MikroWizard is designed to help MikroTik users monitor and manage their routers from an IT administrator's viewpoint. Beyond being merely a monitoring and management tool, it functions as a complete management solution that offers PAM-like capabilities specifically for MikroTik devices.
Before developing MikroWizard, which originated from a customer request, I explored existing central management software for MikroTik devices. While "Dude" and other free or commercial tools are available, they didn’t meet my requirements. Many commercial options looked promising but posed security concerns, as trusting a cloud provider to access our network—or relying on the internet for server access—was not an acceptable risk, and they did not offer what I was actually looking for.
Here’s what I was searching for in MikroTik management:
✔ The ability to manage all users who access MikroTik devices, including coworkers, admins, support center staff, customers, and even IT administrators themselves.
✔ A logging system to track all actions performed by admins, customers, and support operators on the router, with historical data showing who made changes and when—similar to the logs provided in PAM solutions.
✔ Centralized creation and editing of system users and groups.
✔ Scheduled firmware updates without requiring internet access on MikroTik routers.
✔ A syslog grabbing and storage feature with filtering and search capabilities.
✔ A centralized, reliable backup solution with differential backups and scheduling options.
Hi All,
I want to set up WireGuard VPN for remote work with 2 MikroTik routers: “home router” and “travel router”. Could you review my hardware and config?
Requirements:
- “Home router” is connected to the internet in my home
- “Travel router” will be traveling with me.
- It should be possible to connect a “travel router” to any available internet - phone tethering (most often), another router, WIFI
- Traffic from any devices connected to the "travel router" should be visible as traffic from my “home router”.
- “Home router” will be connected to the router with dynamic public IP
8291/tcp Winbox
band (2ghz-b | 2ghz-b/g | 2ghz-b/g/n | 2ghz-onlyg | 2ghz-onlyn | 5ghz-a | 5ghz-a/n | 5ghz-onlyn | 5ghz-a/n/ac | 5ghz-onlyac | 5ghz-n/ac; Default: ) Defines set of used data rates, channel frequencies and widths.
channel-width (20/40/80/160mhz-Ceeeeeee | 20/40/80/160mhz-XXXXXXXX | 20/40/80/160mhz-eCeeeeee | 20/40/80/160mhz-eeCeeeee | 20/40/80/160mhz-eeeCeeee | 20/40/80/160mhz-eeeeCeee | 20/40/80/160mhz-eeeeeCee | 20/40/80/160mhz-eeeeeeCe | 20/40/80/160mhz-eeeeeeeC | 20/40/80mhz-Ceee | 20/40/80mhz-eCee | 20/40/80mhz-eeCe | 20/40/80mhz-eeeC | 20/40/80mhz-XXXX | 20/40mhz-Ce | 20/40mhz-eC | 20/40mhz-XX | 40mhz-turbo | 20mhz | 10mhz | 5mhz; Default: 20mhz) Use of extension channels (e.g. Ce, eC etc) allows additional 20MHz extension channels and if it should be located below or above the control (main) channel. Extension channel allows 802.11n devices to use up to 40MHz (802.11ac up to 160MHz) of spectrum in total thus increasing max throughput. Channel widths with XX and XXXX extensions automatically scan for a less crowded control channel frequency based on the number of concurrent devices running in every frequency and chooses the “C” - Control channel frequency automatically.
First create an interface list for all user/customer interfaces: //
Last, apply the bridge filter to the forward chain to catch traffic moving through the bridge.
#this filter rule will block DHCP servers
/interface bridge filter
add action=drop chain=forward in-interface-list=customers ip-protocol=udp mac-protocol=ip src-port=67
If the device has a default or existing configuration that requires replacement, it is necessary to initiate a configuration reset.
This involves applying a clean, empty configuration using the command /system/reset-configuration no-defaults=yes, followed by a device reboot. //
For example, load saved configuration file
[admin@MikroTik] > import address.rsc
Opening script file address.rsc
Script file loaded and executed successfully
[admin@MikroTik] >
- verbose Reads each line from the file and executes individually, allowing to debug syntax or other errors more easily.
- dry-run Simulates the import without making any configuration changes. This helps in catching syntax errors. This option is only available in verbose mode.
RouterOS allows resetting configuration with the /system reset-configuration command //
The backup file of the existing configuration is stored before reset. That way you can easily restore any previous configuration if the reset is done by mistake.
If the router was installed using Netinstall and had a script specified as the initial configuration, the reset command executes this script after purging the configuration. To stop it from doing so, you will have to reinstall the router.
It is possible to override the default reset behavior with the parameters below:
- keep-users Do not remove existing users from the configuration
- no-defaults Do not load the default configuration, just clear the configuration
Depending on the router model, different Quickset modes might be available from the Quickset dropdown menu:
- CAP: Controlled Access Point, an AP device, that will be managed by a centralized CAPsMAN server. Only use if you have already set up a CAPsMAN server.
- CPE: Client device, which will connect to an Access Point (AP) device. Provides option to scan for AP devices in your area.
- HomeAP: The default Access Point config page for most home users. Provides fewer options and simplified terminology.
- HomeAP dual: Dual band devices (2GHz/5GHz). The default Access Point config page for most home users. Provides fewer options and simplified terminology.
- Home Mesh: Made for making bigger WiFi networks. Enables the CAPsMAN server in the router, and places the local WiFi interfaces under CAPsMAN control. Just boot other MikroTik WiFi APs with the reset button pressed, and they will join this HomeMesh network (see their Quick guide for details)
- PTP Bridge AP: When you need to transparently interconnect two remote locations together in the same network, set one device to this mode, and the other device to the next (PTP Bridge CPE) mode.
- PTP Bridge CPE: When you need to transparently interconnect two remote locations together in the same network, set one device to this mode, and the other device to the previous (PTP Bridge AP) mode.
- WISP AP: Similar to the HomeAP mode, but provides more advanced options and uses industry standard terminology, like SSID and WPA.
This week there was an unfortunate outage on the mynetname.net Dynamic Domain Name Service (DDNS) that MikroTik hosts for free to their customers. Many MikroTik users all over the world rely on this service for remote access to their MikroTik infrastructure. Official documentation is here: https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#DDNS
I thought it would be useful to share what I learned about how RemoteWinBox solves this problem for its customers, so that you too can roll your own remote access to your MikroTiks!
All MikroTik devices come with some kind of default configuration. There are several different configurations depending on board type:
CPE Router;
LTE CPE AP router;
AP Router (single or dual-band);
PTP Bridge, W60G Bridge (AP or CPE);
WISP Bridge (AP in ap_bridge mode);
Switch;
IP Only;
CAP.
You can run the command /system default-configuration print to see the exact applied default configuration commands.
RouterBOOT can be upgraded from RouterOS by:
Run command
system/routerboard/upgrade
Do you really want to upgrade firmware? [y/n]
system reboot
Every ROS version has a new RouterBoot version included in it, once you perform a ROS upgrade we always recommend upgrading RouterBoot also.
RouterOS allows exporting and importing parts of the configuration in plain text format. This method can be used to copy bits of configuration between different devices, for example, clone the whole firewall from one router to another.
An export command can be executed from each menu (resulting in configuration export only from this specific menu and all its sub-menus) or from the root menu for complete config export and is available for CLI only. //
compact Output only modified configuration, the default behavior
file Export configuration to a specified file. When the file is not specified export output will be printed to the terminal
show-sensitive (yes|no; Default: no). RouterOS version 7 only Show sensitive information, like passwords, keys, etc.
terse With this parameter, the export command will output only configuration parameters, without defaults.
verbose With this parameter, the export command will output whole configuration parameters and items including defaults. //
I have had the same problem with a couple of Disc lite5.
After setting device as ap-bridge, it becomes invisible to winbox and ping.
Station side, I could connect to bridge-ap only by MAC.
AP side wise, ap-bridge was completely invisible.
Comparing setups I have found that interface list of station-bridge is fine but interface list of bridge-ap misses "bridge".
Add manually "bridge" and set as LAN.
After that, ap-bridge is fully available from both sides by IP or MAC.
To redirect specific requests to a specific address on the internal network, use dst-nat, follow the steps below:
how easy it is to set up an IP tunnel between two locations. This will allow you to access files on a server and share printers between two locations, no matter how far apart. In addition, it enhances data security by encrypting packets as they travel through the tunnel. To accomplish this task, you will need two Mikrotik routers, one at each location, and two public IP addresses.
While having a rugged router at the core of your network is highly recommended, the security settings required to keep the network behind it fully secured can never be overemphasized. In this post, we will look at 9 settings required on a Mikrotik router to keep the network secured.
We can redirect DNS requests on Mikrotik to the IP address on the LAN interface of the Mikrotik router, assuming we want the Mikrotik router to serve as the DNS server for all connected LAN users, or to the IP address of a locally hosted DNS server. There are many reasons for doing this; topmost on the list is security.
A. Force Redirect to OPENDNS (without PI hole)
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp
B. Force OPEN DNS (via PI hole)
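/ip firewall nat
# Send all LAN DNS queries (TCP and UDP port 53) to the Pi-hole at 10.0.0.31
# Assumes the Pi-hole's own upstream lookups are not caught by these rules (e.g. exclude it with src-address=!10.0.0.31)
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=dst-nat to-addresses=10.0.0.31 to-ports=53
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=dst-nat to-addresses=10.0.0.31 to-ports=53
# Hairpin NAT so clients on the same subnet as the Pi-hole receive replies via the router
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.0/24 action=masquerade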