MikroTik

Tal

Cool - thanks

Tal

Just to confirm, according to your post, as well as this link: http://wiki.mikrotik.com/wiki/Manual:CHR#CHR_Licensing If we choose to use the free license on our CHR User Manager, it will be limited to 1Mbit of traffic. We can also either do a trial of the other licenses for 60 days, which would giv...

Tal

If I download the Cloud Hosted Router image from http://www.mikrotik.com/download and install User Manager on it, what will the default license limit me to? Is there a limit on the number of users I can create? A limit on the number of users that can login simultaneously? A time limit after which, e...

Tal

Tested - it appears that the second theory was correct. On the User Manager: User Manager --> Routers --> YOUR NAS --> Radius Incoming --> CoA port This is the UDP port the User Manager will send the CoA packets to (destination port) On the NAS: Radius --> Incoming --> Port This is the UDP port that...

Tal

I don't suppose Radius Accounting Port is the same thing as CoA, is it? On a NAS, under Radius --> New Radius Server, you can set 2 things: 1. Authentication Port 2. Accounting Port Is it possible that the "Radius Incoming" port is setup on the server, and the Accounting Port is setup on t...

Tal

At work, for the past few weeks, we have been looking into using the User Manager for managing hotspots on customer premises. There is a lot we have figured out, but one thing we aren't sure about is the "CoA support" option in the User Manager under "Routers". 1. What does it do...

Tal

Thanks for the links. I read through them - very informative. Sounds like in order for this to happen we can do this on the master AP: Set the Queue count for NV2 to 2 Set QoS to "Frame Priority" Under "Bridge --> Filters" Create a Rule in the "forward" chain that match...

Tal

Hey guys. We have a master AP that has several client APs connected to it over 5.8 GHz nv2. One of our client APs is used exclusively for VoIP. When there is heavy usage of the wireless on all the APs, the VoIP calls start getting choppy. Is there any way to tell the master to prioritize the wireles...

Tal

I'm dealing with a CRS125

I'll check out those links - thanks.

Tal

I mentioned the words "as expected" because not being able to communicate across VLANs was expected. The example was meant to illustrate that everything WAS working when NOT using the VLAN tab. The question was what the VLAN tab was for if everything works without it, not how VLANs work. T...

Tal

I know you can setup VLANs through bridging, but I'm trying to set them up through the switch chip on RouterOS just to figure out how to do it. When I login to my router through Winbox, under the "Switch" menu, there is a menu for: VLAN VLAN Tagging In VLAN Trans Eg VLAN Trans Please corre...

Tal

Here's what I figured out, in case anyone else finds this useful: In its most basic form, if you have an external page, you need 3 pages on the mikrotik: rlogin.html: Redirects to your login page when client tries to access any other page, and is not logged in. <html> <head> <title>Login...

Tal

When the user creates an account, they specify a password for that account. At this stage, the password goes through the bcrypt hashing algorithm, which does a few things: It generates a unique salt It generates a hash of the salt + password It returns a single string, consisting of the salt, and th...

Tal

Client side hashing probably makes sense if you expect to have thousands, or millions of users so you don't need to waste your own processing power hashing passwords, but with as few users as I'm expecting, it probably doesn't matter too much if hashing is done on client or server. In fact, one adva...

Tal

Mikrotik HTTP chap uses MD5 to hash passwords. A relatively affordable setup of GPUs can generate 200 billion MD5 hashes per second : https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40 On my external login page, I can use bcrypt, which is configurable in its slowness of computation, bu...

Tal

How would one transmit and store passwords securely with this setup? Does this make sense? Use HTTPS on MikroTik Use HTTPS on External Login Page When someone creates a user, hash their password and store it in the RADIUS MySQL table as a hashed value When user tries to login on external page, immed...

Tal

I think I just realized my problem: what I made was a login page that talks to a MySQL database, where it stores its usernames and passwords. The idea of an external login page however is that the user enters his username and password into that page, and the page sends that info directly to the mikr...

Tal

According to this: http://wiki.mikrotik.com/wiki/Manual:Customizing_Hotspot the form that gets sent from the external page to the mikrotik looks something like this: <form name="redirect" method="POST" action="http://MIKROTIK_IP/login" target="_self"> <inp...

Tal

Interesting...

I'll be taking a closer look into this.
Thanks for pointing me in the right direction.

Tal

Got it - thanks guys

Tal

So it looks like a device should always have either the routeros-mipsbe package installed (assuming mipsbe is its CPU) or the system package installed. My rsc code now checks for both packages - if either one exists, it checks the version on that to determine the running RouterOS version. Sounds lik...

Tal

So what's the difference between that screenshot, and this one?
Both are 6.27, but one has the routeros-mipsbe package, and the other does not.

Tal

During an update from an older version of RouterOS to a newer one, one of our field techs put all the extra packages onto the MikroTik 493 but did NOT put the RouterOS-mipsbe package, and after a reboot, the top of the winbox window says that the router is at the new version, but /system/packages do...

Tal

Anyone know how this happens?

Tal

I get that if you want to use an external login page for your hotspot, you can simply create a form with hidden fields on the mikrotik, and set those to send info to your external page. This is outlined here: http://wiki.mikrotik.com/wiki/HotSpot_external_login_page Perhaps my question is also answe...

Tal

You're probably right. Thanks for the help.
It's always interesting to see how two seemingly unrelated things (your cool job, and programming) are related more than we would think.
Now I just gotta figure out how to work around this.

Tal

MST (-7).
17:00:00 + 7h = 24:00:00 (or 00:00:00)
Good catch.
Is this somehow expected behavior?

Tal

Further testing appears to show that if the current time is 16:59:59 or earlier in the day, all of today's logs only show the times - not the dates. If the current time is 17:00:00 or later, all of today's logs show the date and the time. Is this somehow expected behavior? Does anyone else see this ...

Tal

I just changed the my MikroTik's date to Jan 26th (one day ahead), and ran the same foreach loop again. I get: > /system clock print time: 23:13:20 date: jan/26/2016 ... > /foreach i in=[/log find] do={ /global TIME; :set TIME [/log get "$i" time]; /put "$i: $TIME"} ... *113: jan...

Tal

Not a great system, as it breaks scripts that do not account for this, as it did for me, but I guess that makes sense.
As long as I know about this feature, I can work around it.
Thanks

Tal

Is there a reason running this: /foreach i in=[/log find] do={ /global TIME; :set TIME [/log get "$i" time]; /put "$i: $TIME"} on RouterOS 6.27, I get: *0: jan/01/2002 01:00:02 *1: jan/01/2002 01:00:05 *2: jan/01/2002 01:00:07 *3: jan/01/2002 01:00:25 ... *7E: dec/31/2001 18:00:5...

Tal

Fixed with a workaround. In case anyone else comes across the same problem: Basically I have 3 scripts on the 493: vpn_enable vpn_disable vpn_watcher vpn_enable sets a flag on the 493 that indicates that the admin wants the vpn configured. vpn_disable sets a flag on the 493 that indicates that the a...

Tal

Adding a policy to send igmp through the tunnel seems to help, but does not fix the problem entirely.

Tal

It seems that if the ipsec connection is already established, changing the ipsec policy from 0.0.0.0/0 to 172.16.16.1/32 works great. If I reset the connection with that in place however, it fails to establish the tunnel. The logs on the remote end say "System did not accept any proposal receiv...

Tal

I have a mikrotik 493 that establishes a site-to-site tunnel with another appliance. The mikrotik 493: Public IP: 10.10.10.10 LAN IP: 192.168.1.1.24 Remote Appliance: Public IP: 11.11.11.11 LAN IP: 172.16.16.1/24 This is what my mikrotik ipsec config looks like: /ip ipsec proposal add name=My_Prop a...

Tal

It's about the number of bytes really, AFAIK. It was 4096 (4k) last I heard, but I haven't tested this ever. You can work around this limit by keeping the script as an ".rsc" file, and from the script, just "/import" it. My large script used to be 49K, and worked great. The addi...

Tal

I'm using RouterOS 6.27, and I'm running into a bit of a problem. I have a .rsc file that creates a very large script using: /system script add name=LARGE_SCRIPT policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive source=" VERY LARGE SCRIPT " The script is close to 1500 lin...

Tal

My company uses 52HPn devices a lot. We normally either configure multiple of these devices to talk to each other around a camp using 5GHz, or set one up as a WAP to have user devices connect to them directly using 2.4GHz. Can one of these devices be configured to do both? Talk to a master 52HPn dev...

Tal

I have 2 WAN links connected to my 493 - one on ether1 and one on ether3 My IPs: WAN IP on ether1: 1.1.1.10 Gateway on ether1: 1.1.1.1 WAN IP on ether3: 3.3.3.10 Gateway on ether3: 3.3.3.1 IP I'll be managing the 493 from (HQ) through winbox: 5.5.5.5 I'm trying to set it up so that: 1. I can connect...

Tal

I know it's been a while since this thread was started, but this is the only thread I've seen when I googled for the 30,000 MikroTik character limit, so in case anyone else comes across this, I thought I'd update it. Basically, I doubt that there is a setting anywhere to disable the limit, but it ap...

Tal

My previous post seems to work :) For LAN, I have a single default route in the main routing table. There's a script I have that uses a separate routing table to check if the 2 WAN links are up. If both are up, it uses the one I set as the primary one. If only one is up, it will delete the current d...

Tal

Actually, it seems like if I mark the connections, and then mark the outgoing packets with a routing mark, they automatically get sent through the routes with that same routing mark. That basically means all I need is: /ip firewall mangle add action=mark-connection chain=prerouting in-interface=WAN1...

Tal

Really all you're going to do is mark the new connections coming in on WAN1 and WAN2 and then you're going to look for that Connection Mark and, based on that, you'll be adding Routing Marks to outgoing packets. Then you'll some routes which use those same Routing Marks to route the packets back ou...

Tal

Thanks, but I already have similar code in my script. This only tells me if the router config is clean though - not if it's running from terminal or using the "run after reset" feature, which is what I need to know. Any other ideas?

Tal

When one of the WAN links is not available however, it seems to work about half the time. That means it is doing exactly what you told it to do. You have effectively setup ECMP routing. Half the time, the reply packets to you are going through WAN1 and the other half, WAN2. Once that decision is ma...

Tal

I have a 493 connected to 2 WAN links. This 493 will be located on a remote site. I need to be able to access the 493 for management purposes (through winbox) through either public IP. I setup a route with 2 gateways like this: /ip route add gateway=1.1.1.1,2.2.2.2 dst-address=9.9.9.9 1.1.1.1 - the ...

Tal

Is there any way to tell if an rsc file is being imported from the terminal using the "import" command, or by using the "Run After Reset" feature of the "Reset Configuration" tool?

The only thing I can come up with right now is using uptime, but that's not very accurate.

Tal

I used $VALUE instead of \$VALUE, but it worked perfectly. Hi Tal, Without "\" it works for most values. But If VALUE contains, for example, a string with spaces or special characters, "$VALUE" won't work while "\$VALUE" will... :wink: BTW, a warning: I may have missed...

Tal

Using ":execute" instead of ":parse", it works :
Code: Select all
:foreach varname in={"VAR1" ; "VAR2" ; "VAR3"  } do={:execute ":global $varname \$VALUE" }

I used $VALUE instead of \$VALUE, but it worked perfectly.

Thanks guys.

Tal

Is there any way to catch a Ctrl+C and clean up before exiting a script?

I tried:

do { :delay 2 } on-error={ :put "Test" }

But that didn't work - when you interrupt the command with Ctrl+C while it's running, there is no output.
Any proper way to do it?

Tal

Is there any way to use dynamic names for variables? Ex: :global VALUE true :foreach varname in "VAR1\n\rVAR2\n\rVAR3" \ do={ :global "$varname" $VALUE } I would think that the above code should work, but it doesn't, because :global doesn't like taking a variable name from a vari...

Tal

Ok, I'll try to simplify the problem. This is a simple configuration with 2 WAN interfaces and 2 LAN interfaces. There is no intervlan routing going on here - one WAN link is for ports 2-5, and one WAN link is for ports 6-9. Both WAN interfaces are on ether 1, which is a trunk. The only thing that h...

Tal

I have a MikroTik device that I setup like this: ether2-ether5: Native VLAN ether6-ether9: VLAN 10 ether1 - Trunk port carrying both VLANs - the Native VLAN is untagged and VLAN 10 is tagged This is how I set it up: #Create vlan10 and attach it to the trunk port (ether1) /interface vlan add name=vla...

Tal

Thanks!

Tal

Awesome! Thanks!

Tal

How do I use a variable that is immediately followed by a string?
If this is my variable:

:global TEST "192.168.0.1"

and I want to use it like this:

:put $TEST/24

to write "192.168.0.1/24" to the screen, it fails.
Is there a right way to do this?

Tal

I have a variable that stores an IP with a subnet: :local IPADDR "192.168.1.1/24" If I want another variable set to just the first part of that (just the IP, without the "/24"), is there a way to do this? Related, but sort of separate question: I noticed that MikroTik supports re...

Search found 57 matches