February 2026
M	T	W	T	F	S	S
	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28

Archive for the ‘RouterOS’ Category

Some repositories with Mikrotik RouterOS Scripts (so no repos with API interfaces)

Posted by jpluimers on 2017/07/25

For my own reference:

List of TOR exit nodes and how to disable them in the firewall: openkasnet/Mikrotik
- Probably better done by interfacing to http://torstatus.blutmagie.de/ and their CSV lists at http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv aka http://torstatus.blutmagie.de/ip_list_all.php
Firewall rules for certain regions and malware: kometchtech/mikrotik
Tolaris/mikrotik-dns-dhcp: Tool to syncronise DHCP lease names with DNS hostnames on Mikrotik routers.
Something with queues: chemax/mikrotik: mikrotik’s script
Dynamic DNS mihaiv/Mikrotik: Mikrotik scripts and xpegenaute/Mikrotik: Mikrotik stuff and e4r7hbug/namecheap_routeros: Namecheap dynamic DNS update script for RouterOS
Setup of new router jadiaz/MikroTik: Scripts for use with various Mikrotik routerboards
Auto-upgrade and config backup: massimo-filippi/mikrotik: MikroTik / RouterOS Scripts
TheAntz/RouterOS-Scripts: Various scripts and scripting functions for use in MikroTik RouterOS. function.EmailMultipleRecipients.rsc Add, function.csvIntSum.rsc,
function.getDaysInMonth.rsc, function.getISO8601DateTime.rsc
karrots/ros-ddns-ipsec: Mikrotik RouterOS script for updating IPSEC peer IP addresses from DNS.
jaydio/routeros-scripts: MikroTik RouterOS – Assorted Scripts

–jeroen

Posted in Development, RouterOS, Scripting, Software Development | Leave a Comment »

Mikrotik RouterOS scripting: for loops are a bit of getting used to

Posted by jpluimers on 2017/07/18

Earlier, I wrote “:for loops are a strange beast so I will elaborate on those in a separate post.” so now is the time to do that.

The :for loop documentation is very dense:

Command Syntax Description

for :for <var> from=<int> to=<int> step=<int> do={ <commands> } execute commands over a given number of iterations

Command	Syntax	Description
`for`	`:for <var> from=<int> to=<int> step=<int> do={ <commands> }`	execute commands over a given number of iterations

So a for loop has these elements:

from=
to=
step=
do=

Luckily, the old RouterOS 2.7 documentation on loops (which they’ve revamped after Router OS 2.7 removing many useful examples) has this:

:for – It has one unnamed argument, the name of the loop variable. from argument is the starting value for the loop counter, tovalue is the final value. This command counts loop variable up or down starting at from and ending with to, inclusive, and for each value it executes the do statement. It is possible to change the increment from the default 1 (or -1), by specifying the stepargument.
[admin@MikroTik] > :for i from=1 to=100 step=37  do={:put ($i . " - " . 1000/$i)}
1 - 1000
38 - 26
75 - 13
[admin@MikroTik] >

You might think that from= the start value, to= the finish value and the loop won’t execute when step= a positive value and from= larger than to=. Or that without a step= the loop will always iterate in ascending order.

Wrong! And wrong!

So it’s time for some…

:for loop examples

Read the rest of this entry »

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

Mikrotik RouterOS /ip firewall address-list timeout values sort-of documented

Posted by jpluimers on 2017/07/05

Thanks to ZeroByte answering at [Answered] Where are ip firewall address-list timeout values documented – MikroTik RouterOS [WayBack] which I edited a bit here:

I haven’t seen anything specific to the format of these time tokens, but the firewall add-to-address-list timeout is documented here:
http://wiki.mikrotik.com/wiki/Manual:IP … Properties…It seems to take the same format as any other similar duration-related input I’ve encountered:

a raw number is interpreted as seconds

You can specify a number as another duration with tokens:

s = seconds (default)

m = minutes

h = hours

d = days

w = weeks

A few aspects:

Tokens can combine be in any order

Whitespace is ignored

So these are all valid:

2s 2h 2w 1w2d3h4m5s 5s4m3h2d1w

Days and weeks just get added together. If you specify 1w8d, this is the same as 2w1d

The last value specified may be in h:m:s format or in h:m (omit seconds)

Interestingly, if you mix and match, they just get added:

“1d 2h 12:30” -> “1d 14:30:00”

Values larger than 536870911 seconds are stored and tracked but when displayed show as 0sec.
(248 days, 13:13:55)

The maximum value is 4294967295 seconds (which is the maximum 32-bit value)
This decodes to: 7101w3d6h28m15s as the largest value….
(7101 weeks is ~136 years counting for leap years, by the way)

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

middelink/mikrotik-fwban: Use your Mikrotik firewall to do fail2ban like blocking of unwanted IPs. Written in Go

Posted by jpluimers on 2017/06/26

Interesting: middelink/mikrotik-fwban: Use your Mikrotik firewall to do fail2ban like blocking of unwanted IPs. Written in Go.

It might beat these (that just count SSH connections, not failed connection attempts):

Prevent RDP logon brute force in mikrotik router via winbox – Server Fault
Bruteforce login prevention – MikroTik Wiki (though FTP check does ban on failed login, but SSH doesn’t)
Matthew Siemens: Blocking SSH Brute Force Attacks in MikroTik RouterOS
The Mikrotik RouterOS config, tips and tricks thread – boards.ie

Another alternative is to parse one of the logs:

Vuln Info – Block SSH brute force on MikroTik RouterOS

Of course you should have this installed by default as part of your hardening process:

Drop port scanners – MikroTik Wiki

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

URLs for Mikrotik PCC load balancing

Posted by jpluimers on 2017/06/16

PCC load balancing saved my ass; here are some link I used:

Source: Mikrotik Layer3 Gateway Load Balancing « MikrotikUniversity
Source: Egress filtering – Wikipedia, the free encyclopedia
Source: Ingress filtering – Wikipedia, the free encyclopedia
Source: Playing with the Mikrotik’s PCC | Syed Jahanzaib Personal Blog to Share Knowledge !
Load Balancing Using PCC & RouterOS – MUM – Mikrotik
Load Balancing using PCC connected via PPPoE with Port Forwarding – MUM – Mikrotik
Internet Load Balancing •PCC(Per Connection Classifier) •Routing Policy •Spillover (nice examples)
Set the PCC selector from “both addresses and ports” to “both addresses”. This way communication from and to the same IP address always hashes the same and you don’t get broken connections.
Source: PCC side effect on Mikrotik Forum – MikroTik RouterOS

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

Mikrotik firewall URLs

Posted by jpluimers on 2017/06/14

Some links that inspired me for various Mikrotik firewall rules:

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

URLs for Mikrotik scripts to block IP addresses after repetitive login failures

Posted by jpluimers on 2017/06/13

For my research list:

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

Mikrotik scripting language: a list of questions I had linking to the forum messages having answers

Posted by jpluimers on 2017/06/08

The RouterOS scripting language you can use on Mikrotik device immediately shows it’s origin: the console.

It is a statement oriented language where statement separators can be both semicolons and new-lines.
You can use the \ at the end-of the line as line-continuation character effectively spreading statements over multiple lines.

As promised some links to questions I asked:

What parts of scripts can be ran from the console? – MikroTik RouterOS
The answer teaches about scope and locality on the console.
Difference between `[]`, `{}` and `()` expressions? – MikroTik RouterOS
Their positioning can be tricky:
Bug? How can I create an empty associative array, then fill it to map strings to strings? – MikroTik RouterOS
This is how you do it:
:global convert ({});
Is there a good way to sync a local directory from the scripts that a Mikrotik has? – MikroTik RouterOS
No there isn’t. There is a way to sync /system script entries to the file system, but due to a stupid 4096 length string export issue (causing the dreaded “failure: new contents too long” error), scripts longer than 4096 bytes will not even be written truncated. Since LUA got ditched and never re-introduced, LUA is not a workaround either and splitting into multiple files is impractical.
This one-liner will show you length+name of all your /system script` entries:
:foreach scriptId in [/system script find] do={ :local scriptSource [/system script get $scriptId source]; :local scriptSourceLength [:len $scriptSource]; :local scriptName [/system script get $scriptId name]; :put "$scriptSourceLength bytes: '$scriptName'" }
a

Some questions by others that were also extremely useful:

Functions and function parameters – MikroTik RouterOS
new function syntax, much simpler than the old syntax in Functions in CMD Scripts – MikroTik RouterOS that hopefully someone someday will convert to the new syntax.
Functions and function parameters – MikroTik RouterOS
:typeof can return “nothing”
Functions and function parameters – MikroTik RouterOS
Fragment that adds all scripts named “Function.*” as :global functions upon system startup.
Declare those functions when you need them, just like in the nested-function example.
run script from terminal – MikroTik RouterOS
this is in fact very simple:
it also has the benefit that the terminal does tell you on which line and column your script is wrong (Winbox does not show that during execution):
[Solved] Use of externally defined global variables inside import scripts, – MikroTik RouterOS
It’s better to pass information to functions as parameters (named parameters make code a lot more readable than positional parameters).
Return IP Octet Function – MikroTik RouterOS
Parses an IP octet and returns either a specific or all octets. More elaborate: Mikrotik Scripting – Function to Split an IP Address into an Array | Paper Street Online
Note you can use bitwise operators on octets.
How do you clear a global variable? – MikroTik RouterOS
List all global variables using /system script environment
Unset a variable with a play :set variableName
Array Pop Function – MikroTik RouterOS
Array Push Function – MikroTik RouterOS
Basic XML/string parser function – MikroTik RouterOS
Function getBetween(inputString, betweenStart, betweenEnd)
Using :find command where string is not found – MikroTik RouterOS
:if ([:len [:find "abcd" "x"]] > 0) do={:put "Found";} else={:put "Not Found";};
Manual:Configuration Management – MikroTik Wiki
When you upload a script over ftp and have it end with auto.rsc, then it is automatically being executed and logged. For instance a file called anything.auto.rsc will have the log written to anything.auto.log.
I did it! Script to compute UNIX time! – MikroTik RouterOS
Understanding scripting data types – MikroTik RouterOS
:typeof, nil, nothing, str, :parse vs new-style functions (:parse can be faster!)
Simple HTTP GET? – MikroTik RouterOS
Some escaping required…
It is not possible to exit or break a loop statement – MikroTik RouterOS so if you want to break a :for loop early, you have to recode it into a :while loop. You can :return from a function when inside a loop, but that’s not the same (for instance compare C# break versus return or Delphi break versus exit).
:for loops are a strange beast so I will elaborate on those in a separate post.

And a few observations:

Functions do not need to be global. The RouterOS Scripting Manual paragraph on functions shows an example with :global that works just as fine with :local
```
:local myFunc do={:put "hello from function"} 
$myFunc
 
# output: 
# hello from function
```
a

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | 1 Comment »

APC 7xxx models, DHCP Option 43 and Mikrotik DHCP servers

Posted by jpluimers on 2017/06/07

When switching my DHCP to a Mikrotik CCR1009, both the AP7920 and AP7921 failed to get IP addresses. The APC7921 would look bounce between waiting and offered states like this:

The cause is the need of DHCP Option 43 (Vendor Class Identifier) specified in RFC2132 – based on [WayBack] RFC 2131 – Dynamic Host Configuration Protocol and [WayBack] RFC 1533 – DHCP Options and BOOTP Vendor Extensions – which I found first via these links:

Read the rest of this entry »

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | 3 Comments »

Next Entries »

	Jeroen Wiert Pluimer… on Pie Comic by John McNamee: Mov…
	Attila Kovacs on Crowbarring Windows 95 into Wi…
	Jeroen Wiert Pluimer… on Does Odido (the old T-Mobile N…
	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘RouterOS’ Category

Some repositories with Mikrotik RouterOS Scripts (so no repos with API interfaces)

Mikrotik RouterOS scripting: for loops are a bit of getting used to

:for loop examples

Mikrotik RouterOS /ip firewall address-list timeout values sort-of documented

middelink/mikrotik-fwban: Use your Mikrotik firewall to do fail2ban like blocking of unwanted IPs. Written in Go

URLs for Mikrotik PCC load balancing

Mikrotik firewall URLs

URLs for Mikrotik scripts to block IP addresses after repetitive login failures

Mikrotik scripting language: a list of questions I had linking to the forum messages having answers

APC 7xxx models, DHCP Option 43 and Mikrotik DHCP servers

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘RouterOS’ Category

Rate this:

Share this:

:for loop examples

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this: