Community discussions

MikroTik App

Search found 1118 matches

by R1CH
Fri Mar 22, 2024 5:44 pm
Forum: General
Topic: Loop Dos CVE-2024-2169 Mikrotik
Replies: 3
Views: 567

Re: Loop Dos CVE-2024-2169 Mikrotik

Calling this "new" in 2024... everything old is eventually rediscovered and called new I guess :D. This has been known about since the dawn of the internet. You should not be exposing such services to untrusted networks.
by R1CH
Sat Mar 09, 2024 8:37 pm
Forum: General
Topic: Help! Simple question? Blocking internal rogue IP?
Replies: 8
Views: 698

Re: Help! Simple question? Blocking internal rogue IP?

Remove your "DDoS" rules, they are likely the cause of the problem. Make sure you have blackhole / unreachable routes for private subnets and aren't allowing traffic from the internet to the router.
by R1CH
Fri Mar 08, 2024 5:30 pm
Forum: Announcements
Topic: Newsletter #117 | March 2024
Replies: 22
Views: 18556

Re: Newsletter #117 | March 2024

Yeah, RAM and CPU are mostly meaningless for a switch, it's just for management purposes. The big question is if the switch chip is stable or if it has problems like the other CRS models.
by R1CH
Wed Jan 24, 2024 6:59 pm
Forum: General
Topic: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8
Replies: 428
Views: 122653

Re: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8

It's a rack mount switch, if it can't handle being installed in a rack "covered by other peripherals" then it is defective. So glad I didn't take the gamble on this hardware, it's ridiculous that these are still being sold with so many problems.
by R1CH
Thu Dec 07, 2023 4:46 pm
Forum: General
Topic: switch filter: can a single rule be used for the same TCP and UDP dst-port?
Replies: 7
Views: 1586

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

I would imagine the rule does not function with out specifying the protocols. How would it know where to look for the value?
by R1CH
Tue Dec 05, 2023 5:30 pm
Forum: Wireless Networking
Topic: Wi-Fi 6E devices for an new project
Replies: 10
Views: 3868

Re: Wi-Fi 6E devices for an new project

Wi-Fi 6E will probably be a year+ away still given how long it took to get AX to market. Don't even think about Wi-Fi 7...
by R1CH
Tue Oct 10, 2023 4:30 am
Forum: General
Topic: RB5009 2.5Gbe not working?
Replies: 5
Views: 1293

Re: RB5009 2.5Gbe not working?

The RB5009 CPU should easily be able to handle more than 800mbps though. What's on the other end of the link? Numerous 2.5 GbE cards require firmware updates or similar to function properly, the popular Intel i225/i226 line is pretty much broken for example.
by R1CH
Fri Oct 06, 2023 3:03 am
Forum: General
Topic: IP Hotspot Server HTTPS Redirect
Replies: 1
Views: 688

Re: IP Hotspot Server HTTPS Redirect

It is not possible to redirect HTTPS, HTTP redirect is enough for captive portal detection.
by R1CH
Thu Sep 21, 2023 6:05 pm
Forum: General
Topic: Wireguard handshake doesn't constitute UDP stream
Replies: 4
Views: 1491

Re: Wireguard handshake doesn't constitute UDP stream

One of the first things I do is raise the NAT timeouts, even the Linux default of 30 seconds for UDP is way too low.
by R1CH
Wed Sep 20, 2023 6:40 pm
Forum: RouterBOARD hardware
Topic: RB5009 2,5Gbe problems
Replies: 15
Views: 7266

Re: RB5009 2,5Gbe problems

Flow control for backpressure is not recommended these days, it's better to let packets drop so that the upper level protocols know to slow down. It's especially bad when you have an uplink port that's transmitting to an end device - backpressure from the end device will cause flow control to be sen...
by R1CH
Wed Sep 20, 2023 6:33 pm
Forum: General
Topic: RouterOS default config suffering severe QoS issues on 5G connection while downloading caused by bufferbloat
Replies: 7
Views: 1049

Re: RouterOS default config suffering severe QoS issues on 5G connection while downloading caused by bufferbloat

CAKE forces all traffic through software traffic control which is very slow, you won't be able to use 1gbps connections with Mikrotik hardware if it is on by default.
by R1CH
Tue Sep 19, 2023 6:55 pm
Forum: General
Topic: Wifi access list
Replies: 7
Views: 1896

Re: Wifi access list

Use WPA2/3 only, AES only, long, complex passphrase, disable PMKID, enable PMF.
by R1CH
Sun Sep 17, 2023 5:57 pm
Forum: General
Topic: Mikrotik cAp ax does not have 2.4GHz interface?
Replies: 16
Views: 1637

Re: Mikrotik cAp ax does not have 2.4GHz interface?

Looks broken, I'd RMA.
by R1CH
Fri Sep 15, 2023 3:25 am
Forum: General
Topic: serviced.tdi in my Winbox folder
Replies: 12
Views: 1398

Re: serviced.tdi in my Winbox folder

This has nothing to do with Winbox, the malware picks a random appdata folder to hide in.
by R1CH
Fri Sep 15, 2023 3:22 am
Forum: RouterBOARD hardware
Topic: Failure with hAP AC3 WiFi coverage
Replies: 20
Views: 4537

Re: Failure with hAP AC3 WiFi coverage

Did you power it on without antennas connected? Maybe you burned up the radio.
by R1CH
Sun Sep 10, 2023 7:53 pm
Forum: General
Topic: change software ID in PC
Replies: 9
Views: 1924

Re: change software ID in PC

Contact Mikrotik support.
by R1CH
Wed Sep 06, 2023 9:47 pm
Forum: RouterBOARD hardware
Topic: Why placing DC power port on the front of newest devices ?
Replies: 4
Views: 2814

Re: Why placing DC power port on the front of newest devices ?

I also really dislike this new design. It looks untidy and makes it easier to accidentally dislodge it.
by R1CH
Tue Sep 05, 2023 8:28 pm
Forum: General
Topic: Session limit reached (current license allows only 200 session)
Replies: 11
Views: 3639

Re: Session limit reached (current license allows only 200 session)

Why are you using hotspot if everyone shares the login? You could make an SSID with WPA2/WPA3 and give the guests that password instead. No worries about licenses or session limits.
by R1CH
Mon Sep 04, 2023 2:07 am
Forum: Wireless Networking
Topic: hAP ax3 limits 5GHz TX Power to 8
Replies: 39
Views: 6631

Re: hAP ax3 limits 5GHz TX Power to 8

You're probably getting your frequency changed due to radar detect, and it's selecting a TPC DFS channel which is designed for short range devices. Don't pick DFS channels or use "auto" frequency to avoid this.
by R1CH
Mon Aug 28, 2023 8:45 pm
Forum: General
Topic: Long cable speed drop help needed
Replies: 6
Views: 1174

Re: Long cable speed drop help needed

Some Mikrotik hardware has issues when running ports at 100mbps. If you have any 1gbps devices on the switch try removing them or force all ports to 100mbps.
by R1CH
Mon Aug 28, 2023 7:43 pm
Forum: General
Topic: Why /interface/vlan interface responds to IP address from bridge or different VLAN interface [SOLVED]
Replies: 16
Views: 2573

Re: Why /interface/vlan interface responds to IP address from bridge or different VLAN interface [SOLVED]

Of course you can use firewall to block whatever you want but the root cause is arp replies from the "wrong" interface. No amount of firewalling in L3 can fix the underlying L2 issue.
by R1CH
Mon Aug 28, 2023 7:38 pm
Forum: General
Topic: Brought two HAP ax3, but different RAM memrories. What is your ax3's RAM size? [SOLVED]
Replies: 19
Views: 2189

Re: Brought two HAP ax3, but different RAM memrories. What is your ax3's RAM size? [SOLVED]

Contact Mikrotik support via email if you want an official answer, this is a user support forum.
by R1CH
Mon Aug 28, 2023 5:26 pm
Forum: General
Topic: Brought two HAP ax3, but different RAM memrories. What is your ax3's RAM size? [SOLVED]
Replies: 19
Views: 2189

Re: Brought two HAP ax3, but different RAM memrories [SOLVED]

There was probably a faulty RAM chip at manufacturing so they disabled it rather than throw the whole package away. It's possibly even something that's detected on a startup memory test but usually that's in the realm of ECC memory. I wouldn't worry about it, 32mb isn't going to make a big differenc...
by R1CH
Mon Aug 28, 2023 1:16 am
Forum: Announcements
Topic: v6.49.10 [long-term] is released!
Replies: 33
Views: 83363

Re: v6.49.10 [stable] is released!

@EdPa

Could you elaborate more what "stability when receiving malformed packets" means?
This almost certainly means DoS / RCE from exposed www service. "Stability" in Mikrotik-speak means crashes.
by R1CH
Wed Aug 16, 2023 10:10 pm
Forum: RouterBOARD hardware
Topic: 60GHz behavior
Replies: 4
Views: 3635

Re: 60GHz behavior

Same issue here on two different products with < 100m links, feels like another case of broken hardware design.
by R1CH
Wed Aug 02, 2023 3:21 am
Forum: General
Topic: Intercept all DNS queries?
Replies: 2
Views: 577

Re: Intercept all DNS queries?

Yes, make a NAT rule. But crafty students will use DoH and you're out of luck.
by R1CH
Mon Jul 31, 2023 7:56 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 292
Views: 225630

Re: NEW FEATURE: Back to Home VPN

Why use a full relay and not STUN? Wireguard runs over UDP so hole punching should work fine with a short enough keepalive.
by R1CH
Thu Jun 29, 2023 8:15 pm
Forum: General
Topic: Interesting DDoS case
Replies: 11
Views: 1066

Re: Interesting DDoS case

There is no protection against DDoS other than having more bandwidth available than the attacker. You absolutely do NOT want complex "anti DDoS" filters with address lists and all that other garbage, you want the junk packets to be discarded as fast as possible with minimal CPU overhead, o...
by R1CH
Mon Jun 19, 2023 3:47 pm
Forum: RouterBOARD hardware
Topic: cAP XL AC and wifiwave2 package
Replies: 14
Views: 3724

Re: cAP XL AC and wifiwave2 package

No, it isn't supported. Flash OpenWrt if you want a wave2 Wi-Fi driver.
by R1CH
Wed Jun 14, 2023 3:57 pm
Forum: General
Topic: Warning: bridge rx looped packet ethertype 0x0004 and ethertype 0x88cc
Replies: 4
Views: 5286

Re: Warning: bridge rx looped packet ethertype 0x0004 and ethertype 0x88cc

Odd, sounds like some kind of weird hardware failure in that case.
by R1CH
Tue Jun 13, 2023 2:40 am
Forum: General
Topic: Warning: bridge rx looped packet ethertype 0x0004 and ethertype 0x88cc
Replies: 4
Views: 5286

Re: Warning: bridge rx looped packet ethertype 0x0004 and ethertype 0x88cc

Those are LLDP packets, presumably whatever device 4c5e is, is broadcasting LLDP packets, they go out ether6 and there's a loop at the unmanaged switch and the packet comes back. Perhaps some user connected the passthrough port of the IP phone to the switch. Either way you probably have a broadcast ...
by R1CH
Mon Jun 05, 2023 10:27 pm
Forum: General
Topic: Desktop SSH Client Error
Replies: 4
Views: 1053

Re: Desktop SSH Client Error

RouterOS SSHD uses weak and outdated algorithms by default, you need to set /ip ssh set strong-crypto=yes
by R1CH
Tue May 16, 2023 5:59 pm
Forum: General
Topic: Has my Mikrotik been hacked?
Replies: 5
Views: 942

Re: Has my Mikrotik been hacked?

Keep in mind routerboot is just another disk partition, while unlikely it's possible for it to be compromised and allow malware to persist post-netinstall. In this case where the scheduler was used, it's more likely that RouterOS itself was compromised rather than the device itself.
by R1CH
Thu May 04, 2023 10:23 pm
Forum: General
Topic: Unexpected and bizarre Firewall Connection for 169.254.x.x address [SOLVED]
Replies: 3
Views: 671

Re: Unexpected and bizarre Firewall Connection for 169.254.x.x address [SOLVED]

This is a UDP broadcast packet. You do not have a blackhole route for 169.254 so the best route is out your gateway, so MT sets up a NAT entry for it.
by R1CH
Thu May 04, 2023 6:20 pm
Forum: Wireless Networking
Topic: Am I aligned?
Replies: 4
Views: 1239

Re: Am I aligned?

I don't know if it's something about the 60 GHz devices or just extra interference from being outdoors, but I've also had a lot of issues with links dropping to 100mbps.
by R1CH
Wed May 03, 2023 1:27 am
Forum: Wireless Networking
Topic: Am I aligned?
Replies: 4
Views: 1239

Re: Am I aligned?

Looks fine, how are you testing the speed? You should test through the devices, not on the devices. And post the config if you still have issues.
by R1CH
Tue May 02, 2023 8:07 pm
Forum: RouterBOARD hardware
Topic: CCR2004 real routing performance?
Replies: 5
Views: 4288

Re: CCR2004 real routing performance?

Note that a single stream will only usually be processed by a single core, it is unrealistic to expect a TCP connection to hit 25 Gbps (never mind without tuning TCP windows and congestion control algorithms). Try with parallel iperf to see more accurate numbers for maximum throughput. If all you ca...
by R1CH
Fri Apr 28, 2023 7:19 pm
Forum: General
Topic: Firewall and blocking of certain ports
Replies: 5
Views: 508

Re: Firewall and blocking of certain ports

Ditch the pointless anti-DDoS / anti-virus / etc rules, they will only slow down your router and cause problems / open you up to DoS.
by R1CH
Mon Apr 03, 2023 11:54 pm
Forum: General
Topic: I don't know what's going wrong
Replies: 7
Views: 751

Re: I don't know what's going wrong

Your ISP might have wrong geo data about your public IP, only they can fix that.
by R1CH
Mon Apr 03, 2023 11:45 pm
Forum: Announcements
Topic: Newsletter #112 | April 2023
Replies: 66
Views: 11825

Re: Newsletter #112 | April 2023

I would like some more details of this new default password feature. Is this procedurally generated, e.g. from serial number or MAC address? Or is this a serial <-> secure password table that each distributor gets? Please explain how a distributor is able to help you with a forgotten password and th...
by R1CH
Wed Mar 29, 2023 6:57 pm
Forum: General
Topic: ICMP Redirect + IPSec (ROS 6.49.7 and 7.8) - is it a bug or a feature?
Replies: 2
Views: 758

Re: ICMP Redirect + IPSec (ROS 6.49.7 and 7.8) - is it a bug or a feature?

Looks like you have some subnet mask issues. That 172.16.0.0/12 looks suspicious. Check all your routes and IP addresses.
by R1CH
Mon Mar 27, 2023 11:38 pm
Forum: RouterBOARD hardware
Topic: Please provide reverse configurations for enterprise level equipment.
Replies: 12
Views: 1989

Re: Please provide reverse configurations for enterprise level equipment.

Mikrotik is not considered enterprise level equipment. Get proper switches for datacenter use if you need features like reverse airflow.
by R1CH
Fri Mar 24, 2023 2:54 pm
Forum: General
Topic: Block IPv6 Portscans - Rule works for IPv4 but not IPv6
Replies: 10
Views: 1463

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

The idea is this: if some remote host tries to connect to IP/port combination which is not allowed (either it's not DST NATed in IPv4 or is blocked in IPv6), then such remote host is added to black list. Hence forth the same host can not connect to otherwise allowed/open IP/port combination (e.g. H...
by R1CH
Sun Mar 19, 2023 9:12 pm
Forum: RouterBOARD hardware
Topic: AX2 Port issues with fixed speed
Replies: 4
Views: 1286

Re: AX2 Port issues with fixed speed

The gigabit Ethernet spec requires autonegotiation. If it doesn't happen, then generally the cable or port is damaged.
by R1CH
Thu Mar 16, 2023 8:00 pm
Forum: Wireless Networking
Topic: Considerations on antennae design and product selection
Replies: 6
Views: 1470

Re: Considerations on antennae design and product selection

I have a friend who did this with Unifi, hiding them inside cabinets and behind TVs etc. The performance kind of sucks, presumably there's a lot of self-interference from the reflections. I wouldn't recommend it.
by R1CH
Wed Mar 15, 2023 9:29 pm
Forum: General
Topic: How to free up space so I can upgrade to v7?
Replies: 6
Views: 1644

Re: How to free up space so I can upgrade to v7?

Using netinstall is probably safer.
by R1CH
Tue Mar 14, 2023 3:14 am
Forum: Wireless Networking
Topic: Device cannot connect specifically to Mikrotik APs [SOLVED]
Replies: 5
Views: 1595

Re: Device cannot connect specifically to Mikrotik APs [SOLVED]

Try setting more compatible protocols instead of only n / ac. Cheap IOT chipsets sometimes don't even support 802.11n.
by R1CH
Tue Mar 14, 2023 3:11 am
Forum: General
Topic: Fasttrack vs. RAW Firewall rules
Replies: 6
Views: 838

Re: Fasttrack vs. RAW Firewall rules

Note that if you're testing by enabling / disabling the rules while you check the connection, this won't work. As soon as the connection hits fasttrack it will be offloaded to hardware, so it won't hit any more firewall rules. You need to test with a completely new connection every time.
by R1CH
Wed Mar 08, 2023 12:18 am
Forum: General
Topic: Router ISP authentication protocols
Replies: 3
Views: 333

Re: Router ISP authentication protocols

Did you try a reboot after deleting it?
by R1CH
Sun Mar 05, 2023 6:28 pm
Forum: General
Topic: When should I turn off loose TCP tracking? [SOLVED]
Replies: 19
Views: 4358

Re: When should I turn off loose TCP tracking? [SOLVED]

I only have “drop invalid” on input chain. Never in forward chain even if everything is a public /22 (IPv4) and public /32 (IPv6). We've observed it breaks legitimate traffic such as WireGuard (UDP) for the customers. If everyone is on a public IP, then I agree that DROP INVALID in forward is unnec...
by R1CH
Sun Mar 05, 2023 6:09 pm
Forum: General
Topic: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]
Replies: 5
Views: 1956

Re: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]

This is unnecessary, all input on the WAN side should be blocked by default.
by R1CH
Sat Mar 04, 2023 10:23 pm
Forum: General
Topic: When should I turn off loose TCP tracking? [SOLVED]
Replies: 19
Views: 4358

Re: When should I turn off loose TCP tracking? [SOLVED]

The INVALID rule will still function to prevent non-NATted connections from going out. It offers no extra "security" to use strict tracking, it only causes users grief when their valid connections get dropped by over-aggressive timeouts or router reboots. How is a client sending an ACK to ...
by R1CH
Sat Mar 04, 2023 8:02 pm
Forum: General
Topic: Get rid of CPE box and just use MikroTik router
Replies: 2
Views: 418

Re: Get rid of CPE box and just use MikroTik router

Internet + IPTV is usually a very complex setup, requiring a separate subnet, DHCP with specific options, VLANs and IGMP configuration. If the CPE box isn't causing you problems I'd recommend continuing to use it, while you can do IPTV over pure Mikrotik, the setup is complex and differs from ISP to...
by R1CH
Thu Mar 02, 2023 7:35 pm
Forum: General
Topic: Block IPv6 Portscans - Rule works for IPv4 but not IPv6
Replies: 10
Views: 1463

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Why do you have open ports to the internet to begin with? Just drop all inbound traffic rather than slowing down your router with these junk rules.
by R1CH
Thu Mar 02, 2023 7:07 pm
Forum: General
Topic: When should I turn off loose TCP tracking? [SOLVED]
Replies: 19
Views: 4358

Re: When should I turn off loose TCP tracking? [SOLVED]

It's for picking up existing connections. E.g.: User opens connection to tcp.example.com port 22, sends and receives data. Router has NAT entry to handle outbound / inbound packets. Disaster! Router crashes or reboots for some reason. Or the router has NAT timeouts too low and the NAT entry expires ...
by R1CH
Sun Feb 05, 2023 10:10 pm
Forum: RouterBOARD hardware
Topic: Bad wifi with hap ac^3
Replies: 6
Views: 1682

Re: Bad wifi with hap ac^3

40 MHz channel width on 2.4 GHz will certainly lead to bad results. But you need to be specific about what you mean by "Bad wifi", your screenshot does not help.
by R1CH
Thu Jan 12, 2023 8:11 pm
Forum: RouterBOARD hardware
Topic: RB750gr3 bricked after failed upgrade
Replies: 6
Views: 2069

Re: RB750gr3 bricked after failed upgrade

do mikrotik normally reboot if no command / action given when it's in netinstall mode? No, if router successfully enters netinstall mode, it stays in that mode until netinstall "server" (application on your PC) successfully establishes connection. If your router seems to be rebooting, the...
by R1CH
Thu Jan 12, 2023 8:10 pm
Forum: RouterBOARD hardware
Topic: MikroTik cAP ax [cAPGi-5HaxD2HaxD] (r2)
Replies: 114
Views: 24804

Re: MikroTik cAP ax [cAPGi-5HaxD2HaxD] (r2)

Unfortunate that it copied the cAP XL design, I also find it very ugly.
by R1CH
Wed Jan 11, 2023 4:54 pm
Forum: General
Topic: RouterOS can't use ingress port 53 [SOLVED]
Replies: 18
Views: 2340

Re: RouterOS can't use ingress port 53 [SOLVED]

Open resolvers on port 53 are often abused for DDoS reflection attacks, your ISP or another upstream is probably filtering it.
by R1CH
Fri Jan 06, 2023 6:45 pm
Forum: General
Topic: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8
Replies: 428
Views: 122653

Re: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8

Very glad I found this topic 1 year ago, I almost purchased a bunch of these and the issue is still not fixed after a year! It must be broken hardware, very irresponsible to continue shipping it.
by R1CH
Thu Jan 05, 2023 8:08 pm
Forum: General
Topic: Cloud backup no working
Replies: 5
Views: 831

Re: Cloud backup no working

Same issue... I guess Mikrotik hasn't set up any monitoring for this service? :lol:
by R1CH
Tue Jan 03, 2023 12:12 am
Forum: General
Topic: Travel router possible?
Replies: 4
Views: 2241

Re: Travel router possible?

This is definitely possible, I have such a router myself. One thing to watch out for is by blocking non-tunneled traffic, if your hotel hotspot / Wi-Fi session expires you will never be redirected to the captive portal to login again.
by R1CH
Mon Jan 02, 2023 11:09 pm
Forum: General
Topic: Anti-spoofing protection in RouterOS
Replies: 6
Views: 2939

Re: Anti-spoofing protection in RouterOS

Unfortunately there's not a lot in the way of proper anti-spoofing (DHCP snooping, IP source guard, etc) on Mikrotik products. I've generally found these features to cause more problems than they are worth though with various interop issues and bugs.
by R1CH
Fri Dec 30, 2022 2:58 am
Forum: General
Topic: NAT Issues every 10-14 days
Replies: 42
Views: 4409

Re: NAT Issues every 10-14 days

I hope I never have to use such ISPs that mess with the TCP established timeout... 1 day is already significantly lower than the Linux default (5 days). Unless you're actually running out of memory due to conntrack entries, I really don't recommend touching this. Sure, most home users who do simple ...
by R1CH
Mon Dec 26, 2022 11:44 pm
Forum: RouterBOARD hardware
Topic: Does RBGPOE (RBPOE) injectors save for other side hardware? [SOLVED]
Replies: 3
Views: 1903

Re: Does RBGPOE (RBPOE) injectors save for other side hardware? [SOLVED]

The unpowered side is safe to use with any hardware, it's just a standard Ethernet cable. Power only goes out the powered side - make sure you connect that side to ONLY Mikrotik devices, it's non-standardized passive PoE so it is unsafe to use with any 802.3af/at hardware as it constantly supplies v...
by R1CH
Fri Dec 23, 2022 8:59 pm
Forum: RouterBOARD hardware
Topic: Please launch hAP with AX3000 or above
Replies: 9
Views: 2608

Re: Please launch hAP with AX3000 or above

Ah yeah, forgot the original was 3 chain, but the CPU is too weak to actually get more throughput than 2 chains.
by R1CH
Fri Dec 23, 2022 8:48 pm
Forum: General
Topic: WireGuard: packet has invalid nonce
Replies: 12
Views: 2968

Re: WireGuard: packet has invalid nonce

This indicates you are getting duplicated / replayed packets somewhere.
by R1CH
Fri Dec 23, 2022 1:32 pm
Forum: RouterBOARD hardware
Topic: Please launch hAP with AX3000 or above
Replies: 9
Views: 2608

Re: Please launch hAP with AX3000 or above

hAP AC2/3 is also only a two chain device, so it can't possibly be faster - it maxes out at 866mbps. While I would also like to see more chains, most client devices are only two chain so the benefits in real world scenarios are limited.
by R1CH
Thu Nov 24, 2022 4:07 pm
Forum: General
Topic: Question about 802.3ad hardware offloaded
Replies: 12
Views: 2199

Re: Question about 802.3ad hardware offloaded

layer2+3+4 is OK as long as you don't have fragmentation on your network (which you should never have these days due to poor support of fragments on the internet). The router is stateless, so if it sees a fragment then it has no idea what the original packet's TCP/UDP header was so it can no longer ...
by R1CH
Mon Nov 14, 2022 11:54 pm
Forum: General
Topic: Wireguard - Failed Attempts - Logging
Replies: 2
Views: 1961

Re: Wireguard - Failed Attempts - Logging

Wireguard uses public key cryptography - there is nothing to brute force. Either a packet has a valid handshake or it is silently discarded without any state being allocated, making it DoS-resistant. No one can even tell that Wireguard is running unless they are an allowed peer. See https://www.wire...
by R1CH
Fri Oct 28, 2022 2:40 am
Forum: General
Topic: Huge packet loss [SOLVED]
Replies: 6
Views: 2306

Re: Huge packet loss [SOLVED]

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps

Try and set this back to autonegotiation.
by R1CH
Wed Oct 26, 2022 5:11 pm
Forum: RouterBOARD hardware
Topic: hAP ax² dual band Wi-Fi 6 (802.11ax)
Replies: 287
Views: 66737

Re: hAP ax² dual band Wi-Fi 6 (802.11ax)

You can work around it by creating a separate network for such crap, with a separate SSID and authentication configuration. Yeah, I did that. But the interesting thing is that I can't manually configure the same behaviour that auto does: in my case, it seems, Ring cameras want TKIP enabled for some...
by R1CH
Mon Oct 24, 2022 7:03 pm
Forum: Wireless Networking
Topic: Any estimate to update CAP or WAP series?
Replies: 2
Views: 562

Re: Any estimate to update CAP or WAP series?

Both CAP and WAP were updated recently, without name change. New models are based on IPQ4019 and can do ~400-500mbps real world (802.11ac 2x2).
by R1CH
Tue Oct 18, 2022 10:32 pm
Forum: RouterBOARD hardware
Topic: CCR1009-7G-1C-1S+ single stream TCP performance limit with queues
Replies: 33
Views: 11298

Re: CCR1009-7G-1C-1S+ single stream TCP performance limit with queues

I was never able to solve this, it was probably just low per-core speed causing bottlenecking. The hardware was replaced with a Xeon E-2388G based router which has no problem with 3+gbps single connection TCP performance.
by R1CH
Sun Oct 16, 2022 10:03 pm
Forum: Announcements
Topic: v6.49.7 [stable] is released!
Replies: 50
Views: 92348

Re: v6.49.7 [stable] is released!

What exactly was improved? I personally have not experienced any problems with user policies There is a security bug that allows users with limited privileges to elevate them ("become admin"). It requires a specific setup to exist. Why is this not flagged as a security issue with an accom...
by R1CH
Thu Sep 15, 2022 6:16 pm
Forum: General
Topic: Is MT ready for WIFI4EU?
Replies: 2
Views: 462

Re: Is MT ready for WIFI4EU?

No, 802.11r/k/v is required. Mikrotik does not support this.
by R1CH
Tue Sep 13, 2022 2:40 am
Forum: General
Topic: Mikrotik DDOS ICMP with SSDP amplification
Replies: 8
Views: 1162

Re: Mikrotik DDOS ICMP with SSDP amplification

Nothing you can do if your pipe is smaller than the attack bandwidth. Has to be mitigated upstream.
by R1CH
Wed Aug 03, 2022 9:15 pm
Forum: RouterBOARD hardware
Topic: wifi 6E AX11000
Replies: 3
Views: 2087

Re: wifi 6E AX11000

If you want to run docker and kubernetes you should buy a general purpose server, not a router. Mikrotik is designed for home / office / small ISP networks, not datacenters.
by R1CH
Mon Aug 01, 2022 4:20 pm
Forum: General
Topic: Traffic that seems legit is getting dropped (due to conntrack table?)
Replies: 5
Views: 1456

Re: Traffic that seems legit is getting dropped (due to conntrack table?)

Totally normal to see, this is why NAT sucks - implementations of NAT have their own idea of when a connection is "finished" that doesn't match the OSes communicating.
by R1CH
Sat Jul 23, 2022 4:30 pm
Forum: General
Topic: TLS Webfig (www-ssl) PCI DSS compliance - weak ciphers
Replies: 14
Views: 1908

Re: TLS Webfig (www-ssl) PCI DSS compliance - weak ciphers

"Zero trust" is a common model used by serious organizations. You should not assume your management VLAN is secure, if one device is compromised an attacker should not be able to leverage their network position to move to other devices. So even internally-facing devices and open ports need...
by R1CH
Tue Jul 12, 2022 10:17 pm
Forum: General
Topic: TLS Webfig (www-ssl) PCI DSS compliance - weak ciphers
Replies: 14
Views: 1908

Re: TLS Webfig (www-ssl) PCI DSS compliance - weak ciphers

Not gonna hold my breath... just look at the problems with the outdated ssh-rsa public key signature algorithm which Mikrotik have known would be an issue since 2020. Unfortunately things have to break before they will be fixed. Please prove me wrong Mikrotik and release a big crypto update that rem...
by R1CH
Tue Jul 05, 2022 2:18 am
Forum: General
Topic: Port Forwarding 445 & 139
Replies: 4
Views: 3646

Re: Port Forwarding 445 & 139

Many ISPs block these ports since they have typically been exploited by worms (Blaster, Sasser, etc).
by R1CH
Wed Jun 29, 2022 12:21 am
Forum: General
Topic: Openfiber + hap ac2
Replies: 7
Views: 865

Re: Openfiber + hap ac2

Your firewall input drop rule is blocking your phone's DHCP request (and presumably every other device on your LAN). I am not sure why the default firewall rules were deleted as they take care of this. You should add a rule to input, action=accept, in-interface=bridge1 to trust all traffic on your L...
by R1CH
Wed Jun 29, 2022 12:14 am
Forum: General
Topic: CCR2004-16G-2S+PC cooling type ?
Replies: 3
Views: 576

Re: CCR2004-16G-2S+PC cooling type ?

PC in the model name means Passive Cooling.
by R1CH
Tue Jun 28, 2022 12:29 am
Forum: General
Topic: Openfiber + hap ac2
Replies: 7
Views: 865

Re: Openfiber + hap ac2

The accept input rule must be above any default drop rule. I would also suggest avoiding "auto" frequency on 5 GHz and use something like 5180-Ceee. Try to avoid upper bands.
by R1CH
Mon Jun 27, 2022 4:27 pm
Forum: General
Topic: Openfiber + hap ac2
Replies: 7
Views: 865

Re: Openfiber + hap ac2

- Missing country on 5 GHz, probably using channels phone does not support
- Firewall input rules do not have "accept" for established connections, probably why update check is broken
- Fasttrack on PPPOE does not work AFAIK
by R1CH
Sat Jun 18, 2022 12:39 am
Forum: General
Topic: Redirecting Tracert/Traceroute traffic to a specific gateway in a Dual ISP/WAN set-up
Replies: 8
Views: 1373

Re: Redirecting Tracert/Traceroute traffic to a specific gateway in a Dual ISP/WAN set-up

Traceroute works with any protocol, Linux uses UDP for example but you can even use TCP. This whole idea seems shady as hell, like you're hiding what service you're really selling and tricking your customers.
by R1CH
Wed Jun 01, 2022 4:47 pm
Forum: Wireless Networking
Topic: Public hotspot wifi advice needed
Replies: 10
Views: 1510

Re: Public hotspot wifi advice needed

500 clients at 2mbps is not happening on 2.4 GHz. You'll be lucky to get 10-20 clients per channel given the interference. Probe requests alone will probably kill half the frequency.
by R1CH
Tue May 31, 2022 2:34 am
Forum: Wireless Networking
Topic: RB4011iGS wifi speed.
Replies: 11
Views: 3512

Re: RB4011iGS wifi speed.

With the 4011, if you have a 4x4 client in theory the speed should be ~800mbps with a good signal. The Audience also has a 4x4 radio. Keep in mind you'll need the wifiwave2 package to make full use of the radios: https://help.mikrotik.com/docs/display/ROS/WifiWave2 If you want faster, you'll need no...
by R1CH
Fri May 27, 2022 4:34 am
Forum: Wireless Networking
Topic: Only One Tx Stream (1S) on RBcAPGi-5acD2nD cAP ac
Replies: 39
Views: 8252

Re: Only One Tx Stream (1S) on RBcAPGi-5acD2nD cAP ac

Try netbooting the device with OpenWrt and seeing if the same behavior occurs there. This would rule out hardware issues.
by R1CH
Mon Apr 11, 2022 3:24 pm
Forum: Announcements
Topic: v7.2.1 [stable] is released!
Replies: 240
Views: 46180

Re: v7.2.1 [testing] is released!

Doesn't help. I'm guessing this affects only v7 but it would be nice to know for sure, and whether this will be backported. I've lost at least one 6.x device after a failed upgrade.
by R1CH
Mon Apr 11, 2022 3:00 pm
Forum: Announcements
Topic: v7.2.1 [stable] is released!
Replies: 240
Views: 46180

Re: v7.2.1 [testing] is released!

Regarding this particular release - it fixes a very rare situation when a router could brick itself during the upgrade process by removing/corruption filesystem so the device could not read system files anymore. The router had to be get netinstalled. Does this affect all v6.x and v7.x releases? If ...
by R1CH
Mon Apr 11, 2022 12:33 pm
Forum: Announcements
Topic: v7.2.1 [stable] is released!
Replies: 240
Views: 46180

Re: v7.2.1 [testing] is released!

Well this is one of the scariest changelog entries. Is every prior RouterOS version affected by this "filesystem stability and data integrity" issue?
by R1CH
Thu Mar 31, 2022 12:22 am
Forum: General
Topic: Wireless Disconnects on Station Mode - No Beacons Received
Replies: 3
Views: 918

Re: Wireless Disconnects on Station Mode - No Beacons Received

Switch channel on the AP if you can and ideally avoid 2.4 GHz entirely, way too much interference.
by R1CH
Tue Mar 29, 2022 8:26 pm
Forum: General
Topic: What is the best way to prevent internal traffic from leaving? [SOLVED]
Replies: 56
Views: 6782

Re: What is the best way to prevent internal traffic from leaving? [SOLVED]

Hi Rich, restrictive filtering vice the current setting of loose. What penalties does on pay for that approach as there must be a reason mine is on loose, other than I like to match my skin turgor, which at my age is loose. ;-) Loose mode allows asymmetric routing and only drops packets with no val...
by R1CH
Tue Mar 29, 2022 4:56 pm
Forum: General
Topic: What is the best way to prevent internal traffic from leaving? [SOLVED]
Replies: 56
Views: 6782

Re: What is the best way to prevent internal traffic from leaving? [SOLVED]

Then add a blackhole route for 192.168.0.0/16
by R1CH
Tue Mar 29, 2022 4:07 pm
Forum: General
Topic: What is the best way to prevent internal traffic from leaving? [SOLVED]
Replies: 56
Views: 6782

Re: What is the best way to prevent internal traffic from leaving? [SOLVED]

Blackhole route is indeed the correct way to do this. Your more specific local prefixes will take precedence over blackhole.

If you are concerned with private IPs entering your WAN interface, use strict reverse path filtering instead of a firewall rule, it will be more efficient.
by R1CH
Mon Mar 28, 2022 9:04 pm
Forum: General
Topic: Suspicious behaviour in SMB config
Replies: 6
Views: 955

Re: Suspicious behaviour in SMB config

Simply looking at the SMB menu creates this share, it's one of those RouterOS quirks.
by R1CH
Thu Mar 24, 2022 3:13 pm
Forum: General
Topic: Port 514 filtered shell
Replies: 7
Views: 2424

Re: Port 514 filtered shell

Port 514 is https://en.wikipedia.org/wiki/Remote_Shell - your ISP likely filters it to prevent insecure services.

The fact that all your ports aren't filtered though suggests you have an improper firewall setup.
by R1CH
Wed Mar 09, 2022 10:21 pm
Forum: General
Topic: Installing Openwrt problem.
Replies: 4
Views: 762

Re: Installing Openwrt problem.

Did you upgrade bootloader to v7? If so you have to downgrade it.
by R1CH
Wed Mar 09, 2022 4:21 pm
Forum: General
Topic: Blocking fishing sites
Replies: 4
Views: 650

Re: Blocking fishing sites

by R1CH
Thu Feb 24, 2022 6:27 pm
Forum: Announcements
Topic: Newsletter 104
Replies: 54
Views: 25874

Re: Newsletter 104

In that context, it means "over the distance of 2.4km". So basically, it worked at 2.4km "easily", but they didn't try beyond that.
by R1CH
Wed Feb 23, 2022 5:10 pm
Forum: Announcements
Topic: Newsletter 104
Replies: 54
Views: 25874

Re: Newsletter 104

I've been looking forward to 802.11ay for a while so it's great to see devices starting to come out, though I had hoped for at least 10gbps. I hope higher speed links are on the roadmap.
by R1CH
Sat Feb 19, 2022 9:39 pm
Forum: General
Topic: How can I deny .exe file type download
Replies: 8
Views: 1780

Re: How can I deny .exe file type download

Ask yourself, what is the real problem you are trying to solve? Users downloading random .exe files and installing unapproved apps or malware? Then the solution is AppLocker. This shouldn't be something controlled at the network level.
by R1CH
Thu Jan 06, 2022 6:45 pm
Forum: General
Topic: increased CPU use (20-99%) on mikrotik
Replies: 3
Views: 1070

Re: increased CPU use (20-99%) on mikrotik

Tool / Profile
by R1CH
Fri Dec 17, 2021 11:02 pm
Forum: General
Topic: Adapt FTP brute force banning rules for LT2P/IPSEC [SOLVED]
Replies: 5
Views: 1968

Re: Adapt FTP brute force banning rules for LT2P/IPSEC [SOLVED]

Remember UDP is connectionless, the source address can be spoofed. Using this, anyone with knowledge of your blacklist can now force you to blacklist arbitrary IP addresses. If your legit VPN endpoint IPs are discovered your anti-brute-force is now a DoS vector.
by R1CH
Thu Dec 16, 2021 8:36 pm
Forum: General
Topic: Firewall "Established" rule allowing more than I'd expect.
Replies: 11
Views: 2677

Re: Firewall "Established" rule allowing more than I'd expect.

That is expected behavior if the wireguard tunnel terminates on the router. If you want to control what the packets inside the tunnel can reach once they are in your network, you need to set up rules on the forward chain. So you're saying that packets entering through a wireguard interface will alr...
by R1CH
Wed Dec 15, 2021 9:17 pm
Forum: General
Topic: Log4J Exploit firewall filter
Replies: 1
Views: 1305

Re: Log4J Exploit firewall filter

Pretty much impossible with static filters, there are nearly infinite possible ways of writing the exploit so you'd need a logic parser to be able to catch them all.
by R1CH
Wed Dec 15, 2021 3:11 pm
Forum: General
Topic: Firewall "Established" rule allowing more than I'd expect.
Replies: 11
Views: 2677

Re: Firewall "Established" rule allowing more than I'd expect.

That is expected behavior if the wireguard tunnel terminates on the router. If you want to control what the packets inside the tunnel can reach once they are in your network, you need to set up rules on the forward chain.
by R1CH
Mon Dec 13, 2021 5:15 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 27
Views: 37759

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

OpenWRT also works great on older devices if you don't need RouterOS, I have a hAP AC2 and wAP ACs running OpenWRT which gives modern wireless drivers and WPA3, 802.11r, etc.
by R1CH
Sat Dec 11, 2021 7:31 pm
Forum: Announcements
Topic: v6.49.2 [stable] is released!
Replies: 64
Views: 124144

Re: v6.49.2 [stable] is released!

That is talking about switching device mode between enterprise and home, used to lock down configuration to users (eg ISPs limiting what users can do on their router). The flagged config part of device mode seems entirely unrelated to the mode it is in. I don't even know why it's considered part of ...
by R1CH
Fri Dec 10, 2021 6:46 pm
Forum: Announcements
Topic: v6.49.2 [stable] is released!
Replies: 64
Views: 124144

Re: v6.49.2 [stable] is released!

Still nervous to upgrade any device to RouterOS with "device mode" until I know what triggers it. How can RouterOS distinguish my access from a hacker? You need to press a button to accept some changes. How can a hacker do that remote? ? There's nothing in the docs about pressing buttons....
by R1CH
Fri Dec 10, 2021 3:21 am
Forum: Announcements
Topic: v6.49.2 [stable] is released!
Replies: 64
Views: 124144

Re: v6.49.2 [stable] is released!

Still nervous to upgrade any device to RouterOS with "device mode" until I know what triggers it. How can RouterOS distinguish my access from a hacker?
by R1CH
Thu Dec 02, 2021 11:46 pm
Forum: Announcements
Topic: Newsletter 103
Replies: 32
Views: 92441

Re: Newsletter 103

Perhaps the design of the block diagram could be updated to reflect that.
by R1CH
Thu Dec 02, 2021 8:58 pm
Forum: RouterBOARD hardware
Topic: Rapid Rollout of HAP AC3 routers
Replies: 2
Views: 4657

Re: Rapid Rollout of HAP AC3 routers

Netinstall + config script
by R1CH
Thu Dec 02, 2021 8:53 pm
Forum: Announcements
Topic: Newsletter 103
Replies: 32
Views: 92441

Re: Newsletter 103

You don't have to use Adobe's shit reader, there are plenty of PDF readers without such a massive attack surface and it's built in to a lot of modern browsers. And as others have said, please make all links https:// - I couldn't even click it in my email. Also is the 4x10G SFP+ on the CCR2116 really...
by R1CH
Wed Dec 01, 2021 9:15 pm
Forum: General
Topic: Enable TCP ECN for bandwidth efficiency
Replies: 14
Views: 8351

Re: Enable TCP ECN for bandwidth efficiency

BBR is for clients and servers, a router doesn't care.
by R1CH
Sat Nov 27, 2021 1:59 am
Forum: General
Topic: Protection agains Frag attacks
Replies: 8
Views: 2702

Re: Protection agains Frag attacks

Why are you not dropping everything on your WAN interface? If they are targeting a client behind NAT, then that client would have to have initiated the connection in order for the router to forward fragments. If you're using a routed setup then just drop all fragments at the edge, there's no good re...
by R1CH
Thu Nov 25, 2021 4:38 pm
Forum: Wireless Networking
Topic: [SOLVED] => [wifiwave2] for cAP ac, hAP ac2
Replies: 85
Views: 47142

Re: [wifiwave2] for cAP ac, hAP ac2

Yes, it's 802.11ac, Mikrotik do not make any 802.11ax products.
by R1CH
Wed Nov 24, 2021 9:13 pm
Forum: General
Topic: hAP AC3 Netinstall / PXE boot
Replies: 1
Views: 1763

Re: hAP AC3 Netinstall / PXE boot

I did some more testing, netinstall does actually work fine, I just wasn't waiting long enough for the device to show up. There's something about the BOOTP response from tftpd32 the hAP AC3 does not tolerate, yet it works fine on the hAP AC2. I thought the hardware was mostly identical so this is a ...
by R1CH
Tue Nov 23, 2021 11:50 pm
Forum: Wireless Networking
Topic: [SOLVED] => [wifiwave2] for cAP ac, hAP ac2
Replies: 85
Views: 47142

Re: [wifiwave2] for cAP ac, hAP ac2

Yup, I've been running the patched OpenWrt on hAP AC2 for a month now and it's been flawless. Hopefully the PR makes it into the official release soon.
by R1CH
Mon Nov 22, 2021 2:00 am
Forum: General
Topic: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8
Replies: 428
Views: 122653

Re: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8

Well shit, I was about to build my new network with these switches at the core. The lack of response and root cause from Mikrotik sounds like they aren't able to fix this, I guess the Marvel chip is broken and they are trying software workarounds to no avail. Is there anyone at Mikrotik willing to c...
by R1CH
Mon Nov 22, 2021 1:38 am
Forum: General
Topic: CRS3xx VLAN port isolation switch rule [SOLVED]
Replies: 4
Views: 2209

Re: CRS3xx VLAN port isolation switch rule [SOLVED]

This is commonly called private VLAN by other vendors. It's pretty nice if you have a bunch of untrusted devices like IoT sensors and you don't want them having access to anything except the router. This seems to be supported natively with "interface ethernet switch port-isolation" rather ...
by R1CH
Fri Nov 19, 2021 4:53 pm
Forum: General
Topic: IPv4 mode for Winbox
Replies: 8
Views: 1835

Re: IPv4 mode for Winbox

IP Cloud DDNS does not register fake IPv6 addresses, the IPv6 packet reached the IP Cloud Servers at some point. So that router had working IPv6. If it doesn't now, that's another issue. And as stated in numerous places it only requires a Disable / Enable of IP Cloud DDNS. Disable sends a clear rec...
by R1CH
Fri Nov 19, 2021 2:13 am
Forum: General
Topic: IPv4 mode for Winbox
Replies: 8
Views: 1835

Re: IPv4 mode for Winbox

Yeah that's an option, but unfortunately these are dynamic IPs so I'm using the build in Cloud DNS names. Unfortunately the Mikrotik Cloud DNS registers the IPv6 address even if it's in an error state, so there's no way to easily connect to the IPv4 address returned by the name. Give me my happy eye...
by R1CH
Thu Nov 18, 2021 11:51 pm
Forum: General
Topic: IPv4 mode for Winbox
Replies: 8
Views: 1835

IPv4 mode for Winbox

My ISP recently enabled IPv6 and now I'm finally joining the modern internet! Unfortunately Winbox seems to prefer IPv6 addresses when connecting to a multi-homed DNS name, and several of the routers I have saved in my Winbox do not accept connections on IPv6. There is no fallback to IPv4, meaning I...
by R1CH
Wed Nov 17, 2021 7:08 pm
Forum: Announcements
Topic: v6.49.1 [stable] is released!
Replies: 138
Views: 80535

Re: v6.49.1 [stable] is released!

The description for flagged mode is confusing. On one part it says it checks for system files, but on another part it says it checks your configuration. If suspicious configuration is detected, the suspicious configuration will be disabled and the flagged parameter will be set to "yes" Wha...
by R1CH
Mon Nov 15, 2021 5:51 pm
Forum: General
Topic: DoS on HotSpot [SOLVED]
Replies: 2
Views: 1338

Re: DoS on HotSpot [SOLVED]

Where are you seeing a DoS? There is no traffic beyond background noise in your screenshot.
by R1CH
Thu Nov 11, 2021 8:15 pm
Forum: General
Topic: hAP AC3 Netinstall / PXE boot
Replies: 1
Views: 1763

hAP AC3 Netinstall / PXE boot

Anyone having trouble with the hAP AC3 and netinstall / TFTP PXE booting? I can easily get the device into etherboot mode, but it sits there spamming bootp or dhcp requests and ignores the response from my DHCP server, eventually timing out and booting back into RouterOS. I tried upgrading Routerboo...
by R1CH
Thu Nov 11, 2021 6:04 pm
Forum: General
Topic: Public IP blacklisted by BBC Amazon and Netflix
Replies: 20
Views: 3149

Re: Public IP blacklisted by BBC Amazon and Netflix

These "free" VPNs turn your PC / network into a VPN endpoint for other users, which is why you get blocked or receive abuse reports. Best solution is to enforce TOS against such clients, this isn't easily solved on a technical level due to wide array of ports and protocols used to bypass f...
by R1CH
Wed Nov 10, 2021 7:12 pm
Forum: General
Topic: Block torrent downloads
Replies: 10
Views: 8966

Re: Block torrent downloads

It's not realistically possible, the best you can do is block DNS of popular torrents and trackers, but with DHT and PeX it only takes 1 peer to get through for torrents to work. Your best option is to throttle the speed you provide so that torrents don't negatively affect your network.
by R1CH
Thu Oct 28, 2021 12:54 am
Forum: General
Topic: Single TCP Connection issue
Replies: 17
Views: 3275

Re: Single TCP Connection issue

Strange, I've managed about 960mbps through a single TCP connection on a CCR1009. What does tool / profile look like?
by R1CH
Wed Oct 27, 2021 10:06 pm
Forum: General
Topic: Single TCP Connection issue
Replies: 17
Views: 3275

Re: Single TCP Connection issue

Is iperf showing dropped packets / retransmission? If not then it's limited by OS on one of the sides. Have you adjusted buffer sizes and window scaling on the sender / receiver?
by R1CH
Sat Oct 23, 2021 4:37 pm
Forum: General
Topic: Blocked IP?
Replies: 3
Views: 796

Re: Blocked IP?

Port forwarding is a relic of the 00s and not necessary for any modern applications. Only if you want to host a server do you need port forwarding.

Most likely it is blocked by their ISP, cellular connections tend not to work great for anything except simple TCP/IP.
by R1CH
Mon Oct 04, 2021 2:38 pm
Forum: RouterBOARD hardware
Topic: new AP - cAP XL ac - spotted on fcc site
Replies: 19
Views: 9937

Re: new AP - cAP XL ac - spotted on fcc site

Damn, that review does not look good. Wonder how it can be so much worse than the original? Maybe you got a bad model.
by R1CH
Mon Oct 04, 2021 2:13 am
Forum: General
Topic: Blocking Routers
Replies: 11
Views: 2000

Re: Blocking Routers

Your business model will always be able to be subverted by technical means, so further discussion is somewhat pointless.
by R1CH
Wed Sep 29, 2021 7:22 pm
Forum: General
Topic: [OT] Linux equivalent of MT connection-mark=no-mark ? [SOLVED]
Replies: 3
Views: 1412

Re: [OT] Linux equivalent of MT connection-mark=no-mark ? [SOLVED]

The kernel assigns default mark of 0, so "meta mark 0" I would assume.
by R1CH
Wed Sep 29, 2021 7:08 pm
Forum: RouterBOARD hardware
Topic: new AP - cAP XL ac - spotted on fcc site
Replies: 19
Views: 9937

Re: new AP - cAP XL ac - spotted on fcc site

Looking forward to a wAP AC XL too with similar 'internals' I saw a photo of the new wAP AC and it does seem to have changed to PCB antennas, I wonder how much of a difference these are compared to the plate antennas? https://openwrt.org/_media/media/mikrotik/mikrotik_wap_ac_rbwapg-5hacd2hnd_pcb.jpg
by R1CH
Mon Sep 27, 2021 8:58 pm
Forum: Wireless Networking
Topic: [SOLVED] => [wifiwave2] for cAP ac, hAP ac2
Replies: 85
Views: 47142

Re: [wifiwave2] for cAP ac, hAP ac2

FYI hAP ac2 just got official OpenWRT support, this milestone opens the possibility of supporting more Mikrotik IPQ40XX devices such as cAP ac and hAP ac3 in the future. https://firmware-selector.openwrt.org/?version=SNAPSHOT&target=ipq40xx%2Fmikrotik&id=mikrotik_hap-ac2 I finally got aroun...
by R1CH
Thu Sep 23, 2021 1:00 am
Forum: RouterBOARD hardware
Topic: new AP - cAP XL ac - spotted on fcc site
Replies: 19
Views: 9937

Re: new AP - cAP XL ac - spotted on fcc site

Thankfully OpenWRT fixes that.
by R1CH
Sun Sep 19, 2021 7:59 pm
Forum: General
Topic: Randomly resets and can't open some webpages
Replies: 6
Views: 1140

Re: Randomly resets and can't open some webpages

Random reset is usually power related. Check power supply voltage and output power, make sure cable length is not too long.

Webpages not opening may be due to incorrect MSS, need more diagnostics (ping, trace, etc) to confirm.
by R1CH
Sun Sep 19, 2021 7:27 pm
Forum: RouterBOARD hardware
Topic: new AP - cAP XL ac - spotted on fcc site
Replies: 19
Views: 9937

Re: new AP - cAP XL ac - spotted on fcc site

Does the cAP XL ac have a square case option like the original? I couldn't see anything on the product page and most installs I've done prefer the aesthetics of the square case.
by R1CH
Tue Sep 14, 2021 1:50 am
Forum: Useful user articles
Topic: Configuration to block users that tries to access router on non open port(s)
Replies: 86
Views: 24755

Re: 📌 Configuration to block users that tries to access router on non open port(s)

And also makes you extremely vulnerable to simple CPU DoS if someone spoofs IP and fills your blacklist with millions of IPs. Can also do http://your_ip:8291/lol in an image tag and firewall yourself off... these rules do more harm than good in the long run.
by R1CH
Sun Sep 12, 2021 3:59 pm
Forum: Announcements
Topic: Mēris botnet information
Replies: 75
Views: 228748

Re: Mēris botnet information

I wonder if there is some traffic amplification bug in the socks proxy, this doesn't make any sense to use as a DDOS botnet if you still have to originate all the attack traffic. I suppose it makes an attack harder to block when it originates from thousands of infected IPs, but based on volume this ...
by R1CH
Fri Sep 10, 2021 9:32 pm
Forum: Announcements
Topic: Mēris botnet information
Replies: 75
Views: 228748

Re: Mēris botnet information

There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration. What native functions in RouterOS support sending pipelined HTTP requests at these kind of rates? I find it unlikely that the attackers are simply proxying their DDoS traffic through infected Mikro...
by R1CH
Fri Sep 10, 2021 3:52 pm
Forum: Announcements
Topic: Mēris botnet information
Replies: 75
Views: 228748

Re: Mēris botnet information

Since these infected users still appear to be upgrading to recent RouterOS versions, can the upgrade process look for non-Mikrotik binaries or other signs of infection and warn the administrator to netinstall? If there was a system exploit to run arbitrary code, simply removing socks and scripts and...
by R1CH
Thu Sep 09, 2021 6:21 pm
Forum: General
Topic: 200k Mikrotik devices involved in DDoS botnet
Replies: 10
Views: 2555

200k Mikrotik devices involved in DDoS botnet

Looks like there is a new DDoS botnet on the loose, comprised of Mikrotik devices. We do not know precisely what particular vulnerabilities lead to the situation where Mikrotik devices are being compromised on such a large scale. Several records at the Mikrotik forum indicate that its customers expe...
by R1CH
Wed Sep 08, 2021 3:34 pm
Forum: RouterOS beta
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 49645

Re: v7.1rc3 [development] is released!

Is the Docker support an optional package? I can't imagine many people wanting this, and it introduces massive security implications especially for all those hacked routers. Since privilege escalation is pretty much a given, can we also allow root SSH access to RouterOS directly now? Running a singl...
by R1CH
Mon Sep 06, 2021 1:20 am
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3471

Re: Firewall Check

All those DDoS detect / drop rules actually make you more susceptible to DDoS since your router CPU increases for every rule a packet has to traverse.
by R1CH
Sun Sep 05, 2021 7:21 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 6357

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Given the awful upload performance, are you sure you have MTU / MSS set properly?
by R1CH
Sat Aug 28, 2021 5:00 pm
Forum: General
Topic: DoH Google certificate which one? [SOLVED]
Replies: 3
Views: 4904

Re: DoH Google certificate which one? [SOLVED]

No, just the one that dns.google uses.
by R1CH
Thu Aug 26, 2021 9:07 pm
Forum: General
Topic: DoH Google certificate which one? [SOLVED]
Replies: 3
Views: 4904

Re: DoH Google certificate which one? [SOLVED]

The cacert.pem is the same list that most browsers and operating systems trust. So if you don't trust them, you have a bigger problem :). If you only want to import a specific certificate, inspect the certificate chain of eg https://dns.google/ in your browser and import the relevant root certificate.
by R1CH
Tue Aug 17, 2021 11:51 pm
Forum: General
Topic: DoH doesn't resolve ssl.gstatic.com
Replies: 2
Views: 1085

Re: DoH doesn't resolve ssl.gstatic.com

DoH in RouterOS is still beta-quality IMO, I wouldn't rely on it just yet.
by R1CH
Fri Aug 06, 2021 2:21 pm
Forum: General
Topic: How to drop malware ip and malicious ip? (update list)
Replies: 7
Views: 1665

Re: How to drop malware ip and malicious ip? (update list)

You should be blocking *everything* by default and then open only strictly necessary ports. Use VPN or LAN interface for management. You will need to do a clean reinstall if its been hacked already.
by R1CH
Thu Aug 05, 2021 10:00 pm
Forum: General
Topic: Hap AC2 slow wireless
Replies: 9
Views: 1721

Re: Hap AC2 slow wireless

WMM is about traffic prioritization not speed ... WMM is required for all rates above 54mbps. I don't know how exactly it's implemented on Mikrotik since even with it off you can still see > 54mbps, but the spec requires it for all 802.11n / 802.11ac rates. I think it's ridiculous that it's off and...
by R1CH
Thu Aug 05, 2021 6:24 pm
Forum: General
Topic: Hap AC2 slow wireless
Replies: 9
Views: 1721

Re: Hap AC2 slow wireless

Advanced mode, enable WMM, set indoors installation, set 80 MHz channels. For further speed, install OpenWRT.
by R1CH
Thu Aug 05, 2021 5:48 pm
Forum: General
Topic: Did I miss something? New 4011
Replies: 30
Views: 5007

Re: Did I miss something? New 4011

ROS 7 is a dealbreaker for me, can't put anything into production that's running buggy beta software. And all these new CPUs seem to take a very long time to actually become stable, look at 4011, 2004... I really want to like the hardware but the software just can't keep up.
by R1CH
Tue Aug 03, 2021 3:42 pm
Forum: General
Topic: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?
Replies: 12
Views: 1672

Re: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?

You would need multiple 5 GHz radios to do this, a smartphone in hotspot mode runs as an AP, not a client, so you need a unique radio to connect to each smartphone in client mode. So no, wAP AC cannot do this (in fact, this setup is not really realistic for any Mikrotik product)
by R1CH
Sun Aug 01, 2021 12:56 am
Forum: General
Topic: Flood Protect UDP/TCP and SYN
Replies: 8
Views: 5924

Re: Flood Protect UDP/TCP and SYN

Why did you bump a thread from 2012 ...
by R1CH
Fri Jul 30, 2021 11:20 pm
Forum: General
Topic: Feature request : udpxy
Replies: 3
Views: 2031

Re: Feature request : udpxy

There is already multicast package which does this.
by R1CH
Thu Jun 24, 2021 3:35 pm
Forum: General
Topic: Under flood attack, how resolve this ? [SOLVED]
Replies: 107
Views: 17382

Re: Under flood attack, how resolve this ? [SOLVED]

Get rid of any complicated anti DDoS rules, you want your router to forward the packets as fast as possible to your much more powerful PC that ignores them. Sounds like the real DoS condition is your router CPU being overwhelmed by too many rules, or it's a simple bandwidth exhaustion attack (in whi...
by R1CH
Mon Jun 21, 2021 11:29 pm
Forum: General
Topic: hAP AC2 Wifi fault
Replies: 5
Views: 1031

Re: hAP AC2 Wifi fault

erlinden is entirely correct. Running a residential AP at 30dBm TX power is downright stupid and no wonder people think Wi-Fi sucks when operators do this. You want balanced TX/RX powers to avoid problem shown above, ideally TX power as low as possible to avoid co-interference and encourage client r...
by R1CH
Mon Jun 07, 2021 3:01 pm
Forum: General
Topic: TCP Established and Call of Duty disconnects
Replies: 6
Views: 1227

Re: TCP Established and Call of Duty disconnects

Try disabling fastpath/fasttrack, netfilter timeouts don't update properly for offloaded traffic.
by R1CH
Mon May 17, 2021 6:37 pm
Forum: General
Topic: RouterOS 6.48.2 firewall issue
Replies: 1
Views: 643

Re: RouterOS 6.48.2 firewall issue

The default firewall does not block outbound connections, port 22 is likely filtered further upstream by modem / ISP.
by R1CH
Mon May 17, 2021 6:36 pm
Forum: General
Topic: hAP ac no access, even after reset or netinstall
Replies: 5
Views: 1613

Re: hAP ac no access, even after reset or netinstall

Try winbox mac connection, sometimes you won't have any config after netinstall.
by R1CH
Thu May 13, 2021 12:28 am
Forum: General
Topic: New WiFi Vulnerabilities - Frag Attacks
Replies: 19
Views: 6088

Re: New WiFi Vulnerabilities - Frag Attacks

... Experiments indicate that every Wi-Fi product is affected by at least one vulnerability... (...and that most products are affected by several vulnerabilities...) ... https://www.fragattacks.com/ Nice, fragattacks for say this, has buyed every model of access pont than exist on the world! But re...
by R1CH
Wed May 12, 2021 10:36 pm
Forum: General
Topic: New WiFi Vulnerabilities - Frag Attacks
Replies: 19
Views: 6088

Re: New WiFi Vulnerabilities - Frag Attacks

Did anyone bother to even test a MikroTik device for the said vulnerability? or we're just posting shit on the forums? "Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities." I wasn't able to...
by R1CH
Wed May 12, 2021 12:59 am
Forum: General
Topic: New WiFi Vulnerabilities - Frag Attacks
Replies: 19
Views: 6088

New WiFi Vulnerabilities - Frag Attacks

This looks bad: 11 May 2021 — This website presents FragAttacks (fragmentation and aggregation attacks) which is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or at...
by R1CH
Sun May 02, 2021 7:19 pm
Forum: General
Topic: connecting intel AX210 module to RouterBoard
Replies: 2
Views: 1174

Re: connecting intel AX210 module to RouterBoard

RouterOS does not support 802.11ax.
by R1CH
Fri Apr 30, 2021 12:10 am
Forum: General
Topic: ICMP Packet loss when WAN is saturated
Replies: 5
Views: 1438

Re: ICMP Packet loss when WAN is saturated

OpenWRT handles saturation much better due to fq_codel / cake schedulers, not yet available on Mikrotik. You have to cap your bandwidth significantly below link saturation point to avoid buffers being flooded.
by R1CH
Sat Apr 24, 2021 9:19 pm
Forum: General
Topic: Blocking LLDP / Protocol 35020
Replies: 4
Views: 2633

Re: Blocking LLDP / Protocol 35020

You can't "block" broadcast traffic, it doesn't get routed. If you don't want it on your network you need to filter it on your switches or disable LLDP on the source devices.
by R1CH
Fri Apr 23, 2021 1:23 am
Forum: General
Topic: FTP with WININET.dll Problem (Visual Foxpro)
Replies: 7
Views: 1463

Re: FTP with WININET.dll Problem (Visual Foxpro)

This is expected as you've disabled the conntrack helper.
/ip firewall service-port
set ftp disabled=yes
by R1CH
Thu Apr 22, 2021 4:29 pm
Forum: General
Topic: FTP with WININET.dll Problem (Visual Foxpro)
Replies: 7
Views: 1463

Re: FTP with WININET.dll Problem (Visual Foxpro)

Probably conntrack FTP helper is turned off or behind dual NAT. Winnet FTP uses active mode (requires open port) by default.
by R1CH
Sat Apr 03, 2021 8:01 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 8710

Re: port 53 open despite firewall rules

Yes, this is exactly what happens. A Mikrotik router does not run "dnsmasq", it is instead home-grown MT DNS server. So an ISP in between the place you are scanning from and your router is intercepting your DNS queries. This is why users should use DoH / DNSCrypt / etc to prevent this kind...
by R1CH
Thu Apr 01, 2021 4:16 pm
Forum: General
Topic: TCP MSS Value
Replies: 2
Views: 1080

Re: TCP MSS Value

If you have a non-1500 MTU, yeah you can clamp it to avoid clients having to do PMTU discovery. But this has no relation to DoS resistance.
by R1CH
Thu Apr 01, 2021 1:37 am
Forum: General
Topic: DoS SSDP
Replies: 2
Views: 976

Re: DoS SSDP

It looks like you have ports in a bridge or a switch that are flooding multicast traffic. Filter or rate limit broadcasts / multicasts from clients from or disable multicast flooding if it isn't necessary. A complete topology of your network would be needed to diagnose further.
by R1CH
Thu Mar 18, 2021 6:21 pm
Forum: General
Topic: Hotspot HTTPS , need help ;(
Replies: 2
Views: 752

Re: Hotspot HTTPS , need help ;(

This is not possible. You can only use HTTPS for your payment / login gateway pages, but not for redirection. If anyone could intercept HTTPS requests it wouldn't be very secure would it?
by R1CH
Sun Mar 07, 2021 4:16 pm
Forum: General
Topic: router for fiber internet + wifi AC speeds question
Replies: 8
Views: 1467

Re: router for fiber internet + wifi AC speeds question

1gbps on AC is an unrealistic expectation, and physically impossible with the 2x2 card you listed. The most you can expect is ~400mbps real-world throughput at 2x2 80 MHz MCS-9. Mikrotik products like hAP AC2/3 and RB4011 can achieve this. I don't think anything supports 160 MHz currently which woul...
by R1CH
Tue Feb 02, 2021 1:55 am
Forum: General
Topic: NAT Slipstreaming v2.0
Replies: 5
Views: 2095

Re: NAT Slipstreaming v2.0

Disabling all service helpers is a good idea, very rarely will they help. Modern SIP phones for example have built-in NAT traversal and FTP commonly uses encryption that makes the helper unable to see the data.
by R1CH
Thu Jan 28, 2021 3:40 am
Forum: General
Topic: NAT Slipstreaming v2.0
Replies: 5
Views: 2095

Re: NAT Slipstreaming v2.0

Yes, ALG is enabled for all protocols in default config.
by R1CH
Thu Jan 21, 2021 2:55 pm
Forum: General
Topic: Is RouterOS and (routing in general) still faster on routers than on dedicated computer ? [SOLVED]
Replies: 13
Views: 6224

Re: Is RouterOS and (routing in general) still faster on routers than on dedicated computer ? [SOLVED]

Mikrotik routers are generic CPUs like a PC would be, ASICs you will find in higher end gear like Cisco. A PC router would be faster than most Mikrotik products.

IMO ASIC isn't needed until you get into the 20gb+ line rate.
by R1CH
Fri Jan 08, 2021 8:53 pm
Forum: General
Topic: Howto mark Amazon AWS traffic?
Replies: 13
Views: 4023

Re: Howto mark Amazon AWS traffic?

The IP ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json, just script something to update the address list.
by R1CH
Wed Dec 30, 2020 3:24 pm
Forum: Wireless Networking
Topic: [SOLVED] => [wifiwave2] for cAP ac, hAP ac2
Replies: 85
Views: 47142

Re: [wifiwave2] for cAP ac, hAP ac2

With OpenWRT on wAP AC (original), I get ~ 350mbps single client TCP throughput at MCS-9, 2x2, 80 MHz, WPA3. Device CPU is very close to 100% though which seems to be the limiting factor. Very happy with stability, every device "just works" and no weird throughput issues like MT wireless h...
by R1CH
Mon Dec 07, 2020 11:51 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 83
Views: 29812

Re: "antenna gain" missing in 6.46.8?

Yes, exactly that. Since it knows the gain of the integrated antenna it uses a hard coded value instead of being set from user input. So if you have any device with integrated antenna, there is no good way to reduce TX power.
by R1CH
Fri Dec 04, 2020 5:22 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 83
Views: 29812

Re: "antenna gain" missing in 6.46.8?

What most people really want is to enter simple value that lowers the gain proportionally for all modulations by a specified number. If I want 5dBm weaker signal, I just enter "5" and I get 5dBm less signal over all modulations and modes. Irregardless of regulation domain settings, MIMO c...
by R1CH
Thu Dec 03, 2020 7:57 pm
Forum: Wireless Networking
Topic: Increase performance of home WiFi
Replies: 18
Views: 15365

Re: Increase performance of home WiFi

2.4 GHz is usually pretty bad except in remote places, way too much interference. You should also enable WMM if you want 802.11n to work.
by R1CH
Thu Dec 03, 2020 3:45 pm
Forum: RouterOS beta
Topic: v7.1beta3 [development] is released!
Replies: 261
Views: 79109

Re: v7.1beta3 [development] is released!

Great to finally see some movement on newer wireless drivers, but also disappointing to see that no currently released AP hardware can use them (especially the just-released wAP AC revision). Wave2 has been around for over four years at this point! There should have been plenty of time to evaluate t...
by R1CH
Tue Dec 01, 2020 4:33 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 3367

Re: Port scanner filling up connection tracking

You run BGP and don't understand how stateful / stateless firewalls work? I second the suggestion to get a consultant (though not the one above that is also a useless blacklist). You're clearly in over your head here. Using PSD just opens you to further attack when someone decides to spoof the IP of...
by R1CH
Mon Nov 30, 2020 8:27 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 3367

Re: Port scanner filling up connection tracking

Why do you have connection tracking enabled for those connections to begin with? Sounds like you aren't doing NAT.
by R1CH
Fri Nov 20, 2020 8:59 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 65
Views: 32687

Re: MikroTik newsletter November 2020 (#98)

Correct me if I am wrong, but isn't the new wAP AC now identical to the cAP AC? Except cAP AC has PoE out on the 2nd port and is $20 cheaper. Are we really paying +$20 for a different case?
by R1CH
Tue Nov 17, 2020 2:43 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 65
Views: 32687

Re: MikroTik newsletter November 2020 (#98)

When can we expect to see the new wAP AC at distributors? Thinking of getting one for performance testing. Hopefully they don't co-mingle their stock!
by R1CH
Fri Nov 06, 2020 4:13 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 65
Views: 32687

Re: MikroTik newsletter November 2020 (#98)

I'm still skeptical, the CPU isn't a bottleneck on my current wAP AC (it's just an AP), and my signal strength is also great. Can two chains on a new chipset really outperform three chains on an older one? The Mikrotik wireless driver has traditionally had poor MU-MIMO / Wave2 support as well. I gue...
by R1CH
Fri Nov 06, 2020 3:28 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 65
Views: 32687

Re: MikroTik newsletter November 2020 (#98)

Not really sure I consider the wAP AC an upgrade when it went from 3 chain to 2 chain :(. With more and more devices sharing the same frequency, having good MU-MIMO throughput becomes very important, this seems like a step backwards to me when the competition is selling 4x4 devices. Re-using the nam...
by R1CH
Wed Oct 28, 2020 6:08 pm
Forum: General
Topic: TCP Bottleneck
Replies: 6
Views: 2081

Re: TCP Bottleneck

Bandwidth test through the device, not on the device, or you only test how slow the CPU is at generating traffic. Use iperf3 and your own endpoints.
by R1CH
Wed Oct 07, 2020 12:19 pm
Forum: General
Topic: DDoS detection and blocking [SOLVED]
Replies: 9
Views: 4070

Re: DDoS detection and blocking [SOLVED]

UDP source addresses are trivially spoofed, using rules like this you turn a volumetric DDoS into a computational DDoS as your connection tables fill up and crash the router. There are no magic rules to fix DDoS. If your bandwidth is lower than the incoming traffic then by the time it hits your rout...
by R1CH
Sun Sep 13, 2020 6:32 pm
Forum: General
Topic: CVE-2020-11881 PATCH [SOLVED]
Replies: 28
Views: 8288

Re: CVE-2020-11881 PATCH [SOLVED]

Very disappointing if this was disclosed to them in April! Luckily SMB is not a feature that should be enabled by most users.
by R1CH
Sun Sep 13, 2020 6:28 pm
Forum: Announcements
Topic: Expected down time for this forum SEPT 11
Replies: 42
Views: 18789

Re: Expected down time for this forum SEPT 11

Also had to do a reset, made much more difficult when you have to reset by email and not username! My password was also long, autogenerated by password manager. Reset accepted the same one without a problem.
by R1CH
Wed Jul 29, 2020 2:29 pm
Forum: General
Topic: Timeout instead of proxy error page when using https
Replies: 6
Views: 2618

Re: Timeout instead of proxy error page when using https

You can't forge HTTPS certificate of the visited site, so you will never be able to show an error.
by R1CH
Fri Jul 24, 2020 4:11 pm
Forum: General
Topic: Max Throughput of hEX RB750Gr3
Replies: 8
Views: 9352

Re: Max Throughput of hEX RB750Gr3

1gbps should be no problem for this router, I measured about 30% CPU on 1gbps download with fasttrack enabled, though obviously it depends on the complexity of your firewall and other configuration.
by R1CH
Wed Jun 24, 2020 9:57 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 (hEX) supports 802.3af PoE?
Replies: 7
Views: 3442

Re: RB750Gr3 (hEX) supports 802.3af PoE?

Injectors certainly can't perform any negotiation, they are dumb devices which just put power onto the cable. There is some kind of proprietary negotiation with passive PoE out on Mikrotik switches, but as I don't know what is on the other end of this cable I have to assume it was an injector or 802...
by R1CH
Wed Jun 24, 2020 3:01 am
Forum: RouterBOARD hardware
Topic: RB750Gr3 (hEX) supports 802.3af PoE?
Replies: 7
Views: 3442

Re: RB750Gr3 (hEX) supports 802.3af PoE?

"Real" (802.3af) PoE can be automatic or forced-on, passive PoE as used by Mikrotik supplies the power constantly with no negotiation, so you can fry things that aren't expecting it.
by R1CH
Sat Jun 20, 2020 12:39 am
Forum: General
Topic: Block pornographic pages
Replies: 5
Views: 2569

Re: Block pornographic pages

by R1CH
Mon Jun 15, 2020 7:18 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 (hEX) supports 802.3af PoE?
Replies: 7
Views: 3442

Re: RB750Gr3 (hEX) supports 802.3af PoE?

I ended up disconnecting the hEX and used a hAP AC2 instead so I unfortunately can't check that. I don't believe the hAP AC2 powered on from the cable but now I am wondering if perhaps I missed it. I can't say for certain that the other end of the link was 802.3af compliant, the previous device whic...
by R1CH
Mon Jun 15, 2020 12:28 am
Forum: RouterBOARD hardware
Topic: RB750Gr3 (hEX) supports 802.3af PoE?
Replies: 7
Views: 3442

RB750Gr3 (hEX) supports 802.3af PoE?

I recently installed a hEX at a client who had 802.3af PoE on their WAN Ethernet link. According to the spec sheet of the RB750Gr3, only passive PoE is supported, so imagine my surprise when I plugged the WAN cable to Ether1 and the hEX powered up... Is this a safe configuration? The supported passi...
by R1CH
Fri May 15, 2020 8:48 pm
Forum: Announcements
Topic: v6.46.6 [stable] is released!
Replies: 68
Views: 54282

Re: v6.46.6 [stable] is released!

Just came to update some routers today and also seeing changelog from 2011, what is going on?!

Image
by R1CH
Fri Apr 24, 2020 4:13 pm
Forum: General
Topic: Poor/ absolutely disappointing cAP ac (model: RBcAPGi-5acD2nD)
Replies: 4
Views: 3443

Re: Poor/ absolutely disappointing cAP ac (model: RBcAPGi-5acD2nD)

You should always set country and installation / distance to indoor to ensure the channel configuration matches what the client device is allowed to use. Out of the box, MT devices need quite a bit of configuring to get to a usable state - disable legacy protocols, enable WMM, etc.
by R1CH
Sun Mar 01, 2020 7:53 pm
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 106
Views: 77669

Re: v6.46.4 [stable] is released!

*) system - improved system stability when receiving/sending TCP traffic on multicore devices;

Also requesting more info on this, changes to TCP can affect many things, I would like to know exactly what was changed.
by R1CH
Wed Feb 19, 2020 11:35 pm
Forum: General
Topic: Is this a DDOS/Attack?
Replies: 2
Views: 1772

Re: Is this a DDOS/Attack?

That is the point of tarpit, you attract all the traffic to the tarpit so the resources of the attacker are tied up and unable to affect the rest of the network. It seems you probably want a DROP rule instead.
by R1CH
Fri Feb 07, 2020 1:57 pm
Forum: Wireless Networking
Topic: Hotspot Https
Replies: 20
Views: 5570

Re: Hotspot Https

It is up to the CLIENT DEVICE to detect the hotspot and redirect to the login page. Make sure all HTTP and DNS requests are redirecting to your hotspot, and that's all you can do. Absolutely nothing else on your end can influence that.
by R1CH
Thu Feb 06, 2020 4:49 pm
Forum: General
Topic: New RouterOS / Mikrotik user - A few glaring missing features / bugs...
Replies: 5
Views: 2150

Re: New RouterOS / Mikrotik user - A few glaring missing features / bugs...

Unfortunately most of this is true, mostly due to Mikrotik writing their own proprietary implementations of wireless drivers, OpenVPN protocol, etc, so it isn't as simple as just upgrading to the latest public versions. As a power user myself, I still like Mikrotik simply for ease of use and deploym...
by R1CH
Thu Feb 06, 2020 4:44 pm
Forum: Announcements
Topic: Winbox v3.21 released!
Replies: 55
Views: 40519

Re: Winbox v3.21 released!

*) improved MikroTik signature checking on WinBox update;
I can confirm that this now closes the remote code execution bug possible by a MITM. Using winbox auto update should be safe for now :).

Also as a high DPI user, this release looks beautiful...
by R1CH
Fri Jan 31, 2020 8:00 pm
Forum: General
Topic: Reddit packet marking on address list.
Replies: 1
Views: 1269

Re: Reddit packet marking on address list.

Your reddit.com address list is probably incorrect.
by R1CH
Fri Jan 31, 2020 1:52 am
Forum: General
Topic: Audiophile Level(Low Noise Floor, Silent) Mikrotik vs Ubiquiti Unifi Network Switch
Replies: 31
Views: 8446

Re: Audiophile Level(Low Noise Floor, Silent) Mikrotik vs Ubiquiti Unifi Network Switch

There's a whole industry based around selling "high end audio" versions of digital equipment for 10-100x normal price. There's no point trying to convince audiophiles that digital signals are not distorted like analogue, they'll always say it "sounds better" because they spent mo...
by R1CH
Wed Jan 22, 2020 7:11 pm
Forum: General
Topic: My public IP is getting raped by port scanners - is that normal?
Replies: 24
Views: 6148

Re: My public IP is getting raped by port scanners - is that normal?

You should DROP all unknown traffic on input chain, and especially not log (easy to exhaust the router with a tiny flood). Your current rules that add to address lists (which you then presumably drop) also open you to attacks by an IP spoofing attacker.
by R1CH
Wed Jan 01, 2020 10:44 pm
Forum: General
Topic: How to redirect all website traffic to one website? [SOLVED]
Replies: 1
Views: 1480

Re: How to redirect all website traffic to one website? [SOLVED]

Use hotspot feature. Keep in mind you cannot redirect HTTPS sites (of which the majority of modern sites are).
by R1CH
Wed Dec 25, 2019 1:12 am
Forum: General
Topic: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?
Replies: 9
Views: 3187

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

This doesn't mention a specific exploit, just a port scan. So there is nothing you're really "vulnerable" to, but if your winbox port is reachable by random users you should expect that to change in the future.
by R1CH
Fri Dec 13, 2019 4:37 pm
Forum: General
Topic: DNS Cache
Replies: 21
Views: 7859

Re: DNS Cache

Why do you have allow-remote-requests turned on if you don't want people using it?
by R1CH
Tue Dec 10, 2019 12:45 pm
Forum: General
Topic: mikrotik.com SSL errors
Replies: 1
Views: 1297

mikrotik.com SSL errors

Seems like there are problems on domains used by mikrotik.com, I can't load the product pages or any others due to SSL errors on half of the hosts for i.mt.lv.

Image
by R1CH
Mon Dec 09, 2019 1:34 pm
Forum: General
Topic: Devices are not reliably responding to ARP requests / Wifi Power Saving
Replies: 11
Views: 5798

Re: Devices are not reliably responding to ARP requests / Wifi Power Saving

Is WMM enabled? This is a pre-requisite for a lot of power saving features, though Mikrotik's proprietary wireless drivers are missing a lot of functionality in this area.
by R1CH
Fri Dec 06, 2019 7:27 pm
Forum: General
Topic: Fix for CVE-2019-14899?
Replies: 9
Views: 3480

Re: Fix for CVE-2019-14899?

If you have untrusted devices on your layer 2 network then they can easily ARP spoof, DNS spoof, etc and do a full MITM on you much more easily than exploiting this vulnerability.
by R1CH
Fri Dec 06, 2019 6:36 pm
Forum: General
Topic: Fix for CVE-2019-14899?
Replies: 9
Views: 3480

Re: Fix for CVE-2019-14899?

I wouldn't worry about this one. This requires a "network adjacent attacker" (layer 2), so why do you have attackers next to your router? If you're seriously worried about this, turn on strict reverse-path filtering and block private IP ranges from WAN interfaces (which is a good practice ...
by R1CH
Wed Oct 30, 2019 12:13 pm
Forum: General
Topic: Why the official Mikrotik.com site does use the Let's Encrypt?
Replies: 9
Views: 2705

Re: Why the official Mikrotik.com site does use the Let's Encrypt?

With certificate transparency being a requirement these days, any state that MITM's their users with trusted certificates will be very quickly discovered and their certificates revoked.
by R1CH
Tue Oct 29, 2019 9:49 pm
Forum: General
Topic: Why the official Mikrotik.com site does use the Let's Encrypt?
Replies: 9
Views: 2705

Re: Why the official Mikrotik.com site does use the Let's Encrypt?

Let's Encrypt is just as good, if not better than any other commercial CA. The short lifetime (3 months) limits the duration that a compromised certificate is useful. Considering the track record of commercial CA's mis-issuing certificates, I would trust Let's Encrypt far more than Comodo and friend...
by R1CH
Tue Oct 29, 2019 12:26 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 69883

Re: v6.45.7 [stable] is released!

At a high level, “messages” sent to the Winbox port can be routed to different binaries in RouterOS based on an array-based numbering scheme. Sigh... who designed this braindead protocol that allows UNAUTHENTICATED USERS to invoke whatever binary they want?! Any programmer could see what a terrible...
by R1CH
Mon Oct 28, 2019 8:32 pm
Forum: General
Topic: When to Upgrade RouterBOARD Firmware / Bootloader?
Replies: 10
Views: 5989

Re: When to Upgrade RouterBOARD Firmware / Bootloader?

You have no idea! I really wish Mikrotik would revert to the old versioning for firmware so you can actually tell when there is an update. I recommend pe1chl's advice.
by R1CH
Mon Oct 28, 2019 8:30 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 69883

Re: v6.45.7 [stable] is released!

!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979); Could you give some more info about the exploitability of this? Are all situations where RouterOS parses a DNS packet vulnerable? Eg router used in typical setup - DNS server for LAN and sends queries to the inte...
by R1CH
Fri Oct 25, 2019 7:38 pm
Forum: General
Topic: CVE-2019-15055
Replies: 16
Views: 4289

Re: CVE-2019-15055

There is a special .npk package you can install that allows you to SSH into a root shell. You can also mount the filesystem offline or use this CVE to do a similar thing, if you have physical access to the router then nothing is really secure.
by R1CH
Wed Oct 23, 2019 5:56 pm
Forum: General
Topic: DoS Protection [Question]
Replies: 11
Views: 3880

Re: DoS Protection [Question]

The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to D...
by R1CH
Wed Oct 23, 2019 12:50 pm
Forum: General
Topic: DoS Protection [Question]
Replies: 11
Views: 3880

Re: DoS Protection [Question]

The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to Do...
by R1CH
Fri Oct 18, 2019 2:00 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 22857

Re: Is there an new exploit going around?

To test some of the theories in this thread, I netinstalled 6.45.6 on a spare board, with default config and then exposed SSH to the internet after setting a strong admin password. So far while there are plenty of brute force attempts, there is no sign of an exploit that can bypass authentication. I...
by R1CH
Thu Oct 17, 2019 8:11 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 22857

Re: Is there an new exploit going around?

RouterOS doesn't use web interfaces on top of busybox, it has a custom proprietary protocol. Exploits affecting other devices like the DLINK or Netgear are not going to work on RouterOS.
by R1CH
Thu Oct 17, 2019 6:31 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 22857

Re: Is there an new exploit going around?

@NathanA, was SSH the only exposed service? No winbox or API etc?
by R1CH
Thu Oct 17, 2019 5:18 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 22857

Re: Is there an new exploit going around?

I'm inclined to agree with normis here. The Linux kernel firewall operates before any user service like SSH or Winbox even sees a packet, so it's extremely doubtful that the exploit can bypass a properly configured firewall. Don't forget your customers / clients can also be infected with malware - o...
by R1CH
Thu Oct 17, 2019 4:28 pm
Forum: General
Topic: defend from large icmp requests
Replies: 4
Views: 1719

Re: defend from large icmp requests

/ip firewall add action=drop chain=input packet-size=200-65535 protocol=icmp
/ip firewall add action=drop chain=forward packet-size=200-65535 protocol=icmp
by R1CH
Thu Oct 17, 2019 2:25 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 22857

Re: Is there an new exploit going around?

Seems quite widespread. It intercepts DNS requests and redirects any HTTP requests to https://www.youtube.com/watch?v=MK_VfUErRaY&feature=youtu.be. If you look at the comments you can see lots of affected users wondering what the hell is going on. While this might appear benign, any credentials ...
by R1CH
Wed Oct 16, 2019 12:27 am
Forum: Announcements
Topic: Winbox v3.20 released!
Replies: 42
Views: 57635

Re: Winbox v3.20 released!

*) on update, Winbox will check that code is signed by MikroTik and not somebody else;
Unfortunately this check still seems insecure.

Image
by R1CH
Mon Oct 14, 2019 1:33 pm
Forum: General
Topic: [feature request] Blocking a special kind of DDoS [SOLVED]
Replies: 17
Views: 9101

Re: [feature request] Blocking a special kind of DDoS [SOLVED]

Is this targeting the router or a service behind the router? If the router, such requests should just be DROP with basic firewall, nothing special needed. If its a service behind the router, then that service should enable syncookies as syn flood is easily countered these days.
by R1CH
Thu Oct 03, 2019 12:22 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 387
Views: 191729

Re: RB4011

Had an odd issue recently, my 4011 seemed to have a thread stuck at 100% CPU. Had to reboot to get it to go away. Anyone else seen this before?

Image
by R1CH
Thu Sep 26, 2019 11:49 pm
Forum: General
Topic: Laptops are trying to hack my router
Replies: 8
Views: 3078

Re: Laptops are trying to hack my router

Time to format it, clearly infected with malware.
by R1CH
Thu Sep 26, 2019 11:48 pm
Forum: General
Topic: Mikrotik automatically changes password
Replies: 6
Views: 3494

Re: Mikrotik automatically changes password

Someone did, since you left an unsecured router accessible!
by R1CH
Wed Sep 25, 2019 3:39 pm
Forum: General
Topic: Router under Ddos atac on port 53 and 389.
Replies: 8
Views: 3553

Re: Router under Ddos atac on port 53 and 389.

If you're experiencing high CPU load then you should remove unnecessary firewall rules (all those port scan detection rules for example are useless if you just drop by default). If you're experiencing bandwidth exhaustion then the attack can only be filtered by your upstream.
by R1CH
Fri Sep 20, 2019 12:53 pm
Forum: RouterOS beta
Topic: Torrent client
Replies: 59
Views: 36237

Re: Torrent client

Please put these kind of features in a external packages. Completely unnecessary for the majority of the users and will only end up as an security issue.

Normal people gets an NAS or mini-server to run torrents.
100% agreed.
by R1CH
Mon Sep 09, 2019 2:16 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 3941

Re: Policy to block website in Mikrotik increase CPU

Redirect DNS to local DNS and then filter at DNS server.

Note that blocking 100% is impossible.
by R1CH
Sat Sep 07, 2019 2:23 pm
Forum: General
Topic: SSH and RDP blacklist CPU usage
Replies: 4
Views: 1777

Re: SSH and RDP blacklist CPU usage

You're doing content matching on every outbound packet - of course it's going to be slow! This is a really badly designed firewall, just by writing "530 Login incorrect" in plain text I can trigger your output match rules. And if I was an actual attacker, this rule is useless since I could...
by R1CH
Thu Sep 05, 2019 12:47 am
Forum: General
Topic: winBox access to a wifiranger
Replies: 3
Views: 1703

Re: winBox access to a wifiranger

Judging by their screenshots they are using custom software, not RouterOS.