Nov 1 / Greg

Bulk Mikrotik Usermanager Import

The Mikrotik Usermanager is a RADIUS package you can optionally install on a router. This gives you the ability to locally or remotely authenticate users for: Hotspot, PPP, DHCP, Wireless, or RouterOS logins. It has some paypal/ integration, but the features are so limited I’d personally look at a different solution.

It is actually a decent system for small standalone VPN authentication (you can allow users to create/modify users without having to log in to the router itself). I recently had a need to bulk import users, but ran into some issues.

Customers are actually admins that log in to the administrative backend. Users are created to allow login to your various systems. When adding users you must specify a profile, and one doesn’t exist by default.

First create a default profile. After you have a profile, it will automatically be applied to new users created through the webpage…but what if you want to bulk import via CLI? When adding users via CLI there is no direct method to add a profile to a user, which means anyone added will be unusable (just fantastic).

The workaround I found is to create a template user via the web interface, then use the “copy-from” command via CLI. The copy-from command will copy the profile setting and apply it to your new users:

/tool user-manager user
add customer=admin disabled=no shared-users=2 username=MyUserName password=MyPassword copy-from=0
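
The copy-from workaround above applied to a whole user list, as an added example that is not part of the original post: a Python generator that turns a CSV into the CLI lines shown, quoting every username and password as a RouterOS string so that a double quote, backslash or dollar sign in a value cannot change the command. The CSV layout, function names and sample rows are assumptions; copy-from=0 assumes the template user is item 0, as in the post.

```python
import csv
import io
import os

# Constructed sample input (not from the original post); the second
# password contains characters RouterOS treats specially inside "...".
SAMPLE_CSV = '''username,password
alice,S3cret!pass
bob,"pa$$""word"
'''

def ros_quote(value):
    """Return value as a double-quoted RouterOS string literal."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in value: %r" % value)
    # Backslash first, so the escapes added next are not doubled.
    for ch in ('\\', '"', '$'):
        value = value.replace(ch, '\\' + ch)
    return '"' + value + '"'

def build_import(csv_text, customer="admin", template=0, shared_users=2):
    """Build the CLI lines; template is the template user's item number."""
    lines = ["/tool user-manager user"]
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("username") or "").strip()
        password = row.get("password") or ""
        if not user or not password:
            raise ValueError("row needs username and password: %r" % user)
        if user in seen:
            raise ValueError("duplicate username: %r" % user)
        seen.add(user)
        lines.append(
            "add customer=%s disabled=no shared-users=%d username=%s "
            "password=%s copy-from=%d"
            % (ros_quote(customer), int(shared_users), ros_quote(user),
               ros_quote(password), int(template)))
    return "\n".join(lines) + "\n"

def write_private(path, text):
    """Write the script owner-readable only; it holds cleartext passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

if __name__ == "__main__":
    print(build_import(SAMPLE_CSV), end="")
```

The generated text contains cleartext passwords, so delete it from the workstation and the router once the users are created.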

I think usermanager is good as a simple standalone manager that gives a web interface for simple administration. Any of you guys have opinions, thoughts, questions, let me know in the comments.

Oct 15 / thebrotherswisp

TheBrothersWISP 35 – Blocking ICMP, Wireshark/Mikrotik Packet Sniffer, Open Compute Networking

Greg, Tomas, and Alex do their best to pretend WISPAPALOOZA didn’t happen (since they were the only ones who didn’t get to go). This one is less news and more conversation/speculation.

This cast we talk about:
Budapest MUM
Unimus in open beta
Blocking ICMP
Using wireshark with Mikrotik Packet Sniffer
Using prefix-length in your route filters
Open Compute Project – Networking
Open Compute on packet pushers

    Keep contacting us

! or contact (at)

To see the video please visit the link below!!!

Oct 1 / thebrotherswisp

TheBrothersWISP 34 – 10Gb Wireless, Mikrotik Vs Ubiquiti Marketing/Use-case/User Experience, Breaches And DDoS

Greg, Tom, Tomas, Alex, and Andrew Cox talk about soooo many things. We get in a spirited debate about who uses Mikrotik and the ease of interface vs how marketing plays into the decision making process. It’s pretty amazing I gotta say. Warning, the end of days may be upon us…Tomas actually promoted QuickSet hehehehe.

Topics Include:
UBNT AircontrolV2 released out of beta
Vubiq HaulPass v10G
ELVA-1’s PPC-10G (10 Gbps Ethernet) millimeter wave radio links
Mikrotik 6.38rc7 LLDP support & Hardware STP on CRS
Mikrotik website redesign
Mikrotik V7 alpha 134
Mikrotik Scripting with SNMP
Yahoo hack
LeakedSource – useful for leak checking
KrebsOnSecurity DDoS


Sep 28 / Greg

Mikrotik RouterBOOT Changelog

A lot of us often forget that there is boot firmware on a Mikrotik router also. To upgrade, you go to:

/system routerboard upgrade

To view the changelog you can go here.

Sep 23 / Greg

Mikrotik Changelog 6.37

What’s new in 6.37 (2016-Sep-23 08:20):


There will be only one “wireless” package starting from RouterOS v6.37.


DFS configuration in RouterOS has been redesigned, now device looks at specified country settings (/interface wireless info country-info), and applies corresponding DFS mode for each frequency range automatically, making dfs-mode setting unnecessary.

Please, check that your frequencies work with corresponding DFS settings before upgrade.

*as you can see above they are making things far more clear these days.

!) console – dfs-mode setting does not exist any more and all scripts with such setting will not be executed;
!) dude – (changes discussed here:; – *Thrift reports some good things about the new version
!) dude – from now on dude will use winbox port and it will be changed automatically both in client loader and agent configuration;
!) ethernet – added new loop-protect feature for ethernet, vlan, eoip, eoipv6 interfaces, ; – *Need to do a little testing. Looks like “If I see my mac come back on the port, shut it down”
!) wireless – “wireless” package included in bundle “routeros” package;
!) wireless – “wireless-cm2” discontinued;
!) wireless – “wireless-rep” renamed to “wireless”; – *Everything has collapsed into a single package, very nice!
!) wireless – DFS option is removed, corresponding DFS mode for each frequency range applies automatically;
*) capsman – fixed kernel crash on cap while changing client-to-client forwarding;
*) capsman – report radio-name in registration table;
*) certificate – do not allow to remove certificate template while signing certificate;
*) console – hotspot setup show wrong certificate name;
*) defconf – fixed default configuration restore if virtual wireless interface were present;
*) defconf – fixed default configuration when wireless package is used;
*) defconf – using caps button now forces all wireless interfaces in caps mode;
*) dhcpv6 – improved interface status tracking;
*) dhcpv6 – reworked DHCP-PD server interface and route management;
*) dhcpv6 – update DUID when system-id changes (solves problem when cloned VM retains the same DUID);
*) dns – fixed crash when using regexp static dns entries; – *I didn’t realize you could use regex in DNS entries, need to look into it.
*) ethernet – added support for LAN9514 ethernet dongle;
*) ethernet – allow to force mtu value when actual-mtu is already the same;
*) ethernet – fixed loop-protect on bridged ports;
*) ethernet – fixed never ending loop in CDP packet processing;
*) ethernet – fixed rare kernel failure on non-switch ethernet reset;
*) ethernet – rb44ge now have disabled-running-check=no by default;
*) firewall – added additional matchers for firewall raw rules;
*) firewall – fixed time based rules on time/timezone changes (again);
*) gps – always check NMEA checksum if available;
*) health – do not show psu and fan information for passive cooling devices;
*) hotspot – show comments from user menu also in active menu;
*) ipsec – fixed crash with enabled fragmentation;
*) ipsec – fixed dynamic policy not deleted on disconnect for nat-t peers;
*) ipsec – fixed fragmentation use negotiation;
*) ipsec – fixed kernel crash when sha512 was used;
*) ipv6 – fixed RA and RS processing on new interfaces after many interfaces have lost link during prolonged operation;
*) ipv6 – improved system responsiveness when ipv6 routes are frequently modified;
*) ipv6 – show multiple neighbors with the same address;
*) kvm – fix add/remove of disabled interfaces;
*) kvm – fixed guest crashing when using mtu bigger than 1504;
*) l2tp – fixed kernel failure when fastpath handles l2tp packets;
*) leds – added option to disable all leds on RBcAP2n;
*) lte – added ability to send/receive sms using ‘/tool sms’;
*) lte – added dlink dwm-157 D, dwm-222 support;
*) lte – added huawei me909s variant;
*) lte – added initial deregistration only for bandrich modems;
*) lte – added logging for usb config switching;
*) lte – added Pantech UML295, Vodafone K4201-Z, ZTE MF823/MF831 support;
*) lte – added rndis for ZTE MF8xx;
*) lte – added support for more dlink dwm-222 configurations;
*) lte – added switch for Huawei K5160;
*) lte – added zte K5008-Z back; – *a lot of new devices added.
*) lte – adjusted usb config for dlink dwm-157 D;
*) lte – fixed at chat condition storage;
*) lte – fixed band setting for sxt lte;
*) lte – fixed band unsetting;
*) lte – fixed default channels for dlink dwm-157;
*) lte – fixed ip activation when CREG (circuit switched) state remains in not registered state;
*) lte – fixed setting correct lte band for sxt lte;
*) lte – process initial state change to deregistered, when lockup occurs;
*) lte – reset if sms storage set fails;
*) mpls – fixed memory leak;
*) mpls – fixed vpls throughput issues caused by out-of-order packets;
*) ntp – fixed ntp server when local-clock used (like usb gps module);
*) partitions – added ability to add comments;
*) ppp – use default-route-distance when adding ipv6 default route;
*) ppp,lte – pin is now converted to string argument;
*) pppoe – fixed disconnects by idle timeout when fastpath is used;
*) quickset – added 2GHz-g/n band support;
*) quickset – fixed guest reporting in “home ap dual” mode;
*) quickset – fixed wireless frequency fields in “home ap dual” mode;
*) rb3011 – fixed rare occasions when router would hang while loading kernel;
*) routing – improved kernel performance in setups with large routing tables;
*) sfp – enabled eeprom printout in /interface ethernet monitor;
*) sfp – fixed initial eeprom reading on CCR1036-8G-2S+ and CCR1072-1G-8S+;
*) sfp – removed “sfp-rate-select” as command was not relevant to currently supported hardware;
*) sms – moved incorrectly logged message from async to gsm topic;
*) sms – report error when unsupported modem is being used;
*) snmp – added script table which executes script and returns its output on get request; – *Wait…does this mean I can create a system script, and when I SNMP poll it, it will run the script, and return the result? That would be killer, but I can’t find any info on it; doesn’t seem to be anything under system script or ip snmp.
*) snmp – require write permissions for script run table access;
*) snmp – skip forbidden oids on getnext completion;
*) sstp – allow to specify proxy by dns name;
*) sstp – now supports TLS_ECDHE algorithms;
*) supout – fixed bug that could cause enormous size supout.rif files;
*) supout – improved crash report generation for tile architecture;
*) switch – added comment field for CRS switch VLANs;
*) traffic-flow – allow ipv6 src address to be optional;
*) traffic-flow – fixed IPFIX packet timestamp;
*) traffic-flow – fixed IPFIX wrong flow sequence;
*) trafficgen – add per stream packet count setting;
*) trafficgen – show out-of-order packet counters in stats printouts;
*) tunnel – fixed communication via tunnel to router itself if fastpath was active;
*) tunnel – fixed ipv6 link-local address adding for gre;
*) tunnel – increased minimal MRRU to 1500 for PPP interfaces;
*) tunnel – ipv6 link-local address is now generated from tunnel local-address;
*) usb – added support for SMSC95XX USB Ethernet dongle on mipsbe;
*) usermanager – fixed rare crash on paypal payment;
*) users – fixed script policy checking against user policies when running scripts;
*) webfig – do not crash if radius server does not give out encryption keys;
*) webfig – fixed certificate signing;
*) winbox – added auto refresh for BFD neighbors;
*) winbox – added comment field support for switch vlan menu;
*) winbox – added default-authentication parameter for wireless station modes;
*) winbox – added src-address field for traffic-flow target;
*) winbox – adjust on-event field dynamically depending on window size;
*) winbox – adjusted allowed values for http-proxy field;
*) winbox – disabled MRRU by default for PPP interfaces;
*) winbox – display actual-mtu for tunnels in interfaces window;
*) winbox – fixed disconnect when no windows were opened for a while in unsecure mode;
*) winbox – fixed multiline read only fields not displaying new line characters;
*) winbox – fixed raw firewall showing jump targets from filter chains;
*) winbox – hide ethernet flow control settings for interfaces which does not support them;
*) winbox – removed health menu from devices that do not support it;
*) winbox – removed L2MTU field for PPP interfaces;
*) winbox – removed L2MTU field from PPP server binding settings;
*) winbox – removed unset button for L2MTU field;
*) winbox – show firmware-type in routerboard window;
*) wireless – display DFS flag in country info;
*) wireless – improved driver support for RB953, hAP ac, wAP ac;
*) wireless – send deauth to data frames in scan mode.
*) wireless – updated brazil country settings;

Sep 20 / Greg

NANOG 68 Dallas – Are You Going?

I plan to attend my first NANOG…any of you guys going to be there? I figured since I won’t know anyone there I’d try and make some friends ahead of time. Anyone interested in saying hello?

Sep 20 / Greg

CME Auto Dial – The Batphone

I needed to have a simple two phone system whereby if a phone was picked up, it would autodial an ATA. This is for an alert system at an airport. The ATA is auto answered by a PA system that sounds an alarm and allows speech to be blasted. If you search on eBay for “Cisco CME”, you will see a myriad of inexpensive preloaded routers running CallManager Express for around $75. With this you pair a cheap phone/ATA, and away you go.

For one thing, I always forget the default URL for CallManager Express; it is http://IPAddress/ccme.html. Now I will remember it forever!!!

Once you add your phones, check for the “ephone-dn” associated with the handset’s extension. Then you add the trunk command to it using the extension of the ATA.
Phone extension is 201
ATA extension is 301

ephone-dn  10  dual-line
 trunk 301

It’s just that simple. Now when the phone handset is picked up it will auto call the ATA.