Mikrotik Script

Here is a simple script which sends your IP address to your email; it saves you paying for a fixed IP service from your ISP, unless your case is different.

# last address we mailed out; global so it survives between scheduler runs
:global ipadd;
# interface that holds the public address
:global extinterface "ether1-gateway";
# current address on that interface (first match, in address/prefix form)
:local thisip [/ip address get [/ip address find interface=$extinterface] address];

# only send a mail when the address actually changed
:if ($ipadd != $thisip) do={
 /tool e-mail send to="youremail@address.org" subject="ip change" body="IP $thisip";
 :set ipadd $thisip;
}

For this you'll need an email account from which you're sending the emails; it can be set up under /tool e-mail

You can find the scripts under /system script and you can schedule them under /system scheduler. For example, you can run the script above each morning so you receive the IP while enjoying your coffee. There is much more that can be done with scripts; I might cover a few later.

More on scripts here: https://wiki.mikrotik.com/wiki/Manual:Scripting


Mikrotik with NetFlow on FreeBSD

A short how-to on adding NetFlow to Mikrotik using ntop and FreeBSD. FreeBSD is the best operating system you can go for on your server. While Mikrotik is a budget router, it is capable of a lot. I'm covering Ntop, not Ntopng. While Ntopng is fancier, it requires a probe to collect NetFlow, which is not free. Without the probe you can still collect traffic on the server where Ntopng is installed, but not from another device. You can buy a NetFlow-capable Mikrotik router for less than $50. Of course, if you have the big bucks you can go with a Cisco and Ntopng.

This article assumes you know already how to install FreeBSD and do basic configurations on Mikrotik.

Let's install Ntop; this can be done using precompiled packages or from source.

Package, using pkg
pkg install ntop
pkg will update its repository automatically; you can also invoke it manually with pkg update.
Read the details carefully and only proceed if you agree with everything the package manager is telling you.

Source, using ports
Ports, however, won't update the ports tree automatically; you have to do it yourself. Be sure to do this before installing anything from ports:
portsnap fetch
portsnap update

cd /usr/ports/net/ntop
make config-recursive
make install clean

Using config-recursive instead of config configures all dependencies as well, so you can step away while the source code is compiling; it could take a while.
Installing software from ports and packages on the same server requires a lot of attention, so be careful. Explaining that is out of the scope of this article.

After you have installed ntop, enable it:
sysrc ntop_enable="YES" or carefully add it manually to /etc/rc.conf.
Additional flags can be set, for example sysrc ntop_flags="-d --use-syslog=daemon -u nobody -4"

  • -d: run as a daemon
  • --use-syslog=daemon: save the messages into the system log
  • -u nobody: run as user nobody
  • -4: IPv4 only

Now start the service:
# service ntop start
Starting ntop.
Sun Feb 11 16:25:58 2018 Initializing gdbm databases
# service ntop status
ntop is running as pid 4277.

You should see the service running and listening on 3000/tcp:
# sockstat -l|grep ntop
nobody ntop 512 2 tcp4 *:3000 *:*
nobody ntop 512 8 dgram (not connected)

Now go to http://address_of_your_server:3000 and voila, there is your Ntop.
Let's add the NetFlow support.
Go to Plugins -> NetFlow -> Active

  • Set NetFlow Device – Whatever name you want for your device
  • Local Collector UDP Port – default is 2055
  • Virtual NetFlow Interface Network Address – address_of_your_server


Check if your server is listening on the collector port:
# sockstat -l|grep ntop
nobody ntop 512 2 tcp4 *:3000 *:*
nobody ntop 512 8 dgram (not connected)
nobody ntop 512 15 udp4 *:2055 *:*
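Before pointing the router at the server it is worth scripting the two checks above: that ntop really has a listener on the NetFlow port, and that the listener runs as the unprivileged user set with -u nobody rather than as root. The script below is an added example, not part of the original post; it parses sockstat -l output in the format shown above, and the SAMPLE_SOCKSTAT text is a constructed sample so it can be run on any POSIX shell without FreeBSD.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that ntop has a listening
# socket on the NetFlow collector port and report which user owns it.
# SAMPLE_SOCKSTAT is a constructed copy of `sockstat -l` output in the format
# shown in the post; pass it as the 4th argument to test without FreeBSD.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   ntop       512   2  tcp4   *:3000                *:*
nobody   ntop       512   8  dgram  (not connected)
nobody   ntop       512   15 udp4   *:2055                *:*
root     sshd       801   4  tcp4   *:22                  *:*'

# socket_lines COMMAND PROTO PORT [SOCKSTAT_TEXT]
# Prints every sockstat line where COMMAND has a PROTO socket bound to PORT.
# Without SOCKSTAT_TEXT the real `sockstat -l` is run.
socket_lines() {
    cmd=$1; proto=$2; port=$3
    if [ $# -ge 4 ]; then
        text=$4
    else
        text=$(sockstat -l)
    fi
    printf '%s\n' "$text" | awk -v cmd="$cmd" -v proto="$proto" -v port="$port" '
        # column 2 is COMMAND, column 5 is PROTO, column 6 is LOCAL ADDRESS
        $2 == cmd && $5 == proto {
            # the port is whatever follows the last ":" (works for *:2055 and [::1]:2055)
            n = split($6, a, ":")
            if (a[n] == port) print
        }'
}

# collector_listening COMMAND PROTO PORT [SOCKSTAT_TEXT]
# Returns 0 if at least one matching listening socket exists, 1 otherwise.
collector_listening() {
    [ -n "$(socket_lines "$@")" ]
}

# listener_user COMMAND PROTO PORT [SOCKSTAT_TEXT]
# Prints the user that owns the first matching socket (empty if none).
listener_user() {
    socket_lines "$@" | awk 'NR == 1 { print $1 }'
}

# Demonstration against the constructed sample.
if collector_listening ntop udp4 2055 "$SAMPLE_SOCKSTAT"; then
    echo "NetFlow collector on udp/2055 owned by: $(listener_user ntop udp4 2055 "$SAMPLE_SOCKSTAT")"
else
    echo "no NetFlow collector on udp/2055: check ntop_flags and the NetFlow plugin" >&2
fi
```

Run it without the fourth argument on the FreeBSD host to query the live sockstat; if listener_user prints root instead of nobody, the -u flag in ntop_flags did not take effect.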

Good. Now we can proceed to configure the Mikrotik:
[user@MikroTik] > ip traffic-flow set active-flow-timeout=1m enabled=yes
[user@MikroTik] > ip traffic-flow target add dst-address=address_of_your_server port=2055 v9-template-timeout=1m

Check that it is there:
[user@MikroTik] > ip traffic-flow target print
Flags: X - disabled
0        address_of_your_server   2055       9

Go back to your browser, then Plugins -> NetFlow -> Statistics; you should see some data.

Of course you can use a Linux distro instead, but why would you use Linux when you can use FreeBSD?
Why do this? To see what really happens on your network and find some amazing details about it.

Some Mikrotik Masquerading

There are plenty of good tutorials on how to create an L2TP/IPsec VPN or OpenVPN on Mikrotik, though not many mention which rule you need in your firewall if you want to be able to access devices on the local network of the VPN server. Some say that you need to enable proxy-arp on the local device; nope, that's not the proper way. It is worth mentioning that this is on Mikrotik OS 6.37.

This is the rule you need to add to your firewall; of course, replace the network with the one assigned to your VPN clients:

ip firewall nat add action=masquerade chain=srcnat dst-address=! src-address=


OS-X - change username/home directory - El Capitan

As you may know when you change your username in OS-X you must change the home directory as well to match the new username (https://support.apple.com/en-us/HT201548).

Now in El Capitan, when you change the home directory you get an extra "/" at the end of the path, and it is going to be in your $HOME environment variable as well: /Users/myusername/. This value is provided by launchd. It can be changed from .profile or .bash_profile, but that only takes effect in the terminal, not everywhere in the system.

This doesn't look like a big issue at first glance, but it can be. Some applications refuse to run if there is a discrepancy between the $HOME environment variable and the value returned by NSHomeDirectory().
I had issues running Tunnelblick: "The checks are performed to help prevent attacks like the Bourne-Again Shell (Bash) Remote Code Execution Vulnerability."


Luckily there is an easy fix.

  1. Create a new directory under /Users/temporarily
  2. Create a new admin user if you don't have one already
  3. Sign out from the user with issues and log in as the other user
  4. Go to System Preferences -> Users&Groups -> hit the lock icon -> right click on the troubled user name, then Advanced Options
  5. Choose the directory you've created in step 1 (/Users/temporarily) -> click OK
  6. Click the lock again to lock it
  7. Right click again on the troubled user name and click Advanced Options -> type in the correct home directory without the forward slash at the end, /Users/username -> click OK
  8. Log in with the user you had issues with and you should be done; you can now remove the /Users/temporarily directory

I want to thank the Tunnelblick team for their help debugging the app, and Apple's customer care, who confirmed the bug and helped with the workaround. Apple should come up with a bug fix in their next release.


FreeNAS 10

A pretty nice update for FreeNAS. FreeNAS was already the best storage OS you can get; with this update it got even better.


Incorrect argument handling in sendmsg(2)

To all the FreeBSD users out there: don't forget to update your systems.

The sendmsg(2) system call allows sending data to a socket. The data may be accompanied by optional ancillary data.

For details please visit: https://www.freebsd.org/security/advisories/FreeBSD-SA-16:19.sendmsg.asc


while loop in csh

This made my day: a while loop in one line (a one-liner) under csh

printf "while ( 1 ) \n df -m \n echo 'remaining space' \n sleep 60 \n end" | csh -f

Of course, you could install bash, but that can make your system vulnerable, and we'd also lose the fun of using csh & tcsh.