Feature requests

Jotne · Tue Sep 27, 2022 6:46 pm

I would like to have a possibility to create a crc hash for local file. This way I can make a backup file every day. If the file today is has a different hash than yesterday, I know some has changed and then send the file to external server.

pe1chl · Tue Sep 27, 2022 7:07 pm

It would have to be more intelligent than a simple hash, because the backup includes a stamp of the date/time it was made, so each time the hash would be different.
(unless the hash function would be smart enough to skip that timestamp)

Znevna · Tue Sep 27, 2022 7:22 pm

Weird, they look the same here.

PS D:\Temp> Get-FileHash .\GW-R4-20220927-1916.backup
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          9732B4DD495D13E49B875D3C2862F5AC606DAE6349C1A1AE6A0128542F1D99D0       D:\Temp\GW-R4-20220927-1916.backup

PS D:\Temp> Get-FileHash .\GW-R4-20220927-1917.backup
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          9732B4DD495D13E49B875D3C2862F5AC606DAE6349C1A1AE6A0128542F1D99D0       D:\Temp\GW-R4-20220927-1917.backup

pe1chl · Tue Sep 27, 2022 7:27 pm

Ok you mean a .backup file... I never use that because it is impossible to restore it on a new device when the old one breaks.
I use .rsc files and they do include a timestamp.

Jotne · Tue Sep 27, 2022 11:42 pm

@Znevna You are 100% that some config has changed, not just the file name?

Znevna · Tue Sep 27, 2022 11:46 pm

I was just proving that backup files don't contain a timestamp inside.
But pe1chl was referring to rsc files, and not to the backup files that you were talking about.
Try to keep up.

eworm · Wed Sep 28, 2022 11:05 am

I would like to see the functionality to create checksums as well. But please do not limit this to file, but support it via parameter:

:put [ :sha256 input="foo bar" ];
:put [ :sha256 input=[ /file/get content your-file name ] ];

That way you can also strip the timestamp from export files to check for differences.

pe1chl · Wed Sep 28, 2022 11:25 am

There is a separate topic about suggesting new features for the scripting language: viewtopic.php?p=913066
Maybe this fits better in there...
However, it was started in 2018 by mrz but it does not look like any of the useful suggestions made in there has ever been implemented...
One problem with the scripting language is the fixed 4096 byte limit on string values, even within expressions, which means that a file larger than 4K cannot be processed this way. It would have to be processed in a "open/read records in a loop/close" fashion, but the scripting language does not support that.

akakua · Wed Sep 28, 2022 12:38 pm

Create dynamic vlan entry with added tagged bridge to it in "interface/bridge/vlan/" when i set interface vlan on bridge with vlan filtering enabled, like you alredy doing it with pvid.

MikeTkatchouk · Fri Sep 30, 2022 7:30 am

A very simple element will help make it easier to put things in order in the winbox window. Attached design example.

Screenshot 2022-09-30 122747.png

Keljian · Mon Oct 03, 2022 1:50 am

Would love to see some of the CAKE functions offloaded to the packet filtering engines on various low/medium range devices.

arnaudf92 · Mon Oct 03, 2022 12:28 pm

Dear Mikrotik,

Is it possible to fix the vlan priority tagging issue concerning firewall or bridge rules ?
Pls see this forum topic : viewtopic.php?t=189628

Regards.

colin · Tue Oct 18, 2022 8:26 pm

Add Support for "Virtual Interfaces"
-MACVLAN
-IPVLAN

More info
https://developers.redhat.com/blog/2018 ... networking

+1

pe1chl · Fri Oct 21, 2022 5:14 pm

Please implement PPPoE hardware offloading on devices with chip that supports it.
PPPoE data packet processing should not load a CPU core.

ahmedramze · Wed Dec 21, 2022 11:02 pm

Hi
Can add comment on view list of columns ? its easy to view/edit/sort by comment some time need it specially in ip firewall address list

access.png

rextended · Thu Dec 22, 2022 12:51 am

Hi
Can add comment on view list of columns ? its easy to view/edit/sort by comment some time need it specially in ip firewall address list

It already exists

Don't you read what appears in front of you?

Instead of clicking "Show Columns..." it's just the top row option... "Inline comments"

May the peace be upon you.

ahmedramze · Thu Dec 22, 2022 12:57 am

ah done I think I need to renew my mikrotik certificate very old

acc2.png

p3rad0x · Thu Dec 22, 2022 11:34 am

Not sure if this is supported or I am being an idiot.

Handing out /32 dhcp leases using radius and unnumbered interfaces.

currently using dhcp lease script to add the correct address and network in the address table of the dhcp server

ajgnet · Thu Dec 22, 2022 7:35 pm

Would love the ability to specify a DoH server but also FWD entries to specific DNS servers. Currently, enabling DoH disables all FWD entries.

eworm · Thu Dec 22, 2022 10:39 pm

Would love the ability to specify a DoH server but also FWD entries to specific DNS servers. Currently, enabling DoH disables all FWD entries.

Me too... But all comments here in forum are ignored by Mikrotik.

pe1chl · Thu Dec 22, 2022 10:59 pm

The DNS resolver is a joke... just see how many new bugs there are in every v7 beta/rc release.
The fact that a DoH server should just have been another server in addition to the plain servers (keeping the same functionality for the static entries) is just the most obvious problem.

Amm0 · Fri Dec 23, 2022 12:35 pm

There is a separate topic about suggesting new features for the scripting language: viewtopic.php?p=913066

I just wish there was some clarity when folks should use the "Feature Request" in the new-ish help.mikrotik.com. I'd like to think some the items here and above link are at least being tracked by them – but hard to know.

Just for example, should everyone who needs JSON support, file a feature request in Jira / help.mikrotik.com? That seems a bit silly. At the same time, it be good to know an item is "on the list" with some ACK in forum to some of the reoccuring themes.

spippan · Wed Dec 28, 2022 5:53 pm

Create dynamic vlan entry with added tagged bridge to it in "interface/bridge/vlan/" when i set interface vlan on bridge with vlan filtering enabled, like you alredy doing it with pvid.

+1

oeyre · Mon Jan 02, 2023 10:04 pm

Are there plans to add support for additional LACP hashing algos? encap2+3 and encap3+4 would be greatly appreciated

Rpopas · Wed Jan 04, 2023 12:21 pm

Hi,

Happy new year everyone and great Mikrotik Tip shared today:
https://www.youtube.com/watch?v=BbDnBxlBTdY

Feature Request:
Possibility to disable the anti-replay protection

Description:
This feature request is probably very specific, however don't think it would be hard to implement, at the moment the replay value seems to be always ON and hard-coded to 128B:

/ip ipsec installed-sa> print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0x70426F0 src-address=162.159.65.18:4500 dst-address=192.168.1.100:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="<REDACTED>" enc-key="<REDACTED>"
add-lifetime=24m19s/30m24s replay=128

This anti-replay protection it's actually a problem when trying to use the Mikrotik IPsec with anycast networks like Cloudflare:
https://developers.cloudflare.com/magic ... rotection/

Many devices allow disabling the anti-replay protection but i wasn't able to find a way to do it on Mikrotik, which is why i mentioned above it's hard-coded, if there is one way to do this please let me know.
While i'm not able to make the IPsec work, the alternative will be to set up GRE tunnels, which due to the lack of encryption not everyone is willing to use.

sirpkc · Fri Jan 20, 2023 5:31 pm

Feature request is to move the "Disable" button away from other common actions such as "Comment" or to add a "Confirm" dialogue. Too easy to disable an interface accidentally by being a few pixels off target when you are trying to click on "Apply" or "Comment".

disable-button.jpg

volkirik · Mon Jan 23, 2023 6:16 pm

[feature request]

pppoe-relay

and broadcast-relay

could be extra package possibly bundled with other relay daemons

[feature request]

ipsec alg (helper)

[feature request] dhcpv6 server - address (/128) distribution

[feature request] dhcpv6 client: ability to change DUID manually

would be useful if you have lots of links from same provider.

[feature request]

configurable looking glass package for ROSv7

[feature request]

Please add routing-table support for ping and traceroute

[feature request]

Please add clear-DF and strip-IPV6-options actions for IPv6 firewall (mangle)

[bug report]

4 uplink with 4 VRF

each had add default route feature with distance:10

VRF confuses and one pppoe interface has TX drops and shows RX bytes/bps: 0

thanks for reading hope it can be fixed.

changing default route distances fixes the problem temporarily. i guess VRF conflicts with ECMP. fyi.

[feature request]

please add wireless DTIM and beacon interval setting.

[feature request]

please add TCP_RTO_MIN, TCP_RTO_MAX and the tcp_retries2 settings

[feature request]

Please add target and destination to queue tree rules

Please add 'any' packet mark matcher to queue tree.

[feature request]

Please add;
expired DNS cache size
and
expired DNS cache TTL

and fallback to expired storage when resolver is unable to resolve something.

something like recycle bin

[feature request]

regarding wireless ANI feature; add one another choice line below: REQUIRED or just ENABLED.

thanks for reading and considering, regards

spippan · Wed Jan 25, 2023 2:35 pm

[feature request]

WinBox Keyboard hotkey navigation
to be activated for example pressing [ALT] twice

then the menu items could, for example, be iterated through a-z and on submenus (like MPLS, etc.) the iterations could move over to the submenu
so navigation could be much faster, hence one can navigate with the keyboard anyways for adding entries ( [INS] key) or de/activating items ( [STRG]+[D] / + [E] )

MT-featReq_winbox_keyboardShortcutNav.png

imager · Tue Feb 14, 2023 8:13 pm

Add to Winbox a menu section with commands for automatic arranging multiple windows (cascade, side by side, in a stack) !

imager · Tue Feb 14, 2023 8:18 pm

I suggest in Winbox program implement the ability to display two additional columns in the window of the "IP - Firewall - Connection" section: the first should display the number # of the rule line from the "Filter Rules" section, which allowed packets to pass, and the second column should display that " comment" which is recorded for the corresponding rule with line number # from the "Filter Rules" section. This functionality will make it possible to significantly simplify the process of debugging firewall rules, i.e. it will become similar to modern Next-generation firewalls.

Amm0 · Tue Feb 14, 2023 8:21 pm

WinBox Keyboard hotkey navigation
to be activated for example pressing [ALT] twice

Wow. That's a good one! +1 for #HotLockWinbox

pe1chl · Tue Feb 14, 2023 10:38 pm

This functionality will make it possible to significantly simplify the process of debugging firewall rules, i.e. it will become similar to modern Next-generation firewalls.

You can already do some of that yourself! In the firewall you can apply connection marks and you can see them in the connections window.
Also, in the firewall you can enable "log" (+ optional tag) and see the matching packets in your log window.

benel · Thu Feb 16, 2023 12:05 pm

[feature request]

Hi all,
On my Tik I am using few VLAN's, multi Wireless networks and about 10 DHCP servers due to a need of splitting the connection to different sectors that should not communicate one to the others.
I also need a way of seeing in one place all the connected devices for all the network's , and the best way of seeing this closer to my need is similar to Quick Set - WISP AP - Local Clients (but the Quick set is intended for other purposes, and not for "viewing things, or so).
I would like to see something similar on the main menu, maybe on the Interface menu would be a good place for this; to create a tab about "Connected devices", or maybe a dedicated place on the main menu for this would do the trick.
I would like to see over here:
- All the local clients listed (IPv4 and IPv6)
- The type of the client connection (wifi / ethernet)
- The total number of clients connected via Wifi / Ethernet - if possible listed also by each network (VLAN / VPN / each Wifi network), e.g 2 clients VLAN 22, 3 clients Wireguard, 22 clients VLAN 33, 1 client IPSec
- The MAC of the device
- The IP of the device
- The VLAN, VPN (Wireguard, IPSec or whatever) and the DHCP server used
- The comment of the DHCP Lease for the static IP's (i am using this for naming the clients in case of the client does not have a defined name - some IoT and not only IoT devices does not have a device name on the network provided by the device itself for the identification)
- For the Wifi devices - the signal straight and the 2.4 / 5 GHz, whatever connection it uses
- The up-time
- The current up/download speed, the average rate, the Bytes and the packages, the top up/download speed on the last hour / day / week / month
- The Brigde used for the client
- The Interface used for the client
It would be also nice to be able on this screen to enable/disable the view of the entire DHCP leases that uses a static IP that are not connected at the current moment and to see the last connection time..

Amm0 · Thu Feb 16, 2023 12:43 pm

I would like to see something similar on the main menu, maybe on the Interface menu would be a good place for this; to create a tab about "Connected devices", or maybe a dedicated place on the main menu for this would do the trick.

You do some of this in webfig with the Status page. Any of the controls in webfig, from any page, can be add as an element on a Status page. See https://wiki.mikrotik.com/wiki/Manual:W ... tatus_page

benel · Thu Feb 16, 2023 3:24 pm

When you start the phrase like "You do some of this into other whatever" you troll me.
My request was:
1. for Winbox
2. more complex than what the Webfig offer's on that cripy interface for your own puzzle that puzzled you from the start
If you cannot add value, or, if you do not understand the request, please keep your words for yourself.

pe1chl · Thu Feb 16, 2023 3:43 pm

You did not mention that your request was for Winbox! How can anyone know that?
Of course it is possible to do what you want using an external program and scripting and/or API calls.
Maybe a useful feature request for Winbox would be to have some capability for user-defined menu entry that opens a form (or even a generic terminal window) that can be populated using a script.
I have seen uses for that as well. And it would be more generic than to have them implement exactly what you need in that much detail.

benel · Thu Feb 16, 2023 4:08 pm

Sorry, my bad, i had lost some text and missed that; the request was for Winbox indeed, even if it is not mentioned

.
It would be a huge effort to make the Winbox able to be manage a sort of lego screen composed with whatever you like as columns from the entire RouterOS available screen's, i do not think that this is a bad idea; but the first thing to do is a "Status page" that may be used to see all the connected devices from all the network's in one page. I have just made a list of what i consider, but the software architect and the Mikrotik team will be the ones that will decide if this is manageable, if this is required and what should contain. My feature request and my list is just a start for whatever may be, if it may be anything on this side.
The first step is to have something like this build in into Winbox from the start; API's, script's, lego and puzzle's may be developed afterwards.
Not to have something so basic into Winbox is worse than having something that does not satisfy all the client's. Scrip't and API's are not for the basic users of Tik's (e.g. soho users)but i agree that are a good ideea; but, let's nail them one by one.

In fact, they got all they need to do this, is that screen from the Quick Set that may be improved a little bit and placed as independend window or a tab, is not so difficult i assume.

pe1chl · Thu Feb 16, 2023 4:41 pm

Well, I hope that (but I have never researched that) winbox, webfig and command operate using some form of table that defines how a dialog is presented (layout) and what data it shows.
I.e. that this is not in code, but it is data-driven. The capability should already be there, it just isn't exposed to the user.
Similarly I would like to have the possibility to add an extra field in a form, especially on the Status tab of some items, where it can show the output of a user script.
I have worked with a Windows application that has that capability, and it is very convenient to have that. It also reduces the number of feature requests a supplier has to implement, because users can resolve some of them on their own without bothering the supplier.

benel · Thu Feb 16, 2023 11:57 pm

You do some of this in webfig with the Status page. Any of the controls in webfig, from any page, can be add as an element on a Status page. See https://wiki.mikrotik.com/wiki/Manual:W ... tatus_page

Not any controls, and by the way, the Design is extremely buggy, slow, crashes with Firefox and even with Chrome, log's you out random sometimes. I never manage to add more than few things (basic). You were never able to add the mentioned list and status of the Local client's (the one that i was referring to). To be honest...could that feature be ever used by the users that want a Status of the clients, interfaces, VPN connections, signal and other real time data; or is it only for static fields data meant to be usable ? No, to honest, not even if I try (i have just tried now to do my setup on Webfig), I could not get what I need from that functionality, because you simply cannot.

Amm0 · Fri Feb 17, 2023 1:28 am

I'm not the target. Especially as someone who design configs so they don't break "QuickSet as a status page" & too familiar with limitations of the webfig. All I was saying it's not like they are starting 0% on a "status page" & more trying to be helpful to readers here who may not even know the webfig status page part existed – it is useful, but could be better for sure.

<rant>
But I'll be honest it's the talk of "Multiplatform Client" I fear (in "WinBox for MacOS" from @Normis (in 2021)):

We do have plans for true multi platform Winbox. Finally. Let this be a teaser for 2022 No ETA and no promises though.

I even use a Mac, and I want winbox fixed up rather than some new client... Maybe with 60+% of internet traffic mobile users (and growing), fixup the existing, languishing mobile apps? So this Mac user wants the same incremental progress on winbox as the "Desktop solution".

Anyway, this forum is littered with reasonable and somewhat smallish feature-ettes and/or "bugs" – some more trivial than others no doubt. But progress on some of the small items here (and other threads too), but especially on the tools like Winbox, Dude, etc. is extreme slow or non-existent. Obviously I'd like them working innovative new things. But so many good features...that are missing a few minor things that really make them shine. Instead I get the impression they get lumped into future/mythical "new multiplatform winbox". For what? to solve theoretical concerns about wine...
</rant>

pe1chl · Fri Feb 17, 2023 11:37 am

It is still my opinion that effort spent on a MAC-specific Winbox (and then a Linux-specific one? What about *BSD?) is better spent on making a modern web-based config tool that has the same functionality as Winbox but runs in a browser like Webfig.
It would have been difficult in the days when Webfig was first created, but nowadays other companies show what is possible and it is way more than what Webfig does.
The advantage is that there is no more need for specific client OS support, there would be only some simple "agent" that can perform tasks like MAC-level connect, RoMON, and Netinstall, and that you can run only when you want to do that (and which you manage via your browser to a port at localhost).

benel · Fri Feb 17, 2023 1:29 pm

The advantage is that there is no more need for specific client OS support, there would be only some simple "agent" that can perform tasks like MAC-level connect, RoMON, and Netinstall, and that you can run only when you want to do that (and which you manage via your browser to a port at localhost).

But wait, there will be no more Mikrotik way of being in that case. There will be no more pain all over the place and obscure tools and settings that only the Mikrotik guy knows and then Mikrotik will be more and more like all the others and there will be nothing special about them, they probably will just work without bug's and so and you will forget them at all.
It is so fun to discover the wheel all and all and all. I must agree that they are doing a lot of things in a very particular way (very advanced and a high modularity) and they are so good of creating their own ecosystem that they go sometimes to such complicated things that lead them to discover the AX standard or the WPA 3 after such a long time after low end companies and the entire planet; and lead them to create an ecosystem (v7) that still does not have a long term version after few years of development and another one year and (almost half) of releases (not to count that there was 17 !!! official releases from the v7.1.1 launch until now).
No, "simple" is not a good word to place in connection of your Mikrotik.

pe1chl · Fri Feb 17, 2023 2:42 pm

The advantage is that there is no more need for specific client OS support, there would be only some simple "agent" that can perform tasks like MAC-level connect, RoMON, and Netinstall, and that you can run only when you want to do that (and which you manage via your browser to a port at localhost).
But wait, there will be no more Mikrotik way of being in that case. There will be no more pain all over the place and obscure tools and settings that only the Mikrotik guy knows and then Mikrotik will be more and more like all the others and there will be nothing special about them, they probably will just work without bug's and so and you will forget them at all.

To make my point clear: in that proposal I do NOT intend to indicate that the entire management interface of RouterOS should change towards what a home router is!
What I propose is that Webfig is upgraded to supply what Winbox now does (interface with child windows, selectable columns, dialogs with tabs, etc). But the function of the dialogs in that revamped Webfig would be exactly what it is now in Winbox. So the same "knowledge about obscure config" would be required, only it could be applied from any device with a modern internet browser, with no software to be installed or run except in cases where low-level access is required. (e.g. to rescue a device where one has been locked out, or that has been bricked)

Amm0 · Fri Feb 17, 2023 3:05 pm

I guess I'm saying fix up the existing tooling for advanced users. A few small things would go a long way... AND, give some breathing room for MT to create some great new tools, even if that meant whatever "multiplatform client" came in years (like V7 ended up taking)...

For home users, fix up the mobile apps. They already do setup (for a single WAN), status, and port forwarding, so starting in a reasonable place. But things like adding device notifications, would avoid needing scripts for what is obvious need. Or use the mobile OS to store passwords, etc. Or having some "multi WAN" or "VLAN" wizard that do the [cleaver+ridiculous] recursive routes for the user. Sure there are others that make it easier for a neophyte to setup/use Mikrotik. Put those in the mobile apps.

Bundling up everyones needs into some great new thing is why there isn't a more keyboard shortcut, status page in Winbox, or important things like BFD.

benel · Fri Feb 17, 2023 3:16 pm

Bundling up everyones needs into some great new thing is why there isn't a more keyboard shortcut, status page in Winbox, or important things like BFD.

^^^ Best way of saying where Mikrotik lose themselves. Totally agree with you previous post as entity, not only the quote.

pe1chl · Fri Feb 17, 2023 3:27 pm

Bundling up everyones needs into some great new thing is why there isn't a more keyboard shortcut, status page in Winbox, or important things like BFD.

To be clear: I don't propose a great new thing, I propose reworking of an existing tool and after that is finished, end the maintance of another existing tool.
(including ongoing requests to port that tool to another OS, incurring more and more development work on what is essentially a dead end)
I agree that "feature parity of v7 relative to v6" (including support for BFD at least with the features it had in v6) should be the #1 priority, but all recent release notes show that MikroTik (unfortunately) does not see it that way.

Sob · Fri Feb 17, 2023 4:03 pm

Who decided that everything in web browser is the right way? I for one say it's not. Don't touch my toys!

stevester · Mon Feb 27, 2023 4:54 pm

Add Support for "Virtual Interfaces"
-MACVLAN
-IPVLAN

More info
https://developers.redhat.com/blog/2018 ... networking

+2, a little rediculous that RouterOS doesn't already have this.

phistrom · Wed Mar 01, 2023 8:04 pm

Multiple Connection Marks and/or Packet Marks
Would help a ton for people who want to use policy routing and QoS. As it is now, the number of connection marks you need is a cartesian product of (# of interfaces) X (# of things you want to QoS). For example, wan1-voip, wan2-voip, wan1-data, wan2-data, wan1-game, wan2-game, ...

Maybe rename it from "marks" to "tags"?
Or even just let me have 2 connection marks per connection.
Or allow me to have one connection-mark and one... conn-queueing-mark or something.
Or let me match by wildcard? connection-mark=wan1-* or connection-mark=*-data?

Port Lists
Similar to /ip firewall address-list but for ranges of TCP/UDP ports.
It would be very handy to specify a list called "http" for instance, and make it contain 80,443, and "ssh" containing 22, and "winbox" containing 8291, and then create a firewall raw rule that had something like port-lists=http,ssh,winbox to target all the ports in those lists. I think it makes it more readable with friendly names, and hopefully would be just as performant as the current way of specifying port=22,80,443,8291.

Fix the initial normis post for this thread
Here normis says to email Mikrotik with your feature requests. Maybe that can be expressed in the original post? or the dead link removed? Just for folks who aren't aware that the page was taken down in 2014 and don't waste time looking for it?

pe1chl · Wed Mar 01, 2023 11:23 pm

Multiple Connection Marks and/or Packet Marks

I agree with that! And I proposed it before, too.
At some point it seemed that in RouterOS v7, things were going to change. Suddenly there was a max of like 256 different marks, suggesting that they had now split the 32-bit field that is used for this in Linux into 4 bytes for 4 separate marks.
But the UI to put the marks in them has not appeared yet.
In theory, with a max of 32 different marks, you could have each possible combination of them, and with 4 classes of 256 different marks, for purposes like you describe it would work well too.
I guess they are busy with other things at the moment, but one time it could appear.

MakroTok · Thu Mar 02, 2023 6:58 pm

I'd like to suggest a dedicated "Feature requests" sub-forum. A sub-forum would allow one feature request per topic and discussion on this specific topic alone.
Having all feature requests thrown into one thread is not helpful on discussion or working out details on a solution which would work for most peopl. It's also very cumbersome to follow up on a specific feature request.

I would love to have a way address shortcomings / missing features though, but, and I apologize beforehand as I surely don't want to offend anybody, right now this thread looks a bit like a convolute of ideas where they let people play with ideas so that they don't bother support...

Thu Mar 02, 2023 7:39 pm

Feature request for Winbox ( this is NOT a feature request for ROS )

I suggest an updated version of Winbox that includes the Mikrotik btest.exe functions.

Currently without this new feature:
Winbox can only btest ( speedtest ) between any two Mikrotik devices.
Currently , the btest results indicate nothing about how fast the Windows PC computer running Winbox is performng.

With an updated Winbox with a built-in btest.exe ( btest speedtest ) function - you gain these new features & abilities:
A Windows computer running Winbox can now btest ( speedtest ) from the Windows computer to a Mikrotik.
These btest ( speedtest ) results would now indicate the users Windows computer network speed to the remote test Mikrotik device.

*** Some background information to support this new feature request in Winbox:
Most of the text below is from a posting I previously made in the forum section --> Public-Mikrotik-Bandwidth-Test-Server(s)

When , you are using a Windows computer that is running a Windows Winbox program. Your Winbox is then controlling a Mikrotik ROS device ( router or switch ) - and your winbox has opened the btest functions on the Mikrotik ROS device.
If/when you run a btest , you are speed testing ( btest ) the TCP and/or UDP throughput of your Mikrotik ( to another Mikrotik ROS device ). When the btest is running , the Mikrotik is performing the btest ( speedtest ) and the CPU on the Mikrotik is doing all of the work. Your Windows computer itself is not speed-testing anything.

Here is an enviornment where a btest function in Winbox that is running on a Windows PC computer can provide much more useful information :
- 1) You have a nice/new/very-fast Windows computer
- 2 ) Your computer has a 10-Meg Ethernet connection ( or a wireless connection ) to your Mikrotik ROS router device
- 3 ) Your Mikrotik ROS router device has a 10-Gig fiber link to another 2'nd Mikrotik ROS device

* When your Windows PC computer running Winbox sends commands to btest between both of your Mikrotik devices , you should get very close to 10-Gig ( if both Mikrotik devices have a fast enough CPU ). This does not imply that your Windows computer can talk at 10-Gig.
* If Winbox had a built-in btest function -- then you could btest ( using Winbox ) on your computer to either Mikrotik ROS device and you would get 10-Meg ( nothing faster ). So why only 10-Meg instead of 10-Gig ? --- Because you only have a 10-Meg Ethernet connection ( or wireless connection ) to the Mikrotik ROS device your PC computer is connected to.

*** If you have multiple Windows PC computers/servers ( all running a Winbox with built-in btest functions ) , then you can btest ( speedtest ) from any of your Windows computers through your network(s) to another Windows PC computers/servers ( or Mikrotik ) and then get a better picture of how fast your network really is ( not just Mikrotik to Mikrotik ).

***** If somebody can run 1 mile in 10 minutes ( Mikrotik btest to another Mikrotik ) , the speed that somebody can run has nothing to do with how fast you or I can run.
( AKA - the current btest speedtest results do not indicate anything about how fast the Windows computer is performing )

Currently , there is a Mikrotik btest.exe ( x86 based ) btest ( speedtest ) program that runs on a Windows computer. Few end-uses know anything or use this Mikrotik program and have never used it.
I would think it would be somewhat easy to append the btest.exe x86 program/code to the end of the Winbox.exe x86 program/code ( combine both programs into one program ) , and then add some new/additional GUI buttons in Winbox which can then allow Winbox itself on the Windows computer to perform a btest ( speedtest )
* It might also be desirable to hard-code limit the maximum time best can run ( 10 to 60 seconds ) , to prevent users from creating a sustained I/O saturation of their network(s).
.

Also - add a new GUI button in Winbox ( Check for Winbox updates ). The current method to update Winbox is semi-hidden and you have to know where to look to update Winbox.

Does this sound like a good feature idea to everybody else ?

North Idaho Tom Jones

Amm0 · Thu Mar 02, 2023 7:59 pm

Feature request for Winbox ( this is NOT a feature request for ROS )
I suggest an updated version of Winbox that includes the Mikrotik btest.exe functions.

So if I understand this, you're suggesting winbox.exe "embed" btest.exe so it can be used without having to download it? And some UI to winbox that launch it as a window within (or outside) Winbox...

It been long recommend to run btest's NOT from the router your testing & you're right, this would make that easier to do.

That be useful since there isn't a btest.exe for Mac....

Amm0 · Thu Mar 02, 2023 8:09 pm

Also - add a new GUI button in Winbox ( Check for Winbox updates ). The current method to update Winbox is semi-hidden and you have to know where to look to update Winbox.

I used RouterOS/winbox for YEARS before I noticed winbox could update itself (e.g. it's ONLY in the initial "Discovery"/"Login" windows menus, NOT the main "session" window).

I'd like this more automatic to check on launch if there is a new version and prompts to update. Dude essentially already does this today. With some "Enable/Disable Update Check" hidden in the menu.

rextended · Fri Mar 03, 2023 1:37 am

North Idaho Tom Jones

You really care about your name, it's always the most prominent thing in each of your posts and it's repeated in a completely useless way,
since it's also the nickname and on the avtar...

Fri Mar 03, 2023 1:47 am

North Idaho Tom Jones
You really care about your name, it's always the most prominent thing in each of your posts and it's repeated in a completely useless way,
since it's also the nickname and on the avtar...

North Idaho Tom Jones
is that better ?

rextended · Fri Mar 03, 2023 2:00 am

You couldn't wait to do it.
What a narcissist…

mozerd · Fri Mar 03, 2023 2:01 am

North Idaho Tom Jones
You really care about your name, it's always the most prominent thing in each of your posts and it's repeated in a completely useless way,
since it's also the nickname and on the avtar...

I see that you as a moderator are attacking North Idaho Tom Jones because he like to see his name prominently …
I 41 like his sig … an attack of this nature is not becoming of a fine Italian person like yourself…

rextended · Fri Mar 03, 2023 2:04 am

Thanks, but I didn't delete or edit his message...
I got bored like all those who let appear "Sent from my device using Tapatalk" and similar repetitive message,
but in his case he also gave him more emphasis than the whole topic......

rextended · Fri Mar 03, 2023 2:08 am

why this wiki pade have been removed ?

Because exist this topic....

Fri Mar 03, 2023 2:33 am

One of the reasons I use "North Idaho Tom Jones" is that in the past when I simply use "Tom Jones" I will always get the following?

"Do you sing ? "
"Any relation ? "
"I bet you wish you had his money ? "
"Theeee Tom Jones ? "
"Do you know him ? "
... and about a million other repeating comments ...

No , No, Yes, No, No
Best I can say is that I have actually had my checking account mixed up with his ( my paychecks going into his account. Also, I've had Las Vegas hotel reservations totally botched up and given keys to a luxury hotel room he would be using ( way way way way above my pay grade ).

In this industry, you got to have a slightly sick twisted sense of humor and be able to survive light humorous criticism .

North Idaho Tom Jones

rextended · Fri Mar 03, 2023 5:14 am

All junk, your nick and your picture does not say Jones, only you are obsessed with adding it at the bottom, otherwise people would not even know.

ivn · Fri Mar 03, 2023 3:46 pm

SSTP AES hardware acceleration please!
SSTP is the only standard protocol for Windows road warriors (but also can be used on other platforms with additional software) which works nearly anywhere. All other options like l2tp, ikev2, wireguard etc. are sometimes blocked in public or hotel networks.
Now we have pretty poor speeds and high cpu load with sstp on Mikrotik.

spippan · Fri Mar 03, 2023 5:13 pm

All junk, your nick and your picture does not say Jones, only you are obsessed with adding it at the bottom, otherwise people would not even know.

what does it bother you?
does it hurt someone?

way less offensive than many of your posts anyways. just leave it be, fgs

rextended · Fri Mar 03, 2023 5:16 pm

I already wrote it a little while ago, just re-read.
I feel it is useless to continue the discussion.

gabacho4 · Fri Mar 03, 2023 5:46 pm

I feel it is useless...

Like so many of your posts. No wonder your mod powers were revoked. You've contributed nothing to this thread today other than to attack someone. Now I've contributed negatively as well but after watching your interactions with forum users over the past year or so I finally cracked. If you are going to just take pot shots at others please STFU.

Fri Mar 03, 2023 7:06 pm

Re: Feature requests ( AP log connection nv2 signal strength )

Years ago , Mikrotik added the ability for an AP to log " connected, signal strength " when a client connects to an AP.
Below is a log example of Mikrotik AP logs AP using the wireless Protocol: 802.11 :

mar/02 09:04:31 wireless,info A6:CE:45:00:11:93@wlan1: disconnected, registered to other interface, signal strength -62
mar/02 09:25:37 wireless,info A6:CE:45:00:11:93@wlan2: disconnected, extensive data loss, signal strength -62
mar/02 11:33:54 wireless,info A6:CE:45:00:11:93@wlan2: connected, signal strength -73
mar/02 11:34:15 wireless,info A6:CE:45:00:11:93@wlan2: disconnected, received disassoc: sending station leaving (8), signal strength -73
mar/02 11:34:16 wireless,info A6:CE:45:00:11:93@wlan2: connected, signal strength -63

However , a Mikrotik AP using the wireless Protocol: nv2 does not have this AP logging feature.
Example below:
mar/01 10:21:27 wireless,info B8:69:F4:E5:30:49@wlan1: connected
mar/01 12:54:30 wireless,info 6C:3B:6B:DF:16:04@wlan1: connected
mar/01 12:54:31 wireless,info 6C:3B:6B:0E:5E:61@wlan1: connected
mar/01 12:54:32 wireless,info B8:69:F4:E5:30:B8@wlan1: connected

I would like to suggest that Mikrotik add this logging feature into APs using nv2.

Background supporting information for this feature request:

- The current AP Registration table that shows the current Tx/Rx Signal Strength has little relation to the original connection Tx/Rx Signal Strength when the client first connected.
- A wireless Client device will normally connect to an AP using a lower/slower connection rate. At slower connection rates , wireless cards almost always have a higher transmit power and a better more sensitive receive capability. At the initial wireless connection, both the AP and the Client will have better stronger signal strength for both tx and rx and a slower connection rate.
- After a Client is connected to an AP , both the Client and the AP connection rates will begin to up-shift to the fastest stable connection rates the wireless link can communicate at. Almost all wireless cards have a lower transmit power at faster connection rates -and- also have lesser receive sensivity at faster connection rates. Thus , the original signal connection strength can easily be 15-dB to 27-dB stronger or more than the current Registration table shows.

Here is a partial example of the wireless specifications for a 5-GHz DISC Lite5 :
Connect rate Transmit (dBm) Receive Sensitivity
6MBit/s 25 -96
MCS7 19 -75

After the initial wireless connection at 6MBit/s and after the connection has rate upshifted to MCS7 , the transmit power on the AP and client have both gone down by 6 dBm and the receive sensitivity on the AP and the client have both gone down by 21 dB.
Thus , an original connection strength may of actually been +27 dB stronger in both directions than what the Registration shows.

This information should be logged when an AP is configured to use Access-List Signal-Strength-Range setting ( strength required to connected and signal strength to force a disconnect ). If/when these settings are incorrectly configured , you can easily have your wireless clients connecting and disconnecting over and over again and repeating this loop forever. Hense - the reason a logging of wireless nv2 connection strengths is needed.

North Idaho Tom Jones

lol

petkodmitriy · Fri Mar 03, 2023 8:31 pm

It would be great to implement a ``routing table lookup'' . it is described in the WIKI, but there is no way to use it.
https://help.mikrotik.com/docs/display/ROS/IP+Routing

IN Extreme XOS thehe is this feature.

Screenshot_1.png

Screenshot_3.png

Amm0 · Fri Mar 03, 2023 8:52 pm

It would be great to implement a ``routing table lookup'' . it is described in the WIKI, but there is no way to use it.
https://help.mikrotik.com/docs/display/ROS/IP+Routing

In V6 there was /ip/route/check that gave a definitive routing result, but V7 removed it. See viewtopic.php?t=164150&hilit=route+check

I too like to see that back (or similar), it was a quick way to know your routing tabling was doing what you'd expect.

petkodmitriy · Fri Mar 03, 2023 9:06 pm

It would be great to implement a ``routing table lookup'' . it is described in the WIKI, but there is no way to use it.
https://help.mikrotik.com/docs/display/ROS/IP+Routing
In V6 there was /ip/route/check that gave a definitive routing result, but V7 removed it. See viewtopic.php?t=164150&hilit=route+check

I too like to see that back (or similar), it was a quick way to know your routing tabling was doing what you'd expect.

yes, it can be used in version 6, but I want a better implementation, and to see which route is active.

rextended · Sat Mar 04, 2023 2:19 am

North Idaho Tom Jones lol

Finally someone with just spirit....

@gabacho4 calm down, it was already over there, it's normal to disagree or send yourself to hell,
I'm not the hypocrite of the moment who gets along with everyone just to please.
Continuing to continue to continue is useless.

volkirik · Sun Apr 02, 2023 4:35 pm

IPv6 Fasttrack support, please

prawira · Fri Apr 14, 2023 7:57 am

hello,

i would like to request dynamic queues like dhcp for dot1x.
so every devices connected will create dynamic queues according to the parameter given on radius.
do not forget others parameter like insert before, parent queues, etc

cheers

P

volkirik · Fri Apr 14, 2023 12:13 pm

hello,

i would like to request dynamic queues like dhcp for dot1x.
so every devices connected will create dynamic queues according to the parameter given on radius.
do not forget others parameter like insert before, parent queues, etc

cheers

P

+1 for this one.

flydvorkin · Sat May 27, 2023 1:03 pm

console

It would be useful if "add" command (in all menus) return to script id of created entry.
Sorry, my mistake, add already returned ))

emunt6 · Sat May 27, 2023 5:52 pm

OOB interface:
> IPMI/Redfish - management (no more "Netinstall")

https://www.dmtf.org/standards/redfish

qwerty77 · Thu Jun 01, 2023 12:42 am

Hello,
Feature request:
Add button to log entry so one can create firewall rule to remote address.

Log is seen by admin to reveal some undesired activity. Copypasting is time consuming.
Consider adding a button which will call New Firewall rule, with pre-filled IP from Log entry. This is supposed to improve usability.

Thanks.

Thu Jun 01, 2023 1:43 am

Hello,
Feature request:
Add button to log entry so one can create firewall rule to remote address.

Log is seen by admin to reveal some undesired activity. Copypasting is time consuming.
Consider adding a button which will call New Firewall rule, with pre-filled IP from Log entry. This is supposed to improve usability.

Thanks.

FYI - PfSense has this feature, and it works well - The feature you are asking for might be very useful in Mikrotik ROS

North Idaho Tom Jones

rextended · Thu Jun 01, 2023 3:18 am

1) Why leave SSH open to the world (these are the consequences, if not also attract DDoS attacks),
2) Why don't you already have a script that blacklists the IP after the second failed attempt in not even 4 seconds?

pe1chl · Thu Jun 01, 2023 11:29 am

Log is seen by admin to reveal some undesired activity. Copypasting is time consuming.
Consider adding a button which will call New Firewall rule, with pre-filled IP from Log entry. This is supposed to improve usability.

Of course you would not want to make a "new firewall rule" for that!
First learn a bit more about firewall rules. To block random IP addresses, make a SINGLE rule that blocks some traffic referencing an "address list".
Then put the address you want to block in the address list. You can add many addresses in the address list and they will all be blocked by a single rule. Better for CPU usage!
Also, you can have a timeout on an address list entry, so it automatically gets removed after some time.
And of course, what you want is already possible! You can write a script that reads the log, finds messages like the above, extracts the address from it and adds it to the address list.
No new feature required for that.

qwerty77 · Fri Jun 02, 2023 4:00 pm

Thanks rextended & pe1chl, the script idea looks reasonable. Will consider this.

flydvorkin · Fri Jun 02, 2023 11:06 pm

Request scripting feature.

Modify commands
:local <name> <value>
:global <name> <value>
to make it possible set <name> from other variable.
also add $$ construction for access to such dynamically-named vars.

Example:
:local varname "newVar";
:local $varname "test";
:put $newVar;
test
:put $$varname;
test

rextended · Fri Jun 02, 2023 11:18 pm

I don't think it's a matter of implementing useless things or not,
but a question of knowing how to use what already exists...

Example:
:local varname "newVar";
:local $varname "test";
:put $newVar; <<== this do not have any logic, if you already know the varname inside the script, no need to create it dinamically
test
:put $$varname;
test

working example code

{
:local localvars [:toarray ""]
:local varname "newVar"
:set ($localvars->$varname) "test"

:put ($localvars->"newVar") ; # the same as on previous comment, is illogic, but for example...
# previous :put wire "test" on terminal

:put ($localvars->$varname)
# previous :put write "test" on terminal

:local testip "newipvar" 
:set ($localvars->$testip) 127.0.0.1
:put "Local variable $testip value is $($localvars->$testip) and the type is $[:typeof ($localvars->$testip)]"
# previous :put write "Local variable newipvar value is 127.0.0.1 and the type is ip" on terminal
}

And if the variable must be global, just create

:global globalvars [:toarray ""]

etc.
Or use another method:
viewtopic.php?f=9&t=178435&p=879152#p879152

flydvorkin · Sat Jun 03, 2023 10:03 pm

knowing how to use what already exists

All this examples i understand and i know how to use it.
Feature request desire to simplify a lot of work.

pe1chl · Sun Jun 04, 2023 11:21 am

Simplify a lot of work?
I would say it is just a niche case that is mainly a trick, and associative arrays (as in the example by rextended) are the proper way to do what you want.
Sure there are some things that can be improved in the scripting language, and especially in its parser, but I don't consider this one of them.

rextended · Sun Jun 04, 2023 1:00 pm

[…] there are some things that can be improved in the scripting language […]

For example, decimal division...
RouterOS: 3 / 2 = 1 must be done (3 * 1000) / 2 = 1500, then split the string "1" + "," + "500" and remove last zeros at the end...

pe1chl · Sun Jun 04, 2023 6:18 pm

For me, the most important is to add a BNF definition of the language and make the parser adhere to it.
I have found many times that when combining various constructs that each are supported into a complicated expression, it does not work.
You need to break up complicated expressions into various steps. In a decent language that is not required, anything derived from the simple examples goes when combined in a complicated expression.

Amm0 · Sun Jun 04, 2023 6:57 pm

For me, the most important is to add a BNF definition of the language and make the parser adhere to it.

Not BNF, but there is a "table" of the syntax in /console/inspect

/console/inspect input=":put \$" request=completion 

Columns: TYPE, COMPLETION, STYLE, OFFSET, PREFERENCE, SHOW, TEXT
TYPE        C  STYLE        O  PR  SH  TEXT                         
completion  [  syntax-meta  6  75  no  start of command substitution
completion  (  syntax-meta  6  75  no  start of expression          
completion  $  syntax-meta  6  75  no  substitution                 
completion  "  syntax-meta  6  75  no  start of quoted string

/console/inspect request=syntax 

Columns: TYPE, SYMBOL, SYMBOL-TYPE, NESTED, NONORM, TEXT
TYPE    SYMBOL         SYMBOL-TYPE  N  NONORM  TEXT                                                                    
syntax                 collection   0  yes                                                                             
syntax  beep           explanation  1  no                                                                              
syntax  blink          explanation  1  no                                                                              
syntax  certificate    explanation  1  no      Certificate management

It's turtles tables all the way down.

pe1chl · Sun Jun 04, 2023 7:14 pm

The problem is that there is no BNF definition of the language that corresponds with the behavior of the parser.
So you cannot make arbitrarily complex nested expressions that would be valid in almost any language. At some point it just issues an error.
And of course, the indication and handling of errors also leaves a lot to be desired...

optio · Mon Jun 05, 2023 9:21 pm

Please add syntax error / bad command messages into log file (same messages when commands are executed from terminal like bad command name egdfg (line 2 column 1)) for uploaded autorun script (<something>.auto.rsc), into "<something>.auto.log" or "<something>.auto.err" if .log file is meant to be only for successful execution.
I'm trying to create IDE (VSCode) task configuration which uploads working script over SFTP and reads output from log file or error over SSH, but I'm unable to catch error for exact executed script, it is not possible to exactly match script error log with that uploaded script execution (ex. if other script is executed with error in that time) but it will possible if is error logged into file with same basename.

depth0cert · Fri Jun 09, 2023 5:58 pm

Please add sstp - authentication process using EC digital signature

AdruKO · Sat Jul 01, 2023 10:50 pm

Greetings. The feature request I recommend is that the host used to detect the Internet in interface/detect-internet can be customized to any other host (domain or IP).

spippan · Tue Jul 11, 2023 3:00 pm

[FEATURE REQUEST]
- Firewall History Log

could it be possible to implement a firewall connections log (a seperate TAB for example directly in the ip>firewall window/section)?
with maybe some settings like "max-conn-count", "max-lines" and/or "max-history-timeframe" (which could define for how long it is possible to look back)

something like CHECKPOINT or BARRACUDA NG Firewalls do have.

cheers

pe1chl · Tue Jul 11, 2023 4:15 pm

You can create that yourself by adding the proper /system logging definition...

pe1chl · Thu Jul 13, 2023 11:54 am

When adding a bridge filter to a vlan-filtering bridge, it would be nice when you could specify the VLAN id AND the MAC protocol.
As it is now, when you filter on a VLAN id you cannot filter on any other MAC protocol.
I would like to filter "ARP on VLAN 2", for example. So I want to specify MAC protocol ARP and at the same time VLAN id 2.
(of course the filter would match on the string of MAC protocol 8100, VLAN 2, MAC protocol ARP)

Thu Jul 13, 2023 12:22 pm

Bridge filter rules have limited matching options for L3, L4 headers when a packet is VLAN-tagged (contrary to switch ACL rules). But there is a special "vlan-encap" matcher that will look for MAC protocol.

/interface bridge filter
add chain=forward mac-protocol=vlan vlan-encap=arp vlan-id=2

msatter · Thu Jul 13, 2023 12:26 pm

Now the 4096 byte limit on variables is lifted and variables are now limited by the amount of available memory.

https://help.mikrotik.com/docs/pages/di ... ersions=28

:too fetch is still limited to 64512 bytes when using user->data and it then depends to the target server supporting chunked transfers. My request is to able to also read download larger than 64512 bytes directly into a variable.

To avoid stuff more data into a variable/internal memory a check could be done in advance with: [/tool fetch url=$url keep-result=no as-value] or have an extra parameter indicating the expected amount of data to be stored. So that a unintended big download does not bring the router in any problems.
This could be automatic like ((available memory / 3) * 2) limiting to 2/3 of available memory to be used by one variable.

Preferred or even enforced is using :local for big variables over/instead of :global.

msatter · Thu Jul 13, 2023 1:23 pm

Second request on bigger variables.

Using fetch I can write a bigger file to disk in one go. But then I can't read those back when the file is bigger than 4KB, despite the variable in not a limiting factor anymore in ROS.

This could be first one, so the request above for direct download in variable can be done on a later moment. Then a work around situation is created by first saving to disk and then read the file back to a variable.

https://help.mikrotik.com/docs/display/ ... remotehost

There is stated that the limit for variables is still 4KB and that is limiting reading the file.

pe1chl · Thu Jul 13, 2023 2:14 pm

Bridge filter rules have limited matching options for L3, L4 headers when a packet is VLAN-tagged (contrary to switch ACL rules). But there is a special "vlan-encap" matcher that will look for MAC protocol.
Code: Select all
/interface bridge filter
add chain=forward mac-protocol=vlan vlan-encap=arp vlan-id=2

Ok thanks! I saw that vlan-encap parameter but I mistakenly assumed that it would select the type of vlan encapsulation...
Unfortunately, when configuring it like that, it does not allow filtering on the ARP parameters as it does when mac-protocol=arp
Is that a bug or is it just impossible to implement?

Thu Jul 13, 2023 2:35 pm

Right, the arp-* matchers require mac-protocol=arp/rarp to be set. I believe it is a bridge filter (ebtables) limitation.

pe1chl · Fri Jul 14, 2023 9:06 pm

Pity... now I still need to have a dummy bridge on the VLAN CPU port on the main bridge. Then I might as well drop the entire VLAN filtering bridge on this config (it is the one where I tried to hw offload the bonding interface)...

On to the next (unrelated) feature request:
I would like to see an option in /routing/table to have connected routes automatically added to a user-created routing table.
Ideally it would be a pulldown selector similar to what is in the firewall for "interface list", where you can select "none" (default), "all", or a user-defined interface list. But when that is impossible, just a checkmark to enable this (for all interfaces) would be nice as well.
This function will put "C" routes (as seen in table "main") into the user-created table as well.

I think it is already available in VRF, but VRF is often too restrictive for what I want to do (overlay networks, balance/failover between ISPs, etc).

pe1chl · Sat Jul 15, 2023 11:29 am

The "Input accept NLRI" filtering in BGP would be more usable when there is an extra "accept default route" option.
As it is now, you can accept prefixes in certain subnets (as present in the address-list parameter of "Input accept NLRI"), but once you want to accept the 0.0.0.0/0 route, everything is accepted. It would be great when you could accept some networks in the address-list, and not the networks outside that, but still accept the default route.

spippan · Sat Jul 22, 2023 2:54 pm

The "Input accept NLRI" filtering in BGP would be more usable when there is an extra "accept default route" option.
As it is now, you can accept prefixes in certain subnets (as present in the address-list parameter of "Input accept NLRI"), but once you want to accept the 0.0.0.0/0 route, everything is accepted. It would be great when you could accept some networks in the address-list, and not the networks outside that, but still accept the default route.

+1 for that.
would be really useful

expo · Thu Sep 14, 2023 3:33 am

bump for RFC 2439 / route dampening

Kraken2k · Thu Sep 14, 2023 1:20 pm

I understand the need to restart interfaces/processes/policies/etc. on change, but it is possible to exclude Comments field from this rule? They does not affect the actual configuration of the item in any way.

It's a bit annoying if I want to change a comment for IPsec Policy or Netwatch Host and the item turns off and on again, causing connection reset / execution of Up/Down scripts etc...

Kraken2k · Thu Sep 14, 2023 1:34 pm

Please add sstp - authentication process using EC digital signature

Also updating ciphers available for MT SSTP server would be a good idea, because the only ones offered now are TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_256_CBC_SHA

ammaree · Fri Sep 15, 2023 2:25 pm

Some Winbox related requests from me:

#1 I often use Winbox to support IOT devices behind a firewall. Access is based on Telnet or SSH using Tools->Telnet menu access. If this menu option could be accessed from the DHCP Server->Leases screen, possibly using Right click with the device highlighted it would save a LOT of time.

#2 Certain operations such as a firmware upgrade cause the device to reboot and the connection to be Disconnected. If a "Reconnect" option (or better keyboard shortcut) can be added to automatically reconnect using same protocol and credentials it would be wonderful.

#3 Ability to hide/remove certain columns from some of the screens would be wonderful. This will allow support staff to reduce the clutter by having fewer but relevant columns displayed on some mobile devices such as small laptops.

#4 If the above custom configuration can be saved as part of a user profile this will be wonderful and save time having to remove the same columns again.

pe1chl · Fri Sep 15, 2023 2:34 pm

#3 Ability to hide/remove certain columns from some of the screens would be wonderful. This will allow support staff to reduce the clutter by having fewer but relevant columns displayed on some mobile devices such as small laptops.

#4 If the above custom configuration can be saved as part of a user profile this will be wonderful and save time having to remove the same columns again.

This has been available for ages! You need to click the small triangle at the rightmost edge of the column titles and use "show columns".
This is also saved to the profile for that router when you click "session->save" or have "session->autosave on close" enabled and neatly close the session.
(does not save when you lose the network connection e.g. because the router reboots)

seriquiti · Fri Sep 15, 2023 2:36 pm

Ability to choose specific archive version in packages to downgrade/upgrade to.

RouterOS stable versions have proved to be unstable regularly. Having the option to just choose a version to install will be very helpful on devices with small flash storage where you can't just drop the file in and reboot.

pe1chl · Fri Sep 15, 2023 3:24 pm

Sure the System->Packages menu could have some very simple improvements! Not only selection of a version, but also selection of packages to install.
The packages are available from the update server, so why do we have to download them on a computer, finding the correct architecture, unzip the file, upload the npk to the router? There could be an Install button that shows the packages available for the installed version, and download and add one.

ammaree · Fri Sep 15, 2023 3:57 pm

#3 Ability to hide/remove certain columns from some of the screens would be wonderful. This will allow support staff to reduce the clutter by having fewer but relevant columns displayed on some mobile devices such as small laptops.

#4 If the above custom configuration can be saved as part of a user profile this will be wonderful and save time having to remove the same columns again.
This has been available for ages! You need to click the small triangle at the rightmost edge of the column titles and use "show columns".
This is also saved to the profile for that router when you click "session->save" or have "session->autosave on close" enabled and neatly close the session.
(does not save when you lose the network connection e.g. because the router reboots)

Thanks, havent seen the right most side because we have always reduced the size of windows to fit in....

ammaree · Fri Sep 15, 2023 3:59 pm

And another (much repeated request) for a NATIVE MacOS Winbox version. Currently have to start VMWare Fusion just to start Winbox....

Amm0 · Fri Sep 15, 2023 4:29 pm

Sure the System->Packages menu could have some very simple improvements! Not only selection of a version, but also selection of packages to install.

100% agree. It comes up when a "stable" release isn't actually "stable" for a particular configuration/router/hardware/whatever. "Rollback" to another version is quite tedious/manual & requires a good how understanding of package management. e.g. you have to align the specific packages previously installed to manually copy the same set of "extra-packages" & knowledge of the "file copy" method of upgrade in first place.

Amm0 · Fri Sep 15, 2023 4:34 pm

And another (much repeated request) for a NATIVE MacOS Winbox version. Currently have to start VMWare Fusion just to start Winbox....

I use a Mac, just use wine, it works "natively enough". Now they should release a 64-bit Dude, because there you do need Fusion (or similar VM), which is annoying.

IMO Mikrotik should focus on fixing these little things, not worrying about multi-platform clients. And if they made their iOS app more functional, it work on newer Macs.

memelchenkov · Fri Sep 15, 2023 5:23 pm

And another (much repeated request) for a NATIVE MacOS Winbox version. Currently have to start VMWare Fusion just to start Winbox....

WinBox works perfectly under CrossOver for ages, you do not need virtualisation software to run it.

kwagga · Tue Sep 19, 2023 5:56 pm

Pity... now I still need to have a dummy bridge on the VLAN CPU port on the main bridge. Then I might as well drop the entire VLAN filtering bridge on this config (it is the one where I tried to hw offload the bonding interface)...

On to the next (unrelated) feature request:
I would like to see an option in /routing/table to have connected routes automatically added to a user-created routing table.
Ideally it would be a pulldown selector similar to what is in the firewall for "interface list", where you can select "none" (default), "all", or a user-defined interface list. But when that is impossible, just a checkmark to enable this (for all interfaces) would be nice as well.
This function will put "C" routes (as seen in table "main") into the user-created table as well.

I think it is already available in VRF, but VRF is often too restrictive for what I want to do (overlay networks, balance/failover between ISPs, etc).

+1 to this!!
automatically add local routes to additional route tables

sas2k · Thu Sep 28, 2023 2:49 pm

I need either shadow socks or some kind of obfuscated vpn protocol (v2ray, vless, xtls reality, etc...).
Shadow socks seems to me more preferable, as it operates separately tcp-tcp , udp-udp, plus socks5 already in ROS.
UNFORTUNATELY nowdays most if restictions cannot be resolved with wireguard/ipsec, as these protocols are blocked easily and effectively.

LouisVisagie · Fri Sep 29, 2023 2:39 pm

It would be really nice if MikroTik would add the ability to graph health information such as voltage and temperature and no I'm not referring about SNMP and API, I am referring to tools->graphing,the same way as resources, queues and interfaces are graphed.

Yes please. With RouterOS 6 this could be managed with scripts and email, but I've yet to find a way to get a report of a router's voltage health for the duration of a day on RouterOS 7.

Fri Sep 29, 2023 9:09 pm

IMO - if you want to graph your network , consider using something like Cacti, or Zabbix , or LibreNMS ( or any other Network Monitoring software ).

I prefer a fast non-bloated switch/router that is not also using disk space or cpu processes or memory processes to capture and store graph into.
Then you can also keep your graphs much longer ( years or more ) on everything ( cpu, mem, I/O throughput , voltages , temperature , connected users ... and/or anything your switch/router will allow your NMS system to SNMP read.

Normally , on a Mikrotik , I disable/turn-off all graphing to avoid tasking the CPU , consuming flash disk space to get the maximum throughput performance possible.

North Idaho Tom Jones

gfunkdave · Fri Sep 29, 2023 10:45 pm

What is the current correct way to submit feature requests to Mikrotik?

pe1chl · Sat Sep 30, 2023 4:02 pm

Make a ticket on the customer support portal at https://help.mikrotik.com/servicedesk

pedja · Sat Sep 30, 2023 5:24 pm

I stumbled upon "cannot run, not enough permissions." error while trying to run script from scheduler (MT 6.48.6). For years is worked fine and it seems with some upgrade it stopped working as something with permissions was changed.

While searching for a solution, I found out numerous issues reporting with NetWatch. People were unaware WHAT permissions are needed for script to be executable by NetWatch.

I resolved an issue. In my case I had to allow all permissions but romon and dude to both schedule and script to make it work. with less permission, although it was the same for schedule and script, it still reported permission error, but not what permission is required and missing.

I have a feature suggestion: When permission error is reported, post what exact permissions are not fulfilled. It would really help finding issue in quicker and easier manner, and with less frustration.

mickdoev · Fri Nov 03, 2023 1:50 am

When creating a GRE tunnel using IPsecret - the dynamically created IPsec peer uses exchange mode MAIN. It would be great if there was a way for the dynamic peer to use IKEv2 (without having to manually create the peer and identity under IPsec)

pe1chl · Fri Nov 03, 2023 11:36 am

+1! It would be great to be able to select a profile other than default (but I see exchange mode is not part of the profile)
It would be great when these settings would be moved into the profile, e.g. also "passive".

spippan · Fri Nov 03, 2023 2:59 pm

+1! It would be great to be able to select a profile other than default (but I see exchange mode is not part of the profile)
It would be great when these settings would be moved into the profile, e.g. also "passive".

how would you like to move phase1 settings to phase2 around or vice-versa?

mutluit · Fri Nov 03, 2023 4:09 pm

We need wildcard searching (*) in address-list searches:

[xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.3
[xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.0/24

[xxxxx@yyyyy] /ip firewall address-list> print where address=192.168.128.*
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT

pe1chl · Fri Nov 03, 2023 4:15 pm

+1! It would be great to be able to select a profile other than default (but I see exchange mode is not part of the profile)
It would be great when these settings would be moved into the profile, e.g. also "passive".
how would you like to move phase1 settings to phase2 around or vice-versa?

No need for that. I would (like the other request) just want to specify an initial phase1 profile.

pe1chl · Fri Nov 03, 2023 4:16 pm

We need wildcard searching (*) in address-list searches:

[xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.3
[xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.0/24

[xxxxx@yyyyy] /ip firewall address-list> print where address=192.168.128.*
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT

This has been asked several times before by people who do not realize that it already exists.
print where address in 192.168.128.0/24

mutluit · Fri Nov 03, 2023 4:38 pm

We need wildcard searching (*) in address-list searches:

[xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.3
[xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.0/24

[xxxxx@yyyyy] /ip firewall address-list> print where address=192.168.128.*
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
This has been asked several times before by people who do not realize that it already exists.
print where address in 192.168.128.0/24

Ah, cool!
Should be added into the documentation.

BUT: what about wildcard searching after domain names in such address lists, for example searching all related to "google", ie. "*google*" ?

rextended · Fri Nov 03, 2023 4:48 pm

This has been asked several times before by people who do not realize that it already exists.
print where address in 192.168.128.0/24
Ah, cool!
Should be added into the documentation.

You should read the documentation. Is already present, on both old and new.
https://wiki.mikrotik.com/wiki/Manual:S ... _Operators
https://help.mikrotik.com/docs/display/ ... lOperators

The documentation cannot provide all the examples of what can be done with scripting.
Simply (of what) it says 1+1=2, then (4 * 6 + 2 - 7 / 22) = 26 you have to do it yourself...

rextended · Fri Nov 03, 2023 4:54 pm

Added during previous reply:

BUT: what about wildcard searching after domain names in such address lists, for example searching all related to "google", ie. "*google*" ?

literally where address have inside "google" on any point
(literally is not one script instruction)
/ip firewall address-list print where address~"google"

Still you do not read the already available documentation....
https://wiki.mikrotik.com/wiki/Manual:S ... _Operators
https://help.mikrotik.com/docs/display/ ... rOperators

So your "Feature requests" would be: "Someone read the documentation for me"...

rextended · Fri Nov 03, 2023 5:04 pm

In conclusion, for this:

[xxxxx@yyyyy] /ip firewall address-list> print where address=192.168.128.*

The correct way is to use "in" but for paragonable/regex syntax is:

/ip firewall address-list print where address~"^192\\.168\\.128\\.*"

Amm0 · Fri Nov 03, 2023 5:53 pm

The GRE IPSec profile suggestion is good one. Never thought about this approach:

When creating a GRE tunnel using IPsecret - the dynamically created IPsec peer uses exchange mode MAIN. It would be great if there was a way for the dynamic peer to use IKEv2 (without having to manually create the peer and identity under IPsec)
+1! It would be great to be able to select a profile other than default (but I see exchange mode is not part of the profile)
It would be great when these settings would be moved into the profile, e.g. also "passive".

+1 too. The "Use IPSec" checkbox is so handy, just limited today – a profile selector be useful .

I just add equally or more useful on EoIP too.

pe1chl · Fri Nov 03, 2023 6:41 pm

Why is this then not working?


[xxxxx@yyyyy] /ip firewall address-list> print where list=TEST
Flags: X - disabled, D - dynamic 
 #   LIST                                                         ADDRESS                                                                           CREATION-TIME        TIMEOUT             
 0   TEST                                                         play.google.com                                                                   nov/03/2023 15:43:46
 1 D ;;; play.google.com
     TEST                                                         172.217.16.78                                                                     nov/03/2023 16:28:30
 2   TEST                                                         www.google.com                                                                    nov/03/2023 16:52:02
 3 D ;;; www.google.com
     TEST                                                         142.250.181.196                                                                   nov/03/2023 16:52:02

[xxxxx@yyyyy] /ip firewall address-list> print where address~"*google*"                  
Flags: X - disabled, D - dynamic 
 #   LIST                                                         ADDRESS                                                                           CREATION-TIME        TIMEOUT             
[xxxxx@yyyyy] /ip firewall address-list>

because you did not read the documentation and the examples above. *google* is not a valid regexp.

pe1chl · Fri Nov 03, 2023 6:45 pm

+1 too. The "Use IPSec" checkbox is so handy, just limited today – a profile selector be useful .

I just add equally or more useful on EoIP too.

Yes, of course when that is implemented for GRE/IPsec it should be added for *all* cases where automatic IPsec config is possible.
(IPIP/IPsec, EoIP/IPsec, L2TP server, L2TP client)

spippan · Fri Nov 03, 2023 11:25 pm

how would you like to move phase1 settings to phase2 around or vice-versa?
No need for that. I would (like the other request) just want to specify an initial phase1 profile.

oh sorry, misunderstood
got it. indeed would be favourable

emunt6 · Sun Nov 05, 2023 12:44 am

Add Support for "Virtual Interfaces"
-MACVLAN
-IPVLAN

More info
https://developers.redhat.com/blog/2018 ... networking
+2, a little rediculous that RouterOS doesn't already have this.

Finally
What's new in 7.12rc1 (2023-Oct-05 08:46):
*) interface - added "macvlan" interface support;

emunt6 · Sun Nov 05, 2023 12:46 am

Feature request:
- SOC/ASIC Hardware accelerated multi-bridge/interface support
(example: Microchip SparX-5 / Marvell OCTEON TX2 CN9670 + RouterOS)

eworm · Tue Nov 07, 2023 1:35 pm

I've ask support to modify ssh public keys (/user/ssh-keys) to expose a read-only property with the key's fingerprint (SUP-132909). Actually public key authentication works quite well, but there is no way to verify that a key is the one you expect it to be.

Imagine you import a certificate "ISRG Root X1" to verify websites, but there is no way to verify its fingerprint, which should be "96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6". Pretty bad, no?

Support answered:

If there will be more requests, we will consider implementing this feature.

So if you think this is useful (or even mandatory) please open your own request!

kryztoval · Thu Nov 09, 2023 10:48 pm

Winbox Feature Request
In Container

when using copy put the "tag" value into the "remote-image" field. so you can effectively duplicate the entry when required.
allow to use a log prefix to easily identify which container is actually reporting the thing to the long

In IP / Firewall

Add the "log_prefix" as the "comment" to the "add ___ to address list" action. This would help tracking which firewall rule added the address to the list and could potentionally reduce the number of lists. For instance there would be no need for an ssh_stage# list and a winbox_stage# list if I could just use stage# and now where each address got added from.

In Files

Collapsible folders

maxten · Fri Nov 10, 2023 6:52 am

Add select kernel congestion to bbr
after container is stable, router os has can take more service function in network. It's worth to support BBR congestion control for internal service such as VPN, storage, although it has no effect as a switch or router.

spippan · Fri Nov 10, 2023 7:11 pm

Winbox Feature Request
In Container

when using copy put the "tag" value into the "remote-image" field. so you can effectively duplicate the entry when required.

allow to use a log prefix to easily identify which container is actually reporting the thing to the long

+10

In Files

Collapsible folders

+1

Amm0 · Fri Nov 10, 2023 7:50 pm

In Container

when using copy put the "tag" value into the "remote-image" field. so you can effectively duplicate the entry when required.

+10

I filled a feature request bug a couple months ago (SUP-128652) on copy problem and that it :export doesn't actually create a usable "/container add" with remote-image= set.

mywayteam · Sun Dec 03, 2023 7:07 pm

SSTP AES hardware acceleration please!
SSTP is the only standard protocol for Windows road warriors (but also can be used on other platforms with additional software) which works nearly anywhere. All other options like l2tp, ikev2, wireguard etc. are sometimes blocked in public or hotel networks.
Now we have pretty poor speeds and high cpu load with sstp on Mikrotik.

Totally agree!
Hardware acceleration for sstp is very much needed.

spippan · Tue Dec 05, 2023 11:43 am

SSTP AES hardware acceleration please!
SSTP is the only standard protocol for Windows road warriors (but also can be used on other platforms with additional software) which works nearly anywhere. All other options like l2tp, ikev2, wireguard etc. are sometimes blocked in public or hotel networks.
Now we have pretty poor speeds and high cpu load with sstp on Mikrotik.

would help implementing standard windows clients by a LOT

mszru · Sat Dec 09, 2023 12:35 am

Wouldn't it be cool to have signal strength graph in the Wi-Fi Registration table like in Quick Set?
Having that column one can easily identify problem clients at a glance.

Signal Strength Graph - Quick Set.png

Signal Strength Graph - Registration.png

optio · Mon Dec 18, 2023 1:13 pm

Please implement non persistent (no flash write) change configuration possibility. This could be implemented through some global command like

:nonpersistent do={ ... }

any command that is performed inside that command context block should not persist change in configuration.

Some practical usages:

disabling/enabling interfaces or VPN servers to force reconnect used by netwatch or schedulers

any short interval configuration change in loop where persistence is not needed, like LED light show script that turns on/off different leds in short intervals (it is possible on some routers), I know router is not Christmas tree, but it could be used for presentation, eg. on stores shelf

Benefits:

reduced flash writes

avoiding possible edge case scenario when netwatch script disables WAN (internet connection) interface to force reconnect (eg. lte) and while it's disabled power loss occurred, on next boot, because of persistence, internet connection is no longer available and can be an issue if user is not at home and wants to use for eg. BTH VPN - this is solvable with additional startup script that checks enabled states of interfaces, VPN servers, etc., but it just complicates things where it could be simpler with non persistent commands

kevinds · Tue Dec 19, 2023 7:47 pm

Export with "show-sensitive" to include users and their hashed passwords. Also the ability to import users and include pre-hashed passwords.

pe1chl · Tue Dec 19, 2023 9:17 pm

Export with "show-sensitive" to include users and their hashed passwords. Also the ability to import users and include pre-hashed passwords.

YES! The export should be expanded to (at least optionally) include all of the configuration, including users, certificates etc.

pe1chl · Tue Dec 19, 2023 9:21 pm

Please make IKEv2 roadwarrior split-include functionality actually interwork with other people's software.
As it is now, it only works with other MikroTik devices. Standard IKEv2 client software only gets the first split-include entry, not further entries (i.e. you can route only a single local network using this mechanism).

gunther01 · Tue Dec 19, 2023 9:30 pm

Ability to color the winbox header differently per device type. Or somehow allow the changing of the color and keep it persistant once changed..

This would allow me to make sure I don't "grab" the wrong window when I have 20 of them open and make a change in the wrong one. ie, green for cpe's, red for core devices, etc...

chuq · Wed Dec 20, 2023 5:44 pm

extended logging for scripts etc, with ability to specify the topic
like this

/log/write topic=script,info message="Doing fine!"

and to create a user defined topic

/system/logging/add topics=my-scripts action=memory

chuq · Wed Dec 20, 2023 10:26 pm

script errors (syntax, runtime) must be notified somehow
with a log message I suppose

infabo · Mon Jan 15, 2024 3:22 pm

Winbox: I am requesting automatic window tiling like done in linux tiling window managers. Not as feature blown but at least some control over the window-sizes and the split mode (horizontal/vertical).

I am disgusted by the floating alignment of the windows as it is now. I am aligning and resizing windows so I am fine with it. But want to add another window? Hell no. Resizing again. It is a real pita.

rextended · Mon Jan 15, 2024 3:30 pm

Use session / windows layout:
viewtopic.php?t=203402

anav · Mon Jan 15, 2024 3:50 pm

Busy cat this morning, check emails ;-P
When you do perhaps give me a hint on how to use sessions windows or why it would be good for me.

rextended · Mon Jan 15, 2024 4:01 pm

(done)

give me a hint on how to use sessions windows or why it would be good for me.

Just for memorize windows positions, colum size, colum order, filed present on colums and tab open...

sadjoe · Wed Jan 17, 2024 11:15 am

@normis please check

viewtopic.php?p=1049302

infabo · Wed Jan 17, 2024 12:09 pm

Use session / windows layout:
viewtopic.php?t=203402

Yes, but I still have to fiddle around with sizing the windows inside winbox. "Right-click -> auto-layout windows" I am aiming for.

pe1chl · Wed Jan 17, 2024 3:33 pm

Well, I would not know how it could meaningfully auto-layout different windows with a so much varying content and optimal size...
For a window with "IP addresses" or many other similar windows you can use a tiny window. For something like routes or firewall you need a much larger window.
And, I always put "log" as a full-size window as a backdrop of all other windows, so that I can keep an eye on what is being logged.

sadjoe · Tue Jan 23, 2024 1:16 pm

It would be great if this is implemented.

viewtopic.php?p=1050972

Fri Jan 26, 2024 10:54 pm

Feature requests - CHR on Bare Metal for faster Network throughput

Note: This topic is about achieving very fast network/Ethernet throughput ( as in 10-Gig and faster network routing throughput)

I would like to see a CHR that can be installed on a Bare Metal server.
Here is my reasoning and justification why I would like to see a CHR that can be installed on a Bare Metal server.

Mikrotik's CHR ROS runs on a Hypervisor ( such as VmWare or ... ). This is a 64-Bit operating system and also does not have the ability to be directly installed on a Bare Metal computer/server
thus:
- CHR , does not run on Bare Metal
- CHR , no install ISO ( or any procedure ) to install CHR on a Bare Metal computer
- CHR , can be installed as a 64-bit operating system in many Hypervisor environments

Mikrotik's x86 ROS can be installed on most Bare Metal computers and under most Hypervisor environments. However, x86 ROS is a 32-Bit operating system.

-
When a virtual CHR sends an Ethernet packet out through the virtual Ethernet interface, the packet is first delivered to the Hypervisor virtual vSwitch , which will always require at least one ( 1 ) physical CPU clock-cycle - thus so far , the packet has not actually been sent to anything yet.
Now that the hypervisor's vSwitch has the packet , the hypervisor will always require at least one ( 1 ) physical CPU clock cycle to send the packet out through the physical network interface card.
* So far , we have consumed at least two ( 2 ) CPU clock cycles or more to get the packet from the CHR out on the physical network switches.
if the packet is destined for another CHR on another different hypervisor , then there is at least one ( 1 ) CPU clock cycle to get the paket from the physical Ethernet interface and place the inbound packet on the vSwitch , and one ( 1 ) more CPU clock cycle to move the packet from the vSwitch to the CHR.
The effective throughput result is that when a CHR is sending or receiving packets out or in through physical network interfaces, we are running at half CPU speed. Thus , it is almost impossible for a CHR to achieve sustained network speeds of 6-Gig or faster ... because of the hypervisor CPU clock cycle overhead to transfer packets.
Depending on the physical CPU processor GHz clock speeds that the hypervisor is running on , it is easily possible to have a wall of 6-Gig or 8-Gig that the CHR is limited to in throughput. This wall is there because of hypervisor CPU clock cycle overhead when moving packets. Even if you have 100-Gig physical network cards on the hypervisor , the packet transfer throughput wall is still there. ((( And - there is also the CPU consuming clock cycle resources of the hypervisor which may also be slowing down the CHR throughput - because the hypervisor is also doing other things at the same time)))

ROS x86 32-Bit does not have this hypervisor CPU overhead when installed on a bare metal box. However, this is a 32-Bit ROS router and may not have enough RAM memory for large RAM needs such as multiple BGP tables and multiple OSPF tables and/or other RAM consuming things such as firewall rules and large address-list tables.

I think CHR might support SR-IOV interfaces ( which should eliminate the hypervisor CPU clock cycle overhead) , but I do not know if a SR-IOV driver is in the CHR ROS software. Also , not all hypervisors and network cards and BIOS configurations have SR-IOV support.

If Mikrotik were to support a CHR install on a bare metal install, the packet throughput should be possibly double the speed or more.

To backup my claim of packet speeds and hypervisor CPU clock speed overhead, there is a VyOS open-source router that can be installed on bare metal and also has SR-IOv support. There are many reports of VyOS router installs sustaining 40-Gig and much faster (nearly up to 100-Gig) network transfer speeds.

My ISP network CHRs are hitting that wall. I am currently upgrading my physical servers and switches to 100-Gig. I am also upgrading my four BGP Internet feeds to 100-Gig. My current CHRs can sustain 6-Gig but it's impossible to layer-3 route faster than 10-Gig.

So , I ask ... Would Mikrotik please consider creating a CHR platform that can be installed on bare metal - and have drivers for 40-Gig, 100-Gig, 200-Gig and 400-Gig network cards -and- also include support for SR-IOV network interfaces?

If the future of CHR will not include bare metal install features, then I will be forced to migrate my layer-3 CHR routers to something else.

North Idaho Tom Jones

pe1chl · Sat Jan 27, 2024 10:49 am

The problem with that idea is that for every network card some user has, and for every new network card on the market, the whining about "can you please include the driver for my card??" will begin. And not only for network cards, but also for all other hardware in the system (disk devices etc).
We have already seen that in the x86 release...
Running CHR on a Hypervisor neatly separates the RouterOS from the hardware at hand.
And SR-IOV is indeed supported.

Larsa · Sat Jan 27, 2024 11:10 am

As I mentioned in another comment, in terms of CHR performance using today's modern drivers supporting DirectIO/DirectPath/SR-IOV, it's as fast as bare metal and the overhead of the supervisor is barely measurable. A properly configured virtual system can easly push many hundreds of gigabits without significant CPU load.

IMO, one of the major advantages of CHR is that the platform becomes hardware-agnostic and enables live migration including network sessions to new hardware without any downtime (aka Hyper-V/vSphere live migration). It's a perfect fit for data center solutions like virtual BNG's etc I might add.

Thus from a purely operational and production perspective, CHR has almost nothing but advantages.

EDIT:
Forgot to mention that CHR is in no way dependent on or related to DirectIO/DirectPath/SR-IOV.

Instead, these features are managed by the host virtual machine and implemented through the network card's drivers, and they are available from most manufacturers for mid-end to high-performance solutions (though I've seen support for cheaper NICs nowadays).

Jotne · Sat Jan 27, 2024 12:38 pm

I am still waiting for RouterOS logging in RFC 5424 standard. Requested this for more than 5 years???
viewtopic.php?t=124291

emunt6 · Sun Jan 28, 2024 12:57 am

So , I ask ... Would Mikrotik please consider creating a CHR platform that can be installed on bare metal - and have drivers for 40-Gig, 100-Gig, 200-Gig and 400-Gig network cards -and- also include support for SR-IOV network interfaces?

Let me explain, you start digging by hand you hit a rock, you get "new shovel", but you stuck again, cant pass through - you asking what improvements needed on the "new-shovel" to break the rocks - the answer is simpe: You can't - you need heavy-duty equipment for that job

CPU PCI-E lanes can't handle/sustain that speed - other factors will be problem too ( example: LATENCY ).
The ASR9K/NCS series can do that kind of job.

jp · Sun Jan 28, 2024 11:23 pm

It could be handy to have a VLAN setup script just like the DHCP server setup script...

Was reviewing the different ways of doing common VLAN setups on mikrotik router+switch hardware. It seems to differ based on the switch chips, etc..

e.g..

/int/vlan/setup
what is the VLAN ID you'd like to use? (1-4095)
5
what interface(s) should be tagged with vlan 5? /* tab completion would be welcome */
spfplus1
what interfaces(s) should be vlan5 without tags?
ether2, ether3, ether4
/* perhaps display a humanreadable summary and press enter to complete or control-c to cancel */

pe1chl · Mon Jan 29, 2024 11:19 am

RouterOS is not for the users that require wizards for everything...

infabo · Mon Jan 29, 2024 11:36 am

Could be added to QuickSet

gigabyte091 · Mon Jan 29, 2024 11:53 am

You can forget about that... Quickset is not good for simple things, let alone VLANs that are whole different story on Mikrotik.

Larsa · Mon Jan 29, 2024 2:06 pm

CPU PCI-E lanes can't handle/sustain that speed - other factors will be problem too ( example: LATENCY ). The ASR9K/NCS series can do that kind of job.

ASR9x and similar models nowadays act more like "regular" linux blade servers with Cisco Linux (IOS XR). Blade cards mainly utilize standard buses including PCIe as interconnects. FPGA/ASIC switch fabric cards used for backplane intercomms currently yield approximately 230 Gbps per fabric with up to seven per backplane, totaling 1.6 Tbit/s.

Current PCIe 6 has a latency of a few nanoseconds and a transfer rate of approx 60 Gbit/s per lane. An internal fabric interface card using standard 16 lines provides about 960 Gbit/s and a blade card using 4 buses 3.8 Tbit/s. Even an old server from 2010 using PCIe 3 and a Xeon CPU can achieve over 200 Gbit/s line speed using a single bus.

CXL (explained) enhances the standardization with faster and broader utilization of interconnects based on PCIe for example within and between interfaces, backplanes, and servers.

Modern drivers with no-copy support operate solely with pointers to network data through DMA, meaning that the CPU only initiates the communication.

For standard systems, network cards generally constitute the main bottleneck.

Amm0 · Mon Jan 29, 2024 2:29 pm

RouterOS is not for the users that require wizards for everything...

That may be true. But request is not far off from /ip/dhcp-server/setup which does prompting (and supports <tab>). So doing a /interface/vlan/add, /ip/address/add then /ip/dhcp-server/setup gets you a working VLAN in three steps (outside port assignment, and firewall which may solved with a another step by adding it to the LAN interface-list).

Bigger issue WRT VLANs is the port assignment – that's wouldn't be helped by a wizard. Better UI is what's needed there.

You can forget about that... Quickset is not good for simple things, let alone VLANs that are whole different story on Mikrotik.

QuickSet could be improved. But the default configuration could just include "vlan-filtering=yes" as a default, so a router be "VLAN Ready™". It doesn't break normal case & safe to set if done as part of initial boot.

pe1chl · Mon Jan 29, 2024 2:38 pm

Probably instead of adding even more of these "QuickSet" and "setup" hacks it would be better to develop a newbie-friendly GUI tool that allows configuration of the router in the same way as modern consumer routers are configured (wizards, task-oriented screens) and configures the router accordingly via API/WINBOX. With the express warning that once you configure the router directly, that tool can no longer be used.
(preferably also with some real guard against that, which should also be added to QuickSet itself)

miller443 · Mon Jan 29, 2024 7:25 pm

If the router does not have a public IP address (4G connection), all traffic is routed through MikroTik servers, right?

gigabyte091 · Mon Jan 29, 2024 7:27 pm

Great idea, especially for routers that targets home users. I mean you have Mikrotik Home app and BTH app and those are nicely designed and user friendly.

Mikrotik should make RouterOS lite, just for home lineup of routers IMHO. And if you want you can netinstall full version. It's just the matter of licensing in that case.

pe1chl · Mon Jan 29, 2024 8:06 pm

It would not require a different RouterOS do do that, just an application that has many wizards and knowledge of the hardware (how many ports, what are they called, what kind of WiFi, etc). The application asks the users what he wants to have, and sends the correct configuration commands to the router.
Once you make changes outside that application, you are on your own.

This is basically how Cisco did it on their IOS routers.

gigabyte091 · Mon Jan 29, 2024 8:38 pm

I never really saw Cisco GUI, last time i had interaction with Cisco was in high school 11 years ago and that was through CLI.

What I meant when I said that Mikrotik should consider RouterOS lite is that they should maybe create stripped down version without for e.g all that routing protocols that home user will never use. So leave functions that home user will use (VLANs, VPN and so on) and create nice GUI and maybe cloud management app like ubiquiti and TP - Link for eg.

Also I would like to see PPSK.

pe1chl · Tue Jan 30, 2024 11:47 am

I never really saw Cisco GUI, last time i had interaction with Cisco was in high school 11 years ago and that was through CLI.

I don't know how it works today, but in the past we had Cisco routers and at some point a new router came with a package
that could be used to configure it. Written in Java to be executed inside your browser. It presented a web page with some
use cases and parameter fields similar to QuickSet, but if I remember well there also was a little more advanced configuration.
It resembled the UI of a consumer NAT router.
As I did not require this I de-installed it and used CLI, which is what all our other routers had and for which I already had a
configuration file (where only IP addresses had to be changed).
MikroTik (or an independent developer!) could write such a thing and cover the most frequent use cases in it.
The unfortunate thing is that once you require one single feature that is not covered by that program, and you start changing
things on the router itself, it then becomes unreliable to change other things via the GUI program. Same as with QuickSet.
So it better be very advanced and cover almost everything. A lot of work to make.

Kedare · Tue Jan 30, 2024 2:26 pm

I never really saw Cisco GUI, last time i had interaction with Cisco was in high school 11 years ago and that was through CLI.
I don't know how it works today, but in the past we had Cisco routers and at some point a new router came with a package
that could be used to configure it. Written in Java to be executed inside your browser. It presented a web page with some
use cases and parameter fields similar to QuickSet, but if I remember well there also was a little more advanced configuration.
It resembled the UI of a consumer NAT router.

Omg not this one. Cisco Configuration Professional.

That .hta file that would start a tomcat via an ActiveX component then show a Flash/Flex applet that will itself also embed a Java Applet. WHY would you do that.

pe1chl · Tue Jan 30, 2024 4:49 pm

Yeah, the implementation was sort of sub-optimal, and it would no longer work today.
But the idea in itself is apparently what a lot of people want: manage the router at "application" or "task" level, not at "VLAN config" or "firewall rule" level.
When there is demand for that, someone could write it and maybe make some money.
(although it is doubtful that people would want to pay money to overcome their lack of RouterOS knowledge, so probably that would have to work via in-app advertisement)

Amm0 · Tue Jan 30, 2024 5:31 pm

Omg not this one. Cisco Configuration Professional. That .hta file that would start a tomcat via an ActiveX component then show a Flash/Flex applet that will itself also embed a Java Applet. WHY would you do that.

And I must be old... because I recall cisco IOS's "ip http server" being a rather limited, style-less UI in times roman font that let you get a config or type a command using old-school HTML forms.

The original feature request that prompt this discussion was a "wizard for VLANs". Given VLANs are both pretty "popular" & non-trivial to setup – seem reasonable request. IMO, "wizards" belong in the smartphone apps.

But do think some visual "VLAN configurator" be handy to both newbies and pros. e.g. It's a lot of config-reading to know if VLAN are configured as expected.

pe1chl · Tue Jan 30, 2024 5:59 pm

VLAN configuration is tricky in many different products. Often there is no good overview of what you are doing.
It can be done VLAN-centric (you define VLANs and specify which ports are tagged members and which are untagged members) or it can be done port-centric (for each port you can set which VLANs it has tagged and which VLAN it has untagged).
And then you can do it MikroTik-way, which is a mix of these two, and very confusing. That PVID setting has to go, and should be put in the VLAN untagged member list only.
But MikroTik is not the only supplier that does that... in my Netgear switch at home (GS108T2) it is done the same way and even worse: you need to set BOTH the PVID and the untagged VLAN. At least in RouterOS setting the PVID automatically sets the untagged VLAN (which I discovered only much later).
This mixed config allows the "flexibility" of having different config in upstream and downstream direction, but I would not know a valid use-case for that.

Tue Jan 30, 2024 7:56 pm

VLAN configuration is tricky in many different products. Often there is no good overview of what you are doing.
It can be done VLAN-centric (you define VLANs and specify which ports are tagged members and which are untagged members) or it can be done port-centric (for each port you can set which VLANs it has tagged and which VLAN it has untagged).
And then you can do it MikroTik-way, which is a mix of these two, and very confusing. That PVID setting has to go, and should be put in the VLAN untagged member list only.
But MikroTik is not the only supplier that does that... in my Netgear switch at home (GS108T2) it is done the same way and even worse: you need to set BOTH the PVID and the untagged VLAN. At least in RouterOS setting the PVID automatically sets the untagged VLAN (which I discovered only much later).
This mixed config allows the "flexibility" of having different config in upstream and downstream direction, but I would not know a valid use-case for that.

Re: ... and very confusing ...
IMO - I agree , extremely confusing - - - and not the same configuration procedures across all Mikrotik past and present products.
IMO - I would like to see all Vlan and switching features and functions completely removed from ROS - and replaced with a SwOS package that is part of ROS. Then instead of a Mikrotik ROS software product and also a Mikrotik SwOS product , to just have one ROS software system with built-in SwOS. Then , if you have any Mikrotik product with a newer ROS release ( with built-in SwOS ), all routing functions and all Vlan configurations and all switching functions could then be all configured one common procedure. AKA - make it KISS ( Keep It Simple Stupid -- and the same across all Mikrotik products ).

well - that's my opinion.

spippan · Tue Jan 30, 2024 9:29 pm

If the router does not have a public IP address (4G connection), all traffic is routed through MikroTik servers, right?

no. why would you think that?

jp · Thu Feb 01, 2024 1:10 am

But do think some visual "VLAN configurator" be handy to both newbies and pros. e.g. It's a lot of config-reading to know if VLAN are configured as expected.

More than I suggested, but that would be a game changer way to go!

I might be showing my age.... The Cisco 2501 CLI had an awful little wizard to set things up if you did not choose "conf t"

The very easiest hardware to do VLANs with is the old HP Procurve managed switches... 4000m, 2524, 2848, 5300 series...
Rows were ports. Columns were VLANs. play battleship. Every switch worked the same. You could use their text interface like this, or use the CLI which was formatted in the way the text configuration is written.

Every switch's web interface since has not matched the HP text interface.

We eventually moved more to Mikrotik for power savings, as battery run time at tower sites is very important. And noisy hot switches run down battery backups quick. Now, how vlans work in mikrotik depends on which mikrotiks because they differ in cpu/switch chips. e.g.. things ideally program different for vlans between a crs124 and crs326 I think.

spippan · Thu Feb 01, 2024 3:36 am

imagine a world/dimension where there is routeros feature richness and customizability and a GUI like from that "UB.." company

jp · Fri Feb 02, 2024 8:01 pm

imagine a world/dimension where there is routeros feature richness and customizability and a GUI like from that "UB.." company

It is already more feature rich and customizable. I think the other company's GUI is good for central monitor and easy admin tasks (like updates and wireless settings), but difficult for things I might consider advanced.

hoboristi · Mon Feb 05, 2024 10:50 pm

Please make dynamic vlan assignment possible for wifi-qcom-ac wireless driver

spippan · Tue Feb 06, 2024 1:14 am

Please make dynamic vlan assignment possible for wifi-qcom-ac wireless driver

do you mean via RADIUS?

rplant · Tue Feb 06, 2024 8:27 am

Bridge-To-Bridge joiner.

To be assumed it will not be high performance.

Uses:

- Legacy PPPoE pass through (My ISP uses PPPoE...)
- Natting Mac addresses from devices to the CPU. (Multiple devices with the same Mac Address)
- mDNS and SSDP pass through in a single router.
viewtopic.php?t=194842&sid=9823878ca8fa ... 9452b2a5de
- Bridging items with different MTU's

Notes:
- An item that has 2 interfaces.
- Can (only) use the interfaces as a bridge port.
- Transparently transfers ethernet frames between interface 1 and interface 2 (bidirectional)
including any vlan tags, low level bpdu's, etc.
- Allows both ends to connect to same bridge (eg. for mDNS between 2 vlans)
- Maybe loop detect option (for when accidently join both ends to same bridge and same vlan)
- All filtering done using existing bridge filtering functionality
- Each interface gets the MTU of the bridge it is attached too.
(Don't have to be the same on each end)

pe1chl · Tue Feb 06, 2024 11:21 am

Please make dynamic vlan assignment possible for wifi-qcom-ac wireless driver
do you mean via RADIUS?

Via RADIUS or via access list. I also want to have that, I use it in the old wireless driver.

pe1chl · Tue Feb 06, 2024 11:23 am

Bridge-To-Bridge joiner.

You can do that with two local EoIP interfaces.

infabo · Tue Feb 06, 2024 7:46 pm

Wouldn't it be cool to have signal strength graph in the Wi-Fi Registration table like in Quick Set?
Having that column one can easily identify problem clients at a glance.

It would be even cooler to have the "hostname" in the wifi registration table (like it was available in the wireless registration table). But unfortunately Mikrotik seems not to be interested to add it anytime soon.

rplant · Tue Feb 06, 2024 11:52 pm

Bridge-To-Bridge joiner.
You can do that with two local EoIP interfaces.

Whenever I have tried this it never allows me to have 2 with the same tunnel ID.
Also quite a lot of overhead.

goodbye · Wed Feb 07, 2024 2:07 am

Please make dynamic vlan assignment possible for wifi-qcom-ac wireless driver

This, a trillion times, this.
Also, make the vAPs for secondary SSIDs auto-populate and map on local bridges correctly.

There really should be "configuration parity" between wifi-qcom-ac and wifi-qcom.
Configuring and managing wifi-qcom-ac CAPs is a process that's entirely too manual right now in a way that the AX-generation driver doesn't seem as bad.
CAPSMAN is supposed to mitigate the challenge of managing a growing and/or complex infrastructure, not simply "dampen" the the linear increase of time/labor a bit.

UpRunTech · Thu Feb 08, 2024 12:17 am

Bridge-To-Bridge joiner.
You can do that with two local EoIP interfaces.

You can't as the tunnel number can't be the same for 2 interfaces.

It's the same story for VLAN interfaces - it's the networking equivalent of the Pauli exclusion principle - you aren't allowed to have more than one VLAN interface with the same bridge and VLAN ID.

Mikrotik: Request - allow more than one VLAN interface to share the same bridge and VLAN ID. It will allow for some interesting modes mixing bridge filtering and routing.

<edit> Holy crap MACVLANs solves this problem! Cancel request!

rolling · Thu Feb 08, 2024 8:46 am

Hi!

I try access to link in fisrt post but it's broken.
Perhaps this has been requested before, sorry.

A printer server for share a printer connected to a USB port of devices i think it would be very useful for many users.

Regards.

jp · Thu Feb 08, 2024 4:12 pm

A printer server for share a printer connected to a USB port of devices i think it would be very useful for many users.

Regards.

The Mikrotik would be an excellent place for a print server!

I used to have to use a SSL vpn on my PC for work, and it broke local lan access which included printing I needed to do for work breaking network printing. It did allow access to my gateway IP, so that would have been ideal place for a printserver that's not affected by the PC VPN that routes everything except default gateway. Because I had a Mikrotik router, I setup a port forward to my network printer, internal accesible only, so that I could print.

A print server should be configurable to be blocked from the outside by default.

Amm0 · Thu Feb 08, 2024 4:22 pm

The Mikrotik would be an excellent place for a print server!

I don't know about that. I'd think some mDNS support be more useful, than a print server, in 2024?

pe1chl · Thu Feb 08, 2024 4:43 pm

The Mikrotik would be an excellent place for a print server!
I don't know about that. I'd think some mDNS support be more useful, than a print server, in 2024?

Indeed! This is just a general "VPN setup in the wrong way" issue. Put your VPN range in a different IP range and it all works fine.
Maybe the "automatic discovery of the printer" would be more difficult but mDNS support would improve that.