Community discussions

Search found 667 matches

by Josephny
Fri Nov 01, 2024 12:25 am
Forum: General
Topic: Lets Encrypt
Replies: 5
Views: 183

Re: Lets Encrypt

Wow! That is a beautiful solution. Don't forget you have to install Let's Encrypt's R10 and R11 intermediate CA certificates so that the HTTPS server could send the relevant one of them to the clients along with its own certificate. The issuing intermediate CA is chosen randomly for each renewal. I ...
by Josephny
Thu Oct 31, 2024 11:18 pm
Forum: General
Topic: Lets Encrypt
Replies: 5
Views: 183

Re: Lets Encrypt

While not perfect, this might work if the MT device were connected to the Internet. There is a setup that "will work until it stops", which is based on the fact that the certificate renewal requests are currently sent to acme-v02.api.letsencrypt.org ; as RouterOS sends them automatically,...
by Josephny
Thu Oct 31, 2024 9:55 pm
Forum: General
Topic: Lets Encrypt
Replies: 5
Views: 183

Re: Lets Encrypt

I figured it out: The MT devices to be opened on port 80 (to the Internet). It seems this applies to renewals also. Obviously, we don't want to leave 80 open all the time. What is the recommended solution? Schedule a script that opens 80, runs the certificate renewal command, and then closes 80? Whi...
by Josephny
Thu Oct 31, 2024 9:12 pm
Forum: General
Topic: Lets Encrypt
Replies: 5
Views: 183

Lets Encrypt

I have an environment with a cable modem -> Ubiquiti UDMPro -> hEX. The hEX handles the DNS for the entire environment (in addition to other things). The UDM has also been upset when I try to access it and throws off errors that there is no certificate and it's unsafe. So I thought I'd install a Let's E...
by Josephny
Thu Oct 31, 2024 7:30 pm
Forum: Announcements
Topic: Long range wireless links - share your experience
Replies: 61
Views: 70786

Re: Long range wireless links - share your experience

I would love to play around with these types of links, and have plenty of good use for links in the 1-10km (I think in miles, but I'll adapt).

Problem is, I've got nothing but mountains and trees for miles in all directions, so unless I erect 200' towers, my line of sight is limited to 1/2 km.
by Josephny
Thu Oct 31, 2024 5:19 pm
Forum: Beginner Basics
Topic: Trying to wrap my head around VLANs
Replies: 10
Views: 369

Re: Trying to wrap my head around VLANs

I try to keep up with code/acronyms/etc., but huh??? BTW, K6, I'm a KC2 It's not code just a pronunciation schema. Californicators are a tad odd. ;-) Oh! Got it now! Couldn't agree more. Glad to see more people who recognize NYC as the center of the English speaking world and the only non-accented ...
by Josephny
Thu Oct 31, 2024 3:15 pm
Forum: Beginner Basics
Topic: Trying to wrap my head around VLANs
Replies: 10
Views: 369

Re: Trying to wrap my head around VLANs

KAL EYE 4RN EYE EH
I try to keep up with code/acronyms/etc., but huh???

BTW, K6, I'm a KC2
by Josephny
Thu Oct 31, 2024 3:09 am
Forum: Beginner Basics
Topic: Trying to wrap my head around VLANs
Replies: 10
Views: 369

Re: Trying to wrap my head around VLANs

I just want to say that I have never been able to get a useful environment using VLANs. I’ve read the always-recommended post here, read tons of other articles, watched videos and there is nothing that explains it and instructs in their construction clearly enough. I don’t know why, and I can’t sugge...
by Josephny
Wed Oct 30, 2024 1:00 pm
Forum: Scripting
Topic: Polling?
Replies: 12
Views: 448

Re: Polling?

Update: At the location that prompted me to start this "voltage" investigation, I have frequent (but irregular -- i.e., at random times) losses of internet connectivity. Sometimes it turns out the cable modem needs to be rebooted, and other times, service is restored without intervention i...
by Josephny
Wed Oct 30, 2024 12:53 pm
Forum: Scripting
Topic: Polling?
Replies: 12
Views: 448

Re: Polling?

I do know some stuff like LTE – which also uses "monitor" – may not actually get all value every time. For example, on some modems it's ~50% where the CQI or RSRQ will be included in "monitor once". The "loop" version of monitor for more like voltage over 10 seconds, i...
by Josephny
Tue Oct 29, 2024 6:39 pm
Forum: Beginner Basics
Topic: SSID Name for WiFi 2GHz and 5Ghz
Replies: 10
Views: 336

Re: SSID Name for WiFi 2GHz and 5Ghz

If one needs strong 2.4GHz signal for improved coverage, then the only way of decent mobility (in both directions, i.e. also from 2.4GHz to 5GHz) is to use new drivers (wifi) and rely on mobility functions ... where client still has decisive powers. By "mobility functions" do you mean cli...
by Josephny
Tue Oct 29, 2024 5:52 pm
Forum: Beginner Basics
Topic: SSID Name for WiFi 2GHz and 5Ghz
Replies: 10
Views: 336

Re: SSID Name for WiFi 2GHz and 5Ghz

I always keep the SSID identical and play with transmission power (lower 2.4GHz transmission power a lot). My client devices are smart enough to select the 5GHz radio, or roam to it when available. Another disadvantage of having different SSID's is the lack of roaming. You have to change manually, ...
by Josephny
Tue Oct 29, 2024 12:11 pm
Forum: General
Topic: Voltage?
Replies: 2
Views: 153

Re: Voltage?

I don't know if they all have what You said, but yes: any difference would be due to hardware. Some kits just have more/different sensors than others. Thank you. FYI, I looked at Winbox/ROS on each of these devices and what I wrote reflects what I saw as available. It would be nice if all the hardw...
by Josephny
Tue Oct 29, 2024 2:43 am
Forum: General
Topic: Voltage?
Replies: 2
Views: 153

Voltage?

Am I correct that the RB5009 has /system/health CPU TEMP, VOLTAGE, JAC VOLTAGE, POE-IN VOLTAGE, POE-OUT CONSUMPTION, BOARD-TEMPERATURE1 The hEX has /system/health TEMPERATURE and VOLTAGE? The AX has /system/health but only CPU-TEMPERATURE (no voltage)? The AC doesn't have /system/health? Cube has /sys...
by Josephny
Mon Oct 28, 2024 5:23 pm
Forum: Scripting
Topic: Polling?
Replies: 12
Views: 448

Re: Polling?

Jokes aside, I don't have any UPS directly connected to a RouterBOARD otherwise I would have helped you better, but if you are not familiar with scripting the 1 second scheduler is more than enough and practically does not consume CPU. Oh, how disappointing! I was hoping you were going to provide a...
by Josephny
Mon Oct 28, 2024 5:17 pm
Forum: Scripting
Topic: Polling?
Replies: 12
Views: 448

Re: Polling?

Need to run Assassin's Creed on your router?
No.
Does setting an infinite loop for every nanosecond create a larger CPU overhead?
No idea.
by Josephny
Mon Oct 28, 2024 5:13 pm
Forum: Scripting
Topic: Polling?
Replies: 12
Views: 448

Re: Polling?

It's quicker to set it in the scheduler every second rather than doing intricate things, especially for those who are not familiar with scripting...
Does setting a scheduler for every second create a large CPU overhead?
by Josephny
Mon Oct 28, 2024 1:26 pm
Forum: Scripting
Topic: Polling?
Replies: 12
Views: 448

Re: Polling?

Remove the "once" and it becomes a ":while (true)" loop, so it will run forever. There is an interval= that controls how often the do={} code is run, i.e. 1s or 1m or 1h etc.... You can also make it only run for a fixed period like duration=1m. This is useful like in a /system/sched...
by Josephny
Sun Oct 27, 2024 7:06 pm
Forum: Scripting
Topic: Polling?
Replies: 12
Views: 448

Re: Polling?

It looks like there is no solution.
by Josephny
Sat Oct 26, 2024 7:43 pm
Forum: Scripting
Topic: Polling?
Replies: 12
Views: 448

Polling?

Not sure if this is a scripting question. I want to be able to poll the UPS's status. Or, more generally, I want the router to do something if the line (input) voltage to the UPS drops below a threshold and/or the UPS has changed to battery power. I have this code which seems to work, but I am hopin...
by Josephny
Sat Oct 26, 2024 1:34 pm
Forum: Wireless Networking
Topic: WiFi Disconnect Issues with hAP ax² - Seeking Advice on Stable Version and Future Updates
Replies: 8
Views: 1033

Re: WiFi Disconnect Issues with hAP ax² - Seeking Advice on Stable Version and Future Updates

If I may, a meta-question. Why (the heck) are most people here on the forum obsessed with updating? Besides the obvious mistakes the good Mikrotik guys insist on making, pushing out new versions without appropriate testing, and mixing all together, without even an attempt to prioritize them, new fe...
by Josephny
Fri Oct 25, 2024 8:58 pm
Forum: Scripting
Topic: Appending file within foreach
Replies: 10
Views: 329

Re: Appending file within foreach

That is fabulous! I incorporated it into my script (removing the set of brackets so that the variable $allIPs remains), but the output is still repeating. If I write something, it mean is it needed... :put [:tostr $allIPs] Do not forget to correct ALL: add name=systeminfo contents="$resources\...
by Josephny
Fri Oct 25, 2024 5:41 pm
Forum: Scripting
Topic: Appending file within foreach
Replies: 10
Views: 329

Re: Appending file within foreach

If you're willing to have the data as JSON, the newer [:serialize] makes quick work of this: /file/add name=test.json contents=[:serialize to=json [/system/resource/print as-value] option=json.pretty] For example, the output looks like: :put [:serialize to=json [/system/resource/print as-value] optio...
by Josephny
Fri Oct 25, 2024 5:14 pm
Forum: Scripting
Topic: Appending file within foreach
Replies: 10
Views: 329

Re: Appending file within foreach

All is useless. Just this: { /ip address :local allIPs [:toarray ""] [pri as-value where [:set allIPs ($allIPs,$address)]] :put [:tostr $allIPs] } That is fabulous! I incorporated it into my script (removing the set of brackets so that the variable $allIPs remains), but the output is stil...
by Josephny
Fri Oct 25, 2024 4:14 pm
Forum: Scripting
Topic: Appending file within foreach
Replies: 10
Views: 329

Re: Appending file within foreach

Still not exactly what I'd like. This code produces the output below: /file remove systeminfo /system :local cdate [clock get date] :local yyyy [:pick $cdate 0 4] :local MM [:pick $cdate 5 7] :local dd [:pick $cdate 8 10] :local identitydate "$[identity get name]_$yyyy-$MM-$dd" # Collect S...
by Josephny
Fri Oct 25, 2024 3:32 pm
Forum: Scripting
Topic: Appending file within foreach
Replies: 10
Views: 329

Re: Appending file within foreach

I've made some progress -- it works, I think: # Collect IP addresses :global ipaddressvalues [:toarray ""] :foreach neighborID in=[/ip address find] do={ :local nb [/ip address get $neighborID] :local id [:pick ("$nb"->".id") 1 99] :foreach key,value in=$nb do={ :local ...
by Josephny
Fri Oct 25, 2024 1:19 pm
Forum: Scripting
Topic: Appending file within foreach
Replies: 10
Views: 329

Appending file within foreach

I would like to save a file with the values discovered during the foreach loop below. But, I'm having a hard time with appending values to the variable. I believe I need to use an array, but it's beyond me at this time. # Collect IP addresses :foreach neighborID in=[/ip address find] do={ :local nb ...
by Josephny
Fri Oct 25, 2024 12:46 am
Forum: Scripting
Topic: Scripting skills
Replies: 15
Views: 633

Re: Scripting skills

You could have avoided many questions by comparing what I wrote with what you wrote. What is wrong with: :local version ([/system resource get version]) Easy: useless parenthesis ( ) that cause other useless calcs... And, I cannot get this line to work: :local newline [:find \$value \"\\\"...
by Josephny
Thu Oct 24, 2024 4:26 pm
Forum: Scripting
Topic: Scripting skills
Replies: 15
Views: 633

Re: Scripting skills

ability to pester those far more knowledgeable One big trick, I think, is using "/system/script/edit <scriptname> source" to use Mikrotik's editor. Unlike Winbox's script editor, it will show red marks if the script is invalid (in realtime in edit). While I like @rextended, I know he uses...
by Josephny
Thu Oct 24, 2024 1:56 am
Forum: Scripting
Topic: Scripting skills
Replies: 15
Views: 633

Re: Scripting skills

Is better you lost instantly bad habit like :local version ([ /system resource get version ]) and do not post export like a script because on this way is full of errors. Copy & paste from winbox to the forum, or post all the exported script parts. Also use space indentation, or is hard readable...
by Josephny
Tue Oct 22, 2024 6:29 pm
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 39
Views: 3494

Re: Datasheet for new improved hEX?

If not, is there a chart of which adapters work for which devices? Are you that lazy?? Checking the plain old hex........ pwr1.JPG ... pwr2.JPG ................. Rules of thumb: 1. voltage (dc output of adapter) must be an exact match for device input voltage ( or within the stated range if one is ...
by Josephny
Tue Oct 22, 2024 5:51 pm
Forum: General
Topic: UPS monitor voltage script
Replies: 10
Views: 377

Re: UPS monitor voltage script

For what it's worth, I researched the topic of UPS facility in Mikrotik years ago and haven't revisited the subject much. I've settled on having smart upses be used as dumb ones and only use the UPS facility in Mikrotik for the occasional peek at what it is doing. The reason for why Mikrotik deviat...
by Josephny
Tue Oct 22, 2024 5:05 pm
Forum: Scripting
Topic: Scripting skills
Replies: 15
Views: 633

Re: Scripting skills

Congrats on your scripting journey, seriously! I will say you are braver than I. I have only dabbled in scripting and am mostly content to use functionality as already available, and thus admire anyone that makes the effort. Where I think people are just plain nuts is their love for capsman. I am h...
by Josephny
Tue Oct 22, 2024 4:45 pm
Forum: Scripting
Topic: Scripting skills
Replies: 15
Views: 633

Re: Scripting skills

Why are you posting in the General Forum instead of the Scripting Forum???????

Want a ----> cookie.jpg ??
Apologies.

Yes, please.
by Josephny
Tue Oct 22, 2024 4:08 pm
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 39
Views: 3494

Re: Datasheet for new improved hEX?

... True, it isn't being sold yet. They may very well sell it with a 24V 0,5A power supply, and problem solved. But as of now, the matched power supply can't power it at 100% usage. These external power supply adapters are most common failure point of Mikrotik hardware. When devices with 24V 0,8A/1...
by Josephny
Tue Oct 22, 2024 3:49 pm
Forum: Scripting
Topic: Scripting skills
Replies: 15
Views: 633

Scripting skills

I am at a baby level at scripting and progressing extremely slowly, but I wrote (okay, adapted slightly from @jotne's work) a script to log some basic device info. I know you experts will cringe at a simpleness, but I'm proud of myself. # Collect system resource /system resource :local cpuload [get ...
by Josephny
Tue Oct 22, 2024 12:00 pm
Forum: General
Topic: UPS monitor voltage script
Replies: 10
Views: 377

Re: UPS monitor voltage script

Do your UPS offer the “on-battery” field? While I see it mentioned in the documentation, https://help.mikrotik.com/docs/spaces/ROS/pages/120324130/UPS , my little experience is that the actual UPS implementation on Mikrotik deviates a lot from the documentation. Some of it may be due to the exact m...
by Josephny
Tue Oct 22, 2024 4:52 am
Forum: General
Topic: UPS monitor voltage script
Replies: 10
Views: 377

Re: UPS monitor voltage script

I have the following working: :local voltage (([/system ups monitor 0 once as-value]->"line-voltage")/100) :log info $voltage But when I include a test for "on-battery" being "true" the script does not work. I wonder if it is a simple syntax error or if I need to conver...
by Josephny
Tue Oct 22, 2024 3:19 am
Forum: General
Topic: UPS monitor voltage script
Replies: 10
Views: 377

Re: UPS monitor voltage script

It isn't a property. As an aside I'm not sure why load appears in both properties and monitor values, logically it would only be in the latter with the other measured data. To display from the command line :put ([/system/ups/monitor 0 once as-value]->"line-voltage") If you wish to access ...
by Josephny
Tue Oct 22, 2024 2:18 am
Forum: General
Topic: UPS monitor voltage script
Replies: 10
Views: 377

Re: UPS monitor voltage script

No "line-voltage" [admin@371hEX] /system/ups> print proplist= Flags: X - disabled; I - invalid 0 name="ups1" port=usbhid1 offline-time=0s min-runtime=never alarm-setting=immediate model="Back-UPS RS 700G FW:856.L8 -P.D USB FW:L8 -P" serial="0B2252N07530" manuf...
by Josephny
Tue Oct 22, 2024 2:01 am
Forum: General
Topic: UPS monitor voltage script
Replies: 10
Views: 377

Re: UPS monitor voltage script

I'm supposed to be on my way home already so I'm not going to write it for you. But I'd do it like this: :if(ups on battery) do={:log voltage} Then add it to the scheduler and run it every 00:00:01. Note that this will be a resource hog and will fill a 1000 entries long log in 15 minutes. Setting t...
by Josephny
Mon Oct 21, 2024 11:24 pm
Forum: General
Topic: UPS monitor voltage script
Replies: 10
Views: 377

UPS monitor voltage script

Using the command: /system ups monitor 0 I see "line-voltage" as well as lots of other data. And, when the line voltage drops, I can see log entries: USB UPS AC power on I would like to see how low the line voltage dropped during those times. And, ideally, the line voltage every second (or...
by Josephny
Sun Oct 20, 2024 6:57 pm
Forum: General
Topic: disconnected, register to other interface
Replies: 9
Views: 492

Re: disconnected, register to other interface

It depends on what you want to do. As mkx wrote Note that in new wifi drivers it's not possible to disable legacy radio standards, it's only possible to cap it to certain radio standards and disable newest ones (yes, sometimes this can be necessary). and according to this: https://forum.mikrotik.co...
by Josephny
Sun Oct 20, 2024 4:21 pm
Forum: General
Topic: disconnected, register to other interface
Replies: 9
Views: 492

Re: disconnected, register to other interface

Thank you again everyone. As much as I try, not a day goes by that I don't learn new things :) Is this correct: /interface wifi set [ find default-name=wifi1 ] channel.band=2ghz-g .width=20mhz configuration.mode=ap .ssid=\ MikroTik-95466C-2.4ghz disabled=no name=wifi1-2ghz security=629 security.au...
by Josephny
Sun Oct 20, 2024 2:21 pm
Forum: General
Topic: disconnected, register to other interface
Replies: 9
Views: 492

Re: disconnected, register to other interface

Most threads nowadays are about the wifi-qcom(-ac) driver. You are still using the legacy/old wireless driver. So...no, I don't see a lot of threads nowadays about this driver. For security settings, start with basic before using more advanced stuff: / interface wireless security-profiles set defau...
by Josephny
Sun Oct 20, 2024 3:53 am
Forum: Scripting
Topic: Enhanced IP Scan with Vendor and Additional Name Sources
Replies: 21
Views: 1699

Re: Enhanced IP Scan with Vendor and Additional Name Sources

Beautiful and useful script!

Thank you for writing this.
by Josephny
Sat Oct 19, 2024 3:59 pm
Forum: General
Topic: disconnected, register to other interface
Replies: 9
Views: 492

Re: disconnected, register to other interface

Could you share your config? /export file=anynameyoulike Remove serial and any other private info and post in between code tags by using the </> button. Current config: # 2024-10-19 08:57:00 by RouterOS 7.16.1 # software id = 80FK-6837 # # model = RBD53iG-5HacD2HnD # serial number = E72C0 /interfac...
by Josephny
Sat Oct 19, 2024 12:47 pm
Forum: General
Topic: disconnected, register to other interface
Replies: 9
Views: 492

disconnected, register to other interface

I'm not sure if this problem is one of the other ongoing problems with threads here. This continues to happen, across devices and locations, and after trying everything suggested in threads here. I understand that there is an analysis that this is client-caused. And, the problem does only happen wi...
by Josephny
Sat Oct 19, 2024 4:49 am
Forum: Wireless Networking
Topic: "not responding" - f.k.a. SA Query timeout
Replies: 159
Views: 29609

Re: "not responding" - f.k.a. SA Query timeout

After having months of constant disconnects and I tested every beta version since 7.15 to 7.17 and tried every possible setting I may have discovered something. I changed wireless interfaces default queue type wireless default(SFQ) to CODEL ( /queue/interface>) add fq-codel-ecn=no fq-codel-interval=60m...
by Josephny
Sat Oct 19, 2024 4:30 am
Forum: Wireless Networking
Topic: Missing wAP ax successor to wAP ac, what are outdoor AX WiFi alternatives?
Replies: 38
Views: 4870

Re: Missing wAP ax successor to wAP ac, what are outdoor AX WiFi alternatives?

wAP ax datasheet: https://www.wifihw.cz/img.asp?attid=3848208 Please upload this PDF here, i can't do it. A humble, good-natured suggestion to Mikrotik's marketing people: Don't use the words "drop" or "drop-in" to market a wifi product. "Dropping" (which when spoken s...
by Josephny
Thu Oct 17, 2024 4:49 am
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

I still get this bursts of log entries every few days.

It looks like they are always mac devices (Macbook or iPhone).

Any ideas on what this means?


.
Screenshot 2024-10-16 214723.png
by Josephny
Wed Oct 16, 2024 2:06 pm
Forum: General
Topic: Backup/Export Dude Syslog Filter Rules?
Replies: 3
Views: 207

Re: Backup/Export Dude Syslog Filter Rules?

I see that running export-db also wipes clean the log entries from The Dude client.
by Josephny
Wed Oct 16, 2024 2:04 pm
Forum: General
Topic: Backup/Export Dude Syslog Filter Rules?
Replies: 3
Views: 207

Re: Backup/Export Dude Syslog Filter Rules?

Full backup or nothing.
/dude export-db
Thank you.

So it's a backup (in backup/restore format only), and not a human-readable form?
by Josephny
Wed Oct 16, 2024 1:30 pm
Forum: General
Topic: Backup/Export Dude Syslog Filter Rules?
Replies: 3
Views: 207

Backup/Export Dude Syslog Filter Rules?

I have been playing with The Dude syslog filters rules and have a large enough (finely tuned enough) list that I realize it would be nice to have a backup. I see the rules in /dude/dude.db-wal but it is not easily readable. Is there a way to backup or export these rules? Here's what I have (reminder...
by Josephny
Tue Oct 15, 2024 2:24 am
Forum: General
Topic: Netwatch changes from 7.14 to 7.16?
Replies: 0
Views: 186

Netwatch changes from 7.14 to 7.16?

I finally worked up the courage to upgrade from 7.14 to 7.16 on a bunch of devices. Mostly went just fine. Couple of scripts needed tweaking. One (of the many things) I noticed is that Netwatch is finding "down" states very very often since the upgrade. I assumed something changed. I use t...
by Josephny
Wed Oct 09, 2024 4:24 am
Forum: General
Topic: [GUIDE] Grafana, Prometheus, and snmp_exporter
Replies: 23
Views: 22189

Re: [GUIDE] Grafana, Prometheus, and snmp_exporter

Can this be used to collect data from 20+ MT devices?
by Josephny
Wed Oct 09, 2024 3:49 am
Forum: General
Topic: Which device Verizon LTE/5g in US
Replies: 3
Views: 958

Re: Which device Verizon LTE/5g in US

It is 1 year later and I wonder if anything has changed?

Specifically, is there an LTE/4G device that will work in the US without jumping through hoops?

Thanks.
by Josephny
Mon Oct 07, 2024 7:20 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

I think I got it. I added a second bridge, added the 2ghz and 5ghz wifi interfaces to that bridge, told the dhcp server to use that bridge, etc. I think it's working. Here's the new config (made with my handy-dandy Notepad++ sanitizer script): # 2024-10-07 12:11:06 by RouterOS 7.16 # software id = 5...
by Josephny
Mon Oct 07, 2024 4:07 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

For one thing, I would think it would be better to keep the same ip address when a station roams from 2ghz to 5ghz. I'm not sure whether this works even when the two interfaces are connected to the same bridge because the phone typically uses a different MAC address for its own 2.4 GHz and 5 GHz...
by Josephny
Mon Oct 07, 2024 2:37 pm
Forum: General
Topic: Command line entry for The Dude syslog rules possible?
Replies: 0
Views: 130

Command line entry for The Dude syslog rules possible?

Is it possible to add/remove/modify syslog filter rules via a command line entry?

Are The Dude syslog rules contained in a user-readable config file?

Thanks.
by Josephny
Mon Oct 07, 2024 2:13 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

Is the fact that there are 2 routes with 0.0.0.0/0 destinations a problem? Two routes with the same destination may be both a desired setup or a wrong one - it depends on circumstances. E.g. if you had two WANs, two default routes could be a desired setup, as the ultimate destination would be the s...
by Josephny
Mon Oct 07, 2024 12:24 pm
Forum: General
Topic: Looking for instruction to isolate guest wifi networks
Replies: 12
Views: 629

Re: Looking for instruction to isolate guest wifi networks

Thanks for instruction. It almost works - however, while 2g guest network works fine (tested by IoT devices and smartphone), 5g guest network rejects WAN request, so smartphone could not connect to internet. Mikrotik hap AC^2, 7.15.3 I'm far from an expert, but I'll try to help. First step is to po...
by Josephny
Sun Oct 06, 2024 11:50 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

Is the fact that there are 2 routes with 0.0.0.0/0 destinations a problem? DAd dst-address=0.0.0.0/0 routing-table=main pref-src= gateway=100.38.160.1 immediate-gw=100.38.160.1%ether1 distance=1 scope=30 target-scope=10 vrf-interface=ether1 suppress-hw-offload=no IsH dst-address=0.0.0.0/0 routing-ta...
by Josephny
Sun Oct 06, 2024 11:44 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

Depends, If you are assigned a static WANIP, its often easier just to set the IP yourself. If assigned a dynamic WANIP a dhcp client setting can make sense for route, but it depends on the ISP provider. Same with ppppoe type connection... Typically if doing something funky with routes its often bet...
by Josephny
Sun Oct 06, 2024 11:35 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

Nothing is 'normal, there are default rules for the very basic setup and the rest are ADMIN decisions. Okay, so is having the DHCP client configured to set up a route on its own the default setting? And, would you recommend changing it? More importantly, do you think that this automatically added r...
by Josephny
Sun Oct 06, 2024 10:20 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

Your complete export has revealed that there is a DHCP client attached to ether1 of the 5009 that is allowed to add a default route. So which port of the 5009 is connected to FIOS, ether1 or some other one? What does /ip route print detail show on the 5009? Isn't it normal/recommended/needed for th...
by Josephny
Sun Oct 06, 2024 8:04 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

Here is a screenshot of last night's log, in case it is useful.

There is only 1 device using this Guestwifi now -- my own iPhone, which works very well with this configuration.

Screenshot 2024-10-06 061750.png
by Josephny
Sun Oct 06, 2024 3:43 pm
Forum: General
Topic: Script or process for sanitizing exports?
Replies: 2
Views: 951

Re: Script or process for sanitizing exports?

If you do /export hide-sensitive, secrets aren't exported that way. Dynamic entries aren't exported with /export too. I wish that worked, but it doesn't. I issued: /export hide-sensitive terse and the following came out. I replaced all the sensitive information with XXXXX (5 capital letters X). The...
by Josephny
Sun Oct 06, 2024 2:20 pm
Forum: General
Topic: Script or process for sanitizing exports?
Replies: 2
Views: 951

Script or process for sanitizing exports?

What process does everyone follow for sanitizing their exports? Mine are full of sensitive information such as wireguard keys, passwords, email address, local and dynamic dns entries/hostnames, serial numbers, mac addresses, dyndns login info, ftp upload info, ip-sec secret, and probably more. I alw...
by Josephny
Sat Oct 05, 2024 11:41 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

Okay, here are the full configs. I sure hope I redacted all sensitive info -- there are many, many instances of mac address, email addresses, dynamic dns names, passwords, wireguard keys, etc. that have to be manually removed. RB5009 # 2024-10-05 10:02:23 by RouterOS 7.14.2 # software id = 2KBD-7ZZ...
by Josephny
Sat Oct 05, 2024 5:26 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

In case the firewall mangle and nat rules might help: RB5009: # 2024-10-05 10:02:23 by RouterOS 7.14.2 # software id = 2KBD-7ZZB # # model = RB5009UPr+S+ /ip firewall mangle add action=mark-connection chain=prerouting comment=\ "Mark connection for hairpin" disabled=yes dst-address-list=dy...
by Josephny
Sat Oct 05, 2024 5:16 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

that is such a fantastic explanation and analysis! [...] It sure seems like it is your #2 explanation: timed out connection resulting in connection-state=new Unfortunately, your conclusion suggests that the explanation wasn't as fantastic as I would like it to be :) Let me reiterate - since the sou...
by Josephny
Sat Oct 05, 2024 3:52 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

To be precise, it actually is a problem, but for sure adding a permissive rule would not be a solution to it. As in IPv4, the majority of user endpoints have private addresses, there are not many useful scenarios where endpoints in the internet would initiate connections to them, as they could only...
by Josephny
Sat Oct 05, 2024 10:28 am
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Re: Need a forward rule

Do not allow. If everything seems to be working do not touch that rule. It could be a leftover of any unexpectedly closed connections etc. It is not surprising that your router is scanned by Apple. I have an issue that my router cut me off the Google services as there were scans initiated from 8.8.8...
by Josephny
Sat Oct 05, 2024 1:32 am
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1662

Need a forward rule

I have the following config: FIOS -> RB5009 -> ax3 LAN is 192.168.2.0/24 RB5009 is 192.168.2.2 ax3 is 192.168.2.5 ax3 has its own DHCP server for its guest wifi clients at 10.0.0.0/24 that provides guests access only to the internet. It seems to work very well but I am discovering surprising log ent...
by Josephny
Sat Oct 05, 2024 12:08 am
Forum: General
Topic: Looking for instruction to isolate guest wifi networks
Replies: 12
Views: 629

Re: Looking for instruction to isolate guest wifi networks

While I'd love to master VLANS, it seems to be beyond me. @tangent solution works for me (thank you @tangent!). These are the config entries I used (I'm sure you'll want to customize to your environment): /interface wifi configuration add datapath.client-isolation=yes disabled=no name=guestcfg secur...
by Josephny
Sat Oct 05, 2024 12:03 am
Forum: General
Topic: ROS Scripting question
Replies: 6
Views: 472

Re: ROS Scripting question

Thanks Amm0. So (in simple language), the script can be run on a group of routers and: 1) Removes any wireguard interfaces, ip addresses, firewall mangle rules, ip routes, dhcp-servers, wireguard peers, interface lists, and routing rules that have "PROTON" in the comment 2) Adds new entrie...
by Josephny
Wed Oct 02, 2024 4:20 pm
Forum: General
Topic: ROS Scripting question
Replies: 6
Views: 472

Re: ROS Scripting question

The scripting, and the concepts behind it, are way beyond me, but I am curious what this script does?

What problem does it solve?
by Josephny
Wed Oct 02, 2024 1:06 pm
Forum: General
Topic: Dude syslog from 16 MT devices
Replies: 0
Views: 194

Dude syslog from 16 MT devices

I am finally at a place where monitoring the log outputs of 16 different MT devices across 8 different physical locations is reasonably efficient. The specific problem I was having is that I am also using Splunk with @jotne scripts that create a lot of log entries every 5 minutes and did not want to...
by Josephny
Sat Sep 28, 2024 11:46 am
Forum: Scripting
Topic: Add more logged detail to fetch?
Replies: 4
Views: 612

Re: Add more logged detail to fetch?

Wow, thank you Amm0. I now have a much better understanding of the log topics "fetch" and "raw". Unfortunately, I did not do a good job of communicating my goal. I maintain: /system logging set 0 topics=info,!script add action=remote prefix="192.168.2.2 " topics=info,!sc...
by Josephny
Sat Sep 28, 2024 12:22 am
Forum: Scripting
Topic: Add more logged detail to fetch?
Replies: 4
Views: 612

Re: Add more logged detail to fetch?

That loud silence....
by Josephny
Fri Sep 27, 2024 12:57 pm
Forum: Scripting
Topic: Add more logged detail to fetch?
Replies: 4
Views: 612

Add more logged detail to fetch?

I have logging set to !script but would like more details logged for a particular fetch command within the script. Here is the script: /system :local cdate [clock get date] :local yyyy [:pick $cdate 0 4] :local MM [:pick $cdate 5 7] :local dd [:pick $cdate 8 10] :local identitydate "$[identity ...
by Josephny
Mon Sep 23, 2024 2:49 pm
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Re: Exclude 1 MAC address from logging

forget action dudelog, you don't need it. Somebody else could maybe help. I'm not going to write dedicated cookbook recipes, nor give exact and verified commands to copy/paste With Mikrotik, you better understand what you are doing, or get stuck every time something changes Expected you to do as I ...
by Josephny
Mon Sep 23, 2024 5:51 am
Forum: General
Topic: Networking Advice
Replies: 11
Views: 1103

Re: Networking Advice

I can imagine very few things as "static" as cameras, you have to go there, bring near the spot an ethernet connection, drill holes in the wall or ceiling, screw them tightly, they won't likely change. I agree that it makes sense to use static addresses for cameras, but more for the abili...
by Josephny
Mon Sep 23, 2024 1:47 am
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Re: Exclude 1 MAC address from logging

Send the logs to DUDE with action "remote" as you do now send them to action "dudelog", forget action dudelog, you don't need it. Make another log entry for the logs now with topic DUDE, and send that to memory buffer, with action "memory" Topic "X" -> action...
by Josephny
Sun Sep 22, 2024 10:59 pm
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Re: Exclude 1 MAC address from logging

Did you send anything to the syslog server (DUDE)? Seems like you did not DUDE set to active? (well actually we do not use any other element of DUDE, only its syslog function) Topic DUDE in the System Logging rules should show the loggings sent to the syslog server (typical action for sending logg...
by Josephny
Sun Sep 22, 2024 12:16 pm
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Re: Exclude 1 MAC address from logging

Having a hard time getting Dude's syslog filtering (using Syslog Rules) to work. Using /system/logging, without an entry that includes certain topics with an action of DUDELOG, the only entries in the dude log are dude-generated entries such as "syslog: Service ssh on 192.168.2.5 is now down (t...
by Josephny
Sun Sep 22, 2024 11:20 am
Forum: General
Topic: Too many winboxes
Replies: 11
Views: 1175

Re: Too many winboxes

What are you doing that you need to be actively making changes to that many routers at the same time?
Personally I don't think I have ever needed more than two open at the same time.
Improving, learning, experimenting, maintaining, monitoring -- that's the whole point.
by Josephny
Sun Sep 22, 2024 3:05 am
Forum: General
Topic: Too many winboxes
Replies: 11
Views: 1175

Re: Too many winboxes

Do like this

Image
Love it!
by Josephny
Sun Sep 22, 2024 1:30 am
Forum: General
Topic: Too many winboxes
Replies: 11
Views: 1175

Re: Too many winboxes

Not only for looking at logs.

How do you manage multiple MT devices if not by keeping multiple instances of Winbox open?

I'd prefer not to do something foolish, so kindly share how the more experienced people do it.
by Josephny
Sun Sep 22, 2024 1:11 am
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Re: Exclude 1 MAC address from logging

Wow! That's wonderful! I need to try Dude again.

Thank you.
by Josephny
Sat Sep 21, 2024 8:58 pm
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Re: Exclude 1 MAC address from logging

Or send your log to syslog [action=remote] (you can add a Prefix also) (eg DUDE has syslog functionality and Syslog Rules that filter on source and Regexp content) (this filtered syslog content can be logged as log topic "dude") I've played with the Dude, and I have Splunk set up, but I c...
by Josephny
Sat Sep 21, 2024 1:42 pm
Forum: General
Topic: Unlock different country in ax3
Replies: 2
Views: 607

Re: Unlock different country in ax3

Devices purchased in the U.S. or Canada cannot be unlocked to use WiFi regulations from other countries, otherwise FCC would not allow them to be sold on those markets.
Thanks.

That is disappointing and surprising.
by Josephny
Sat Sep 21, 2024 1:15 pm
Forum: General
Topic: Too many winboxes
Replies: 11
Views: 1175

Too many winboxes

How do you all deal with keeping winbox connections open to multiple devices?

There's got to be a better solution than how I do it:
toomanywinboxes.png
by Josephny
Sat Sep 21, 2024 12:58 pm
Forum: General
Topic: Networking Advice
Replies: 11
Views: 1103

Re: Networking Advice

You could have the two added cameras on a small, completely different, network, with only three devices in it, let's say 10.0.0.0/29 (ok, six addresses). Then you could use the Hex (or a hap Ax lite) placed near the Windows PC to route or netmap them to 192.168.5.x addresses, but of course this dev...
by Josephny
Sat Sep 21, 2024 12:51 pm
Forum: General
Topic: :find vs. find
Replies: 3
Views: 711

:find vs. find

Does anyone know of a good tutorial (preferably a video) that explains how to use the find command? I am particularly confused with these types of usage: :foreach i in=[/ip addr find] do={ and :foreach i in=[find] and /ip firewall address-list find list="fwaddlist" Thank you.
by Josephny
Sat Sep 21, 2024 12:31 pm
Forum: General
Topic: Unlock different country in ax3
Replies: 2
Views: 607

Unlock different country in ax3

I have an ax3 and can only select country Canada and United States. I would like to experiment with different power outputs and need to select a different country. How can I unlock it? (I am completely rural, so no chance of interfering with others, and have an amateur radio license for experimentin...
by Josephny
Sat Sep 21, 2024 10:08 am
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Re: Exclude 1 MAC address from logging

It is indeed not possible to filter the messages on their way to be logged by contents, nor to tell the processes generating them (dhcp, wireless in your case) to filter them by some parameters of the object being processed. You can only filter them when watching the log.
Thank you.
by Josephny
Sat Sep 21, 2024 8:53 am
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Re: Exclude 1 MAC address from logging

Is this not possible?
by Josephny
Sat Sep 21, 2024 8:34 am
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

I get no data showing up for Wireguard errors. But, when I put the following in a search, I see many messages: index=mikrotik module=wireguard | eval host_id=host_name."-".host | fields _time host interface public_key error host_name host_id serial | eval data=serial | stats count by data ...
by Josephny
Fri Sep 20, 2024 11:58 pm
Forum: General
Topic: Networking Advice
Replies: 11
Views: 1103

Re: Networking Advice

How many megabit/sec is each camera doing ? 2Mbps ? 4Mbps ? 6Mbps In *theory* you can "split" your CAT6 cable into 2 sets of connection, but limited to 100Mbps !! However this *might* not be a problem if you have 4-6Mbps per cam and 12 cams < 100Mbps. The other 100Mbps "channel" ...
by Josephny
Fri Sep 20, 2024 11:52 pm
Forum: General
Topic: Networking Advice
Replies: 11
Views: 1103

Re: Networking Advice

A switch is L2. IP addresses are L3. For all it matters to the switch you could connect to one of its ports a device with *any* IP address, it is a connection on another level. The issue (or non issue) is only that the two networks won't be anymore physically separated, i.e. the two added cameras w...
by Josephny
Fri Sep 20, 2024 8:25 pm
Forum: General
Topic: Networking Advice
Replies: 11
Views: 1103

Networking Advice

I have a location as follows: Cable modem -> Ubiquiti UDM Pro -> (1) hex providing DNS, DHCP, and Wireguard server; (2) Home Assistant server; (3) Proxmox server; (4) Ubiquiti POE switch; (5) Windows PC. The Ubiquiti POE switch has a bunch of Ubiquiti access points connected to it. LAN uses 192.168....
by Josephny
Thu Sep 19, 2024 11:41 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13106

Re: Router OS 7 on UEFI

CHR is intended for deployment as a virtual machine - where you need a virtualized router you are familiar with rather than a bare Linux for production, or where you need to simulate some complicated setups, or where you just need a Mikrotik router running on a public IP for some training, which wa...
by Josephny
Thu Sep 19, 2024 9:41 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13106

Re: Router OS 7 on UEFI

Would some kind person explain to those of us far less knowledgeable what exactly is the situation or use-case for installing ROS in this way?

Do I understand correctly that we are talking about installing ROS on a PC (x86 architecture)?
by Josephny
Thu Sep 19, 2024 2:01 pm
Forum: General
Topic: How to get hostname from /ip arp
Replies: 7
Views: 5018

Re: How to get hostname from /ip arp

Does anyone know how to accomplish this?
by Josephny
Thu Sep 19, 2024 11:21 am
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1194

Exclude 1 MAC address from logging

I have 1 IoT device (a fuel oil tank level monitor) that (I believe by design) connects and disconnects intentionally on a regular and frequent basis. My log fills up with connection and dhcp assignment messages. I like to keep logging those types of events, but I would like to ignore this one...
by Josephny
Wed Sep 18, 2024 2:55 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

I am having a problem with the Netwatch reporting. For me the netwatch script does work fine. It should send a log line each time one device goes up and down. Since the script is very simple, it may be a config error or a bug. Try to take some up/down manually and see in the logs. The problem is when mo...
by Josephny
Wed Sep 18, 2024 11:37 am
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Ye, the wifi/wireless mess. Not sure how to handle that. One of my problems is that I do not have both types. But will try to look into it.
Any news on this?

Sure would be nice to have a table of all connections and disconnections showing the details of each client.

Thank you.
by Josephny
Tue Sep 17, 2024 9:22 pm
Forum: 3rd party tools
Topic: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management
Replies: 69
Views: 13824

Re: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management

Yes you need a Linux server Debian based (Ubuntu recommended) I was confused about the docker install -- I thought it meant installation as a container on an MT device. I just tried the docker install and it failed as follows: Debian GNU/Linux 11 debian tty1 raw/b1fc4e0f283fd48d78861fa1a665fd1cb19b...
by Josephny
Tue Sep 17, 2024 12:22 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

I am having a problem with the Netwatch reporting. I have 8 Netwatch hosts that I am watching on an RB5009 running 7.14.2 If I cycle through disable/enable on each, only 3 are reflected in Splunk. These are the Netwatch entries: /tool netwatch add comment=Netwatch-8.8.4.4-Splunk disabled=no down-scr...
by Josephny
Mon Sep 16, 2024 9:20 pm
Forum: 3rd party tools
Topic: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management
Replies: 69
Views: 13824

Re: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management

I was confused about the docker install -- I thought it meant installation as a container on an MT device. I just tried the docker install and it failed as follows: Debian GNU/Linux 11 debian tty1 raw/b1fc4e0f283fd48d78861fa1a665fd1cb19b734d/installer.sh)" rootsercontent.com/s265925/84f8fdc90c8...
by Josephny
Sat Sep 14, 2024 4:50 pm
Forum: 3rd party tools
Topic: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management
Replies: 69
Views: 13824

Re: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management

I am not well versed in linux. I tried to install this in a Debian LXC under Proxmox and failed. There are too many steps in the installation, and while I appreciate the detail and effort that went into creating the instructions, they did not work for me. I got as far as: psql -U your_username -d yo...
by Josephny
Fri Sep 13, 2024 11:20 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 801

Re: HIDDEN Wifi Networks

I can't say I understand why there is a need in my case for inventing mac addresses. I understand how ROS needs to invent mac addresses for virtual interfaces. I don't know how Ubiquitis are configured for additional SSIDs on same radio, but the end result is the same as on Mikrotik. And that is m...
by Josephny
Fri Sep 13, 2024 3:49 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 801

Re: HIDDEN Wifi Networks

AA:16:9D is actually A8:16:9D and is a roku tv 1E:1E:E3 is actually 1C:1E:E3 and is also a roku TV 9E:05:D6 is actually 9C:05:D6 and is a U6+ AP The addresses on the left are all "locally administered addresses" (see wiki article on MAC addresses) where the second most significant value ...
by Josephny
Fri Sep 13, 2024 1:46 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 801

Re: HIDDEN Wifi Networks

BSSID is usually MAC address of a particular radio. So if you somehow create an inventory of all (real and virtual) radios in your network, then you should be able to figure out which SSID is transmitted by which AP. I was able to find them. Most were falsely identifying the MAC addresses because o...
by Josephny
Fri Sep 13, 2024 1:37 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 801

Re: HIDDEN Wifi Networks

I ran a search within wireshark using only the first 3 octets: eth.addr[0:3] == aa:16:9d or eth.addr[0:3] == 9e:05:d6 or eth.addr[0:3] == 68:d7:9a or eth.addr[0:3] == f4:92:bf or eth.addr[0:3] == 6e:d7:9a or eth.addr[0:3] == 9c:05:d6 And see the packets. They are all coming from UI APs. I suspect th...
by Josephny
Fri Sep 13, 2024 1:15 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 801

HIDDEN Wifi Networks

I am trying to identify the HIDDEN wifi networks shown below. I tried Wireshark on the same PC that WinFi is running, searching by MAC address, but it did not capture any packets. Is there a way to get more details about these devices? Interestingly, this environment is all mine (very remote) -- the...
by Josephny
Fri Sep 13, 2024 12:18 pm
Forum: General
Topic: Suggestions to use a public /24
Replies: 0
Views: 514

Suggestions to use a public /24

This is not strictly Mikrotik related, but there are so many extremely knowledgeable people here, I hope it's okay to ask. I have a public /24 network (issued by ARIN) under my control/ownership for many years now. I have a number of sites, one served by Verizon FIOS and the others by Spectrum Cable....
by Josephny
Wed Sep 11, 2024 1:14 pm
Forum: Scripting
Topic: /tool fetch vs. :tool fetch and /ping vs. :ping
Replies: 5
Views: 552

Re: /tool fetch vs. :tool fetch and /ping vs. :ping

Short: better use "/" just when you need to change actual path or call functions not directly on root. Just some examples: https://forum.mikrotik.com/viewtopic.php?t=177551 About spaces or / Since 7.x it's all than really done, and for other reasons, better use space for thing shared with...
by Josephny
Wed Sep 11, 2024 11:58 am
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1680

Re: Network traffic gets slower, when adding vlans

I think I will add this to my Mikrotik Club Rules :wink: :
1) You do not use VLAN1
2) You DO NOT use VLAN1
3) You do not use detect internet
4)...
I want to join!

I think I've successfully passed the hazing period....
by Josephny
Wed Sep 11, 2024 11:38 am
Forum: Scripting
Topic: /tool fetch vs. :tool fetch and /ping vs. :ping
Replies: 5
Views: 552

Re: /tool fetch vs. :tool fetch and /ping vs. :ping

Thank you OP for asking this question, and thank you @ammo and @rextended for the answers! I hope it would not be considered hijacking the thread if I added a related question: When would you use a slash ("/") vs. a space (" ")? For example: /tool ping 1.1.1.1 vs. /tool/ping 1.1....
by Josephny
Mon Sep 09, 2024 11:20 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

I just discovered that some of my wifi devices are populating Splunk with the wifi connections and some aren't. It seems the "/interface/wireless" vs. "/interface/wifi" is the issue. If we take the "wireless" section of your script and replace the 2 occurrences of the wo...
by Josephny
Mon Sep 09, 2024 11:14 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Script updated to 5.7 Fixes when a pool is used in more than one DHCP server. Since the pool is the same for one or more DHCP server we only take the first find. Change from: :local dname [/ip dhcp-server get [find where address-pool=$poolname] name] to: :local dname [/ip dhcp-server get [:pick [fi...
by Josephny
Mon Sep 09, 2024 11:12 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

@Josephny To start over/delete the device db, or just edit it, install "Splunk App for Lookup Editing". Open it and find device_kvstore. Here you can mark all and just remove rows or edit them. Thank you. I will look into this. In the meantime, I think the scheduled reindexing solved the ...
by Josephny
Sun Sep 08, 2024 5:46 pm
Forum: General
Topic: www-ssl secure?
Replies: 5
Views: 641

Re: www-ssl secure?

This requires /ip/services/www-ssl to be enabled. Is there any downside? Security risk? As with every ROS service, if enabled it's important to protect it from being available too widely. And that's achieved using firewall. Default firewall allows access to (all) router services from LAN. If firewa...
by Josephny
Sun Sep 08, 2024 3:34 pm
Forum: General
Topic: www-ssl secure?
Replies: 5
Views: 641

www-ssl secure?

I just discovered that I can run a batch file (Windows) to call a series of powershell scripts to remotely run ROS scripts -- and am loving it! This requires /ip/services/www-ssl to be enabled. Is there any downside? Security risk? FYI, this is the thread that helped me: https://forum.mikrotik.com/v...
by Josephny
Sun Sep 08, 2024 12:14 am
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

I have a script scheduled to run and it generated a log entry that I like to be able to see in the logs. It initially logged to "info" but keeping logging enabled to memory for info produced too many log entries from the Splunk script. I changed my script to log to "warning" just...
by Josephny
Sat Sep 07, 2024 12:50 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Also had to comment out this section of the script to eliminate the error: # Get detailed command history RouterOS >= v7 # ---------------------------------- #:if ($train > 6 and $CmdHistory) do={ # :global cmd # :local f 0 # :foreach i in=[/system history find] do={ # :if ($i = $cmd) do={ :set f 1 ...
by Josephny
Sat Sep 07, 2024 12:23 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Using an ax3 running 15.3 and the script fails to run with this error: script error: error - contact MikroTik support and send a supout file (10) I traced it to this section of the script causing the error: # Test if pools is used in DHCP or VPN and show leases used # :local dname [/ip dhcp-server f...
by Josephny
Sat Sep 07, 2024 2:27 am
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 408
Views: 149987

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Just getting Splunk set up and I think I messed something up.

I have over a dozen devices and yet only 2 devices are showing up, but repeated/duplicated.

Is there a way to tell Splunk to completely rebuild the database? Or empty it and start over?

Thanks

by Josephny
Sat Sep 07, 2024 12:21 am
Forum: General
Topic: Convert script to create in terminal
Replies: 4
Views: 544

Re: Convert script to create in terminal

You can also use "/system/script export where name=XXXX" to get the "escaped form" of any script (and then cut-and-paste that as needed).
Good to know, thanks :) .
That is super useful!
by Josephny
Fri Sep 06, 2024 8:06 pm
Forum: General
Topic: Convert script to create in terminal
Replies: 4
Views: 544

Re: Convert script to create in terminal

I think I solved my problem. In order to use single (or double) quotation marks we need an "escape" character. The following, for example, works: \n:local ntpstatus \"\"\r\ And, the following code entered in a terminal creates the script. One trick is the use of \n and \r\ on eac...
by Josephny
Fri Sep 06, 2024 10:19 am
Forum: General
Topic: Convert script to create in terminal
Replies: 4
Views: 544

Convert script to create in terminal

Does anyone have a solution to take a script and convert it so it can be added in a terminal window? For example, if I have the following script named "script1": # Get NTP status # ---------------------------------- :local ntpstatus "" :if ([:len [/system package find where !d...
by Josephny
Thu Sep 05, 2024 9:51 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 780

Re: lo iface in LAN list

Got it.

I re-enabled ND, which I do indeed like.

And I will ignore the !LAN FW log.

Thank you!
by Josephny
Thu Sep 05, 2024 8:02 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 780

Re: lo iface in LAN list

If I remove lo from LAN list, the firewall log captures the same message. Running Packet Sniffer with filter set to interface=lo, I see that the packet is: Source: 127.0.0.1 Direction: tx Dst. mac: FF:FF:FF:FF:FF:FF Src port: 5678 Dst port: 5678 Protocol: 2048 IP Protocol: UDP I see that 5678 is the...
by Josephny
Thu Sep 05, 2024 12:57 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 780

Re: lo iface in LAN list

You didn't specify for which device this is but for most there should already be an input accept for 127.0.0.1 from default firewall. That covers lo. In case you removed that rule, I suggest you put it back. It's an ax3, but it's just my testing/learning/modeling MT device. I do indeed have the def...
by Josephny
Thu Sep 05, 2024 12:51 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 780

Re: lo iface in LAN list

For me it doesn't look ok, because lo doesn't actually represent LAN. Eventually you could have some case when you have to have it separate. So my suggestion is to make an explicit accept rule for lo interface and place it before drop rule: /ip firewall filter add action=accept in-interface=lo I ca...
by Josephny
Thu Sep 05, 2024 12:31 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 780

lo iface in LAN list

I have this drop all !LAN input: /ip firewall add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=not-coming-from-LAN But packets from the "lo" interface were getting dropped. So I put "lo" in the LAN inte...
by Josephny
Wed Sep 04, 2024 5:19 pm
Forum: Useful user articles
Topic: Isolated Guest WiFi Sans VLANs
Replies: 15
Views: 5503

Re: Isolated Guest WiFi Sans VLANs

I was wondering if you had any updates, refinements, suggestions, or comments on this solution? It's still working here, as originally presented. Were you hoping for some change, or just confirming the article's published history, that nothing has changed in half a year? I was not hoping for any s...
by Josephny
Wed Sep 04, 2024 2:22 pm
Forum: Useful user articles
Topic: Isolated Guest WiFi Sans VLANs
Replies: 15
Views: 5503

Re: Isolated Guest WiFi Sans VLANs

I hope it is okay to resurrect this old thread. I, too, have struggled with VLANS (and have been unsuccessful) and have wished for a non-VLAN way to create guest wifi networks. I read your very well thought out and well written article here: https://tangentsoft.com/mikrotik/wiki?name=Isolated%20Guest%...
by Josephny
Mon Sep 02, 2024 6:57 pm
Forum: General
Topic: VLAN on ax3 (another attempt)
Replies: 0
Views: 622

VLAN on ax3 (another attempt)

I failed and put on hold my attempts to understand and learn VLANS, but am now trying again. Yes: I did read (about 100 times) @pcunite's wonderful thread. I have an extra hapAx3 that I just set up, wired by ethernet to a minipc that is connected via wifi to my main network (so I have internet acces...
by Josephny
Wed Aug 28, 2024 12:17 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

I don't know if GRE, IPIP, or L2TP would be an alternative to EoIP that would satisfy the needs above, or if there is a better alternative (something without the unnecessary broadcast/multicast traffic problem). I'd suggest you study a bit of the networking basics, like the meaning of L2 and L3 in ...
by Josephny
Wed Aug 28, 2024 12:15 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

There are some users "advertising" the solutions they made for MikroTik monitoring, but of course it is always a bit different from what you would have wanted. As a programmer, I wrote these things using Perl and a Perl Library for MikroTik API use. But of course, Perl is already consider...
by Josephny
Tue Aug 27, 2024 6:04 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

For that function I use API to retrieve things like ARP table, DHCP leases. On a central Linux system I run scheduled jobs that connect to all routers in the network to collect this information and store it in a database, and have a webpage where I get a list of all IP addresses, MAC addresses, hos...
by Josephny
Tue Aug 27, 2024 4:24 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

Sure it is convenient that EoIP transports L2 and thus it may be attractive that routers appear in the Neighbors list or in RoMON, but you should be aware that EoIP is still dependent on IP and so when you do something that would make your router inaccessible in an IP network, would probably still ...
by Josephny
Tue Aug 27, 2024 4:19 pm
Forum: General
Topic: Can't access a single website
Replies: 12
Views: 945

Re: Can't access a single website

That's where selective thinking comes into play - the change (addition of the first EoIP interface to the bridge) was made so long before the issue with access to Yahoo got spotted that the relationship did not pop up immediately, and when thinking back, it was "just adding EoIP to the bridge,...
by Josephny
Tue Aug 27, 2024 4:17 pm
Forum: General
Topic: Can't access a single website
Replies: 12
Views: 945

Re: Can't access a single website

Still, doesn't explain the "ALL of SUDDEN". If it was working all this time with EoIP interfaces, what flipped the switch so to speak ??? sindy knows about another thread of mine where I was asking about (and therefore playing with) EoIP connections, so he correctly deduced that changes w...
by Josephny
Tue Aug 27, 2024 1:55 am
Forum: General
Topic: Can't access a single website
Replies: 12
Views: 945

Re: Can't access a single website

Mysteries like this one often happen if the MTU in your network becomes smaller than the "usual" 1500 for some reason and PMTUD (Path MTU Discovery) is broken (google up "criminally braindead ISP" to learn the details) on the path between the client and the server. So knowing ab...
by Josephny
Mon Aug 26, 2024 9:52 pm
Forum: General
Topic: Can't access a single website
Replies: 12
Views: 945

Re: Can't access a single website

I even changed the DNS on the PCs to use 1.1.1.1 in case it was a DNS problem.
did it work?
No.

Nothing has fixed this problem.

And I've checked dozens of web sites and they all work except yahoo.com and finance.yahoo.com
by Josephny
Mon Aug 26, 2024 9:20 pm
Forum: General
Topic: Can't access a single website
Replies: 12
Views: 945

Can't access a single website

I'm pulling my hair out here. I have an RB5009 connected to Verizon FIOS internet for years now and it's been working great. All of a sudden, none of the computers on the LAN can access yahoo.com or finance.yahoo.com in any web browser. This includes hardwired (cat6) computers to the 5009 as well as...
by Josephny
Sun Aug 25, 2024 2:28 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

Advice? You can use EoIP just like any other L2 ("ethernet-like") interface without adding it to a bridge. And as an alternative (to Wireguard) way to access devices, there is also SSTP, L2TP/IPsec*, IPIP/IPsec* or even bare IPsec*... those marked with an asterisk can be set up using a pr...
by Josephny
Sun Aug 25, 2024 2:17 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

I obviously don't have a firm grasp of what is going on, but I am concerned about this unnecessary DHCP traffic over the Wireguard and/or EoIP connections. That is why I am concerned about your network design involving many EoIP connections in a bridge. This DHCP issue is only the first one you not...
by Josephny
Sun Aug 25, 2024 1:52 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

I created 2 bridge filters: One INPUT and one FORWARD to block ports 67-68 on the interface list DHCPdisabled. It appears that the DHCP servers from each location (with MT device at each location) broadcast (i.e., 255.255.255.255) on the bridge the DHCP requests that come into it. The bridge filter...
by Josephny
Sat Aug 24, 2024 3:33 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

The bridge filter also uses chains, so if you block the server responses in forward , the Mikrotik itself will receive them, whilst other devices on the same bridge will not. Does this mean that using a bridge filter will not block traffic to/from ports 67/68 getting to/from the Mikrotik device? I ...
by Josephny
Sat Aug 24, 2024 3:16 pm
Forum: General
Topic: List for interface type
Replies: 2
Views: 435

Re: List for interface type

Wow, that is powerful.

I'm still struggling with the DHCP ROGUE server detected, so I need to put this on the back burner for now.

You are, as always, a generous fountain of help.
by Josephny
Sat Aug 24, 2024 2:28 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

Hmm... It seems the filter is working: forward: in:eoip-tunnel-to-212 out:ether4, connection-state:invalid src-mac 18:fd:xx:xx:xx:xx, dst-mac ff:ff:ff:ff:ff:ff, eth-proto 0800, UDP, 192.168.2.2:67->255.255.255.255:68, len 328 But I still get a log entry from the DHCP ALERT: dhcp alert on bridge: dis...
by Josephny
Sat Aug 24, 2024 12:04 pm
Forum: General
Topic: List for interface type
Replies: 2
Views: 435

List for interface type

Is there a way to add all eoip interfaces to a bridge without specifying each interface name? That is, is there a way to add an interfaces to a bridge by type? I have multiple eoip interfaces, and would like to add them to a bridge and add them to an interface list. This is what I have now: /interfa...
by Josephny
Sat Aug 24, 2024 12:01 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

Make an interface list for dhcp-enabled or dhcp-disabled interfaces and create an appropriate rule for the specified interface list (rule template above).
That works -- thank you.
by Josephny
Fri Aug 23, 2024 4:25 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Re: Firewall drop DHCP across EoIP

/interface bridge filter add action=drop chain=forward comment=dhcp dst-port=67-68 ip-protocol=udp mac-protocol=ip Use bridge filter. Also you may try to use a specific in/out interface in this rule. My concern is that the bridge has many interfaces, and I need to block DHCP on only some of which. ...
by Josephny
Fri Aug 23, 2024 2:44 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1710

Firewall drop DHCP across EoIP

Does anyone know the best way to drop DHCP requests and offerings across an EoIP connection?

I assume a firewall rule. If so, by port? Or is there a better way?

I have a bunch of EoIP interfaces, and they are all members of the bridge.

Thanks.
by Josephny
Thu Aug 22, 2024 3:07 pm
Forum: General
Topic: Winbox neighbors with EoIP
Replies: 2
Views: 357

Re: Winbox neighbors with EoIP

Should be doable if you enable neighbor discovery for eoip in IP->Neighbors and add your eoip to bridge
Perfect!

Neighbor discovery was already enabled, but I didn't have the eoip interface in the bridge.

Thank you very much!
by Josephny
Thu Aug 22, 2024 2:06 pm
Forum: General
Topic: Winbox neighbors with EoIP
Replies: 2
Views: 357

Winbox neighbors with EoIP

I'm sure I have huge gaps in my understanding, so hopefully you good folks could help. I have a number of physical locations each with an MT device and all devices are connected with both Wireguard and EoIP. When running Winbox on a Windows PC at one location, I can see in Neighbors the local MT dev...
by Josephny
Wed Aug 21, 2024 9:28 pm
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 906

Re: Fetch returns "failure: Unexpected payload received"

I figured it out: "http-auth-scheme=digest" made it work. The following command works: :tool fetch http-method=get user="admin" password="<my_password>" url="http://192.168.0.144/relay/0?turn=on" http-header-field="Content-Type: application/x-www-form-url...
by Josephny
Wed Aug 21, 2024 5:39 pm
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 906

Re: Fetch returns "failure: Unexpected payload received"

In a Windows command prompt, curl does not work with the Shelly authentication enabled. It works fine with the Shelly authentication disabled. Post the exact CURL command you are using. No error provided when it fails? Under Windows, try running. curl -v -u "user" http://192.168.0.144/.. ...
by Josephny
Wed Aug 21, 2024 4:19 pm
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 906

Re: Fetch returns "failure: Unexpected payload received"

In a Windows command prompt, curl does not work with the Shelly authentication enabled.

It works fine with the Shelly authentication disabled.
by Josephny
Wed Aug 21, 2024 3:45 pm
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 906

Re: Fetch returns "failure: Unexpected payload received"

The user:password actually works from a browser. Very likely because the browser itself manages to encrypt/encode/hash/whatever the username/password before sending it to the Shelly. https://reqbin.com/req/c-fkj7kdqi/curl-request-with-credentials Try with curl: curl http://192.168.0.144 --user "...
by Josephny
Wed Aug 21, 2024 2:57 pm
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 906

Re: Fetch returns "failure: Unexpected payload received"

The user:password actually works from a browser. This is the capture: GET /relay/0?turn=on HTTP/1.1 Host: 192.168.0.144 Connection: keep-alive Cache-Control: max-age=0 Authorization: Digest username="admin", realm="shellyplus1-b8d61a886a74", nonce="1724241354", uri="...
by Josephny
Wed Aug 21, 2024 2:49 pm
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 906

Re: Fetch returns "failure: Unexpected payload received"

What I had in mind was to capture (sniff) the communication with Shelly when the request is sent from the browser and when it is sent from the Tik and use Wireshark to "find 10 differences" between the two cases. "Plaintext" means that the communication is not encrypted (you use...
by Josephny
Wed Aug 21, 2024 12:18 pm
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 906

Re: Fetch returns "failure: Unexpected payload received"

I actually tried it without content-type and the result was the same.

Not sure what I should be looking for in the Shelly’s response.

As for plain text, I tried using http://user:pass@<ip> and got a 401 error
by Josephny
Wed Aug 21, 2024 11:40 am
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 906

Fetch returns "failure: Unexpected payload received"

I am trying to use Netwatch to call a script that will turn a Shelly relay off and then back on when internet connectivity is lost. This will power-cycle a cable modem. The Shelly 1 uses an http-post with an ON or an OFF: http://192.168.0.144/relay/0?turn=off When issued from a web browser, it ret...
by Josephny
Tue Apr 16, 2024 2:02 pm
Forum: General
Topic: Watchdog log entries
Replies: 4
Views: 951

Re: Watchdog log entries

Any way to create a log entry that persists a reboot when watchdog is about to reboot?

Or send an email with date/time?
by Josephny
Tue Apr 16, 2024 2:01 pm
Forum: Scripting
Topic: Netwatch down script can't email
Replies: 4
Views: 1550

Re: Netwatch down script can't email

I'm batting around .500 (my usual), which in baseball is fantastic, but in programming, not so much.... Here's my down script: /system :local cdate [clock get date] :local yyyy [:pick $cdate 0 4] :local MM [:pick $cdate 5 7] :local dd [:pick $cdate 8 10] :local identitydate "$[identity get name...
by Josephny
Sat Apr 13, 2024 12:06 am
Forum: Scripting
Topic: Netwatch down script can't email
Replies: 4
Views: 1550

Re: Netwatch down script can't email

Send email on status up instead of on status down.
When go down memorize the datetime in a global variable,
when up send mail with the global variable value
Fantastic solution!

Will attempt to create.

Thank you.
by Josephny
Sat Apr 13, 2024 12:05 am
Forum: General
Topic: Watchdog log entries
Replies: 4
Views: 951

Re: Watchdog log entries

No solutions?
by Josephny
Fri Apr 12, 2024 12:46 pm
Forum: General
Topic: Watchdog log entries
Replies: 4
Views: 951

Watchdog log entries

I have Watchdog set up as shown below. I notice that when a Watchdog timeout occurs, the MT device reboots but (1) I don't get a supout emailed and (2) I get the following in the log upon booting up: System rebooted because of ping watchdog timeout How can I either get a log entry that persists a r...
by Josephny
Fri Apr 12, 2024 12:39 pm
Forum: Scripting
Topic: Netwatch down script can't email
Replies: 4
Views: 1550

Netwatch down script can't email

I use the script below and I notice that when Netwatch runs its "Down" script and tries to send the notification email, it fails due to a "timeout." I understand that it can't send an email if the connection is down, but I'm wondering what the solution is for getting notified (v...
by Josephny
Wed Apr 10, 2024 1:35 pm
Forum: General
Topic: BTH basic question
Replies: 19
Views: 1786

Re: BTH basic question

The technical benefit was well explained above, but another benefit (does not apply in your case) is that BTH is easy to set up, if you do not know how to configure Wireguard and would like to avoid learning RouterOS. BTH app does it in a few steps, all you need is the router password. No need to c...
by Josephny
Wed Apr 10, 2024 10:59 am
Forum: General
Topic: BTH basic question
Replies: 19
Views: 1786

Re: BTH basic question

Thank you guys!
by Josephny
Wed Apr 10, 2024 2:35 am
Forum: General
Topic: BTH basic question
Replies: 19
Views: 1786

Re: BTH basic question

I think I understand. In all locations I have ever worked at, there has been a public IP -- FIOS, Cable, cell phone. Do you mean an environment where access to the WAN router is not available, so that ports cannot be opened or forwarded? This sounds like desktop remote control solutions where the ap...
by Josephny
Wed Apr 10, 2024 2:12 am
Forum: General
Topic: BTH basic question
Replies: 19
Views: 1786

BTH basic question

Can someone please explain (in simple terms) if there is any benefit or reason one would set up BTH if one already has a Wireguard vpn set up?

Thanks.
by Josephny
Sun Apr 07, 2024 8:26 pm
Forum: Scripting
Topic: Script not working
Replies: 5
Views: 1252

Re: Script not working

*) console - replace reserved characters in file and script names with underscores;
Wow, as if the proper usage of "$" and "[" weren't complicated enough in filenames/variable-names.
by Josephny
Sun Apr 07, 2024 8:11 pm
Forum: Scripting
Topic: Script not working
Replies: 5
Views: 1252

Re: Script not working

I don't know what sanitize means in this context?

I'm sure there was no version that would have given me a health problem (except maybe psychological problems).
by Josephny
Sun Apr 07, 2024 6:47 pm
Forum: Scripting
Topic: Script not working
Replies: 5
Views: 1252

Script not working

I just cannot get this to work. identity of MT device is: 125-hAP The script creates the file: _125-hAP_2024-04-07_.txt Including the underline characters at the beginning and end of the file But the fetch command cannot find the file. /system :local cdate [clock get date] :local yyyy [:pick $cdate ...
by Josephny
Sat Apr 06, 2024 3:22 am
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 1210

Re: Firewall/Routing Question

Because if you have lots of users, its easier to give them and have them remember a name than a number. I do understand that it is easier to remember BlueIris:81 than 192.168.0.1:81; but he doesn't want this accessible from the internet, so I don't see any advantage to using the public ip. So why n...
by Josephny
Sat Apr 06, 2024 3:18 am
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 1210

Re: Firewall/Routing Question

Is there a way to make it so that I can browse to A.dyndns.org:81 There are many things that can be done, but I have to ask; what is the advantage of accessing it via the "external" A.dyndns.org ip address? To me, this just seems like added complexity with no real benefit. That's an easy ...
by Josephny
Fri Apr 05, 2024 4:15 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 1210

Re: Firewall/Routing Question

Trying to understand, but it will take time. In the meantime, I'm using these 2 rules. Port 81 points to the internal to LAN A BI server at .101 Port 8123 points to the internal to LAN A Home Assistant server at .162 /ip firewall nat add action=dst-nat chain=dstnat comment=a.dyndns.org:81 dst-addres...
by Josephny
Fri Apr 05, 2024 2:12 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 1210

Re: Firewall/Routing Question

Is there a way to make it so that I can browse to A.dyndns.org:81 It may be possible to construct a DST-NAT combination on router of site B which would work most of time ... except in time periods after change of A public IP address (because A.dyndns.org has to be updated and TTL of the old record ...
by Josephny
Thu Apr 04, 2024 5:43 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 1210

Re: Firewall/Routing Question

Thank you for your help. Your explanation is not complete or maybe just lacks some clarity. Are you saying that a. Users at Device B, via wireguard, successfully access the Iris Server on the LAN at Device A? Note: Assuming the users simply put in their APP or browser 192.168.0.1 : 81 and the connec...
by Josephny
Thu Apr 04, 2024 3:04 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 1210

Firewall/Routing Question

I have multiple locations, but for the purpose of this question, let's just call them A and B. A and B get a public IP from their upstream provider and we use dyndns.org for dynamic DNS. A's LAN side is at 192.168.0.0/24 B's LAN side is at 192.168.2.0/24 A and B have a nice reliable Wireguard and Eo...
by Josephny
Wed Apr 03, 2024 1:11 pm
Forum: General
Topic: EoIP Log Entries explanation requested
Replies: 2
Views: 341

Re: EoIP Log Entries explanation requested

Great, thank you.

Now I've got to go and google IPIP -- so I can have a clue (;-)
by Josephny
Wed Apr 03, 2024 1:06 pm
Forum: General
Topic: Watchdog smtp.gmail.com
Replies: 1
Views: 352

Re: Watchdog smtp.gmail.com

Just read the manual section for the SMTP Server:

"send-smtp-server (string; Default: )
SMTP server address to send the support output file through. If not set, the value set in /tool e-mail is used."

Will try it with empty field for "smtp-server"
by Josephny
Wed Apr 03, 2024 1:00 pm
Forum: General
Topic: EoIP Log Entries explanation requested
Replies: 2
Views: 341

EoIP Log Entries explanation requested

Having recently set up EoIP, I'm curious about the regular log entries (below). Is this normal? Should I change the timeout/retries in the EoIP tunnel configs (they are now the default 10 seconds/10 retries)? 04-02 21:21:03 ipsec,info ISAKMP-SA dying 100.38.xxx.xxx[500]-67.245.xxx.xxx[500] spi:xxxxx...
by Josephny
Wed Apr 03, 2024 12:45 pm
Forum: General
Topic: Watchdog smtp.gmail.com
Replies: 1
Views: 352

Watchdog smtp.gmail.com

I have watchdog set up and it appears to be working except for the "auto send supout". I'm guessing gmail doesn't like me (even though I'm a google workspace (formerly google apps) subscriber). /system watchdog set auto-send-supout=yes ping-start-after-boot=10m \ ping-timeout=10m send-email...
by Josephny
Tue Apr 02, 2024 11:39 pm
Forum: General
Topic: Wireguard DNS re-resolution script
Replies: 4
Views: 727

Re: Wireguard DNS re-resolution script

So I don't need the script at all, right?
by Josephny
Tue Apr 02, 2024 1:37 pm
Forum: General
Topic: Wireguard DNS re-resolution script
Replies: 4
Views: 727

Wireguard DNS re-resolution script

I've had the script below (reload the endpoint's DNS) set in scheduler to run every 30 minutes. Lately I've noticed that the "if...do" is triggered (i.e., the "if" resolves to "yes") every time the script is run, despite $LastHandshake being less than 5m. Pretty sure $L...
by Josephny
Sat Mar 30, 2024 10:37 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

I'm an idiot.

I'm scouring the exports to compare 355 and 255 MT device's configs and I see that the GRE FW rule was set to FORWARD (instead of INPUT).

Sorry for the false alarm.
by Josephny
Sat Mar 30, 2024 9:55 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

More info:

On the 355 device, under IP | IPSEC | ACTIVE PEERS, both tunnels show as ESTABLISHED, with both tx and rx bytes and packets.

If I'm reading this correctly, the IPsec tunnels are established between the 355 device and the 212 (and 371) device(s) but the EoIP tunnel is not.

Any ideas?
by Josephny
Sat Mar 30, 2024 9:39 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

Still working on this, but no success yet. I even tried removing the IPsec secret on both sides of the EoIP tunnel and still could not get a Running status on the 355 side. Does that change the analysis about the UDM not allowing IPsec through? I don't see any differences in between the UDM at 255 a...
by Josephny
Sat Mar 30, 2024 7:46 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

I just set things up here so the router I call 212 has an EoIP connection to a bunch of others (76, 125, 629, 371, 255, 355). All but 255 and 355 are MT devices and work great. 255 and 355 are Ubiquiti UDM-Pro routers with hEX's behind them (essentially providing WG services; and now EoIP connectivi...
by Josephny
Sat Mar 30, 2024 7:28 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

Note that when I added an ipsec key, I was forced to turn off "Allow Fast Path"
Which is okay, you're really just using it for management. But all encryption has to flow through the CPU anyway.
Makes perfect sense -- thanks.
by Josephny
Sat Mar 30, 2024 5:39 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

Good thing for me that you guys pointed out the ipsec entry.

I had left it empty.

Note that when I added an ipsec key, I was forced to turn off "Allow Fast Path"
by Josephny
Sat Mar 30, 2024 4:45 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

I like the idea of EoIP because of the advantages of layer 2 connectivity to all devices, but I am concerned about traffic or taxing the MT devices with firewall rules. The idea is EoIP just carries RoMON protocol. If EoIP is NOT bridge to anything, and each end has a unique IP address in same subn...
by Josephny
Sat Mar 30, 2024 4:18 pm
Forum: General
Topic: Watchdog, or alternative?
Replies: 8
Views: 844

Re: Watchdog, or alternative?

My situation does not use LTE. Mine are Verizon FIOS and Charter Spectrum cable connections. I'd really like to play around with LTE connectivity, but I could never get a clear answer that there is a straightforward way to get this done here in the USA. But now I'm confused about how the ping-timeou...
by Josephny
Sat Mar 30, 2024 3:48 pm
Forum: General
Topic: Watchdog, or alternative?
Replies: 8
Views: 844

Re: Watchdog, or alternative?

LOL! Yes indeed, a UPS is a good thing.

The problem is that I don't know what exactly is going on.

I just had someone go again this morning to power cycle the entire network environment, and now it is up and running.

Just trying to add as many layers of protection as possible.

Disagree?
by Josephny
Sat Mar 30, 2024 3:23 pm
Forum: General
Topic: Watchdog, or alternative?
Replies: 8
Views: 844

Re: Watchdog, or alternative?

Does this look good: /system watchdog set auto-send-supout=yes ping-start-after-boot=10m ping-timeout=2m send-email-from=joseph@xxxxx.com \ send-email-to=joseph@xxxx.com send-smtp-server=smtp.gmail.com watch-address=1.1.1.1 Do I understand correctly that by including the watch-address I have enabled...
by Josephny
Sat Mar 30, 2024 12:43 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

SSTP sounds very interesting. Renewing a certificate every 3 months does sound like a recipe for disaster. Any downside to using SSTP without a cert? I like the idea of EoIP because of the advantages of layer 2 connectivity to all devices, but I am concerned about traffic or taxing the MT devices with fir...
by Josephny
Fri Mar 29, 2024 8:20 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

It sounds like a great.

I’m concerned (don’t know if justified) that doing this will create one large broadcast lan. I’m sure there are good ways to prevent all traffic on all eoip-connected devices from hearing each other. Something better than a firewall drop rule.
by Josephny
Fri Mar 29, 2024 7:12 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

So the dyndns address check out to the current WANIP of the remote device and you can ping the device but WG does not come up?? Did you make any changes to the config prior to losing connectivity as there is no clear reason I can think of that would cause loss of connectivity. Well, I can’t be sure...
by Josephny
Fri Mar 29, 2024 7:09 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

I have had it on my to-do list to play with EoIP for a while.

Can EoIP be set up between MT devices independently of Wireguard?

I ask because the WG tunnel is not up to that device, so if EoIP relied on it, EoIP would not work.

I don’t know how to set it up.
by Josephny
Fri Mar 29, 2024 6:54 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

Re: How insecure of 8791?

Telnet is not enabled on any of my devices. The only way to access any of my devices is by being on the LAN or connected via WG. Many of my devices are hEX, so not ARM. I had someone go and cycle the power, and I know it comes back up because I have a netwatch script that emails when connectivity to...
by Josephny
Fri Mar 29, 2024 6:14 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 2358

How insecure of 8791?

I have (yet another) location where the MT device is unresponsive. I lost Wireguard connectivity, but I can ping it. No response to telnet, ssh or mac telnet. I understand it is not advised, and there has been a (warranted) scare or two, but how insecure is leaving port 8291 (Winbox) open to the Int...
by Josephny
Thu Mar 28, 2024 4:12 pm
Forum: General
Topic: Watchdog, or alternative?
Replies: 8
Views: 844

Re: Watchdog, or alternative?

Great, I'll do exactly that.

Thank you.
by Josephny
Thu Mar 28, 2024 11:53 am
Forum: General
Topic: Watchdog, or alternative?
Replies: 8
Views: 844

Watchdog, or alternative?

I have one location that occasionally loses power and (I don't know why but) when the power is restored, connectivity to the MT device is not. It requires physically going to the location and power cycling the MT device. I was thinking of using Watchdog to have the device reboot itself. Maybe use a ...
by Josephny
Wed Mar 27, 2024 9:50 pm
Forum: General
Topic: AX3 Wifi confusion
Replies: 9
Views: 1180

Re: AX3 Wifi confusion

In the heart of an incredibly RF and people dense city, in a huge apartment building, I don't have a choice but to use DFS channels. Well, then set this to skip-dfs-channels=disabled ... only then will your ax3 try to use DFS channels (note the wording of property, it includes "skip"). Wo...
by Josephny
Wed Mar 27, 2024 2:05 pm
Forum: General
Topic: AX3 Wifi confusion
Replies: 9
Views: 1180

Re: AX3 Wifi confusion

well, your issue is all about "skip-dfs-channels=all". No experience with Russia, but maybe they don't have DFS regulation and that's why it works for you. In the heart of an incredibly RF and people dense city, in a huge apartment building, I don't have a choice but to use DFS channels. ...
by Josephny
Wed Mar 27, 2024 10:55 am
Forum: General
Topic: AX3 Wifi confusion
Replies: 9
Views: 1180

Re: AX3 Wifi confusion

Sorry about not identifying the error. I started a new thread because it was a new topic that the original thread morphed into, from here: https://forum.mikrotik.com/viewtopic.php?p=1065645#p1065645 The error is: "NO SUPPORTED CHANNELS" Upon further playing around, I discovered that if I c...
by Josephny
Wed Mar 27, 2024 2:06 am
Forum: General
Topic: AX3 Wifi confusion
Replies: 9
Views: 1180

AX3 Wifi confusion

I've moved on from the bottleneck issue (other thread) -- which means I can't stop focusing on the wifi channel issue. I have reset the radio provisioning and recreated the wifi interface for 5ghz. Tried 5Ghz N, AC, and AX Left the Channel Width empty. And tried all frequencies from 5160 to 5885 in ...
by Josephny
Sun Mar 24, 2024 5:32 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

The following work: 5180 5745 The following result in the "no supported channels" error: 5260 5500 5580 5660 5825 Problem is that 5180 is already busy 5745 is less busy than 5180, but still not empty. Yes, this is not addressing the wired throughput problem. Not ready to wipe the device cl...
by Josephny
Sun Mar 24, 2024 5:14 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

I have been playing around with frequencies. I found the following that do not result in an error: 5240-5320 5560-5895 5735-5895 5765 5220 /interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5560-5895 \ .skip-dfs-channels=all .width=20/40/80mhz configuration.country=\ "...
by Josephny
Sun Mar 24, 2024 4:06 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

Yes, US.

BTW, I just installed and ran inSSIDer and this is what my wifi environment looks like:
Screenshot 2024-03-24 100423.png
by Josephny
Sun Mar 24, 2024 3:56 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

Using wifi-qcom 7.14
by Josephny
Sun Mar 24, 2024 3:55 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

Band options include:
A
A/N
AC
AX

Width options are:
20/40/80Mhz
20/40Mhz
20/40Mhz Ce
20/40Mhz eC
20Mhz

Entering 5260 with AX and 20/40/80Mhz results in "no supported channels"
by Josephny
Sun Mar 24, 2024 3:31 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

Thank you for the great analysis. I try not to use 2.4 for anything other than IoT devices, so my interest is almost entirely in the 5ghz band. When I enter 5250 as the frequency, I get the red message at the bottom of the INTERFACE <wifi1> box that says "no supported channels" I've played...
by Josephny
Sun Mar 24, 2024 1:16 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

Good -- makes perfect sense to focus on the wired connection between the ax3 and 5009. I will need to set aside time to focus and remain calm for the process of resetting the AX3. (Things like this tend to take 4 times longer and be 8 times as frustrating as they should.) In the meantime, I ran a fr...
by Josephny
Sun Mar 24, 2024 12:56 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

As always, thank you so very much! AX3: The AX3 is used exclusively as (1) a wifi AP and (2) a switch. ether1 on the AX3 is connected to the RB5009 port 4. ether3 and ether4 to a tv set top box The second bridge called "Guest-Bridge" is disabled and hasn't been enabled in a very long time. ...
by Josephny
Sun Mar 24, 2024 1:07 am
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

I've played with the Mikrotik Home Assistant integration a while ago, but RouterOS's upgrade broke it.

https://github.com/tomaae/homeassistant ... issues/328
by Josephny
Sat Mar 23, 2024 10:23 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

Anything in the below config can explain a connectivity/throughput slowdown? Here's the AX3 config: . # 2024-03-23 16:05:29 by RouterOS 7.14 # software id = 5NRD-V1QF # # model = C53UiG+5HPaxD2HPaxD # serial number = HDxxxxxx /interface bridge add disabled=yes name=Guest-Bridge port-cost-mode=short ...
by Josephny
Sat Mar 23, 2024 6:10 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

Okay, connected the laptop via cable to the AX3. The test setup is: Laptop - cable - AX3 - cable - RB5009 - cable - desktop iperf from laptop to desktop is now: 500Mbit/s (62MB/s) Not great, but much, much faster. Then I took another laptop and wired it to the AX3, so the set up is: Laptop via cable...
by Josephny
Sat Mar 23, 2024 4:51 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

You guys know so much! I just ran iperf on a Windows 11 laptop connected via wifi to the AX3, on one side. On the other side, a Windows 11 desktop connected via ethernet cable to the 5009. That means: Laptop (wifi to) -> AX3 (wired to) -> RB5009 (wired to) -> Desktop Result from running test a few t...
by Josephny
Sat Mar 23, 2024 3:34 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Re: Where's my bottleneck?

Hey Anav -- thanks! Usual disclaimer that I know nothing.... My understanding is that iperf should not be run on the MT device, but rather on devices connected immediately to MT devices. As such, the test would look something like: DEVICE-RUNNING-IPERF -> MT-DEVICE -> INTERNET -> MT-DEVICE -> DEVICE...
by Josephny
Sat Mar 23, 2024 2:55 pm
Forum: General
Topic: Where's my bottleneck?
Replies: 29
Views: 9313

Where's my bottleneck?

I'm running 7.14 stable on an RB5009, wired to an AX3 (also running 7.14). Most local clients connect via wifi to the AX3. I'm experiencing less than desirable performance and trying to figure out why. Speed test from the AX3 to the 5009 results in: 265us / 360us / 515us Bandwidth test average: 956....
by Josephny
Sat Mar 02, 2024 2:54 pm
Forum: General
Topic: VLAN struggles (continued)
Replies: 7
Views: 877

Re: VLAN struggles (continued)

I just watched:

https://www.youtube.com/watch?v=4Z32oOPqCqc

Fantastic video.

Too bad my head overheated and melted down 1/2 way through.
by Josephny
Sat Mar 02, 2024 1:37 pm
Forum: General
Topic: VLAN struggles (continued)
Replies: 7
Views: 877

Re: VLAN struggles (continued)

Bump
by Josephny
Fri Mar 01, 2024 2:39 pm
Forum: General
Topic: VLAN struggles (continued)
Replies: 7
Views: 877

Re: VLAN struggles (continued)

Thank you so much for the help/education in how to ask for help -- nothing more valuable! I understand that there are 2 main components of the solution: VLAN filters and firewall rules. Here's my attempt to put to use your advice. I hope I've at least come somewhat close to doing it well. My goal is...
by Josephny
Fri Mar 01, 2024 1:29 pm
Forum: General
Topic: VLAN struggles (continued)
Replies: 7
Views: 877

VLAN struggles (continued)

Every now and then I (re)decide to learn VLANs. And it always ends in frustration. Yes, I've read and watched and listened and thought.... I'm thinking maybe I need a real world task to get the concepts and techniques to sink in to my brain. Maybe some kind soul would help me. Below is simplified di...
by Josephny
Mon Feb 26, 2024 9:00 pm
Forum: General
Topic: How to change WG handshake timeout
Replies: 8
Views: 988

Re: How to change WG handshake timeout

Wow! What a deep reference.

Thank you.
by Josephny
Mon Feb 26, 2024 8:16 pm
Forum: General
Topic: How to change WG handshake timeout
Replies: 8
Views: 988

Re: How to change WG handshake timeout

I certainly don't see any setting that can do this.

Hard coded?
by Josephny
Mon Feb 26, 2024 10:12 am
Forum: General
Topic: How to change WG handshake timeout
Replies: 8
Views: 988

How to change WG handshake timeout

Is there any way to change the timeout from 5 seconds to give the system a little more time before logging the error:

"handshake for peer did not complete after 5 seconds, retrying"

Thanks.
by Josephny
Tue Feb 20, 2024 3:36 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

Yes, I sent a configured device and the local guy was able to replace the non-functioning one with it. So, the site has been up and running just fine, but I just got here so I wanted to see the state of the old device. Corrupted file system makes sense. It happened during a remote RouterOS upgrade. ...
by Josephny
Tue Feb 20, 2024 2:12 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) - UPDATE [SOLVED]

I finally made it to the site. Powered up the hEX and the green power LED lit up. Then, every ~30 seconds, it beeped and the USR light would go on for ~1 second. This cycle repeated continuously. I don't know what state this is, but it did not have an ip address in the 192.168.0.0/16 range nor did i...
by Josephny
Mon Feb 12, 2024 2:02 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

Yes indeed, always learning. Great in many ways, but tiring. Netinstall is nice (in part) because you get to select the RouterOS version, and then can readily paste the .rsc file into a blank config. This is what I wound up doing. Shipping the device to the site today and hopefully plugging it in wi...
by Josephny
Mon Feb 12, 2024 12:56 am
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

Well, after several attempts and realizing that a netinstall using at least a newer version of routeros and not adding the default config I was able to simply copy and paste the saved rsc.

Thanks for all the help everyone.
by Josephny
Sun Feb 11, 2024 10:36 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

I ordered a new hEX and just got it. I have a recent export (.rsc) and am trying to use it, but I'm getting a lot of error messages that some commands fail because of existing config. Is there a straightforward way to import a .rsc to a new MT device without any concern for overwriting the default c...
by Josephny
Sat Feb 10, 2024 10:38 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

The problem is if I set up the pc with a direct cable (or even through the UDM acting as a switch) it will require changing the ip settings on the pc and that would eliminate my remote access to the pc. Well, you already said you did not see the router in winbox or netinstall so no need trying IP. ...
by Josephny
Sat Feb 10, 2024 7:00 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

The problem is if I set up the pc with a direct cable (or even through the UDM acting as a switch) it will require changing the ip settings on the pc and that would eliminate my remote access to the pc.
by Josephny
Sat Feb 10, 2024 5:34 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

I've got you all beat. Had the same experience with a router 11265.4 kilometers away from my location. Fortunately I had someone at the location who was able to reset the router and do a simple config so that I could connect and finalize the configuration. Unfortunately it was someone who is not te...
by Josephny
Sat Feb 10, 2024 5:33 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

Is one of the ports off the bridge....... Then the remote person could plug in a laptop and access the router that way......... I don't recall if I left a port off of the bridge. Regardless, plugging a cable from a port on the hEX to a laptop and running anything is way above the skill level of the...
by Josephny
Sat Feb 10, 2024 5:28 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Re: Can't access hEX (pretty urgent) [SOLVED]

100 miles ? I've had it once with an SXT serving cAP AC and cAP mini over 900km away. No remote connection anymore, nobody onsite. Small problem. Luckily just the week before I was going towards that location so no major problems caused. Netinstall should be done 1) putting Hex in netinstall mode (...
by Josephny
Sat Feb 10, 2024 4:07 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 3720

Can't access hEX (pretty urgent) [SOLVED]

I've gone and done it now. I have a hEX at a location 100 miles away. I was fiddling (remotely) and issued a reboot command. Now it is unreachable. Luckily, it is not the primary router. It essentially is only a WireGuard device. But, it's still pretty important. I can remote into both the main rout...