pe1chl
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Sep 29, 2018 6:01 pm

So, updates work via plain HTTP? No encryption?

Shame!
Why shame? There is absolutely no problem with that!
Remember the update files themselves are signed! The signature is verified before they are installed.
So http is fine.

You know, Windows is using http download for windows update as well.
 
Cha0s
Forum Veteran
Posts: 816
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature requests

Sat Sep 29, 2018 6:09 pm

Why shame?
Because there is no excuse anymore for any service to run without TLS. Certificates are free (if not dirt cheap for those that don't - for whatever reason - like Let's Encrypt).
Why should any entity between the router and the update server even need to know what is being downloaded? TLS will prevent any type of eavesdropping.
Remember the update files themselves are signed! The signature is verified before they are installed.
So http is fine.
Yeah, it's fine. Until it somehow gets exploited in the future.
Winbox was considered safe as well, and we all saw the mess we got into recently.
Just because it seems secure now, it doesn't mean it will always be.
You know, Windows is using http download for windows update as well.
Microsoft's policies are not an example to be copied.

So I'll stick to my original comment on this. Shame.
 
pe1chl
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Sep 29, 2018 7:30 pm

I don't agree with you. TLS is a hype and some people believe that nothing can be done without encryption anymore.
But that is of course not true at all. In the case of downloading updates, encryption is not an issue (everyone knows what is being
downloaded!) and the only issue is authenticity. This is guarded MUCH BETTER with the signing using a keypair managed by
the signing authority themselves (as it is done now by MikroTik and also by Microsoft) than by any publicly signed TLS certificate.
The whole system of signing of certificates by "trusted issuers" has too many unreliable parties so it really cannot be relied
upon (anymore) for authenticity. And there is really no point at all in downloading updates using TLS when they are verified
before installation anyway.
 
Cha0s
Forum Veteran
Posts: 816
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature requests

Sat Sep 29, 2018 8:59 pm

Sure,

So next time you login to your web-banking do not check for TLS. Just go blindly with http. Don't even check if you typed the correct domain or whether you got hijacked and redirected to another domain. What's the point anyway? Too many parties involved! :facepalm:

People, it's 2018. Not 1996. Everything MUST be TLS. For encryption, authenticity, everything. Having anything over the public internet in clear text is stupid. It doesn't matter what the content is.
 
Sob
Forum Guru
Posts: 3566
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Sat Sep 29, 2018 9:31 pm

It's a little different. Well, completely different. I don't want anyone on the way to see what info I exchange with my bank and I don't want evil hacker substituting target account number with their own, when I send some money out. I couldn't care less about downloaded RouterOS updates (*). Even if an evil hacker hijacks the connection and sends me something different instead, RouterOS won't be able to verify signature and will reject it. No harm done.

(*) As long as there's no flaw in MikroTik's package signing. So yeah, TLS would not hurt and could help some people sleep better. But it's not like there must necessarily be an apocalypse without it.
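
The point argued in the posts above, that an update fetched over an untrusted channel is accepted only if its signature verifies against a key already on the device, shown as an added example that is not part of the thread and not MikroTik's code. The thread does not say which signature scheme RouterOS uses, so a Lamport one-time hash-based signature built from the Python standard library stands in for it; the package bytes and all function names are constructed for illustration.

```python
import hashlib
import secrets

BITS = 256  # one key pair per bit of the SHA-256 package digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Vendor side. Lamport keys are one-time: sign one release per key."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(package: bytes):
    d = _h(package)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def sign(sk, package: bytes):
    """Reveal, for each digest bit, the secret that matches that bit."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(package))]


def verify(pk, package: bytes, signature) -> bool:
    if len(signature) != BITS:
        return False
    return all(
        _h(signature[i]) == pk[i][bit]
        for i, bit in enumerate(_digest_bits(package))
    )


def install_update(pk, package: bytes, signature) -> str:
    """Router side: whatever the transport delivered, only the signature decides."""
    return "installed" if verify(pk, package, signature) else "rejected"


def demo():
    vendor_sk, vendor_pk = keygen()  # vendor_pk ships in firmware already on the router
    package = b"CONSTRUCTED-SAMPLE routeros package, release B"  # constructed sample
    signature = sign(vendor_sk, package)

    # Case 2: payload altered in transit over plain HTTP, original signature kept.
    altered = package.replace(b"release B", b"release X")
    # Case 3: altered payload re-signed with a key the router does not trust.
    other_sk, _ = keygen()

    return {
        "genuine": install_update(vendor_pk, package, signature),
        "altered_payload": install_update(vendor_pk, altered, signature),
        "untrusted_signer": install_update(vendor_pk, altered, sign(other_sk, altered)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Nothing in this check hides the download from an on-path observer, and the outcome depends entirely on the verifier and the embedded key being sound, which is the caveat raised in the post above.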
 
pe1chl
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Sep 29, 2018 10:16 pm

Sure,

So next time you login to your web-banking do not check for TLS.
I never inferred that. Logging in to some website is COMPLETELY DIFFERENT from downloading a firmware update.
Please don't post crap like that!
 
pe1chl
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Sep 29, 2018 10:18 pm

So yeah, TLS would not hurt and could help some people sleep better.
TLS would remove the possibility to have a local update repository on a closed network. At least until the update URL is made configurable.
 
Chupaka
Forum Guru
Posts: 8065
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature requests

Sun Sep 30, 2018 2:26 am

So the problem is that you don't trust MikroTik package signing and you do trust TLS and some "trusted" certification authorities (or just trust it more). It's your choice.

But the problem is you don't actually have a choice :) At least for now.
Russian-speaking forum: http://forum.mikrotik.by. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

¡ɹǝ|SOɹǝʇnoɹ ʞıʇoɹʞıW ɯ‚|

MikroTik. Your life. Your routing.
 
helipos
Frequent Visitor
Posts: 62
Joined: Sat Jun 25, 2016 11:32 am

Re: Feature requests

Sun Sep 30, 2018 5:07 am

The ability to force CPU, uptime, date etc on all winbox sessions.
Instead of having to do it individually
 
elsuhdnet
just joined
Posts: 1
Joined: Sun May 19, 2013 11:48 pm
Location: Baghdad-Iraq

Re: Feature requests

Tue Oct 02, 2018 4:50 pm

We want to suggest using address list from IP Firewall Address list in the System Users allowed access from special list and also could be used in IP services allowed access for services. This will increase the security of routers when someone needs to access them from public using port knocking process with dynamic address list.
 
Wyz4k
Member Candidate
Posts: 174
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed Oct 03, 2018 4:59 am

Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
 
joegoldman
Member
Posts: 357
Joined: Mon May 27, 2013 2:05 am

Re: Feature requests

Wed Oct 03, 2018 5:34 am

Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
This is done in 'graphing': you can set up resource graphs and access them through webfig (at login hit the 'Graphs' button underneath the login)

This will keep a daily, weekly and yearly graph if I remember correctly, daily being 5 minute poll, weekly being 2 hour and yearly being 1 day or something to that effect.
 
joegoldman
Member
Posts: 357
Joined: Mon May 27, 2013 2:05 am

Re: Feature requests

Wed Oct 03, 2018 5:37 am

The ability to force CPU, uptime, date etc on all winbox sessions.
Instead of having to do it individually
Create a 'view'/session, with those things enabled (And maybe your favourite screens set up and laid out), then use that as your default session view, along with unticking autosave so no matter what you do in that session it resets next time you log-in.

I have 5 or 6 different sessions, some set up for BGP routers, others for Shapers, for PPPoE Servers etc, to give me relevant information as quick as possible.


On this note though, my feature request would be to perhaps have a quick-access drop down of your session files (top left/right), so when logging into a router, you can quickly swap between different views based on what you want to look at (Firewall centric view, wireless centric view, routing centric view etc etc)
 
Wyz4k
Member Candidate
Posts: 174
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Wed Oct 03, 2018 5:59 am

Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
This is done in 'graphing': you can set up resource graphs and access them through webfig (at login hit the 'Graphs' button underneath the login)

This will keep a daily, weekly and yearly graph if I remember correctly, daily being 5 minute poll, weekly being 2 hour and yearly being 1 day or something to that effect.
That would be almost okay if the graphs had some authentication built into them as well as opposed to just an ip whitelist.

First prize would still be something that doesn't require the graphs though, which can be scripted through the CLI.
 
joegoldman
Member
Posts: 357
Joined: Mon May 27, 2013 2:05 am

Re: Feature requests

Wed Oct 03, 2018 6:15 am

You are correct, I don't use the graphs for the same reason, but I generate the same graphs using one of many SNMP based monitoring tools out there, so I have a clear idea on CPU usage of routers.
 
Jotne
Member
Posts: 463
Joined: Sat Dec 24, 2016 11:17 am

Re: Feature requests

Wed Oct 03, 2018 8:11 am

Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
Here is a screenshot from my Splunk Mikrotik project found here: viewtopic.php?t=137338
CPU.jpg
 
TomjNorthIdaho
Forum Veteran
Posts: 860
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Wed Oct 03, 2018 6:11 pm

Although my graph below is way too small to read - On some of my Mikrotiks I graph everything. I can go back years and see , interface bandwidths , CPU loads, temperature , frequency , signal-to-noise , Signal-strengths , TX & RX rates , connected client counts.

Most SNMP based bandwidth graphing programs allow you to use just about any SNMP Mib OID you want and turn it into a graph item. I use Cacti.
The graph below shows an entire year for one of my Mikrotiks. On some devices, I have graphs going back to the early 2000s.
graphs.png
 
TomjNorthIdaho
Forum Veteran
Posts: 860
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests

Wed Oct 03, 2018 6:21 pm

Re graphing , I suggest using a 3rd party SNMP server and not using the Mikrotik graphing utility because it helps to lessen the Mikrotik CPU load and overhead which helps increase Mikrotik throughput and reduce L2/L3 packet propagation delay
 
Wyz4k
Member Candidate
Posts: 174
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Oct 04, 2018 3:11 am

I just want to see average cpu usage on a router somewhere in the field.

Now I either have to run:
1) unsecured graphing which can't be queried using a script anyway
2) have to run a 3rd party snmp server because there is no snmp server from Mikrotik and no ability to query snmp registers from the router itself.

Surely there's a point where it's simpler to just add in an average counter in the resources tab which can be scripted...
 
vecernik87
Member Candidate
Posts: 217
Joined: Fri Nov 10, 2017 8:19 am

Re: Feature requests

Thu Oct 04, 2018 3:57 am

1) unsecured graphing which can't be queried using a script anyway
If IP whitelist is not enough, you can limit it to VPN via firewall.
2) have to run a 3rd party snmp server because there is no snmp server from Mikrotik
Mikrotik has "The Dude" which works well enough as SNMP server. It is not masterpiece, has its own bugs, but works.
... and no ability to query snmp registers from the router itself.
Unsure what you mean. You can query SNMP from router.
Surely there's a point where it's simpler to just add in an average counter in the resources tab which can be scripted...
Everyone will ask for different average. Someone will ask for 5m, someone for 1hour, someone for 1day... Cmon, if you have such specific requirements, is it really that hard to make own script, which will grab SNMP counters and show you absolutely anything you can imagine?

To sum up - we got two methods - either very simple graphing, or fully featured SNMP. You want something simple, yet advanced...
 
ilovepancakes
just joined
Posts: 2
Joined: Thu Oct 04, 2018 4:37 am

Re: Feature requests

Thu Oct 04, 2018 4:39 am

Would like a way to be able to send user agent header with the fetch tool. For example, Google DDNS with Google Domains and other DDNS providers can accept IP updates through HTTPS get requests, but they need a valid user agent sent with the request. Right now, a script to do this returns a "badagent" error from Google. A way to send and even customize a user agent with the fetch tool would be great.
 
Wyz4k
Member Candidate
Posts: 174
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Oct 04, 2018 4:57 am

My mistake. I thought this was the "Feature requests" topic, not the "We'll find creative ways to partially solve your problems in inefficient ways" topic.

That being said the snmp get functionality on the mikrotik is useful and isn't something that I've used before. Thanks for that suggestion. I'll look into it.
 
Sob
Forum Guru
Posts: 3566
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature requests

Thu Oct 04, 2018 5:40 am

@Wyz4k: Actually, people are trying to help. Problem with your original request is that averages are not very useful. If you check your router and see daily CPU average 40%, what does it tell you? It could mean plenty of power to spare, but it can also mean that CPU is maxed out during whole business hours and router is struggling to survive. And the longer interval, the more useless the numbers get. So what would be such misleading feature good for?
 
vecernik87
Member Candidate
Posts: 217
Joined: Fri Nov 10, 2017 8:19 am

Re: Feature requests

Thu Oct 04, 2018 6:15 am

@Wyz4k No. I should apologize. I didn't realize it will sound so aggressive. This is certainly about "feature requests". Sometimes, requests are great. Sometimes not - people submit them due to misunderstanding or lack of information. I just tried to correct some of your statements and I didn't mean to offend you
 
Wyz4k
Member Candidate
Posts: 174
Joined: Fri Jul 10, 2009 10:23 am

Re: Feature requests

Thu Oct 04, 2018 11:27 am

@Wyz4k No. I should apologize. I didn't realize it will sound so aggressive. This is certainly about "feature requests". Sometimes, requests are great. Sometimes not - people submit them due to misunderstanding or lack of information. I just tried to correct some of your statements and I didn't mean to offend you
It's okay, I apologize for getting a bit irritated as well. I appreciate your suggestion and will give it a try.
 
fneto
just joined
Posts: 5
Joined: Tue Oct 02, 2018 12:40 am

Re: Feature requests

Thu Oct 04, 2018 5:04 pm

Hello!!

I'm new to the forum, and I'd like to know where is the right place for a feature request.

Actually I think Mikrotik should authenticate itself through radius in a uniform way, Winbox uses CHAP-MD5 what's on, but terminal uses PAP??? We use centralized authentication in a very hostile environment and transmitting the password in the clear is not an option for us!!

Thanks!
 
pe1chl
Forum Guru
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Thu Oct 04, 2018 8:54 pm

I'm new to the forum, and I'd like to know where is the right place for a feature request.
Your feature is already implemented in RC/testing version. And some people don't like it...
 
joegoldman
Member
Posts: 357
Joined: Mon May 27, 2013 2:05 am

Re: Feature requests

Fri Oct 05, 2018 9:14 am

Clustered PPPoE servers....to an extent of course.

Basically only really IP Pool clustering - with limited IP addressing and a decentralised core, I currently have 4 different routers doing PPP termination. Rather than split up a /25 and have to try to manage enough IPs in the pool between the routers, would be cool if I could give the whole range in the pool, and have the routers be aware of each others' state and not give out an already used address.
 
pe1chl
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Oct 05, 2018 11:26 am

That is already possible via RADIUS!
 
joegoldman
Member
Posts: 357
Joined: Mon May 27, 2013 2:05 am

Re: Feature requests

Fri Oct 05, 2018 2:40 pm

That is already possible via RADIUS!
No, RADIUS is not a pool manager, it can assign statics; software behind RADIUS would still need to manage a pool, which can get out of sync if you miss a stop record or something.
 
tinodj
just joined
Posts: 1
Joined: Fri Oct 05, 2018 4:04 pm

Re: Feature requests

Fri Oct 05, 2018 4:07 pm

What about Copy rule option in Webfig?

It would be nice to be there. Thanks.
 
dihrmax
just joined
Posts: 7
Joined: Wed Nov 23, 2016 11:00 pm

Re: Feature requests

Fri Oct 05, 2018 11:17 pm

Hi,

It's not a feature request but a model request. I didn't find a Topic about it.
I need a CCR with 4S+. I know there is a 1072 with 8S+ but it's too high and expensive for what I need. I need like CCR1009-8G-4S+ (1016 or 1036) dual PSU rackmount. (Doesn't matter how many Gig port)

Thank you
 
pe1chl
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Oct 06, 2018 11:49 am

Maybe when you don't really need the full 10G performance you could use one of the new SFP+ switches together with a CCR1009 as router-on-a-stick?
 
expert
Frequent Visitor
Posts: 90
Joined: Sun Dec 04, 2016 1:22 pm

Re: Feature requests

Sat Oct 06, 2018 12:27 pm

1. Please allow adding many to many entries into vlan table for CRS1xx,2xx. Currently, only many to one entries are allowed:
Current:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=201

Proposed:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200,201
The same should also work for egress-vlan-tag table.

2. This is improvement over point (1). Please allow interface lists to be added into vlan table for CRS1xx,2xx:
Current:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=201

Proposed:
/interface list add name=sfp-list
/interface list member add interface=sfp1 list=sfp-list
/interface list member add interface=sfp2 list=sfp-list
/interface ethernet switch vlan add ports=sfp-list vlan-id=200,201
The same should also work for egress-vlan-tag table.
Idea: vlan lists similar to interface lists would be amazing...
 
pe1chl
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Oct 06, 2018 1:08 pm

Remember that interface lists are handled by the CPU. An interface list is just a bit set in the interface definition which can be matched e.g. in the firewall ("is this bit set for the interface where this packet arrived") by the processor.
This is entirely different from switch programming, where a fixed mapping between devices and vlans is programmed in an external chip essentially one-time (at startup) and the mapping is only used by the switch chip, not by the processor.
 
expert
Frequent Visitor
Posts: 90
Joined: Sun Dec 04, 2016 1:22 pm

Re: Feature requests

Sat Oct 06, 2018 6:40 pm

Remember that interface lists are handled by the CPU. An interface list is just a bit set in the interface definition which can be matched e.g. in the firewall ("is this bit set for the interface where this packet arrived") by the processor.
This is entirely different from switch programming, where a fixed mapping between devices and vlans is programmed in an external chip essentially one-time (at startup) and the mapping is only used by the switch chip, not by the processor.
Thanks for explanation, I didn't know what's the underlying implementation of interface lists. Well, the idea(1) is still nice to have, since my vlan table entries contain same trunk ports.
 
logicwrath
just joined
Posts: 5
Joined: Wed Nov 04, 2015 10:28 pm

Re: Feature requests

Wed Oct 10, 2018 11:24 pm

It would be great if all forms in Winbox.exe had a help button you could press that would take you to the relevant online documentation.

example:
http://prntscr.com/l4lfty
 
schadom
Frequent Visitor
Posts: 87
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: Feature requests

Thu Oct 11, 2018 3:21 am

MT please consider doing some BGP and routing-related fixes for Christmas.
Would make A LOT of MT users very, very happy! Just to give some examples:
- multi-threading
- BGP4 SNMP MIBs
- better BGP convergence time
- faster route table searches
- fix ipv6 route reflection
- add RPKI support

:-)
 
TomjNorthIdaho
Forum Veteran
Posts: 860
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Feature requests (IP Services)

Fri Oct 12, 2018 10:56 pm

It might be a new nice feature to add a couple of items under IP-Services.
In /ip service , add the following:
snmp ( normally SNMP uses port 161 , add ability to set what IP addresses can even get to the SNMP service )
icmp ( add ability to set what IP addresses can even get to the icmp service when pings are directed to a Mikrotik )

And yes , I am aware in Mikrotik ROS there is the ability in SNMP access using the /snmp community addresses=IPs name=community , however should this possibly be added to /ip service ???

Re icmp , without going into firewall rule settings , shouldn't icmp be located in /ip service ?

Also - what other services are running on Mikrotik ROS that can/should be also in the /ip service area ?
Any possible btest server settings in /ip service ?

What about any service that uses a username (where we want to control what IPs have access to the service and the ability to control which username can be accessed from different IP-lists).

Also - If there is a IP service which is locked down by username (and possibly an IP-address-list) , if the service is running then there is a possibility of a denial-of-service attack. So , any ideas about adding additional functionality in the /ip service area ?

Also - re /ip service for any Mikrotik service running , how do we limit repeated connections from the same remote IP address over and over again --- Such as a remote attacker repeatedly trying usernames and passwords using a dictionary sequence of logins/passwords ( telnet , ssh , winbox , http , https , snmp , ftp , api ).




North Idaho Tom Jones
 
raymondr15
Member Candidate
Member Candidate
Posts: 109
Joined: Fri Sep 05, 2014 1:11 am
Location: East London, South Africa

Re: Feature requests

Sat Oct 13, 2018 4:12 pm

It would be really nice if MikroTik would add the ability to graph health information such as voltage and temperature and no I'm not referring about SNMP and API, I am referring to tools->graphing, the same way as resources, queues and interfaces are graphed.
 
pe1chl
Forum Guru
Posts: 4798
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Oct 13, 2018 4:51 pm

It would be really nice if MikroTik would add the ability to graph health information such as voltage and temperature and no I'm not referring about SNMP and API, I am referring to tools->graphing, the same way as resources, queues and interfaces are graphed.
There should simply be the possibility to add "user graphing" where an SNMP OID is entered and the value is graphed. It has been requested before.
