
 
TomjNorthIdaho
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

A Mikrotik 40-Gig switch is much needed

Wed Sep 30, 2020 1:03 am

A Mikrotik 40-Gig switch is much needed

I sure would like to see a Mikrotik switch with at least eight 40-Gig ports (or even better yet a 16-port 40-Gig switch) and also somewhere between two to eight 10-Gig ports (and zero 1-Gig ports).

I need some 40-Gig switches right now. We are currently in the process of changing our internal 10-Gig core switches to 40-Gig. If Mikrotik routers/switches had any 100-Gig interfaces, then I would be fork-lifting my core internal network (routers & switches) to a 100-Gig core network.

A 10-Gig core network is just not enough core network throughput these days.
I am getting ready to install a second 10-Gig BGP peering session, so two CHR 10-Gig BGP peering routers and a CHR 10-Gig core OSPF router just do not cut it.
Also my internal 10-Gig NFS/iSCSI network is already peaking at 10-Gig now and needs to also be upgraded to 40-Gig interfaces.
In addition, with an eight-port 40-Gig switch, I could then connect all of my VMware ESXi servers at 40-Gig (I have several CHRs I also want to get talking on 40-Gig networks, but I need a 40-Gig switch first...).

North Idaho Tom Jones
 
Chupaka
Forum Guru
Posts: 8676
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Wed Sep 30, 2020 5:32 pm

viewtopic.php?p=818709#p818709

They semi-announced 100G in their newsletter :)
 
michaels
just joined
Posts: 11
Joined: Fri May 17, 2019 8:02 pm

Re: Feature requests

Thu Oct 22, 2020 8:30 pm

Feature requests IPv6 DHCP Relay - Prefix Delegation - create route

Currently (6.48beta48 and 7.1beta2) the relay does not create a route for the prefix.
Without the route on the relay router, the prefix is not reachable.

Further description:
viewtopic.php?t=117283
viewtopic.php?f=2&t=97156
 
neszt
just joined
Posts: 2
Joined: Fri Nov 13, 2020 12:46 pm

Re: Feature requests

Tue Nov 17, 2020 7:01 pm

Feature request: add a do-not-round option for /ping (or accuracy=1/10, 1/100, 1/1000 or so).

Currently the /ping utility rounds to ms, which is accurate enough in most cases. However, there are situations where there is a serious need for greater accuracy, e.g. what a Linux ping gives.
 
Sparhawk76
just joined
Posts: 3
Joined: Sun Nov 24, 2019 12:14 am

Re: Feature requests

Sun Dec 06, 2020 9:22 pm

Is it at all possible to add an "Add to Connect-List" button next to the "Connect" button in the Wi-Fi scan result details in the web interface?

If the network is an encrypted one, then it should prompt you for the encryption key and automatically add a new entry to the Security Profiles for the new network, named to match the SSID.

This would get around the problem of the Connect button changing the default rule in the connect list, which allows the router to automatically connect to available wifi networks as the router moves in mobile installations (RV/Boat).
 
SiB
Forum Guru
Posts: 1863
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Mon Dec 07, 2020 2:15 pm

Feature request: add a do-not-round option for /ping (or accuracy=1/10, 1/100, 1/1000 or so).
Currently the /ping utility rounds to ms, which is accurate enough in most cases. However, there are situations where there is a serious need for greater accuracy, e.g. what a Linux ping gives.
They are listening to that post :) and now... ros7.1beta3

[marcin.przysowa@SXTR_LTE6] > ping mikrotik.com
SEQ HOST SIZE TTL TIME STATUS
0 159.148.147.196 56 47 115ms363us
1 159.148.147.196 56 47 78ms822us
2 159.148.147.196 56 47 67ms953us
3 159.148.147.196 56 47 64ms792us
sent=4 received=4 packet-loss=0% min-rtt=64ms792us avg-rtt=81ms732us max-rtt=115ms363us
 
expo
newbie
Posts: 30
Joined: Tue Jan 27, 2009 7:57 am

Re: Feature requests

Sat Jan 09, 2021 10:23 pm

Feature request:

HA feature that will synchronize configuration and connection state between two routers for an active/standby type of network.

See this HA script for inspiration:

https://github.com/svlsResearch/ha-mikrotik

I would like this deployed as an official feature of ROS.
 
tpedko
just joined
Posts: 14
Joined: Wed May 22, 2019 9:58 am

Re: Feature requests

Wed Jan 20, 2021 2:29 pm

Add Transmission of Syslog Messages over TCP
 
IPANetEngineer
Trainer
Posts: 1571
Joined: Fri Aug 10, 2012 6:46 am
Location: Denver, CO USA

Re: Feature requests

Wed Jan 20, 2021 5:08 pm

IS-IS and Segment Routing (SR-MPLS)

Discussion is here:

viewtopic.php?f=1&t=171278&p=837339#p837339
Global - MikroTik Support & Consulting - English | Español | Serbian | Danish +1 855-645-7684
https://iparchitechs.com/ecosystem/mikr ... consulting mikrotiksupport@iparchitechs.com
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jan 22, 2021 11:27 am

Change /tool netwatch so that it can also use ARP instead of PING (similar to route gateway checking).
When a local address of the router is entered, it should still send ARP to the interface of that subnet and react to ARP replies.
UP/DOWN status is maintained depending on the arrival of ARP replies.

Purpose: to watch if another host on the network has set the same IP address as the address of a local interface, and possibly send alerts if so.
Similar to "DHCP server alerts".
But of course it can also be used to monitor hosts on the local network for being up/down.

Background: someone has entered the address of the default gateway as their own IP address by mistake. Big mayhem. It would be nice to be able to send alerts for that condition before debugging has to be done.
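The ARP-based netwatch described above, as an added Python example (not RouterOS code): a watched remote host goes UP on an ARP reply for its address and DOWN after a timeout without one, and when the watched address is one of the router's own, any reply from a foreign sender MAC is reported as an address conflict instead of tracking UP/DOWN. Addresses, MACs, intervals and timings are constructed; the actual ARP send/receive is replaced by a timeline driver.

```python
"""Added example: ARP-reply based netwatch with duplicate-address detection.
Not RouterOS code; all addresses and timings are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ArpReply:
    t: float          # seconds, when the reply arrived
    sender_ip: str    # sender protocol address from the ARP reply
    sender_mac: str   # sender hardware address from the ARP reply


@dataclass
class ArpWatch:
    host: str                      # address we send ARP requests for
    own_mac: Optional[str] = None  # set when 'host' is one of the router's own addresses
    timeout: float = 3.0           # seconds without a reply before DOWN
    status: str = "unknown"
    last_reply: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def _set(self, t: float, new: str) -> None:
        if new != self.status:          # record transitions only
            self.status = new
            self.events.append((t, new))

    def on_reply(self, r: ArpReply) -> None:
        if r.sender_ip != self.host:
            return                      # reply for some other address
        if self.own_mac is not None:
            # Nobody else should answer for our own address: a foreign
            # sender MAC means a duplicate address on the segment.
            if r.sender_mac.lower() != self.own_mac.lower():
                self.events.append((r.t, f"conflict: {r.sender_mac} claims {self.host}"))
            return
        self.last_reply = r.t
        self._set(r.t, "up")

    def on_probe(self, t: float) -> None:
        """Called each interval, right after an ARP request has been sent."""
        if self.own_mac is not None:
            return                      # no UP/DOWN tracking for our own address
        if self.last_reply is None or t - self.last_reply > self.timeout:
            self._set(t, "down")


def simulate(watch: ArpWatch, replies: List[ArpReply], probes: int,
             interval: float = 1.0) -> List[Tuple[float, str]]:
    """Drive the watch: one probe per interval, replies delivered in time order."""
    timeline = [(i * interval, "probe", None) for i in range(1, probes + 1)]
    timeline += [(r.t, "reply", r) for r in replies]
    timeline.sort(key=lambda e: e[0])
    for t, kind, r in timeline:
        if kind == "probe":
            watch.on_probe(t)
        else:
            watch.on_reply(r)
    return watch.events


if __name__ == "__main__":
    # Constructed: a remote host answers three times, then goes silent.
    remote = ArpWatch("192.0.2.10")
    print(simulate(remote, [ArpReply(1.1, "192.0.2.10", "dc:a6:32:00:00:10"),
                            ArpReply(2.1, "192.0.2.10", "dc:a6:32:00:00:10"),
                            ArpReply(3.1, "192.0.2.10", "dc:a6:32:00:00:10")], probes=10))
    # Constructed: someone configured the gateway address on their own PC.
    gateway = ArpWatch("192.0.2.1", own_mac="aa:bb:cc:00:00:01")
    print(simulate(gateway, [ArpReply(2.1, "192.0.2.1", "de:ad:be:ef:00:01")], probes=3))
```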
 
millenium7
Member
Posts: 413
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Fri Feb 05, 2021 8:11 am

Please make some adjustments to OSPF neighbor reporting.
First and foremost, please take adjacency changes out of the debug,raw log location; it's ridiculous. At the moment only 'Down' is included in 'route, ospf, info', so you can see when a neighbor goes down, but you cannot get a log message when a neighbor goes up. The only way to see state changes, e.g. from down to exstart, 2way, up etc., is to enable full OSPF debugging; this floods the log file with all OSPF packet data and is totally impractical.
We use remote syslog alerts to notify us of any OSPF state changes in real time, as they are critical to network operation and detecting a failure. It wastes a lot of staff time manually checking when it wouldn't be necessary if 2 seconds later we could see a message for "Up".

Secondly, I think OSPF state changes shouldn't be in 'route, ospf, info' but rather 'route, ospf, warning', as most of the time Info messages aren't important and I'd like to exclude them. I feel Warning is a more appropriate level.

Third, please change the default view in the OSPF->Neighbors tab to include the 'Adjacency' and 'State' columns. Adjacency time in particular is probably the single most important piece of information to quickly glance at and see "Hang on, why has that neighbor only been up for 30 minutes and all the rest are 60 days? Time to investigate link quality". It would be nice to not have to keep turning this on across hundreds of routers.

Edit: Fourthly, please include the interface in the state change messages, since right now you can't tell which link between routers has gone up/down. The log messages look identical with no regard for which interface has lost adjacency. In cases of primary/backup links it's far more important knowing if the primary link has failed, as it's usually the much faster/better route.

I've written a script as a temporary workaround for points #1 and #4 (only when Up) viewtopic.php?f=2&t=153606&p=842398#p842398
 
iperezandres
Frequent Visitor
Posts: 60
Joined: Mon Feb 13, 2017 1:17 pm
Location: Madrid

Re: Feature requests

Mon Feb 22, 2021 10:26 am

Winbox is wonderful, but a small suggestion: consider adding snapping capabilities to the several windows that can be opened within Winbox. It would be much easier to organize it.

Thanks.
 
MerManMaid
just joined
Posts: 2
Joined: Fri Feb 26, 2021 7:04 am

Re: Feature requests

Fri Feb 26, 2021 10:42 am

Winbox is wonderful, but a small suggestion: consider adding snapping capabilities to the several windows that can be opened within Winbox. It would be much easier to organize it.

Thanks.
Seconded
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Feb 26, 2021 10:52 am

Maybe you should explain what "snapping capabilities" are?
 
iperezandres
Frequent Visitor
Posts: 60
Joined: Mon Feb 13, 2017 1:17 pm
Location: Madrid

Re: Feature requests

Fri Feb 26, 2021 10:59 am

Maybe you should explain what "snapping capabilities" are?
I refer to the option you have in Windows: select the title bar of the window you want to snap, and drag it to the edge of your screen. An outline indicates where the window will snap to once you drop it. Drag it to the left or right side of your screen depending on where you want to snap it to. Some other interfaces allow you to snap windows against each other.

There is an app in Windows that I use: http://windowgrid.net/

It helps to keep several windows visible and organized at the same time.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Feb 26, 2021 11:45 am

Oh... well I prefer stacked windows rather than tiled ones, and I would like to see a "taskbar" or similar feature where you can click windows that have gone buried under others, to raise them again. Or some "lower" function that you can click in a large window to move it back to the bottom of the stack.

In daily use I usually have a "log" window full-sized as backdrop and open other windows on top of that. When I inadvertently click on the log somewhere it raises that window and all other windows disappear behind it. They can be raised only one by one via the menus, but it would be convenient when the log window could be moved back to the backdrop and/or when a list of open windows can be seen or called.
 
iperezandres
Frequent Visitor
Posts: 60
Joined: Mon Feb 13, 2017 1:17 pm
Location: Madrid

Re: Feature requests

Fri Feb 26, 2021 11:57 am

Oh... well I prefer stacked windows rather than tiled ones, and I would like to see a "taskbar" or similar feature where you can click windows that have gone buried under others, to raise them again. Or some "lower" function that you can click in a large window to move it back to the bottom of the stack.

In daily use I usually have a "log" window full-sized as backdrop and open other windows on top of that. When I inadvertently click on the log somewhere it raises that window and all other windows disappear behind it. They can be raised only one by one via the menus, but it would be convenient when the log window could be moved back to the backdrop and/or when a list of open windows can be seen or called.
I like your taskbar approach and the access to the open windows. It is also compatible with the tile suggestion.
 
SiB
Forum Guru
Posts: 1863
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Fri Feb 26, 2021 4:29 pm

On Win10 we can snap windows with Win + [Left/Right arrow]. For working with 3 monitors it's OK.
 
anav
Forum Guru
Posts: 11754
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature requests

Fri Feb 26, 2021 5:31 pm

On Win10 we can snap windows with Win + [Left/Right arrow]. For working with 3 monitors it's OK.
Easy for a teddy bear with straw for a neck!!!

As for features I believe I read this somewhere recently where someone was suggesting firewall lists within firewall lists.
That way we can select a number of firewall lists into a group of their own and so on.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Feb 26, 2021 7:11 pm

As for features I believe I read this somewhere recently where someone was suggesting firewall lists within firewall lists.
That way we can select a number of firewall lists into a group of their own and so on.
That feature has been present for years. But people don't bother to really study the matter so they often will not find that by themselves.
 
SiB
Forum Guru
Posts: 1863
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Sat Feb 27, 2021 12:57 pm

More important for me would be a selective protocol: not only TCP or UDP with duplicated rules, but a protocol list (6 TCP + 17 UDP) in one FW RULE; this could group my firewall rules drastically.
Access List of other Access List would be great, as would rules like a single regex: 10.50.[128-254].[30-35], which would match all my 128 branches with the printer range in each branch; now I generate 128 rules for one LIST in Access List.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Feb 27, 2021 5:22 pm

More important for me would be a selective protocol: not only TCP or UDP with duplicated rules, but a protocol list (6 TCP + 17 UDP) in one FW RULE; this could group my firewall rules drastically.
That makes no sense! TCP and UDP are different protocols, they cannot be grouped.
Access List of other Access List would be great, as would rules like a single regex: 10.50.[128-254].[30-35], which would match all my 128 branches with the printer range in each branch; now I generate 128 rules for one LIST in Access List.
As I said before: people don't bother to really study the matter so they often will not find that by themselves.
They do stupid things that can easily be done another way.
 
SiB
Forum Guru
Posts: 1863
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Sun Feb 28, 2021 7:17 pm

That makes no sense! TCP and UDP are different protocols, they cannot be grouped.
TCP&UDP for 53, 3389 can be done by 2 rules, not 4.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sun Feb 28, 2021 7:55 pm

And rules for a number of different addresses can be combined using address lists.
Rules that are some exception e.g. only for certain interfaces can be grouped into a single chain that is jumped from the toplevel chains.
So there really is not a problem.
 
prawira
Trainer
Posts: 341
Joined: Fri Feb 10, 2006 5:11 am

Re: Feature requests

Mon Mar 01, 2021 11:33 am

Another feature request from me:
viewtopic.php?t=172489

Paul
 
craterman
newbie
Posts: 25
Joined: Tue Oct 14, 2014 1:26 pm

Re: Feature requests

Mon Mar 01, 2021 1:06 pm

BGP Link Bandwidth Extended Communities
https://tools.ietf.org/html/draft-ietf- ... ndwidth-07
 
millenium7
Member
Posts: 413
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Mon Mar 15, 2021 2:48 am

MikroTik please fix/implement the SNMP-Get output as standard
Currently /tool snmp-get does not allow you to store the output to a string/variable, it remains empty, making it a rather useless command

I need to be able to poll other devices in our network and then take action
Our main use case is for monitoring values on a radio link
i.e. RouterA->RadioA->RadioB->RouterB
We run OSPF from RouterA to RouterB which is fine for detecting outright link failure. But if the link between RadioA and RadioB becomes slow or unreliable, then neither router has any knowledge of it

I want routers to poll their radio neighbor, get the RSSI/SNR/MCS values and act upon them. If there's a heavy rain storm causing a link to run at MCS0/1 or flapping, or lots of retransmission, I want to disable the OSPF interface so traffic does not use that link and takes another path until it comes back to normal stable values.
At the moment it causes havoc with phone calls
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Mar 15, 2021 11:08 am

I want routers to poll their radio neighbor, get the RSSI/SNR/MCS values and act upon them. If there's a heavy rain storm causing a link to run at MCS0/1 or flapping, or lots of retransmission, I want to disable the OSPF interface so traffic does not use that link and takes another path until it comes back to normal stable values.
At the moment it causes havoc with phone calls
I agree, but although it would be possible to do all kinds of custom scripting for this it would be even more welcome when there would be some standard facility to automatically use link quality metrics in routing protocols. I.e. a worse link can get a lower preference so it is not completely disabled but can still be used as a fallback when all other paths fail.

It appears that a major market for MikroTik is the wireless network where multiple wireless links are combined with routers to form a network, and it is a bit of a pity that the wireless world and the routing world are completely isolated. The wireless world has metrics like RSSI/SNR/CCQ/MCS but the routing world assumes all links are equal and 100%.
 
prawira
Trainer
Posts: 341
Joined: Fri Feb 10, 2006 5:11 am

Re: Feature requests

Tue Mar 16, 2021 3:14 pm

Dear all,

As the DHCP server on MikroTik already supports vendor-class but MikroTik devices themselves do not have a VID, it would be a good idea to put a special VID on all MikroTik devices, so we can put MikroTik devices in a different pool (still on the same DHCP server) according to the VID.

Cheers

Paul
 
millenium7
Member
Posts: 413
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Wed Mar 17, 2021 3:00 am

I agree, but although it would be possible to do all kinds of custom scripting for this it would be even more welcome when there would be some standard facility to automatically use link quality metrics in routing protocols. I.e. a worse link can get a lower preference so it is not completely disabled but can still be used as a fallback when all other paths fail.

It appears that a major market for MikroTik is the wireless network where multiple wireless links are combined with routers to form a network, and it is a bit of a pity that the wireless world and the routing world are completely isolated. The wireless world has metrics like RSSI/SNR/CCQ/MCS but the routing world assumes all links are equal and 100%.
Absolutely. However, assuming we stick with OSPF it's not viable, as it would break compatibility with other devices. However, if it's another protocol that rides on top of it as an extension and can completely override the OSPF behavior (much like what MPLS does) then, maybe.
However, this still presents a problem because the radios need to be polled, and all devices have different methods of reading the data. The vast majority don't have APIs or any sort of protocol to communicate what's happening; the only possible solution is SNMP and that's just too messy to be used in any sort of official protocol.

This isn't a MikroTik problem, it's a wireless standards problem. There should be another industry standard protocol that can communicate link quality stats, and any devices in between link end-points have the ability to communicate what they are, what their role is, what their reported link quality/speed/retransmission/etc. data is, and then this information can be acted upon by routers that use this language in an MPLS/OSPF/something else protocol to more intelligently handle traffic.
So you could do things like use Radio link A for all traffic, but as it progressively drops it'll start to shift high CoS traffic elsewhere and/or load balance (or even transmit duplicate frames to improve delivery efforts) but then steer it back as needed

However the short simple version is this: Right now MikroTik is just 1 small step away from allowing the community to write their own pseudo protocol by way of reading SNMP values. Everything is already in place to do this, literally just need the ability to store SNMP values for use in scripts
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Mar 17, 2021 11:45 am

Yes, that surely would help. It would be nice to have the possibility to read SNMP values into variables and then run a script to modify parameters of the routing.
In BGP it would be possible to change route filters that set "BGP prepend" and "BGP local pref". Unfortunately they are coarse controls, but it is at least better than disabling an entire interface and potentially making a destination completely unreachable.
I have been thinking about it before, and considered writing something that would be running at a central location (or a location per area) e.g. on a Raspberry Pi, which would collect this information for several links, do some calculation of an optimal usage of the available links, and then configure the routers via API.
I have no experience with OSPF. I did use EIGRP in the past and there is a calculation of a path metric from bandwidth, load, delay and reliability there which would suit much better what we need here.
 
millenium7
Member
Posts: 413
Joined: Wed Mar 16, 2016 6:12 am

Re: Feature requests

Thu Mar 18, 2021 12:03 am

I don't like OSPF for wireless networks; it really isn't a very good protocol for it at all. EIGRP definitely would be better suited, but I've had this discussion before and it seemed to fall on deaf ears.
The next best thing (and I actually agree for more widespread use, not just wireless networks) is IS-IS.
With OSPF you don't have many metrics to tweak; the best you can do is path cost, and that will drop the adjacency, so it isn't suited for live adjustment.
BGP is really not suited for internal networks. iBGP has problems, and BGP routes don't get used as MPLS labels, so that's already a problem.

We have 2 options: MPLS-TE potentially, though I really don't have much experience with it to know if it's suited.

And this: viewtopic.php?f=14&t=161968&p=843061#p843061
Which is also very messy and only allows traffic steering 1 hop at a time. However, combined with some lists of mangle rules it's possible to define levels and steer traffic accordingly.
I.e. under normal circumstances just ignore it, but as load increases or conditions worsen (by reading radio values), create a 'Level1' global variable and then enable a mangle rule that sends just DSCP 46 traffic, for instance.
As it gets worse again, go to Level2, which in addition to DSCP46 might start steering control protocols like winbox, BGP, SNMP etc.
Then Level3, which includes TCP handshakes.
Level4, business class traffic, etc.

This would allow some dynamic traffic offloading. It's just very messy with scripts. However, for the most part it's copy/paste once set up correctly; this is what I'd be implementing, I'm just waiting on 1 particular key thing.................... ABILITY TO STORE SNMP VALUES! :\
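The Level1..Level4 idea above, as an added Python example (not RouterOS code; the SNMP read itself is left out): each polled radio sample is mapped to a level, and the tracker raises the level at once but lowers it only after several consecutive better polls, so a flapping link does not toggle the mangle rule groups on every poll. The MCS/retransmission thresholds, the hold count and the sample values are constructed for illustration.

```python
"""Added example: degradation levels with hysteresis for a polled radio link.
Not RouterOS code; thresholds and samples are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LinkSample:
    """One poll of the far-end radio (constructed values, not a real SNMP read)."""
    mcs: int             # modulation/coding scheme index the link currently runs at
    retrans_pct: float   # retransmission percentage over the poll interval


# Worst condition first; the first row that matches decides the level.
# (level, max_mcs, min_retrans_pct) -- constructed thresholds.
LEVEL_RULES = [
    (4, 1, 40.0),   # MCS 0/1 or >= 40 % retransmissions: link nearly unusable
    (3, 3, 25.0),
    (2, 5, 15.0),
    (1, 7, 8.0),
]

# Traffic steered away from the degraded link at each level, cumulative,
# following the levels listed in the post above.
LEVEL_ACTIONS: Dict[int, str] = {
    1: "dscp46",             # voice (EF) only
    2: "control-protocols",  # winbox, BGP, SNMP ...
    3: "tcp-handshakes",
    4: "business-class",
}


def classify(sample: LinkSample) -> int:
    """Raw level for a single sample, 0 meaning the link is healthy."""
    for level, max_mcs, min_retrans in LEVEL_RULES:
        if sample.mcs <= max_mcs or sample.retrans_pct >= min_retrans:
            return level
    return 0


def actions_for(level: int) -> List[str]:
    """Mangle rule groups that should be enabled at this level."""
    return [LEVEL_ACTIONS[lvl] for lvl in range(1, level + 1)]


@dataclass
class LevelTracker:
    """Escalate immediately, de-escalate only after `hold` consistent better polls."""
    hold: int = 3
    level: int = 0
    _candidate: int = 0   # better level we are considering stepping down to
    _streak: int = 0      # consecutive polls at that candidate level

    def update(self, sample: LinkSample) -> int:
        observed = classify(sample)
        if observed > self.level:
            self.level = observed          # worse: react at once
            self._streak = 0
        elif observed < self.level:
            if observed == self._candidate:
                self._streak += 1
            else:
                self._candidate, self._streak = observed, 1
            if self._streak >= self.hold:  # better, and it stuck: step down
                self.level, self._streak = observed, 0
        else:
            self._streak = 0               # same level: any recovery streak is broken
        return self.level


def run(samples: List[LinkSample], hold: int = 3) -> List[int]:
    """Level after each poll, in order."""
    tracker = LevelTracker(hold=hold)
    return [tracker.update(s) for s in samples]


if __name__ == "__main__":
    # Constructed: a rain fade that clears, then a flapping link.
    fade = [LinkSample(9, 2), LinkSample(9, 3), LinkSample(2, 30),
            LinkSample(9, 2), LinkSample(9, 2), LinkSample(9, 2), LinkSample(9, 2)]
    print("fade:", run(fade))
    flap = [LinkSample(9, 2), LinkSample(2, 30)] * 3
    print("flap:", run(flap), "->", actions_for(run(flap)[-1]))
```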
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Mar 18, 2021 11:51 am

I think your only real option for routing differently depending on packet marks (e.g. based on DSCP or other kinds of SLA) is to have multiple different routing tables each maintained by a separate instance of a routing protocol (or different routing protocols), and using a selection of the routing table that is the same all through the network.
In your case: you maintain a separate routing table for VoIP and select it based on DSCP 46 or "upper 3 bits of DSCP are 5".
The routing table (also called "routing mark" in RouterOS) is maintained by a routing protocol instance that is tuned differently, and emphasizes reliable paths rather than fast paths.
To get this working OK in more complex networks than you picture it is essential that all the nodes in the network are configured the same, and that there are no nodes where e.g. the routing table selection based on DSCP is forgotten or is different. Because that would easily result in routing loops.
 
Helix
just joined
Posts: 1
Joined: Sun Nov 22, 2020 1:00 am

Re: Feature requests

Thu Mar 18, 2021 7:02 pm

This isn't a MikroTik problem, it's a wireless standards problem. There should be another industry standard protocol that can communicate link quality stats, and any devices in between link end-points have the ability to communicate what they are, what their role is, what their reported link quality/speed/retransmission/etc. data is, and then this information can be acted upon by routers that use this language in an MPLS/OSPF/something else protocol to more intelligently handle traffic.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Mar 19, 2021 10:39 am

Please add average cpu usage for the last day / month / year whatever.
That has been available for many years already! Look at Tools->Graphing
 
mada3k
Long time Member
Posts: 537
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Feature requests

Fri Mar 19, 2021 10:52 am

Please make some adjustments to OSPF neighbor reporting.
First and foremost, please take adjacency changes out of the debug,raw log location; it's ridiculous. At the moment only 'Down' is included in 'route, ospf, info', so you can see when a neighbor goes down, but you cannot get a log message when a neighbor goes up.
I agree. All other platforms report Ups and Downs.
CCR/CRS/hEX/wAP • Ansible • NetXMS
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Apr 17, 2021 12:18 pm

Can you please add the "rpfilter" matcher to the firewall matching rule options?
See viewtopic.php?f=2&t=120863 and viewtopic.php?f=14&t=56572
 
emunt6
newbie
Posts: 29
Joined: Fri Feb 02, 2018 7:00 pm

Re: Feature requests

Mon Apr 19, 2021 1:57 am

What is the future replacement plan for CCR1072?
(Tilera CPU support has been dropped by the Linux kernel, so it has no future).

I would like to see a new CCR hardware like this:
- Intel Barefoot Tofino based ASIC
- ARM64 CPU (example: Marvell OCTEON)
- 32GB ECC RAM
- 2x mSATA / SATA port
- 2x USB port
- 2x hot swap PSU

Just for comparison:
- Ubiquiti USW Leaf Switch (48x 25GbE and 6x 100GbE)

:)
 
Cablenut9
Long time Member
Posts: 544
Joined: Fri Jan 08, 2021 5:30 am

Re: Feature requests

Mon Apr 19, 2021 2:32 am

(Tilera CPU support has been dropped by the Linux kernel, so it has no future).
Mikrotik has already made kernel patches just for Tilera, so no worries there.
Serial question asker
 
mkx
Forum Guru
Posts: 7672
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature requests

Mon Apr 19, 2021 8:23 am

(Tilera CPU support has been dropped by the Linux kernel, so it has no future).
Mikrotik has already made kernel patches just for Tilera, so no worries there.

Tile is an old platform nevertheless, and it would be unwise to introduce new products based on outdated hardware. Future support for current products is a completely different matter.
 
Guscht
Member Candidate
Posts: 126
Joined: Thu Jul 01, 2010 5:32 pm

Re: Feature requests

Fri Apr 30, 2021 11:39 am

Hi, I have seen Mikrotik has implemented in ROS V7 beta / UserManager an OTP-option to couple the Google Authenticator App.
This works flawlessly!

My request would be: PLEASE add this feature to the normal PPP-Secrets as well and also in ROS V6 (because I assume ROS V7 will not show up the next 2 - 5 years and 2FA is really important)!
This would dramatically increase security!!

First factor the normal password.
Second factor the OTP from the Authenticator App.
Unbenannt-1.jpg
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Fri Apr 30, 2021 11:50 am

Hello

to stop DNS attacks, please add a listen address option; that is better than using ip firewall filters

/ip dns set allow-remote-requests=yes
/ip dns set listen-src-address=192.168.88.0/24,x.xx,y.y.y


Regards
Can't you already do that via the firewall? I don't understand what more you need. If you want to block DNS requests from outside the net, or allow only DNS requests from that IP range, simply make a firewall rule with tcp/udp port 53..
+10
It's better than the firewall: like all other /ip services you can directly put the IP range here without using the firewall,
and it is a more logical approach for a SERVICE inside the RouterBOARD than firewalling itself....
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Fri Apr 30, 2021 12:23 pm

In the scripts and schedules editor in winbox can we please add the ability to select all - ie ctrl a? At the moment in order to select a big script you have to manually drag from start to finish.
ctrl + home
ctrl + shift + end
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Apr 30, 2021 4:26 pm

Under /system logging action for target=remote please add some option to include the topics in the message sent to the remote log server.
E.g. add [topic,topic,topic] between the system name and the message when this option is set.
 
akschu
Frequent Visitor
Posts: 53
Joined: Thu Mar 15, 2012 2:09 am

Re: Feature requests

Fri Apr 30, 2021 6:02 pm

Formatting for /tool sniffer quick needs some work. The wider the console, the more space is given to the INTERFACE column, however that is static and we know what that is since we probably defined it. It would be FAR better to give the space to the SRC-ADDRESS and DST-ADDRESS columns. That way we don't end up with something like this:
INTERFACE                                                                                        TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP
ether1                                                                                    0.3      1 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                   1.29      2 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                   2.29      3 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                  3.307      4 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                    4.3      5 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                    5.3      6 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
Notice we have all the space in the world for the INTERFACE, but the arp request shown in SRC-address is cut off and useless. If I make the console wider, I still can't see the ARP, I just get more blank space in the INTERFACE column.
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Fri Apr 30, 2021 6:09 pm

Under /system logging action for target=remote please add some option to include the topics in the message sent to the remote log server.
E.g. add [topic,topic,topic] between the system name and the message when this option is set.

Prefix already exists...
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Apr 30, 2021 6:32 pm

Prefix already exists...
That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Fri Apr 30, 2021 9:09 pm

Prefix already exists...
That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
Ah, sorry, I misunderstood...
 
DJGlooM
newbie
Posts: 37
Joined: Thu May 15, 2014 2:28 am

Re: Feature requests

Tue May 04, 2021 3:32 am

Just thought of:

Is it possible to make winbox open predefined sets of windows on connect?
I guess it'll be like universal session. Because from time to time you need to manually configure some sets of typical settings and it would be nice not to navigate the same tabs over and over.
 
Jotne
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue May 04, 2021 8:05 am

That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
See my post here from 2017. MT has not fixed anything of this yet.
viewtopic.php?t=124291

Support has only said that they are looking into it. Nothing has changed in v7
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue May 04, 2021 11:01 am

That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
See my post here from 2017. MT has not fixed anything of this yet.
viewtopic.php?t=124291

Support has only said that they are looking into it. Nothing has changed in v7
True, but in this case I am not referring to cleanup of the topic names or capabilities to match it inside RouterOS, but to
the possibility of sending the topic names in a syslog message. As far as I know that isn't possible, or do you know a way?
I want the message sent to a BSD syslog server to include those topic names into the message text, not only setting the
message priority based on the warn/info/debug thing. As far as I know all other topic info is gone once it is sent as syslog.
Or am I wrong?

And indeed, the reason I post it is also that nothing is changed in v7 w.r.t. this, while it is apparent that some improvements
can be made to the logging.
 
Jotne
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue May 04, 2021 1:16 pm

Can you post an example of how it looks and how you would like it to be?
I use lots of logging in Splunk for Mikrotik, see my signature, and I'm not sure what you miss.

PS no need to quote the complete message above you. Use the Post Reply button below the post, please.
 
 
 
imager
just joined
Posts: 1
Joined: Tue May 04, 2021 1:57 pm

Re: Feature requests

Tue May 04, 2021 2:21 pm

Add feature support for industry standards IEC 61850-3 and IEEE 1613 for electrical substations.
 
modsx
Frequent Visitor
Posts: 67
Joined: Wed Feb 24, 2016 3:54 pm

Re: Feature requests

Tue May 04, 2021 3:07 pm

Need The Dude to open Winbox with one mouse click on the Device. We are not woodpeckers!
P.S. It would still be nice if we could drag&drop the Devices to another Network Map, but this is secondary.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue May 04, 2021 4:47 pm

Can you post an example on how it looks like and how you would like it to be.
When I look in the logging that my BSD syslog server writes to disk I see:
May 2 10:43:20 MikroTik Connection closed

When I look in the Log viewer in Winbox I see:
May/02/2021 10:43:20 | route, bgp, info | Connection closed

I see no way to get that "route, bgp, info" part in the log message sent to the BSD syslog server.
How do you do that?

Oh and please do not bug me about including some context in a reply! When I put replies without context I get nonsense reactions from people that reply to it without first checking to what it was a reply.
 
Jotne
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue May 04, 2021 9:26 pm

Strange. I do get lots of module info. Look at example in my link:
viewtopic.php?t=124291

Try to remove the check mark for BSD Syslog format and see if it changes.
I do log to Splunk directly, but I have tested it with rsyslog server and it works there as well.

Here are some examples. I have added MikroTik as a prefix.
firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 11.11.183.214:47494->22.20.2.91:24063, len 40
dhcp,debug,packet MikroTik:     Parameter-List = Subnet-Mask,Router,Domain-Server,Domain-Name,NETBIOS-Name-Server,Static-Route
script,info MikroTik: script=pool pool=default-dhcp used=9 total=244
dhcp,info MikroTik: DHCP-vlan1-Home assigned 192.168.10.186 to 3D:8E:20:1D:F0:29
dns,error MikroTik: DoH server connection error: remote disconnected while in HTTP exchange
dns,packet MikroTik: <gew1-accesspoint-e-l0np.ap.spotify.com:A:107=104.199.64.182>
wireless,info MikroTik: 9E:7A:3A:89:36:A1@wlan2: disconnected, received disassoc: sending station leaving (8)
bridge,stp MikroTik: wlan2 forwarding
dhcp,warning MikroTik: DHCP-vlan1-Home offering lease 192.168.10.206 for D8:BF:C0:50:33:DC without success
l2tp,ppp,info MikroTik: <l2tp-Kjell-Ivar>: disconnected
ipsec,info MikroTik: ISAKMP-SA deleted 22.20.2.91[4500]-9.19.78.44[4500] spi:46f07f9aaad565f3:4b0b7aaaa22ae161 rekey:1
l2tp,info MikroTik: first L2TP UDP packet received from 9.19.78.44
 
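The lines Jotne posted carry the topics in front of the message (BSD Syslog format off, "MikroTik" as the prefix), while the BSD-format line pe1chl quoted does not. Here is an added example, not from the thread or from MikroTik, of what a receiving collector can do with that format: recover the topic list, map it to a syslog severity, and break the firewall log-action message into fields for detection. The regexes and field names are my own assumptions about the layout seen in the sample lines.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Sample input: the first four lines are copied from the thread (BSD Syslog format
# off, "MikroTik" set as the action prefix), the ICMP line is constructed, and the
# last line is the BSD-format line pe1chl quoted, which carries no topics at all.
SAMPLE_LINES = [
    "firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), "
    "src-mac 00:05:00:01:00:01, proto TCP (SYN), 11.11.183.214:47494->22.20.2.91:24063, len 40",
    "dhcp,debug,packet MikroTik:     Parameter-List = Subnet-Mask,Router,Domain-Server",
    "dns,error MikroTik: DoH server connection error: remote disconnected while in HTTP exchange",
    "dhcp,warning MikroTik: DHCP-vlan1-Home offering lease 192.168.10.206 for D8:BF:C0:50:33:DC without success",
    "firewall,info MikroTik: input: in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:02, "
    "proto ICMP (type 8, code 0), 203.0.113.7->22.20.2.91, len 84",  # constructed
    "May 2 10:43:20 MikroTik Connection closed",  # BSD format: topics are gone
]

# RouterOS severity topics mapped to syslog numeric severities (RFC 5424 table).
SEVERITY_BY_TOPIC = {"critical": 2, "error": 3, "warning": 4, "info": 6, "debug": 7}
NOTICE = 5  # used when no severity topic is present, e.g. "bridge,stp"

# "<topic,topic,...> <prefix>: <message>" as seen when BSD Syslog format is off.
TOPIC_LINE_RE = re.compile(r"^(?P<topics>[a-z0-9-]+(?:,[a-z0-9-]+)*) (?P<prefix>[^:]+): (?P<msg>.*)$")

# Assumed layout of a firewall log-action message, as in the samples:
# [log-prefix] <chain>: in:<if> out:<if>, [src-mac <mac>,] proto <P> [(<flags>)], <src>[:<sport>]-><dst>[:<dport>], len <n>
FIREWALL_RE = re.compile(
    r"^(?:(?P<log_prefix>\S+) )?(?P<chain>\w+): in:(?P<in_if>.+?) out:(?P<out_if>.+?), "
    r"(?:src-mac (?P<src_mac>[0-9A-Fa-f:]{17}), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, len (?P<length>\d+)$"
)

@dataclass
class Event:
    topics: list
    prefix: str
    message: str
    severity: int  # syslog severity derived from the topic list
    fields: dict = field(default_factory=dict)  # structured firewall fields, {} otherwise

def severity_from_topics(topics):
    """Pick the syslog severity from the RouterOS topic list, defaulting to notice."""
    for topic in topics:
        if topic in SEVERITY_BY_TOPIC:
            return SEVERITY_BY_TOPIC[topic]
    return NOTICE

def parse_firewall_message(message):
    """Split a firewall log-action message into fields; {} if the layout is unknown."""
    m = FIREWALL_RE.match(message)
    if not m:
        return {}
    fields = m.groupdict()
    for key in ("sport", "dport", "length"):  # numeric fields; absent ports stay None
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields

def parse_line(line):
    """Return an Event for a topic-prefixed line, or None when the topics are absent."""
    m = TOPIC_LINE_RE.match(line)
    if not m:
        return None
    topics = m.group("topics").split(",")
    message = m.group("msg").strip()
    fields = parse_firewall_message(message) if "firewall" in topics else {}
    return Event(topics, m.group("prefix"), message, severity_from_topics(topics), fields)

def parse_lines(lines):
    """Parse all lines; returns (events, lines that carried no topic header)."""
    events, unparsed = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed.append(line)  # BSD-format lines land here: topics cannot be recovered
        else:
            events.append(event)
    return events, unparsed

def inbound_syn_sources(events):
    """Count TCP SYNs logged on the input chain per source address: a quick view
    of who is knocking on the router's own services."""
    counts = Counter()
    for e in events:
        f = e.fields
        if f.get("chain") == "input" and f.get("proto") == "TCP" and "SYN" in (f.get("flags") or ""):
            counts[f["src"]] += 1
    return counts

if __name__ == "__main__":
    evs, skipped = parse_lines(SAMPLE_LINES)
    for e in evs:
        print(f"sev={e.severity} topics={','.join(e.topics)} {e.message[:70]}")
    print("no topics (BSD format?):", skipped)
    print("input-chain SYN sources:", dict(inbound_syn_sources(evs)))
```

The unparsed list is exactly the problem pe1chl describes: once the router sends BSD-format lines, nothing on the collector side can put the topics back.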
 
 
Mike33
Frequent Visitor
Posts: 52
Joined: Tue Jun 25, 2013 2:13 am

Re: Feature requests

Wed May 05, 2021 3:01 am

1) Need support for global variables that could be used in firewall rules and scripts.
2) Need support for dns-names in firewall rules.
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed May 05, 2021 11:23 am

Try to remove the check mark for BSD Syslog format and see if it changes.
I do log to Splunk directly, but I have tested it with rsyslog server and it works there as well.
Well, when I do not set BSD Syslog I cannot set Syslog Facility. That is required because I use that to direct the logs on the syslog server to the correct file.
(if not, they will mix with the logs from the local system)
I set "Syslog Facility 16 (local0)" and then in the receiving system in rsyslogd.conf I match on local0 like this:
local0.* /var/log/mikrotik

I guess to solve that I would need to run a second syslog daemon on another port number and with a separate config that just sends everything to a single log...

Strange that this flag has any influence on the inclusion of the topics in the message!
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Wed May 05, 2021 2:38 pm

1) Need support for global variables that could be used in firewall rules and scripts.
2) Need support for dns-names in firewall rules.
2) already exists by address-list, but

example for 1) ?
thanks
 
syadnom
Long time Member
Posts: 638
Joined: Thu Jan 27, 2011 7:29 am

Re: Feature requests

Fri May 07, 2021 9:00 pm

For LoRaWAN devices

Add a package to support their 'light hotspot' so we can use Mikrotik's on the helium network. Helium is a rapidly growing IoT network.
Helium.com
 
Mike33
Frequent Visitor
Posts: 52
Joined: Tue Jun 25, 2013 2:13 am

Re: Feature requests

Sun May 09, 2021 9:09 pm

example for 1) ?
For example, to save any state of a process between individual script launches.
For example, for more convenient writing of configuration scripts for different routers according to a single template.

2) already exists by address-list, but
What's a convenient way to update ip-addresses when one dns-name has multiple ip-addresses?
 
Mike33
Frequent Visitor
Posts: 52
Joined: Tue Jun 25, 2013 2:13 am

Re: Feature requests

Mon May 10, 2021 12:41 am

example for 1) ?
For example, in the script, an SMS is sent via the lte port to a certain phone number.
It would be convenient if this number was taken from some global variable. When it becomes necessary to change this number, then there will be no need to change the script text, but it will be enough to change the value of the global variable.
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Mon May 10, 2021 1:05 am

:global variables already exist...
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Mon May 10, 2021 1:10 am

2) already exists by address-list, but
What's a convenient way to update ip-addresses when one dns-name has multiple ip-addresses?
" already exist by address-list" is not "already exist the address-list"
The addres list auto add and update dynamically the IP, if you put inside the address list the dns name.

But for me is a very bad idea to add DNS name to Firewall rule, if the IP change often, like on CDN, for example Netflix,
everytime the rule is hit, firewall must wait DNS resolution...
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Mon May 10, 2021 1:15 am

example for 1) ?
For example, to save any state of a process between individual script launches.
":global" variables already exist...
and you can save variable value on file,
and you also can send file to another device, and on that device read variable(s) inside file and set it on (locally) global variables...
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Mon May 10, 2021 1:17 am

For example, for more convenient writing of configuration scripts for different routers according to a single template.
???
I'm already using scripts with global variables inside to configure the devices, like all the CPE, AP, PTP, etc.
 
emunt6
newbie
Posts: 29
Joined: Fri Feb 02, 2018 7:00 pm

Re: Feature requests

Wed May 12, 2021 4:20 pm

*Feature Request

Mikrotik CCR products:
> Conformity with the Telcordia NEBS (GR-63, GR-1089) requirements
( https://telecom-info.njdepot.ericsson.net/ )
 
mike548141
newbie
Posts: 41
Joined: Sun Aug 16, 2020 5:14 am

Re: Feature requests

Thu May 20, 2021 2:21 am

With the default NTP client I can use DNS FQDNs to specify the NTP sources, but if I install the NTP server package I can only specify IP addresses as the NTP sources. Not ideal, since the IP addresses change over time and are out of my control (and the same for most people using an Internet NTP source).
Could you please merge the standard NTP client code with the NTP server package code so that both support using DNS FQDNs for the source.

/system ntp client set enabled=yes server-dns-names=0.nz.pool.ntp.org,1.nz.pool.ntp.org;
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu May 20, 2021 11:23 am

Could you please merge the standard NTP client code with the NTP server package code so that both support using DNS FQDNs for the source.
This has been resolved in the version 7 beta so I guess you will have to wait until that becomes the stable version.
It also allows more NTP servers and the server package is no longer separate (all installations have client and server).
 
ivicask
Member
Posts: 344
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Feature requests

Fri May 21, 2021 2:03 pm

Can we get ICAP client support?
 
codykl
just joined
Posts: 1
Joined: Tue Dec 03, 2019 4:41 pm

Re: Feature requests

Sun Jun 13, 2021 8:48 pm

Can you add the ability to disable and enable caps-man configurations?

This would allow for more flexible control of SSID's for groups of provisioned routers, for example:
Provisioning1: Config1:SSID1, Config2:SSID2, Config3:SSID3
Config3 gets enabled/disabled via scheduler script.
 
mike548141
newbie
Posts: 41
Joined: Sun Aug 16, 2020 5:14 am

Re: Feature requests

Fri Jun 18, 2021 11:13 am

If an ethernet interface has been made a slave of a bonded interface (e.g. LACP) then it should have a value assigned on the physical interface that tells you (a) it is bonded and (b) the name of the bonded interface.
This way when querying interfaces from a script we can see what's bonded by looking at either the physical or the bonded interfaces.
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Fri Jun 18, 2021 2:30 pm

set the syslog remote address as fqdn or domain name and not only IP.
until it is like this, you can still use scripting to update the IP.
 
mike548141
newbie
Posts: 41
Joined: Sun Aug 16, 2020 5:14 am

Re: Feature requests

Tue Jun 22, 2021 8:12 am

The :log command should accept a variable for the log event severity e.g.
:log $severity message=$message;
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Tue Jun 22, 2021 3:38 pm

The :log command should accept a variable for the log event severity e.g.

Are you sure it's not already feasible?...

:global type "warning"
:global message "test"
:execute ":log $type $message"
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Fri Jun 25, 2021 2:10 pm

Already exists, and it is not a RouterOS feature
 
prawira
Trainer
Posts: 341
Joined: Fri Feb 10, 2006 5:11 am

Re: Feature requests

Sun Jun 27, 2021 9:27 am

As the CRS3xx has more features compared to the CRS1xx/CRS2xx, we request to create CRS312-8G-4S and CRS312-8G-4S or CRS310-8G-2S and CRS310-8G-2S, as not many customers need a big number of ports for their switches.

Example: we need to install wifi on 6 floors of a dormitory with 6 APs for each floor. The APs use cap ac and the current switch is the CRS112-8P-4S, but we are stuck on the switch itself as hardware offload is turned off when we activate vlan-filtering.
Putting 1 CRS328-24P-4S will make future maintenance difficult as that switch can cover 4 floors.
We prefer 1 switch for each floor; putting a CRS328-24P-4S or CRS318-16P-2S will be cost-inefficient

thank you
Last edited by prawira on Sun Jun 27, 2021 11:35 am, edited 1 time in total.
 
mada3k
Long time Member
Posts: 537
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Feature requests

Sun Jun 27, 2021 11:21 am

But we are stuck on the switch itself as hardware offload is turned off when we activate vlan-filtering.
Then you are doing it wrong. You should do the configuration under /interface ethernet switch

But I can agree that it would be nice if the CRS1xx had the same configuration style as CRS3xx
CCR/CRS/hEX/wAP • Ansible • NetXMS
 
TomjNorthIdaho
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

ONIE ( bare metal switch )

Thu Jul 01, 2021 8:12 pm

ONIE ( bare metal switch )

First - some quick background information:
* Mikrotik has a couple of decent Router Operating Systems ( ROS ) which work well and can run very fast routing functions when installed on generic x86 hardware systems.
* X86 ROS is a 32-Bit stand-alone ISO installable Router Operating System that can be installed on almost any x86 computer.
* CHR ROS is a 64-Bit virtual Router Operating System which can only be installed as a virtual system on a hypervisor system such as VMware ESXi ( other hypervisors are also supported ).
** Both x86 and CHR have the capability to process packets ( Layer-3 routing & firewall functions ) at some impressively fast rates when they are installed on a high-end bare-metal box.
** Note - there are other non-Mikrotik-ROS software routing operating systems that are also available ( such as pfSense and others ).
** All of the above have their strengths and weaknesses in price and performance.

Second
Now - here is where I am going with this; There is a growing open-source standard called ONIE which is for Layer-2 bare-metal switches.
With an ONIE bare-metal switch ( with interfaces and a switch chip) , you select and install the Network Operating System of your choice ( software operating system ) you want to run on your bare-metal Layer-2 switch.
Note: Mikrotik does not have a 32-Port 40GbE switch. However there is one or more ONIE bare-metal switches that do have 32-Port 40GbE ports. There are also some ONIE bare-metal switches with more and fewer ports and there are some ONIE bare-metal switches with 100-Gig ports ( with ONIE , the sky is the hardware limit ).

I would like to see a new ONIE compatible Network Operating System ( NOS ) from Mikrotik that is similar to x86 ROS but has the ability to communicate and manage the switch chip on an ONIE bare-metal switch. ((( For the heck of it - I will call this possible new Mikrotik switch operating system CHS ( Cloud Hosted Switch - similar to CHR for routers ) ))).
Don't get me wrong here - I love Mikrotik products - however I know Mikrotik will never build a high-end switch with every possible interface and quantity of ports that many larger ISPs and WISPs need.

I would love to have a 3-foot tall bare-metal ONIE switch with hundreds of network interfaces of all types which would allow me to select the NOS ( Network Operating System ) of my choice ( possibly a new Mikrotik Cloud Hosted Switch operating system ) and install it on a single ONIE bare-metal switch. It might even be possible to yank out a dozen+ switches in my NOC and replace my pile of switches with a single ONIE bare-metal switch.

I am guessing that x86 ROS might already be installable on most x86 CPU based ONIE switches - however you would likely only be able to software bridge interfaces instead of using the bare-metal ethernet switch to connect interfaces together.

With all of the above thoughts and information I have mentioned , I have a Feature request :

Feature request to Mikrotik - please consider adding a few minor supporting lines of code in the existing x86 Linux-based ROS to support ONIE x86 bare-metal switches.
With an ONIE compatible Mikrotik x86 ROS system, it would be very possible to have some incredibly fast high-throughput switches with just about every combination and quantity of interfaces needed and wanted. Note - at this time , there are already several existing Network Operating Systems (NOS) readily available and already being used/installed on existing ONIE switches. I hope that Mikrotik does not ignore the ONIE standard of open-source bare-metal switches.

Note: I am currently getting ready to order two or more bare-metal ONIE compatible switches with 32 QSFP+ ports. So which ONIE compatible Switch Operating System will install on them ? Will I use Microsoft's Switch Operating System or a Linux or BSD Network Operating System ? I know it will not be a Mikrotik ONIE NOS because they currently don't have anything.

North Idaho Tom Jones
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Jul 01, 2021 8:28 pm

Are you not under-estimating the effort?
It should be easy to make a RouterOS version that runs on the management CPU, but it should also be able to manage the switching ASIC in use in the product.
When your switch has switching hardware that MikroTik does not already support because the same chipset is used on one of their switches (maybe a different number of chips), there is more work to be done, right?
 
TomjNorthIdaho
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Jul 01, 2021 9:27 pm

Are you not under-estimating the effort?
It should be easy to make a RouterOS version that runs on the management CPU, but it should also be able to manage the switching ASIC in use in the product.
When your switch has switching hardware that MikroTik does not already support because the same chipset is used on one of their switches (maybe a different number of chips), there is more work to be done, right?
Yes , I am aware there will be some additions in x86 to manage the ASICs on ONIE compatible switches.
However , I believe there may be some ready-to-go or near-ready Linux drivers for most x86 CPU based ONIE switches.
Most Mikrotik ROS systems that run on a switch already have a working software driver to configure those switch chip ASICs.
I am aware that none of the existing ROS operating systems with switch chip ASIC drivers and software code are running on x86 CPU hardware - however you have a good head start and there should be no need to start from scratch. How much software work would be involved to take the ROS x86 source code and add in the switch chip ASIC code & ROS functions so that an updated x86 ROS could run on some of the x86 CPU based ONIE compatible switches ? Also - because there are several types and brands of ethernet switch chip ASICs, could it be as simple as creating optional packages that can be downloaded and installed on x86 ROS - where , depending on the ASIC , a specific ROS package that supports that specific ASIC can be downloaded and installed onto the normal x86 ROS already installed on an ONIE bare-metal switch, which then adds support for the ASIC ? And - because there are several types of ASICs, it might be possible to have an x86 ROS package list - where each optional package adds support for a specific ASIC.

In other words ... the ability to install the existing x86 ROS system on an x86 based ONIE switch ( no ASIC support yet - only the out-of-band ethernet interface is working at this point ).
Then allow a package download that supports the specific ASIC on the ONIE bare-metal switch. If there was support for 10 ASICs, then have 10 different ASIC packages available.
As additional ASICs are supported , just create new additional ASIC downloadable packages.

I am aware none of this is easy - but Mikrotik x86 ROS should already have a good head start and might only need optional downloadable ASIC packages - instead of managing multiple x86 ROS Linux-based systems , just have one x86 ROS that supports optional downloadable ASIC packages.
 
TomjNorthIdaho
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Thu Jul 01, 2021 10:27 pm

I guess what I am asking for , is a Mikrotik ONIE compatible x86 ROS with optional ASIC drivers.

Then I could install x86 Mikrotik with the correct ASIC package on some ONIE switches - such as the one in this picture ( qty 64 100-gig ports ) or any other x86 CPU based ONIE switch which has an optional Mikrotik x86 ROS package for the specific ASIC chip set.
onie-100-Gig--64-ports.png

Or - I could wait until Mikrotik makes a switch like this...
 
pe1chl
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jul 02, 2021 12:10 pm

I am aware that none of the existing ROS operating systems with switch chip ASIC drivers and software code are running on x86 CPU hardware - however you have a good head start and there should be no need to start from scratch. How much software work would be involved to take the ROS x86 source code and add in the switch chip ASIC code & ROS functions so that an updated x86 ROS could run on some of the x86 CPU based ONIE compatible switches ? Also - because there are several types and brands of ethernet switch chip ASICs, could it be as simple as creating optional packages that can be downloaded and installed on x86 ROS - where , depending on the ASIC , a specific ROS package that supports that specific ASIC can be downloaded and installed onto the normal x86 ROS already installed on an ONIE bare-metal switch, which then adds support for the ASIC ? And - because there are several types of ASICs, it might be possible to have an x86 ROS package list - where each optional package adds support for a specific ASIC.
We do not even have that for native MikroTik hardware! All RouterOS versions for a specific CPU contain all drivers for all routers with that CPU.
And the tendency is for MikroTik to move away from optional packages and incorporate all options into the main package, leaving only truly niche functionality that can live as a completely independent package (like UPS monitoring) as an optional package.

Putting drivers and other low-level functionality in packages is not as easy as you think.
Sure, you can put a driver in a package that installs the modules and they will be loaded when that hardware is detected, but there normally will be higher level code as well that interweaves with many other things and introduces tricky dependencies.
You not only want to configure your switch ASIC for basic VLAN switching, you also want L3 routing acceleration, DHCP and ARP snooping, spanning tree, LCP, etc.
Adding a new switch ASIC will not be simple, and certainly cannot be made independent from MikroTik (MikroTik providing the RouterOS and others providing the support for their favorite ASIC).
At least not without a complicated standardized interface between ASIC drivers and router operating systems, which does not appear to be covered in ONIE.
(ONIE just specifies how an OS is installed and loaded, i.e. the trivial part of the entire operation)
 
TomjNorthIdaho
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Fri Jul 02, 2021 4:39 pm

Well ... when it comes to hardware - software - firmware - features and cost ...
I guess I am more of a "How do I do it" person and not an "I can't do that because it's too hard" person.

Back in the late 1970s and 1980, I started a computer manufacturing company ( IBM PC not invented yet ).
As the engineer, I always made products and services that others said can't be done or it's too hard. We made $ millions
Now - today 40+ years later, I have a pretty good idea of what direction technology is going.
I've seen hundreds of computer companies lose money and go out of business because they do not have products that the world wants to pay for.
 
mozerd
Forum Veteran
Posts: 774
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Feature requests

Fri Jul 02, 2021 5:25 pm

Well ... when it comes to hardware - software - firmware - features and cost ...
I guess I am more of a "How do I do it" person and not an "I can't do that because it's too hard" person.
..........
Now - today 40+ years later, I have a pretty good idea of what direction technology is going.
I've seen hundreds of computer companies lose money and go out of business because they do not have products that the world wants to pay for.
First ... Thank you very much for introducing me to https://www.opencompute.org/wiki/Networ ... NOS_Status ..... very interesting

2nd ... 100% agree with your commentary and contribution.
 
emunt6
newbie
Posts: 29
Joined: Fri Feb 02, 2018 7:00 pm

Re: Feature requests

Sat Jul 03, 2021 6:16 pm

I guess what I am asking for , is a Mikrotik ONIE compatible x86 ROS with optional ASIC drivers.

Then I could install x86 Mikrotik with the correct ASIC package on some ONIE switches - such as the one in this picture ( qty 64 100-gig ports ) or any other x86 CPU based ONIE switch which has an optional Mikrotik x86 ROS package for the specific ASIC chip set.

onie-100-Gig--64-ports.png.

Or - I could wait until Mikrotik makes a switch like this...
ASIC drivers/APIs are not "open-sourced"; you need to buy a "license/contract" from the manufacturer to have full access to the ASIC to be able to implement specific functions for offloading to the ASIC. Currently what you get is a CPU-based switch (= software switch) that cannot handle large Gb/s, TB/s switching/routing, due to the limitations of the PCI-E bus bandwidth (PCI-E version 4.0 x16: 31.5 GB/s) and x86 CPU computational limits (impossible).

ONIE or "white-box-hardware" will be the future but now is not for the following reasons:
- Hardware: There is no open-sourced/standardised generic-offloading capable FPGA/CPU (ASIC) for real time processing,
- Hardware: There is no open-sourced/standardised generic-offloading capable BUS for high-speed/low-latency for real time processing ( PCI/PCI-E is not capable for such thing ),
- Hardware: X86 CPU and PCI-E BUS bandwidth limitation,
- Software: There is no generic programmability ( P4Lang - https://p4.org/ - partially solve this, but not entirely )
- Software: Stability and bugs

To summarize, you will be going back to the "classic" vendors like CISCO, JUNIPER, HPE and others; they have already done this, so you can do your business without headache.
 
runbound
Member Candidate
Member Candidate
Posts: 110
Joined: Fri Apr 19, 2013 9:28 am

Re: Feature requests

Tue Jul 06, 2021 8:05 am

please add email, phone and notes in ppp secret
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jul 06, 2021 9:58 am

please add email, phone and notes in ppp secret
ppp secret already has a comment field like most of the configuration records in RouterOS!
You can use it for that purpose.
 
kelner
just joined
Posts: 10
Joined: Fri Sep 28, 2018 2:10 pm

Re: Feature requests

Tue Jul 06, 2021 6:18 pm

Please add a "reget" feature for "/tool fetch". Sometimes on bad links it is a problem to download a file of sufficient size (e.g. new firmware) to the router. AFAIK both FTP and HTTP support such functionality.
Thanks.
Last edited by kelner on Tue Jul 06, 2021 8:36 pm, edited 1 time in total.
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 171
Joined: Wed Aug 09, 2017 1:15 pm

Re: Feature requests

Tue Jul 06, 2021 6:40 pm

I'd like to be able to queue changes and apply them all at once. Like an inverted safe mode.
I often need this when I have to make multiple changes to interfaces / ip addresses.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1863
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Feature requests

Tue Jul 06, 2021 6:44 pm

osc86 wrote:
Like an inverted safe mode.
Then create a backup and a scheduler at +1h that loads this backup.
You can do many disconnections in this 1h, and you have the safe knowledge that in 1h, if you do not disable this scheduler, it comes back to the proper point in time with a reboot.
MTCNA + MTCRE + MTCINE | ~800 users at ~150 RouterBoards in EMEA
Knowledge Base about LTE by SiB | Buy me a caffe | Telegram: http://t.me/SiB_PL
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Tue Jul 06, 2021 6:53 pm

osc86 wrote:
Like an inverted safe mode.
Then create a backup and a scheduler at +1h that loads this backup.
You can do many disconnections in this 1h, and you have the safe knowledge that in 1h, if you do not disable this scheduler, it comes back to the proper point in time with a reboot.
I've done this many a time on remote located Cisco routers & Cisco switches.
Hmmm, it would be a nice feature if Mikrotik came out with a Safe-Mode timer, where you can disconnect, reconnect and reboot while making configuration changes. Then after all configuration is finished, simply turn off the Safe-Mode timer, or force the Safe-Mode timer to kick in and revert if needed, or wait and do nothing and let Safe-Mode revert any changes after it times out.
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 171
Joined: Wed Aug 09, 2017 1:15 pm

Re: Feature requests

Tue Jul 06, 2021 7:20 pm

@SiB While this surely is a good solution for some scenarios, it won't work if you need to make multiple changes to the uplink interface of a remote device. If you need to change the ip address and the pvid of the bridge port, you could only do one of n changes, before losing connection to the router. Restoring a backup won't help in this case. Sure you could paste every command needed into a script and execute it, but this is very time consuming and doesn't scale with a larger amount of devices.
I think a native queue feature would be welcomed by many users. I see more and more vendors implementing this, Aruba and Palo Alto to name only two.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jul 06, 2021 10:29 pm

I'd like to be able to queue changes and apply them all at once. Like an inverted safe mode.
I often need this when I have to make multiple changes to interfaces / ip addresses.
In command (terminal) mode, you already have that!
Type a { to open a block, then you can issue a number of commands that will not get executed right away, and finally close the block with }
This will execute all commands in one go.
Of course when there is an error somewhere... well...
But you can use safe mode around this whole thing.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Tue Jul 06, 2021 10:49 pm

Also on the same command line: /ip add set ether1 address=1.2.3.4/12;/int bri port remove [find]; etc....

In another post I explained "auto-reload start session backup if the session is lost for more than 5 minutes".
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 171
Joined: Wed Aug 09, 2017 1:15 pm

Re: Feature requests

Wed Jul 07, 2021 3:52 pm

@pe1chl didn't know about this, thanks!
 
satori
just joined
Posts: 2
Joined: Sun Nov 18, 2018 2:56 pm

Re: Feature requests

Sat Jul 24, 2021 8:11 pm

Please add SMB support to the fetch tool
+1
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Sat Jul 24, 2021 8:15 pm

Right!

+10
 
michaels
just joined
Posts: 11
Joined: Fri May 17, 2019 8:02 pm

Re: Feature requests

Sat Aug 14, 2021 1:03 pm

CRS Port Security - max-mac-count

When using port security, the switch will stop learning on the specified ports when the number of new MAC addresses reaches the configured maximum. Only a source address already stored in the dynamic or static address table on that port is authorized to access the network on incoming traffic. The port will discard any incoming frames whose source MAC address is unknown or was previously learned on another port.
 
kelner
just joined
Posts: 10
Joined: Fri Sep 28, 2018 2:10 pm

Re: Feature requests

Fri Aug 20, 2021 11:13 pm

Please add SMB support to the fetch tool
+1
In my Linux "stripped" CLI, the smbclient executable file has a size of 1.7 MB and more than 100 dynamically loaded libraries in addition. Don't you know why? Because the SMB protocol is a creature of Microsoft with all its complex functionality such as authentication, versions, locks, printing, etc. And thus it is too complex for such a class of device. I am sure its implementation is not necessary and definitely can decrease the stability of RouterOS.

In general, I think Mikrotik device must be considered a ROUTER, and not a soapbox with home gateway.
 
zainarbani
newbie
Posts: 25
Joined: Thu Jul 22, 2021 9:42 am

Re: Feature requests

Sat Aug 21, 2021 11:31 am

smbclient with less features than samba maybe? libdsm
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Aug 21, 2021 11:40 am

In general, I think Mikrotik device must be considered a ROUTER, and not a soapbox with home gateway.
I agree with that! Support for complex protocols like SMB should not be expanded, but rather it should be REMOVED (e.g. the IP->SMB feature).
That would make room for more router-oriented functionality.
Those that want to fetch files from Microsoft stuff can always install a webservice on their PC and use fetch with that.
 
Basdno
Member Candidate
Member Candidate
Posts: 119
Joined: Wed Feb 17, 2010 10:11 pm

Re: Feature requests

Sun Sep 05, 2021 11:05 am

For LoRaWAN devices

Add a package to support their 'light hotspot' so we can use Mikrotik's on the helium network. Helium is a rapidly growing IoT network.
Helium.com
I have also suggested this to Mikrotik support via email. If Mikrotik, as an established professional wireless manufacturer with good production capabilities, would certify their LoRa products for the Helium network, it would probably BOOST SALES extremely.
Especially since no other manufacturer of Helium Hotspots is able to deliver according to the extreme demand from customers!

So Mikrotik, you already have the know-how to do it; all it takes is a Helium certification and the necessary ROS package! :)

Please make it happen, and make it happen soon!

You will be sold out in the blink of an eye! ;)
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Sep 23, 2021 3:45 pm

For wireless connect-list it would be nice when it could skip to the next entry when authentication fails.
As it is now, it will match the first entry with correct SSID (and other criteria like MAC) and try to connect, but when that connection is rejected because the password has changed, it does not skip to the next.
E.g. when a password change is announced for the future, it is not possible to set up a connect list that uses the new password as soon as it becomes active.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 25224
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature requests

Thu Sep 23, 2021 4:57 pm

We have absolutely zero plans to support helium.
No answer to your question? How to write posts
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2125
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Feature requests

Thu Sep 23, 2021 5:12 pm

What about MAC address lists?
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
User avatar
Larsa
Member
Member
Posts: 417
Joined: Sat Aug 29, 2015 7:40 pm

Re: Feature requests

Thu Sep 23, 2021 11:49 pm

Satori: Please add SMB support to the fetch tool
Rextended: Right! +10
Well, that would be nice, but there are plenty of different versions to choose from, using alternative network protocols as well as different authentication protocols. Depending on which ones you pick, the implementation can be quite complex, which would reflect on the code size and maintainability. Have a look at https://en.wikipedia.org/wiki/Server_Message_Block. You have to be more specific than just "SMB"...
 
MCN
just joined
Posts: 13
Joined: Thu Feb 21, 2019 8:57 pm

Re: Feature requests

Sun Sep 26, 2021 7:57 pm

HFS+ formatted storage, AFP, Spotlight indexing, Time Machine support, SMB 2.0

Working Bonjour (mDNS) intra-router (not inter) routing across subnets with example
YES - PLEASE - Time Machine support. SMB 2.0 / AFP - something for the damn Apple users!

Have a LOT of users that we could set to use this!

:)
 
ccanto
just joined
Posts: 10
Joined: Mon Apr 22, 2019 11:36 am

Re: Feature requests

Mon Oct 11, 2021 3:24 am

For the CRS3xx series, implement bridge-forwarding (software) with packets that are "redirected to cpu" in the Switch Rules when hardware offload is enabled.

That would allow the bulk of traffic to be hardware forwarded (by switch chip) and have Switch Rules for some very selective packets redirected to cpu to be processed by the software based bridge-forward packet flow logic (filtered, logged, nat'ed, etc)
 
ccanto
just joined
Posts: 10
Joined: Mon Apr 22, 2019 11:36 am

Re: Feature requests

Mon Oct 11, 2021 3:53 am

When "DHCP Snooping" is enabled on a bridge, add a new option to the "Bridge Port" (when not trusted), that would add a static entry to the bridge hosts table with the MAC, VID (if applicable), interface, bridge and age from the DHCPACK packet. The entry is to be removed when the age expires (dhcp lease), the port is no longer in a Running state, a DHCPDECLINE is sent in response to DHCPACK, a DHCPRELEASE is sent or a new DHCPACK is received for the same MAC (bridge wide, for every port where this option is enabled).

In this regard, the "auto" option in the bridge port "learn" could also mean that MAC learning is disabled on that port if this new option was enabled.
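To make the proposed rules concrete, here is a plain Python model of the binding table described in the two paragraphs above. It is an added example, not RouterOS code (the post itself says RouterOS does not do this yet); the class and method names are invented, and time is passed in explicitly so the model runs offline.

```python
"""Model of the proposed DHCP-snooping-derived static bridge host entries.

Added example: a Python model of the behaviour proposed in this thread,
not RouterOS code. Names (SnoopedHostTable, HostEntry, on_dhcp, ...) are
invented. `now` is an absolute time in seconds supplied by the caller so
the model is deterministic and needs no clock.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HostEntry:
    mac: str
    vid: Optional[int]      # VLAN id from the lease exchange, if any
    interface: str          # untrusted bridge port the client sits behind
    bridge: str
    expires: float          # absolute time: time of DHCPACK + lease seconds


class SnoopedHostTable:
    """Bridge-wide table with exactly one entry per client MAC."""

    def __init__(self, bridge, enabled_ports):
        self.bridge = bridge
        # Untrusted ports that have the proposed option switched on.
        self.enabled_ports = set(enabled_ports)
        self.running = {p: True for p in self.enabled_ports}
        self.entries = {}   # mac -> HostEntry

    def on_dhcp(self, msg_type, mac, client_port, now, vid=None, lease=None):
        """Feed one snooped DHCP message for `mac` seen behind `client_port`.

        msg_type is 'ACK' (server granted a lease), 'RELEASE' or 'DECLINE'.
        Returns the resulting entry for `mac`, or None when there is none.
        """
        if client_port not in self.enabled_ports or not self.running.get(client_port):
            return None                     # trusted or down port: nothing to learn
        if msg_type == "ACK":
            if lease is None:
                raise ValueError("DHCPACK carries a lease time")
            # A new ACK for the same MAC replaces the old entry even when it
            # was learned on another port: the host has legitimately moved.
            self.entries[mac] = HostEntry(mac, vid, client_port, self.bridge, now + lease)
        elif msg_type in ("RELEASE", "DECLINE"):
            self.entries.pop(mac, None)     # lease given up or refused by the client
        else:
            raise ValueError(f"unexpected message type {msg_type!r}")
        return self.entries.get(mac)

    def set_port_running(self, port, running):
        """Port state change; entries behind a port that stopped running are dropped."""
        self.running[port] = running
        if not running:
            for mac in [m for m, e in self.entries.items() if e.interface == port]:
                del self.entries[mac]

    def expire(self, now):
        """Drop entries whose lease has run out; returns how many were removed."""
        stale = [m for m, e in self.entries.items() if e.expires <= now]
        for mac in stale:
            del self.entries[mac]
        return len(stale)

    def is_allowed(self, mac, port, now):
        """Would a frame from `mac` arriving on `port` be accepted with learning off?"""
        e = self.entries.get(mac)
        return e is not None and e.interface == port and e.expires > now
```

Frames from a MAC that never completed a DHCP exchange, or that show up on a port other than the one the lease was granted on, are rejected until a new DHCPACK is seen.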
 
mikruser
Long time Member
Long time Member
Posts: 574
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature requests

Tue Oct 12, 2021 2:49 pm

As i see in https://wiki.mikrotik.com/wiki/Manual:I ... .29_routes
"packets with the same source address, destination address, source interface, routing mark and ToS are sent to the same gateway. This means that ECMP route does not perform pure per-connection balancing"

My suggestion: take into account not only the src/dst address, but also the port number.
do not ask me why it is necessary.
 
jaxed8
Member Candidate
Member Candidate
Posts: 150
Joined: Tue Jul 27, 2021 8:25 pm

Re: Feature requests

Wed Oct 13, 2021 6:45 pm

Winbox dark mode
 
mikruser
Long time Member
Long time Member
Posts: 574
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature requests

Fri Oct 22, 2021 3:51 pm

Feature request: network interfaces for IPsec in Tunnel mode.
do not ask me why it is necessary.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Oct 22, 2021 4:09 pm

Feature request: network interfaces for IPsec in Tunnel mode.
That is about the same thing as an IPIP tunnel with IPsec protection...
 
mikruser
Long time Member
Long time Member
Posts: 574
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature requests

Fri Oct 22, 2021 5:07 pm

No, IPIP uses IPsec in Transport Mode
do not ask me why it is necessary.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8676
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Fri Oct 22, 2021 7:26 pm

Feature request: network interfaces for IPsec in Tunnel mode.
That is about the same thing as an IPIP tunnel with IPsec protection...
Tell that to people trying to setup Google Cloud VPN on MikroTik...
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
maigonis
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Sat Jul 20, 2019 8:16 pm

Re: Feature requests

Sat Oct 23, 2021 1:14 am

When Winbox loses connection, or has otherwise been closed in an improper way, it always messes up my windows. After reopening, all my windows are messed up and I have to organise them again. I know there is an "Autosave on close" checkbox, but it is not working right. I can uncheck it, but it is back on reconnect.

So to make this bug report more of a feature request: maybe you can implement a default template in Winbox? If I connect to a new MT device, my log is always on the right side in full length, Interfaces and DHCP server leases on the left side, etc.

And of course Capsman, Dude improvements like Wireless snooper, noisefloor, CCQ in Capsman, Dude on Linux (better software support on Linux in general).
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Oct 23, 2021 11:54 am

When Winbox loses connection, or has otherwise been closed in an improper way, it always messes up my windows. After reopening, all my windows are messed up and I have to organise them again. I know there is an "Autosave on close" checkbox, but it is not working right. I can uncheck it, but it is back on reconnect.
"losing connection" does not activate autosave on close. That only works when you close the connection yourself by exiting winbox or closing the window.
I have requested before to have an "autosave on disconnect"; that would certainly be useful. And also the possibility to tweak the parameters for automatic disconnect; it happens much too soon, I think. When a link needs to re-establish, it is already too late and all sessions are lost; it should be possible to keep trying for a minute or so.
So to make this bug report more of a feature request: maybe you can implement a default template in Winbox? If I connect to a new MT device, my log is always on the right side in full length, Interfaces and DHCP server leases on the left side, etc.
That is already available, but it is not very clear to new users how it is supposed to work.
In the winbox connection setup window, under Tools enable Advanced mode.
Then you can select the saved session file to be used for the connection. You can share it between different devices so you have the same layout for those devices.
 
maigonis
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Sat Jul 20, 2019 8:16 pm

Re: Feature requests

Sat Oct 23, 2021 8:55 pm

That is already available, but it is not very clear to new users how it is supposed to work.
In the winbox connection setup window, under Tools enable Advanced mode.
Then you can select the saved session file to be used for the connection. You can share it between different devices so you have the same layout for those devices.
Thx for the tip, will use it.
 
jaxed8
Member Candidate
Member Candidate
Posts: 150
Joined: Tue Jul 27, 2021 8:25 pm

Re: Feature requests

Thu Oct 28, 2021 1:04 am

"losing connection" does not activate autosave on close. That only works when you close the connection yourself by exiting winbox or closing the window.
I have requested before to have an "autosave on disconnect"; that would certainly be useful. And also the possibility to tweak the parameters for automatic disconnect; it happens much too soon, I think. When a link needs to re-establish, it is already too late and all sessions are lost; it should be possible to keep trying for a minute or so.
Isn't it just working when safe mode is enabled?
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Oct 28, 2021 1:22 am

Sorry but there is no relation whatsoever between "safe mode" and the topics I discussed.
 
jaxed8
Member Candidate
Member Candidate
Posts: 150
Joined: Tue Jul 27, 2021 8:25 pm

Re: Feature requests

Thu Oct 28, 2021 2:36 pm

Can DOH3 and DOQ be added to the mikrotik?
 
User avatar
Paternot
Forum Veteran
Forum Veteran
Posts: 939
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Feature requests

Thu Oct 28, 2021 7:27 pm

How about a "dry run" option to import? This way we could test an export, to see if it would actually run to the end? An easy way to check if the restore would stop in the middle of the run...
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Oct 28, 2021 7:47 pm

How about a "dry run" option to import? This way we could test an export, to see if it would actually run to the end? An easy way to check if the restore would stop in the middle of the run...
Probably difficult, as the success of an import does not only depend on the syntax of each imported line, but also on the state of the router at the time it is imported.
E.g. when the /export contains an "add" line with a name, and an item with that name already exists on the router when it is imported, it errors out.
So you would need to have a known state before the import (usually you would want "reset-configuration no-default-configuration" as a starting point but that is not necessarily true) and then build the config line-by-line from the import and then again discard it all.

Not sure if the existing "undo" mechanism would cover that kind of thing.
Maybe it is doable to release a standalone program to validate a config externally from a router.

I think a more realistic implementation is an option for /import that:
- prints the imported line but only when some event occurs (the command issues a prompt, a warning, an error)
- then print the corresponding message and its line/pos number
- when the error is not completely fatal, continue with the next line in the import

This would result in a short segment of output that can be reviewed, notes made and manual fixes applied after that.
When the import is done as part of a reset-configuration with "run script", do the same thing but output the errors to a file so it can be viewed afterwards.
Also, when running an import as part of reset-configuration, wait until the interfaces are up and ready before starting the import.
(so we do not need to patch a /delay 30 at the top of the file, an ugly workaround for an issue introduced ages ago, somewhere near 6.35 or so)
 
User avatar
Paternot
Forum Veteran
Forum Veteran
Posts: 939
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Feature requests

Thu Oct 28, 2021 9:11 pm

Probably difficult, as the success of an import does not only depend on the syntax of each imported line, but also on the state of the router at the time it is imported.
E.g. when the /export contains an "add" line with a name, and an item with that name already exists on the router when it is imported, it errors out.
So you would need to have a known state before the import (usually you would want "reset-configuration no-default-configuration" as a starting point but that is not necessarily true) and then build the config line-by-line from the import and then again discard it all.
Why? The system must already have some kind of validation. Even if it doesn't, we already have 50% of the work done: it's the safe mode. There are already enough checks to stop the execution when an error is found.

The best case would be a legitimate dry run: don't do anything, just test. The second best case would be a real rollback in case of an error: just undo what was already done, just like safe mode. In the second case we couldn't call it a "dry run", as it could lead to a temporary service interruption, but you get the idea.

Wouldn't it be great to be able to run a restore, knowing that if the worst happened our router would be as before?
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Oct 28, 2021 10:51 pm

I explained why it is not so easy: validating an import file is not only a matter of reading it line by line and making sure there are no syntax errors, but also checking that each line is valid in the context of the router state as it is as the line is read (which changes after applying each line).
There is no point in checking only the syntax, especially when your goal is to validate an exported file (rather than a file you edited yourself). The exported files are normally free of syntax errors, but often still fail to import because of inconsistencies in the file. Missing parameters (see my bgp example above), wrongly ordered statements (I have seen it before especially in the ipv6 config), etc.

What RouterOS needs is a viable mechanism to transfer configuration from one device to another. I just bought a new router, I want to transfer the config of the old router, I can only succeed in that because I have a lot of experience in it. "the average user" would never be able to do this. Mostly because of the finicky import mechanism, as you rightly noted.
 
User avatar
Paternot
Forum Veteran
Forum Veteran
Posts: 939
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Feature requests

Fri Oct 29, 2021 4:45 pm

I explained why it is not so easy: validating an import file is not only a matter of reading it line by line and making sure there are no syntax errors, but also checking that each line is valid in the context of the router state as it is as the line is read (which changes after applying each line).
Who said something about syntax? I was talking about validating in the context of the router. Validating syntax would be good too, if we changed something, but I was talking about sanity check against the actual router. And, yes: it is reasonable to assume a full wipe and test against either the default conf or the empty one.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Oct 29, 2021 5:10 pm

.... but that depends. I regularly send partial exports to users wanting to join a network that I manage, and these users are expected to import these into their already configured router.
I could understand why someone would want to validate the file to see if it can be fully applied to their router before they attempt that, but it should not assume a blank or default router then.

In practice most users just cut-and-paste the config into a terminal window, possibly in smaller sections (usually my file has some VPN setup, some policy routing setup, and some BGP setup).
When I have time I will probably work on a config generator that makes a suitable config as a script and applies it with some error handling, but it would be so much more convenient when the router could do more of that itself with some new import options.
And another big use case for this would be the transfer of configuration from one device to another, both in cases of upgrades (user buys a new router and wants config of old router to be transferred) and in case of rollouts (many similarly configured routers to be installed).
There could be large improvements in this area for MikroTik, as neither backup/restore nor export/import handles this.
 
User avatar
Paternot
Forum Veteran
Forum Veteran
Posts: 939
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Feature requests

Sat Oct 30, 2021 4:00 am

.... but that depends. I regularly send partial exports to users wanting to join a network that I manage, and these users are expected to import these into their already configured router.
I could understand why someone would want to validate the file to see if it can be fully applied to their router before they attempt that, but it should not assume a blank or default router then.
This changes everything. I was talking about a full export/restore. A partial one would be, as You pointed out, much harder to validate.
 
MtHoodlum
newbie
Posts: 49
Joined: Fri Sep 07, 2012 2:09 am
Location: USA
Contact:

Re: Feature requests

Sat Oct 30, 2021 4:34 pm

We are tracking changes to MikroTik device configurations using scripts on the local devices and we log the changes on a private server. This will allow network operators to easily see who changed the configurations and when they changed.

We use scripts with varying schedules. Every time we make a change to the schedule it puts an entry into the "system history" and the system history is filled with this:
 U action="changed scheduled script settings" by="admin" policy=write time=oct/30/2021 08:08:28 
It would be helpful if the system history provided categorization and filter options by menu item so we could filter out these entries.
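As an added example (not RouterOS code, and not something RouterOS offers itself), the script below does on a collector what the post asks the router to do: it parses lines in the `/system history print` format shown above and filters out the scheduler-edit noise by action, so the remaining entries show who changed what. Only the first sample line is taken from the post; the other action strings are constructed and need not match real RouterOS wording.

```python
"""Parse RouterOS `/system history print` output and filter out noise entries.

Added example, not RouterOS code. The first SAMPLE_HISTORY line is the one
quoted in the thread; the others are constructed for illustration.
"""
import re
from collections import Counter

# One `key=value` pair. Values are either double-quoted (may contain spaces)
# or bare. The `time` value is bare but contains a space (date, then
# HH:MM:SS), so the bare alternative optionally swallows a trailing clock token.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+(?: \d{2}:\d{2}:\d{2})?))')

# Flag column printed before the first key, e.g. "U" (undoable).
_FLAGS = re.compile(r'^\s*([A-Z]*)\s+(?=\w+=)')

SAMPLE_HISTORY = """\
 U action="changed scheduled script settings" by="admin" policy=write time=oct/30/2021 08:08:28 
 U action="added firewall filter rule" by="ops" policy=write time=oct/30/2021 08:10:02
 U action="changed scheduled script settings" by="admin" policy=write time=oct/30/2021 08:12:28
 U action="changed user settings" by="admin" policy=write time=oct/30/2021 08:15:41
"""

# Actions produced by the change-tracking machinery itself; not interesting
# to the operator reviewing the history.
NOISE_ACTIONS = frozenset({"changed scheduled script settings"})


def parse_history(text):
    """Return one dict per non-empty line: the flag column plus every key=value pair."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {"flags": ""}
        m = _FLAGS.match(line)
        if m:
            rec["flags"] = m.group(1)
        for key, quoted, bare in _PAIR.findall(line):
            rec[key] = quoted if quoted else bare
        if "action" in rec:
            records.append(rec)
    return records


def filter_noise(records, noise_actions=NOISE_ACTIONS):
    """Drop entries whose action is in `noise_actions` (the per-menu filter the post asks for)."""
    return [r for r in records if r.get("action") not in noise_actions]


def changes_by_user(records):
    """Count remaining changes per user: the "who changed the configuration" view."""
    return Counter(r.get("by", "?") for r in records)


if __name__ == "__main__":
    recs = filter_noise(parse_history(SAMPLE_HISTORY))
    for r in recs:
        print(f'{r["time"]}  {r["by"]:<8} {r["action"]}')
    print(dict(changes_by_user(recs)))
```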
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Mon Nov 01, 2021 8:18 am

We are tracking changes to MikroTik device configurations using scripts on the local devices and we log the changes on a private server.
I do log these changes to Splunk, so they can be sorted and read at a later time.
2021-10-09 21:53:08	10.11.12.1	server1	xyz	added	new script
2021-10-03 00:10:00	10.11.12.1	server1	xyz	removed	static dns entry
2021-10-02 00:10:00	10.11.12.1	server	xyz	removed	static dns entry
In version 7+, you can get the full command log like shown here in Splunk.
cmd_log.jpg
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Dec 02, 2021 8:48 pm

When logging "system,error,critical login failure for user ..." please remove the logged username when it is not a known user.
E.g. "system,error,critical login failure for user not_a_known_user".

This is to avoid the password being logged when the user accidentally types the password where the username is expected.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Fri Dec 03, 2021 9:17 am

Not a big problem. Only a user who can log in can see the password, or if the log is sent remotely.
I do see the problem when you have different types of users. For example, a read-only user will see these messages.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Dec 03, 2021 11:10 am

Not a big problem. Only user who can log in can see the password or if log is sent remote.
Maybe for you it is not a big problem, but for me it is. My logs are sent to a write-only remote syslog server and now my admin password is permanently archived there, possibly to be seen by someone else in the future.
I do not like that idea.
I do see the problem when you have different types of users. Example Read only user will see these message.
That is another scenario where it would be bad.
It is always a bad idea to log this information for login failures.
 
User avatar
Znevna
Long time Member
Long time Member
Posts: 640
Joined: Mon Sep 23, 2019 1:04 pm

Re: Feature requests

Fri Dec 03, 2021 12:02 pm

So let me get this straight: you made a mistake and tried to log in with your password as the username, and now your password is stored somewhere as a failed login from user=yoursekretpassword.
You did not change your password yet.
You make a request for replacing, as an example, a log from sshd:
   
sshd[8494]: Failed password for invalid user admin from 172.25.1.1 port 11206 ssh2
sshd[8496]: Failed password for invalid user chris from 172.25.1.1 port 63459 ssh2
sshd[8498]: Failed password for invalid user david from 172.25.1.1 port 52512 ssh2
sshd[8500]: Failed password for invalid user foobar from 172.25.1.1 port 35772 ssh2
With this:
  
sshd[8494]: Failed password for invalid user not_a_known_user from 172.25.1.1 port 11206 ssh2
sshd[8496]: Failed password for invalid user not_a_known_user from 172.25.1.1 port 63459 ssh2
sshd[8498]: Failed password for invalid user not_a_known_user from 172.25.1.1 port 52512 ssh2
sshd[8500]: Failed password for invalid user not_a_known_user from 172.25.1.1 port 35772 ssh2
Are you serious right now?
Change your password and be more responsible next time?
MTKEK Certified, IP Sparky
Check yer peers!
 
User avatar
Paternot
Forum Veteran
Forum Veteran
Posts: 939
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Feature requests

Fri Dec 03, 2021 12:11 pm


Are you serious right now?
Change your password and be more responsible next time?
Yes, he is serious. This is a real problem, and bad practice all around. One can type password instead of user for various reasons, ranging from not paying attention to bad interface design.

By all means log the failed attempt, log the IP, log the date and time. But do not log the username itself.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Dec 03, 2021 1:24 pm

Yes, that is the problem. When starting ssh, e.g. from a script, in some cases it asks for the username and in other cases (when it is started as admin@router) it immediately asks for the password.
Same for scp, ftp etc.
So it can happen when you are very busy doing some admin work across several routers that you type the password where it asks for the username.
It is bad that the router logs that. It should be changed like in the example you give, except that it would be ok to log the actual username when that is an existing username (e.g. admin) and not when it is a nonexisting username like MySecretPassword.
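The refinement pe1chl describes (keep the username when it is a real account, replace it otherwise) can also be applied on the receiving syslog host before lines are archived. This is an added example, not code from the thread; the known-user set and the log lines are constructed, using the sshd format quoted above.

```python
import re
from typing import Iterable

# Matches the sshd failure lines quoted in the thread. "invalid user " is
# optional so that failures for existing accounts are matched as well; the
# username is matched lazily so a mistyped password containing spaces is
# still replaced as a whole.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>.+?)"
    r" from \S+ port \d+ ssh2"
)

PLACEHOLDER = "not_a_known_user"


def redact_line(line: str, known_users: set[str]) -> str:
    """Replace the username in a failed-login line unless it is a real account.

    A password typed into the username prompt is, by construction, not a
    known username, so unknown values are the only ones that get replaced.
    """
    m = FAILED_LOGIN.search(line)
    if m is None:
        return line  # not a failed-login line: pass through untouched
    if m.group("user") in known_users:
        return line  # real account name, keep it for the operator
    return line[: m.start("user")] + PLACEHOLDER + line[m.end("user"):]


def redact_stream(lines: Iterable[str], known_users: set[str]) -> list[str]:
    """Apply redact_line to every line of a log stream."""
    return [redact_line(line, known_users) for line in lines]


# Constructed sample: lines in the format quoted in the thread, plus one
# failure for an existing account and one unrelated sshd line.
SAMPLE_LOG = [
    "sshd[8494]: Failed password for invalid user admin from 172.25.1.1 port 11206 ssh2",
    "sshd[8496]: Failed password for invalid user chris from 172.25.1.1 port 63459 ssh2",
    "sshd[8498]: Failed password for invalid user MySecretPassword from 172.25.1.1 port 52512 ssh2",
    "sshd[8500]: Failed password for admin from 172.25.1.1 port 35772 ssh2",
    "sshd[8502]: Accepted publickey for admin from 172.25.1.2 port 40000 ssh2",
]
# Constructed; in practice this set comes from the router's user database.
KNOWN_USERS = {"admin", "chris"}

if __name__ == "__main__":
    for out in redact_stream(SAMPLE_LOG, KNOWN_USERS):
        print(out)
```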
 
mikruser
Long time Member
Long time Member
Posts: 574
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature requests

Mon Dec 06, 2021 7:29 pm

Please add "Packet Sniffer" and/or "Torch" buttons to the firewall rule box.
do not ask me why it is necessary.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8676
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature requests

Mon Dec 06, 2021 10:07 pm

Please add "Packet Sniffer" and/or "Torch" buttons to the firewall rule box.
What should these buttons do in that case?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
mikruser
Long time Member
Long time Member
Posts: 574
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature requests

Tue Dec 07, 2021 9:59 pm

show packets that match this rule
do not ask me why it is necessary.
 
shafiqrahman
Member Candidate
Member Candidate
Posts: 123
Joined: Wed Apr 12, 2017 1:42 am

Re: Feature requests

Fri Dec 17, 2021 3:22 pm

Since MikroTik added WireGuard in the new RouterOS 7.1, it would be nice if MikroTik added a VPN option (zero configuration) in the MikroTik app which works over dynamic IPs, so that we can connect to our home network.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Dec 17, 2021 3:42 pm

VPN access has been in the v6 QuickSet for ages. Just enable the checkmark and enter a password.
For the case of managing a couple of routers from the same company and dealing with CGNAT, you might want a VPN where all devices are clients of a single server.
That is also quite trivial to set up, or in case of v7.1 you might want to look at ZeroTier.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Dec 24, 2021 3:56 pm

Maybe MikroTik can consider to send a PADT packet on a PPPoE connection when it appears to be dead, or when there is no response on PADI packets and it gives up.
This is required to work around a bug in some transport networks that sniff the PPPoE setup and add additional info (line identification).
This "proxy" keeps state and does not understand the sudden appearance of PADI packets on a session it believes to be "up and running".
Apparently other router manufacturers implement that workaround already...
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests ( tri-band & phased array )

Tue Jan 04, 2022 6:43 pm

I have a new product feature request which I think Mikrotik should consider.

Two new AP products with the following features:
- An indoor tri-band ( 2.4-GHz & 5-GHz & 6-GHz Wi-Fi 6E ) indoor AP
- An outdoor tri-band ( 2.4-GHz & 5-GHz & 6-GHz Wi-Fi 6E ) outdoor AP
- An outdoor dual-band ( 5-GHz & 6-GHz Wi-Fi 6E ) outdoor AP

* - All of the above have two variants
- Built-in antennas ( for indoor use and an outdoor version )

* - Three antenna options
- Normal built-in antennas
- External antenna connectors ( to allow use of other brands of antennas )
- A phased array version ( indoor model and outdoor model ).

**** The phased array indoor antenna version could use a round circular tube slot ( or ball ) antenna to provide beam steering/aiming in a circular 360-degree horizontal pattern and possibly an up/down 30-degree vertical pattern.
**** The phased array outdoor antenna version could use a flat or 30-degree curved antenna to provide beam steering/aiming in a 30-degree horizontal pattern and an up/down 15-degree vertical pattern.

Why phased array ? I have some experience with 2.4 GHz phased array outdoor antennas ( Vivato ). I had 17 outdoor Vivato 180-pound tower mounted APs. This Vivato system was FCC registered as a point-to-point system ( although it functioned like a multi-point system ). Because this was FCC registered as a point-to-point system, it was the only Microwave system that could use the new FCC higher TX power and it was able to totally blow away all other omni and multi-point microwave systems. The Vivato was able to beam steer the microwave signals in the direction of a remote client ( much like a modern ethernet switch will send data out a single ethernet port to talk to a remote MAC address ). This system was able to beam steer to each remote connected microwave client. To give you an idea how well this beam steering worked , I was able to get reliable/working 2.4 GHz B/G microwave links to stock notebook computers 10+ miles away from the tower mounted Vivato Base Station. It worked so well , that we had the Department-Of-Defense come over to our coverage areas ( for about a week ) and test out our phased array system ( communications, drones and ... ).

The new TP-Link Archer AXE200 Omni system is close with their new Wi-Fi 6E system but it uses motorized antennas to beam-steer signals. IMO , cool idea but it has moving parts and I doubt if it will have the ability to physically move the external antennas fast enough to handle more than four remote connections. With electronic beam steering phased array technology , similar to what Vivato did, it would be possible to connect 1,500 moving wireless clients and achieve a point-to-point beam to each client and perform simultaneous TX and RX at the same time to/from more than one connected client at the same time.

I think a new Mikrotik product line like this could again blow away the industry with never seen high throughput performance.

North Idaho Tom Jones
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests ( tri-band & phased array )

Tue Jan 04, 2022 8:08 pm

I have a new product feature request which I think Mikrotik should consider.

- An outdoor tri-band ( 2.4-GHz & 5-GHz & 6-GHz Wi-Fi 6E ) outdoor AP
In Europe, 6 GHz WiFi is only allowed indoor on low power (200mW EIRP). Not much use for an outdoor AP here, unless you want to illuminate an enclosed back garden and do not mind violating the rules.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests ( tri-band & phased array )

Tue Jan 04, 2022 8:40 pm

I have a new product feature request which I think Mikrotik should consider.

- An outdoor tri-band ( 2.4-GHz & 5-GHz & 6-GHz Wi-Fi 6E ) outdoor AP
In Europe, 6 GHz WiFi is only allowed indoor on low power (200mW EIRP). Not much use for an outdoor AP here, unless you want to illuminate an enclosed back garden and do not mind violating the rules.
Does Europe have rules for higher TX power point-to-point microwave links versus lower TX power on multi-point links ( similar to the FCC rules which allow higher power on point-to-point microwave links ) ?
--- A phased array system with beam steering is a point-to-point system and can use much more TX power with high gain antennas ( high gain phased array beam steering antennas ).
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jan 04, 2022 9:03 pm

No, we have an EIRP limit here, which of course means you can run higher TX power on lower gain (thus wider beam) antennas.
But the EIRP limit is fixed: 30dBm on channel 100-136 in/outdoor, and 23dBm on the indoor-only channels (low 5GHz channels and also now on 6 GHz).
There is an exception: it is allowed to run 6 GHz outdoor with max 14dBm mobile, but of course that is not very useful for PtP links (fixed install not allowed).
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Tue Jan 04, 2022 10:47 pm

No, we have an EIRP limit here, which of course means you can run higher TX power on lower gain (thus wider beam) antennas.
But the EIRP limit is fixed: 30dBm on channel 100-136 in/outdoor, and 23dBm on the indoor-only channels (low 5GHz channels and also now on 6 GHz).
There is an exception: it is allowed to run 6 GHz outdoor with max 14dBm mobile, but of course that is not very useful for PtP links (fixed install not allowed).
pe1chl - question for you - not directly related to this specific "Feature requests" forum topic.
Are you seeing any issues with cellular LTE-U ( unlicensed 5-GHz interference/noise ) between 5-GHz microwave devices and 5-GHz cellular LTE-U 5-GHz usage ?
I am beginning to experience all kinds of new interference at all of my tower locations that have near-by cellular LTE-U 5-GHz ( #46 ) coverage.
Which kinda leads me to this Mikrotik topic of "Feature requests", my suggestion about a phased array Mikrotik that falls under the FCC higher TX power of point-to-point. With point-to-point rules, for every 3-dB antenna gain, the transmitter TX power only needs to be reduced by 1-dB ( unlike multi-point where every 3-dB of antenna gain also requires the TX transmitter power to be reduced by 3-dB ). Thus a really good high-gain beam steering point-to-point system can replace a multi-point sector antenna and end up with much much higher TX power ( possibly 12-dB average gain on microwave connections ). Something like this should help in noisy congested environments where there is rogue noise ( such as LTE-U and other WISP operators ) using the same frequencies.
North Idaho Tom Jones.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Wed Jan 05, 2022 12:52 am

I don't think this technology is in use here. Our next LTE/5G band will be around 3.5 GHz (in the USA that band is used for satellite TV).
 
emunt6
newbie
Posts: 29
Joined: Fri Feb 02, 2018 7:00 pm

Re: Feature requests

Sun Jan 16, 2022 6:13 am

Feature Request:
-ITU-T Y.1564 (EtherSAM) - in hardware implementation
> Throughput, Latency, Frame Loss, Back-to-Back

Maybe by the time RouterOS v10 comes out :)
 
jmginer
Member Candidate
Member Candidate
Posts: 151
Joined: Tue Dec 11, 2012 4:56 am
Contact:

Re: Feature requests

Thu Jan 20, 2022 12:33 am

Feature Request for switch ACL.

- Add negative conditions with !
- Add src-address-list
- Add dst-address-list

These options would allow reducing the number of rules, which in many switches is limited to a very low number.

In order to protect the access of some computers against other computers connected to the same switch, I had to create 56 ACL rules... With negative rules and address-list, 5 rules would have been sufficient.

And there is the difficulty of implementing and managing them in the future...

Thanks!
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests - NAT444 new rule type

Thu Jan 20, 2022 5:01 am

Feature requests - NAT444 new rule type

I would like to see a new feature that is directly related to NAT444

Currently, to perform NAT44 ( not NAT444 ), where a CGN IP address /21 block ( example 100.64.0.0/21, aka 8 consecutive Cs ) is mapped to a live IP /30 ( 4 consecutive Cs ), only one line is needed in the ip-firewall-nat configuration. This works, but without logging every CGN customer NAT translation, it is 100-percent impossible to trace an outside IP & port range back to a customer ( such as when we get one of those copyright notices where a NATted customer downloaded a copyrighted movie or something ).

NAT444 ( not NAT44 ) has the ability to map each and every natted CGN customer to a live IP address and a port range.
The problem: If I want to nat a CGN /21 block ( 8 consecutive Cs ) to a live /30 IP address block where each customer gets a port range of 250 ports , the NAT444 configuration will require over 6-thousand lines of code in the ip-firewall-nat configuration. If you have ten CGN /21 blocks where each /21 goes to a live IP /30 address & port range , the configuration will require about 63-thousand lines of code.

I would like to see a new feature where there is added support for NAT444 where it would be possible to have an ip-firewall-nat statement that understands CGN /21 ( or any / ) port-range into a live IP /30 ( or any / ).
With a new feature such as this , 10 lines of ip-firewall-nat configs could replace many thousands of lines of NAT444 configuration statements.
Then with such a new NAT444 single line , also have a lookup tool so that with a known live IP address and port, the system can then report which CGN NAT444 is the one being looked up.

North Idaho Tom Jones
EDIT - have you ever tried pasting 63-thousand lines of code into any server, especially a Mikrotik ??? Over 7 MEG of text in a single paste. The possibility of buffer overruns is huge !
 
gammy69er
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Sun May 18, 2014 3:01 am

Re: Feature requests

Thu Jan 20, 2022 11:11 pm

IDK if anything is getting observed here anymore - But I have a request.

Route Table selection under Bandwidth Test
Ping has this function and is fine for a quick check of "Up/Down" - but does not show potential throughput.
Yes, I can add a specific route to a specific server, but often I am just running to our core, so changing the route will drop my session, and having to fluff around opening and closing another suitable router is a pain (as closing is often forgotten).

Couldn't see any previous requests for a function like this (again, not sure am in the right spot)
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests - NAT444 new rule type

Thu Jan 20, 2022 11:15 pm

EDIT - have you ever tried pasting in 63-thousand lines of code into any server , especially a Mikrotik ??? Over 7 MEG of text in a single paste. The possible buffer-overruns is huge !
It would be silly to do that. Upload it as a file and then /import it. Or make a script that auto-generates the configuration (which likely has a repeating pattern).
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests - NAT444 new rule type

Thu Jan 20, 2022 11:52 pm

EDIT - have you ever tried pasting in 63-thousand lines of code into any server , especially a Mikrotik ??? Over 7 MEG of text in a single paste. The possible buffer-overruns is huge !
It would be silly to do that. Upload it as a file and then /import it. Or make a script that auto-generates the configuration (which likely has a repeating pattern).
I am aware I could upload a file then import it ( I do that all of the time ).
I generally prefer a telnet/ssh connection then paste in something. - Note a normal telnet/ssh then paste can get buffer overruns, so I instead use Tera Term for the telnet/ssh connection, then configure a 75 ms delay for each line pasted in ( thousands of lines ). This habit goes back to my dial-up days to a phone-connected remote router that was off-line and being completely reconfigured via the RS-232 serial port.
Also - another reason for using paste: I was worried the Mikrotik router would die with that many lines of configuration, so I used Safe-Mode then pasted in the configurations. ( I was worried that an import of 63-thousand lines might break the router and that it might no longer reboot. )
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jan 21, 2022 12:07 am

Safe mode will not help you when making thousands of changes, its undo buffer will have overrun long before that.
(I think it can only contain about 20 commands, maybe less)

Unless you have a very powerful router, having so many rules likely will result in performance problems.
Maybe it can work when the rules somehow can be made two-level, i.e. a first level that selects e.g. on subnet and then jumps to a dedicated
chain where several rules for that subnet (from the customer IP space) are handled and that ends in an accept.
This avoids having to go through half the 63000 rules (on average) for every new connection. It can be done with more than 2 levels as well.
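An added example (not code from the thread) of pe1chl's two suggestions applied to TomjNorthIdaho's NAT444 case: generate the repeating rule set with a script instead of pasting it, split it into per-/24 jump chains, and reuse the same table for the reverse lookup (public IP and port back to the CGN customer) that the post asks for. The public block 203.0.113.0/30 is a constructed documentation address, the usable port range 1024-65535 is an assumption, and the emitted `/ip firewall nat` syntax should be checked against the RouterOS version in use.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Usable source-port range per public address (assumption).
PORT_LOW, PORT_HIGH = 1024, 65535


@dataclass(frozen=True)
class Mapping:
    inside: ipaddress.IPv4Address   # CGN customer address
    outside: ipaddress.IPv4Address  # live (public) address
    port_lo: int
    port_hi: int


def plan_mappings(cgn_net: str, public_net: str, ports_per_customer: int) -> list[Mapping]:
    """Deterministically give every CGN host a public address and a port block.

    Customers are spread evenly over the public block; the port budget is
    checked here so an impossible scheme fails before any rule is generated.
    """
    customers = list(ipaddress.ip_network(cgn_net).hosts())
    publics = list(ipaddress.ip_network(public_net))  # every address of the live block
    per_ip = -(-len(customers) // len(publics))       # ceiling division
    budget = PORT_HIGH - PORT_LOW + 1
    if per_ip * ports_per_customer > budget:
        raise ValueError(
            f"{per_ip} customers x {ports_per_customer} ports per public address "
            f"exceeds the {budget} usable ports"
        )
    mappings = []
    for idx, inside in enumerate(customers):
        lo = PORT_LOW + (idx % per_ip) * ports_per_customer
        mappings.append(Mapping(inside, publics[idx // per_ip], lo, lo + ports_per_customer - 1))
    return mappings


def render_routeros(mappings: list[Mapping], jump_prefixlen: int = 24) -> list[str]:
    """Emit RouterOS-style /ip firewall nat commands as a two-level structure:
    one jump per CGN /24 into its own chain, then one src-nat rule per customer
    and protocol (to-ports needs tcp or udp). Command syntax is assumed.
    """
    groups: dict[ipaddress.IPv4Network, list[Mapping]] = {}
    for m in mappings:
        sub = ipaddress.ip_network(f"{m.inside}/{jump_prefixlen}", strict=False)
        groups.setdefault(sub, []).append(m)
    lines = ["/ip firewall nat"]
    for sub, group in groups.items():
        chain = f"cgn-{sub.network_address}".replace(".", "-")
        lines.append(f"add chain=srcnat src-address={sub} action=jump jump-target={chain}")
        for m in group:
            for proto in ("tcp", "udp"):
                lines.append(
                    f"add chain={chain} src-address={m.inside} protocol={proto} "
                    f"action=src-nat to-addresses={m.outside} to-ports={m.port_lo}-{m.port_hi}"
                )
    return lines


def lookup(mappings: list[Mapping], outside: str, port: int) -> Optional[ipaddress.IPv4Address]:
    """Reverse lookup for abuse reports: which CGN customer owned this public IP and port."""
    addr = ipaddress.ip_address(outside)
    for m in mappings:
        if m.outside == addr and m.port_lo <= port <= m.port_hi:
            return m.inside
    return None


if __name__ == "__main__":
    # 100.64.0.0/21 is the CGN block from the post; 203.0.113.0/30 is constructed.
    # 2046 customers over 4 addresses leaves 126 ports each, so 250 would not fit.
    plan = plan_mappings("100.64.0.0/21", "203.0.113.0/30", 126)
    for line in render_routeros(plan)[:4]:
        print(line)
    print("203.0.113.0:1200 ->", lookup(plan, "203.0.113.0", 1200))
```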
 
guipoletto
Member Candidate
Member Candidate
Posts: 162
Joined: Mon Sep 19, 2011 5:31 am

Re: Feature requests - NAT444 new rule type

Fri Jan 21, 2022 12:24 am

I would like to see a new feature where there is added support for NAT444 where it would be possible to have a ip-firewall-nat statement that understands CGN /21 ( or and / ) port-range into a live IP /30 ( or any / ).
+1 for that.

(or better: #BPA on ROS7! :)
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Fri Jan 21, 2022 2:37 am

Safe mode will not help you when making thousands of changes, its undo buffer will have overrun long before that.
(I think it can only contain about 20 commands, maybe less)

Unless you have a very powerful router, having so many rules likely will result in performance problems.
Maybe it can work when the rules somehow can be made two-level, i.e. a first level that selects e.g. on subnet and then jumps to a dedicated
chain where several rules for that subnet (from the customer IP space) are handled and that ends in an accept.
This avoids having to go through half the 63000 rules (on average) for every new connection. It can be done with more than 2 levels as well.
... having so many rules likely will result in performance problems ...
That was a huge concern on my first trial run with thousands of lines in the ip-firewall-nat section.
What I discovered with the new configuration is that it actually ran better & faster.
EDIT: Also , the CHR CPU load went down 5 percent and the Ethernet customer traffic went up by about 5 percent during peak-hour usage ( I use Cacti to graph everything ).
 
User avatar
rushlife
Member Candidate
Member Candidate
Posts: 211
Joined: Thu Nov 05, 2015 12:30 pm
Location: czech republic

Re: Feature requests

Tue Jan 25, 2022 8:59 am

Hi to all.

Couple of Feature requests.

I have suggestion for Mikrotik.
Would it be possible to make central management for switches / routers like CAPsMAN is ?
For admins like me ( with hundreds and hundreds of Mikrotik devices under one big roof ) it would be awesome.
Also native macOS and Linux Winbox would be awesome, but this is what I keep saying (typing) here nonstop.
For admins who spend most of their work hours in Winbox, a native version for their main OS should be the obvious choice.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jan 25, 2022 10:54 am

Would it be possible to make central management for switches / routers like CAPsMAN is ?
For admins like me ( with hundreds and hundreds of Mikrotik devices under one big roof ) it would be awesome.
There are some limited possibilities with "dude", but it is mostly for monitoring.
Also native macOS and Linux Winbox would be awesome, but this is what I keep saying (typing) here nonstop.
For admins who spend most of their work hours in Winbox, a native version for their main OS should be the obvious choice.
IMHO the "webfig" should be made fully capable like "winbox" and then winbox can be dropped and replaced by some
small agent to allow MAC-level connect and netinstall, native for each environment. All environments would then
use a web browser, and MikroTik does not need to develop it because others already do that.
 
User avatar
rushlife
Member Candidate
Member Candidate
Posts: 211
Joined: Thu Nov 05, 2015 12:30 pm
Location: czech republic

Re: Feature requests

Tue Jan 25, 2022 6:15 pm

Don't get me wrong but you do not get it.... If you spend 8hr daily in winbox, then you WILL get it.

There is no way to manage hundreds of devices daily through a web interface, there is just no way...
It is very important for the Mikrotik team to understand how important winbox is for network admins who have all of their work based on mikrotik.

These types of admins DO NOT have windows.

WE ( I mean admins ) use nmap, ping, mactelnet, iftop, arpwatch and a BUNCH of other network tools and we do not use them under such a sh*tty OS as windows is.
WE use Linux, MacOS, some others maybe BSD. But NOT windows. I don't really know even one network admin who uses windows as their main OS.

This is how I feel about that. No flame, just MHO.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Jan 25, 2022 8:13 pm

I am myself exclusively using Linux with winbox running under wine. For me that works OK, it seems that the bugs I encountered in winbox are not related to this solution as they can be reproduced on native windows OS as well.

What I mean with improving webfig is to make webfig behave exactly the same as winbox does now. I.e. inside a browser window you have the same as what winbox does now.
Aside from maybe the performance on old hardware, really that can be done. Other manufacturers have shown it in their web configuration interfaces, that support a desktop-like structure with many open subwindows just like winbox does.
 
Sob
Forum Guru
Forum Guru
Posts: 8180
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Tue Jan 25, 2022 10:06 pm

We've been over this before, I'm all for better WebFig, but don't touch my WinBox. :) Some of these "desktop-like experience in browser" attempts may be sort of ok, but I have yet to see one as good as native, with right controls, fast, snappy, ...
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Feb 08, 2022 4:34 pm

Allow for volatile changes to the configuration. E.g. add a keyword "volatile" or "volatile=yes" to each configuration command, and when this is passed to a configuration item it is applied to the running router but not saved in the flash, so it will be lost at the next reboot. It will also not appear in backups or exports.
Example:
/interface ethernet
set [ find name=ether2 ] disabled=yes volatile=yes
Now ether2 will be disabled until this is reversed or the router is rebooted, at which time it is enabled again.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1340
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Feature requests

Tue Feb 08, 2022 5:31 pm

Allow for volatile changes to the configuration. E.g. add a keyword "volatile" or "volatile=yes" to each configuration command, and when this is passed to a configuration item it is applied to the running router but not saved in the flash, so it will be lost at the next reboot. It will also not appear in backups or exports.
Example:
/interface ethernet
set [ find name=ether2 ] disabled=yes volatile=yes
Now ether2 will be disabled until this is reversed or the router is rebooted, at which time it is enabled again.
There may be three types of semi-work-arounds for what you describe.
- Safe Mode
- Backup the running configuration, then schedule a reload of the backup. If you lose connectivity, the schedule will eventually reload your router ( if you don't disable the schedule ).
- Schedule a command. If the schedule is allowed to continue, your command may then be executed, or cancel the schedule so that your command does not occur.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Feb 08, 2022 6:51 pm

The use case is not to recover from mistakes (by asking someone to powercycle the router), it is more to have scripts that dynamically modify the configuration but return to a known state should the router be rebooted.
For example, I require a workaround for some problem that disables my internet line for 5 minutes (so that PPPoE client is not hammering on the nonresponding PPPoE server).
I can do that with a script that disables the interface, delays 300 seconds, then re-enables it but when the router would be rebooted between those times I would permanently lose access.
To work around that, I have added yet another script that enables the interface after a reboot.
It would all be clearer and safer when I could disable the interface in such a way that it would not be saved in the config.

Similarly, Sob was writing a script that fiddles the IPv6 configuration when a new prefix is received from the ISP. It is not required to save that, it only wears out the flash.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue Feb 08, 2022 7:27 pm

This is how Cisco works. Any config you are setting will not be stored in a reboot, if you do not "write mem" or "copy running-config startup-config"
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Feb 08, 2022 7:49 pm

This is how Cisco works. Any config you are setting will not be stored in a reboot, if you do not "write mem" or "copy running-config startup-config"
I know that, but that is not a behavior I would want to copy to other devices. It has been inherited from long long ago. But it also leads to mysterious problems, e.g. when someone modifies the config, forgets to write it, and then (months) later the power cycles and the config change is lost.

What would be nice to have is some capability for temporary config changes that are not stored and are lost on reboot.
And we know that this is possible, at least in RouterOS v7, because it is doing that (for some config items) even when we do not want it!
 
itmethod
newbie
Posts: 32
Joined: Tue Feb 18, 2014 8:44 pm

Re: Feature requests

Wed Mar 02, 2022 5:30 am

Kid Control Feature Request

I would like to request it support Address Lists, so we can bypass addresses, for when it blocks access.

or the ability to put firewall rules before the kid control rules.
 
mikruser
Long time Member
Long time Member
Posts: 574
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature requests

Tue Mar 15, 2022 2:21 pm

Please add more detailed description to log
for example, now I see:

address list entry changed by admin
filter rule changed by admin


I need to know which entry and which rule was changed
do not ask me why it is necessary.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue Mar 15, 2022 3:12 pm

Please add more detailed description to log
This is already implemented in v7 of RouterOS.
Here is an example where I add cnn.com to the access-list demo:

Syslog (or you can see it in the local log)
script,info EndCMD
script,info ;undoable=true
script,info ;time=mar/15/2022 14:02:06;undo=/ip firewall address-list remove *636
script,info .id=*33;action=address list entry added;by=admin;policy=write;redo=/ip firewall address-list add address=cnn.com disabled=no list=demo
script,info StartCMD
Or as it's shown if you use Splunk and the Mikrotik addon I have made:
(attachment: cmd.jpg)
 
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Mar 15, 2022 3:50 pm

What logging config did you make to see this detailed logging? I only see generic entries like "ip firewall rule added by admin" and in many cases only " by admin" (suggesting that the further detail still has to be put in a function parameter by the programmer).
But now that I see your log messages I start thinking I need to set some logging parameter?
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Tue Mar 15, 2022 5:33 pm

What logging config did you make to see this detailed logging?
No config, but use this command:
/system history print detail
This part of my Splunk/Mikrotik script sends the data to Syslog:
# Get detailed command history RouterOS >= v7
# ----------------------------------
# $CmdHistory is presumably a flag set elsewhere in the script; $cmd holds the
# newest history entry seen on the previous run, so only newer entries get logged.
:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and $CmdHistory) do={
	:global cmd
	:local f 0
	:foreach i in=[/system history find] do={
		# stop logging once the entry recorded on the previous run is reached
		:if ($i = $cmd) do={ :set f 1 }
		:if ($f != 1) do={
			:log info message="StartCMD"
			:log info message=[/system history get $i]
			:log info message="EndCMD"
		}
	}
	# remember the newest entry for the next run
	:global cmd  [:pick [/system history find] 0]
}
 
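To make the `/system history` entries Jotne forwards usable on the syslog side, here is an added example (not from the thread or the Splunk add-on) that reassembles each StartCMD/EndCMD block into a key/value record and flags the ones that touched the firewall. The sample lines are Jotne's, constructed here in the chronological order the script emits them; the `script,info` topic prefix is assumed to be how they arrive, and a `;` inside a command value that happens to precede `key=` would be mis-split.

```python
import re

# Jotne's lines, constructed here in the order the script logs them
# (StartCMD first); "script,info" is the log topic prefix.
SAMPLE_LOG = [
    "script,info StartCMD",
    "script,info ;undoable=true",
    "script,info ;time=mar/15/2022 14:02:06;undo=/ip firewall address-list remove *636",
    "script,info .id=*33;action=address list entry added;by=admin;policy=write;"
    "redo=/ip firewall address-list add address=cnn.com disabled=no list=demo",
    "script,info EndCMD",
]

TOPIC_PREFIX = re.compile(r"^[\w,]+ ")  # "script,info " and similar topic lists
# A new field starts at one or more ';' directly followed by "key=" ('.id' included).
FIELD_SPLIT = re.compile(r";+(?=[\w.]+=)")


def _parse_fields(blob: str) -> dict[str, str]:
    fields = {}
    for part in FIELD_SPLIT.split(blob):
        if "=" in part:
            key, value = part.split("=", 1)  # only the first '=' separates key from value
            fields[key] = value
    return fields


def parse_history(lines) -> list[dict[str, str]]:
    """Reassemble each StartCMD..EndCMD block (the array printed by
    /system history get, spread over several syslog lines) into one record."""
    entries, buf, inside = [], [], False
    for raw in lines:
        body = TOPIC_PREFIX.sub("", raw.rstrip(), count=1)
        if body == "StartCMD":
            buf, inside = [], True
        elif body == "EndCMD":
            if inside and buf:
                entries.append(_parse_fields(";".join(buf)))
            inside = False
        elif inside:
            buf.append(body)
    return entries


def firewall_changes(entries: list[dict[str, str]]) -> list[dict[str, str]]:
    """Records whose redo command lives under /ip firewall or /ipv6 firewall."""
    return [e for e in entries
            if e.get("redo", "").startswith(("/ip firewall", "/ipv6 firewall"))]


def describe(entry: dict[str, str]) -> str:
    """One-line summary: who changed what, and the command that reverts it."""
    g = entry.get
    return (f"{g('time', '?')} {g('by', '?')} [{g('policy', '?')}] {g('action', '?')}: "
            f"{g('redo', '?')} (undo: {g('undo', 'n/a')})")


if __name__ == "__main__":
    for e in firewall_changes(parse_history(SAMPLE_LOG)):
        print(describe(e))
```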
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Mar 15, 2022 5:59 pm

Ah.. OK. That is nice. I would wish that there is some way to enable such logging using a setting.
(journalling of entered commands to an external syslog server)
It is partly there but not detailed enough to be useful.
 
kraal
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Tue Jan 19, 2021 10:24 pm

Re: Feature requests

Sun Mar 20, 2022 11:06 pm

Would it be possible to have a flag to display firewall filter comments in winbox not as a new line before the filter rule, but as a column ? It would greatly improve the readability of the UI IMHO. Thank you.
 
almdandi
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sun May 03, 2015 5:22 pm

Re: Feature requests

Mon Mar 21, 2022 12:16 am

Would it be possible to have a flag to display firewall filter comments in winbox not as a new line before the filter rule, but as a column ? It would greatly improve the readability of the UI IMHO. Thank you.
In Winbox -> Settings -> "Inline Comments"
 
kraal
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Tue Jan 19, 2021 10:24 pm

Re: Feature requests

Mon Mar 21, 2022 1:09 am

Would it be possible to have a flag to display firewall filter comments in winbox not as a new line before the filter rule, but as a column ? It would greatly improve the readability of the UI IMHO. Thank you.
In Winbox -> Settings -> "Inline Comments"
Fastest feature request implementation ever ;-)
Thank you and sorry for not having searched first.
 
pe1chl
Forum Guru
Forum Guru
Posts: 8372
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Mon Mar 21, 2022 10:33 am

Yeah, it should probably be made the default by now. Such options are made settable when they are first introduced but after a long time everyone forgets about that.
 
copyliu
just joined
Posts: 2
Joined: Mon Aug 12, 2019 4:47 pm

Re: Feature requests

Tue Mar 22, 2022 9:45 am

I am using IGMP proxy for routing my IPTV multicast stream to my home network, but my ISP seems to have put some limit on their IPTV network: I can't join more than 2 multicast groups at the same time,
since my PC/NAS/etc. will join some multicast groups by default (UPnP discovery etc.), these group join requests are routed to the IPTV network through the IGMP proxy and hit the limit set by the ISP.

afaik, igmpproxy on Linux can define a whitelist to route only needed groups to upstream, I hope RouterOS can add this feature.

https://manpages.debian.org/testing/igm ... .5.en.html , whitelist section
 
flydvorkin
just joined
Posts: 7
Joined: Mon Mar 11, 2019 12:59 pm

Re: Feature requests

Fri Apr 15, 2022 3:48 pm

Feature requests:

1) Add IPv6 tunnel dynamic address from pool for IKEv2 in mode-config
2) Add IPv6 leases in dhcpv6-server (single address, not prefixes), for administratively managed IPv6 in an office.
 
mindcloud
just joined
Posts: 1
Joined: Sun Feb 27, 2022 7:00 pm

Re: Feature requests

Thu Apr 21, 2022 7:55 pm

Dark mode for winbox please.
 
rextended
Forum Guru
Posts: 6968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Feature requests

Fri Apr 22, 2022 11:48 am

Dark mode for winbox please.
It was already requested, and is probably at the end of the to-do list.
 
aon
just joined
Posts: 2
Joined: Sat Apr 30, 2022 1:37 pm

Re: Feature requests

Sat Apr 30, 2022 1:40 pm

Feature request: send/expect-like scripting functionality for serial ports that you could use to talk with devices connected to the serial port. Would be nice for "IoT"-like scenarios.
Last edited by aon on Sat Apr 30, 2022 1:42 pm, edited 1 time in total.
 
clueluzz
newbie
Posts: 30
Joined: Sun Feb 23, 2020 5:47 pm
Location: Jakarta, Indonesia

Re: Feature requests

Sun May 01, 2022 1:19 pm

There should be a page in WebFig to view the activity of a combination of ports (customizable), like the per-port page.
(attached screenshot: Screen Shot 2022-05-01 at 17.09.24.png)
I think this would be useful to see in one page visually (instead of the numbers in the interface page), e.g. a combination of WANs, VLANs, and certain LAN ports.
