March 2026
M	T	W	T	F	S	S
	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31

Archive for the ‘routers’ Category

IPv6 on Mikrotik URLs

Posted by jpluimers on 2017/06/15

I need to really put some effort in this:

–jeroen

Posted in Internet, MikroTik, Power User, routers | Leave a Comment »

Mikrotik firewall URLs

Posted by jpluimers on 2017/06/14

Some links that inspired me for various Mikrotik firewall rules:

Source: Dstnat rules – server logs reporting access from router’s IP – MikroTik RouterOS
Source: Securing New RouterOs Router – MikroTik Wiki
Source: Hardening of Mikrotik devices | ServeTheHome and ServeThe.Biz Forums
Securing RouterOS router EASY GUIDELINE TO PROTECT YOUR MIKROTIK ROUTEROS ROUTER
Mikrotik Security – GregSowell.com
- Source: Mikrotik Tutorials | Greg Sowell Consulting
- Source: Mikrotik Border Router Firewall Script | Greg Sowell Consulting
- Source: Mikrotik Video Tutorial | Greg Sowell Consulting
Source: Manual:IP/Firewall/Address list – MikroTik Wiki (does not work from Manual:IP/Services – MikroTik Wiki)
Source: .baratev | Optimization and Hardening Mikrotik RouterOS

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

URLs for Mikrotik scripts to block IP addresses after repetitive login failures

Posted by jpluimers on 2017/06/13

For my research list:

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

Mikrotik – splitting your local LAN so you can assign different gateways and DNS servers by the DHCP server

Posted by jpluimers on 2017/06/09

When you want your Mikrotik DHCP Server handout different gateways (or DNS/WINS/NTP/.. servers and other settings), many of the answers tell you to fiddle with the DHCP networks like DHCP Server different gateways – MikroTik RouterOS [WayBack] but lack concrete examples, so here we go elaborating a lot on DHCP server with static leases – MikroTik RouterOS [WayBack]:

Read the rest of this entry »

Posted in Internet, MikroTik, Power User, routers | Leave a Comment »

Mikrotik scripting language: a list of questions I had linking to the forum messages having answers

Posted by jpluimers on 2017/06/08

The RouterOS scripting language you can use on Mikrotik device immediately shows it’s origin: the console.

It is a statement oriented language where statement separators can be both semicolons and new-lines.
You can use the \ at the end-of the line as line-continuation character effectively spreading statements over multiple lines.

As promised some links to questions I asked:

What parts of scripts can be ran from the console? – MikroTik RouterOS
The answer teaches about scope and locality on the console.
Difference between `[]`, `{}` and `()` expressions? – MikroTik RouterOS
Their positioning can be tricky:
Bug? How can I create an empty associative array, then fill it to map strings to strings? – MikroTik RouterOS
This is how you do it:
:global convert ({});
Is there a good way to sync a local directory from the scripts that a Mikrotik has? – MikroTik RouterOS
No there isn’t. There is a way to sync /system script entries to the file system, but due to a stupid 4096 length string export issue (causing the dreaded “failure: new contents too long” error), scripts longer than 4096 bytes will not even be written truncated. Since LUA got ditched and never re-introduced, LUA is not a workaround either and splitting into multiple files is impractical.
This one-liner will show you length+name of all your /system script` entries:
:foreach scriptId in [/system script find] do={ :local scriptSource [/system script get $scriptId source]; :local scriptSourceLength [:len $scriptSource]; :local scriptName [/system script get $scriptId name]; :put "$scriptSourceLength bytes: '$scriptName'" }
a

Some questions by others that were also extremely useful:

Functions and function parameters – MikroTik RouterOS
new function syntax, much simpler than the old syntax in Functions in CMD Scripts – MikroTik RouterOS that hopefully someone someday will convert to the new syntax.
Functions and function parameters – MikroTik RouterOS
:typeof can return “nothing”
Functions and function parameters – MikroTik RouterOS
Fragment that adds all scripts named “Function.*” as :global functions upon system startup.
Declare those functions when you need them, just like in the nested-function example.
run script from terminal – MikroTik RouterOS
this is in fact very simple:
it also has the benefit that the terminal does tell you on which line and column your script is wrong (Winbox does not show that during execution):
[Solved] Use of externally defined global variables inside import scripts, – MikroTik RouterOS
It’s better to pass information to functions as parameters (named parameters make code a lot more readable than positional parameters).
Return IP Octet Function – MikroTik RouterOS
Parses an IP octet and returns either a specific or all octets. More elaborate: Mikrotik Scripting – Function to Split an IP Address into an Array | Paper Street Online
Note you can use bitwise operators on octets.
How do you clear a global variable? – MikroTik RouterOS
List all global variables using /system script environment
Unset a variable with a play :set variableName
Array Pop Function – MikroTik RouterOS
Array Push Function – MikroTik RouterOS
Basic XML/string parser function – MikroTik RouterOS
Function getBetween(inputString, betweenStart, betweenEnd)
Using :find command where string is not found – MikroTik RouterOS
:if ([:len [:find "abcd" "x"]] > 0) do={:put "Found";} else={:put "Not Found";};
Manual:Configuration Management – MikroTik Wiki
When you upload a script over ftp and have it end with auto.rsc, then it is automatically being executed and logged. For instance a file called anything.auto.rsc will have the log written to anything.auto.log.
I did it! Script to compute UNIX time! – MikroTik RouterOS
Understanding scripting data types – MikroTik RouterOS
:typeof, nil, nothing, str, :parse vs new-style functions (:parse can be faster!)
Simple HTTP GET? – MikroTik RouterOS
Some escaping required…
It is not possible to exit or break a loop statement – MikroTik RouterOS so if you want to break a :for loop early, you have to recode it into a :while loop. You can :return from a function when inside a loop, but that’s not the same (for instance compare C# break versus return or Delphi break versus exit).
:for loops are a strange beast so I will elaborate on those in a separate post.

And a few observations:

Functions do not need to be global. The RouterOS Scripting Manual paragraph on functions shows an example with :global that works just as fine with :local
```
:local myFunc do={:put "hello from function"} 
$myFunc
 
# output: 
# hello from function
```
a

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | 1 Comment »

APC 7xxx models, DHCP Option 43 and Mikrotik DHCP servers

Posted by jpluimers on 2017/06/07

When switching my DHCP to a Mikrotik CCR1009, both the AP7920 and AP7921 failed to get IP addresses. The APC7921 would look bounce between waiting and offered states like this:

The cause is the need of DHCP Option 43 (Vendor Class Identifier) specified in RFC2132 – based on [WayBack] RFC 2131 – Dynamic Host Configuration Protocol and [WayBack] RFC 1533 – DHCP Options and BOOTP Vendor Extensions – which I found first via these links:

Read the rest of this entry »

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | 3 Comments »

Reminder to self: when your PPTP server is behind a NAT, forward both GRE protocol and TCP port 1723

Posted by jpluimers on 2017/06/06

The WAN sides of my Mikrotik CCR1009 are partly behind Fritz!Box routers that do NAT and contain a truckload of port-forwards.

A while ago, I wanted the CCR1009 to do PPTP as Fritz!Box 7360 and 7490: static routes over VPN don’t work (so I could only VPN to the WAN side of the CCR1009). However, it would not pass through the Fritz!Box from the outside.

It appears you need to forward both:

TCP Port 1723 for the authentication/control part of the connection
GRE protocol to encapsulate the actual tunnel

Maybe one day I will ditch the Fritz!Box 7490 and directly hookup the Mikrotik to the NTU: xs4all ftth en Mikrotik router – Google Groups.

But preferably I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)

–jeroen

via: VPNs einrichten mit PPTP – administrator.de: Achtung mit PPTP VPN Servern hinter NAT Firewalls !

Forward both PPTP TCP port 1723 and the GRE protocol

Posted in Fritz!, Fritz!Box, Fritz!WLAN, Internet, IPSec, MikroTik, Network-and-equipment, Power User, PPTP, routers, VPN | Leave a Comment »

This is why nobody upgrades their consumer IoT, router, etc firmware…

Posted by jpluimers on 2017/06/02

Just one example; it applies to virtually all consumer IoT and routers I know: upgrading is hard especially if it’s undocumented on how to keep your configuration.

Can someone please explain upgrading tomato firmware? | LinksysInfo.org
RT-N66U: Upgrade Shibby 95 to 97 howto – TomatoUSB [WayBack]:
- Download the one you want to upgrade to. Go to the upgrade menu from the one you already installed. Browse to where you downloaded the one you want to upgrade to and select it. Also make sure you check “erase NVram” and then click upgrade. When it is done, your “user name” and “password” will be “admin”. Then configure by hand/manually to what you want. Hope that helps.
Tomato by shibby – upgrade procedure and cfg backup | LinksysInfo.org

–jeroen

Posted in Internet, IoT Internet of Things, Power User, routers, TomatoUSB | Leave a Comment »

Mikrotik – Choosing your SFP/SFP+ modules and direct access cables

Posted by jpluimers on 2017/05/09

For hooking up SFP and SFP+ ports on Mikrotik devices you basically have two options:

Direct Access Cable (passive and affordable for 1 and 2 meters; active and more expensive for more than 3 meters)
SFP/SFP+ modules with LC-LC optic fiber cable in between them (pairs of modules are more expensive than passive DAC, but the fiber is a lot cheaper)

Choosing the SFP/SFP+ modules is a bit intimidating as the MikroTik SFP module compatibility table – MikroTik Wiki has very few details.

Then I found sfp_all-150601132341.pdf (archived) which lists many of the SFP and SFP+ modules including their specifications.

Since neither the matrix nor the PDF contains links to the products, here is a small list of what I could source last year and is compatible with both the CCR1009 routeres and CRS226 switches:

DAC allowing for two-way traffic compatible with both SFP and SFP+:
- S+DA0001: SFP+ 1m direct attach cable
- S+DA0003: SFP+ 3m direct attach cable
10G SFP+ modules (I think they are compatible with SFP as well):
- S+2332LC10D: bidirectional kit of 2 modules (a pair of S+23LC10D and S+32LC10D)
- S+85DLC03D: compatible with LC optical fiber cable
- S+31DLC10D: compatible with LC optical fiber cable
1G SFP modules:
- S-85DLC05D: compatible with LC optical fiber cable
- S-31DLC20D: compatible with LC optical fiber cable
- S-3553LC20D bidirectional kit of 2 modules (a pair of S-35LC20D and S35DLC20D)
- S-RJ01: compatible with RJ45 copper

–jeroen

via: Connect CCR1009 with CSR226 over a longer distance than 3 meter – MikroTik RouterOS

Posted in Internet, MikroTik, Power User, routers | Leave a Comment »

Some links for MikroTik tips and scripts

Posted by jpluimers on 2017/04/25

MikroTik has great hardware, but getting things to work can be a bit ehm intimidating.

So here are some links that were useful getting my CCR1009 and CRS226 configurations to do what I wanted.

Saving your configuration (two possibilities: binary backup file which only works on the same physical model device, or text based configuration export script that you can import back to any model).
- When you import a configuration, those settings are added to your current configuration.
- If your configuration gets more complex, it pays to split the textual exports into logical blocks so you can import each of them individually.
- You can even put the downloaded exports into a version control system like Git or SVN.
- The exported configurations are stored in the file system. You cannot manually rename these files, but there is a scripting trick to perform the rename.
- You can download the exported configurations from the UIs in webfig, winbox or through sftp after configuring certificate logon.
Choosing ports for WAN and LAN
- On the CCR1009, the first 4 ports can be used for switching (see also other ref), so it makes sense using those for LAN and others for WAN as it can increase speed: CCR 1009 switch chip menu – MikroTik RouterOS
  - Just look at the block diagrams of the various CCR1009-8G-1S models (currently CCR1009-8G-1S-PC, CCR1009-8G-1S-1S+, CCR1009-8G-1S-1S+PC) as they all have the first four ports connected to an Atheros 8327 Gigabit Switch chip.
  - All ports of the CRS226 models (CRS226-24G-2S+RM and CRS226-24G-2S+IN) are connected through the combined QCA8519-AC2C switching and CPU chip).
  - Note that the switching chips won’t allow for Torch. But you can find the MAC addresses per physical switch ports in the unicast FDBs: Switch -> Unicast FDB shows you every mac and the physical port it is connected to.
Never ever use the domain named .local for your local domain if you have Apple devices in your network:
- .local is a reserved dns domain by the apple os and should not be used if you expect apple devices to work as expected.
Many people like Winbox because they prefer visual configuration. Others like the web or terminal interface better (the terminal is especially useful for scripts)
- Windows Winbox: MikroTik Routers and Wireless: Downloads
- Mac OS X Winbox: “Winbox” by MikroTik with Wine in order to make it usable on Mac – Joshaven.com
Manual:First time startup – MikroTik Wiki (default password for admin is empty; WinBox and web-interface are available on WAN *and* LAN interfaces!)
- Mikrotik Howto block Winbox Discovery + Limit Winbox Access | Syed Jahanzaib Personal Blog to Share Knowledge !
One of the first things I did was binding some ports to use LAN and others to use WAN. The LAN ports are in a bridge: Configure one port for WAN and others for LAN – MikroTik RouterOS
Manual:IP/DHCP Server – MikroTik Wiki and Manual:IP/Pools – MikroTik Wiki
- I had a lot of DHCP entries on my LAN before switching to the MikroTik for which some I wanted to add statically. Couldn’t find out how to do that in the IP pool, but it appeared there is a different way to do it:
  - Assign fixed / static IP address via Mikrotik DHCP server
  - Notes:
    1. the MAC address cab be either (:) separated or minus (-) separated. And yes: there is a RegEx for that.
    2. usually you don’t pass the client-id (it’s here just as an example that you could use it, but most DHCP clients do NOT use a client-ID, as they only use the MAC address)
  - /ip dhcp-server lease add address=192.168.100.10 mac-address=70:F1:A1:D1:49:49 client-id="client10"
Manual:IP/DNS – MikroTik Wiki
- If you use the MikroTik as a caching DNS server, then you need to enable “/ip dns set allow-remote-requests=yes”, but also immediately disable DNS TCP and UDP on all your WAN ports. See:
  - Client DNS issue (reddit)
  - Firewall filter rules for DNS – MikroTik RouterOS
  - /ip firewall filter add chain=input protocol=tcp dst-port=53 action=drop in-interface=!bridge_lan add chain=input protocol=udp dst-port=53 action=drop in-interface=!bridge_lan
  - If you run your internal DNS servers for the outside world, modify the rules to forward non non-LAN ports; see https://www.youtube.com/watch?v=X-wkLYKYaj8: How to redirect DNS to own DNS server using mikrotik routerboard
  - You can add statis DNS entries to your caching server; see https://www.youtube.com/watch?v=zDEx7TxCm1s: Mikrotik Training- Static DNS Entries (With Closed Captioning)
nslookup on the Mikrotik itself is called put[: resolv ...] syntax: nslookup on Mikrotik – MikroTik RouterOS
- Examples (first uses the internal DNS, second one one of the Google DNS servers):
  - put [:resolve shell.xs4all.nl]
  - put [:resolve shell.xs4all.nl 8.8.8.8]
  - put [:resolve 194.109.21.9]
tolaris.com · Synchronising DHCP and DNS on Mikrotik routers (script available on Github: Tolaris/mikrotik-dns-dhcp).
- via MikroTik – Automatically creating DNS record for each DHCP lease/client – GeekTank
- alternatives:
  - Mikrotik DHCP to DNS hostnames | BLOG.MESOUUG.COM
  - Setting static DNS record for each DHCP lease – MikroTik Wiki
Hardening (since my Guest WiFi is outside of the Mikrotik LAN and WAN realm, I’ve left some things open, for instance MAC service is available, but on a limit set of interfaces):
- Router Hardening — Manito Networks
- Not sure if disabling Neighbour discovery is a good thing, as it will disable this from the console as well
  /ip neighbor print;
  - Mikrotik Howto block Winbox Discovery + Limit Winbox Access | Syed Jahanzaib Personal Blog to Share Knowledge !
- Blacklist Filter update script – MikroTik RouterOS
  - As the above is much better maintained it is preferred over Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Availalable GRATIS! – MikroTik RouterOS
Manual:Upgrading RouterOS – MikroTik Wiki
- http://web.archive.org/web/*/http://www.mikrotik.com/download/CHANGELOG_6
Manual:IP/Route – MikroTik Wiki (if you think routing is a massive topic, read about firewall rules).
Not sure this is a good idea, but you can get a DDNS address in the sn.mynetname.net domain and VPN to it (for instance using PPTP): Quick Set Home AP — How to use vpn provided? – MikroTik RouterOS
You need to setup both the clock (date/time) and SNTP in one step:
- Setup SNTP (Winbox) aka NTP (shell): /system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
  After a few seconds the Winbox will update the SNTP Client dialog and a few seconds later, the Clock dialog will also update itself.
Manual:IP/Firewall/NAT – MikroTik Wiki
- dstnat: Forwarding a port to an internal IP – MikroTik Wiki and https://www.youtube.com/watch?v=8sGL58AhQCQ:
  Mikrotik Training- Port Forwarding (With Closed Captioning)
- srcnat: getting NAT to work
- Hairpin NAT – MikroTik Wiki
- netmap vs srcnat/dstnat: IP Firewall rules, need help with optimization – MikroTik RouterOS
I like these ones as they use Winbox:
- Mikrotik – Setup – Powered by Kayako Help Desk Software
- Manual:Initial Configuration – MikroTik Wiki
Sharing Ideas … Mikrotik with Kannel/playSMS
- via: Mikrotik Related | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik Firewall / Short Notes + Scripts
Connect CCR1009 with CSR226 over a longer distance than 3 meter – MikroTik RouterOS
Graphing: ensure you only limit this to IP-addresses that you want graphs to be visible on (0.0.0.0/0 makes it visible to ALL): Manual:Tools/Graphing – MikroTik Wiki
DNS – MikroTik RouterOS: I would like to have my router to stop all the DNS coming from my clients and not reaching my ISP provider.
Email sending can now also use the DNS-name of the SMTP server: Why does the email server configuration only allow IP-addresses? – MikroTik RouterOS
Dynamic DNS Update Script for No-IP DNS for Router OS V.6.7 – MikroTik RouterOS
Script for Ransomware Tracker by abuse.ch. Tracking Ransomware Infrastructure around the globe. Source: How I fight ransomware (crypto viruses) with Mikrotik – MikroTik RouterOS
/ip firewall mangle add chain=prerouting action=change-ttl new-ttl=increment:1
very simple solution for a traceroute to Hide ip address – MikroTik RouterOS
Using staged address list to perform Bruteforce login prevention – MikroTik Wiki

Very advanced stuff:

Packet flow (maybe the toughest part to wrap your head around):

Manual:Packet Flow – MikroTik Wiki (with diagrams on RouterOS 6.x and 3.x can flow).
Manual:Packet Flow v6 – MikroTik Wiki (with updated RouterOS 6.x diagram).
New Packet flow diagram – Page 2 – MikroTik RouterOS (Visio / PDF version of an even newer diagram)

Scripts:

Load balancing:

Syntax highlighting:

Syntax highlighting and completions for Sublime Text – MikroTik RouterOS
- See also: mikrotik/editors/Sublime3 at master · martinclaro/mikrotik and mikrotik/editors/Sublime2 at master · martinclaro/mikrotik and Kentzo/MikrotikScript: Syntax highlighting and completions for the Mikrotik Scripting language for the Sublime Text editor
external editor syntax highlighting – MikroTik RouterOS (Notepad++, Textpad, VIM, EditPlus – look for the word Download and the .zip, .rar and .gz extensions)
- See also: mikrotik/syntax at master · olejor/mikrotik
Atom: language-routeros-script and ofstudio/atom-language-routeros-script: MikroTik RouterOS script language support in Atom
TextMate2: tiktuk / RouterOS.tmbundle — Bitbucket
GEdit: webpagetech/gedit-routeros: Mikrotik RouterOS code syntax highlighting for .rsc Files
Notepad++: jtroybailey/RouterOS-Notepad—Syntax-Highlighting: Syntax highlighting for routeros exports in notepad++

Pictures

CCR1009-8G-1S-1S+ General info & Questions – MikroTik RouterOS

Very well written blog:

Manito Network’s Mikrotik solutions blog. In-depth articles on Mikrotik routing, security, best practices, VPN, and more.

Source: Mikrotik — Manito Networks

Solutions for RouterOS-based Mikrotik networks. Includes security and best practices, VPN, routing, switching, and more.

Source: Mikrotik-1 — Manito Networks

–jeroen

Posted in DNS, Internet, IPSec, MikroTik, Network-and-equipment, OpenVPN, Power User, PPTP, routers, VPN | Leave a Comment »

« Previous Entries

Next Entries »

	Jeroen Wiert Pluimer… on Pie Comic by John McNamee: Mov…
	Attila Kovacs on Crowbarring Windows 95 into Wi…
	Jeroen Wiert Pluimer… on Does Odido (the old T-Mobile N…
	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘routers’ Category

IPv6 on Mikrotik URLs

Mikrotik firewall URLs

URLs for Mikrotik scripts to block IP addresses after repetitive login failures

Mikrotik – splitting your local LAN so you can assign different gateways and DNS servers by the DHCP server

Mikrotik scripting language: a list of questions I had linking to the forum messages having answers

APC 7xxx models, DHCP Option 43 and Mikrotik DHCP servers

Reminder to self: when your PPTP server is behind a NAT, forward both GRE protocol and TCP port 1723

This is why nobody upgrades their consumer IoT, router, etc firmware…

Mikrotik – Choosing your SFP/SFP+ modules and direct access cables

Some links for MikroTik tips and scripts

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘routers’ Category

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this: