Feature requests

jvolkhausen · Mon Mar 16, 2020 1:06 pm

Give the ability to secure firewall rules.
For remote systems it will be not good if the managemend firewall rules are deleted. For this reason i think it would be nice to have a feature to secure these rules in any way like locking. For the first step it would reach the target to just secure the rule itself. The big shot would be to lock also the place in the firewall chain.
The workflow in my mind looks like this:
creation
- create rule
- lock rule

modify
- unlock rule
- modify rule
- lock rule

delete
- unlock rule
- delete rule

pe1chl · Mon Mar 16, 2020 2:13 pm

Give the ability to secure firewall rules.

I think it would be more useful as a limited-user capability where users can be created that have precisely
defined capabilities for each configuration item. (no access, read-only, add-only, modify, delete)
This is not limited to firewall.
This would allow ISPs that roll out managed routers to give their customers some limited capability that they
require, but not full access to the entire config.

SiB · Mon Mar 16, 2020 2:28 pm

To the last 2 answers.
In my opinion that changes are good but not must. Proper comments with chain-name with jump action can create a proper tree of action at firewall and this "lock/unlock" is not that necessery.
About change in firewall, better will be better note/log a change what we do inside ROS, currently history is not useful when you do few changes in one module, like firewall.
From what I will be know what rule change what back/undo command where are all the same in system history ?

Mon Mar 16, 2020 2:35 pm

Yes, RouterOS v7 has better command history, you will be able to see specific command that was executed.

Chupaka · Mon Mar 16, 2020 3:38 pm

For remote systems it will be not good if the managemend firewall rules are deleted.

Welcome to the Safe Mode

Chupaka · Mon Mar 16, 2020 3:44 pm

Yes, RouterOS v7 has better command history, you will be able to see specific command that was executed.

Just an example, that's cool:

 > /sys history print detail 
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/interface eoip remove bridge2 
    undo=
      /interface eoip add arp=enabled arp-timeout=auto disabled=no mac-address=\
          6A:F5:C8:E5:62:12 mtu=auto name=bridge2
    action="device removed" by="admin" policy=write time=mar/13/2020 14:06:52

The only problem is... That was actually "bridge" interface, not "eoip"

> /interface/bridge/add name=brrr
> /sys history print detail      
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/interface eoip add name=brrr undo=/interface eoip remove *3 
    action="device added" by="admin" policy=write time=mar/16/2020 16:44:09

Mon Mar 16, 2020 4:19 pm

Thanks, If you find anything else strange with history report to support.

nimbo78 · Tue Mar 17, 2020 2:40 pm

Don't forget to add VRF for management interface!

+1

pe1chl · Thu Mar 26, 2020 1:45 pm

Please add extra parameter "regexp" (including NOT operator) to "/system logging" rules so you can specify a regexp on the logged message to be (not) matched before the specified action is taken.
Often there are many messages with exactly the same topics but widely different purpose, and some of the topics are quite verbose so one would want to see (or suppress) certain messages.

Also, it would be nice to have some way of triggering scripts directly from logging, e.g. a new "action" type "script" that executes a script for every logging item sent to that action.

neticted · Fri Apr 24, 2020 9:47 am

It is mush of a struggle to protect router for constant login attempts to it's services that must be open to public.
Handling it in firewall is complicated, wastes resources and often cannot even be done in satisfactory manner.

It would be great if Mikrotik introduces new script trigger called something like onLoginFail to all services that have login. That would make it very easy and efficient tool for admins to handle repeated failed login attempts.

pe1chl · Fri Apr 24, 2020 10:42 am

Yes indeed. But that would actually one of the use cases I had in mind for the previous feature request I made (on Mar 26, 2020)

TomjNorthIdaho · Wed Apr 29, 2020 6:45 pm

6 GHz a/n/ac 2x2 ( when ? )

The FCC recently opened up the 6 GHz frequency range ( 1,200 Megahertz Of spectrum ) for un-licensed use.
The new unlicensed 6-GHz frequency range includes 5.925 GHz -through- 7.125 GHz.
Question - how soon will Mikrotik have products which will support 6-GHz a/n/ac 2x2 in the new frequency range of 5.925 GHz -through- 7.125 GHz ?

Ideally, I would love to see a Mikrotik wireless device/card with SuperChannel support from 4.8-GHZ up through 7.125 GHz.

I desire to as soon as possible begin adding new FCC 6-GHz ( a/n/ac 2x2 ) APs/clients to my existing 5-Ghz networks. If Mikrotik is prompt with products to fulfill this new market, then I will stay with Mikrotik .

North Idaho Tom Jones

WeWiNet · Wed Apr 29, 2020 8:18 pm

I would like to see so many things in routeros but here is a my list I think should happen:

Have DFS/radar detection log/counter since boot in 5Ghz wireless status tab

Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be possible to be used within routeros within queue trees, mangle rules, hotspot etc. Today one needs to define each time an absolute value for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare. If you could use percentages of that max values in those various places you could easily adapt to throughput change on your WAN side (like moving to a better LTE modem, adding another WAN link, or Fiber link) and your device would scale up withou any other change.

More flexible scheduling, PLEASE. Not only one time per day but different times per day and on different days etc. It is already there in some parts of routerOS, so should be simple (I put that request in the wrong place in another post earlier)

And then yes some day finally Wifi Wave 2 features like band steering, but now I am starting to dream about paradise ... so forget this one...

kiwistag · Sun May 10, 2020 1:36 am

3 differing requests that may become very useful

Within Winbox: Right click menu option for on an ARP record or DHCP Lease to quickly issue WOL request

Consider a GeoIP package allowing for firewall filtering by Country (a big ask I know, but there are good Linux resources for this - https://www.maxmind.com)

USB-IP sharing, allowing the included USB interfaces on the routers to be accessible remotely by a PC (http://usbip.sourceforge.net/)

I know that the two latter may take some considerable resource to implement and is more practical to MMIPS, ARM and even Tile architectures, however for the sakes of IOT these days - the ability to remotely interface via USB into devices to program may be a large drawcard for purchasing Mikrotik routers to an untapped market.

Bevan
NZ

pe1chl · Sun May 10, 2020 11:49 am

Consider a GeoIP package allowing for firewall filtering by Country

I'm against that. It is completely useless, and it tends to racism.

pe1chl · Sun May 10, 2020 11:55 am

Enable using a global "MAX Speed" parameter you expect on your WAN interfaces. This should then be possible to be used within routeros within queue trees, mangle rules, hotspot etc. Today one needs to define each time an absolute value for Max Limit, Buffer Limit, trigger limit etc.! What a nightmare.

I think the queue trees should allow an additional form of rate configuration in the form of a percentage of the rate of the next higher level in the queue tree.
When the next level is an interface, there should be some options, e.g. default the negotiated interface rate, possibility to manually set a lower rate, and e.g. on a WiFi link also the possibility to track the actual datarate of the link as depending on link quality. or indeed a fourth option could be to set it to some name of a global variable where the value is taken. that would be the feature you request.
I recognize the pain of having to walk through entire trees when the top-level speed is changed. However I usually do it from commandline so larger numbers of items can be set all at the same time. Still a laborious procedure.

SiB · Wed May 13, 2020 11:59 pm

Add column TYPE who give us a result from :typeof $variable

emad1984 · Sat Jun 06, 2020 4:05 pm

Please add Shadowsock / shadowsocksr to the vpn features.

TomjNorthIdaho · Tue Jun 09, 2020 2:33 am

WiFi 6 ( 6 GHz )

Yesterday I went into Costco ( a large everything store ). And guess what is on display as you walk in the store - a bunch of WiFi 6 wireless networking devices !!!

Emmmm, soooooooo ,,,, Where are any Mikrotik WiFi 6 WISP products ?

I need to start adding at least one-hundred WiFi 6 APs to my multiple tower networks then begin migrating a thousand or so 5 GHz customers to some WiFi 6 networks while the 6 GHz channels are still clear/clean , however ,,, there are no Mikrotik WiFi 6 products available.

How can Mikrotik not have any WiFi 6 products when the shelfs in Costco are full of non-Mikrotik WiFi 6 products ?

North Idaho Tom Jones

pe1chl · Tue Jun 09, 2020 11:06 am

Add "usage counters" to static DNS entries and display them in the table.
These need to be in RAM only, no need to write back to flash.

muetzekoeln · Tue Jun 09, 2020 5:32 pm

WiFi 6 ( 6 GHz )

WiFi6 ist 2.4 and 5 GHz.
WiFi6e includes 6GHz

millenium7 · Wed Jun 10, 2020 3:59 am

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.

lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. All of our routers i'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to login or establish VPN's from overseas etc
Ideally this would pull data periodically from a central MikroTik server similar to DDNS which would make it more effective than just using fixed address-lists
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel thats racist well.... thats your problem

pe1chl · Wed Jun 10, 2020 12:20 pm

Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. All of our routers i'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to login or establish VPN's from overseas etc
Ideally this would pull data periodically from a central MikroTik server similar to DDNS which would make it more effective than just using fixed address-lists
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel thats racist well.... thats your problem

My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.

Do you want it to refer to the physical location of the system having that address, the citizensship of the owner of that system, or its network? Or of the system's user?
E.g. when you think "I only want to receive mail from people in Australia so I will block all mail from servers in other countries" but that will fail because people in Australia might (even unknown to themselves) have their mail server located in another country.

Similar for websites. "I want my users only to see websites from Australia" might look easy to do with such a list, but it isn't. The list will not refer to the content of the site, nor to the owner/operator of that site, but (at best) only to the physical location of the server. Which errs in both directions: reputable Australian sites may be hosted overseas, and overseas phishers/hackers might have their site physically located in Australia.

I don't know the situation in Australia, but here in the Netherlands we have MANY MANY networks that lookup as "country=NL" but really are operated by rogue hosters from anywhere in the world. So limiting my router logins to "only from NL" really brings me nothing but a false sense of security, as those ongoing portscans from the many foreign VPSes hosted in local datacenters here will just go through.
Furthermore, anyone can use a VPN (in the newfangled meaning) to have a source IP address in any country they desire.

And when you operate on a mobile network provided by a company that originates from outside of your country, it may well be that your external IP address is registered in another country too. Maybe not in Australia (due to its isolated topology), but certainly in other places.

Then, making something like this available as a standard feature where every operator can just click some selection list (even without knowing all of the above) is certainly not a good thing, in my opinion. But you can differ on that.

Firewall filtering is something that has to happen on-the-fly so it has to use locally stored tables. However, services like a login or VPN connect could to an external query to determine parameters of the source IP address, and use the result to accept or reject the connection.
There are DNS-based country lookup services (you query a name like 1.2.3.4.somedomain.example.com for a TXT record and you get a reply with the AS number and country code of the specified address.
Maybe it would be good when login procedures would be able to do such queries (or allow calling a script where such customized queries can be made).
That would still have the disadvantages listed above, though.

msatter · Wed Jun 10, 2020 1:57 pm

Those list can be obtained at mikrotikconfig dot com

Beside that you need to maintain a seperate list with scanning IP add. that are domestic or listed with the wrong country.

I am doing it myself since a few days becsuse I got fed up with maintaining the separate list all the time. Now is because very quiet and still the checkers come in preparing a scan.

doctorpangloss · Thu Jun 11, 2020 1:19 am

Hairpin NAT should be enabled in Quick Set.

Jotne · Thu Jun 11, 2020 8:31 am

There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.

You may think so. Take an example. On your server you have a small web server that is for you local bicycle club. There user can get information about training times, when there are competition etc. Lets say a someone from Australia is on vacation in Bali and wants to know when the training is for his son that are home in Australia. Why should he not do that.

Or your work have an proxy or head quarter in an other country, he the could not open your local web server, since you blocked all from outside Australia.

But if you have no webserver nor other services needed for any other, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.

sindy · Thu Jun 11, 2020 12:50 pm

If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.

pe1chl · Thu Jun 11, 2020 1:31 pm

So I don't know whether using discrimination per country is racist, but it is definitely useless.

My claim was: It is completely useless, and it tends to racism.
It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
That quickly slides towards racism.

solar77 · Thu Jun 11, 2020 8:15 pm

good firewall rule stops attacks, picks up IP of attacker, keep them in your Address List for as long as you want and block all future attacks from the same IP.
I'd like to see the IP cloud to include a function so that we can all share these IP address. that would be nice!

mutluit · Thu Jun 11, 2020 8:35 pm

So I don't know whether using discrimination per country is racist, but it is definitely useless.
My claim was: It is completely useless, and it tends to racism.
It is useless for the reasons I described, and it tends to "let's block Nigeria because Nigerians are scammers. let's block Russia because Russians are hackers", etc etc.
That quickly slides towards racism.

Hmm. here is a counter use-case:
Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D.

pe1chl · Thu Jun 11, 2020 8:39 pm

Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D.

As I explained before, that is not going to work. Your own users may appear to come from another country.

solar77 · Thu Jun 11, 2020 10:38 pm

Imagine you have a service for users from your own country only.

this is was nearly my user-case. a local WISP. and at one point it was very attempting to do so to fence off all failed authentication to our VPN service. Most of them are from one country.
However, I realized that we cannot just block connection from the rest of the world. one of my customer might want to travel

We don't have a list of known IP address to allow. So ended up to log 3 failed connection attempt and add the source IP to an Address list, add a /24 to it and block the Address List .
From the list, I can see the attacker jumps from IP to IP, different range, clearly blocking by country is not going to stop them at all.
Also they were clever enough to do this less frequently so they don't get caught. I had to increase the time-out at each stage as well.

I try to mess with them by using Tarpit instead of Drop. Making their life slightly more difficult.

again, a platform for Mikrotik users to share these IP address would be useful.

Jotne · Thu Jun 11, 2020 10:48 pm

Hmm. here is a counter use-case:
Imagine you have a service for users from your own country only.
Then it makes sense to block all login attempts from any other country.
Q.E.D.

And as I did write, how to access these services if the user are out travelling in another country?
If I would like to surf from an Australian address, I could use "Hola Free VPN" and bypass your country rule.

millenium7 · Fri Jun 12, 2020 3:25 am

My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.

You are WAY overthinking this. It's really as simple as an address list generated from IANA that says i.e.
1.x.x.x/8 = Belongs in USA.
2.1.x.x/16 = Belongs to Belaruse
3.x.x.x/8 = Australia
etc etc
Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up. But behind the scenes this is done by simply enabling an option in a firewall rule that says i.e. "Country!=Australia" and it uses all the known prefixes residing inside Australia. Done behind the scenes, and ideally periodically updated so you don't have to run scripts to manually pull the latest IANA data

This is no different to what many other countries do with geoblocking of services. I have zero interest in making 100% absolutely damn sure that the 'user' is in Australia. If they have an overseas IP, are using a VPN etc, not my problem. This is a broad sweeping rule that will catch a significant number of attacks, it's not about ensuring we definitely have someone physically located in Australia, don't care

There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas.
You may think so. Take an example. On your server you have a small web server that is for you local bicycle club. There user can get information about training times, when there are competition etc. Lets say a someone from Australia is on vacation in Bali and wants to know when the training is for his son that are home in Australia. Why should he not do that.

Or your work have an proxy or head quarter in an other country, he the could not open your local web server, since you blocked all from outside Australia.

But if you have no webserver nor other services needed for any other, block it 100% for all, not just for people from overseas. Use VPN to access your local resources if needed.

That would not be an 'input' chain, that would be forward chain, so the rule would not block traffic going to a server that resides behind the router. Only traffic directly destined to the router itself would get blocked
The specific conditions of each person can be taken into account by either adjusting firewall rules to the companies needs, or just not using the country filter......... amazing concept I know. But for us, we 100% absolutely have zero need for allowing overseas connections directly to our routers. Now if we need to get a consultant in, or someone goes overseas or we have some special purpose we can always go ahead and just add a more specific 'accept' rule above the general country filter. Until this, this 1 rule would reduce our attack footprint massively

If someone wants to attack you specifically, it is not a big deal for them to use a zombie device in your own country as a proxy. The internet is full of vulnerable devices which have never been upgraded since unpacking. So I don't know whether using discrimination per country is racist, but it is definitely useless.

It isn't useless. It's not about 100% perfect security either (such a thing doesn't exist). It's just about reducing the broader attack spectrum. In the same way most people move the default Winbox port off 8291 to something else, that isn't 100% effective so therefore its a useless feature? may as well not have it?
Why do people block port scans? That's not a guarantee of anything either....
If 1 very simple rule reduces the attack vector by 90% then how is it useless..... the other 10% can still be handled as normal anyway. Heck if nothing else its a performance boost, anything overseas gets dropped in the first couple of rules without processing further

Jotne · Fri Jun 12, 2020 10:33 am

That would not be an 'input' chain, that would be forward chain.

Then Is see what you do wrong. There should be no input rules coming from the outside using the input chain. VPN is the way to go if you need to access services on the router.

If you can not use VPN to manage your router, follow this:

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. If possible setup the remote router to connect using VPN to an admin site.
8.++++

4. you can give only on IP to manage your system if you need.

Then you can administrate your router from where you like and better security.
Using a country based access list only limit the number of hack attempt to your system, nothing more.

PS I have an access list that block an IP for 24 hour if they try one port on my system that is not open. This blocks most of the automatic script running out there.

pe1chl · Fri Jun 12, 2020 11:09 am

It's really as simple as an address list generated from IANA that says i.e.
1.x.x.x/8 = Belongs in USA.
2.1.x.x/16 = Belongs to Belaruse
3.x.x.x/8 = Australia
etc etc
Functionally identical to an address list allow/block rule, except without having many thousands of entries in the address list and cluttering it up.

I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better
when it had been done that way, but it hasn't.
LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible
to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for
the asia-pacific region. The list of blocks for Australia would have many thousands of entries no matter how you like that.

So the feature you request is nothing more than what you would get when you load the address list and use that in the firewall rules, and the only
thing you could expect here is that some native tool for loading the address list would have an easier time getting around the limitations posed
by scripting and the flash-wear caused by repeatedly loading static address lists.

I have asked before for extensions on the DNS-based loading of address lists:
- remove or at least increase the limit on the number of records returned for a DNS lookup when loading an address list item via a DNS name so longer lists like blocklists can be loaded this way
- add support to load "subnet" address list items e.g. by lookup of TXT records which contain subnets in the CIDR notation (1.3.3.0/24 for example)
(a DNS record type exists specifically for this, but it is experimental and probably not widely supported, TXT seems a safer bet)

With this in place, your request could be fulfilled by a DNS service (hosted by MikroTik or by another company or indvidual) that returns all
subnets for "australia" on some specific DNS lookup, and you could get your "security" by configuring that address list in your router and using it
in your firewall rules.

millenium7 · Fri Jun 12, 2020 11:52 am

I'm sorry to tell you, but that isn't possible. Addresses have not been assigned that way! I also sometimes thought it would have been much better
when it had been done that way, but it hasn't.
LIRs have assigned /24.../16 blocks to "users" (companies, internet providers) completely randomly, within their region. So it is rarely possible
to aggregate subsequent blocks into larger blocks that represent a country. The blocks for Australia are completely intermixed with blocks for
the asia-pacific region. The list of blocks for Australia would have many thousands of entries no matter how you like that.

I am entirely aware of this, what I provided was clearly just an oversimplified example, I thought that was clear when I mentioned 'instead of having several thousand address list entries'
It's doing exactly the same job as manually adding them to an address list. But in a very simplified and clean way by just enabling 1 option and specifying countries. Ideally that is then dynamically updated
The alternative is entries need to be manually added to a MikroTik, that could be hundreds/thousands of routes especially if I want to do multiple things with multiple countries
Then I need another script running that updates this list automatically...... it's just really messy to keep everything updated and everything in sync.... when it could be a simple 1 tick-box operation instead.

Why are you guys not seeing the value in this? DDNS does a similar thing. It's entirely possible to script your own DDNS implementation but isn't it a LOT better just having a single tick-box in IP-Cloud? I know I sure appreciate that feature for when I need it. Do I use it all the time? no. Is it perfect with i.e. multiple gateways? no. Does it have a purpose though? Absolutely. So why are you so opposed to having a country feature?
I dunno, maybe you guys are right, because its not an absolutely perfect implementation that works for absolutely everybody, it must be totally useless........
I don't use IPv6 on Mikrotik whatsoever, can I put in a request to remove it? because for me its totally useless, therefore it must also be totally useless for everyone else.........

ahmedramze · Fri Jun 12, 2020 3:09 pm

Hello

Please can upload All packages as separated files then we can use fetch command also , add Https mikrotik certificate for url download.mikrotik.com
installing packages required unzip the file and upload it agian some sites time we use mobile network and slow connection.

Regards.

pe1chl · Fri Jun 12, 2020 4:04 pm

I am entirely aware of this, what I provided was clearly just an oversimplified example, I thought that was clear when I mentioned 'instead of having several thousand address list entries'
It's doing exactly the same job as manually adding them to an address list. But in a very simplified and clean way by just enabling 1 option and specifying countries. Ideally that is then dynamically updated
The alternative is entries need to be manually added to a MikroTik, that could be hundreds/thousands of routes especially if I want to do multiple things with multiple countries
Then I need another script running that updates this list automatically...... it's just really messy to keep everything updated and everything in sync.... when it could be a simple 1 tick-box operation instead.

I hoped you would have understood by now that this is not possible because there is no simple attribute on a packet that indicates it is "from Australia" so such filters can only work with that address list of thousands of entries in place.
I stop this useless discussion, when you want to keep going on about how you think this could be implemented please post a separate topic so it can be kept outside of the "Feature requests" topic.

pe1chl · Fri Jun 12, 2020 4:07 pm

Please can upload All packages as separated files then we can use fetch command also , add Https mikrotik certificate for url download.mikrotik.com
installing packages required unzip the file and upload it agian some sites time we use mobile network and slow connection.

The use of separate packages for part of functionality (like routing, advanced tools, PPP, etc) has been abandoned in v7. Everything is now in a single package except the truly special things like UPS monitoring.
So you will have to get used to loading the single routeros package that has all the things that you do not need.

The separate package files (for v6) are already available for download from upgrade.mikrotik.com via fetch, you only need to figure out the URL.

TomjNorthIdaho · Fri Jun 12, 2020 7:38 pm

Blocking countries and remote bad/rogue locations - ( related information )

If you use PfSense , take a look at the package "pfBlockerNG-devel".
My multiple core network routers are a mix of Mikrotik and PfSense routers/firewalls/NAT. The optional PfBlocker on PfSense allows you do block by country and/or use multiple Internet list servers to auto download/update bad IP address on the Internet. I have a syslog server that receives firewall logs from my Mikrotik and PfSense firewalls. My syslog server then auto creates a custom block-list that my other PfSense routers/firewalls will also use. So if one PfSense firewall blocks something, that IP address will auto propagate to my other PfSense firewalls. This works well because when somebody is scanning your network searching for vulnerabilities, it only takes one PfSense firewall hit to redistribute the new firewall rule list to all other PfSense firewalls. Default pfBlockerNG can use IP lists and DNSBL lists freely available, and you can even create your own custom lists for other PfSense firewalls to use.

I have found many infected computers on some of the networks I manage simply by looking at my syslog. When you see repeated never-ending attempts from a computer in your network trying to connect to ( China or other sometimes rogue locations), then it is a fair bet that you may want to further inspect/scan that local computer on your network.

I don't know if something like pfBlocker is possible on a Mikrotik, but if it were then I would be very interested in testing it out.

North Idaho Tom Jones

Sob · Sat Jun 13, 2020 1:01 am

So why are you so opposed to having a country feature?

Remember, you don't need to convince anyone in this forum, just MikroTik. Non-technical reasons and user's business decisions aside, first question is what exactly should MikroTik provide. I see big difference between just support for something and providing all the data.

For example, in the past I played with MaxMind's GeoIP database (no, I didn't block anyone), which is periodically updated database with IP to country mapping. They even had iptables module for it. Adding support for something like that should be relatively simple one-time thing. Providing such database themselves, keeping it updated and everything, that's much more work and may not be worth it for MikroTik.

I don't care about countries myself, but it could be interesting if it would be something more generic. Assuming that working with static precompiled database is faster than with address lists (I guess it could, I didn't test it, but it would be interesting to know), it could be useful for any kind of large (semi)static lists. No only it could be faster (maybe), but updates could be done by simply downloading and replacing one file, instead of scripting address list updates or abusing dns, etc.

Chupaka · Sat Jun 13, 2020 7:14 pm

Regarding that geoip databases... Ten years ago I had to contact MaxMind because the ISP I was working for leased two /24 PA blocks from Czech company, and MaxMind (well, together with many other services, but they are among the biggest ones) was ignoring this fact for years. They told us they don't read all the changes, so most small ISPs are treated as their aggregated IP block by default. Only after that (about ~ a month later) our clients started to be identified as coming from Belarus, not Czech.

Nowadays, when IP space is exhausted, more and more leasing happens, so today the problem can be even bigger.

Jotne · Sat Jun 13, 2020 10:13 pm

This just add more to why block by country is not a good thing. Quality of search a service would never be high and you can bypass it using proxy/VPN. It looks like millenium7 like this to protect input chain that is used to admin the router. VPN should give the needed security.

TomjNorthIdaho · Fri Jun 26, 2020 3:57 am

*** RESOLVED *** ( it works like it is supposed to. This post was an error asking a question. There is no issue *** RESOLVED ***

Put Dude ports 2210 and 2211 in IP-Services where it belongs

Currently , IP->-Services has a field "Available From"
This functions with api , api-ssl , ftp , ssh , telnet , winbox , www , www-ssl
These services can be turned off/on and/or blocks of IP-networks can be used for each service.

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
Yesterday , I counted 4-thousand "winbox/dude" connect logs. And I know it's not winbox because I IP-Services limit what IP blocks can connect using winbox , so it has to be dude !

I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.

Also - it might be a good idea to add ICMP to the IP-Services section

North Idaho Tom Jones

pe1chl · Fri Jun 26, 2020 11:15 am

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

But you can just handle them in the input firewall, right? That is where I regulate the other services as well, when they are enabled.
A subnet limitation in the service still allows connect to the service which then refuses to serve you, but an input firewall rule entirely protects it.
(and can be more advanced than just checking for source subnet)

TomjNorthIdaho · Fri Jun 26, 2020 7:00 pm

Put Dude ports 2210 and 2211 in IP-Services where it belongs

Currently , IP->-Services has a field "Available From"
This functions with api , api-ssl , ftp , ssh , telnet , winbox , www , www-ssl
These services can be turned off/on and/or blocks of IP-networks can be used for each service.

The problem is the dude service on ports 2210 and/or 2211. They are not in the IP-Services settings.
The huge big network security problem is you can't turn this off or limit IP access in the IP-Services settings !!!!!!

This client Dude service is running and there is zero IP-Services control. This is a huge gigantic bulging security problem !
Every day, I see thousands of entries in my Mikrotik logs - example "jun/25 13:32:09 warning denied winbox/dude connect from 185.209.0.62"
Yesterday , I counted 4-thousand "winbox/dude" connect logs. And I know it's not winbox because I IP-Services limit what IP blocks can connect using winbox , so it has to be dude !

I suspect this has the potential to allow remote break-ins where an attacker may be able to do anything they want to your Mikrotik.

Also - it might be a good idea to add ICMP to the IP-Services section

North Idaho Tom Jones

Never mind - I got an email that says Dude uses the same ports as Winbox.
So what traffic is on 2210 and/or 2211 ?
And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?

pe1chl · Fri Jun 26, 2020 7:19 pm

And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?

That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
When you do not like that, add a firewall rule (probably with address list) for the filtering.

TomjNorthIdaho · Fri Jun 26, 2020 7:50 pm

And why do I still get "warning denied winbox/dude connect from" indicating remote IP addresses in my logs when I have the IP-Services for winbox configured to only allow my IP address blocks ?
That is normal for using that kind of limit. As I already wrote, the service accepts the connection then drops it and logs a message.
When you do not like that, add a firewall rule (probably with address list) for the filtering.

Again - thank you for your prompt reply(s) to my questions

I guess I was not understanding the sequence "service accepts the connection then drops it and logs" , I wrongly thought it was "don't accept the connection".
Question - Am I correct to assume for IP-Services ssh, telnet, http, https api … Is it also "service accepts the connection then drops it if not allowed" ( aka accept the connection , check access-list, then drop if not allowed - if allowed then continue the service connection) ?
Mikrotik - I love your products and your highly knowledgeable team.

Thank you

North Idaho Tom Jones

pe1chl · Fri Jun 26, 2020 8:12 pm

Question - Am I correct to assume for IP-Services ssh, telnet, http, https api … Is it also "service accepts the connection then drops it if not allowed" ( aka accept the connection , check access-list, then drop if not allowed - if allowed then continue the service connection) ?

Yes, that is how it works. In Linux this is called "TCP Wrappers" with their associated config files "/etc/hosts.allow" and "/etc/hosts.deny". It sits between the listening TCP port and the daemon that runs the connection, it first accepts the connection (or rather the kernel does that), looks up the source network in those files, and if not allowed it just closes the connection again. This whole thing was invented before firewalls were available in operating systems.
You can observe this yourself when you use telnet.

Retral · Sun Jun 28, 2020 4:11 am

Hey I'd like to throw these ones out there.
Can you make the menu in Winbox collapse able to where it's just a column of icons?
I think it would be a great asset to anyone wanting to squeeze every inch out of their screen(s) real estate.

Optimize the re-opening of Winbox. Often I find when I make changes to rules inside different areas like the firewall I'll have the inner window randomly resize on me. When I close and re-open Winbox it has a habit of auto changing it's zoom level, which mangles up the inner windows.

Give us the ability to make the options we check off in the torch default for the next time a torch is opened and give us the option to turn it off if we want.

ivicask · Sun Jun 28, 2020 9:00 pm

Not sure if was asked but can we get option to specify multiple adress lists inside single firewall rule?

Jotne · Sun Jun 28, 2020 10:48 pm

option to specify multiple adress lists inside single firewall rule?

You can make a jump rule and add multiple rules to it, all with an address list. Not exactly the same, but should work.

pe1chl · Mon Jun 29, 2020 11:31 am

It would be nice to have some additions from the ipset mechanism available as address list items.
- list:set would enable you to make an address list that has a couple of other address lists as members (and can implement the above request)
- counters would show a hit-count in an address list for each item (enabling evaluation of relevance of items in a list)

anuser · Sun Jul 05, 2020 9:49 am

Feature request: "Airtime Fairness" for Wireless, because it helps a lot when there is a huge number of clients is connected to one SSID and one is able to slow down the rest (Take a look at https://www.smallnetbuilder.com/wireles ... l=&start=1)

eguun · Tue Jul 07, 2020 10:24 am

Hi,

as feature request, I would like mikrotik to have IPsec support of DH group 31 (EC25519)

Diffie-Hellman group 31 is EC25519 (Elliptic Curve 25519)

It's today the only undisputed secure Elliptic Curve algorithm.
And several competitive product already supports it (pfSense, OPNsense, Fortigate ...)
It's absent from Mikrotik supported protocols: https://wiki.mikrotik.com/wiki/Manual:I ... man_Groups and the Wiki is up-to-date.

Is there a procedure to formally request this support?

Reference RFC: https://tools.ietf.org/html/rfc8031

Thanks

opientka · Fri Jul 10, 2020 9:22 am

Hello Mikrotik,

here's another feature request:

Add support for LTE Devices to be controlled via CAPsMAN

Example Use case:
My company uses serval smaller MikroTik Routers (like hAP-AC²) spread over the whole campus as office dektop switches.
All of them share their WiFi hardware to a central CRS328-4C-20S-4S+RM, located in our Server Room, which is our CAPsMAN.
Two of the CAPs are also used to connect an LTE-USB-Stick to provide a backup internet connection over 4G/LTE mobile network.

It would be great if those USB-sticks could be virtually relocated into the the CAPsMAN, like the WiFi Antennas of the CAPs.
Having LTE connected to the central Router/Gateway makes sense. But since CRS328-4C-20S-4S+RM does not have USB and the LTE-Signal inside the server room is really bad, it seems like a good idea to relocate those Sticks to a Desktop-Router, which is located next to a window.

Sure, it is possible to configure that router as a second gateway, but having it configured centralized within CAPsMAN would be a great benefit.

SiB · Fri Jul 10, 2020 10:51 am

Add support for LTE Devices to be controlled via CAPsMAN

No, it's bad idea. USB Stick are detected and dhcp-client is automatical created, you can do many fix to your needs by scripts&schedulers.

You have few other ways to massive config like ssh, scheduler & fetch, .auto.rsc via ftp who work with autostart...

Wyz4k · Tue Aug 18, 2020 7:23 am

Can we get an option to add a reason for rebooting? For example /system reboot reason="upgrading to new ROS" and have that reason be stated in the next log?

pe1chl · Tue Aug 18, 2020 11:09 am

When the reason for the reboot is an upgrade of ROS, the router already logs that...
Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?

Wyz4k · Tue Aug 18, 2020 11:20 am

When the reason for the reboot is an upgrade of ROS, the router already logs that...
Maybe it was just an unfortunate example and you want to be able to specify other messages like "shutdown for maintenance in rack #2"?

That's right yes. reason = "Shutting down because DHCP broken script triggered a restart."

Jotne · Tue Aug 18, 2020 11:22 am

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.

Wyz4k · Tue Aug 18, 2020 11:42 am

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.

No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.

al3xeezer · Tue Aug 18, 2020 12:35 pm

Would be very useful to have the src-address parameter available for /tool speedtest (as it is for fetch, traceroute, ping...)

Have you consider adding it?

pe1chl · Tue Aug 18, 2020 4:26 pm

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.

When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.

Wyz4k · Tue Aug 18, 2020 6:47 pm

If the reboot reason is written to the log before syslog is up and running, it will not send it out externally. So you need to look in local logs.
No, you are misunderstanding my request. I want to be able to specify the reboot reason in a script. For example: I have 10 scripts each that have a set of sequences that might lead to a reboot. Now my router reboots due to 1 of these scripts. It's hard for me to determine which one. If I could in each script give it a unique reboot reason by calling /system reboot reason="blah" then I'd be able to immediately see after reboot which one of those scripts initiated the reboot.
When you are doing such advanced things, I would advise setting up an external logserver and do remote logging to that.
Then you can also keep log messages that occurred just before a crash, including messages you write in the log from a script.
You can easily set this up on any Linux machine, e.g. a Raspberry Pi or similar.

Yes, that would be a useful approach. Unfortunately I operate in an infrastructure-less environment where the configurations are built up and destroyed dynamically and as such we don't have a syslog server option.

Can I get a syslog server too? :D Yes I know dude has one, but a small one for normal routers would be nice.

TomjNorthIdaho · Fri Aug 21, 2020 4:17 am

FYI - Reboots and logs.

- 1'st; I don't use the Mikrotik native ( /system watchdog " Watch Address" ).
I do not like the way it behaves and it is not smart. Because it is not smart, it can/will trigger a reboot when everything is connected. When the default WatchDog detects a no-ping condition , it will auto-reboot ( even if the connection is restored prior to auto-reboot ).

-2'nd; I use my own WatchDog scripts.
My WatchDog scripts for a Mikrotik have configurable variables which include:
A - How often to perform a Watch-Dog test ping
B - How often to retry Watch-Dog test pings when something is down. It can retry test-pings for seconds or minutes or hours prior to forcing a auto-reboot.
C - Prior to a reboot, it will perform a wireless-site-survey and save the results in a file in the Mikrotik flash file system.
D - After a wireless-site-survey , it will again wait/retry Watch-Dog pings for an additional configuration time period.
E - Finally , when there is actually going to be a reboot, my scripts will write an additional file to the flash file system indicating the time/date/reason for the reboot.

I have use my Watch-Dog scripts for over 10-years now on thousands of Mikrotiks. It works and it works great. I can always find out when a Mikrotik rebooted and why - and a very big advantage is I don't need a remote syslog server.

Also - with these scripts , it's super easy to perform a site-survey on a remote client customer Mikrotik , then drag the site-survey file to your computer and open it to see the site-survey results. Comes in very very handy to see the customer might have many wireless routers in their house on the same frequency or close to the frequency you are using to connect your customers. :)

For many years now, I have posted some of these scripts in the Mikrotik forums.
If you are an ISP or WISP , it is 100-percent worth your time/effort to do the same in your environment/business.

North Idaho Tom Jones

dalami · Sat Aug 22, 2020 12:06 pm

New request - add a new action to Firewall (probably under Filter)..."Run Script".

Possible horrible security hole? Of course - like anything else.

My first intended use case - via a port knock sequence, update the stored IP for an IPSec peer.

An alternative solution for this use case - allow IPSec peer definitions to be defined with an address-list parameter instead of only a fixed IP.

Another option - allow scripts to be triggered on an address-list change.

pe1chl · Sat Aug 22, 2020 2:01 pm

That is technically not feasible, I'm afraid. Firewall rules are evaluated inside the kernel and they cannot call something in a user process.
The best that could be done is direct some matched traffic towards an NFLOG socket and then have a process listening there and executing the script.
But that still would mean the actual traffic is either passed or blocked depending on the firewall rule, not depending on the outcome of the script.
I'm not sure if that would be obvious to the average user. It would also likely require some complicated setup.

About the IPsec use case: I have requested before to have scripts called in Phase1 that could setup Phase2 policies. That is possible in racoon, but it appears that RouterOS is using FreeSwan/StrongSwan instead. I don't know if that software allows such scripts.

gutzeit · Fri Sep 11, 2020 7:17 am

Hello, please introduce support for the coa radius for the dhcp server. This is required to change the Mikrotik-Rate-Limit. Thank you.

pe1chl · Tue Sep 15, 2020 11:56 am

I wouId like to see some classification options (filters) in the DHCP server, so that one can direct different device classes into different pools/networks.

E.g. the ISC DHCP server has a quite powerful mechanism for that, where you can define a "class" based on the DHCP request parameters (like vendor class identifier, DHCP requested options, MAC address, hostname etc), and then you can have different pools where each pool has a list of classes that can or cannot use that pool.
(you can have different allow and deny rules in each pool)

This would allow things like putting devices in another pool/network and thus have different attributes like access to internet yes/no, while they connect to the same physical network.
It would be a good start when it can filter on these attributes:
- vendor class identifier (a string)
- MAC address (a value and a mask)

Chupaka · Tue Sep 15, 2020 12:42 pm

- vendor class identifier (a string)

Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes

- MAC address (a value and a mask)

In the light of MAC address randomization it becomes less and less useful...

pe1chl · Tue Sep 15, 2020 2:29 pm

- vendor class identifier (a string)
Isn't that what's already supported? https://wiki.mikrotik.com/wiki/Manual:I ... or_Classes

Ok I was not aware of that. Indeed it is most like what I need except that I would like an extra match capability on MAC address/mask.

- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...

But that is in fact one of the the applications I have for it :-)
I want to give users with a local (random) MAC address (02:00:00:00:00:00/03:00:00:00:00:00) an IP address from a different pool where they will get a portal page that prompts them to set "device MAC" for this connection...
The reason for this is that I want to be prepared for a possible meltdown of the network when some manufacturer decides that it is best for privacy to change the MAC all the time, or when they bind it to AP MAC instead of SSID (we have 34 APs so that would cause mayhem in our network)

So this makes my feature request probably much easier to implement as the framework for doing this is already present. It becomes like:
- add capability for "dhcp vendor class" to match on MAC address/mask in addition to match on DHCP request class-id.

mkx · Tue Sep 15, 2020 4:01 pm

- MAC address (a value and a mask)
In the light of MAC address randomization it becomes less and less useful...
But that is in fact one of the the applications I have for it :-)

Exactly. There are a few good use cases where client device MAC randomization doesn't make any sense and it's good to have some way to remind users to switch off MAC randomization for a particular SSID.

santyx32 · Tue Sep 15, 2020 10:19 pm

As a home user I request the following to Mikrotik:

Proper WiFi 5 Wave2 support for IPQ40XX and QCA9984 chipsets along with new WiFi 6/6E hardware.

Fq_codel queue type to be available on ROS.

davit1988 · Fri Sep 25, 2020 7:00 pm

Can I have a link to the Feature requests for SWos

I am looking for feature of subnet mask default gateway on SWos software.

Without this feature it is impossible to manage/monitor a MikroTik device running on SWos from a different subnet. I am surprised it is omited and is a major limitation.

Regards,
David

Network Engineer, CCNA

pe1chl · Tue Sep 29, 2020 7:52 pm

Can I have a link to the Feature requests for SWos

I am looking for feature of subnet mask default gateway on SWos software.

Without this feature it is impossible to manage/monitor a MikroTik device running on SWos from a different subnet. I am surprised it is omited and is a major limitation.

Regards,
David

Network Engineer, CCNA

You may be surprised as a network engineer, but SWos does not require this information!
You will find that when you access the switch from another network (reachable only via a gateway), that will just work, even without any subnet mask or gateway information.
Maybe it is an interesting study object to find out how it does that :-)
(it is described somewhere in the online manual, so don't look there first)

TomjNorthIdaho · Wed Sep 30, 2020 1:03 am

A Mikrotik 40-Gig switch is much needed

I sure would like to see a Mikrotik switch with at least eight 40-Gig ports ( or even better yet a 16-port 40-Gig switch ) and also somewhere between two to 8 10-Gig ports ( and zero 1-Gig ports ).

I need some 40-Gig switches right now. We are currently in the process of changing our internal 10-Gig core switches to 40-Gig. If Mikrotik routers/switches had any 100-Gig interfaces , then I would be fork-lifting my core internal network ( routers & switches ) to a 100-Gig core network.

A 10-Gig core network is just not enough core network throughput these days.
I am getting ready to install a second 10-Gig BGP peering session, ( so two CHR 10-Gig BGP peering routers and a CHR 10-Gig core OSPF router just does not cut it.
Also my internal 10-Gig NFS/iSCSI network is already peaking at 10-Gig now and needs to also be upgraded to 40-Gig interfaces.
In addition, with a eight-port 40-Gig switch , I could then connect connect all of my VmWare ESXi servers at 40-Gig ( I have several CHRs I also want to get talking on 40-Gig networks - but I need a 40-Gig switch first...

North Idaho Tom Jones

Chupaka · Wed Sep 30, 2020 5:32 pm

viewtopic.php?p=818709#p818709

They semi-announced 100G in their newsletter :)

michaels · Thu Oct 22, 2020 8:30 pm

Feature requests IPv6 DHCP Relay - Prefix Delegation - create route

Currently (6.48beta48 and 7.1beta2) the relay does not create a route for the prefix.
Without the route on the relay router, the prefix is not reachable.

further description:
viewtopic.php?t=117283
viewtopic.php?f=2&t=97156

neszt · Tue Nov 17, 2020 7:01 pm

Feature request: add do-not-round option for /ping. (or accuracy=1/10, 1/100, 1/1000 or so)

Currently the /ping utility rounds to ms, which accuracy is enough in most cases. However, there are situations where there is a serious need for greater accuracy, e.g. gives a linux ping.

Sparhawk76 · Sun Dec 06, 2020 9:22 pm

Is it at all possible to add a "Add to Connect-List" button next to the "Connect" button in the Wi Fi Scan result detail's in the web interface.

If the network is an encrypted one, then it should prompt you for the encryption key and automatically add a new entry to the Security Profiles for the new network named to match the SSID.

This would get around the problem of the Connect button changing the default rule in the connect list, that allows the router to automatically connect to available wifi networks as the router moves in mobile installations (RV/Boat).

SiB · Mon Dec 07, 2020 2:15 pm

Feature request: add do-not-round option for /ping. (or accuracy=1/10, 1/100, 1/1000 or so)
Currently the /ping utility rounds to ms, which accuracy is enough in most cases. However, there are situations where there is a serious need for greater accuracy, e.g. gives a linux ping.

They listing at that post :) and now... ros7.1beta3

[marcin.przysowa@SXTR_LTE6] > ping mikrotik.com
SEQ HOST SIZE TTL TIME STATUS
0 159.148.147.196 56 47 115ms363us
1 159.148.147.196 56 47 78ms822us
2 159.148.147.196 56 47 67ms953us
3 159.148.147.196 56 47 64ms792us
sent=4 received=4 packet-loss=0% min-rtt=64ms792us avg-rtt=81ms732us max-rtt=115ms363us

expo · Sat Jan 09, 2021 10:23 pm

Feature request;

HA feature that will synchronize configuration and connection state between two routers for a active/standby type of network.

See this HA script for inspiration;

https://github.com/svlsResearch/ha-mikrotik

Would like this deployed as a official feature of Ros

tpedko · Wed Jan 20, 2021 2:29 pm

Add Transmission of Syslog Messages over TCP

IPANetEngineer · Wed Jan 20, 2021 5:08 pm

IS-IS and Segment Routing (SR-MPLS)

Discussion is here:

viewtopic.php?f=1&t=171278&p=837339#p837339

pe1chl · Fri Jan 22, 2021 11:27 am

Change /tool netwatch so that it can also use ARP instead of PING (similar to route gateway checking)
When a local address of the router is entered, it is still to send ARP to the interface of that subnet and react on ARP replies.
UP/DOWN status is maintained depending on the arrival of ARP replies.

Purpose: to watch if another host on the network has set the same IP address as the address a local interface, and possibly send alerts if so.
Similar to "DHCP server alerts".
But of course can also be used to monitor hosts on the local network for being up/down.

Background: someone has entered the address of the default gateway as their own IP address by mistake. Big mayhem. It would be nice to be able to send alerts for that condition before debugging has to be done.

millenium7 · Fri Feb 05, 2021 8:11 am

Please make some adjustments to OSPF neighbor reporting
First and foremost please take adjacency changes out of the debug,raw log location, its ridiculous. At the moment only 'Down' is included in 'route, ospf, info' so you can see when a neighbor goes down, but you cannot get a log message when neighbor goes up. Only way to see state changes from i.e. down to exstart, 2way, up etc you need to enable full OSPF debugging, this floods the log file with all OSPF packet data and is totally impractical.
We use remote syslog alerts to notify us of any OSPF state changes in real-time as they are critical to network operation and detecting a failure. It wastes a lot of staff time manually checking when it wouldn't be necessary if 2 seconds later we could see a message for "Up"

Secondly I think OSPF state changes shouldn't be in 'route, ospf, info' but rather 'route, ospf, warning'. As most of the time Info messages aren't important and i'd like to exclude them. I feel Warning is a more appropriate level

Third please change the default view in OSPF->Neighbors tab to include the 'Adjacency' and 'State' columns. Adjacency time in particular is probably the single most important piece of information to quickly glance and see "Hang on, why has that neighbor only been up for 30 minutes and all the rest are 60 days? time to investigate link quality". It would be nice to not have to keep turning this on across hundreds of routers

Edit: Fourthly, please include the interface in the state change messages, since right now you can't tell which link between routers has gone up/down. The log messages look identical with no regard for which interface has lost adjacency. In cases of primary/backup link its far more important knowing if the primary link has failed, as its usually the much faster/better route

I've written a script as a temporary workaround for points #1 and #4 (only when Up) viewtopic.php?f=2&t=153606&p=842398#p842398

iperezandres · Mon Feb 22, 2021 10:26 am

Winbox is wonderful, but a small suggestion: consider adding snapping capabilities to the several windows that can be opened within Winbox. It would be much easier to organize it.

Thanks.

MerManMaid · Fri Feb 26, 2021 10:42 am

Winbox is wonderful, but a small suggestion: consider adding snapping capabilities to the several windows that can be opened within Winbox. It would be much easier to organize it.

Thanks.

Seconded

pe1chl · Fri Feb 26, 2021 10:52 am

Maybe you should explain what "snapping capabilities" are?

iperezandres · Fri Feb 26, 2021 10:59 am

Maybe you should explain what "snapping capabilities" are?

I refer to the option you have in Windows: select the title bar of the window you want to snap, and drag it to the edge of your screen. An outline indicates where the window will snap to once you drop it. Drag it to the left or right side of your screen depending on where you want to snap it to. Some other interfaces allow you to snap windows against each other.

There is an app in Windows that I use: http://windowgrid.net/

It helps to keep several windows visible and organized at the same time.

pe1chl · Fri Feb 26, 2021 11:45 am

Oh... well I prefer stacked windows rather than tiled ones, and I would like to see a "taskbar" or similar feature where you can click windows that have gone buried under others, to raise them again. Or some "lower" function that you can click in a large window to move it back to the bottom of the stack.

In daily use I usually have a "log" window full-sized as backdrop and open other windows on top of that. When I advertently click on the log somewhere it raises that window and all other windows disappear behind it. They can be raised only one by one via the menus, but it would be convenient when the log window could be moved back to the backdrop and/or when a list of open windows can be seen or called.

iperezandres · Fri Feb 26, 2021 11:57 am

Oh... well I prefer stacked windows rather than tiled ones, and I would like to see a "taskbar" or similar feature where you can click windows that have gone buried under others, to raise them again. Or some "lower" function that you can click in a large window to move it back to the bottom of the stack.

In daily use I usually have a "log" window full-sized as backdrop and open other windows on top of that. When I advertently click on the log somewhere it raises that window and all other windows disappear behind it. They can be raised only one by one via the menus, but it would be convenient when the log window could be moved back to the backdrop and/or when a list of open windows can be seen or called.

I like your taskbar aproach and the access to the open windows. And also compatible with the tile suggestion.

SiB · Fri Feb 26, 2021 4:29 pm

at Win10 we can Snap windows by Win + [Left/Right arrow]. For working with 3 monitors it's OK.

anav · Fri Feb 26, 2021 5:31 pm

at Win10 we can Snap windows by Win + [Left/Right arrow]. For working with 3 monitors it's OK.

Easy for a teddy bear with straw for a neck!!!

As for features I believe I read this somewhere recently where someone was suggesting firewall lists within firewall lists.
That way we can select a number of firewall lists into a group of their own and so on.

pe1chl · Fri Feb 26, 2021 7:11 pm

As for features I believe I read this somewhere recently where someone was suggesting firewall lists within firewall lists.
That way we can select a number of firewall lists into a group of their own and so on.

That feature has been present for years. But people don't bother to really study the matter so they often will not find that by themselves.

SiB · Sat Feb 27, 2021 12:57 pm

more important for me will be a selective protocol not only TCP or UDP and creating double rules but have a protocol list 6 TCP + 17 UDP in one FW RULE - this can grup my firewall rules drastically.
Access List of other Access List will be greate like the rules like a one regex: 10.50.[128-254].[30-35] who will match my all 128 branches with printers range in each branch - now I generate 128 rules for one LISTs in Access List.

pe1chl · Sat Feb 27, 2021 5:22 pm

more important for me will be a selective protocol not only TCP or UDP and creating double rules but have a protocol list 6 TCP + 17 UDP in one FW RULE - this can grup my firewall rules drastically.

That makes no sense! TCP and UDP are different protocols, they cannot be grouped.

Access List of other Access List will be greate like the rules like a one regex: 10.50.[128-254].[30-35] who will match my all 128 branches with printers range in each branch - now I generate 128 rules for one LISTs in Access List.

As I said before: people don't bother to really study the matter so they often will not find that by themselves.
They do stupid things that can easily be done another way.

SiB · Sun Feb 28, 2021 7:17 pm

That makes no sense! TCP and UDP are different protocols, they cannot be grouped.

TCP&UDP for 53, 3389 can be done by 2 rules, not 4.

pe1chl · Sun Feb 28, 2021 7:55 pm

And rules for a number of different addresses can be combined using address lists.
Rules that are some exception e.g. only for certain interfaces can be grouped into a single chain that is jumped from the toplevel chains.
So there really is not a problem.

prawira · Mon Mar 01, 2021 11:33 am

another feature request from me :
viewtopic.php?t=172489

Paul

craterman · Mon Mar 01, 2021 1:06 pm

BGP Link Bandwidth Extended Communities
https://tools.ietf.org/html/draft-ietf- ... ndwidth-07

millenium7 · Mon Mar 15, 2021 2:48 am

MikroTik please fix/implement the SNMP-Get output as standard
Currently /tool snmp-get does not allow you to store the output to a string/variable, it remains empty, making it a rather useless command

I need to be able to poll other devices in our network and then take action
Our main use case is for monitoring values on a radio link
i.e. RouterA->RadioA->RouterB->RouterB
We run OSPF from RouterA to RouterB which is fine for detecting outright link failure. But if the link between RadioA and RadioB becomes slow or unreliable, then neither router has any knowledge of it

I want routers to poll their radio neighbor and get the RSSI/SNR/MCS values and act upon them. If there's a heavy rain storm causing a link to run at MCS0/1 or flapping, or lots of retransmission I want to disable the OSPF interface so traffic does not use that link and takes another path until it comes back to normal stable values
At the moment it causes havoc with phone calls

pe1chl · Mon Mar 15, 2021 11:08 am

I want routers to poll their radio neighbor and get the RSSI/SNR/MCS values and act upon them. If there's a heavy rain storm causing a link to run at MCS0/1 or flapping, or lots of retransmission I want to disable the OSPF interface so traffic does not use that link and takes another path until it comes back to normal stable values
At the moment it causes havoc with phone calls

I agree, but although it would be possible to do all kinds of custom scripting for this it would be even more welcome when there would be some standard facility to automatically use link quality metrics in routing protocols. I.e. a worse link can get a lower preference so it is not completely disabled but can still be used as a fallback when all other paths fail.

It appears that a major market for MikroTik is the wireless network where multiple wireless links are combined with routers to form a network, and it is a bit of a pity that the wireless world and the routing world are completely isolated. The wireless world has metrics like RSSI/SNR/CCQ/MCS but the routing world assumes all links are equal and 100%.

prawira · Tue Mar 16, 2021 3:14 pm

dear all,

as dhcp-server on mikrotik already support vendor-class but mikrotik device itself does not have vid, than it's good ide to put special vid for all of mikrotik devices. so we can put mikrotik devices on different pool (still on the same dhcp-server) according to the vid.

cheers

Paul

millenium7 · Wed Mar 17, 2021 3:00 am

I agree, but although it would be possible to do all kinds of custom scripting for this it would be even more welcome when there would be some standard facility to automatically use link quality metrics in routing protocols. I.e. a worse link can get a lower preference so it is not completely disabled but can still be used as a fallback when all other paths fail.

It appears that a major market for MikroTik is the wireless network where multiple wireless links are combined with routers to form a network, and it is a bit of a pity that the wireless world and the routing world are completely isolated. The wireless world has metrics like RSSI/SNR/CCQ/MCS but the routing world assumes all links are equal and 100%.

Absolutely. However assuming we stick with OSPF it's not viable as it would break compatibility with other devices. However if its another protocol that rides on top of it as an extension and can completely override the OSPF behavior (much like what MPLS does) then, maybe
However this still presents a problem because the radio's need to be polled, and all devices have different methods of reading the data. Vast majority don't have API's or any sort of protocol to communicate whats happening, the only possible solution is SNMP and thats just too messy to be used in any sort of official protocol

This isn't a MikroTik problem, it's a wireless standards problem. There should be another industry standard protocol that can communicate link quality stats, and any devices in beween link end-points have the ability to communicate what they are, what their role is, what their reported link quality/speed/retransmission/etc is data and then this information can be acted upon by routers that use this language in an MPLS/OSPF/Something else protocol to more intelligently handle traffic
So you could do things like use Radio link A for all traffic, but as it progressively drops it'll start to shift high CoS traffic elsewhere and/or load balance (or even transmit duplicate frames to improve delivery efforts) but then steer it back as needed

However the short simple version is this: Right now MikroTik is just 1 small step away from allowing the community to write their own pseudo protocol by way of reading SNMP values. Everything is already in place to do this, literally just need the ability to store SNMP values for use in scripts

pe1chl · Wed Mar 17, 2021 11:45 am

Yes, that surely would help. It would be nice to have the possibility to read SNMP values into variables and then run a script to modify parameters of the routing.
In BGP it would be possible to change route filters that set "BGP prepend" and "BGP local pref". Unfortunately they are course controls but it is at least better than disabling an entire interface and potentially make a destination completely unreachable.
I have been thinking about it before, and considered writing something that would be running at a central location (or a location per area) e.g. on a Raspberry Pi, which would collect this information for several links, do some calculation of an optimal usage of the available links, and then configure the routers via API.
I have no experience with OSPF. I did use EIGRP in the past and there is a calculation of a path metric from bandwidth, load, delay and reliability there which would suit much better what we need here.

millenium7 · Thu Mar 18, 2021 12:03 am

I don't like OSPF for wireless networks, it really isn't a very good protocol for it at all, EIGRP definitely would be better suited but i've had this discussion before but it seemed to fall on deaf ears
The next best thing (and I actually agree for more widespread use, not just wireless networks) is IS-IS
With OSPF you don't have many metrics to tweak, best you can do is path cost and that will drop the adjacency so it isn't suited for live adjustment
BGP is really not suited for internal networks. iBGP has problems, and BGP routes don't get used as MPLS labels so that's already a problem

We have 2 options, MPLS-TE potentially, though I really don't have much experience with it to know if its suited

And this viewtopic.php?f=14&t=161968&p=843061#p843061
Which is also very messy and only allows traffic steering 1 hop at a time. However combined with some lists of mangle rules its possible to define levels and steer traffic accordingly
i.e. under normal circumstances just ignore it, but as load increases or conditions worsen by reading radio values, create a 'Level1' global variable and then enable a mangle rule that sends just DSCP 46 traffic for instance
As it gets worse again, go to Level2 which in addition to DSCP46 might start steering control protocols like winbox, BGP, SNMP etc
Then Level3 which includes TCP handshakes
Level4 business class traffic etc etc

This would allow some dynamic traffic offloading. It's just very messy with scripts. However for the most part its copy/paste once setup correctly, this is what i'd be implementing i'm just waiting on 1 particular key thing.................... ABILITY TO STORE SNMP VALUES! :\

pe1chl · Thu Mar 18, 2021 11:51 am

I think your only real option for routing differently depending on packet marks (e.g. based on DSCP or other kinds of SLA) is to have multiple different routing tables each maintained by a separate instance of a routing protocol (or different routing protocols), and using a selection of the routing table that is the same all through the network.
In your case: you maintain a separate routing table for VoIP and select it based on DSCP 46 or "upper 3 bits of DSCP are 5".
The routing table (also called "routing mark" in RouterOS is maintained by a routing protocol instance that is tuned differently, and emphasizes on reliable paths rather than fast paths.
To get this working OK in more complex networks than you picture it is essential that all the nodes in the network are configured the same, and that there are no nodes where e.g. the routing table selection based on DSCP is forgotten or is different. Because that would easily result in routing loops.

Helix · Thu Mar 18, 2021 7:02 pm

This isn't a MikroTik problem, it's a wireless standards problem. There should be another industry standard protocol that can communicate link quality stats, and any devices in beween link end-points have the ability to communicate what they are, what their role is, what their reported link quality/speed/retransmission/etc is data and then this information can be acted upon by routers that use this language in an MPLS/OSPF/Something else protocol to more intelligently handle traffic

pe1chl · Fri Mar 19, 2021 10:39 am

Please add average cpu usage for the last day / month / year whatever.

That has been available for many years already! Look at Tools->Graphing

mada3k · Fri Mar 19, 2021 10:52 am

Please make some adjustments to OSPF neighbor reporting
First and foremost please take adjacency changes out of the debug,raw log location, its ridiculous. At the moment only 'Down' is included in 'route, ospf, info' so you can see when a neighbor goes down, but you cannot get a log message when neighbor goes up.

I agree. All other platforms reports Up's and Down's.

pe1chl · Sat Apr 17, 2021 12:18 pm

Can you please add the "rpfilter" matcher to the firewall matching rule options?
See viewtopic.php?f=2&t=120863 and viewtopic.php?f=14&t=56572

emunt6 · Mon Apr 19, 2021 1:57 am

What is the future replacement plan for CCR1072?
( Tilera CPU support is dropped by linux kernel - so its no future ).

I would like to see a new CCR hardware like this:
- Intel BareFoot TOFINO based ASIC
- ARM64 CPU (example: Marvell OCTEON )
- 32GB ECC RAM
- 2x msata / SATA port
- 2x USB port
- 2x hot swap PSU

Just for comparison:
-Ubiquiti USW Leaf Switch (48x 25GbE and 6x 100GbE)

:)

Cablenut9 · Mon Apr 19, 2021 2:32 am

( Tilera CPU support is dropped by linux kernel - so its no future ).

Mikrotik has already made kernel patches just for Tilera, so no worries there.

mkx · Mon Apr 19, 2021 8:23 am

( Tilera CPU support is dropped by linux kernel - so its no future ).
Mikrotik has already made kernel patches just for Tilera, so no worries there.

Tile is an old platform never the less and would be unwise to introduce new products based on outdated hardware. Future support for current products is a completely different matter.

Guscht · Fri Apr 30, 2021 11:39 am

Hi, I have seen Mikrotik has implemented in ROS V7 beta / UserManager an OTP-option to couple the Google Authenticator App.
This works flawlessly great!

My request would be: PLEASE add this feature to the normal PPP-Secrets as well and also in ROS V6 (because I assume ROS V7 will not show up the next 2 - 5 years and 2FA is really important)!
This would dramatically increase security!!

First factor the normal password.
Second factor the OTP from the Authenticator App.

Unbenannt-1.jpg

Fri Apr 30, 2021 11:50 am

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requist=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y

Regards
Cant you already do that via firewall, dont understand what more you need, if you want to block DNS requests form outside net, or alow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..

+10
It's better than firewall, like all other /ip services you an directly put here the IP range without using firewall,
and is more logical approach for SERVICE inside the RouterBOARD than firewalling itself....

Fri Apr 30, 2021 12:23 pm

In the scripts and schedules editor in winbox can we please add the ability to select all - ie ctrl a? At the moment in order to select a big script you have to manually drag from start to finish.

ctrl + home
ctr + shift + end

pe1chl · Fri Apr 30, 2021 4:26 pm

Under /system logging action for target=remote please add some option to include the topics in the message sent to the remote log server.
E.g. add [topic,topic,topic] between the system name and the message when this option is set.

akschu · Fri Apr 30, 2021 6:02 pm

Formatting for /tool sniffer quick needs some work. The wider the console, the more space is given to the INTERFACE column, however that is static and we know what that is since we probably defined it. It would be FAR better to give the space to the SRC-ADDRESS and DST-ADDRESS columns. That way we don't end up with something like this:

INTERFACE                                                                                        TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP
ether1                                                                                    0.3      1 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                   1.29      2 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                   2.29      3 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                  3.307      4 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                    4.3      5 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no
ether1                                                                                    5.3      6 <-  00:50:56:A6:61:84 FF:FF:FF:FF:FF:FF        192.168.99.1: who has 192.168.99...                                     arp          60   1 no

Notice we have all the space in the world for the INTERFACE, but the arp request shown in SRC-address is cut off and useless. If I make the console wider, I still can't see the ARP, I just get more blank space in the INTERFACE column.

Fri Apr 30, 2021 6:09 pm

Under /system logging action for target=remote please add some option to include the topics in the message sent to the remote log server.
E.g. add [topic,topic,topic] between the system name and the message when this option is set.

Prefix already exist...

pe1chl · Fri Apr 30, 2021 6:32 pm

Prefix already exist...

That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]

Fri Apr 30, 2021 9:09 pm

Prefix already exist...
That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]

Ah, sorry, I have misunderstand...

DJGlooM · Tue May 04, 2021 3:32 am

Just thought of:

Is it possible to make winbox open predefined sets of windows on connect?
I guess it'll be like universal session. Because from time to time you need to manually configure some sets of typical settings and it would be nice not to navigate the same tabs over and over.

Jotne · Tue May 04, 2021 8:05 am

That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]

See my post here from 2017. MT has not fixed anything of this yet.
viewtopic.php?t=124291

Support has only sad that they are looking inn to it. Nothing has changed in v7

pe1chl · Tue May 04, 2021 11:01 am

That is fixed text. I want to see the topics that are visible when logging in memory. These differ per message.
E.g. [system,info,account] or [ipsec,error]
See my post here from 2017. MT has not fixed anything of this yet.
viewtopic.php?t=124291

Support has only sad that they are looking inn to it. Nothing has changed in v7

True, but in this case I am not referring to cleanup of the topic names or capabilities to match it inside RouterOS, but to
the possibility of sending the topic names in a syslog message. As far as I know that isn't possible, or do you know a way?
I want the message sent to a BSD syslog server to include those topic names into the message text, not only setting the
message priority based on the warn/info/debug thing. As far as I know all other topic info is gone once it is sent as syslog.
Or am I wrong?

And indeed, the reason I post it is also that nothing is changed in v7 w.r.t. this, while it is apparent that some improvements
can be made to the logging.

Jotne · Tue May 04, 2021 1:16 pm

Can you post an example on how it looks like and how you would like it to be.
I do use lots of logging in Splunk for Mikrotik, see my signature, and not sure what you miss.

PS no need to quote the complete message above you. Use Post Reply button blow the post, please.

imager · Tue May 04, 2021 2:21 pm

Add feature support for industry standards IEC 61850-3 and IEEE 1613 for electrical substations.

modsx · Tue May 04, 2021 3:07 pm

Need to The Dude with one mouse click on the Device opens the Winbox. We are not woodpeckers!
P.S. It would still be nice if could drag&drop the Devices to another Network Map, but this is secondary.

pe1chl · Tue May 04, 2021 4:47 pm

Can you post an example on how it looks like and how you would like it to be.

When I look in the logging that my BSD syslog server writes to disk I see:
May 2 10:43:20 MikroTik Connection closed

When I look in the Log viewer in Winbox I see:
May/02/2021 10:43:20 | route, bgp, info | Connection closed

I see no way to get that "route, bgp, info" part in the log message sent to the BSD syslog server.
How do you do that?

Oh and please do not bug me about including some context in a reply! When I put replies without context I get nonsense reactions from people that reply to it without first checking to what it was a reply.

Jotne · Tue May 04, 2021 9:26 pm

Strange. I do get lots of module info. Look at example in my link:
viewtopic.php?t=124291

Try to remove the check mark for BSD Syslog format and see if it changes.
I do log to Splunk directly, but I have tested it with rsyslog server and it works there as well.

Here are some example. I have added MikroTik as a prefix.

firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 11.11.183.214:47494->22.20.2.91:24063, len 40
dhcp,debug,packet MikroTik:     Parameter-List = Subnet-Mask,Router,Domain-Server,Domain-Name,NETBIOS-Name-Server,Static-Route
script,info MikroTik: script=pool pool=default-dhcp used=9 total=244
dhcp,info MikroTik: DHCP-vlan1-Home assigned 192.168.10.186 to 3D:8E:20:1D:F0:29
dns,error MikroTik: DoH server connection error: remote disconnected while in HTTP exchange
dns,packet MikroTik: <gew1-accesspoint-e-l0np.ap.spotify.com:A:107=104.199.64.182>
wireless,info MikroTik: 9E:7A:3A:89:36:A1@wlan2: disconnected, received disassoc: sending station leaving (8)
bridge,stp MikroTik: wlan2 forwarding
dhcp,warning MikroTik: DHCP-vlan1-Home offering lease 192.168.10.206 for D8:BF:C0:50:33:DC without success
l2tp,ppp,info MikroTik: <l2tp-Kjell-Ivar>: disconnected
ipsec,info MikroTik: ISAKMP-SA deleted 22.20.2.91[4500]-9.19.78.44[4500] spi:46f07f9aaad565f3:4b0b7aaaa22ae161 rekey:1
l2tp,info MikroTik: first L2TP UDP packet received from 9.19.78.44

Mike33 · Wed May 05, 2021 3:01 am

1) Need support for global variables that could be used in firewall rules and scripts.
2) Need support for dns-names in firewall rules.

pe1chl · Wed May 05, 2021 11:23 am

Try to remove the check mark for BSD Syslog format and see if it changes.
I do log to Splunk directly, but I have tested it with rsyslog server and it works there as well.

Well, when I do not set BSD Syslog I cannot set Syslog Facility. That is required because I use that to direct the logs on the syslog server to the correct file.
(if not it will mix with the logs from the local system)
I set "Syslog Facility 16 (local0)" and then in the receiving system in rsyslogd.conf I match on local0 like this:
local0.* /var/log/mikrotik

I guess to solve that I would need to run a second syslog daemon on another port number and with a separate config that just sends everything to a single log...

Strange that this flag has any influence on the inclusion of the topics in the message!

Wed May 05, 2021 2:38 pm

1) Need support for global variables that could be used in firewall rules and scripts.
2) Need support for dns-names in firewall rules.

2) already exist by address-list, but

example for 1) ?
thanks

syadnom · Fri May 07, 2021 9:00 pm

For LoRaWAN devices

Add a package to support their 'light hotspot' so we can use Mikrotik's on the helium network. Helium is a rapidly growing IoT network.
Helium.com

Mike33 · Sun May 09, 2021 9:09 pm

example for 1) ?

For example, to save any state of a process between individual script launches.
For example, for more convenient writing of configuration scripts for different routers according to a single template.

2) already exist by address-list, but

What's a convenient way to update ip-addresses when one dns-name has multiple ip-addresses?

Mike33 · Mon May 10, 2021 12:41 am

example for 1) ?

For example, in the script, an SMS is sent via the lte port to a certain phone number.
It would be convenient if this number was taken from some global variable. When it becomes necessary to change this number, then there will be no need to change the script text, but it will be enough to change the value of the global variable.

Mon May 10, 2021 1:05 am

:global variables already exist...

Mon May 10, 2021 1:10 am

2) already exist by address-list, but
What's a convenient way to update ip-addresses when one dns-name has multiple ip-addresses?

" already exist by address-list" is not "already exist the address-list"
The addres list auto add and update dynamically the IP, if you put inside the address list the dns name.

But for me is a very bad idea to add DNS name to Firewall rule, if the IP change often, like on CDN, for example Netflix,
everytime the rule is hit, firewall must wait DNS resolution...

Mon May 10, 2021 1:15 am

example for 1) ?
For example, to save any state of a process between individual script launches.

":global" variables already exist...
and you can save variable value on file,
and you also can send file to another device, and on that device read variable(s) inside file and set it on (locally) global variables...

Mon May 10, 2021 1:17 am

For example, for more convenient writing of configuration scripts for different routers according to a single template.

???
already I'm using the scripts with inside Global variables to configure the devices, like all the CPE, AP, PTP, etc.

emunt6 · Wed May 12, 2021 4:20 pm

*Feature Request

Mikrotik CCR products:
> Comformity againts the Telcordia NEBS (GR-63, GR-1089) requirements
( https://telecom-info.njdepot.ericsson.net/ )

mike548141 · Thu May 20, 2021 2:21 am

With the default NTP client I can use DNS FQDN's to specify the NTP sources, but if I install the NTP server package I can only specify IP addresses as the NTP sources. Not ideal since the IP addresses change over time and are out of my control (and the same for most people using an Internet NTP source).
Could you please merge the standard NTP client code with the NTP server package code so that both support using DNS FQDN's for the source.

/system ntp client set enabled=yes server-dns-names=0.nz.pool.ntp.org,1.nz.pool.ntp.org;

pe1chl · Thu May 20, 2021 11:23 am

Could you please merge the standard NTP client code with the NTP server package code so that both support using DNS FQDN's for the source.

This has been resolved in the version 7 beta so I guess you will have to wait until that becomes the stable version.
It also allows more NTP servers and the server package is no longer separate (all installations have client and server).

ivicask · Fri May 21, 2021 2:03 pm

Can we get ICAP client support?

codykl · Sun Jun 13, 2021 8:48 pm

Can you add the ability to disable and enable caps-man configurations?

This would allow for more flexible control of SSID's for groups of provisioned routers, for example:
Provisioning1: Config1:SSID1, Config2:SSID2, Config3:SSID3
Config3 gets enabled/disabled via scheduler script.

mike548141 · Fri Jun 18, 2021 11:13 am

If an ethernet interface has been made a slave of a bonded interface (e.g. LACP) then it should have a value assigned on the physical interface that tells you (a) it is bonded and (b) the name of the bonded interface.
This way when querying interfaces from a script we can see whats bonded by looking at either the physical or bonded interfaces.

Fri Jun 18, 2021 2:30 pm

set the syslog remote address as fqdn or domain name and not only IP.

untill is not like this, you can still use scripting for update IP.

mike548141 · Tue Jun 22, 2021 8:12 am

The :log command should accept a variable for the log event severity e.g.

:log $severity message=$message;

Tue Jun 22, 2021 3:38 pm

The :log command should accept a variable for the log event severity e.g.

Sure it's not already feasible?...

:global type "warning"
:global message "test"
:execute ":log $type $message"

Fri Jun 25, 2021 2:10 pm

Already exist, and is not a routeros feature

prawira · Sun Jun 27, 2021 9:27 am

As CRS3xx having more features compare to CRS1xx/CRS2xx, we request to create CRS312-8G-4S and CRS312-8G-4S or CRS310-8G-2S and CRS310-8G-2S as not many customers need the big number of ports for their switches.

Example, we need to install a wifi on 6 floors of dormitory with 6 APs for each floor. the AP using cap-ac and the current switch using CRS112-8P-4S. but we stuck on the switch itself as the hardware offload turned-off when we activated vlan-filtering.
by putting 1 CRS328-24P-4S will make difficulty of the future maintenance as that switch can cover for 4 floors.
we prefer 1 switch for each floor. putting CRS328-24P-4S or CRS318-16P-2S will be cost inefficient

thank you

mada3k · Sun Jun 27, 2021 11:21 am

Abut we stuck on the switch itself as the hardware offload turned-off when we activated vlan-filtering.

Then you are doing it wrong. You should do the configuration under /interface ethernet switch

But I can agree that it would be nice if the CRS1xx had the same configuration style as CRS3xx

TomjNorthIdaho · Thu Jul 01, 2021 8:12 pm

ONIE ( bare metal switch )

First - some quick background information:
* Mikrotik has a couple of decent Router Operating Systems ( ROS ) which work well and can run very fast routing functions when installed on generic x86 hardware systems.
* X86 ROS is a 32-Bit stand-alone ISO installable Router Operating Systems what can be installed on almost any x86 computer.
* CHR ROS is a 64-Bit virtual Router Operating system which can only be installed as a virtual system on a hyper-visor system such as VmWare ESXi ( there are other supported hyper-visors also supported ).
** Both x86 and CHR both have the capability to process packets ( Layer-3 routing & firewall functions ) at some impressive very fast rates when they are installed on a high-end bare-metal-box.
** Note - there are other software non-Mikrotik-ROS routing operating systems that are also available ( such as PfSense and others ).
** All of the above have their strengths and weakness areas in price and performance.

Second
Now - here is where I am going with this; There is a growing open-source standard called ONIE which is for Layer-2 bare-metal switches.
With an ONIE bare-metal switch ( with interfaces and a switch chip) , you select and install the Network Operating System of your choice ( software operating system ) you want to run on your bare-metal Layer-2 switch.
Note: Mikrotik does not have a 32-Port 40GbE switch. However there is one or more ONIE bare-metal switches that do have 32-Port 40GbE ports. There are also some ONIE bare-metal switches with more and fewer ports and there are some ONIE bare-metal switches with 100-Gig ports ( with ONIE , the sky is the hardware limit ).

I would like to see a new ONIE compatible Network Operating System ( NOS ) from Mikrotik that is similar to x86 ROS but has the ability to communicate and manage the switch chip on an ONIE bare-metal switch. ((( For the heck of it - I will call this possible new Mikrotik switch operating system CHS ( Cloud Hosted Switch - similar to CHR for routers ) ))).
Don't get me wrong here - I love Mikrotik products - however I know Mikrotik will never build a high-end switch with every possible interface and quantity of ports that many larger ISPs and WISPs need.

I would love to have a 3-foot tall bare-metal ONIE switch with hundreds of network interfaces of all types which would allow me to select the NOS ( Network Operating System ) of my choice ( possibly a new Mikrotik Cloud Hosted Switch operating system and install in on a single ONIE bare-metal switch. It might even be possible to yank out a dozen+ switches in my NOC and replace my pile of switches with a single ONIE bare-metal switch.

I am guessing that x86 ROS might already be installable on most x86 CPU based ONIE switches - however you would likely only be able to software bridge interfaces instead of using the bare-metal ethernet switch to connect interfaces together.

With all of the above thoughts and information I have mentioned , I have a Feature request :

Feature request to Mikrotik - please consider adding a few minor supporting lines of code in the existing x86 Linux base ROS to support ONIE x86 bare-metal switches.
With an ONIE compatible Mikrotik x86 ROS system, it would not be very possible to have some incredibly fast high-throughput switches with just about every combination and quantity of interfaces needed and wanted. Note - at this time , there are already several existing Network Operating Systems (NOS) readily available and already being used/installed on existing ONIE switches. I hope that Mikrotik does not ignore the ONIE standard of open-source bare-metal switches.

Note: I am currently getting ready to order two or more bare-metal ONIE compatible switches with 32 QSFP+ ports. So which ONIE compatible Switch Operating System will install on them ? Will I use Microsoft's Switch Operating System or a Linux or BSD Network Operating System ? I know it will not be a Mikrotik ONIE NOS because they currently don't have anything.

North Idaho Tom Jones

pe1chl · Thu Jul 01, 2021 8:28 pm

Are you not under-estimating the effort?
It should be easy to make a RouterOS version that runs on the management CPU, but it should also be able to manage the switching ASIC in use in the product.
When your switch has switching hardware that MikroTik does not already support because the same chipset is used on one of their switches (maybe a different number of chips), there is more work to be done, right?

TomjNorthIdaho · Thu Jul 01, 2021 9:27 pm

Are you not under-estimating the effort?
It should be easy to make a RouterOS version that runs on the management CPU, but it should also be able to manage the switching ASIC in use in the product.
When your switch has switching hardware that MikroTik does not already support because the same chipset is used on one of their switches (maybe a different number of chips), there is more work to be done, right?

Yes , I am aware there will be some additions in x86 to manage the ASICs on ONIE compatible switches.
However , I believe there may be some ready-to-go or near-ready Linux drivers for most x86 CPU based ONIE switches.
Most Mikrotik ROS systems that run on a switch already have a working software driver to configure those switch chip ASICs.
I am aware that none the existing ROS operating systems with switch chip ASIC drivers and software code are running on x86 CPU hardware - however you have a good head start and there should be no need to start from scratch. How much software work would be involved to take the ROS x86 source code , and add in the switch chip ASIC code & ROS functions so that an updated x86 ROS could run on some of the x86 CPU based ONIE compatible switches ? Also - because there are several types and brands of ethernet switch chip ASICs, could it be as simple as creating optional packages that can be downloaded and installed on x86 ROS - where - depending on the ASIC , a specific ROS package that supports that specific ASIC can be packaged downloaded and installed onto normal x86 ROS already installed on a ONIE bare-metal switch which then add support for the ASIC. And - because there are several types of ASICS, it might be possible to have a x86 ROS package list - where each optional package adds support for a specific ASIC.

In other words ... the ability to install the existing x86 ROS system on a x86 based ONIE switch ( no ASIC support yet - only the out-of-band ethernet interface is working at this point ).
Then allow a package download that supports the specific ASIC on the ONIE bare-metal switch. If there was support for 10 ASICS, then have 10 different ASIC packages available.
As additional ASICs are supported , just create new additional ASIC downloadable packages.

I am aware none if this is easy - but Mikrotik x86 ROS should already have a good head start and might only need optional downloadable ASIC packages - instead of managing multiple x86 ROS Linux-based systems , just have one x86 ROS that supports optional downloadable ASIC packages.

TomjNorthIdaho · Thu Jul 01, 2021 10:27 pm

I guess what I am asking for , is a Mikrotik ONIE compatible x86 ROS with optional ASIC drivers.

Then I could install x86 Mikrotik with the correct ASIC package on some ONIE switches - such as the one in this picture ( qty 64 100-gig ports ) or any other x86 CPU based ONIE switch which has an optional Mikrotik x86 ROS package for the specific ASIC chip set.

onie-100-Gig--64-ports.png

.

Or - I could wait until Mikrotik makes a switch like this...

pe1chl · Fri Jul 02, 2021 12:10 pm

I am aware that none the existing ROS operating systems with switch chip ASIC drivers and software code are running on x86 CPU hardware - however you have a good head start and there should be no need to start from scratch. How much software work would be involved to take the ROS x86 source code , and add in the switch chip ASIC code & ROS functions so that an updated x86 ROS could run on some of the x86 CPU based ONIE compatible switches ? Also - because there are several types and brands of ethernet switch chip ASICs, could it be as simple as creating optional packages that can be downloaded and installed on x86 ROS - where - depending on the ASIC , a specific ROS package that supports that specific ASIC can be packaged downloaded and installed onto normal x86 ROS already installed on a ONIE bare-metal switch which then add support for the ASIC. And - because there are several types of ASICS, it might be possible to have a x86 ROS package list - where each optional package adds support for a specific ASIC.

We do not even have that for native MikroTik hardware! All RouterOS versions for a specific CPU contain all drivers for all routers with that CPU.
And the tendency is for MikroTik to move away from optional packages and incorporate all options into the main package, leaving only truely niche functionality that can live as a completely independent package (like UPS monitoring) as an optional package.

Putting drivers and other low-level functionality in packages is not as easy as you think.
Sure, you can put a driver in a package that installes the modules and they will be loaded when that hardware is detected, but there normally will be higher level code as well that interweaves with many other things and introduces tricky dependencies.
You not only want to configure your switch ASIC for basic VLAN switching, you also want L3 routing acceleration, DHCP and ARP snooping, spanning tree, LCP, etc.
Adding a new switch ASIC will not be simple, and certainly cannot be made independent from MikroTik (MikroTik providing the RouterOS and others providing the support for their favorite ASIC).
At least not without a complicated standardized interface between ASIC drivers and router operating systems, which does not appear to be covered in ONIE.
(ONIE just specifies how an OS is installed and loaded, i.e. the trivial part of the entire operation)

TomjNorthIdaho · Fri Jul 02, 2021 4:39 pm

Well ... when it comes to hardware - software - firmware - features and cost ...
. I guess I am more of a "How do I do it" person and not a "I can't do that because it's to hard" person.

Back in the late 1970s and 1980, I started a computer manufacturing company ( IBM PC not invented yet ).
As the engineer, I always made products and services that others said can't be done or it's to hard. We made $ millions
Now - today 40+ years later, I have a pretty good idea of what direction technology is going.
I've seen hundreds of computer companies loose money and go out of business because they do not have products that the world wants to pay for.

mozerd · Fri Jul 02, 2021 5:25 pm

Well ... when it comes to hardware - software - firmware - features and cost ...
. I guess I am more of a "How do I do it" person and not a "I can't do that because it's to hard" person.
..........
Now - today 40+ years later, I have a pretty good idea of what direction technology is going.
I've seen hundreds of computer companies loose money and go out of business because they do not have products that the world wants to pay for.

Frist ... Thank You very much for introducing me to https://www.opencompute.org/wiki/Networ ... NOS_Status ..... very interesting

2nd ... 100% agree with you commentary and Contribution.

emunt6 · Sat Jul 03, 2021 6:16 pm

I guess what I am asking for , is a Mikrotik ONIE compatible x86 ROS with optional ASIC drivers.

Then I could install x86 Mikrotik with the correct ASIC package on some ONIE switches - such as the one in this picture ( qty 64 100-gig ports ) or any other x86 CPU based ONIE switch which has an optional Mikrotik x86 ROS package for the specific ASIC chip set.

onie-100-Gig--64-ports.png.

Or - I could wait until Mikrotik makes a switch like this...

ASIC Drivers/APIs are not "Open-Sourced" you need buy "license/contract" from the manufacturer to have full access to ASIC to be able to implement specific functions for offloading-to-ASIC. Currently what you get now is a CPU based switch( = software switch ) - that cannot handle large Gb/s , TB/s switching-routing - due the limitations of the PCI-E bus bandwidth (PCIE-E Version 4.0 ×16: 31.5 GB/s ) and X86-CPU computational limits ( impossible ).

ONIE or "white-box-hardware" will be the future but now is not for the following reasons:
- Hardware: There is no open-sourced/standardised generic-offloading capable FPGA/CPU (ASIC) for real time processing,
- Hardware: There is no open-sourced/standardised generic-offloading capable BUS for high-speed/low-latency for real time processing ( PCI/PCI-E is not capable for such thing ),
- Hardware: X86 CPU and PCI-E BUS bandwidth limitation,
- Software: There is no generic programmability ( P4Lang - https://p4.org/ - partially solve this, but not entirely )
- Software: Stability and bugs

To summarize, you will going back to the "classic" vendors like CISCO, JUNIPER, HPE, others - they already done this, so you can do your business without headache.

runbound · Tue Jul 06, 2021 8:05 am

please add email, phone and notes in ppp secret

pe1chl · Tue Jul 06, 2021 9:58 am

please add email, phone and notes in ppp secret

ppp secret already has a comment field like most of the configuration records in RouterOS!
You can use it for that purpose.

kelner · Tue Jul 06, 2021 6:18 pm

Please add feature "reget" for "/tool fetch". Sometimes on bad links it is a problem to download to router the file of sufficient size (f.e. new firmware). AFAIK both FTP and HTTP support such functionality.
Thanks.

osc86 · Tue Jul 06, 2021 6:40 pm

I'd like to be able to queue changes and apply them all at once. Like an inverted safe mode.
I often need this when I have to make multiple changes to interfaces / ip addresses.

SiB · Tue Jul 06, 2021 6:44 pm

osc86 write:

Like an inverted safe mode.

Then create a backup and a scheduler with +1h who do a load of this backup.
You can do many disconnection in this 1h time and you have a safe information that in 1h if you not disable this scheduler then it came back to proper Point Of Time with reboot.

TomjNorthIdaho · Tue Jul 06, 2021 6:53 pm

osc86 write:
Like an inverted safe mode.
Then create a backup and a scheduler with +1h who do a load of this backup.
You can do many disconnection in this 1h time and you have a safe information that in 1h if you not disable this scheduler then it came back to proper Point Of Time with reboot.

I've done this many a time on remote located Cisco routers & Cisco switches.
Hmmm , it would be a nice feature if Mikrotik came out with a Safe-Mode timer - where you can disconnect and reconnect and reboot while making configuration changes. Then after all configurations are finished , simply turn off the Safe-Mode timer or force the Safe-Mode timer to kick-in and revert if needed , or wait and do nothing and let Safe-Mode revert any changes after it times-out.

osc86 · Tue Jul 06, 2021 7:20 pm

@SiB While this surely is a good solution for some scenarios, it won't work if you need to make multiple changes to the uplink interface of a remote device. If you need to change the ip address and the pvid of the bridge port, you could only do one of n changes, before losing connection to the router. Restoring a backup won't help in this case. Sure you could paste every command needed into a script and execute it, but this is very time consuming and doesn't scale with a larger amount of devices.
I think a native queue feature would be welcomed by many users. I see more and more vendors implementing this, Aruba and paloalto to name only 2.

pe1chl · Tue Jul 06, 2021 10:29 pm

I'd like to be able to queue changes and apply them all at once. Like an inverted safe mode.
I often need this when I have to make multiple changes to interfaces / ip addresses.

In command (terminal) mode, you already have that!
Type a { to open a block, then you can issue a number of commands that will not get executed right away, and finally close the block with }
This will execute all commands in one go.
Of course when there is an error somewhere... well...
But you can use safe mode around this whole thing.

Tue Jul 06, 2021 10:49 pm

also on same line of command: /ip add set ether1 address=1.2.3.4/12;/int bri port remove [find]; etc....

on another post I explain "auto-reload start session backup if the session is lost for more than 5 minutes"

osc86 · Wed Jul 07, 2021 3:52 pm

@pe1chl didn't know about this, thanks!

satori · Sat Jul 24, 2021 8:11 pm

Please add SMB support to the fetch tool
+1

Sat Jul 24, 2021 8:15 pm

Right!

+10

michaels · Sat Aug 14, 2021 1:03 pm

CRS Port Security - max-mac-count

When using port security, the switch will stop learning the ports specified when the new MAC address reaches the configured maximum
number. Only in the dynamic or static address table already stored on that port is the source address authorized to do the following on
incoming traffic: access the network. The port will discard any incoming frames that are unknown or previously exist in the source MAC
address, learned from another port.

kelner · Fri Aug 20, 2021 11:13 pm

Please add SMB support to the fetch tool
+1

In my Linux "stripped" CLI smbclient executable file has size 1.7 MB and more than 100 dynamicaly loaded libraries in addition. Don't you know why? Because SMB protocol is a creature of MicroSoft with all it complex functionality such as authentications, versions, locks, printing, etc. And thus it is too complex for such class device. I am sure it's implementation is not nesessary and definitelly can decrease stability of RouterOS.

In general, I think Mikrotik device must be considered a ROUTER, and not a soapbox with home gateway.

zainarbani · Sat Aug 21, 2021 11:31 am

smbclient with less features than samba maybe? libdsm

pe1chl · Sat Aug 21, 2021 11:40 am

In general, I think Mikrotik device must be considered a ROUTER, and not a soapbox with home gateway.

I agree with that! Support for complex protocols like SMB should not be expanded, but rather it should be REMOVED (e.g. the IP->SMB feature).
That would make room for more router-oriented functionality.
Those that want to fetch files from Microsoft stuff can always install a webservice on their PC and use fetch with that.

Basdno · Sun Sep 05, 2021 11:05 am

For LoRaWAN devices

Add a package to support their 'light hotspot' so we can use Mikrotik's on the helium network. Helium is a rapidly growing IoT network.
Helium.com

I have also suggested this to Mikrotik support via email, if Mikrotik as an established professional wireless manufacturer, with good production capabilitys would certify their LoRa products for Helium network, it would probably BOOST SALES extremely.
Especially since no other manufacturer of Helium Hotspots are able do deliver according to the extreme demand from customers!

So Mikrotik, you already have the know how to do it, all it takes is a Helium certification and necessery ROS package!

Please make it happen, and make it happen soon!

You will be sold out in the blink of an eye!

pe1chl · Thu Sep 23, 2021 3:45 pm

For wireless connect-list it would be nice when it could skip to the next entry when authentication fails.
As it is now, it will match the first entry with correct SSID (and other criteria like MAC) and try to connect, but when that connection is rejected because the password has changed, it does not skip to the next.
E.g. when password is announced to change in the future, it is not possible to setup a connect list that uses the new password as soon as it becomes active.

Thu Sep 23, 2021 4:57 pm

We have absolutely zero plans to support helium.

Thu Sep 23, 2021 5:12 pm

What about MAC address lists?

Larsa · Thu Sep 23, 2021 11:49 pm

Satori: Please add SMB support to the fetch tool

Rextended: Right! +10

Well, that would be nice but there are plenty of different versions to choose from using alternativ network protocols as well as different authentication protocols. Depending of which ones you pick the implementation can be quite complex which would reflect on the code size and manability. Have a look at https://en.wikipedia.org/wiki/Server_Message_Block. You have to be more specific than just "SMB"...

MCN · Sun Sep 26, 2021 7:57 pm

HFS+ formatted storage, AFP, Spotlight indexing, Time Machine support, SMB 2.0

Working Bonjour (mDNS) intra-router (not inter) routing across subnets with example

YES - PLEASE - Time Machine support. SMB 2.0 / AFP - something for the damm Apple users!

Have a LOT of users that we could set to use this!

ccanto · Mon Oct 11, 2021 3:24 am

For the CRS3xx series, implement bridge-forwarding (software) with packets that are "redirected to cpu" in the Switch Rules when hardware offload is enabled.

That would allow the bulk of traffic to be hardware forwarded (by switch chip) and have Switch Rules for some very selective packets redirected to cpu to be processed by the software based bridge-forward packet flow logic (filtered, logged, nat'ed, etc)

ccanto · Mon Oct 11, 2021 3:53 am

When "DHCP Snooping" is enabled on a bridge, add a new option to the "Bridge Port" (when not trusted), that would add a static entry to the bridge hosts table with the MAC, VID (if applicable), interface, bridge and age from the DHCPACK packet. The entry is to be removed when the Age expires (dhcp lease), the port is no longer in a Running state, an DHCPDECLINE is sent in response to DHCPACK, a DHCPRELEASE is sent or a new DHCPACK is received for the same MAC (bridge wide, for every port where this option is enabled).

In this regard, the "auto" option in the bridge port "learn" could also mean that MAC learning is disabled on that port if this new option was enabled.

mikruser · Tue Oct 12, 2021 2:49 pm

As i see in https://wiki.mikrotik.com/wiki/Manual:I ... .29_routes
"packets with the same source address, destination address, source interface, routing mark and ToS are sent to the same gateway. This means that ECMP route does not perform pure per-connection balancing"

My suggestion: take into account not only the src/dst address, but also the port number.

jaxed8 · Wed Oct 13, 2021 6:45 pm

Winbox dark mode

mikruser · Fri Oct 22, 2021 3:51 pm

Feature request: network interfaces for IPsec in Tunnel mode.

pe1chl · Fri Oct 22, 2021 4:09 pm

Feature request: network interfaces for IPsec in Tunnel mode.

That is the about same thing as IPIP tunnel with IPsec protection...

mikruser · Fri Oct 22, 2021 5:07 pm

No, IPIP uses IPsec in Transport Mode

Chupaka · Fri Oct 22, 2021 7:26 pm

Feature request: network interfaces for IPsec in Tunnel mode.
That is the about same thing as IPIP tunnel with IPsec protection...

Tell that to people trying to setup Google Cloud VPN on MikroTik...

maigonis · Sat Oct 23, 2021 1:14 am

When Winbox looses connection, or otherwise have been closed not the proper way, it always messes up my windows. After reopen all my windows are messed up and I have to organise them again. I know there is "Autosave on close" checkbox, but it is not working right. I can uncheck it, but it is back on reconnect.

So to make this bug repotr more as a feature request. Maybe you can implement default template in Winbox? If I connect to new MT device my log is always on right side in full length, Interfaces, DHCP server leases on left side etc.

And of course Capsman, Dude improvements like Wireless snooper, noisefloor, CCQ in Capsman, Dude on Linux (better software support on Linux in general).

pe1chl · Sat Oct 23, 2021 11:54 am

When Winbox looses connection, or otherwise have been closed not the proper way, it always messes up my windows. After reopen all my windows are messed up and I have to organise them again. I know there is "Autosave on close" checkbox, but it is not working right. I can uncheck it, but it is back on reconnect.

"losing connection" does not activate autosave on close. That only works when you close the connection yourself by exiting winbox or closing the window.
I have requested before to have an "autosave on disconnect", that would certainly be useful. and also the possibility to tweak the parameters for automatic disconnect, it happens much too soon I think. when a link needs to re-establish it already is too late and all sessions are lost, it should be possible to keep trying for a minute or so.

So to make this bug repotr more as a feature request. Maybe you can implement default template in Winbox? If I connect to new MT device my log is always on right side in full length, Interfaces, DHCP server leases on left side etc.

That is already available, but it is not very clear to new users how it is supposed to work.
In the winbox connection setup window, under Tools enable Advanced mode.
Then you can select the saved session file to be used for the connection. You can share it between different devices so you have the same layout for those devices.

maigonis · Sat Oct 23, 2021 8:55 pm

That is already available, but it is not very clear to new users how it is supposed to work.
In the winbox connection setup window, under Tools enable Advanced mode.
Then you can select the saved session file to be used for the connection. You can share it between different devices so you have the same layout for those devices.

Thx for the tip, will use it.

jaxed8 · Thu Oct 28, 2021 1:04 am

"losing connection" does not activate autosave on close. That only works when you close the connection yourself by exiting winbox or closing the window.
I have requested before to have an "autosave on disconnect", that would certainly be useful. and also the possibility to tweak the parameters for automatic disconnect, it happens much too soon I think. when a link needs to re-establish it already is too late and all sessions are lost, it should be possible to keep trying for a minute or so.

Isn't it just working when safe mode is enabled?

pe1chl · Thu Oct 28, 2021 1:22 am

Sorry but there is no relation whatsoever between "safe mode" and the topics I discussed.

jaxed8 · Thu Oct 28, 2021 2:36 pm

Can DOH3 and DOQ be added to the mikrotik?

Paternot · Thu Oct 28, 2021 7:27 pm

How about a "dry run" option to import? This way we could test an export, to see if it would actually run to the end? An easy way to check if the restore would stop in the middle of the run...