ROS 6.50-alpha (migrační V7)

okoun · 2025-05-22T21:45:50+00:00

Ahoj, mám od podpory MK speciálně upravenou verzi 6.50 která umí přechod z verze 6 (extra balíky + malá paměť) na verzi 7. Pokud by měl někdo zájem mohu posk...

okoun

hapi no tak znovu
tohle je ten tvůj návod:

upgrade na v6.49.13 a nechat pouze balíčky system a wireless
    buď vložit v6.49.13 extra balíčky system a wireless a restartovat, pokud mám nainstalovanou verzi nižší než 6.49.13
    nebo pokud mám už 6.49.13 tak odinstalovat všechny ostatní balíčky kromě system a wireless
stáhnout 7.13.5 main balíček routeros a extra wireless který je v extra package (v zip) a vložit je do discu
restart
cca 3 minuty čekat
    vůbec neuškodí si vzít kýbl s hadrem na opocené čelo
    plánovat si v hlavě jak moc obtížná bude výměna jednotky
hotovo, main balíček a v7

problém je ovšem už v tom prvním "nechat pouze balíčky system a wireless" což my si nemůžeme dovolit dělat ve velkém protože přijdeme o komunikaci bez pppoe, takže proto mám řešení od MK, které umožní tam nechat všechny balíčky což je podstatná výhoda pro nás.
chlubení? nevím jaké, prostě kdo si napsal tomu jsem to dal, prostě je to neveřejná verze, která nemá co dělat na netu, nevím že to nechápeš 🙁

hapi

postup je potřeba pouze pro ARM. Vše ostatní má menší balíčky a hlavně větší uložiště takže to není třeba.

nikdo nezkoušel skok na v7.19? je tam nový package manager, možná dělá něco jinak a poměr velikosti balíčků systemu a wireless je příznivější.

okoun no a zkoušel jsi to? ppp je jenom o chloupek větší než třeba dhcp a upgrade s dhcp balíčkem na víc projde nebo třeba s ospf také projde.

svestka

poprosím o poslání, píši SZ s emailem. díky

sacnok

okoun Máši verzi pro mipsbe?

Je to jak píšeš, upgradoval SXT klientské jednotky, které mají IP z DHCP, takže bylo potřeba nechat i balíček DHCP, navíc po přechodu na verzi 6.49.13, do SXT nedalo dostat přes SSH, protože chyba certifikátu a byl potřeba ho přegenerovat, takže místo aby to bylo na chvíli, tak to bylo na 3 hodiny, s tím že zvažuji jestli to má cenu upgradovat na 7 verzi

Co používáte na hromadný upgrade FW pro Mikrotik?

petrs_

sacnok Mám. Jestli chceš, pošlu...

selic

Na ne ARM věcech kde jsou jednotlivé balíčky verze 6.49.18 (advanced, dhcp, security, system, wireless, ipv6) stačí přetáhnout balíček routeros 16.1 a wireless 16.1. a pak po upgrade už nahrát poslední verzi přes packages.
Fungovalo to na SXT SA, SXT, RB9xx, RBM11, RBM33.

okoun

hapi ano zkoušel jsem to, proto jsem psal na ten suport aby našli nějaké jiné řešení....
někde mi prošel dhcp a někde také ne, fakt záleželo na každém kB
řekl bych že to časem vydají jako ofíko a bude pokoj...

aahz

Já před týdnem narazil u Cube 60G ac (CubeG-5ac60ad):
Factory FW: 6.47.6
Current SW+FW: 6.49.5
upgrade -> 6.49.13 jen system+wireless
upgrade -> routeros-7.19.1-arm.npk + wireless-7.19.1-arm.npk = no space
downgrade -> routeros-arm-6.49.13.npk = no space
downgrade -> 6.47.6 jen system+wireless
downgrade -> routeros-arm-6.47.6.npk = no space

soban

Například já na hap ac2 nemůžu používat balíček wifi-qcom-ac jednoduše proto že po nainstalování mi zůstane kolem free HDD 50 KiB no a normální provoz to sežere vše a konec, nejde nic nastavit, ani smazat vždy hláška že není místo, a nijak jsem nemohl místo obnovit, netinstall to řešil.

Skoušel jsem to ještě párkrát a pokud tam není nahraná moje konfigurace tak je víc místa na HDD a nahraji ji a rázem nemám místo a to nemám nic složitého.

Takže pokud na starém zařízení není místo asi bych tam nechal poslední verzi 6.

Takže tam mám verzi 7 ovšem balíček wireless a zůstává mi:

[petr@router-bezrucova] > /system/resource/print uptime: 3w37m58s version: 7.19.1 (stable) build-time: 2025-05-23 14:27:17 factory-software: 6.44 free-memory: 39.3MiB total-memory: 128.0MiB cpu: ARM cpu-count: 4 cpu-frequency: 448MHz cpu-load: 1% free-hdd-space: 648.0KiB total-hdd-space: 16.0MiB write-sect-since-reboot: 32971 write-sect-total: 70629 architecture-name: arm board-name: hAP ac^2 platform: MikroTik

hapi

Výhod grafovani ifacu, cpu atd...

Máme na spoustu hAP ac2 qcom-ac a není problém.

soban

hapi Tak to přece funguje i v v6? Aspoň jsem to chvílemi používal.
Akorát tam musíš doinstalovat balíček advanced-tools.

Jinak jak říkám prostě nemám při qcom-ac dost volného místa a prostě časem se to kousne na nedostatek - prostě Free HDD Space = 0 - problém je že vše funguje ještě nějakou dobu, ovšem nejde nic dělat na vše hláška že není místo.

No tak tam mám staré wifi ovladače tam je víc místa na HDD a běží to bez problémů, jako domácí router to netřeba hrotit.

m4rk3J

Tohle je cAP ac používané jako AP řízené kontrolérem s wifi-qcom-ac ovladači. Už takhle je to využití hodně na hraně, takže přepokládám že pokud by to někdo využíval jako router a měl obsáhlejší konfig, narazí hodně brzy.

soban

Přesně mě s wifi-qcom-ac s konfigurací zůstane volné kolem 50KiB co za provozu se prostě dopracuji k 0 :-(

Teď mám volné 668KiB se starým ovladačem, konfigurace routeru (soubor) má 109KiB.

Kdyby tam nechaly nějaké balíčky které by se nemusely instalovat aby bylo místo, třeba routing, hotspot které doma nepotřebuji.

A nebo vyřešit rozšíření HDD u těch zařízení co mají USB a u těch které nemají že by se mohl použít nějaký sdílený HDD v síti.....

hapi

                   uptime: 3w3d4h45m33s       
                  version: 7.19.1 (stable)    
               build-time: 2025-05-23 14:27:17
         factory-software: 6.43.10            
              free-memory: 39.1MiB            
             total-memory: 128.0MiB           
                      cpu: ARM                
                cpu-count: 4                  
            cpu-frequency: 672MHz             
                 cpu-load: 3%                 
           free-hdd-space: 156.0KiB           
          total-hdd-space: 16.0MiB            
  write-sect-since-reboot: 32110              
         write-sect-total: 7314398            
        architecture-name: arm                
               board-name: cAP ac             
                 platform: MikroTik

pouze jako cap. Ale máme i hAP ac2 s qcom balíčkem s natem a chodí. Nechápu co máte v souboru konfigurace o velikosti 109KByte.

soban

Tak ji skoukni.......
`[petr@router-bezrucova] > /export

2025-06-20 00:31:59 by RouterOS 7.19.1

software id = Nxxxxx

model = RBD52G-5HacD2HnD

serial number = Bxxxxxx

/interface bridge
add admin-mac=C4:AD:34:57:E9:1C arp=proxy-arp auto-mac=no comment="Normalni klienti" igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes name=bridge
add comment=Host igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes name=bridge-host
/interface wireless
set [ find default-name=wlan1 ] ampdu-priorities=0,1,2,3,4,5,6,7 band=2ghz-b/g/n channel-width=20/40mhz-XX country="czech republic" disabled=no disconnect-timeout=10s distance=\
indoors frequency=auto installation=indoor mode=ap-bridge ssid=sofia-bezrucova wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] ampdu-priorities=0,1,2,3,4,5,6,7 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="czech republic" disabled=no disconnect-timeout=10s distance=\
indoors frequency=auto installation=indoor mode=ap-bridge skip-dfs-channels=10min-cac ssid=sofia-bezrucova wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] comment="spoj k DSL modemu" rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
/interface lte
set [ find default-name=lte1 ] comment="LTE zalo\C5\BEn\C3\AD modem"
/interface pppoe-client
add add-default-route=yes comment="DSL modem" disabled=no interface=ether1 keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=T-MOBILE user=adsl
/interface wireguard
add comment="Wireguard VPN" listen-port=33333 mtu=1412 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=host supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=C6:AD:34:57:E9:20 master-interface=wlan1 max-station-count=20 name=wlan3_Host security-profile=host ssid=Host-bezrucova38 wds-default-bridge=bridge-host \
wmm-support=enabled wps-mode=disabled
add disabled=no mac-address=C6:AD:34:57:E9:21 master-interface=wlan2 max-station-count=20 name=wlan4_Host security-profile=host ssid=Host-bezrucova38 wds-default-bridge=bridge-host \
wmm-support=enabled wps-mode=disabled
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr pfs-group=modp2048
/ip pool
add comment=Lan name=Lan ranges=192.168.10.100-192.168.10.200
add comment="Host Lot zarizeni" name=Host ranges=10.1.0.100-10.1.0.254
/ip dhcp-server
add address-pool=Host comment=Host interface=bridge-host lease-time=12h name=Host
add address-pool=Lan comment=Bridge interface=bridge lease-time=1d name=Lan
/ppp profile
set *0 use-upnp=no
set FFFFFFFE use-upnp=no
/queue tree
add max-limit=10M name=QoS_DSL packet-mark=no-mark parent=T-MOBILE priority=6 queue=pcq-upload-default
add name=QoS_LAN packet-mark=no-mark parent=bridge priority=7 queue=pcq-download-default
add name=QoS_LTE packet-mark=no-mark parent=lte1 priority=6 queue=pcq-upload-default
/routing bgp template
set default disabled=no output.network=bgp-networks
/system logging action
set 0 memory-lines=300
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=bridge
/ip smb
set enabled=no interfaces=bridge
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge-host interface=wlan3_Host
add bridge=bridge-host interface=wlan4_Host
/ip firewall connection tracking
set tcp-established-timeout=12h udp-stream-timeout=5m udp-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=LAN discover-interval=1m
/ip settings
set accept-source-route=yes rp-filter=strict tcp-syncookies=yes
/ipv6 settings
set max-neighbor-entries=4096 min-neighbor-entries=1024 soft-max-neighbor-entries=2048
/interface l2tp-server server
set allow-fast-path=yes default-profile=default l2tpv3-circuit-id=Bezrucova l2tpv3-cookie-length=8-bytes l2tpv3-ether-interface-list=LAN max-mru=1460 max-mtu=1460 use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add comment="Spoj k DSL modemu" interface=ether1 list=WAN
add comment="DSL Modem" interface=T-MOBILE list=WAN
add comment=Host interface=bridge-host list=LAN
add interface=lte1 list=WAN
add comment=Wireguard interface=wg0 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan3_Host list=LAN
add interface=wlan4_Host list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=20 list=WAN
/interface sstp-server server
set tls-version=only-1.2
/interface wireguard peers
add allowed-address=192.168.4.2/32 client-address=192.168.4.2/32 client-dns=192.168.10.1 client-endpoint=router-bezrucova.soban.cz comment="Client_redmi note 13" interface=wg0 name=\
petr_redmi_note_13 preshared-key="Yto=" private-key="8K0M=" public-key=\
"H8WTarTI=" responder=yes
add allowed-address=192.168.4.3/32 client-address=192.168.4.3/32 client-dns=192.168.10.1 client-endpoint=router-bezrucova.soban.cz comment=Notebook interface=wg0 name=HP_Olomouc \
preshared-key="cIUsN3I=" private-key="oUlXA=" public-key="l3U=" \
responder=yes
add allowed-address=0.0.0.0/0,192.168.1.0/24 comment=Olomouc endpoint-address=router-ipv4.soban.cz endpoint-port=33333 interface=wg0 name=Olomouc public-key=\
"DYCc="
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge network=192.168.10.0
add address=10.1.0.1/24 comment=LAN-Host interface=bridge-host network=10.1.0.0
add address=192.168.4.1/24 comment="Wireguard Interface" interface=wg0 network=192.168.4.0
add address=192.168.2.2/24 comment=modem interface=ether1 network=192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d update-time=no
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server config
set accounting=no interim-update=1d store-leases-disk=never
/ip dhcp-server lease
add address=192.168.10.10 comment=Rele1 mac-address=CC:50:E3:37:20:E3 server=Lan
add address=192.168.10.20 comment="VoIP telefon bezrucova" mac-address=80:5E:C0:1E:62:55 server=Lan
add address=192.168.10.30 comment="radio (rpi bezrucova)" mac-address=B8:27:EB:6F:3B:39 server=Lan
add address=192.168.10.200 client-id=1:30:c9:ab:94:bd:5c comment=Tiskarna mac-address=30:C9:AB:94:BD:5C server=Lan
add address=192.168.10.33 comment=ser2net mac-address=60:E3:27:72:6A:E2 server=Lan
add address=10.1.0.101 comment=Topeni mac-address=CC:8C:BF:3C:0E:0C server=Host
add address=10.1.0.102 comment="invertor wi-fi" mac-address=C4:5B:BE:4B:4C:B0 server=Host
add address=192.168.10.41 client-id=1:3c:e9:e:4c:8a:b8 comment=ESP32-1 mac-address=3C:E9:0E:4C:8A:B8 server=Lan
add address=192.168.10.42 client-id=1:d4:d4:da:5e:2d:38 comment=ESP32-2 mac-address=D4😃4😃A:5E:2D:38 server=Lan
add address=192.168.10.31 client-id=1:e8:fd:f8:ea:58:64 comment=modbus1 mac-address=E8:FD:F8:EA:58:64 server=Lan
add address=192.168.10.32 client-id=1:e8:fd:f8:ea:59:7e comment=modbus2 mac-address=E8:FD:F8:EA:59:7E server=Lan
add address=192.168.10.11 comment=Cidlo1 mac-address=84:0D:8E:AB:A1:6B server=Lan
add address=192.168.10.105 client-id=1:c:ee:e6:d7:67:eb comment="compaq notebook" mac-address=0C:EE:E6😃7:67:EB server=Lan
add address=192.168.10.110 client-id=1:74:d8:3e:cf:36:ef comment="notebook HP - Olomouc" mac-address=74😃8:3E:CF:36:EF server=Lan
add address=192.168.10.101 client-id=1:20:b:74:4f:19:f7 comment=Bezrucova-WIFI mac-address=20:0B:74:4F:19:F7 server=Lan
add address=192.168.10.100 client-id=1:74:56:3c:f6:fa:cf comment=Bezrucova-LAN mac-address=74:56:3C:F6:FA:CF server=Lan
add address=192.168.10.34 comment=ser2net_zaloha mac-address=60:E3:27:72:6A:E3 server=Lan
add address=192.168.10.220 client-id=1:0:4f:62:2d:13:da comment="AirLive N.MINI" mac-address=00:4F:62:2D:13😃A server=Lan
add address=192.168.10.201 client-id=1:b4:22:0:18:94:90 comment="Tisk\C3\A1rna_kabel" mac-address=B4:22:00:18:94:90 server=Lan
/ip dhcp-server network
add address=10.1.0.0/24 comment=Host dns-server=10.1.0.1 gateway=10.1.0.1 netmask=24
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24 ntp-server=192.168.10.1
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=bridge servers=192.168.10.3
/ip dns static
add address=192.168.10.1 comment="router Bezrucova IPv4 (lokalni)" name=router-bezrucova.soban.cz type=A
add address=192.168.2.1 comment="Modem DSL" name=modem.soban.cz type=A
add address=192.168.10.201 comment="tiskarna Bezrucova IPv4 (lokalni) Kabel" disabled=yes name=tiskarna.soban.cz type=A
add address=192.168.10.200 comment="tiskarna Bezrucova IPv4 (lokalni) WiFi" name=tiskarna.soban.cz type=A
add address=2001:1ae9:1009:e400:32c9:abff:fe94:bd5c comment="Tiskarna WiFi" name=tiskarna.soban.cz type=AAAA
add address=192.168.10.11 name=cidlo1.soban.cz type=A
add address=192.168.10.10 name=rele1.soban.cz type=A
add address=192.168.10.20 comment="Voip telefon bezrucova IPv4 (lokalni)" name=telefon-bezrucova.soban.cz type=A
add address=192.168.1.20 comment="VoIP telefon Olomouc IPv4 (lokalni)" name=telefon-olomouc.soban.cz type=A
add address=192.168.1.2 comment="switch Olomouc IPv4 (lokalni)" name=switch.soban.cz type=A
add address=192.168.1.1 comment="router Olomouc IPv4 (lokalni)" name=router.soban.cz type=A
add address=192.168.1.6 comment="NAS Olomouc IPv4 (lokalni)" name=nas.soban.cz type=A
add address=192.168.1.12 comment="HTPC Olomouc IPv4 (lokalni)" name=htpc.soban.cz type=A
add address=192.168.10.30 comment="radio bezrucova (rpi)" name=radio.soban.cz type=A
add address=192.168.51.1 comment="LTE Modem" name=ik40.home type=A
add address=127.0.0.1 comment=localhost name=localhost type=A
add address=::1 comment=localhost name=localhost type=AAAA
add address=192.168.10.41 comment=ESP32 name=esp1.soban.cz type=A
add address=192.168.10.42 comment=ESP32 name=esp2.soban.cz type=A
add address=192.168.10.4 comment="FVE Bezrucova" name=fve.soban.cz type=A
add address=192.168.10.31 comment=modbus1 name=modbus1.soban.cz type=A
add address=192.168.10.32 comment=modbus2 name=modbus2.soban.cz type=A
add address=192.168.10.100 comment="PC Bezrucova" name=bezrucova.soban.cz type=A
add address=192.168.10.105 comment="compaq notebook" name=compaq.soban.cz type=A
add address=192.168.10.33 comment=ser2net name=ser2net.soban.cz type=A
add address=192.168.10.220 comment="AirLive N.MINI" name=nmini.soban.cz type=A
/ip firewall address-list
add address=192.168.1.0/24 comment="lokalni IPv4 Olomouc" list=moje_ip
add address=192.168.10.0/24 comment="lokalni IPv4 bezrucova" list=moje_ip
add address=192.168.2.0/24 comment="Lokalni IPv4 modemu na bezrucove" list=moje_ip
add address=10.1.0.0/24 comment="Moje IP pro Hosty" list=moje_ip
add address=192.168.51.0/24 comment=LTE list=moje_ip
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=192.168.3.0/24 comment=Wireguard list=moje_ip
add address=192.168.4.0/24 comment=Wireguard list=moje_ip
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow Wireguard from All" dst-port=33333 protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface=wg0 protocol=udp
add action=accept chain=input comment="akcept IKE VoWIFI" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="akcept ESP" protocol=ipsec-esp
add action=accept chain=input comment="akcept AH" protocol=ipsec-ah
add action=accept chain=input comment="Moje IP OK" src-address-list=moje_ip
add action=accept chain=input comment="Pristup k routeru (ssh)" disabled=yes dst-port=801 protocol=tcp
add action=accept chain=input comment="WWW Mikrotik" connection-state=new disabled=yes dst-port=8585 protocol=tcp
add action=accept chain=input comment="Enable NTP z modemu WAN" dst-port=123 protocol=udp src-address=192.168.2.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="akcept IKE VoWIFI" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="akcept ESP" protocol=ipsec-esp
add action=accept chain=forward comment="akcept AH" protocol=ipsec-ah
add action=drop chain=forward comment="Host nem\C3\A1 p\C5\99\C3\ADstup do LAN" in-interface=bridge-host out-interface-list=!WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="Nen\C3\AD z lan drop" in-interface-list=!LAN
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU" new-mss=clamp-to-pmtu out-interface=wg0 protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface-list=WAN
add action=dst-nat chain=dstnat comment="VoIP (Telefon)" disabled=yes dst-port=8586 protocol=tcp to-addresses=192.168.10.20 to-ports=8586
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp4096,modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,3des hash-algorithm=sha256
/ip ipsec settings
set accounting=no
/ip route
add comment="Wireguard Olomouc" disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wg0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Olomouc disabled=no dst-address=192.168.1.0/24 gateway=wg0 routing-table=main suppress-hw-offload=no
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www address=192.168.0.0/16
set ssh port=801
set www-ssl certificate=Bezrucova_SERVER disabled=no port=8585 tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes tls-version=only-1.2
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 address
add address=::1 from-pool=Bezrucova interface=bridge
add address=::1 from-pool=Bezrucova interface=bridge-host
/ipv6 dhcp-client
add add-default-route=yes interface=T-MOBILE pool-name=Bezrucova request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU" new-mss=clamp-to-pmtu out-interface=wg0 protocol=tcp tcp-flags=syn
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
/ipv6 nd
set [ find default=yes ] mtu=1492
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=router-bezrucova
/system leds
add interface=T-MOBILE leds=user-led type=interface-status
/system note
set note="Mikrotik ve Zlatych Horach\r\
\n\r\
\n" show-at-cli-login=yes show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.255,10.1.0.255 enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=2.cz.pool.ntp.org
add address=3.cz.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add comment="Odeslani logu na email" disabled=yes interval=1d name="email log" on-event=email_log policy=ftp,read,write,policy,test,sniff,sensitive start-date=2021-12-30 start-time=\
06:00:00
add comment="Odeslat nastaveni na mail kazdy den" disabled=yes interval=1d name="mail zaloha nastaveni" on-event=mail_config policy=ftp,read,write,policy,test start-date=2021-12-31 \
start-time=01:00:00
add comment="Provede restart mikrotiku v 3:00 a zakaze se." disabled=yes interval=1d name=restart on-event="/system/scheduler/disable restart\
\n/system/reboot" policy=ftp,reboot,read,write,policy,test,sniff,sensitive start-date=1970-01-01 start-time=03:00:00
add comment="Spusteni ddns 1x za den" interval=1d name=ddns on-event=ddns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2021-12-30 start-time=\
02:00:00
add comment="Spusteni ddns 1x za den" interval=1d name="ddns IPv4" on-event=ddns_IPv4 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2021-12-30 \
start-time=02:05:00
add comment="Test PPPoE T-MOBILE" interval=5m name="Test PPPoE" on-event=test_pppoe policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-08-01 \
start-time=00:48:15
add comment="Provede restart mikrotiku v 3:30 a zakaze se." disabled=yes interval=1d name=restart2 on-event="/system/scheduler/disable restart2\
\n/system/reboot" policy=ftp,reboot,read,write,policy,test,sniff,sensitive start-date=1970-01-01 start-time=03:30:00
/system script
add comment="Smaze log" dont-require-permissions=no name=clear_log owner=petr policy=read,write source=\
"/system logging action set memory memory-lines=1\
\n/system logging action set memory memory-lines=300\
\n"
add comment="Odesle konfiguraci na mail" dont-require-permissions=no name=mail_config owner=petr policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/expor\
t show-sensitive file=zaloha.rsc\
\n:delay 10s\
\n/tool e-mail send from=\"<MikroTik\$[/system/identity/get name]@soban.cz>\" to=xxx@xxx.cz subject=\"Nastaveni MikroTik \$[/system/identity/get name] \$[/system/clock/get dat\
e]\" body=\"\$[/system/clock/get date] zaloha nastaveni MikroTik \$[/system/identity/get name]\" file=zaloha.rsc\
\n:delay 30s\
\n/file remove zaloha.rsc\
\n"
add comment="Odesle log na mail" dont-require-permissions=no name=email_log owner=petr policy=ftp,read,write,policy,test,sensitive source="#read log\
\n:local logcontent\
\n:foreach int in=[/log find ] do={\
\n:set logcontent (\"\$logcontent\r\n\".[/log get \$int time].\" - \".[/log get \$int message])\
\n}\
\n/tool e-mail send from=\"<MikroTik\$[/system identity get name]@soban.cz>\" to=xxxx@xxxxxx.cz subject=\"Log \$[/system identity get name] \$[/system clock get date]\" body=\$log\
content\
\n"
add comment="Update router-bezrucova.soban.cz" dont-require-permissions=no name=ddns owner=petr policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Updat\
e\
\n:local DDNSusername \"xxxxx\"\
\n:local DDNSpassword \"xxxxxx\"\
\n:local DDNSdomain \"xxxx.soban.cz\"\
\n:local DDNSupdatehost \"xxx.soban.cz\"\
\n:local DDNSport \"444\"\
\n:local DDNSupdatepath \"/soukrome/ddns.php\"\
\n:local outputfile (\"DDNS-\" . \$DDNSdomain . \".txt\")\
\n# Internal processing below...\
\n# ----------------------------------\
\n:local DDNSipv6addr\
\n# Get global IPv6 address\
\n:set DDNSipv6addr [/ipv6/address/get [/ipv6/address/find global interface=\"bridge\"] address]\
\n:set DDNSipv6addr [:pick [:tostr \$DDNSipv6addr] 0 [:find [:tostr \$DDNSipv6addr] \"/\"]]\
\n:if ([:len \$DDNSipv6addr] = 0) do={\
\n\
\n :log error (\"Could not get IPv6 global addresss\") \
\n :error (\"Could not get IPv6 global address\")\
\n}\
\n\
\n:log info (\"Updating \" . \$DDNSdomain . \" Client IPv6 address to new IP \" . \$DDNSipv6addr . \" ...\")\
\n\
\n/tool fetch mode=https \\
\n host=(\$DDNSupdatehost) \\
\n port=(\$DDNSport) \\
\n url=(\"https://\" . \$DDNSupdatehost . \":\" . \$DNSport . \$DDNSupdatepath . \"\?hostname=\" . \$DDNSdomain . \"&myip=\" . \$DDNSipv6addr . \"&mtyp=AAAA\") \\
\n user=(\$DDNSusername) \\
\n password=(\$DDNSpassword) \\
\n dst-path=(\$outputfile)\
\n\
\n:delay 5s\
\n:log info ([/file get (\$outputfile) contents]) \
\n/file remove (\$outputfile)"
add dont-require-permissions=no name=ddns_IPv4 owner=petr policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Update\
\n:local DDNSusername \"xxxxx\";\
\n:local DDNSpassword \"xxx1\";\
\n:local DDNSdomain \"xxxx.soban.cz\";\
\n:local DDNSupdatehost \"xxxxx.soban.cz\";\r\
\n:local DDNSport \"444\";\
\n:local DDNSupdatepath \"/soukrome/ddns.php\";\
\n:local WANinterface \"T-MOBILE\";\
\n:local outputfile (\"DDNS-\" . \$DDNSdomain . \".txt\");\
\n# Internal processing below...\
\n# ----------------------------------\
\n:local DDNSipv4addr;\
\n# Get WAN interface IP address\
\n:set DDNSipv4addr [/ip/address/get [/ip/address/find interface=\$WANinterface] address];\
\n:set DDNSipv4addr [:pick [:tostr \$DDNSipv4addr] 0 [:find [:tostr \$DDNSipv4addr] \"/\"]];\
\n:if ([:len \$DDNSipv4addr] = 0) do={\
\n :log error (\"Could not get IP for interface \" . \$WANinterface); \
\n :error (\"Could not get IP for interface \" . \$WANinterface);\
\n}\
\n:log info (\"Updating \" . \$DDNSdomain . \" Client IPv4 address to new IP \" . \$DDNSipv4addr . \"...\");\
\n/tool fetch mode=https \\
\n host=(\$DDNSupdatehost) \\r\
\n port=(\$DDNSport) \\
\n url=(\"https://\" . \$DDNSupdatehost . \":\" . \$DDNSport . \$DDNSupdatepath . \"\?myip=\" . \$DDNSipv4addr . \"&mtyp=A\" . \"&hostname=\" . \$DDNSdomain ) \\
\n user=(\$DDNSusername) \\
\n password=(\$DDNSpassword) \\
\n dst-path=(\$outputfile);\r\
\n:delay 5s\
\n:log info ([/file get (\$outputfile) contents]);\r\
\n/file remove (\$outputfile);"
add comment="Test PPPoE T-MOBILE down distance 5 up distance 1" dont-require-permissions=no name=test_pppoe owner=petr policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local HOST1 \"8.8.4.4\"\r\
\n:local HOST2 \"1.1.1.1\"\r\
\n:local RESPONSE1 [/ping \$HOST1 interval=1 count=3]\r\
\n:local RESPONSE2 [/ping \$HOST2 interval=1 count=3]\r\
\n:local DISTANCE [/interface/pppoe-client/get T-MOBILE default-route-distance]\r\
\n:if (\$RESPONSE1 = 0 && \$RESPONSE2 = 0) do={\r\
\n\r\
\n:if (\$DISTANCE = 1) do={\r\
\n:log error \"T-MOBILE is DOWN\"\r\
\n:log info \"Setting T-MOBILE Default route distance = 5\"\r\
\n/interface/pppoe-client/set T-MOBILE default-route-distance=5 }}\r\
\n:if (\$RESPONSE1 = 3 || \$RESPONSE2 = 3) do={\r\
\n\r\
\n:if (\$DISTANCE = 5) do={\r\
\n:log info \"T-MOBILE is UP\"\r\
\n:log info \"Setting T-MOBILE Default route distance = 1\"\r\
\n/interface/pppoe-client/set T-MOBILE default-route-distance=1 }}"
/system watchdog
set automatic-supout=no
/tool bandwidth-server
set enabled=no
/tool e-mail
set from=MikroTik@soban.czrouter_Bezrucova port=465 server=xxxx tls=yes user=xxxxxx
/tool graphing
set store-every=24hours
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=Pi_Hole disabled=no down-script=":log error \"ping 192.168.10.3 test failed\"\
\n/ip dns set servers=193.17.47.1,1.1.1.1" host=192.168.10.3 http-codes="" interval=1m name=DNS startup-delay=1m test-script="" type=simple up-script=\
":log info \"ping 192.168.10.3 test OK\"\
\n/ip dns set servers=192.168.10.3"
/tool sniffer
set file-name=voiptraf filter-operator-between-entries=and`

ef

Tak už druhá RB540Gx4 co nejde upgradovat.

ludvik

ef Ne jen druhá :-) Zjevně systémový problém ... Před pár dny jsem jednu zkoušel dokonce od 6.43.4. A musel jsem po malých krocích. Stejné chyby, rozdílná čísla.

6.43.4 -> 6.49.18 -> 7.6 -> 7.12.1 -> 7.14.2 -> 7.18.2 -> 7.19.1

Poslední krok jsem dělal dokonce dvakrát (na dvou rozdílných kusech!). V logu napsáno, že 7.19.1 installed. Ale nebyla tam! Winbox byl na 7.18.2, v resources také. Po rebootu a znovuinstalaci to už prošlo.

Ale měl jsem také jednu, kde jsem ten krok s 7.14.2 mohl vynechat. Hlava mi to moc nebere.

RB450G (tedy mispbe) ovšem prošel na první pokus 7.5 -> 7.19.1

petrs_

hapi
Hele to je možný... Však to bylo řečeno s nadsázkou. Nicméně po několika mailech, kdy tvrdili, že s tim nic nezmůžou, mi poslali opravu... A důležitej je výsledek...

5nik

Myslím, že zmíněnou opravu začlenily do 6.49.19:

system - fixed v6 to v7 upgrade from separate packages;

system - improved upgrade procedure reliability;

okoun

5nik tak potvrzuji, dnes jsem zkoušel na LHG 60 6.49.7 kde bylo spousta balíků
nahrál jsem tam extra balíky (ty samé) na v 6.49.19, prošlo to OK.
potom jsem tam dal verzi 7.19.1 i s bezdrátovým balíkem najednou, upgradovalo to dlouho, ale prošlo to bez problémů.

takže konečně vyřešeno 🙂

Další stránka »