MikroTik

optio

If you want to make script more flexible for dynamically handling connect SSIDs depending by ROS configuration without need to edit script - you could create wifi configuration ( /interface/wifi/configuration ) for each SSID with certain comment for finding in script (eg. "[connect config]"...

optio

@jonjm that cannot be true, unless you removed script error logging, :error command aborts script with error which is logged unless script is executed from CLI.

error-scheduler.png

error-scheduler-log.png

optio

Still IMO rsc is missing then quit/exit command to abort execution without error(:error) to avoid workarounds putting code into function just to exit script by some condition.

optio

@jonjm this :return issue is still present as I described above, so your script will produce error log on return if script is not executed from CLI (Terminal), eg. directly from Winbox/WebFig GUI or scheduler.

return-scripts.png

script-logs.png

optio

If you did not realize it either, then we were together on that, so you can join the club.

He knows that, for sure

optio

Hmm, and there is no script error in logs if :return is called from code that is not in function scope? I can bet that was happening before and I needed to decuple code into functions to avoid that. Maybe it is fixed in some later ROS ver...

optio

IMO point is here to exit script without producing error and avoid deep condition nesting (guard conditions)... As I recall :return <sometning> did not produce error (or just script error wasn't logged) up to some 7.x version when called outside function, but now does. Simple workaround without chan...

optio

It was a bug up to some 7.x version as @rextended mentioned in linked topic. One usually expect that variable is assigned by value, not reference, in scripting languages (as opposite in Java for eg.), and MT fixed that, so there is no need to manually create new array with copy of elements of other ...

optio

Try to put some delay (eg. :delay 10) before executing lte commands on startup, can be that modem firmware was not initialized yet when command is executed. See in ROS logs when first lte log message appears and adjust delay accordingly.

optio

I’m disabling wifi interface to force clients to disconnect when bssid is changed, but I will check how client behaves when bssid is changed while connected…

optio

Not using CAPsMAN, but it think it is more complex than just set random mac on CAP device, I think script executed on CAP will need also to update new mac on CAPsMAN device, over API for eg. Also maybe better solution will be to run script on CAPsMAN which will randomize macs for each CAP client and...

optio

Here is my approach which I'm using (on ROS 7.16.2): :local randBssid do={ :local macOctets [:toarray ""] :local oct "" :for i from=0 to=[:len $bssid] do={ :local chr [:pick $bssid $i ($i + 1)] :if ($chr = $macDelimiter) do={ :set macOctets ($macOctets, $oct) :set oct ""...

optio

@S8T8 for adding members to interface list :range is not useful as @Amm0 mentioned because interface param for adding list interface member doesn't accepts array (and IMO it will be wrong usage to build interface names list with :range even if is accepted), just find interfaces with proper condition...

optio

Also socket adapter for WSON8 can be used, like this https://vi.aliexpress.com/item/1005005261973767.html . This will simplify soldering, but particular adapter from link doesn't look robust and not sure is it reliable when board is shaked when transfering device. Maybe adapters with better quality ...

optio

https://www.youtube.com/watch?v=fT4s5ZdmIY8

optio

@Amm0, yes issue is with enabled QEMU Hypervisor for aarch64 CHR, it should be disabled, I had same issue as @monk when I was setting this up before, for X86_64 doesn't have affect since it's different architecture. Regarding RNG device, it is also working when it is enabled, maybe it will approve p...

optio

Yes, you are right, I did not test it properly (I did't flush connections), I don't think @anav routing solution can work in this case when IPsec gateway is dynamic IP. @rextended solution with scheduled script is currently easiest workaround. Also maybe to try implementing like in this topic https:...

optio

@darkman I misunderstood packet flow diagram regarding IPsec, did not work much with it, yes it won't work with just firewall filter rule, it not possible to distinct IPsec traffic like that... I see you already have proposed solutions from @rextended by disabling src nat rule for IPsec with schedu...

optio

It seems I will need to setup on my device this and see what is happening…

optio

@darkman do you see packets counts on ipsec rules (defconf: accept in/out ipsec policy) above it? They should accept ipsec traffic before this drop rule. Also set NordVPN DNS addresses (from here ) as ROS DNS upstream DNS (Servers in IP->DNS), maybe it is just your current DNS blocked. If you need c...

optio

Well, it will work like that until googleadservice changes IP, this is not uncommon if is behind some load balancer and some service node becomes unavailable, not really good solution for whitelisting hosts IMO. @Rox169 use Pi-hole or AdGuard instead ROS DNS if you need any even slightly more featur...

optio

I changed the first topic. NO I do not use PiHole as DNS. I only took the adlist StevenBlack which is used in PiHole by the way....I use adlist in roteros only. Ah ok... I was confused by mentioning Pi-hole in context, yes StevenBlack adlist is used by default in Pi-hole... Not sure if you can over...

optio

Why is the text in this post is struck through ? And what does <peer_name> stands for ? What should I put there ? Because it is not a solution for your "killswitch" as I realized and written in my post after that, it's just a command to disable VPN connection. See what is written in post ...

optio

So if the VPN connection drops, the router will cut off everything from the internet. Ah, that you mean by "killswitch"... Above command is for disable/enable VPN connection. Ok, personally I will done it with firewall filter rule and drop all forward from LAN interface list to WAN interf...

optio

/ip/ipsec/peer/set [find name="<peer_name>"] disabled=<yes|no>

optio

EDIT: Well dip me in tar and feathers, Wireshark doesn't show any connection from Winbox, sounds like the changelog really arrives from ROS... It is fetched from ROS and transferred to WInbox. Using packet sniffer on ROS is visible... Here is TCP stream to upgrade.mikrotik.com:80 when checking for ...

optio

A lot of stuff above.. @darkman I have NordVPN setup (IPsec) on ROS just for fun and was pretty straight forward to setup based on their article -> https://support.nordvpn.com/hc/en-us/articles/20398642652561-MikroTik-IKEv2-setup-with-NordVPN , sometimes (most times) it is better to search web befor...

optio

I also use adlist with StevenBlack from PiHole.

Do you use PiHole as DNS which uses ROS DNS as upstream DNS?

optio

Best way is then to report bug ticket to MT support service desk (uses different account than forum) if over CLI works but not over API.
Describe issue with example and attach autosupout.rif file if is generated after crash.

optio

What happens if you update same property (name) over CLI with set for same interface? Is this property actually possible to update or is just read-only property when interface is added? Did you try update other property over API like link-monitoring like in doc.

optio

Here is simple global function for fetching changelog: :global changelog do={ :local version :if ([:typeof $1] = "str") do={ :set version $1 } else={ :onerror e { :set version ([/system/package/update/check-for-updates as-value]->"latest-version") } do={ :error "Unable to ch...

optio

Great work. I will try them on Silicon Mac when I find some time and report back.

optio

I think even Winbox is fetching from "crafted" url:

https://download.mikrotik.com/routeros/<version>/CHANGELOG

Why not using it with fetch tool from CLI?

Simple script with global function for it can be made if you want to avoid typing it every time.

optio

Yes, I wrote "It depends" :) But from my experience I didn't detect much false positives, only P2P torrents are hard to detect. But at least they are falling under unknown traffic with lowest prio so it is big deal for QoS in my case. Also my understanding is that modern apps exhibit strat...

optio

It depends, websites IPs can be resolved with address lists unless are shared with other site by reverse proxy, also apps have their server/port ranges which are using and connections to these IPs/ports can be marked in firewall mangle. For eg. I created queue tree for QoS based on such mangle rules...

optio

Yes, because there will no be additional logic in ROS script for processing lists to create aggregated list, just commands for adding / removing address list items.

optio

My original intention was to do the heavy job of comparing IPs from two different lists rather on a utility device instead of my router. I understand, hybrid solution will work in this case, comparing lists and generating new one can be done outside ROS (CPU load will not be on ROS device), but imp...

optio

@An5teifo Generally calling API requests as replacement for ROS script which performs many config updates is bad idea, especially using many API requests in loops. Difference in CPU load is because there is much more overhead on API request vs local command, CPU is used for firewall, networking, API...

optio

I cannot ping it from a PC, nor can I open the Pi-hole page. I can ping the container bridge .1 from the PC (and the terminal, obviously). add action=accept chain=forward comment="Allow Containers Anywhere" in-interface=containers this forward rule only allows packet forward to containers...

optio

Ah, forgot it's under Linux, maybe with plistutil for conversion + some XML edit tool like xmlstarlet ? plistutil comes with libplist-utils package. plistutil is not even needed if .plist is not in binary format or it can be used to convert to JSON format and such can be modified with jq tool (inste...

optio

Ok, to follow up my post, @rextended was probably thinking in direction for having fake admin user with very strong password and other user with less strong password, but still, brute force attack can be performed in parallel tasks which one task tries to brute force admin user and other which tries...

optio

But with this analogy what is difference to brute force fake admin user or changed admin user with strong password which takes "a billion years to 100 years"? After billion years or 100 years when changed user is compromised you will realize that it was better to have fake admin user?

optio

I also want to figure out how to update the UUIDs in the .plist per build too. I'll hopefully get it this week.

You can try to automate with PlistBuddy (/usr/libexec/PlistBuddy) in script. PlistBuddy is macOS provided CLI tool for editing .plists

optio

How many years can brute force continue undetected with a random 254 characters password???

Depends how lucky attacker is, just mentioned as possible edge case, from 7.18 without possibility of user enumeration it is even lesser probability for brute force.

optio

Nice work.
FWIW, ARM64 CHR can run in QEMU with image provided by MT without modifications if no additional space on it is needed.

optio

With 16Mb flash device you can only watch new release notes and cry :) $ stat --format="%n: %s" * container-7.16.2-arm.npk: 98449 routeros-7.16.2-arm.npk: 11608772 wifi-qcom-ac-7.16.2-arm.npk: 2740369 = 14447590 bytes $ stat --format="%n: %s" * container-7.18-arm.npk: 118929B rou...

optio

https://mikrotik.com/supportsec/cve-2024-54772 Can be a way to trick brute force attack to leave admin user without rights. If is cleverly crafted attack it may not be enough, when admin user is compromised, after performing API request with its credentials which only admin user can perform and API...

optio

Disconnect/block internet/untrusted network to the router when performing netinstall until proper firewall rules are created (if netinstall is done without config) and admin user strong password is set or admin replaced with other user. For LTE routers disconnect means remove SIM or netinstall with ...

optio

I never managed to boot ARM64 ROS image using AVF, only with QEMU in UTM, same UTM QEMU setup

config.plist.zip

works on Intel and Silicon Mac with unmodified CHR image. I would also like to know if anybody succeed to boot ARM64 ROS with AVF on Silicon.

optio

See viewtopic.php?t=214564

optio

I have feeling someone is just creating users on forum to create such topics to pissoff @rextended

optio

On SSH server only client public key must be imported for certificate based authentication, also just password can be used. OpenSSH (not in ROS) server also supports PAM module which supports various authentication mechanisms. If you want it to compare with P2P Wireguard connection between 2 hosts, ...

optio

Also it can be used just to change source IP (hide actual client IP) for connection to remote host where remote host is not controlled by client connection initiator. For eg. when creating SSH dynamic forwarding to some WAN remote host, then SSH client side creates local SOCKS proxy to remote host, ...

optio

Just to follow up regarding Docker image save bug https://github.com/docker/cli/issues/5476 , using Podman works and saved image is successfully added as container in ROS. Tested on Linux , probably works same on other OS where Podman can run. Since currently on ROS versions <7.18 only way to add co...

optio

can someone clarify what is the difference between: IP -> SSH -> Forwarding and the normal IP -> Filter -> NAT DNAT-forwarding? Difference it that SSH forwarding creates encrypted connection tunnel between ssh client and server which tunnels connection to remote host, while DNAT it is just packet f...

optio

You can pull and save image to file with Docker : https://docs.docker.com/reference/cli/docker/image/save/ , then upload saved image to ROS and create container from it by using file parameter, not remote-image . But here is a bug in Docker when saving image https://github.com/docker/cli/issues/5476...

optio

Check if you have accept firewall rule on input chain for OVPN port and protocol for WAN in interface (list). Also some other rule above it can block connection... There is also possibility that network where your device is connected is filtering some ports, like some public network, library, etc. S...

optio

it seems to work, I had to do it myself :( Best way to learn new things. Is there another way to create a file and write the contents in a way that is not as stupid as "print", "set" in a file? On which ROS version? There is file add command introduced in some 7.x ver., see doc:...

optio

It will be nice that they explain how did achieve this and state directly that swap is used only for containers. Here is interesting reading for Open Containers regarding containers memory management and comparison between cgroup1 and cgroupv2.

optio

@Liiina Did you try how your current copy script works with large files (eg. 1GB file size)? See here for possible workaround if you gonna go into this endeavour.

optio

It is possible to run CHR with QEMU inside Docker container and in such way provided ROS kernel is used, that is probably doing container posted in #4. Still, I bet performance is be poor on such setup.

optio

Now is confirmed

optio

Swap is not for the host system. Please read the manual about it before complaining: https://help.mikrotik.com/docs/spaces/ROS/pages/91193346/Disks#Disks-Swapspace This is not how is mentioned in documentation: ... This is useful when using containers on RouterOS to be able to run containers that r...

optio

This not related specifically to 7.17.x version, is seems it doesn't work on all versions <7.18 due to DockerHub API changes.

optio

Then indicator is working fine, you have L3HW offload as @mkx mentioned which doesn't consume CPU.

optio

Execute this in terminal and check your CPU load then:

:execute {:for a from=1 to=5000 do={:rndstr length=9999}}

optio

I can't tell exact from memory, but it think when you send certificate (or provisioning profile) over AirDrop and accept it, in Settings app on top new section will appear to install it, just follow instructions from there.

optio

Other option is to build GLIBC 2.29 and use: patchelf --set-interpreter /<glibc_229_lib_path>/ld-linux.so.2 (or whatever is named when custom builded) --set-rpath /<glibc_229_lib_path>/ <winbox_binary> But as @mkx mentioned there can be other older linked libraries which will not be compatible. In s...

optio

Try with:

patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 <winbox_binary>

optio

Try with patchelf, could work or not, depends if used functions exists in both versions.

optio

It seems something is charged on Docker Hub API side, it no longer works also on ROS 7.16 which I'm using and probably on all lower versions than 7.18. Maybe because of Docker Hub API issues MT decided for 7.18 to switch default repository url to https://lscr.io which is not working on lower version...

optio

I found out that the file is send to RAM instead. How can I change the destination to Flash? Set dst-path="flash/newfile.rsc" to save file on flash. Also as @rextended mentioned, mode=https can be removed, it is deprecated by scheme in url, url="https://..." to avoid potential i...

optio

Depends which operations are performed by these actions, some optimizes such actions and do not perform changes if nothing is changed on UI.

optio

@mheber I'm connecting to ROS OpenVPN with self signed certificate from iPhone by using official app from Appstore. Needed to add CA certificate exported from ROS into iOS as @MickeyT mentioned, full trust on iOS system level is not needed in my case (maybe OpenVPN app asked me about certificate tru...

optio

For fetching latest tagged remote image is not mandatory to specify tag, it will be added by default, you can see when container is created that it has :latest tag even it is not specified. At least it is behaving like that up to 7.16, not tried on newer versions.

optio

It seems new ROS version issue if for same containers fetch command is not failing, maybe it is building docker hub API url wrong. Container debug logs did not help? Maybe there is a debug log from which url is trying to fetch when building container.

optio

Dusty place it is, there a ways to handle that also

Ok, let's be on topic... <nothing from me to add more on that>

optio

That's strange, unless your devices are placed in area where earthquakes are common, affected with other ambient vibrations or in rooms with high moisture, but then I will be generally worried about devices health, not just connections.

optio

Some reading about SSD's lifespan: https://www.ionos.com/digitalguide/server/security/ssd-life-span/ . Regarding unreliable connections, that could happen if you often connect/disconnect drive from device, but I guess that should not be the case for non portable device like router, unless it is some...

optio

Check with this, try to execute from Terminal: :put ([/tool/fetch url="https://registry.hub.docker.com/v2/namespaces/{namespace}/repositories/{repository}/tags/{tag}" output=user as-value]->"status") You should get: finished Where url placeholders can be get from remote image for...

optio

You can add log topics debug,container and see if something more is logged related to this error.

optio

I'm aware of your request and somehow sceptic that it will be implemented, that's why I'm tring to figure out reasouns why you cannot use persistant storage and find workarounds. 20-30 GB/day is not much for external SSD/NVMe drive, for USB thumb drive can be. Yes, connection can be issue if this is...

optio

Which registry url is set in containers config?

optio

Why is such issue to write files on persistent storage? How many writes per sec you have for such files? For eg. I have USB thumb drive for container sotrage, Pi-hole in container is doing log writes, adlist db refresh every day, etc. It's running for years w/o issues, when it fails I will buy anoth...

optio

It's 100% loss of UDP packets, that's why UDP results are empty. Either server does not expose UDP ports for test or are filtered somewhere on route, eg. on ISP side. Not sure that this can be also caused due to MTU issues.

optio

Yes, forgot to mention to do that before downgrading, and it is better to do downgrade after if router needs to be functional, because who knows when ticket will be reviewed and resolved if is ROS bug.

optio

Revert to some previous ROS stable version, 7.17 or better 7.16 using netinstall and set config from exported config (not backup) and see if same issue is appearing again. If not, then you know it is related to current ROS version.

optio

For ROS Bandwidth Test you can use Tom Jones (from North Idaho :)) public test server, see: https://forum.mikrotik.com/viewtopic.php?t=104266 Or you can setup your own on remote site with public access to Bandwidth Test ports, for eg. on CHR running somewhere on VM. Also MT Bandwidth test Windows ap...

optio

Currently to avoid any manual job you can when creating/modifying/deleting file on persistent storage, copy it to or delete from tmpfs from same script, it is redundant operation but it will work, it will have more write operations on persistent storage FS than only doing it only on shutdown, but is...

optio

Still with this approach you will have issue when ROS is not soft rebooted/shutdown due to power loss for example. If you have data which needs to be available on boot in any reboot/shutdown case then it must be on persistent storage, use external or network drive if you are concerned about internal...

optio

@Stopwatch9 also check LTE connection latency grade on https://www.waveform.com/tools/bufferbloat . My experience related to LTE latency since I'm also connecting to internet over LTE 4G but with much worse signal (1.3km from cell in urban area with many devices around) where having max. 120Mb/s in ...

optio

Personally, I'd prefer WebDAV to newer custom protocols to mounting files, since WebDAV is an RFC Yes, WebDAV would be much better for usage compatibility if is implemented, but as I see from your HTTP requests analysis in later post, MT cloud file share functionality is lacking basic things - crea...

optio

Next step - creating MT cloud mountable FS with FUSE, something like https://github.com/fangfufu/httpdirfs

optio

On Nginx there is a possibility to handle that by using rewrite or sub_filter rules. Probably other proxies have similar. But I agree, web resources should be loaded by relative path to avoid unnecessary complexity for such setups.

optio

Thanx!

optio

Can you write some steps how did you do it? Did you use 8-PIN SOP or 8 PIN WSON?

optio

I would never buy a new 16MB device. Others can do what they like...

Neither will I anymore, but new customers not experienced with MT devices and ROS (as I was when purchased my device) will not know about this trap.

optio

Chateau 5G R16 was introduced last year, also 16MB disk device. Now you can just throw it away? A $485.00+ device still available on sale

optio

Actually it does perform some clean up, when I tried to upgrade from 7.16->7.17 it failed but some space was released and on 2nd attempt was successful without any manual cleanup or config change. Some small space was released just enough for new ver. to fit, but free space was too small and I rever...

optio

I will not mind if new software id will be generated permanently (per replaced drive), but it is a issue if is generated after each reboot like @kuzma2000 mentioned. I have no problem with buying additional licence if it will stick. By this post https://forum.mikrotik.com/viewtopic.php?t=174182#p108...

optio

Great work. Personally I would prefer terminal UI to be something like Midnight Commander where navigating through ROS sections can as navigating through directories in MC and in it rules listed like files list with configurable colums to show per row (like in Winbox). Entering the rule some dialog ...

optio

Maybe just drive that have OTP area, even empty, will do

optio

Could be that Software-ID changes then because of blank OTP area because it is generated by data in it. If this is the case, then it is an issue unless MT choose to offer flash drives for purchase as spare part or someone reverse engineer data in OTP for programming it on new drives.

optio

I was thinking to do same for my device Chateau LTE12 to be upgradeable for future releases. But I will stick with same MTD vendor (Winbond) same drive series W25Q128*, like 128Mb W25Q128FV just to dismiss potential compatibility issues. If Software-ID changes on each reboot after drive replacement ...

optio

optio

Yes, there is no copy/move file commands for CLI, only move over GUI can be done. For now only solution (without fetch command copy hack) is that backup script creates files directly on mounted disk path without need for copy/move. To copy file locally over SSH using fetch command: /tool/fetch url=s...

optio

@kauedg Just by having same superbock in both images it doesn't mean that other data in image isn't corrupt. By log it is corrupted inode table. Analisis by trace log and source: 8 bytes for inode table positions are read and stored in id_index_table from position 0x57a1e4, call stack: https://githu...

optio

I always perform netinstall without config and restoring it from export to be sure that ROS is completely clean with my config.

optio

Yes that's true about swap and disk space reclaim, as I mentioned, disk space varies in small amounts, up and down, could be temp files or swap if used.
It seems you have some different issue.

optio

I know about netinstall disk space reclaim, doing that occasionally, but not sure how much it will help, I'm sure less than 100KB will be free. I did netinstall after reverting to 7.16 version, backup file was reduced about 40KB with same config for same ROS version. How large is you config file whe...

optio

Does ROS maybe uses swap file for VM on flash and it's changing depending on RAM usage? :) My device is with similar specs (Chateau LTE12) but it has more RAM - 256MB. Also I'm seeing dynamic some small disk usage changes, but much smaller. disk_usage.png It is visible that is not straight line, cou...

optio

It grows, but not much in my case running ROS 7.16.2. I have several schedulers that changes configuration, one for eg. performs changes by adapting 25 Queue tree rules several times at day. I didn't monitor how much space is reduced by day, but when creating backups occasionally they are getting a ...

optio

Use function (global or pass it as argument of another function) for reuse in find command instead c/p same code in worker functions, but I agree some additional operator (or in to work for arrays too) to find value in array would be much cleaner. 1337 code is here to trick interpreter to get variab...

optio

Same disk space issue is with similar specs device Chateau LTE12 #152 . Discussions regarding disk space was already made in several topics when ROS 7.13 was introduced with new wifi drivers, disk space usage was reduced with 7.15 when wifi-qcom-ac package size was optimized and it was possible to u...

optio

Maybe this helps: [find dynamic=no vlan-ids=[:if ([:len [:find $"vlan-ids" <VLAN_ID>]]) do={:return $"vlan-ids"}]] or with function for reuse: :local inArray do={:if ([:len [:find $1 $2]]) do={:return $1}} ... [find dynamic=no vlan-ids=[$inArray $"vlan-ids" <VLAN_ID>]]

optio

OK, still you can advise them how to handle it.

optio

MikroTik did not delete that topic, it was one of the volunteer moderators, because it was a duplicate post. It still exists in the other post. Didn't noticed that other duplicate/similar topics are such quickly deleted, mostly there is a post in it like "see -> <url_to_other_similar_topic>&qu...

optio

I saw that topic, maybe there is a way to handle this more transparent and trustworthy, for example eather MT staff respond that reported vulnerabilities are false positive or edit OP post, remove sensitive info, respond that they are investigating it and lock topic. This looks like they are ignorin...

optio

Security topics deserve some docs/blog/help/KB/etc, not just two-way trolling messages in the forum. Look at cloudflare /others, their security blogs are full of real discussion of problem/solution/effected things/workaround. I'm not that expecting much, but for example device-mode should have been...

optio

I have 32KB script and it is not possible to add/edit it over Winbox, crashes it on save, but over WebFig works.

optio

Yes, but is not necessary to implement it when you have language which already supports functions.

optio

IMO still same coding principles should apply. There is nothing fancy when creating functions in code.

optio

From my experience regarding DNS privacy DoH/DoT is somewhat faster and much safer than recursive DNS on internet connection with higher latency like LTE. I have setup where Unbound is used as upstream DNS for Pihole and ROS DNS, both running in its ROS container. First Unbound was configured to be ...

optio

You made me to ask and see what is its actual answer for it :D : The `goto` command, once a staple of early programming languages, has fallen out of favor in most modern languages for several key reasons: 1. **Readability and Maintainability**: Code that relies heavily on `goto` can become tangled a...

optio

If you ever wrote serous code for some application you will know that code will contain several hundreds or thousands of functions. If you have some code complexity it should be splitted into functions for code reusability and readability, mostly always unless is some short POC code or simple script...

optio

Ok, I misread not having Google apps on their phones, which includes Google Play store :) Probably you mean Google Drive cloud storage for sharing files. As I see Mikrotik Android app have option to save file from Files section locally in some folder, but only as manual action. But I'm not sure what...

optio

You can use "Aurora Store" (available on F-Droid) to download app apks from Google Play.

optio

@abbio90 1st - issue is that as-value is missing for wireless scan command used in :foreach and you don't need to use find command, just put interface name as argument: :foreach result in=([/interface wireless scan wlan1 background=yes duration=8 as-value]) do={ ... 2nd - what you are trying to achi...

optio

Docker registry API v2 uses Oauth2 Token Authentication with Bearer access token not Basic , that could be the reason why ROS is not sending authorization header with Basic auth data. You can remove authorization in own registry service if you don't have Oauth2 implementation and restrict access to ...

optio

You have public IP but ISP is filtering incoming connections to your router? Or by "hole punching" you mean which ROS NAT rule is needed for port forward to LAN client? - for this there are plenty examples on this forum, also there is help page from MT -> https://help.mikrotik.com/docs/spa...

optio

Some older topic https://forum.archive.openwrt.org/viewtopic.php?id=70636 , but here is stated 16-byte OOB but for different MTD model of same brand with same size. Also as I see here https://openwrt.org/docs/techref/flash OpenWrt has nanddump which prints mtd info, like "Block size 131072, pag...

optio

Could be that MT uses non-standard Squashfs for devices or it was not correctly dumped or fs is corrupted on flash. I know for sure that from CHR image Squashfs can be extracted with binwalk, done it many times.

optio

Regarding licence there is no point activating it locally, only when is deployed on cloud after regenerating system id. Regarding ROS startup config, why don't you try on some VM and check this? It can be easily tested. We will all know then, I think it will work, you don't, best way is to test and ...

optio

Try with extract binwalk command line option:

binwalk --run-as=root -e OpenWrt.mtd5.bin

This should extract any supported extractable data found in image including Squashfs.

optio

Not sure that licence system ID will block booting on different HW, did you try it? There is possibility in ROS to generate new licence id: > /system/license/generate-new-id guessing this is exactly for this case when image is migrated so that new ID can be manually generated upon first boot on diff...

optio

If anything, the web interface should mimic the desktop one, not the other way around.

True, but creating and implementing such graphics elements for Web to mimic desktop creates greater costs and at the end it is all about money (unfortunately)...

optio

Regarding the stuff like "shadows, bevels, etc." in most cases it's all done on OS-level or on a library level. For an average developer it doesn't matter, he just places a button from a library on a form and chooses its style, color and other properties. Yes, this stands from perspective...

optio

IMO design changes to flat interface elements is related to reducing design costs and implementation in general for modern IT industry interfaces, designers can faster produce graphic elements without additional layers like shadows, bevels or 3d effects and development implementation is usually less...

optio

See https://wiki.mikrotik.com/Manual:Config ... Management, section Automatic Import. Script file must be named <something>.auto.rsc and it will be executed after upload.

optio

From my experience and Linux knowledge nothing is automatically personalized to HW upon first or any boot. Also I doubt that ROS configuration is personalized to HW if nothing is configured on it related to HW devices, but this needs to be confirmed.

optio

@optis I am sure trying to migrate that configuration to another ARM Mikrotik would fail unless you make sure the devices are named the same, however on a similar VM with similar devices it would work Local VM is booted from CHR raw image downloaded from MT site without modifications, kernel driver...

optio

Generally by restricting physical access to device, using cabinets with locks, security guards on premises...

optio

See https://blog.redcrowlab.com/dumping-firmware/, https://ivanorsolic.github.io/post/hardwarehacking1/

optio

This was quite easy to setup and run locally: chr-arm-qemu.png Even without using scripts from github.com/ayufan-research/mikrotik-qemu-arm64, running arm64 raw disk image with QEMU over UTM (Mac). After first login when password is changed, shut down ROS and modified image by VM can be used for clo...

optio

Depends on cloud provider and which disk image formats it supports.

optio

github.com/ayufan-research/mikrotik-qemu-arm64

optio

Well, crap... 19:24:07 system,error upgrade failed, free 57 kB of disk space > /system/package/print Columns: NAME, VERSION, BUILD-TIME, SIZE # NAME VERSION BUILD-TIME SIZE 0 container 7.16.2 2024-11-26 12:09:40 96.1KiB 1 wifi-qcom-ac 7.16.2 2024-11-26 12:09:40 2676.1KiB 2 routeros 7.16.2 2024-11-26...

optio

viks.gif

optio

I figured out why, ROS v6 will only read files up to 4kb in size, any larger than that they just return blank

If such is the case you will still have issue printing it after is generated from export command. Use :parse command as @Amm0 suggested.

optio

Put file=ConfigOutput.txt argument for export command in C variable instead for :execute . Idk why output to file for :execute on v6 is not working (not having v6 for checking it), but since you need only config export then it is more appropriate to use file argument for export command than for :exe...

optio

viewtopic.php?t=211182

optio

You can mount some external drive over NFS with ROSE storage package and use it for container root dirs and mounts.

optio

You can temporally set container config cmd="tail -f /dev/null", this should start container without starting Zabbix and then from running container shell you can examine what's the issue with fs permissions.

optio

If requests are from IPv6 create input chain rule in IPv6 firewall filter to drop packets for port 53. If comes from v4, not sure you can filter it without additional DNS in the middle, for eg. in container, and such feature has sense, dnsmasq also has such feature.

optio

https://azure.microsoft.com/en-us/support/create-ticket

optio

Which DNS server is used for resolving? If is ROS router IP and it has ISP DNS IP set as upstream then probably ISP DNS is refusing connections outside its network. TV can be using some public one, like 8.8.8.8 on which can connect and resolve hosts for IPTV. Try with NordVPN DNS servers or some pub...

optio

I'm using similar script without issues to refresh IP on No-IP, but in my script URL has https scheme, also mode=http param is not needed for fetch in this case. Try over Terminal if works: /tool fetch url="https://dynupdate.no-ip.com/nic/update?myip=<PUBLIC_IP_ADDRRESS>&hostname=<NOIP_HOST...

optio

Why is CHR necessary just for Wireguard peer? It can be setup on Linux running on cloud server and save some money for CHR licence. Once setup on Linux is created, image can be made of it for reuse. Initially some time will be spent to create setup, but later it should be more faster and charge more...

optio

From this note in tutorial https://openvpn.net/as-docs/tutorials/t ... allow_body - OpenVPN 2.3 and older.

optio

This is on my device with wifi-qcom-ac and container packages + large configuration with many scripts: free-hdd-space: 360.0KiB total-hdd-space: 16.0MiB free space is stable, but I'm using additional thumb drive attached to USB for other files, nothing is saved on flash from my side. Regarding ROS v...

optio

Ah v6... https://wiki.mikrotik.com/Manual:Interface/OVPN#Server_configuration , they are all CBC ciphers... Then yes, only OpenVPN client downgrade can help if ROS upgrade to v7 is not an option. I have device with similar specs, Chateau LTE12, and ROS v7 works fine, but depends which packages are n...

optio

First line from your log: 2024-12-19 15:54:03 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. You are using unsupported cipher AES-256-CBC for your client OpenVPN version (2....

optio

Also there are different approaches for setup Xray, like using some tun2socks solution and adding routes for such interface inside container ( https://forum.mikrotik.com/viewtopic.php?p=1105243 ); or like example from this topic with tunneled WG using unmodified Xray container which is easier to mai...

optio

Don't have mentioned issue after upgrading Xray container for server side on ROS to version 24.12.15 # xray --version Xray 24.12.15 (Xray, Penetrates Everything.) Custom (go1.23.4 linux/arm) A unified platform for anti-censorship. still my client version on Mac is older, 1.8.24, MacPorts package is ...

optio

Thank you. Would be helpful to put that information in the manual as I didn't find it anywhere. Apologies in advance if it already exists there.

Already exists here: https://help.mikrotik.com/docs/spaces/R ... gIPAddress

optio

Yes but ROS has binary at path /nova/bin/net, probably script is executed by its process, for which service is unknown... Can be also some exploit, like script being injected into some config value.

optio

Yes, it's a mess with this returns in blocks... Eather it should be always without :return command in blocks and :onerror should return true or false value respectively: :local res [:onerror e in={<do someting without retrun>} do={<do someting without retrun>}] :put $res false or true or (preferred)...

optio

Any exploit in attached docx file?

optio

Yes, that's was my thought. No need to have mandatory return value when is not needed while handling error or when processing in={}.

optio

I agree for consistent behavior for block returns. Also if block has no :return command, then :onerror is should return :nothing so that :return command is optional in blocks.

optio

Actually :onerror returns value from do={} block if executed when error occurs or false if no error. This is not correctly stated for :onerror command in doc : ... :onerror can return false (if there is no error) and true (if there is an error) values, so it can be used in :if condition statement sc...

optio

People wants to penetrate DPI firewalls in few clicks while using containers it is already possible, but requires more clicks and keyboard presses...

optio

Or just create recursion like here...

optio

Trial version? Or you mean beta/rc version?

optio

Could be, but also can be just simple admin password easy to guess and breach was done from LAN.

optio

If you are using admin user device is probably hacked. Netinstall device and restore config from export (not backup!).

optio

Above discussion: https://www.youtube.com/watch?v=9Gt3QY2Aa2I

optio

I didn't yet updated to latest version so I'm not familiar with issue, see in release notes where XHTTP is mentioned and link to its github issue, there is a config example as I see in issue maybe it helps.

optio

As long as TLS 1.2 is still considered secure and ROS supports secure ciphers, I couldn't care less. Everything else is compliance BS.

It's is not just about security, TLS 1.3 have more optimal handshake, less round trips.

optio

Here is script which I'm using if you want to use it: :local toEmail "<EMAIL_ADDRESS>" :local commandReg "^:cmd .*" :local statusInProgress "in-progress" :local statusSucceeded "succeeded" :local emailSendTimeoutSec 30 :global smsToEmailRunning :local smsInbox...

optio

Try adding --verbose param on mount command to see if any message appears that can be helpful for troubleshooting. Also try with adding -o sys=sec param to mount if error is related to security permissions, on most distributions this is default option.

optio

By example from doc : nfs root directory should be content of usb1 , not root with usb1 dir inside. mkdir /mnt/usb1 mount -t nfs4 192.168.105.1:/ /mnt/usb1 ls -l /mnt/usb1 Edit: or not... (then it should not be possible to have multiple disks mounted over nfs) Did you try with mount -t nfs4 192.168....

optio

:local hello 123 :local hellos [:toarray ""] :set ($hellos->"$([:tostr $hello])") $hello :set ($hellos->"$([:tostr $hello])456") $hello :put ($hellos->"123") :put ($hellos->"123456") :) Similar what @rextended did in #4 just value type and naming ad...

optio

It's clear: the name of the final variable should be :123456

optio

Maybe OP did not hear for key-value arrays (maps/dictionaries) where to some dynamically created key (identifier) some value can be assigned, only logic I can think of for such request...

optio

Look here

optio

I meant currently, but yes, more standards more life is easier.

optio

This shuld not happen if Pi-hole configuration is not touched before and after creating container. I'm using Pi-hole in ROS container, never had such issues and also having some config in custom.list file. Check FS for errors on Linux, maybe there are some FS issues.

optio

https://en.wikipedia.org/wiki/Apple_Icon_Image_format

Windows ICO file also supports multiple resolutions for icons, for Linux single SVG icon file should be enough because it is supported by common desktop environments.
There is no universal icon file type to be used for any OS.

optio

But as soon as I update the default (empty) config, the mounts config is overwritten. What does this means? Reset Pi-hole to default config with its Teleporter feature or directly on fs? If is that, this is expected, mount just holds files (in this case current Pi-hole config files) which will not ...

optio

Could we have an SVG icon for the Winbox? The beta comes with one png icon, and due to my screen resolution it gets kinda ugly. And SVG icon would solve it for Linux users (o/), and (I think) MacOS ones. Unfortunately MacOS doesn't support SVG for app icons, but it supports multiple app icon PNG im...

optio

Maybe it was not obvious, I proposed like that not to decide on ratio between yes/no, ofc. yes will win in most cases, but there is a count of votes which can replace these +1 posts, no will be is in most cases useless, not seeing much -1 vote posts on feature request topics, still MT can see number...

optio

IMO forum should have separate section for feature request topics, topic created by @normis https://forum.mikrotik.com/viewtopic.php?t=45934 growed and it is hard to track what is requested or not, it is mix of feature requests and per request discution, better to have requests segmented into separa...

optio

Hmm seeing replays and quotes for posts that are no longer exist in this topic. Some profiles writing these posts removed/banned or is forum issue?

optio

As any other file in some directory, for tmpfs and other mounts without partitions directory where drive is mounted is named by slot name - if slot=tmp , directory is /tmp :local readFile do={ :if ([/file find name=$1]) do={ :return [/file get $1 contents] } :return [:nothing] } :local writeFile do=...

optio

Try with this script

sms-read.rsc

instead using /tool/sms/inbox for reading. It concatenates splitted long messages to single one and supports UCS-2 encoded messages with conversion to Utf8 encoding and email will have in body correct characters outside Ascii encoding, like cyrillic, diacritics...

optio

How it works with long messages (+1600 chars) using maxMessages=10 limit?

optio

Yes, but It seems more complicated and bloats log, also log has limit so there is a chance that record can be lost for reading. ROS config is easy to create for tmpfs mount, eg. to create on /tmp path: /disk add media-interface=none media-sharing=no slot=tmp tmpfs-max-size=1M type=tmpfs Files stored...

optio

When variables are stored in such way (like layer7) data is persisted after reboot, while for variables defined as :global is not. When data is stored in ROS config it is stored on disk which rises sector writes, this can be issue if is frequently written, depends on case. To behave as :global , alt...

optio

Chenge "listen":"127.0.0.1" to "listen":"0.0.0.0" for "dokodemo-door" protocol as mentioned, you can also for "socks" if you want to use xray sock server from network. 127.0.0.1 is localhost interface address it cannot be accessed outside s...

Search found 1157 matches