Feature request for v7.x

jansat · Sun Feb 09, 2014 9:30 pm

Need a setting in routeros and userman to change the log writing.
I have setup a hotspot and userman but when a user connect to the hotspot userman write every minut a log I want to have the possibility for some logging to change the write time to disk or usb disk.

rickfrey · Sun Feb 16, 2014 7:18 am

Directions for changing the settings for the log can be found here:
http://wiki.mikrotik.com/wiki/Manual:System/Log
Unfortunately, you can move the log to a USB device and that is documented here:
http://wiki.mikrotik.com/wiki/Manual:Store

You can move the log to a remote log server and you can use the not (!) feature (i.e. not the hotspot).

tfn220189 · Wed Mar 12, 2014 12:41 am

Have a chance to read more than 4096B of files using command strings

Wed Mar 12, 2014 1:27 am

Let me just start my broken record...

It would be great for RouterOS 7 to have:
- IPSEC Virtual Tunnel Interfaces (Like Cisco/Juniper/Fortinet/Vyatta/Ubiquiti)
- Xauth + RADIUS support
- Encrypt/IPSEC Policy action
- VRF aware PPP
- VRF aware services (WinBox, SSH, DNS)
- RIPv2 as a PE-CE protocol (RIP instances)
- Make IPv6 loopback/ospf behavior the same as Cisco/Juniper
- Equivalents of the Cisco/JunOS commands:

show ip bgp vpnv4 vrf vrf-blah-wan neighbors 172.16.95.1 advertised-routes       (Routes advertised)
show ip bgp vpnv4 vrf vrf-blah-wan neighbors 172.16.95.1 received-routes (Routes received)
show ip bgp vpnv4 vrf vrf-blah-wan neighbors 172.16.95.1 routes          (Routes inserted)

- MPLS Fast Re-Route capability
- Routing filter action "Add to Address List"

Im sure the great team at Mikrotik are going to give us at least a couple of the above features

phil · Fri Mar 14, 2014 8:25 am

Can extend format of EOIP remote-address be a FQDN, not only IPv4?

Many thanks!!

crtee · Fri Mar 14, 2014 9:40 am

It would be great for RouterOS 7 to have:
- IPSEC Virtual Tunnel Interfaces (Like Cisco/Juniper/Fortinet/Vyatta/Ubiquiti)
[...]
- Encrypt/IPSEC Policy action
- VRF aware PPP
- VRF aware services (WinBox, SSH, DNS)

+1 for all of those and I may add:
- Ability to create PPP interfaces in a specific VRF via RADIUS-Attribute
- full L2TP LAC functionality (for forwarding PPPoE sessions via L2TP)
- OSPFv3 for IPv6 and IPv4 address families
- maybe a longer evaluation period, 1 week or so, 24h just aren't enough sometimes for evaluation of some features.

EMOziko · Sun Mar 16, 2014 7:29 pm

EAP-TTLS\EAP-PEAP
http://forum.mikrotik.com/viewtopic.php?f=1&t=70426
Please add DNSSEC Support:
http://forum.mikrotik.com/viewtopic.php?f=2&t=42558
BGP ASN In Traffic flow:
http://forum.mikrotik.com/viewtopic.php?f=14&t=43853

Mon Mar 17, 2014 3:54 am

- Ability to create PPP interfaces in a specific VRF via RADIUS-Attribute
- full L2TP LAC functionality (for forwarding PPPoE sessions via L2TP)
- OSPFv3 for IPv6 and IPv4 address families
- maybe a longer evaluation period, 1 week or so, 24h just aren't enough sometimes for evaluation of some features.

Haha, great minds. I should have been more specific on the PPP stuff, yes there should be support for specifying which VRF via a RADIUS VSA.

Im all for the longer eval period, but Mikrotik should introduce and enforce support contracts so they can make some money off RouterOS. They could offer 3 months support with each RouterBoard purchased and then require a valid support contract per device to be able to download updates, and to log tickets. Just like Cisco, Juniper, Fortinet do.

This would allow them to hire more developers, more support staff, and generally kick more ass.

enc · Wed Mar 19, 2014 1:24 pm

Interfaces für IPSEC-Tunnels. So that the IN-Interface in the Firewall-rules is not the WAN-Interface and we could better match the ipsec-traffic

dfroe · Thu Mar 20, 2014 12:59 am

BGP option like Juniper "advertise-inactive".
At the moment it is not possible to advertise learned BGP routes to other BGP neighbors if that particular route is not in the active routing table because it is overriden by OSPF with better administrative distance.
Other bgp impementations (Cisco, Fortinet, Quagga) always advertise all learned BGP routes unless they are explicitly filtered out.
This advertise-inactive option is vital for setups where you run OSPF and iBGP within your AS and redistribute BGP into OSPF.

szastan · Thu Mar 20, 2014 1:08 pm

BGP option like Juniper "advertise-inactive".
At the moment it is not possible to advertise learned BGP routes to other BGP neighbors if that particular route is not in the active routing table because it is overriden by OSPF with better administrative distance.
Other bgp impementations (Cisco, Fortinet, Quagga) always advertise all learned BGP routes unless they are explicitly filtered out.
This advertise-inactive option is vital for setups where you run OSPF and iBGP within your AS and redistribute BGP into OSPF.

+1, apart from that, in my opinin MikroTik should complement its BGP implementation, for example on displaing routing paths. Without that, operators wouldn't be happy to put CCR's in core.

maxspeed · Mon Mar 24, 2014 1:45 pm

Hi,

It would be a must for mikrotik products ....

please could you add 6RD (ipv6 rapid deployment) available for many ISP

Thank you

maxspeed

NathanA · Tue Mar 25, 2014 6:37 am

Im all for the longer eval period, but Mikrotik should introduce and enforce support contracts so they can make some money off RouterOS. They could offer 3 months support with each RouterBoard purchased and then require a valid support contract per device to be able to download updates, and to log tickets. Just like Cisco, Juniper, Fortinet do.

I strongly, strongly disagree. Although things are far from perfect in MikroTik land and there are clearly some shortcomings with the current support infrastructure and things they could do to improve it, I would argue that the fact that MikroTik doesn't do business "just like Cisco (*gak!*), Juniper, Fortinet do" is exactly one of the reasons why they already "kick ass". Mandatory support contracts would remove one of MikroTik's core competitive advantages. MikroTik should not aspire to be like Cisco (gag me with a spoon), but rather to disrupt Cisco's own business model and perhaps eventually make them irrelevant.

Here's the thing: enterprise support sucks. And we all know it, so why do we enable businesses to practice this sleazy model by rolling over for them instead of challenging it at the customer level (vote with your wallets, people) and at the business level (as MikroTik, thankfully, seems to be doing)? The reason why it sucks is because it lumps in bug reporting and bug fixing with "how do I use your product?" type questions, even though these two types of support tickets are fundamentally different things. Now, I know why most of these companies do it: it is an additional (and often lucrative) revenue stream, it locks the customer in even more, and 90% of the time, people who think they've found a bug are wrong and are just being idiots and not using the product correctly, so these companies might as well charge everybody for support and assume most tickets are not going to be defect reports to start with. Also, companies like Cisco et al. make 99% of their sales to enterprises that need their product in order to even run their business (ISPs, etc.), so it's worth it to them to pay whatever it takes to ensure that Cisco is responsive to them and their needs.

But as a customer, it makes me livid when companies do this, because it essentially penalizes customers who have been legitimately impacted by an actual software bug. It essentially amounts to extortion. Now of course end-users are responsible for their own idiocy, so, sure: go ahead and charge customers to answer their non-defect-related tickets. That's fair game. But charging me, the customer, to fix your own error? That's low. Bug fixes should be free: I bought and paid for this product that you advertized as being able to do X, Y, and Z, but Y is broken because of something wrong that your engineers did and which got shipped because of a lack of sufficient testing and QA on your part, and you're telling me that I now need to pay an additional sum on top of what I already paid in order to gain access to the update that fixes the problem and which actually makes feature Y usable? Where I come from, that's called "bait and switch", and if I bought your product specifically because it had feature Y in it, then you can bet I'm going to be mad as hell when a company responds this way. It also pisses me off to no end when a company tells me that I need to have a paid support contract in place in order to talk to anyone, even if what I'm doing is trying to help both them and myself by demonstrating to them a defect in their own product. You're going to charge ME for the privilege of telling you about YOUR mistake? I don't think so.

MikroTik doesn't pull this kind of crap, and it's one of the reasons why I continue to find myself an advocate for them and their products even when we hit rough patches (and, believe me: we have had our share of them). In fact, not only is MikroTik good about not doing this very thing, but they take the exact opposite approach: they often reward people who report legitimate issues! Imagine that! The last time I found a bug, I spent a good deal of time (hours) replicating the problem in a lab environment, putting together an absolute minimum config that the bug can be reproduced with along with a detailed description of the symptoms, the underlying problem, and how to reproduce the issue, and sent that to MikroTik support, and after they verified my findings, they rewarded me with a gratis RouterOS license key! Now that's a class act! (Oh, and they didn't try to charge me for the fix they developed for the problem, either.)

This would allow them to hire more developers, more support staff, and generally kick more ass.

I have no problem with MikroTik making money, or wanting to find additional ways to make money. In fact, I very much want them to make money and grow their staff and generally be successful and keep on "kicking ass": after all, given how much we use their product, it's in my interest that they be successful, since when they are successful, we are also successful. However, enforcing mandatory support contracts for any kind of communication with your staff or access to any software updates is absolutely not the right way to increase revenue, nor is it a way to endear yourself to me.

There are a lot of legit not-scummy-and-yet-untapped ways of making additional money that I can think of for MikroTik to pursue. Some of them seem painfully obvious to me, and I have to think that these ideas have also occurred to MikroTik but that they have decided not to pursue them for one reason or another. Here are a couple of off-the-top-of-my-head examples:

1) Start charging people again for major version upgrades (e.g., 6.x -> 7.x). I actually have no problem with this: I should be paying for new features. It's just the minor point-releases within a given series (6.1 -> 6.2) that I have a problem with being charged for, since 99% of these are strictly maintenance/bugfix releases. I think that officially, it is MikroTik's policy that you can only upgrade so far before you need to pay for a new license, but ever since they switched from the time-based licenses (remember those?) to the version-based ones, which happened around the end of the 2.9.x series, they have (to my knowledge) never enforced this licensing policy: every time (and I mean EVERY time) we have upgraded to the next major version on a router where the "upgradeable-to" field of the license says that this should be the last major version series we can use, after the upgrade has finished, that number has ALWAYS gone up. So ever since the 2.8.x days have passed, we have never needed to purchase new licenses on any of our routers to upgrade to the next major version that I can remember. I think it is crazy-generous of MikroTik to do this, and I don't take it for granted, and I'm surprised it has gone on for this long, to be honest.

2) Offer support contracts for premium, PRIORITY support, but don't require them of anybody or make having one mandatory to access software updates you are entitled to/licensed for (minor point-upgrades). If MikroTik offered this, believe it or not, we would be first in line to buy! I have no problem with the concept of paying extra for priority/front-of-the-line support, with guaranteed rapid response and faster ticket turnaround times (or even prioritizing my defect reports and fixes above defect reports filed by people who don't have a priority support contract); I just have a problem with feeling like I'm being coerced into paying somebody to correct their own errors. Several years back, there were a couple of show-stopping RouterOS bugs that we were being severely impacted by and which caused us to lose a lot of goodwill with our own customers on account of the network instability that they caused. We filed ticket after ticket, but responses were slow to come and the problems weren't really being addressed in a timely manner. I understand why today MikroTik can't prioritize our needs above those of other customers when they don't have such a product, but if some customers are willing to pay extra to be helped first, I don't think that's something that MikroTik should ignore. There is a legitimate need for that kind of thing, and companies that can't afford the downtime caused by a software defect absolutely will go to Cisco instead because they will be able to get that kind of support from them (the one advantage to that model).

MikroTik actually used to have a paid support contract option SEVERAL years ago, and it even included support by telephone! But for unknown reasons that they never (to my knowledge) bothered to explain, they got rid of it. It was called the Extended Support Program (ESP), and they killed it around the time they started their certification program...now they just point you at certified MikroTik consultants in your area instead if you need "same-day support", but of course certified consultants don't have greater access to the engineering teams to file bug reports with than I do already as a regular customer. So having certified consultants is not really a sufficient replacement for this program. I'd love it if MikroTik were to bring back the ESP, or something like it.

-- Nathan

kellogs · Tue Mar 25, 2014 2:07 pm

multi core bgp
"show ip bgp route" command and process it faster than the current one

Tue Mar 25, 2014 2:24 pm

Thanks for the great post, Nathan!

As for the ESP program. We don't outsource our support staff, so when people called us, they were calling our Latvian office, not some guys in a 3rd world country. We decided that questions are much quicker answered if we have the config in front of us, and when the customer has summarized his issues. The average phone call took more than an hour. Not many people could be helped with this approach.

nosovk · Tue Apr 15, 2014 2:10 pm

It would be good to upgrade linux kernel, to have betetter support on VMware ESXi, and to start work in HyperV.
Nowdays we often connect offices via vpn+ospf, but there is no WINS server support in ROS to connect samba shares seamless between offices.

Zorro · Wed Apr 16, 2014 3:52 pm

MacSec and SecureID support in RouterOS for future products with compatible interfaces/PHY.
as mainstream "a must" L2 security thing for both copper and wireless interfaces.

timteka · Fri Apr 18, 2014 2:10 pm

Firewall based url filtering - the only thing I lack in Mikrotiks.
Up to 36 cores with plenty of RAM and still the need to have Squid for that. Are you kidding on me?

andersonlich · Tue May 06, 2014 12:50 pm

i hope release v7.x it will be support for:
# RFC 4818, was RFC-ietf-radext-delegated-prefix-05.txt
ATTRIBUTE Delegated-IPv6-Prefix 123 ipv6prefix

fernandolcx · Thu May 08, 2014 1:17 am

Allow grouping/categorization of stuff (NAT rules, static routes, etc) in WinBox for better organization. Searching for specific rules in middle of dozens/hundreds takes a lot of time (with the risk of picking up the wrong one). Rule comments only worsens the situation.

Fil0sOFF · Sun May 11, 2014 11:59 pm

Please add ND Proxy support (RFC 4389) in v7.
It is the essential feature for ipv6 users.

radman3000 · Mon May 12, 2014 2:35 pm

Policy Based Routing for IPv6.

Seriously how is this missing?

AlexS · Tue May 13, 2014 5:25 am

2) Offer support contracts for premium, PRIORITY support, but don't require them of anybody or make having one mandatory to access software updates you are entitled to/licensed for (minor point-upgrades). If MikroTik offered this, believe it or not, we would be first in line to buy! I have no problem with the concept of paying extra for priority/front-of-the-line support, with guaranteed rapid response and faster ticket turnaround times (or even prioritizing my defect reports and fixes above defect reports filed by people who don't have a priority support contract); I just have a problem with feeling like I'm being coerced into paying somebody to correct their own errors. Several years back, there were a couple of show-stopping RouterOS bugs that we were being severely impacted by and which caused us to lose a lot of goodwill with our own customers on account of the network instability that they caused. We filed ticket after ticket, but responses were slow to come and the problems weren't really being addressed in a timely manner. I understand why today MikroTik can't prioritize our needs above those of other customers when they don't have such a product, but if some customers are willing to pay extra to be helped first, I don't think that's something that MikroTik should ignore. There is a legitimate need for that kind of thing, and companies that can't afford the downtime caused by a software defect absolutely will go to Cisco instead because they will be able to get that kind of support from them (the one advantage to that model).

-- Nathan

Yes, yes

It would be good to upgrade linux kernel, to have betetter support on VMware ESXi, and to start work in HyperV.

yes yes yes yes please please please, there is an open source package, just compile against your source tree. and support vmxnet3.

Then I can get my 10G

EnigmAX · Mon May 26, 2014 4:12 pm

Hi,

It would be a must for mikrotik products ....

please could you add 6RD (ipv6 rapid deployment) available for many ISP

Thank you

maxspeed

I've sent an e-mail to support@mikrotik.com asking for more information.
The official reply I got was:

from: MikroTik support [Janis Krumins] <support@mikrotik.com>
date: Fri, May 23, 2014 at 3:34 PM

Hello,

currently RouterOS does not support 6rd. It is not scheduled anytime soon.

Regards,
Janis Krumins

nexgenappliances · Wed May 28, 2014 4:52 am

+1 to the kernel upgrade. We need support for Intel i210 network interfaces!

marrold · Thu May 29, 2014 4:02 am

Mikrotik should introduce and enforce support contracts so they can make some money off RouterOS. They could offer 3 months support with each RouterBoard purchased and then require a valid support contract per device to be able to download updates, and to log tickets. Just like Cisco, Juniper, Fortinet do.

This would allow them to hire more developers, more support staff, and generally kick more ass.

I would genuinely consider this if it was affordable.

presianbg · Wed Jun 04, 2014 4:00 pm

My suggestion for the future release is that :

OpenVPN client whith options for only certificate authentication. Many Linux OpenVPN servers are based only on certificates.

GOOD LUCK AND CHEERS !

infused · Wed Jun 11, 2014 12:27 pm

I disagree that enterprise support sucks.

Support can make or break your business. I'm willing to bet that if you are this way inclined, your business is rather small.

IMO Mikrotik need to offer some type of enterprise support. Otherwise it makes products like their 'carrier grade' products worthless.

Thanks for the great post, Nathan!

As for the ESP program. We don't outsource our support staff, so when people called us, they were calling our Latvian office, not some guys in a 3rd world country. We decided that questions are much quicker answered if we have the config in front of us, and when the customer has summarized his issues. The average phone call took more than an hour. Not many people could be helped with this approach.

That's why you charge for it and hire more people.

VMware and Cisco ring me in a matter of minutes if it's a critical failure. Hours if it's just high priority.

I couldn't run my business without this, why is why Mikrotik is not really used within our core, only at customer sites.

Don't get me wrong. I love the gear, it just needs better support. Generally it takes Mikrotik two weeks to come back to me with a support request. The answer is pretty much always "update to the newest version". Then I never get a response back. That's fine when I'm not paying for support, but there needs to be an option.

Wed Jun 11, 2014 12:35 pm

Such things take time. You want us to grow from a 100 people company to Microsoft in a matter of weeks.

infused · Wed Jun 11, 2014 12:44 pm

Not at all...

It would just be nice to know it's on the cards somewhere down the line. Mikrotik are getting in to Juniper and Cisco territory now with the CCR's. It seems only fitting.

Wed Jun 11, 2014 12:50 pm

Such thinks take time. You want us to grow from a 100 people company to Microsoft in a matter of weeks.

Nobody expects that (well maybe a few people)

Changing the whole company overnight is not possible, but maybe incremental steps towards a better support model will keep people happy.

Wed Jun 11, 2014 1:31 pm

Of course we always keep improving in all areas. It's only a question of "how" we will improve, not "if"

docmarius · Wed Jun 11, 2014 8:15 pm

It's only a question of "how" we will improve, not "if"

Normis, that last statement is fit for a corporate motto.

Wed Jun 11, 2014 9:54 pm

It's only a question of "how" we will improve, not "if"
Normis, that last statement is fit for a corporate motto.

+1

pilman · Fri Jun 13, 2014 6:02 pm

1. RouterOS 64Bit version for x86

2. Powerfull Web Proxy ( HTTPS and Video Caching)

rextended · Fri Jun 13, 2014 8:33 pm

1. RouterOS 64Bit version for x86

2. Powerfull Web Proxy ( HTTPS and Video Caching)

1

not 64bit version for x86, but 64bit for 64bit...
64bit for what do more than x86? Memory limit 2GByte (RouterOS) or 4GByte (x86) is not sufficent for work...?

2 use squid or other, actual model of routerboard are not good for proxy, but for routing...
I made some research about caching on HTTPS, on my country (and I think obviously some others) are illegal because you broken SSL security and the users and the destination server do not know that...

andlommy · Sat Jun 28, 2014 12:14 pm

I know what the answer for this is going to be, but it's just to show that the issue is not getting anywhere even if you pretend it does not exist and people still need it.

OpenVPN version update
OpenVPN support for UDP
OpenVPN support for LZO

In openWRT running in MetaRouter it's way too slow

sinisa · Fri Jul 18, 2014 8:37 pm

I know what the answer for this is going to be, but it's just to show that the issue is not getting anywhere even if you pretend it does not exist and people still need it.

OpenVPN version update
OpenVPN support for UDP
OpenVPN support for LZO

In openWRT running in MetaRouter it's way too slow

+1000 for UDP

Best regards,
Siniša

iluvar · Sat Jul 19, 2014 9:25 am

ojsa · Sat Jul 19, 2014 1:17 pm

I haven't read all suggestions, but a simple way of filtering the log view on routeros would be nice. A way to only see a curtain PREFIX f.ex from the logfile while its running.

in linux something like this.

tail -30f /var/log/syslog | grep -i FW-DROP-LOG-PREFIX1

or even better to see several things

tail -30f /var/log/syslog | egrep -i 'FW-DROP-LOG-PREFIX2|FW-DROP-LOG-PREFIX3'

23q · Sun Jul 20, 2014 11:40 am

RouterOS Login Welcome Message

WinBox background suggestion

kometchtech · Fri Jul 25, 2014 10:12 pm

We were also wrote below, please support IPv6 environment in Japan.
I am not even able to get for a hand to the user without this.

http://forum.mikrotik.com/viewtopic.php ... 88#p438726

We understand that it's a special situation, but please realize whether.

After that, I want you to also update the Kernel as SDN future measures.
And I want you to correspond to OpenvSwitch and OpenFlow1.3. OpenFlow is now very popular in Japan, to be able to use OpenFlow in CCR and cost-effective, because you can appeal strongly to the user.

Best regards.

kometchtech · Fri Jul 25, 2014 10:15 pm

Please add ND Proxy support (RFC 4389) in v7.
It is the essential feature for ipv6 users.

+1

This function is mandatory in IPv6 environment in Japan.

cheeze · Sat Jul 26, 2014 5:10 am

MPLS TE Fast Re-Route
MPLS TE Link Protection
MPLS TE Link-Node Protection
MPLS TE behavior similar to Cisco Class Based Tunnel Selection
MPLS TE Diffserv-Aware tunnels

MPLS Segment Routing extensions to OSPF/ISIS

ISIS

Multicast separation of RPF table calculation into individual routing table and all things involved with that
Multicast BSR fixes
Multicast Anycast-RP
Multicast MSDP

64-bit for x86

Fast-Path indicator on each interface. Which traffic handlers are enabled or not enabled.

Graceful Restart for OSPF/BGP/PIM/ISIS (if ever implemented)

BGP multicast address family

Cisco IP SLA/Juniper RPM functionality

LLDP and LLDP-MED with integration into SNMP

adrianlewis · Thu Oct 16, 2014 6:22 am

- Ability to create PPP interfaces in a specific VRF via RADIUS-Attribute
- full L2TP LAC functionality (for forwarding PPPoE sessions via L2TP)

BIG +1 from me on these two.

CCR Update presentation from MUM US '14 suggests improvements (complete rewrite?) to VRFs which sound like my other main request so hopefully with this effort we'll see VRFs given better support with regards to RADIUS VSAs.

Just need a bit more effort with L2TP to make it work better with Mikrotik customers that buy wholesale PPPoE/PPPoA DSL services from aggregators delivered as L2TP.

elgrandiegote · Sun Nov 16, 2014 8:52 pm

I know what the answer for this is going to be, but it's just to show that the issue is not getting anywhere even if you pretend it does not exist and people still need it.

OpenVPN version update
OpenVPN support for UDP
OpenVPN support for LZO

In openWRT running in MetaRouter it's way too slow

+1000000

Mon Nov 17, 2014 12:47 am

DHCP/RADIUS Improvements

- Use dhcp.dictionary for DHCP-Radius

- On DHCP renew check "running" settings against returned VSA's. If any VSA's have changed then update/add/remove relevant FIB/Queue/AddressList entries. On RouterOS 5/6 entries are added on a Request, then during renews only additional VSA's are actioned, any updated/removed ones are not reflected in the running configuration of the router.

- When running redundant DHCP servers/gateways (Authoritative Delay/Delay Threshold/VRRP), allow the option to have BOTH Authoritive and Non-Authoritive DHCP insert running settings from VSA's, this will allow the primary to fail and have the secondary take over with the same FIB/Queue/AddressList entries. Currently this does not work, if the primary DHCP Server/Gateway fails the Backup will become Master but none of the VSA settings will exist, and due to the above issue will never be created, causing a potential lack of service when running from the Backup router due to lack of FIB entries, or potential other issues due to lack of Queues or Address-List entries.

- Make default behavior of RADIUS VSA's on RouterOS compliant with RFC2865

conecting · Tue Nov 18, 2014 3:17 pm

Zero handoff roaming between capsman units,
Also wolud love to see load balancing also between bands from 2,4ghz to 5ghz as on aruba networks becouse now I have to buy really expensive Aruba acess points to do this.

riaanmaree · Fri Nov 21, 2014 12:06 am

I also vote for more Radius-Attributes/Replies such as:
- local-address
- dns-server
- VRF/routing-table

Glaster · Wed Nov 26, 2014 1:27 am

IKEv2 for IPSec

Starxcn · Thu Nov 27, 2014 10:14 am

It would better if we can make the Webfig skins work better in V7.

Now there are bugs on particularly the Quick Set page.

I was configuring a RB951 for a client and I wanna give him only the right to change his guest network password on the Quick Set page when he logs in from Webfig. So I tick off all other pages. But then on the Quick set page there are ton of stuff to tick off. And they seem to come from different mode settings of the router. And even I tick them off, the page still wouldn't work properly.

Not sure if this is the right place to post about this. My apologies if I'm wrong...

Bonz123 · Wed Dec 03, 2014 9:29 pm

Queues.
will be nice if in simple queue be possible add ip ''from-to'' like 192.168.3.10-192.168.3.64

Thanks.

Zvjer · Thu Dec 04, 2014 6:28 pm

IKEv2 for IPSec

I need this too for easy VPN from Windows Phone 8.1

Fri Dec 05, 2014 8:50 am

It should be possible everywhere where ip address field is used as condition or restriction.

marcof · Tue Dec 09, 2014 12:59 pm

I actually just miss one "feature" in RouterOS 5/6 and it would be awesome to have this in 7: IPv6! .
The current state of IPv6 in RouterOS 6 is maybe partly usable for home users, soho applications, etc. But in no way is it safe or depending on the configuration even possible to use MirkoTik for service provider applications with more than one router.

The reason I put feature in "" is because you cannot name it feature when they officially support ipv6 and 50% of all protocols and services are not or only partly working for ipv6, then those are bugs!

Just to name some missing "features" / bugs in IPv6.

IPv6 bgp recursive next-hop. This is a must for any redundant IPv6 service provider backbone! static routes are no alternative!
ipv6 blackholing - there must be a way to blackhole the prefix I announce to my upstreams. I simply don't want any TTL exceeded and routing loops! unreachable routes are no alternative!
efficient ipv6 routing table lookups on cli (e.g. /ipv6 route print where dst-address=8.8.8.0/24)
testing of ipv6 functions and protocols prior to release! basic stuff like VRRP working in one release and then totally unusable in the next release.... come on...

besides IPv6 it would be really great to have working VRF implementation and be able to use it to separate the management plane from the production / customer traffic. currently there aren't any really VRF aware management services like ntp,netflow,ssh,winbox,etc.

In general, I really suggest that MikroTIk reconsider their strategy about software releases and pricing. I would be happy to pay 50% more for the bigger routers like CCRs and in return have a more stable software, means that they differ between bug fix releases and feature releases and also test and bugfix before a release. I mean I totally understand that new features sometimes show bugs not before production use, but stuff that's there for years and suddenly don't work in a 6.x release, come on, you can do this better!

2dfx · Tue Dec 16, 2014 2:00 pm

Pls Add functionality to NetWach like this:

Down script, if not available within X times.
Up script if available within Z times.
Now X and Z = 1.

mavin · Tue Dec 16, 2014 2:53 pm

- Support for SHA2 Hashs.
CAs starting to only hand out SHA2 certificates and browsers will drop SHA1 soon. I'm kinda wondering why this hasn't already been brought up...

- Openflow 1.3
This might be a bigger problem, but it would really be a big advantage being able to integrate RouterOS in SDN environments. I don't know anything about the code-base but maybe it's possible to add an ovs client and help them with the OF development?

Wed Dec 17, 2014 6:42 pm

You can already use sha256 and sha512 in ipsec phase1. Depending on requirements can be added to other facilities as well.

jocover · Thu Dec 18, 2014 1:23 pm

MAC Address List Support

mavin · Fri Dec 19, 2014 9:54 am

thanks mrz for the info.
I will give that a try. Since I won't have time this year I will give it a look next year.

What I currently need this (SHA2) for is for VPN connections (sstp, pptp, openvpn). Since October my CA only hands out SHA2 certificates.

piyokos · Mon Dec 22, 2014 12:47 am

General - Updated Linux kernel with better support for new SoCs (Celeron J1900 barely works), updated drivers, etc
General - 64-bit x86 builds, it's 2014, going on 2015... no performance benefit to routing, but throw KVM users a bone
KVM - USB passthrough, so guests can act as bridges for USB peripherals that RouterOS does not support
DNS - Flag similar to DNSMASq's bogus-nxdomain, for misbehaving service providers
UPNP - Allow server to report a 'fake' external address to clients, for complex routing setups
SSH - Fail2ban equivalent, too much log spam
OpenVPN - UDP support, with fragment and mssfix, requested so many times the devs must think we're a broken record!

phil · Mon Jan 26, 2015 5:42 am

Please extend routing-mark amount limit more than 250.

wagguRQ · Tue Feb 03, 2015 7:07 pm

I would like that you will add a counter of errors (crc,drop,oversitse,collisions, e.t.c.).

JanezFord · Wed Feb 04, 2015 10:23 am

I would really like to see graphing show comments with interfaces, queues on web.

JF

roli · Thu Mar 12, 2015 12:44 pm

Functionality such as DNETMAP in xtables

volga629 · Mon Mar 16, 2015 6:23 am

Hello Everyone,
Will be nice to see for RouterOS7

1. 802.11k 802.11r Fast Transition Roaming. Really useful in MAN areas.
2. Routed based vpn ipsec0 klips with libreswan. Better control over vpn traffic.

Mon Mar 16, 2015 9:52 am

2. Routed based vpn ipsec0 klips with libreswan. Better control over vpn traffic.

AKA IPSEC VTI (Virtual Tunnel Interface) support.

This one has been MUCH requested over the years. Hopefully we see it in RouterOS 7

amindomao · Thu Mar 26, 2015 10:05 am

"Add ARP For Leases" option in dhcp relay would be cool

eavictor · Sun Mar 29, 2015 9:58 am

ADD admin announcement page in USERMAN

then we don't have to send e-mails to notice users every time we made changes.

Bas15 · Mon Mar 30, 2015 7:23 pm

Would like to see SIIT support, which basically allows to remove IPv4 from internal networks and do DNS64/ NAT64 stateless translation on your edge devices.

https://tools.ietf.org/html/draft-ander ... c-2xlat-00
http://fud.no/talks/20150317-V6_World_C ... entres.pdf
http://jool.mx/

Also in: http://forum.mikrotik.com/viewtopic.php?f=2&t=95377

killersoft · Wed Apr 01, 2015 12:13 pm

+1 for 6rd support .

My isp only supports that at this point and I don't want a tunnel service like HE.
Regards

hngjared · Wed Apr 01, 2015 5:17 pm

It would be nice if there was an option for duration in the "traffic monitor" feature.

Be a great way yo automatically adjust b/w queues.

Also need to start allowing SSH and telnet to be run via scripts or schedulers. Would really make life a little easier on those of us who are administrating thousands of routerboards.

Make it happen MikroTik!

willbur · Wed Apr 01, 2015 6:10 pm

MAC address lookup built in router
Improved Webfig customization (i.e. debranding, etc.)
Tiny web browser built into Mikrotik ROS?
Better Speed Test functionality (i.e. Netgear has speedtest.net functionality built in)
Better script to email functionality for password rotations in hotspot..... (i.e. once again customization, etc.)
The Dude update.....

I might be asking for too much, but that along with many other items are on my wish list.

Wed Apr 01, 2015 6:40 pm

Just to name some missing "features" / bugs in IPv6.

IPv6 bgp recursive next-hop. This is a must for any redundant IPv6 service provider backbone! static routes are no alternative!

ipv6 blackholing - there must be a way to blackhole the prefix I announce to my upstreams. I simply don't want any TTL exceeded and routing loops! unreachable routes are no alternative!

efficient ipv6 routing table lookups on cli (e.g. /ipv6 route print where dst-address=8.8.8.0/24)

testing of ipv6 functions and protocols prior to release! basic stuff like VRRP working in one release and then totally unusable in the next release.... come on...

+1

Years ago, Mikrotik was the first platform available to me and my company for alpha testing any IPv6 deployment strategies. (the Adtran CPE we were using previously didn't support it at all)

These days, though, ROS feels behind-the-curve on the IPv6 side of things.

My question for you Marcof - why is host unreachable an unacceptable alternative to blackhole routes?
Is it because this reduces ICMP "backscatter" from scans and such?

rextended · Sat Apr 04, 2015 2:26 am

Please add TCP traceroute

troffasky · Sun Apr 05, 2015 1:27 am

Control+W in the CLI to delete last word.

'Search engine' in Winbox/Webfig. Eg, you search for '192.168.13', and it will return every route, firewall rule, ARP entry, log entry, *everything* that matches that string.

23q · Thu May 14, 2015 11:31 pm

http://forum.mikrotik.com/viewtopic.php?f=9&t=40650

pochbba · Sat May 23, 2015 9:21 pm

I would strongly suggest that you add a "Test config for x seconds" function that brings config back to where it was before applying it.

It's necessary for production equipment when (we all aggree on this) some times certain configs seem to work in test benches but out in the field they totally don't. So having something like:

Wireless station working at 20-40mhz width:
/interface wireless set wlan1 channel-width=20/40/80mhz-Ceee test-time=1m

Which would reset to previous config if something goes wrong. I mean.. this station could be 50 km away from you.

Would be extremely helpful for us all.

Thanks in advance.

EDIT: After i posted this something came back to my mind.

Another suggestion would be having zoomable and/or exportable traffic/resource graphing system. It's already there.. just needs that option.

Sun May 24, 2015 12:17 am

I would strongly suggest that you add a "Test config for x seconds" function that brings config back to where it was before applying it.

It's necessary for production equipment when (we all aggree on this) some times certain configs seem to work in test benches but out in the field they totally don't. So having something like:

Wireless station working at 20-40mhz width:
/interface wireless set wlan1 channel-width=20/40/80mhz-Ceee test-time=1m

Which would reset to previous config if something goes wrong. I mean.. this station could be 50 km away.

FYI this feature already exists.
Look up Safe Mode. http://wiki.mikrotik.com/index.php?titl ... #Safe_Mode

aigarslv · Mon May 25, 2015 11:26 pm

Please add openconnect package for accessing Cisco SSL VPNs
http://www.infradead.org/openconnect/

So we don't have to run MetaROUTERs

Tue May 26, 2015 12:58 am

Please Mikrotik is a simple one:

Detailed track of configuration changes on logs.

I hope is not that difficult.

That is very usefull to track and audit changes specially when are multiple administrators.

petrisimo · Thu May 28, 2015 4:16 pm

Hi Mikrotik,

to be honest, I would highly recommend to fix all bugs before you move to new features (please show some respect to your customers)

once you finish with bugs:
1) DHCP snooping
2) IP source guard
3) dynamic arp inspection
4) IGMP snooping

... and one more very important thing - to fix VLAN performance (drops by 45% just with 2 vlans on tile 6.28)

cusco · Tue Jun 09, 2015 8:23 pm

Virtual interfaces....
By this I mean the ability to have the following scenario:

ISP equipment --- rj45 ---> ether1 mikrotik

Now I would like to have several dhcp clients with different MAC addresses to be able to obtain more than one IP address

Fri Jun 12, 2015 6:18 pm

Virtual interfaces....
By this I mean the ability to have the following scenario:

ISP equipment --- rj45 ---> ether1 mikrotik

Now I would like to have several dhcp clients with different MAC addresses to be able to obtain more than one IP address

will be great but, mikrotik its not the only brand who has that limitation because dhcp is mostly used to give access to clients its some kind of trend and too specific scenario to address

the.max · Sun Jun 14, 2015 8:09 pm

Also join in asking for support 802.11r.

In the foreseeable future will be in our country, the law on electronic records of payments. Very few restaurants it ready for us and they will have to buy new technology. In larger restaurants is not enough for one AP coverage and rapid movement between AP waitress with a payment terminal failures are undesirable and wait for logging in to another AP is unacceptable.

davidnvega · Sat Jul 25, 2015 11:59 pm

I need Skins for Winbox, just like Webfig. And a Test Button, for apply changes during X seconds.

ibm · Sun Jul 26, 2015 12:22 am

I need Skins for Winbox, just like Webfig. And a Test Button, for apply changes during X seconds.

+1 for the apply changes for X seconds.
More precisely like a Safe mode but with a custom timeout.

Sun Jul 26, 2015 8:02 am

I need Skins for Winbox, just like Webfig. And a Test Button, for apply changes during X seconds.
+1 for the apply changes for X seconds.
More precisely like a Safe mode but with a custom timeout.

Sounds like "commit confirmed X" on JunOS. If you dont do another "commit" within "X" minutes it will automagically roll back the config changes.

ibm · Sun Jul 26, 2015 9:43 am

I need Skins for Winbox, just like Webfig. And a Test Button, for apply changes during X seconds.
+1 for the apply changes for X seconds.
More precisely like a Safe mode but with a custom timeout.

Sounds like "commit confirmed X" on JunOS. If you dont do another "commit" within "X" minutes it will automagically roll back the config changes.

Exactly

vortex · Sun Jul 26, 2015 12:54 pm

- Multicast forwarding between subnets
- Decrease routing slowdown for ports in a bridge, if possible.
- DNS Tool

Mon Jul 27, 2015 1:54 pm

What about "dummy" rule or anything elsa what could be "separator" for firewall rules.
I am testing: http://forum.mikrotik.com/viewtopic.php ... 6b#p492407
and the rules flow will be simpler to read when "subroutines" could be separated with rows which will show comment connected with it.
Here it is simulated with new rules chains' names.

Attacks.PNG

cREoz · Mon Jul 27, 2015 2:50 pm

DNS: forward zones

cusco · Tue Jul 28, 2015 3:20 pm

Virtual interfaces....
By this I mean the ability to have the following scenario:

ISP equipment --- rj45 ---> ether1 mikrotik

Now I would like to have several dhcp clients with different MAC addresses to be able to obtain more than one IP address

will be great but, mikrotik its not the only brand who has that limitation because dhcp is mostly used to give access to clients its some kind of trend and too specific scenario to address

Hi, I don't understand what you mean by "some kind of trend"
Is it really so difficult to address? Today it is already working with VIF, if you have a metarouter.

You can add a VIF interface in a bridge. Basically one would just need to extrapolate that functionality to be able to use VIF interfaces outside metarouter.

tetecko · Tue Jul 28, 2015 11:25 pm

+1 for 6rd support .

My isp only supports that at this point and I don't want a tunnel service like HE.
Regards

http://forum.mikrotik.com/viewtopic.php?t=99030

pmosconi · Sat Aug 01, 2015 4:12 pm

Back in v6 Feature Request forum thread there was a a lot of debate about better config export and import for router cloning.
It seems to me that nothing has really been implemented - at least when working with hotspots, firewall rules and remote logging - but apparently nobody is making this request any more.
Have all others given up? I still need this desperately...
Thans

dmcken · Sun Aug 02, 2015 9:55 pm

efficient ipv6 routing table lookups on cli (e.g. /ipv6 route print where dst-address=8.8.8.0/24)

I would like this expanded for both IPv4 and IPv6, lookups on my BGP routers take minutes to complete.

jspool · Thu Aug 06, 2015 7:00 pm

1. Failed login email alerts SSH,Telnet,Web,Etc like everyone else does.
2. I would like to see a country blocking option in the firewall.
3. The ability to load large DNS lists for blocking purposes. Currently all Mikrotiks cannot take whole categories worth of lists.
4. It would be nice to see the IP that made the request in DNS Cache.

23q · Fri Aug 07, 2015 11:03 am

e-mail headers - Content-type: text/html
http://forum.mikrotik.com/viewtopic.php?t=62481

Fri Aug 07, 2015 11:43 am

MPLS TE Fast Re-Route
MPLS TE Link Protection
MPLS TE Link-Node Protection
MPLS TE behavior similar to Cisco Class Based Tunnel Selection
MPLS TE Diffserv-Aware tunnels

MPLS Segment Routing extensions to OSPF/ISIS

ISIS

Multicast separation of RPF table calculation into individual routing table and all things involved with that
Multicast BSR fixes
Multicast Anycast-RP
Multicast MSDP

64-bit for x86

Fast-Path indicator on each interface. Which traffic handlers are enabled or not enabled.

Graceful Restart for OSPF/BGP/PIM/ISIS (if ever implemented)

BGP multicast address family

Cisco IP SLA/Juniper RPM functionality

LLDP and LLDP-MED with integration into SNMP

It is like you read my mind!

Also add MPLS TE Auto-Tunnel

I also requested to Mikrotik support that they implement RFC7130 https://tools.ietf.org/html/rfc7130 for BFD + Bonding(LAG), this runs a BFD session per bond member, and can detect problems with packet flow via an individual link in a bond. This is very useful when you are running a Leaf/Spine switch architecture between routers and there is a problem with packet flow via one path, the bond + LACP to the Mikrotik will stay up, yet a path beyond the direct LACP link may have a problem and currently this would go unnoticed and cause issues.

RFC7130 aims to prevent such situations.

khaled11 · Sun Aug 09, 2015 2:01 am

USER manager :-refill option client side "like code recharge " on local hotspot page.
- Daily Quota

JanezFord · Fri Aug 21, 2015 1:46 pm

Usermanager EAP authentication support, so we can use Usermanager for WPA2 Enterprise configurations.

JF.

kaleruka · Sun Aug 23, 2015 11:42 am

what about socks 5 support?

magnavox · Wed Aug 26, 2015 7:01 pm

Implementation in ROS of MLPPP Server side (for ISPs installation).

tnx

radman3000 · Fri Sep 25, 2015 3:21 pm

IPv6 PBR

zojka · Mon Oct 05, 2015 8:13 am

Authenticaton by RADIUS for http proxy and socks

mezzovide · Fri Oct 23, 2015 2:08 pm

Mikrotik-ipv6-address-list radius attributes please. This is the only thing blocking us from ipv6 deployment to user, as we used it to separate QoS between users.

andersonlich · Tue Nov 03, 2015 10:46 am

yes yes!
Mikrotik-IPv6-Address-List
IPv6-Framed-Route - RFC6911
IPv6-Delegated-Prefix - RFC4818

Mikrotik-ipv6-address-list radius attributes please. This is the only thing blocking us from ipv6 deployment to user, as we used it to separate QoS between users.

Wed Nov 04, 2015 9:01 pm

yes yes!
Mikrotik-IPv6-Address-List
IPv6-Framed-Route - RFC6911
IPv6-Delegated-Prefix - RFC4818

+1

We need these too

StubArea51 · Wed Nov 04, 2015 9:39 pm

yes yes!
Mikrotik-IPv6-Address-List
IPv6-Framed-Route - RFC6911
IPv6-Delegated-Prefix - RFC4818

Mikrotik-ipv6-address-list radius attributes please. This is the only thing blocking us from ipv6 deployment to user, as we used it to separate QoS between users.

+1 for us too!

samsung172 · Thu Nov 05, 2015 1:49 am

VRF support to features is sooooo missed. The support to choose what routingtable to use for what service. Ability to choose web configuration troug one vrf - and ssh by another. (just as example) . Best would be to support more than one per service.. Also stuff like ospf or bgp - inside a vrf.

Thu Nov 05, 2015 10:26 am

It is already possible to run OSPF and BGP as CE-PE protocols.

mezzovide · Fri Nov 06, 2015 3:14 pm

BGP feature : advertise-inactive routes please. Its important for route collector services to receive all known routes even if its inactive!

PtDragon · Thu Nov 12, 2015 5:29 pm

I would like to see IP list optimization routines.
I'm often facing massive botnet attacks, in normal mode (adding attackers to list to block them for 60 days) I'm facing GIANT CPU load(all 36 cores are at 100% from just 50Mbit of traffic(SynFlood type traffic).
In some minutes I got around 1.4million of IPs to block.
Surely that list can be optimized by setting "n IPs from subnet means to block subnet" so for example if i got "8.8.8.1 8.8.8.5 8.8.8.10 8.8.8.30 8.8.8.80 8.8.8.99 8.8.8.251" as attackers and in rule I set block subnet /24 if 5 or more IPs on that subnet in list it would transform to IP list entry 8.8.8.0/24 (just single entry instead of many).
And also i wish that option to use rules for /24 /16 /8 subnets.
Similar function I have in CSF on my server in datacenter and it helps nicely against botnets.

Skyder · Thu Dec 03, 2015 6:09 pm

Hello!
+1 IGMP snooping.
In Russia, in particular, it is very necessary for IGMP snooping. Popularity equipment soared to at all levels from byudzhenyh Hap summer to expensive models. All of our providers are using IGMP snooping. From me personally - to all its customers happy equipment installed Mikrotik and would advise all familiar.
So far, because of the absence of such functional distribution in Russia is questionable. We are not afraid even places without technical support RouterOS.

I very much hope that you will listen.
While I did not find any answer on the forum: whether to wait for IGMP snooping or leave for other equipment manufacturers. Mixing equipment from different manufacturers to achieve the desired functionality is not always a rational decision.

bronx · Sat Dec 05, 2015 12:35 pm

MPLS TE Fast Re-Route
MPLS TE Link Protection
MPLS TE Link-Node Protection
MPLS TE behavior similar to Cisco Class Based Tunnel Selection
MPLS TE Diffserv-Aware tunnels

MPLS Segment Routing extensions to OSPF/ISIS

ISIS

Multicast separation of RPF table calculation into individual routing table and all things involved with that
Multicast BSR fixes
Multicast Anycast-RP
Multicast MSDP

64-bit for x86

Fast-Path indicator on each interface. Which traffic handlers are enabled or not enabled.

Graceful Restart for OSPF/BGP/PIM/ISIS (if ever implemented)

BGP multicast address family

Cisco IP SLA/Juniper RPM functionality

LLDP and LLDP-MED with integration into SNMP
It is like you read my mind!

Also add MPLS TE Auto-Tunnel

I also requested to Mikrotik support that they implement RFC7130 https://tools.ietf.org/html/rfc7130 for BFD + Bonding(LAG), this runs a BFD session per bond member, and can detect problems with packet flow via an individual link in a bond. This is very useful when you are running a Leaf/Spine switch architecture between routers and there is a problem with packet flow via one path, the bond + LACP to the Mikrotik will stay up, yet a path beyond the direct LACP link may have a problem and currently this would go unnoticed and cause issues.

RFC7130 aims to prevent such situations.

+1

alexjhart · Fri Dec 18, 2015 2:32 am

Few things:

I haven't read all suggestions, but a simple way of filtering the log view on routeros would be nice. A way to only see a curtain PREFIX f.ex from the logfile while its running.

in linux something like this.

tail -30f /var/log/syslog | grep -i FW-DROP-LOG-PREFIX1

or even better to see several things

tail -30f /var/log/syslog | egrep -i 'FW-DROP-LOG-PREFIX2|FW-DROP-LOG-PREFIX3'

While you can achieve this with

/log print follow where message~"^prefix1|^prefix2"

I see the benefit of having grep for the complete output as well. It would be nice to have many Cisco/Juniper pipe commands such as match, begin, exclude, etc.

I would love to see tail. Often times I want to see the last few lines of the log, but not print the entire thing.

Since I brought up Juniper, it would be nice to have a better commit, compare, rollback system. I know you can batch commands and use undo/redo and/or safe mode, but it just isn't quite the same.

More detail in /system history please. "device changed" what specifically? maybe show the command or something.

printing (and ideally searching with ctrl+r) the command history would be handy too. Scrolling up one line at a time is a bit tedious.

real-time syntax painting in editor

save without quit in editor

inline comments in terminal (instead of normal ;;; comment on different line, perhaps by adding a column in standard print view and comment= in detail view so that each item uses oneline). Additionally, I think comment should be the last column or item listed. terse view could be updated to list comment last as well and could also benefit from syntax coloring. the comment value should be quoted in terse view as well.

margusl · Sun Jan 17, 2016 12:38 pm

IKEv2 for IPSec

jspool · Sun Jan 17, 2016 10:39 pm

1. Full cURL support. We need the ability to send data to REST API's with cURL POST and the tool fetch is getting pretty limited for our current times.

2. DHCP-Client needs to have a script that can be executed when it gets an IP address. Would make it way more efficient then running a scheduler constantly looking for a change when the script could actually be executed only when ther eis an actual change.

b0m8er · Mon Jan 18, 2016 10:44 am

+1 for IGMP snooping support.
Much needed for IPTV in Russia!

brunoviviani · Tue Jan 19, 2016 9:53 pm

Team, please, make the Radius attribute Delegated-IPv6-Prefix to work.. we have more than 100 mikrotik boxes, and we need of this funcionally.

Devil · Mon Jan 25, 2016 10:19 am

Ability to exclude some source/destination hosts/subnets from hotspot traffic counter.
And for the love of god, OVPN UDP support.

satish143 · Thu Feb 04, 2016 6:21 pm

When it is going to release?

Please in v7 make max-entries adjustable. so we can limit connection so kernel won't get crash

I have notice in v6.35rc3 kernel crashing when limit reach to max

I want to reduce max-entires but don't know how to

[admin@MikroTik] > /ip firewall connection tracking print

max-entries: 524288
total-entries: 234041

SDFadfasdfadsf · Sun Feb 07, 2016 2:25 am

MVRP to sync VLAN information

mycket · Mon Feb 08, 2016 2:03 pm

yes yes!
Mikrotik-IPv6-Address-List
IPv6-Framed-Route - RFC6911
IPv6-Delegated-Prefix - RFC4818

Mikrotik-ipv6-address-list radius attributes please. This is the only thing blocking us from ipv6 deployment to user, as we used it to separate QoS between users.
+1 for us too!

+1 for me too
and PPPoE IPv6 Accounting
The only two things blocking us from using MK

pants6000 · Wed Feb 24, 2016 7:40 am

A source-address option for bandwidth test would be nice!

Wed Feb 24, 2016 7:43 am

You should read the forum: http://forum.mikrotik.com/viewtopic.php?t=104266

mukkelek · Sun Feb 28, 2016 3:15 pm

user manager for ARM system

vortex · Fri Mar 18, 2016 12:40 am

Single connection routing @ 2 Gbps on 1036 and up.

vortex · Fri Mar 18, 2016 5:56 pm

Single connection routing @ 2 Gbps on 1036 and up.

Make it 5 Gbps.

vortex · Fri Mar 18, 2016 6:00 pm

Automatic dynamic power and cooling management for CCR.

dallas · Fri Mar 18, 2016 7:36 pm

I am requesting for the most basic spectrum analyzer for AC chipset. I will beta test for you. What version can I test on?

vortex · Sat Mar 19, 2016 11:23 pm

Realtek WiFi support.

Arcticfox · Thu Mar 31, 2016 1:16 pm

LLDP support is highly required.

DmitryAVET · Fri Apr 01, 2016 3:31 pm

1. Load balancing mode in QuickSet (simple settings, step by step configuration manager). Actual for all home users (old rb951, and new hAP and hEX series).

2. More userfriendly step-by-step configuration managers, like L2TP Server conf. etc.

3. More powerfull Graphing, like Cacti etc. New graph design, like Google Analitycs

4. Built-in wireless link calculator, that use current device specifications (tx power, modulation, sensitivity).

5. Step-by-step configuration manager for QoS: select WAN-port, enter WAN capacity, enter total users, press 1 button and get configuration. Actual for most small offices.

6. That same as #5, but traffic prioritization for applications (skype etc)

nishadul · Fri Apr 01, 2016 4:38 pm

NEED HTTPS WITH PROXY

satish143 · Mon Apr 04, 2016 5:50 pm

When v7 coming out? is there any beta or testing version available?

basic833 · Wed Apr 06, 2016 12:01 am

OVPN feature need!!!!!
UDP mode
LZO compression
TLS authentication
authentication without username/password

topperh · Fri Apr 08, 2016 11:43 pm

NEED HTTPS WITH PROXY

I second this request

mgiammarco · Sun Apr 10, 2016 9:31 am

I know what the answer for this is going to be, but it's just to show that the issue is not getting anywhere even if you pretend it does not exist and people still need it.

OpenVPN version update
OpenVPN support for UDP
OpenVPN support for LZO

In openWRT running in MetaRouter it's way too slow

I agree. Please finish existing feature before adding new ones.
And in CRS models LACP is missing too.

BeNoZo · Mon Apr 11, 2016 3:38 pm

TR-069

For auto provision , remote real time diagnostics, quick fast mass upgrades, quick fix roll outs and general monitoring .

doneware · Mon Apr 11, 2016 8:24 pm

TR-069

For auto provision , remote real time diagnostics, quick fast mass upgrades, quick fix roll outs and general monitoring .

all of those can be put in place using scripting and ros api right now

BeNoZo · Tue Apr 12, 2016 8:32 am

TR-069

For auto provision , remote real time diagnostics, quick fast mass upgrades, quick fix roll outs and general monitoring .
all of those can be put in place using scripting and ros api right now

But it's still not TR-069 isn't it . Scripting is per device , and time consuming . Consider managing thousands of RouterBoard , Scripting is good if you have a few CPE , but when your talking about mass deployment you need TR-069, no help desk is going to take a support call and put a customer on hold while you script something up .

doneware · Tue Apr 12, 2016 11:12 am

TR-069

For auto provision , remote real time diagnostics, quick fast mass upgrades, quick fix roll outs and general monitoring .
all of those can be put in place using scripting and ros api right now

But it's still not TR-069 isn't it . Scripting is per device , and time consuming . Consider managing thousands of RouterBoard , Scripting is good if you have a few CPE , but when your talking about mass deployment you need TR-069, no help desk is going to take a support call and put a customer on hold while you script something up .

you're right, it's not TR-069. scripting is a lot more powerful stuff.
of course it needs a head start of coding, it's not something out of the box. but auto-provisioning can be
done using different approaches.

no one stops us to actually create a similar environment/ecosystem with ROS scripting, to provide the same
look & feel as TR-069. if you need it right now, let's make one. when you have to deal with 1000s of devices
it (the home-brew approach) will be a lot more efficient than doing everything manually while waiting for MTIK to implement TR-069

BTW, i would not compare the average TR-069 governed CPE feature set to something that ROS offers right now.

BeNoZo · Wed Apr 13, 2016 1:54 am

TR-069

you're right, it's not TR-069. scripting is a lot more powerful stuff.
of course it needs a head start of coding, it's not something out of the box. but auto-provisioning can be
done using different approaches.

no one stops us to actually create a similar environment/ecosystem with ROS scripting, to provide the same
look & feel as TR-069. if you need it right now, let's make one. when you have to deal with 1000s of devices
it (the home-brew approach) will be a lot more efficient than doing everything manually while waiting for MTIK to implement TR-069

BTW, i would not compare the average TR-069 governed CPE feature set to something that ROS offers right now.

That is just re-inventing the wheel. Why develop new ecosystem when one already exists . ISP already have TR-069 asset in the business and interfaced with OSS/BSS systems, re-inventing (home-brew) is not feasible.

At the end of the day , this is a feature request , end user should have the option to choose what best fits the network and business. TR-069 is my feature request for V7.

doneware · Wed Apr 13, 2016 12:05 pm

At the end of the day , this is a feature request , end user should have the option to choose what best fits the network and business. TR-069 is my feature request for V7.

fair enough

sterling · Thu Apr 28, 2016 6:05 pm

Not sure this one has been mentioned, but I really need fastpath in VPLS endpoints for VPLS faster than 1Gbps.

I've had to switch back to basic OSPF routing to obtain the 8-9Gbps speeds i used to have before implementing end to end MPLS/VPLS.

th0massin0 · Mon May 02, 2016 9:56 am

Small thing: for multiple WAN envoronments it should exists some kind of predefined policy or on/off switch, about incomming and outgoing traffic. When something goes in from WAN1 should go out by WAN1, when something goes in frome WAN2 should go out by WAN2 and so on...

Mon May 02, 2016 10:08 am

It's easy. Mangle the connection and route the packets back according to the routing marks.

th0massin0 · Mon May 02, 2016 10:54 am

When combining PPPoE Client WAN and static IP address WAN it's not so easy, look

/ip firewall mangle
add action=mark-connection chain=prerouting comment="WAN1 FWD" in-interface=ppp-WAN1 new-connection-mark=wan1_conn passthrough=no
add action=mark-routing chain=prerouting comment="WAN1 FWD" connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no
add action=mark-connection chain=prerouting comment="WAN2 FWD" in-interface=ppp-WAN2 new-connection-mark=wan2_conn
add action=mark-routing chain=prerouting comment="WAN2 FWD" connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no
add action=mark-connection chain=input comment="WAN1 IN OUT" in-interface=ppp-WAN1 new-connection-mark=wan1_conn
add action=mark-routing chain=output comment="WAN1 IN OUT" connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no
add action=mark-connection chain=input comment="WAN2 IN OUT" in-interface=ppp-WAN2 new-connection-mark=wan2_conn
add action=mark-routing chain=output comment="WAN2 IN OUT" connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no

/ip route
add check-gateway=ping distance=2 gateway=ppp-WAN1 routing-mark=to_wan1
add check-gateway=ping distance=3 gateway=ppp-WAN2 routing-mark=to_wan2
add check-gateway=ping comment=MAIN distance=1 gateway=10.1.0.1
add distance=1 dst-address=10.0.0.11/32 gateway=eth6_WAN1
add distance=1 dst-address=10.0.0.12/32 gateway=eth7_WAN2

... and when I tried to set up routing mark for address 10.1.0.1, the route fails.
Could you help me please?

th0massin0 · Mon May 02, 2016 12:16 pm

Also usable will be some kind of checkbox for hairpin NAT in NAT rule creation.

alphalt · Wed May 04, 2016 12:05 am

Hi,

Maybe very old request, but... Metarouter support on microSD card.

Wed May 04, 2016 11:39 pm

... and when I tried to set up routing mark for address 10.1.0.1, the route fails.
Could you help me please?

Your problem is that the connection-marking rules need to also have the criteria: connection-mark=no-mark
If not, then you can re-mark connections and break the routing policy.

th0massin0 · Fri May 06, 2016 4:37 pm

Login by ssh key in WinBox will be really helpfull too.

radman3000 · Wed May 11, 2016 6:21 am

Requesting IPv6 policy based routing.

isolnet · Wed May 11, 2016 7:54 am

Dear MT Team

I think User manager is most power full tool in future because every isp need radius with accounting, country wise payment gateway, sms api integration, plans flexibility etc.

So Kindly improve in further upcoming updates.

hkaiser · Fri May 13, 2016 6:02 pm

Hello!

802.11ad cards support, and GPS syncing would be great!

maara · Sat Jun 04, 2016 5:38 pm

Ovpn tls-auth and improved ovpn client in general so the connection compatibility is better..

craterman · Sat Jun 18, 2016 3:47 pm

MPLS TE Fast Re-Route
MPLS TE Link Protection
MPLS TE Link-Node Protection
MPLS TE behavior similar to Cisco Class Based Tunnel Selection
MPLS TE Diffserv-Aware tunnels

MPLS Segment Routing extensions to OSPF/ISIS

ISIS

Multicast separation of RPF table calculation into individual routing table and all things involved with that
Multicast BSR fixes
Multicast Anycast-RP
Multicast MSDP

64-bit for x86

Fast-Path indicator on each interface. Which traffic handlers are enabled or not enabled.

Graceful Restart for OSPF/BGP/PIM/ISIS (if ever implemented)

BGP multicast address family

Cisco IP SLA/Juniper RPM functionality

LLDP and LLDP-MED with integration into SNMP

These functions need definitely. And they need not only to us but also to you - mikrotik team, for that would have a more competitive product and a more extensive sales geography. I think when you had MUM tour in Asia have often been asked about the ISIS protocol. Oh Asians very love it

riaanmaree · Sat Jun 18, 2016 7:07 pm

AS & BGP info in Netflow v5 export.

Sent from my SM-G925F using Tapatalk

Sun Jun 19, 2016 1:02 am

I think when you had MUM tour in Asia have often been asked about the ISIS protocol. Oh Asians very love it

ISIS is very common in large provider networks the world over. It will be great to see ISIS support in RouterOS.

But for now I will be happy to just see RouterOS v7 beta get released

borisk · Wed Jul 06, 2016 3:04 pm

The very simple feature we need right now is: ability to delete bgp communitied from prefix by rege. Cisco like:

route-map xxx permit 10
match ....
set comm-list XXXX delete

Wed Jul 06, 2016 10:53 pm

The very simple feature we need right now is: ability to delete bgp communitied from prefix by rege. Cisco like:

route-map xxx permit 10
match ....
set comm-list XXXX delete

+1

Being able to delete communities based on a regex would be perfect !

mmabob · Thu Jul 14, 2016 6:53 am

Multi Core BGP to speed up receiving a full BGP routing table

paoloaga · Thu Jul 14, 2016 6:44 pm

The major missing feature of ROSv7 that I think would benefit everyone is to be available in the download page.

I apologize for the cheap humor, but I couldn't resist...

Fri Jul 15, 2016 7:52 am

Yep. Wondering why none mentioned the torrent client yet... That would be something really widely used. Also tor package would move the ros to new level.

Sob · Fri Jul 15, 2016 6:46 pm

You're making fun of it, but ability to have some unusual software could be nice. Not necessarily from MikroTik, some form of custom packages. Probably with limited environment (chroot, user permissions), to prevent them from messing up the router.
There was MetaROUTER, but it was a little heavy and not very easy to use. And it's no longer an option anyway, since MikroTik continues to successfully fix the "excessive storage problem" for more and more devices.
But few small binaries would still fit. So yeah, why not torrent, tor or whatever...

Fri Jul 15, 2016 10:31 pm

Sure, I do.

You know very well that there are still basic gaps in functionality that should be filled first. After that, there will be some space for similar requests, like torrents, tor, speach synthesizer, different magic wands and whatever else. But this will never happen as the resources are scarce and the competitors are still moving forward providing some parts of functionality on better level. It will be never ending story to keep the tempo with them and trying to provide something really useful and special above that.

We are just mortal beings, what we can do more than to try to have fun?

maltris · Sat Jul 16, 2016 10:17 am

I just had an idea which I would like to share with the community and maybe someone else also likes it.

There is this small, not-well-known but very useful tool called "etckeeper" for Linux, which automatically commits all changes you do on your configuration to the version-control-system of your choice (git, svn...). An implementation of that for MikroTik would be interesting because it will save time required for setting up other ways of automated backups.

Further information can be found here: https://github.com/joeyh/etckeeper

cusco · Wed Jul 20, 2016 5:13 pm

+1 for IGMP snooping support.
Much needed for IPTV in Russia!

Don't we already have IGMP support?
Just over the weekend I managed to configure IPTV box with IGMP proxy, and 2 firewall rules (one to allow IGMP, another to allow UDP to specific subnets used by my provider)

Wed Jul 20, 2016 5:17 pm

+1 for IGMP snooping support.
Much needed for IPTV in Russia!
Don't we already have IGMP support?
Just over the weekend I managed to configure IPTV box with IGMP proxy, and 2 firewall rules (one to allow IGMP, another to allow UDP to specific subnets used by my provider)

Can you post the exact rules? Yes, we do have IGMP proxy and it should be enough in most cases. Some people refuse to try it, so a complete example would be nice, to make it easier.

pe1chl · Thu Jul 21, 2016 9:48 am

There is this small, not-well-known but very useful tool called "etckeeper" for Linux, which automatically commits all changes you do on your configuration to the version-control-system of your choice (git, svn...). An implementation of that for MikroTik would be interesting because it will save time required for setting up other ways of automated backups.

I fail to see why.
MikroTik does not make the contents of /etc visible to users. They use a frontend that processes all user commands and makes changes to the underlying Linux configuration in a manner that is not public.
There is no way they will export the contents of /etc outside the router!
When you want to save your exported configs in a version control system, go ahead and do so. You don't need assistence from MikroTik for that.
Just setup a directory (tree) where you keep your exported configs and check this in to your favority version control system. I do this all the time.
This "etckeeper tool" can be done in a single "git add -A /etc" command, all the fluff you find in there is just to make it easily installable and configurable for different environments.

net365 · Tue Jul 26, 2016 1:46 pm

IPv6 Hotspot would be very nice to offer. Not sure if anyone elase has suggested it yet?

cusco · Tue Aug 02, 2016 8:05 pm

+1 for IGMP snooping support.
Much needed for IPTV in Russia!
Don't we already have IGMP support?
Just over the weekend I managed to configure IPTV box with IGMP proxy, and 2 firewall rules (one to allow IGMP, another to allow UDP to specific subnets used by my provider)
Can you post the exact rules? Yes, we do have IGMP proxy and it should be enough in most cases. Some people refuse to try it, so a complete example would be nice, to make it easier.

Hello Normis. In my case, I also struggled, read on the web that i should allow ALL UDP traffic on the firewall. Then I read about my provider (MEO in Portugal) and other people making similar configurations in other equipment, so I found out the addresses I needed to allow UDP.

here follows:

 > /routing igmp-proxy export compact 
# aug/02/2016 17:58:59 by RouterOS 6.35.4
# software id = ADSD-BZLV
#
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan12 upstream=yes
add interface=bridge-lan

 > /ip firewall filter export compact 
# aug/02/2016 17:59:54 by RouterOS 6.35.4
# software id = ADSD-BZLV
#
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=Attacks comment="Drop connections FROM blacklisted hosts" src-address-list=blacklist
add action=drop chain=Attacks comment="Drop connections TO blacklisted hosts" dst-address-list=blacklist
add chain=input comment="Allow Established and Related" connection-state=established
add chain=forward connection-state=established,related disabled=yes
add action=drop chain=input comment="Drop INVALID" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=output comment="Allow LAN" src-address-list=INTERNAL
add chain=input comment=SUPPORT src-address-list=support
add chain=input comment="Allow VPN's" protocol=gre
add chain=input comment=PPTP dst-port=1723 protocol=tcp
add chain=input comment=L2TP dst-port=1701 protocol=udp
add action=reject chain=input comment="prevent ping" disabled=yes in-interface=vlan12 protocol=icmp reject-with=icmp-admin-prohibited
add chain=input comment="Allow Ping" log=yes log-prefix="PING_ " protocol=icmp

#add action=add-dst-to-address-list address-list=MEO-IGMP address-list-timeout=1w3d chain=input comment="IGMP (iptv)" protocol=igmp
add chain=input comment="IGMP (iptv)" protocol=igmp
add chain=input comment="UDP (iptv)" protocol=udp src-address-list=MEO-IPTV
add chain=forward protocol=udp src-address-list=MEO-IPTV

add action=drop chain=input comment="Drop Everything else" log-prefix=DROP_

 > /ip firewall address-list export
# aug/02/2016 18:04:28 by RouterOS 6.35.4
# software id = ADSD-BZLV
#
/ip firewall address-list
# ... other stuff ...
add address=194.65.46.0/23 list=MEO-IPTV
add address=10.173.0.0/16 list=MEO-IPTV
add address=213.13.16.0/21 list=MEO-IPTV

CyB3RMX · Fri Aug 05, 2016 8:05 am

- TDD on wireless
- improvements on wireless side like beam forming
-

mtuser666 · Thu Aug 18, 2016 4:02 pm

+1

Multi Core BGP to speed up receiving a full BGP routing table

But for first v7 need any Ether RING protocol : ITU-T G.8032 Ethernet Ring Protection Switching (ERPS) there is also EAPS(like extreme networks), EPSR(allied telesis)
Without ring every accident takes too long time and don't tell me RSTP is a good solution, because it is not.

Yekver · Wed Sep 07, 2016 10:47 am

Here is some useful features that would be great to see!

capsman
- speed per client in registration table tab
- show speed in interfaces tab even for that configurations where Local Forwarding option is enabled!

queue
- show notification if queue couldn’t be processed because of fasttrack

graphs
- ability to save graphs
- draw graphs for the following wireless interface settings (this is very helpful to detect long time problems with wifi links):
- tx/rx signal strengh
- tx/rx CCQ
- noise floor
- signal to noise
- make static graphs for retina displays, now they look awful
- total upload/download statistics

web interface
- new svg icons for retina
- create mobile device friendly web interface
- delete/add table columns while designing skin
- more default skins
- quick search through whole amount of options
- reduce the CPU usage (now from 10-15%)
- log filterable by topics
- fix "ERROR: Internal Server Error" shown on login screen. Error comes with not expected logout

capsman
- show "Active Host Name" in "Registration Table" tab (like in DHCP - Lease)

firewall
- save bytes/packets counters after ROS upgrade or reboot

PS: winbox for MacOS pleeease

PastuhMedvedey · Wed Sep 07, 2016 2:41 pm

Multi Core BGP to speed up receiving a full BGP routing table

A very important feature.

kleinem · Tue Sep 20, 2016 4:37 pm

Definitive must:
Locator Id Separation (LISP) support

Nice to have:
Conditional DNS forwarding, so you don't have to fiddle with L7 inspection and NATing...

ivicask · Tue Sep 27, 2016 3:38 pm

Would be possible to implement option to enable IP firewall per bridge?
So BRIDGE A has ip firewall enabled and i can control fully its traffic (for example controlling ADSL traffic between bridget ports 1-2)
And for example BRIDGE B which would just pass traffic between LAN port3 and WIFI interface/s on which i dont need IP firewall which kills CPU.

andreiroos · Sat Oct 01, 2016 8:26 pm

Not sure if this have been mentioned, I would like the ability to change exclusive settings for the LTE wireless cards, eg. Sierra cards. Settings like the LTE band selection and more. Not sure what the card capabilities are, but if all settings are available through winbox it would be fantastic.

ErfanDL · Sat Oct 01, 2016 10:22 pm

Please add GPS webui (remotlly find router location in webfig)

Sent from my C6833 using Tapatalk

crumb · Tue Oct 04, 2016 1:12 pm

Hello! I would really like to see in a future version of the RouterOS possible to install Metarouter to external storage such as a USB-flash. It is very important for hAP AC owners, where the free HDD space is very small.

pe1chl · Tue Oct 04, 2016 3:15 pm

Hello! I would really like to see in a future version of the RouterOS possible to install Metarouter to external storage such as a USB-flash. It is very important for hAP AC owners, where the free HDD space is very small.

I'm sure that will never happen, as it would open the door to breaking into RouterOS...
(you can remove the flash card and look what is on there, modify it, and place it back)

hurymak · Tue Oct 04, 2016 3:42 pm

Please add some type of device / tracking protection.
That when thief will steal it, it will have some code with ability to track, even after hard reset or with remote code activation,
to work in the way as apple icloud lock - unusable without code.

Sivics · Mon Oct 10, 2016 4:45 pm

OpenVPN CRL

pe1chl · Mon Oct 10, 2016 5:01 pm

Please add some type of device / tracking protection.
That when thief will steal it, it will have some code with ability to track, even after hard reset or with remote code activation,
to work in the way as apple icloud lock - unusable without code.

Secure Routerboot is already available - maybe that is what you wanted?

jandafields · Tue Oct 11, 2016 3:53 am

Please add some type of device / tracking protection.
That when thief will steal it, it will have some code with ability to track, even after hard reset or with remote code activation,
to work in the way as apple icloud lock - unusable without code.
Secure Routerboot is already available - maybe that is what you wanted?

No, Secure Routerboot does not protect the hardware at all. It only protects the configuration. You can easily reset the router if it has Secure Routerboot and it erases the configuration and then you can use it like it is brand new.

Directly from the Secure Routerboot Wiki:
"As an emergency recovery option, it is possible to reset everything by pressing the button at power-on for longer than reformat-hold-button time. Even if reformat-hold-button time is forgotten, holding the reset button for more than 300s will allow you to perform reformat."

harvey · Thu Oct 13, 2016 3:47 pm

I would like to voice my agreement with all the requests for enhanced OpenVPN support including:-

UDP support
auth-tls support
Enhance 'auth' algorithms such as SHA512.
Enhance 'cipher' support.
The ability to push configurations to clients.

Thanks for all the hard work.

vonsete · Thu Oct 13, 2016 6:39 pm

ONT password authentication

Sob · Thu Oct 13, 2016 7:15 pm

UDP support

UDP was already confirmed for RouterOS v7, no need to keep requesting it. Buy a nice bottle of champagne with long expiration date and be ready!

The other goodies, that's a different question, I don't remember seeing anything else confirmed by MikroTik, and I'm affraid to ask. One thing is clear, it would be real shame to end up with "please add <some still missing OpenVPN feature>" thread(s) after RouterOS v7 gets out.

pe1chl · Fri Oct 14, 2016 11:38 am

it would be real shame to end up with "please add <some still missing OpenVPN feature>" thread(s) after RouterOS v7 gets out.

Hopefully the change will just be "update the OpenVPN binary to the most recent release".
But, note that OpenVPN has serious (and nonsensical) limitations itself!
For example, the server can only listen on TCP or UDP, not on both at the same time.
So when you want to migrate your existing OpenVPN-over-TCP network to UDP once that becomes available,
you "will be facing interesting times".

Fri Oct 14, 2016 11:49 am

No, Secure Routerboot does not protect the hardware at all. It only protects the configuration.

Currently true, but we will implement a specific second interval for the reset, so that it will be impossible to reset, unless you know that it is triggered between the 85th and 90th second

jandafields · Fri Oct 14, 2016 4:38 pm

No, Secure Routerboot does not protect the hardware at all. It only protects the configuration.
Currently true, but we will implement a specific second interval for the reset, so that it will be impossible to reset, unless you know that it is triggered between the 85th and 90th second

So, you have to know the number within a 5 second range? Up to 300 seconds, divided by 5 = 60. So, worst case scenario is that someone could reset it with 60 tries, and most likely within 30 tries.

pe1chl · Fri Oct 14, 2016 7:44 pm

Of course it would cost several hours to try all those options. When someone is that persistent, just give him the router.

jandafields · Fri Oct 14, 2016 8:50 pm

A few hours does not equal "impossible".

Some people spend a few hours setting up the router anyway.

Fri Oct 14, 2016 10:07 pm

My philosophy has always been: "physical access = root"

Sat Oct 15, 2016 3:41 pm

Who really suffers by devices being regularly stolen? I have not ever heard of it.

jandafields · Sat Oct 15, 2016 4:25 pm

Who really suffers by devices being regularly stolen? I have not ever heard of it.

Maybe not stolen, but reused by a competitor... giving the competitor an advantage because they don't have to provide one.

Anyway, the point is that this "Secure Routerboot" feature should be advertised as a configuration protector only, which is seems to be very good at, instead of also a hardware protector, which is currently very easy to reset and in the future will just take longer.

pe1chl · Sat Oct 15, 2016 5:46 pm

Maybe not stolen, but reused by a competitor... giving the competitor an advantage because they don't have to provide one.

That will probably be not a professional competitor, but merely a bunch of hobbyists.
I cannot think of a professional company making a living providing service using left-over routers of competitors and resetting
and re-configuring them (or having their clients do that).
How do you ever want to support such a network?
When you don't want that to happen, provide your routers only on loan with obligation to return them at end of subscription
so you can exercise that right when there appears to be something going on.

likid · Sun Oct 16, 2016 6:46 am

OpenVPN LZO compression
OpenVPN TLS-Auth