Feature requests

Wyz4k · Fri Apr 28, 2017 3:58 am

Can we get standard 802.11s support? https://wiki.mikrotik.com/wiki/Manual:I ... e/HWMPplus indicates that the HWMP+ protocol is based on 802.11s draft but is not compatible with it.

kalaposl · Fri Apr 28, 2017 1:00 pm

I would love if I could run a script as a firewall action.

doneware · Sat Apr 29, 2017 12:25 am

I would love if I could run a script as a firewall action.

this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.

macsrwe · Sat Apr 29, 2017 2:27 am

I've been waiting over five years for /system upgrade upgrade-package-source to allow specification of its password parameter on the command line instead of demanding it interactively. This one deficiency makes Flashfig entirely useless to us and makes initializing every one of our MikroTik CPEs a multi-step manual process. I've been told this is done for "security," but every other password, encryption key, secret, etc. can be set from the CLI except this one (which is a relatively minor "security" function at best), so I'm not buying that argument. How hard can this be, guys?

nordex · Sat Apr 29, 2017 8:14 pm

Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks

Wyz4k · Mon May 01, 2017 4:10 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.

You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.

Add temperature/voltage graph.
I know it is possible to add it on dude/snmp monitoring, but sometimes it's complicated, and it should not be big problem for you to add it to the existing graphing routines.
Thanks

On that note, it would be really great to have an average cpu value being displayed in the resources tab. At the moment I have to run a script periodically and try to calculate this on my own.

biatche · Mon May 01, 2017 6:07 am

request switch vlan support on RB750Gr3

doneware · Wed May 03, 2017 10:57 am

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.

there are certain "optimised" actions (like add-src/dst-to-address-list) which could have their "script" counterparts, but that doesn't mean they're the same. packet forwarding is not a thing where one want to mess with interpreted code. and running a script (executing a series of routeros commands) is actually running an interpreted code.
where i do see the quite a bit of flexibility, but it is a fundamental change how the PF code is organised. say we're just fine with a serialised code execution on a single core if it comes down to handle a flow, but that doesn't mean that cpu cycles are there to be wasted on unoptimised execution. also for me is not clear whether the script should be run in a non-blocking or blocking manner. all in all, since its just a set of interpretable code, it would be quite unpredictable whether it is to be executed parallelised or not. the result would be varying delay that could potentially affect (read: ruin) TCP throughput.

i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then its up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

i think this fulfils your requirements of "hands shall not be bound", but also provides enough safeguarding for the "not so creative/unexperienced" users, whose forwarding performance would be seriously degraded by running code based on firewall rule matches. and for the RouterOS developers its always a give-and-take situation, where to go, what to risk: provide a very versatile toolset where you can do anything, which can (and most probably will) result a thousands of trouble-tickets and sad faces when used inappropriately, or leave it to be solved by the excessive creativity of the few ones who actually do require it. they need to think in the dimensions of megapackets per seconds for a while, and "tinkering" does not fit into the scope no more. and there is a whole world outside of RouterOS, a lots of tools that may be used to contribute to its original functionality, we just need to think outside the box.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)

Wyz4k · Wed May 03, 2017 4:54 pm

I would love if I could run a script as a firewall action.
this would degrade the packet forwarding performance in an unpredictable but disastrous way.
but you can log the match with custom tags, parse logs with scheduler, and fire actions as needed.
You mean like inspecting every packet with a level 7 filter does? Sometimes it's nice having the ability to do something and then allowing the engineer to make sure that it does not get triggered excessively. Rather than not allowing the engineer to have the ability to do something he might have a need to do.
i suggested logging and parsing as a workaround, albeit it is far from perfect. but at least you'll get your messages on fw rule match in a deterministic manner, and then its up to you how those elements will be parsed and interpreted by a script or an external entity (like stuff running on syslog server) - so the desired actions could be fired.

on the example you quoted: inspecting packets as level7 filters do. my opinion on this is a bit mixed. L7 filters offer a pretty versatile approach for packet matching, but it is not intended to be used "with every single packet". there are quite well defined guidelines - presented on regular basis on MUMs by Mikrotik folks - how L7 filters are supposed to be used, or even more harsh: shall be used. and they should not be applied to every packet. because what you get is exactly the situation i described above.
https://mum.mikrotik.com/presentations/ ... 948376.pdf (slides 5 - 9)
https://mum.mikrotik.com/presentations/IT14/touw.pdf (slide 13 and on)

I don't see why it's not possible to do the same with a run script on hit rule with some guidelines as you mention exists for the L7 rules. Unfortunately not everybody reads MUM slides.

Yes, the method that you describe of using a firewall rule and logging is an option, but potentially something that can become really messy really quickly.

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.

doneware · Wed May 03, 2017 5:52 pm

You do make a good point about whether it should run in the background or block the forwarding of the packet and I would personally argue there that it should be in the background and not delay the forwarding of the packet. Doing it in the background will significantly reduce any knock-on effects on packet throughput providing that it does not get run on each packet and there are cpu cycles to spare.

seems we have to leave it to Mikrotik guys do decide which way to go

Wyz4k · Thu May 04, 2017 7:46 am

seems we have to leave it to Mikrotik guys do decide which way to go

Indupitably

Wyz4k · Wed May 10, 2017 8:11 am

Please add the ability to ping / ssh / telnet / other from the ip dhcp-server screen in winbox. This is already offered from the wireless registration page.

Any chance we could get the ability to form simple socket connections / ssh from the router in a script? Currently it's really one sided in that it's possible to connect to the router, but not possible for the router to automatically connect to other things.

makstex · Thu May 11, 2017 7:25 am

Please add compression for the OpenVPN client.

Wyz4k · Thu May 11, 2017 9:16 am

Could we get a proper AT command + reply interface?

Sending down AT commands in the info string and then having them randomly overwrite some output as a response is far from ideal.

On that same topic, it would be great if the /interface ppp-client info section can be rewritten to go away and read all the data and then come back with the data instead of having to be polled repeatedly hoping to get all the data after x polls.

felipelinkmais · Thu May 11, 2017 4:34 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!

teddyhsu · Fri May 12, 2017 2:25 pm

I hope I can create a counter only supout file, that only take process information and count connections and users.

When my routerboard have more then 100K connections and 2000 users, making supout file will take more 2 hours and bigger then 1GB.
The heavy loading reboot is very hard to debug.

Wyz4k · Sat May 13, 2017 3:38 pm

I would like to request the required changes in order to allow 3G/LTE signal strength to be monitored on a continual basis without interrupting the signal - see https://forum.sierrawireless.com/viewto ... 108#p41108

Mon May 15, 2017 12:20 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!

this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...

macsrwe · Tue May 16, 2017 10:11 pm

/ip firewall address-list has a creation-time field that is read only, although it appears in the add box. It would be quite handy if that were writeable at add time, such that the entry would take effect at whatever date and time is entered. This would allow us to schedule changes in account behavior at a future date without having to be sure to log in on that date to make it happen.

SiB · Wed May 17, 2017 10:14 am

Now I must create the same few rules in FILTER ICON again and again in many place of WinBox (I use AutoIt to do it like workaround)
PLEASE ADD the SAVE option for filtering rules.
I will be creating prifile filters like, dhcp with dynamic only, Arp static only, Contrack show network1, conntrack show net2 - You gotta idea. Open filters and select own save before filters rules - perfect.

CsXen · Wed May 17, 2017 11:19 am

Hi.
I know, that Mikrotik dropped the mipsle platform support... I know... but..
Please, backport two fantastic changes to mipsle, specifically to RB532.
1. WPS client mode.
2. EAP-PEAP-MSCHAPv2

Please, make a "routeros-mipsle-6.32.5" package with these features to make our old routers happier.

Thanks and best regards: CsXen

Vooray · Tue May 23, 2017 10:39 am

Please, add /31 mask on p2p support (rfc3021).

freemannnn · Mon May 29, 2017 3:12 pm

it would be nice in capsman interfaces tab a column with how many devices are connected per cap.

Murmaider · Mon May 29, 2017 8:46 pm

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers.
It is important to know what is going on with your network, and with the AS included a lot of things can be done.
Thanks!!
this is one of the most highly requested features. It has been promised for the next major release of RouterOS. No ETA...

+1 for this, it makes the current traffic flow implementation 99% complete. It's that 1% we all need to make it useful to anyone using BGP.

5nik · Thu Jun 01, 2017 12:58 pm

Please add support for DHCPInform for PPP link. It is usefull for Windows VPN clients (push additional info such as domain name, classless routes etc.). Now I must redirect DHCPInform request from PPP to external DHCP server.

Pilson · Fri Jun 02, 2017 9:40 pm

Please add support for setup l2tp client source portselection - set port by maunal, or set random port. Something like /interface l2tp-client set l2tp-out1 src-port=port_number, or src-port=random. It would be a very useful feature, especially if multiple l2tp clients + ipsec establishes connections from local network via one NAT address.
Thanks.

aacable · Sat Jun 10, 2017 8:35 am

'Unmetered Content' / to bypass local servers from radius accounting.

maznu · Sun Jun 11, 2017 1:45 am

You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:

Screen Shot 2017-06-10 at 23.44.39.png

craterman · Sun Jun 11, 2017 11:07 am

Please add:
- Incremental SPF
- IP FRR (RFC5714) and microloops (RFC5715)
- LFA (RFC5286) & Remote LFA (RFC7490)

And it would be really great if you add:
- RSVP FRR (RFC4090)
- MRT (RFC7812)

Sob · Sun Jun 11, 2017 7:13 pm

About the WireGuard idea, are you a time traveller writing to us from future?

I almost got excited, but at present time, things don't look so bright yet:

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

So I think I'll stick with wanting better OpenVPN for a while, at least until this happens:

After version 1 is finalized, an RFC will be written and standardized.

maznu · Sun Jun 11, 2017 7:23 pm

About the WireGuard idea, are you a time traveller writing to us from future? :)

Spoiler alert: Trump gets impeached!

…but I'm not going to reveal which one is released first: WireGuard v1.0 and RouterOS v7.0 :)

drivebydex · Wed Jun 14, 2017 11:53 pm

Please add in capsman registration table "active host name" and "active address"! THX

ajack46 · Thu Jun 22, 2017 3:51 pm

Providing Compression for the OpenVPN client, would be something i would wish for.

biatche · Sat Jul 01, 2017 10:45 am

1. add /ip route check-gateway-ping-interval
2. ability to customize fasttrack rules a little bit. more dual wan friendly. right now i cannot figure out a way to have fasttrack with both ipsec and multi wan, although it does appear possible if its just one extra feature.

th0massin0 · Sat Jul 01, 2017 4:34 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.

biatche · Sat Jul 01, 2017 9:59 pm

1. +1!
2. If your dual wan setup depends on mangle be aware of: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.

i made some workarounds to make fasttrack+ipsec+dualwan all work together..but i really wish they'd come up with something better

biatche · Sat Jul 01, 2017 10:01 pm

/tool fetch keep-result (yes | no; Default: yes) If yes, creates an input file.

rename this to save-tofile or something.... from what i am seeing, keep-result appears to save the output to disk. or is it input? i've no idea anymore.

MT could possibly hire an englishman to straighten the terms out.

th0massin0 · Mon Jul 03, 2017 1:22 am

Could you please describe how did you worked out port forwarding in dual wan environment with fasttrack?

platitude · Tue Jul 04, 2017 11:59 pm

DNSCrypt feature request topic has been started in 2012! Your customers waiting it about 5 years and still no support from you. Looks like you are not interested in customer's data privacy at all. Now open your eyes, read the message and satisfy us.

biatche · Sun Jul 09, 2017 2:42 am

add tool: tcp/udp open port tester.

pe1chl · Sun Jul 09, 2017 12:34 pm

Feature request: move all configuration related to one physical interface to another.
E.g. you have a router with two hardware switches or with ports inside/outside switch.
You have configured e.g. ether8 which is on switch2 with all kinds of options (address, dhcp server, firewall config, etc)
and you decide it would be better to move all this to ether4 which is on switch1, e.g. because you want to free up a port
that is on switch2, to do hardware switching to the other ports on that switch. It would be convenient when this could
be done with a single command, just like an interface can be renamed with a single command and it is reflected everywhere
in the config. After issuing that command and plugging the cable from port 8 to port 4, all functionality would remain the same.
For practical purposes (what would happen to the config that was on port 4), maybe the easiest implementation would
be in the form of "swap interface configurations" What was on ether4 will be on ether8 and vice-versa.

msatter · Sun Jul 09, 2017 2:21 pm

When adding an adress in large adress-list is a PITA when an address already exits. The the script is stopped an you can work with on-error to seek sequential through the list use set to update it timeout on the dynamic address. This takes ages when you have to seek each time.

On the moment you get collision it would be a pleasure to be able to directly use set on that entry to set the expire time in the on-error.

cental63 · Sun Jul 09, 2017 6:22 pm

I find that Userman is a really good choice to build a hotspot service for a company, but i think, as installer, that there is something missing, few things like embedded sms verification (and not the script), and the one that i found more interesting, make the userman database readable (just think about a company with a newsletter). All could be added to make userman like a serious radius server (chr would allows more performance for anought clients). more competitive !
Thats all

Regards from an Italian user

schadom · Sun Jul 09, 2017 7:56 pm

Please add the 'Comments' column and the 'Add/Edit Comment Button' which is currently missing in WinBox 3.11 under

Routing =>BGP => Networks
Routing => BGP => Aggregates

Interestingly it is available in Routing => OSPF => Networks, but missing in all of the other tabs
While I personally prefer the CLI for configuration, WinBox is nice to get a quick overview.

Thanks

Wyz4k · Thu Aug 10, 2017 1:39 pm

Please add SMB support to the fetch tool or the ability to limit FTP accounts to specific folders to the FTP server. The SMB server is considerably more advanced than the FTP server on Mikrotik and makes it easier to limit clients to a specific folder.

pe1chl · Fri Aug 11, 2017 12:16 pm

/queue tree elements can now only match on "packet marks", when multiple packet marks are specified they are OR'ed.

Please add the capability to also match on the "packet priority" field, and make it an AND match with the packet marks.
(so if a queue tree element is specified with both packet marks and a priority, it will only be used when one of the specified packet
marks is present AND the priority field of the packet is as specified)

Alternatively, introduce the option of doing an AND match on packet marks. It is already possible (although cumbersome)
to add packet marks based on the packet priority field.

dgrenetz · Wed Sep 13, 2017 2:31 am

We are deploying Mikrotik virtual appliances to centralize and replace several disparate VPN solutions. We need a way to hand out our domain suffix to VPN clients so they won't have to use Netbios broadcast to resolve names. Currently, without domain suffix setting, accessing hosts by hostname takes about 5 seconds longer than it does on our existing legacy VPN solutions. I Googled the issue and see people complaining about this all the way back to 2010. However I do not see it anywhere in this Feature Request thread. Longstanding issue - please help!!
David

diasem · Tue Sep 19, 2017 1:22 am

Normis add /31 address for PTP links.

Chupaka · Tue Sep 19, 2017 10:23 am

Normis add /31 address for PTP links.

/ip address add interface=ether1 address=192.0.2.2/32 network=192.0.2.3

vytuz · Tue Sep 19, 2017 3:09 pm

Do You maybe have in plans to make more detailed user group list? Different user access to i.e. wireless, firewall filter, nat rules, ip addresses, dhcp and etc. I imagine it may be hard to add databases and additional cunfiguration to every configuration field. Maybe any possibility to add at least additional wireless user option. Clients sometimes wants to change wifi name, password, but we do not want to allow to change other options with given password.

nelfou · Fri Sep 22, 2017 1:07 pm

Being able to customize the hAP WPS button behavior, like having it trigger a script.
(our use case would be to easily turn the Wi-Fi on/off)

Vooray · Sat Sep 23, 2017 8:42 pm

Hey, Mikrotik team!

Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

Chupaka · Mon Sep 25, 2017 11:01 am

It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

... and routing table/vrf

OnixJonix · Tue Sep 26, 2017 12:37 pm

Make Address List from DHCP lease table!!
For example - select multiple LEASE entries and put them in address list (then you can use for firewall)!! Something like in wirelless - you can add entries from registration table to access list!!
Thansk!

Tue Sep 26, 2017 1:53 pm

Lease script doesn't work for you in this case?

Chupaka · Tue Sep 26, 2017 3:59 pm

Looks like he needs it in WinBox (one-time context menu like 'Make static' or something)

By the way, if your leases are static, you can just set 'Address List' for them

bajodel · Wed Sep 27, 2017 12:41 am

Hey, Mikrotik team!
Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

..and the possibility to set source address (e.g. remote ipsec hosts)

Wed Sep 27, 2017 1:46 am

Hey, Mikrotik team!

Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.

Netwatch can trigger a script.

Example - my netwatch:

/tool netwatch
add comment="Watch Dog" down-script="log info \"Netwatch missed a ping to 192.0.2.254 - starting 5 minute timeout script\" ; /system script run NetWatchBoot-192.0.2.254" host=192.0.2.254 timeout=1s500ms

Example - My script called by netwatch:
/system script
add name=NetWatchBoot-192.0.2.254 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local addresstoping 192.0.2.254;
:local addresstoping 192.0.2.254;
:local interface "wlan1";
#
:local continue true;
:local counter 0;
:local maxcounter 28;
:local sleepseconds 10;
:local goodpings 0;
:log error "-----> Tom's Netwatch-Script-Warning - Netwatch could not ping $addresstoping - Will begin further testing in $sleepseconds seconds - and will continue for $maxcounter times $sleepseconds seconds";
:while ($continue) do={
:set counter ($counter + 1);
:delay $sleepseconds;
:if ([/ping $addresstoping interval=1 count=1] =0) do={
:log info "----->ping to $addresstoping failed on attempt $counter of $maxcounter -- Will try again in $sleepseconds seconds";
} else {
:log warning "-----> ping success on to $addresstoping attempt $counter of $maxcounter <----- No Further testing needed --- Program will exit -----";
:set continue false;
:set goodpings ($goodpings +1);
/interface wireless monitor $interface once without-paging do={
:local status $"status";
:local band $"band";
:local freq $"frequency";
:local wprotocol $"wireless-protocol";
:local noise $"noise-floor";
:local signal $"signal-strength";
:local snr $"signal-to-noise";
:local thruput $"p-throughput";
:log info "-----> Status: $status --- Band: $band --- Frequency: $frequency --- WProtocol: $wprotocol --- NoiseFloor: $noise";
:log info "-----> Optional Info if Available ---> SignalStrength: $signal --- SNR: $signal --- PThroughput: $throughput";
/interface wireless monitor $interface once
:local txr $"tx-rate";
:local rxr $"rx-rate";
:local sstr $"signal-strength";
:local signoise $"signal-to-noise";
:local curdistance $"current-distance";
:local txccq $"tx-ccq";
:local rxccq $"rx-ccq";
:log info "-----> TxRate: $txr --- RxRate: $rxr --- SignalStreng: $sstr --- SignalToNoise: $signoise --- CurrentDistance: $curdistance --- TxCcq: $txccq --- RxCcq: $rxccq";
};
}
:if ($counter=$maxcounter) do={:set continue false;}
}
:if ($"goodpings" = 0 ) do={
:log info "-----> Rebooting in 15 seconds";
:delay 5;
/file print file=ScriptRebootReason
/file set ScriptRebootReason.txt contents="Rebooted by Toms script on $[/system clock get date] at $[/system clock get time]"
:log error "-----> Rebooting in 10 seconds";
:delay 5;
:log error "-----> Rebooting in 5 seconds";
:delay 5;
:log error "-----> Rebooting now";
:delay 1;
/system reboot
/system reboot
/system reboot
/system reboot
}

With the above - a netwatch ping failure will trigger my script "NetWatchBoot-192.0.2.254"
The script will retry the ping for (:local maxcounter 28) 28 times
While pausing (:local sleepseconds 10;) 10 seconds between pings

If the script gets a ping response, the script aborts - and make a log.
If the script loops through the count-down and does not get a ping, the script will reboot the Mikrotik - and make a file named ScriptRebootReason just prior to the reboot.

I am sure this netwatch & script procedure could be modified to do many things you may want when netwatch triggers.

In my case, I have this netwatch & script on all of my Mikrotik client devices and all of my internal core network Mikrotik devices. The IP address 192.0.2.254 is an RFC IP address and is OK to use for in-house (non-external-Internet-Routed). If I want to reboot every Mikrotik everywhere on my network, all I need to do is disable the 192.0.2.254 device a few minutes. Presto - everything everywhere will auto-reboot. This is good for keeping Mikrotiks on-line when the network might have a problem.

North Idaho Tom Jones

Wed Sep 27, 2017 1:57 am

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible cryto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.

Wed Sep 27, 2017 10:31 am

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible cryto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.

+1

anv · Mon Oct 16, 2017 3:23 pm

Routeros openvpn server needs a way to push routes to the clients.

CsXen · Sat Oct 21, 2017 6:51 pm

Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find then faster with an eyeblick.

(I think, ANSI colors would be enough, but more color, more fun.)

An please, put a "find" option to log.

Best regards: Xen

WreckLoose · Tue Oct 24, 2017 11:25 pm

Yes, I think that a great feature would be greater support for Intel network interfaces. Most notably the I218 stuff. I would love top be able to run RouterOS in the Intel NUC.

Wed Oct 25, 2017 6:48 pm

Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find then faster with an eyeblick.
(I think, ANSI colors would be enough, but more color, more fun.)

An please, put a "find" option to log.

Best regards: Xen

It might be nice to have an option for color in the logs.
There is a work-around that I use which gives me three colors in my logs.

In your script that writes to the logs (or at the CLI prompt) you can use this:

log error "This is a log error --- RED"
log info "This is a log info --- BLACK"
log warning "This is a log warning --- Blue"

With the above 3 lines, you will see this in your logs:

This is a log error --- RED
This is a log info --- BLACK
This is a log warning --- Blue

North Idaho Tom Jones

gorec2005 · Fri Nov 03, 2017 6:43 am

Add please shadowsocks server & client ?

safiullahtariq · Sun Nov 26, 2017 2:30 pm

Can you please add a feature in which Hotspot doesn't account the local traffic, or to a specific subnet?

kometchtech · Fri Dec 01, 2017 4:15 pm

Despite being asked before in the past.
It seems that implementation of Wireguard is planned for the future Kernel.

https://www.phoronix.com/scan.php?page= ... d-Features

I would like you to consider implementing this function which has high encryption strength and excellent performance.
It seems that correspondence to several distributions is progressing as well.

Florian · Tue Dec 19, 2017 2:23 pm

I know it's not ready yet, but +1 on Wireguard.

You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?

How about instead we look to the future: WireGuard https://www.wireguard.io

Clients for every major OS, modern cryptography, and the performance looks pretty amazing:

Screen Shot 2017-06-10 at 23.44.39.png

pe1chl · Tue Dec 19, 2017 2:36 pm

When you read "it is planned in a future Linux kernel" you know it is not going to happen in RouterOS 6.x and probably not in 7.x either (because a kernel version probably has been decided on).
So, you can put it on the wishlist for RouterOS 8.x

Florian · Tue Dec 19, 2017 2:39 pm

I guess so, but, It's to show the devs my (or "ours") interest in this, if they can find a way to implement it, some people would be very happy.

lavv17 · Mon Dec 25, 2017 2:59 pm

I'd like to have a setting to change ppp aaa order: radius first, then local. The default is now local first.

ege · Tue Dec 26, 2017 6:52 pm

SSL Bump feature for webproxy like Squid-in-the-middle.
Thanks

eccles · Thu Dec 28, 2017 2:10 am

We really need two options which are normally provided with OpenVPN on most Routers:

a) LZO Compression - I suspect that this might be an issue if the CPU doesn't natively support it

b) UDP - We can achieve faster transmission (with less bandwidth) by using UDP instead of TCP. UDP is an OpenVPN option provided on all other routers that I have worked with. Our protocol incorporates all of the required checking to ensure reliable delivery so the additional overhead of TCP isn't required or justified.

The reason is that we are using the wapLTE device at remote sites with 4-G transmission of datalogging records to a central site. Bandwidth is expensive (we pay by the MB/GB). We have done what we can by reducing transmissions to one per day, etc. but with the increasing number of remote sites the cost of traffic is becoming a real issue. It seems that the local ISPs are wanting to capitalise on IoT device traffic, but in any case cellular data transfer is very expensive here.

Eric

pamribeirox · Thu Dec 28, 2017 1:37 pm

It should be very simple to add support for selecting the bits of the IPv6 RA that announce if the router have "High", "Medium" or "Low" preference for being selected as a default router for the terminals in the segment. (RFC4191 2.1 Preference values)
I know VRRP could be used for that, but I think this clean and native solution is better for IPv6 first hop redundancy.
As an example, Cisco does it with the command "ipv6 nd router-preference [High|Low|Medium]" at interface level.
regards.

pe1chl · Thu Dec 28, 2017 1:50 pm

It should be very simple to add support for selecting the bits of the IPv6 RA

I hope 2018 will be the year that MikroTik finally continue working on IPv6 support.

pamribeirox · Thu Dec 28, 2017 2:06 pm

To ease the management of IPv6 networks is useful as a first step to base them on the existing IPv4 network structure.
One of the things that could be done is using some elements embedded in the IPv6 link-local address so the Windows "ipconfig /all" (and alike from other OSs) provide an simple way to verify the terminal are correctly connected/configured.

RouterOS should allow us to change the IPv6 link-local address from the default one (based on EUI-64 logic) to a manual defined address in the block reserved for link-locals in the RFC4291 (fe80::/10)

Then, as an example, the interface with IPv4 address 192.0.2.1 could also have an IPv6 LL fe90::192:0:2:1

regards.

pe1chl · Mon Jan 01, 2018 1:23 pm

Feature request: enable WMM (QoS based on DSCP) for WiFi interfaces (preferably by default) without having to use mangle rules to set priority based on DSCP.
The disadvantage of mangle rules is that they only work when all "fast" options are disabled and when the "use IP firewall" is enabled on the bridge.
Competing products have WMM enabled by default without having to configure anything. In MikroTik it requires settings like:

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip settings
set allow-fast-path=no
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes

and deleting the "fast track" rules.
As some of these have quite global effect on performance, it would be preferable to have some way of just doing WMM with a simple checkmark in the Wireless settings.
(there is one, but it does not do the prioritization)

moose999 · Tue Jan 16, 2018 12:49 pm

I am aware I can control access to services (web, winbox, api, etc.) and rights (read, write, sensitive, etc.) but it would be very useful to be able to control access to features (/ip firewall nat for example) as well.

Does anyone know if this is possible?

Thanks,
Justin.

upower3 · Thu Jan 18, 2018 8:59 am

Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.

ViennaAustria · Thu Mar 01, 2018 9:23 am

I'd like to re-request the function of rinetd.

https://boutell.com/rinetd/
http://brewformulas.org/Rinetd

We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow uns to access these devices from remote (telnet, SSH, webinterface, SNMP, ...). A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.

If a rinetd-like function would be added to RouterOS it would be GREAT!

Thanks!
Thomas

upower3 · Thu Mar 01, 2018 9:28 am

I might me a bit wrong but why don't you just use NAT?

I'd like to re-request the function of rinetd.

pe1chl · Thu Mar 01, 2018 12:16 pm

I'd like to re-request the function of rinetd.

https://boutell.com/rinetd/
http://brewformulas.org/Rinetd

Never heard of that before, but I did similar things in the past using "netcat" ("nc")

We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow uns to access these devices from remote (telnet, SSH, webinterface, SNMP, ...).

You can do the same thing on a MikroTik using a src-nat and a dst-nat rule!

A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.

HOW???
A local linux box can be a Raspberry Pi which would be more like $50.

wtm · Sun Mar 04, 2018 2:06 am

Would like to see a Radius tester available for the "Tools section". Something along the lines of Radtest, so you can see that the external radius server is actually getting something from the Mikrotik router, and if not what the problem may be to fix it. Currently there is not enough information available in the Logging to help you on that.

Quasar · Fri Mar 09, 2018 2:45 pm

Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.

Another +1 for me. Please implement this, as WireGuard is steadily moving towards mainline kernel inclusion.

Virtual private networks with WireGuard

gerakon · Wed Mar 21, 2018 3:46 pm

In Winbox I think the Dashboard menu could go away and just have all of it's items enabled by default. Unless there's some reason people don't want to see this information or there is some amount of overhead on the router.

If it can't go away, it would be great if it would at least remember my settings between routers so that I don't have to re-enable them to compare times more easily between routers that are having IPSEC negotiation problems or when the CPU is maxed.

pe1chl · Wed Mar 21, 2018 5:01 pm

it would be great if it would at least remember my settings between routers

This is just a special case of the generic feature request to have some way of sharing settings in winbox between a large number of routers.
Some other requests have been seen to e.g. allow "set current winbox settings as default for new connections" and/or to simply allow
the sharing of the same settings between all routers in a Group.

Wed Mar 21, 2018 5:07 pm

This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as

Next time before connecting to new router pick saved session.

pe1chl · Wed Mar 21, 2018 5:35 pm

- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select colums should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menues and often does not fit on the screen so has to be scrolled as well.

hackclub · Wed Mar 21, 2018 8:51 pm

urgent request to (for) mikrotik
viewtopic.php?f=1&t=132062

gerakon · Thu Mar 22, 2018 12:26 am

This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as

Next time before connecting to new router pick saved session.

But then I have to do that on each of the hundreds of routers in my Winbox managed sessions list.... Right? I guess my point is that I see no reason at all why someone would not want to see the dashboard information in the upper right. Is there a reason? It's just extra stuff (menu options) that doesn't need to be there. Turn them on all the time for every session and just get rid of the Dashboard menu.

Unless there's some reason that I'm not seeing?

Thu Mar 22, 2018 12:28 am

Please increase Simple-Queue limits - they max at 4,294 Meg (aka 4.294 Gig)

ROS Simple-Queue - please increase the possible maximum limits and thresholds.
Currently on v6.41.3 and v6.41.2 (don't know about older versions) ,
The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
This presents a problem. I have multiple 10-Gig networks and on some networks I must use bandwidth limiters which are much faster than the built-in restricted values.

An example of need: 10-Gig physical Internet connection - Purchased Internet speed need to be maintained by my network equipment. Problem - the Mikrotik ROS will not accept any values greater than 4294M in any of the Winbox Simple-Queue fields

North Idaho Tom Jones

mkx · Thu Mar 22, 2018 11:25 am

The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.

.
Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.

Perhaps by giving us possibility to set unit ... e.g. bits/second (default, current setting) or kbps (gives 1000-times higher limits) or Mbps. After all, with Gbps speeds it is not really sensible to set limits with bps resolution. Or is it?

pe1chl · Thu Mar 22, 2018 11:43 am

Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.

That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.

WirelessRudy · Thu Mar 22, 2018 12:02 pm

- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select colums should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menues and often does not fit on the screen so has to be scrolled as well.

This is what I have been asking for several times over the years. It's good someone else now asks again.
Somewhere some Mikrotik guy decided what the default settings are when on a virgin router a virgin winbox is openend. I would like to be able to just change that 'virgin' setting myself.
By default winbox shows a lot of info I have never interest in. But many other field I need everytime again are not there by default.... Especial when you work with many PC's it would be easy to have one winbox.exe that is everywhere the same to MY like.

Thu Mar 22, 2018 5:09 pm

Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.

Well, I would suppose that if somebody (like me) needs a simple-queue setting in any of the fields greater than 4294-Meg, then they are likely running something with a big-beefy-CPU , such as a CHR on a fast Xeon processor or possibly a high-end or current or future Mikrotik hardware product.

I am pretty sure my CHR-x86-64Bit and my ROS-x86-32-Bit systems have plenty of CPU horse-power. All of my virtual ROS systems can btest to 127.0.0.1 in the 19+Gig ranges. (btest uses only 1-core. Now if you use 8+ cores (hyper-threading disabled for maximum CPU throughput) then I would assume possible system-wide-throughput might be 8x greater.

(My next hyper-visor system I am planning to build soon will allow me to configure 44 Xeon CPU cores to a hosted system - such as a CHR.)

Also , just about all new carrier-grade network equipment has one or more 10-Gig interfaces. Thus another reason for a simple-queue fix/update is needed.

Also - remember the Mikrotik post about "What would you like to see in a future Mikrotik ...something... with a 40-Gig throughput..." Thus another reason for a simple-queue fix/update.

Everything in my server room and my Internet feed uses 10-Gig interfaces. And I need an ability to use simple-queues up to 10-Gig.

artemk · Sat Mar 24, 2018 8:07 pm

Selectable auth mechanisms for RADIUS-based AAA on system login.
currently it varies based on the access vector, and Winbox requires chap which requires reversible cryto / plaintext password store.

Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.

+1
It works for SSH but it would be really good to make Winbox to be able to authenticate via radius.

ahmedramze · Sun Mar 25, 2018 4:34 pm

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requist=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y

Regards

ivicask · Sun Mar 25, 2018 4:39 pm

Hello

to disable DNS attacking
please add listen address on better from use ip firewall filters

/ip dns allow-remote-requist=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y

Regards

Cant you already do that via firewall, dont understand what more you need, if you want to block DNS requests form outside net, or alow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..

Sob · Sun Mar 25, 2018 8:52 pm

... if you want to block DNS requests form outside net, or alow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..

All other services have something like that. Api, ftp, ssh, telnet, winbox and www have "available from" option in IP->Services, smb allows to choose interface. If it makes sense for them, surely it would make sense for dns too.

sarada · Sun Apr 01, 2018 11:03 pm

Hi,

Can you add a feature in User manager which support WPA EAP and add 6to4 tunnel to vlan or bridge, please?

Railander · Thu Apr 05, 2018 7:50 pm

Feature Request:

With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.

Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.

doneware · Sat Apr 07, 2018 9:32 pm

With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.

Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.

this might be two things however. while the interface statistics could be worked out with "/tool graphing" even with resource visibility separation - currently using src ip address as differentiator - the "editing" part is tough. so if you can separate your customers based on ip address, you can define which interface/queue/resource the user may be viewing on the router's web gui.

but i don't really think this is a good idea, as routers are to forward packets and to run web servers. if you want real granular read/write control for defined routeros resources (interface, addresses, queues) you will be better off with an external web server using API integration.

pepek · Tue Apr 10, 2018 1:14 am

I've tried to search this topic, but I haven't found it (hope there are not any duplicates):

NTP Client - Possibility to use server name, not just IP address
exFAT (FAT64) or NTFS support - yes, MT is not NAS (it's slow), but it would be great to use file system capable of handling >4GB file complatible with Windows (you have HDD with big files and you want to share some files - you cannot connect it to MT, you have to reformat it to FAT32, copy everything except for big files back...)
Wireless - move Country and Distance setting to Simple Mode - you can set every other important "basic" setting in simple mode, but you have to switch to Advanced Mode for these two settings.
Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)

zappulec · Tue Apr 10, 2018 6:15 pm

Secured DNS
- DNS over HTTPS
- DNS over TLS

pe1chl · Wed Apr 11, 2018 10:34 am

Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)

You will have to learn and understand that you should use QuickSet only ONCE and not look at it later!
It provides an overview of some basic config but it is not showing correct values after you made manual changes (not only this!) and should you later change some
things via QuickSet you will seriously mess up the configuration!
So please don't worry about things like this and don't use QuickSet.

In fact a more appropriate feature request would be: make QuickSet disappear once it has been used and manual changes have been made afterwards.
That would protect a lot of beginners from serious trouble.

miencek · Wed Apr 11, 2018 11:55 am

RAM Disk for temporaty files ex. configuration to/from other devices, scripts

pudjo · Tue Apr 17, 2018 1:04 am

I've been waiting for along time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greately appreciated,
Thank You

Miracle · Tue Apr 17, 2018 5:48 am

I've been waiting for along time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greately appreciated,
Thank You

Do you know dst-nat ?

Chupaka · Tue Apr 17, 2018 5:53 pm

Is there any DNS server on port other than 53?..

Tue Apr 17, 2018 7:52 pm

Is there any DNS server on port other than 53?..

There are some non port 53 DNS configurations/uses.
Example: DNS over TLS is often port 853 -and- I kinda remember something about 135 End-Point-Mapper being used also for DNS

Also - security through obscurity can help prevent some attacks - such as running ssh on non-standard ports , DNS could possibly be remapped to use a non-standard port other than 53 to achieve a security through obscurity.

However , the standard well-known DNS port is 53. I would think if there is a security concern , that a FW configuration would be easier and more compatible method to control DNS access and better prevent attacks against DNS servers.

North Idaho Tom Jones

pe1chl · Tue Apr 17, 2018 8:06 pm

There are some non port 53 DNS configurations/uses.

The intended use case is probably where the ISP blocks or redirects access to port 53 outside (only allowing acces to their own resolvers)
but does not have advanced DPI in place. Then just using a different port may circumvent their efforts. E.g. OpenDNS listens on port 5353,
and one could sents the requests there. I don't know if Google DNS and CloudFlare DNS have similar alternate ports.

Of course this works only until the ISP admins know it and block or redirect that port as well. Not worth it to make a change in the router
for that, just use dst-nat.

Sob · Tue Apr 17, 2018 9:48 pm

Not worth it to make a change in the router for that, just use dst-nat.

Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.

pe1chl · Tue Apr 17, 2018 11:10 pm

It may be possible to use a loopback interface and set the DNS server address to the address of this interface, then dstnat that traffic.
(I did not try, but I *do* use dstnat for traffic incoming to a router and that works)

msatter · Tue Apr 17, 2018 11:42 pm

Or you use an local DNS server on a RaspberryPI like DNSmasq, PiHole, etc.and you are able to control it all yourself.

Wed Apr 18, 2018 1:17 am

As stupid as it might sound -almost a lol-
What happens if you add ":XY" to the IP address of the DNS server , where XY is the port #

Say you wanted you mikrotik to use port 5320
then use IP address format of the DNS server of:
a.b.c.d:5320

I remember this working on an old DSL router 15 years ago.

North Idaho Tom Jones

Sob · Wed Apr 18, 2018 2:03 am

@pe1chl: No, dstnat happens in prerouting, so traffic coming to router (no matter if it will end up in forward or input) can be matched by dstnat rule. Traffic from router doesn't come through prerouting in RouterOS.

@msatter: External device would work fine, but sometimes it may not be desired or even possible to add it.

@TomjNorthIdaho: Nope, to quote WinBox: "Error in - non zero ip address or non zero ipv6 address expected!"

But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.

pe1chl · Wed Apr 18, 2018 10:38 am

But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.

Ok apparently it needs a real loop, I was thinking about adding a loopback interface (an empty bridge with an IP address) and sending the DNS queries there.
But maybe the address is considered local and it does not work then.

Chupakabra303 · Wed Apr 18, 2018 1:39 pm

file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!

pe1chl · Wed Apr 18, 2018 2:34 pm

file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!

It is not a limitation of those routines, but of the maximal length of a variable content.
What is needed is an open/readline/close feature so files can be read line-by-line into a variable.
(for completeness also a read(n) to read a fixed number of bytes instead of a single line)

juliokato · Wed Apr 18, 2018 3:44 pm

Is there any DNS server on port other than 53?..

I have a solution to decrease costs with DNS filters like OpenDNS or SafeDNS, using a DNS resolver intermediate on UDP port 5353. All my 100 MK with different valid IPs points to this resolver.
This also helps in the security of this resolver.
I can give you more details if anyone has an interest.

Chupaka · Wed Apr 18, 2018 4:25 pm

So how do you point your Windows/Linux/MacOS machine to some non-53 DNS port?..

juliokato · Wed Apr 18, 2018 8:32 pm

I was using firewall nat:

add action=dst-nat chain=dstnat disabled=no dst-port=53 log=yes protocol=udp to-addresses=aa.bb.cc.dd to-ports=5353

this forces anyone to use my resolver, even if some user tries to use another different dns server.

This has other implications of redundance and security that is not part of this topic.

fernandolcx · Thu Apr 19, 2018 6:06 pm

Feature Request:

Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:

1.3.6.1.4.1.9.9.150.1.1.1.0

But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using
Mikrotik routers as BRAS/BNG/PPPoE Server.

If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.

To workaround we can use this:

/interface pppoe-server print count-only where service=service5

BUT it should be a nice feature to add to SNMP

samsung172 · Fri Apr 20, 2018 12:20 am

Feature Request:

Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:
Code: Select all
1.3.6.1.4.1.9.9.150.1.1.1.0
But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using
Mikrotik routers as BRAS/BNG/PPPoE Server.

If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.

To workaround we can use this:
Code: Select all
/interface pppoe-server print count-only where service=service5
BUT it should be a nice feature to add to SNMP

You can have this info from the radius server. (if used)

raymondr15 · Fri Apr 20, 2018 1:34 am

Please add the ability to enable or disable successful login attempts for specific users, for example an API user, accounting software logging in and out updating information on the router.

lordcoke · Fri Apr 20, 2018 4:03 pm

Feature request for /tool sniffer. Please make it possible to submit a filter-port range to the sniffer to allow sniffing like this:

/tool sniffer set filter-ip-protocol=udp filter-port=32000-32255

pudjo · Mon Apr 23, 2018 3:16 pm

Is there any DNS server on port other than 53?..

i have run several DNS servers using many port other than 53, the purpose is for internet filtering, users can select filtering level by choosing dns port, check out https://www.thenetpurifier.com/filtering.php

pudjo · Mon Apr 23, 2018 6:43 pm

Not worth it to make a change in the router for that, just use dst-nat.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.

vote +1 for dstnat in output chain

pudjo · Mon Apr 23, 2018 6:45 pm

I've been waiting for along time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533

The purpose is to get DNS service from non default port DNS Server.

Any response is greately appreciated,
Thank You
Do you know dst-nat ?

dst-nat not working in output chain, AFAIK

lugovoyma · Mon Apr 23, 2018 8:20 pm

openvpn UDP

pe1chl · Wed Apr 25, 2018 5:07 pm

Now that ip firewall address-list (and ipv6 firewall address-list) support DNS lookups, add a way to get subnet entries from DNS.
Unfortunately there is no standard DNS record type for subnets. There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
Therefore, I suggest to use TXT records.
Do a query for TXT records for the specified name (after or in parallel to the A and AAAA records already queried) and for each TXT record coming back, check if it conforms to valid subnet notation like 11.22.33.0/24 or 11:22:33:44::/64 and if valid, add it as an address list item.

Sob · Wed Apr 25, 2018 8:12 pm

There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.

If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS). And any sensible server allows to add unknown record types using generic syntax. If you have hosted DNS and you depend on some admin interface, it's another story and I guess support there will be very bad. That was the authoritative part. Resolvers should be transparent for unknown types since forever.

So it may sound perhaps a little too optimistic, but I'd say it's almost there. And a gentle push (like MikroTik adding support in RouterOS) might help to move things forward. Some people could start using it right away and others would have motivation to nag their DNS providers to add support.

erebusodora · Wed Apr 25, 2018 8:20 pm

It would be very nice to have a feature to hide rows. Column Hide and Show Footer Works is a great job on the look. Screenshot feature must be implementet too.

pe1chl · Wed Apr 25, 2018 8:28 pm

There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS).

I googled for it and I cannot find any DNS server that has documented APL support, including Bind. We use bind 9.
However, if it is supported it would be fine to use APL. Probably with TXT there are less obstacles.

Sob · Wed Apr 25, 2018 10:31 pm

It doesn't seem to be advertised much, but it looks like BIND has it since 2002.

Advantage of using TXT would be instant availability everywhere. Probably even better reliability, at least in short term, because some broken resolvers will surely show up somewhere. But it's reinventing the wheel. Purists might also argue that we don't need yet another thing in TXT, there's enough of them already.

hurymak · Thu Apr 26, 2018 1:54 pm

Encrypt nand filesystem, so when some thieve unsolder it, cant read my config.

cis2131 · Thu Apr 26, 2018 11:11 pm

Run a script when a port is closed by loop protect.

PtDragon · Fri Apr 27, 2018 12:08 am

Small feature request:
Please make Syn Cookies tunable!
I explain a bit: right now we can only turn on or off.
I wish we could have cookie timeout tunable in our hands (so if no cookie reply for example in 5 or 10 or 30 sec just drop connection).
That will make defense way easier

Chupaka · Tue May 01, 2018 3:26 pm

Encrypt nand filesystem, so when some thieve unsolder it, cant read my config.

So, you'll need to enter encryption password each time router reboots?

5nik · Mon May 07, 2018 12:29 pm

Please, implement bandstearing for wifi, especially in CAPsMAN.

Please, add support 802.1x for wire interfaces.

pedromrocha · Mon May 07, 2018 2:48 pm

Please implement TACACS autentication.

We can't get your equipments certified in a ISP without that feature.

netwpl · Wed May 09, 2018 8:37 am

Please, implement bandstearing for wifi, especially in CAPsMAN.

Please, add support 802.1x for wire interfaces.

1+

psannz · Wed May 09, 2018 9:15 am

Please, add support 802.1x for wire interfaces.

Yes! +1, pretty please?

Wed May 09, 2018 9:29 pm

BUMP - I originally posted this: Wed Mar 21, 2018 3:28 pm

Please increase Simple-Queue limits - they max at 4,294 Meg (aka 4.294 Gig)

ROS Simple-Queue - please increase the possible maximum limits and thresholds.
Currently on v6.41.3 and v6.41.2 (don't know about older versions and I have read nothing in newer versions) ,
The current maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
This presents a huge problem. I have multiple 10-Gig networks and on some networks I must use bandwidth limiters which are much faster than the built-in restricted values.

An example of need: 10-Gig physical Internet connection (using CHR) - Purchased Internet speed need to be maintained by my network equipment. Problem - the Mikrotik ROS will not accept any values greater than 4294M in any of the Winbox Simple-Queue fields

North Idaho Tom Jones

Chupaka · Thu May 10, 2018 11:39 am

Tom, did you write to support@mikrotik.com ? Because this looks not like feature request but like important fix

pe1chl · Thu May 10, 2018 6:45 pm

No this is just established standard functionality hitting limitations as technology proceeds.
The queue mechanism uses 32-bit values (variables) and so the values are limited to 2^32
In fact practical limits are lower because "buckets of data" have to be calculated to be transmitted on each timer tick
and when the datarate gets so high the buckets become very large and those bursts could hit other limits or not play
along with others as nicely as you would like.
So it is not as easy to fix as you might think.

Fri May 11, 2018 6:48 pm

I suspect the simple-queue maximum value settings are going to be a bigger and bigger problem in the near future. - because of the new Mikrotik 40-Gig interfaces and newer/faster CPUs.

I can't help but wonder how much of the 64-Bit CHR software actually uses 64-bit instrustions.
Many 64-bit CPU instructions use fewer CPU clock cycles compared to a 32-bit set of instructions doing the same software function.

If Mikrotik is gonna compete in the router throughput world with the other guys in the faster than 3-Gig enviornment, they need to do everything possible to gain every speed/function/feature advantage possible.

I think I will write to Mikrotik support.

North Idaho Tom Jones

anav · Tue May 15, 2018 1:09 am

EXTRA TAB CHANGE!!

The mere fact of viewing any of the parameters ACTIVATES the parameter and this is WRONG.
All entries should be blank and if you want to offer default settings, GREY THEM OUT.
Suggest putting an apply button or something.

This is not consistent with the rest of the filter rules.
Right now I call it the DANGER DANGER TAB.

Chupaka · Tue May 15, 2018 11:13 am

Huh... Any more details? What do you mean saying 'Activates'?.. Why can't you 'deactivate' it back?

anav · Tue May 15, 2018 2:14 pm

Sorry chupka, I am just a beginner. I didnt know I was changing router settings just by looking at the paramaters in the ExtraTab.
In my limited experience when I clicked on the little arrow tabs, I thought I was simply viewing the default parameters in those selections.
I did NOT REALIZE that I was activating those parameters.
This is not consistent with how we apply items elsewhere in winbox.

Thus suggesting that the default entries be grayed out and one has an implement button when one wants to turn grey into white.
Or it is like every other

Or add a warning at the bottom of the EXTRA TAB. Stating, opening these items ACTIVATES them.
If you do not want them activated CLOSE after viewing.

Chupaka · Tue May 15, 2018 3:54 pm

The same with TCP Flags and ICMP Option in Advanced tab.

Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD

anav · Tue May 15, 2018 4:25 pm

As I stated, I am new to mikrotik.
To have to rely on intuition vice standard methods is a ridiculous way of setting up programming the router.
Every other selection I make on the router is checking a box, typing in a selection, pulling a selection from a pull-down menu.

I am not saying its wrong, just that from my perspective its bad design and terrible for the non-expert.
Would it hurt that much to have a fixed text at the bottom of the EXTRA TAB.....

"CAUTION: Opening up the parameters via the arrow icons, activates the parameters. If the entries are not modified, the default settings are accepted"

OR

"NOTE: Up facing arrow icons indicates an ACTIVE parameter"

If I could add an image here, and not from an URL, I would post one to give you an idea.

EDIT,,,,,,,,, posted in elsewhere for viewing here.............. the llama cannot be stopped.

Well that was less than useful....... argggg Lets try that again....

https://www.dslreports.com/speak/slides ... RhcnQ9MTgw

Bergante · Tue May 15, 2018 5:23 pm

I've posted a message on the forwarding protocols area, linked from here:

viewtopic.php?f=14&t=134423

BFD support for static routes would be extremely useful. Basicly, a static route would have an attribute to use BFD to check gateway availability. It's much better than check-gateway because it's a standard and it will help both a Mikrotik router and a router from a different manufacturer to detect a link down event.

I think it's simple to implement, even!

Wed May 16, 2018 2:00 am

A new added feature I would like to see (when using Winbox to a client Mikrotik) , would be the ability to Tools-->Telnet-->Select (*) telnet and also select a port # to telnet to (and the same for SSH).

Example: Lets say a client Mikrotik has a natted LAN IP address of 192.168.1.1/24 and there is a web server on IP address 192.168.1.20 (possibly not running a non-standard port).
Normally, you can do a telnet to IP-Address:Port# , and when it connects, you can simply type in "GET /" to verify the web server is running. However, if you can't telnet to an alternate port, then it becomes much harder to test out port - which might require a TCP/IP port forward on the outside WAN interface to the inside - then originate you telnet to alternate port from another machine.

Lets say you have a web server locally connected to the same network as your work station - try this: Telnet ip-address:80
At connection , you might not see anything - however type in this: GET /
And you will get some web server information so that you know it is actually running.

North Idaho Tom Jones

Sob · Wed May 16, 2018 2:17 am

I agree that selecting port in Tools->Telnet should be possible, but until it happens, you can do it from Terminal, it already works there:

/system telnet address=192.168.1.20 port=80

GuillermoHA · Tue May 22, 2018 6:30 pm

-Will be great in /ip hotspot active see directly what "user profile" are using without using address-list

WirelessRudy · Tue May 22, 2018 8:22 pm

Those units that have multiple PoE out ports under 'Health' menu the option to read the amps - watts of the input. Thus we can see what the total consumption is for attached devices AND this unit itself.

For many battery/solar operated units it's quit handy to see what the 'real' average power consumption is for a given actual setup.
(It would be even nicer if under 'graphs' a graph could be displayed for the last 24 hours of voltage amp/Watts consumption. Sometimes it is o so handy to know when batteries where charged (= high voltage) and when not (low voltage). The total power consumption also gives us a power budget over a 24 hour period. Power consumption depends on radio usage and that depends on actual data throughput. With a graph we can see if our actual power budget (batteries! Solar panels) are actually up to their task.

5nik · Fri May 25, 2018 12:03 am

It is possible add something like Web Aplication Proxy / redirector for HTTPS (SSL/TLS) trafic? Mikrotik will be able DNAT or redirect HTTPS(generaly SSL/TLS connections with SNI) for specific URL to another IP. It will be usable for hiding more HTTPS servers with diferent URL behind one public IP, or for very simple HTTPS (SSL/TLS) load balancing.

Wyz4k · Fri May 25, 2018 3:48 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.

bdallen · Mon May 28, 2018 3:43 am

no, the list does not influence our priorities, just gives us ideas about what people want to see.

Sorry Normis, and no disrespect to you, but what does influence this list? People screaming for proper vrf seperation, IPSec VTI Support, DHCP Option 82 Snooping in ROS, Proper BNG Features, IPv6 Needs alot of fixing, BFD (YMMV), BGPv4 MIB and many others.

But yet Kid Control turns up on a CCR??

Confused :S

anav · Mon May 28, 2018 5:01 am

Apparently IPSET uses the hdd memory in my HEX for address tables.
I am very low on HDD due to lists being used.
This is despite the fact that Ihave a 16 gig sd card and 16 gig usb stick in the unit.
FEATURE REQUEST: REMOVE IPSET limitation of internal HDD and be able to apply lists to usb or sdc.

As to the question above rather amusing but a good example of something that doesnt make sense.
Typically easy and no usage of capacity wins - or Kid Control is a billioinaire and wants his feature (or significant segment of market) etc......

pe1chl · Mon May 28, 2018 10:37 am

ipset uses in-memory storage to be able to lookup an address quickly. the CPU can just walk along the list (using hashes and/or tree), without reading from SD card first.
when it would be on disk, it would take far too much time to do the lookup to do it in the routing path.
so it does not make sense to request ipset (ip firewall address-list) to be put on disk instead of in memory.
when your ipset uses too much memory, you should back down on the use you make of it and/or buy a router with more memory.
I don't think it makes any sense to have a list that is to be checked in the routing path to be offline on disk. That would only be useful in the proxy service.

anav · Mon May 28, 2018 2:08 pm

Thanks pe1chi, that makes sense.
Oh well I have two hexes, perhaps I could connect them with a vulcan mind meld and have more memory available.
Which model do you suggest for a home owner, who is only trying to keep the dogs away from the home network.

pe1chl · Mon May 28, 2018 2:55 pm

The hEX r3 has 256 MB of RAM which is normally enough for quite large lists.
You should not try to make a dynamic address list to which items are added e.g. upon unexpected incoming traffic, as this makes the list grow very large.
It is better to focus on firewall settings to keep all that traffic out. That should be easy to do on the typical NAT routing config used at home.
Just don't allow remote management (i.e. do not allow any input from internet except for established/related).
When you really have to have remote management, configure some form of VPN service on the router and allow management only from authenticated VPN users.

anav · Mon May 28, 2018 3:36 pm

I understand, I have fixed lists, based on firehol type information, and I do have some spammer,synflooder,scan lists but they are weighted or need x connections so they are rarely entered.
That said I have 3K left in hdd memory. Will see what I can do to reduce fixed lists..........

wfuzatto · Wed May 30, 2018 7:01 am

What about a fixed VHT data rate for AC device? It would be a nice feature!

doneware · Wed May 30, 2018 10:03 am

can we have at least the summary of the sent/received ping probes returned as values? all we have right now in the number of successful responses received.

[me@router] > put [ping 8.8.8.8 count=3]
  SEQ HOST                                     SIZE TTL TIME  STATUS          
    0 8.8.8.8                                    56  57 9ms  
    1 8.8.8.8                                    56  57 10ms 
    2 8.8.8.8                                    56  57 8ms  
    sent=3 received=3 packet-loss=0% min-rtt=8ms avg-rtt=9ms max-rtt=10ms 

3

Wyz4k · Wed May 30, 2018 10:12 am

In the scripts and schedules editor in winbox can we please add the ability to select all - ie ctrl a? At the moment in order to select a big script you have to manually drag from start to finish.

Sob · Wed May 30, 2018 4:14 pm

@Wyz4k: There's also Select All in right-click menu.

adziahel · Thu May 31, 2018 1:31 am

DNS-over-HTTPS or DNS-over-TLS, in that order of preference

Wyz4k · Fri Jun 01, 2018 3:18 am

@Wyz4k: There's also Select All in right-click menu.

There is indeed. Thanks Sob, you are a legend!

anav · Wed Jun 06, 2018 4:34 pm

The same with TCP Flags and ICMP Option in Advanced tab.

Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD

Hi Chupakha I just wanted to say thanks for your patience, I am just a tad slow and finally get what you are saying.
Yes, without even knowing it I was using the up and down arrow functionality everywhere and thus should have realized what I was in effect doing on the extra page.
I still would like a note at the bottom of the page (text is cheap right?) for new users "Opening a field activates shown parameters, if Apply or OK is selected."

eroberts9 · Fri Jun 08, 2018 5:15 am

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
Not WDS AP/Slave where the bridge is wireless as it currently can work but having all radios connected Ethernet.

Chupaka · Fri Jun 08, 2018 1:11 pm

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.

So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.

pe1chl · Fri Jun 08, 2018 1:54 pm

So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.

That is one way of doing it, but it does not really work well. Clients have to "hop" between access points and this often only happens when the signal has
become too weak to maintain the connection, so before that the client already experience bad performance.
There are other competitors (Aruba networks, Ruckus, Zyxel and maybe others) who offer true seamless roaming where all your access points have the
same MAC address and the client connects with a "virtual" access point (a controller or a function in a master AP) and remains connected to that, only
the radio layer solves the location issue (all access points try to receive the client, the one who receives it strongest is used to send data to the client).
Indeed it is a nice feature, of course it has drawbacks but it performs best when clients are wandering around in a building or park.

Fri Jun 08, 2018 6:00 pm

When using multiple WiFi systems with the same SSID and wireless security settings, you should NOT have the APs perform NAT , but instead those APs should bridge the wireless wlan to an Ethernet network. Then have central core router perform NAT & DHCP on the inside LAN that the AP wireless clients are bridged to.
This will then permit client seamless roaming from AP to AP. When a client roams in your network of APs, the client maintains the same IP address.

If your APs are all doing NAT, then when a client roams to a different AP, you can experience all kinds of problems and end up with of two of the same IP address on the same network.

North Idaho Tom Jones

Chupaka · Fri Jun 08, 2018 6:27 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/diassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...

Fri Jun 08, 2018 6:45 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/diassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...

One of the problems with RFCs and standards is that often 90% of manufacturer network devices only follow RFCs and standards by only 90%.
When you think about it - it's amazing that the Internet even works with all of the different connected brands of devices

pe1chl · Fri Jun 08, 2018 10:51 pm

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/diassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...

There are standards for fast handover but they weaken the security. Also there are standards to provide roaming information so the clients know what other AP's to look
for, still there is trouble all the time. Those seamless roaming networks do not have those problems because the controller decides how it operates and it has complete
knowledge of the topology. However, MikroTIk does not have products in that segment (and neither does Cisco, for that matter).

eroberts9 · Fri Jun 08, 2018 11:50 pm

I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.

There is only one association, a client does not reassociate if they move from one AP to another. There is not a loss of service when a client moves to a closer AP.

Somewhat like WDS works now via WDS AP -> WDS Slave except backhaul isnt wireless, its via ethernet.

lesnikov · Sat Jun 09, 2018 4:22 pm

Hey,

Probably posted before but here goes again. We need 802.1x integration on routerOS for wired ports.
Been looking for this feature for years now...

anav · Mon Jun 11, 2018 3:24 pm

Due to SIP issues, a friend pointed out this thread.
viewtopic.php?t=129048

So requesting that mikrotik address the issues discovered .
Best to let the experts read and absorb just provided the following quotes....

The issue is stated as...... " A limitation of the UDP + NAT schema" in the mikrotik engine.
or stated another way......
"the conclusion is that the connection tracking engine's architecture on RouterOS is the root cause of this"
"The issue here is that Mikrotik's acceleration tactic of skipping the nat table for packets found in the connections list is the fault"

DanielJB · Mon Jun 11, 2018 5:21 pm

By default, RouterOS pings all idle wireless clients every 60s. With many associated clients over a larger area (therefore low bitrates) with 1-2 active at any given time, network efficiency is reduced and client battery life is reduced.

Disabling keepalive-frames causes issues wherein clients are listed in the registration table, but the wireless interface goes down.

Please make "/interface wireless set keepalive-frames" an adjustable delay, so we can set eg 300s rather than enabled at 60s or disabled.

Thanks!
Daniel

DummyPLUG · Fri Jun 15, 2018 10:10 am

Please add port redirect in IPv6 firewall, will much easier to force all http/https redirect to proxy and redirect all free/public DNS server access back to local dns server.
p.s. newer linux kernel and ip6tables already support this, hope routeros will have this feature as well.

craterman · Sun Jun 17, 2018 12:34 pm

OSPF and BGP Graceful Shutdown

Wed Jun 20, 2018 9:34 pm

I would like Mikrotik to consider a new type of BaseStation AP
- Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors.
- Something that falls under FCC point-to-point higher power rules
- Something that functions simular to a beam-steering phassed-array (where the system acts list a point-to-multi-point system).

Vivato (now out of business) did have two models of phassed-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business , I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD performed testing on my Vivatos phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could acheive with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).

Another company just announced a BaseStation (Ubnt) which is claimed to support the following; 5 Gbps real Aggregate wireless throughput , MU-MIMO , 1,500 wireless clients , 10-Gig Ethernet interface (some serious stuff here !!!)

If the Ubnt BaseStation performs even close to what my Vivatos were doing , then this is a real serious contendor for high-density high-volume high-throughput system.

The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
I would like to see a Mikrotik system that can achieve the same thing.

North Idaho Tom Jones

WirelessRudy · Thu Jun 21, 2018 12:41 pm

I would like Mikrotik to consider a new type of BaseStation AP
- Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors.
- Something that falls under FCC point-to-point higher power rules
- Something that functions simular to a beam-steering phassed-array (where the system acts list a point-to-multi-point system).

Vivato (now out of business) did have two models of phassed-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business , I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD performed testing on my Vivatos phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could acheive with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).

Another company just announced a BaseStation (Ubnt) which is claimed to support the following; 5 Gbps real Aggregate wireless throughput , MU-MIMO , 1,500 wireless clients , 10-Gig Ethernet interface (some serious stuff here !!!)

If the Ubnt BaseStation performs even close to what my Vivatos were doing , then this is a real serious contendor for high-density high-volume high-throughput system.

The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
I would like to see a Mikrotik system that can achieve the same thing.

North Idaho Tom Jones

Sounds interesting. But is part of the evolution in wireless also not that now the spectrum is saturated where 10 years ago is was hardly used? I mean, my first Mikrotik 2,4Ghz 802.11b outdoor AP on a 8dBi omnidirectional had no problem to communicate with my laptop at some 300-400 meters away. And that communication was the sending of an e-mail.
Now I am glad my new dual chain 802.11a/b/g/n/c laptop still has a connection to a 18deBi dual chain 90º sector with Netmetal 30dBm radio some 50 meters away. And I am not interested in sending an e-mail, it needs to be a 4K streaming full duplex Skype video conversation (I am a bit exaggerating).....
10 years ago in a 2,4Ghz scan I'd performed all I saw was my own AP..... Now a scan reveals some 100+ radios..... Ok, we have 5Ghz now, but that is sort of similar. My 5Ghz AP's easy pickup 20 other AP's.... and there must be several hundreds of CPE's communicating with them.

I must mention though we have one 'alien brand' AP working on a village that is also full of 5Ghz AP's and users, but they work with their own protocol on the 5Ghz band. They work with 4 antenas on one AP and then each of these 60º sectors are overlapping to get some 200º reach. The AP works on 10Mhz wide channels but each antena has its own frequency slightly different from the others. Now the OS switches connected CPE's to that sector with a good enough signal to supply the top PHY rate achievable that carries the least traffic. The result is that each of the connected clients have no issue to reach the OS limited top download of just over 30Mbps and sustain that for prolonged times. Basically each sector can sustain a full 30+Mb download to a single client thus the AP can do 4 at once.... in a 10Mhz channel! Low latency, sustained speed...... Try that with a Mikrotik 20 or even 40Mhz normal Wifi solution....
Over the same village we have 2 more AP's, both Netmetal and working 5Ghz NV2 or plain 802.11ac but 30Mbp is only possible if that client is the only one using the AP and only peak speeds. This is with -45dB signals all duo chain 20Mhz wide channels.....

So yeah, there are better ways of doing wireless.....

Thu Jun 21, 2018 6:48 pm

WirelessRudy
un-releated to this forum topic ...
Back in 2002, I did a site-survey in all areas we now service (20+ towns/citys). I found zero APs.
Earlier this year , I did a site-survey using 1,000 customer Mikrotiks I manage (I used a Linux script). I found several thousand different APs.

datajerk · Fri Jun 29, 2018 4:02 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.

If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. You're telnet client C&P will work just fine.

Wyz4k · Fri Jun 29, 2018 4:46 am

The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. You're telnet client C&P will work just fine.

This is the feature requests channel. I am requesting a very basic feature that will take all of 30 seconds for somebody to add.

New request:
[admin@MikroTik] > { :put [:resolve www.example.com]; :put "lala";}
failure: dns name does not exist

Please add a way to read the error ("failure: dns name does not exist" in the error above) when using the on-error catch below.

:do {
:put [:resolve www.example.com];
} on-error={ :put "resolver failed"};

raymondr15 · Mon Jul 09, 2018 9:39 pm

Please add support for USB booting on RouterBoards so we can have the ability to install RouterOS onto a USB drive.
Maybe in NetInstall also make it possible which device RouterOS should be installed to if there is more than one. ie: nand, USB...

Reason 1: In case something happens to the nand chip on the RouterBoard.
Reason 2: For testing purposes to test RouterOS releases without making changes to the nand config/software.
Reason 3: In case someone is doing heavy changes all the time that will put undue strain on the nand.

Wyz4k · Tue Jul 10, 2018 6:33 am

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.

Chupaka · Tue Jul 10, 2018 12:34 pm

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.

This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set

/ip ssh set always-allow-password-login=yes

Wyz4k · Tue Jul 10, 2018 1:03 pm

Hi everyone,

Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.

Also then please add a way to disable username / password logins.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
Code: Select all
/ip ssh set always-allow-password-login=yes

Not for winbox though.

genesispro · Tue Jul 10, 2018 1:19 pm

I would also like to be possible to set winbox to a state where changes are pending and the moment all changes done to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and the we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.

To avoid loosing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client which would of course has to be done locally... or with a script!

Chupaka · Tue Jul 10, 2018 1:27 pm

Not for winbox though.

Yeah. Also not for WebBox, not for Telnet, not for API...

Anyway, your initial message was not about WinBox. If you need WinBox - use SSH with port forwarding for WinBox

Chupaka · Tue Jul 10, 2018 1:31 pm

I would also like to be possible to set winbox to a state where changes are pending and the moment all changes done to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and the we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.

To avoid loosing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client which would of course has to be done locally... or with a script!

Not a script, but in a Terminal:

{
  /interface bridge port remove [find interface=ether1]
  /ip dhcp-client add disabled=no interface=ether1
}

or

/interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1

genesispro · Tue Jul 10, 2018 1:50 pm

Well I use winbox and/or API so with neither I could do it remotely since I would loose at the first step the remote connection

I would also like to be possible to set winbox to a state where changes are pending and the moment all changes done to be able to say commit.

If for example we have the wan port in a bridge with a dhcp-client on the bridge and the we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.

To avoid loosing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!

So one needs to remove it from the bridge port and then modify the dhcp-client which would of course has to be done locally... or with a script!
Not a script, but in a Terminal:
Code: Select all
{
  /interface bridge port remove [find interface=ether1]
  /ip dhcp-client add disabled=no interface=ether1
}
or
Code: Select all
/interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1

Chupaka · Tue Jul 10, 2018 2:18 pm

Well I use winbox and/or API so with neither I could do it remotely since I would loose at the first step the remote connection

Just press Terminal on the left of WinBox. If you use "{ }" - commands inside of brackets will be executed when you press Enter after the bracket. Like this:

[admin@s.internal] > {
{... :put "here"                                 
{... :put "we"  
{... :put "go!"
{... }         
here
we
go!
[admin@s.internal] >

nicutdk · Mon Jul 16, 2018 1:27 pm

Hi,

I want to make a suggestion for IP cloud
So...

Will be nice to have feature to associate IPcloud from routerOS with Mikrotik Account to manage all mikrotik router.

For Example I have many clients and I make my own structure to manage. If I forgot to add is to hard to put again.

Regards,