MikroTik

eXS

How can i add to a list and drop at the same rule?

You can't do both with one rule

eXS

how many blacklists do you need? - drop the blacklist(s) themselves after being added to the list instead of repeating everything twice, also consider dropping blacklist on fwd chain, drop blacklist in raw prerouting, both directions - sometimes an outbound connection might come up related

eXS

No one ever seems to talk about TZSP or getting in the weeds a little bit, so I figured I'd share this Disclaimer: I'm not the best at scripting, i'm old and literally started on DOS before Windows, can sometimes pull things off in powershell but sometimes still avoid it. I apologize in advance for ...

eXS

This thread was a disappointing find as I just purchased 2x of these. I just put them in a rack and started configuring last friday, then found this thread. I usually only run Long-term release so how long is it going to take before Testing-release changes show up? If they even fix the issues anyway...

eXS

It would be handy if 'add src to address list' could optionally convert it to a /24 (or whatever), i have 15k+ address book at the moment.

eXS

I've had this problem when windows is confused as to its own routing (multiple NICs, empty gateway on one or whatever etc) Does this windows machine have multiple network cards? Try disabling all NICs with the exception of one (which i'm assuming you'd know which) The alternative being hitting the c...

eXS

viewtopic.php?f=2&t=140245

eXS

The rule /ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24 I tried to keep a queue functional by excluding [!] the IP's, similar to above ^, but it would not work. I had to put accept rules with that traffic before th...

eXS

Is using FastTrack at MT router with NAT overrides(disables) Simple Queue for traffic passing that router. In other words - can I use FastTrack AND Simple Queues? Yes, but only if you have an "accept" rule in the firewall to accept the traffic that needs to flow through the simple queue (...

eXS

I never use the built in packet sniffer tool in winbox or the web interface, but i do use mangle rules to "sniff tzsp" (action) to a wireshark box, target port 37008 / "tzsp" in wireshark, since tzsp uses udp it can be tricky/shitty to filter in wireshark for udp but it can be do...

eXS

Today the firewall connections list on one of my 1100x2's in winbox would keep going blank, progressively remaining/becoming more blank the longer the window was left open, despite 300-400 (fluctuating) "items" (bottom of connections window) - for a moment i thought it was because the list...

eXS

Overall i would not say "winbox is hard to use" (comparatively) Winbox makes other gui's seem like garbage. I can get things done a lot faster in winbox compared to others. - but there is certainly room for improvement. Being able to minimize or some form of tabs (as an option) or a differ...

eXS

After upgrade & logging in for the first time the "Check for Updates" dialog was blank & giving an " error could not connect out of streams resources " at the bottom, this error remained despite trying "Check for updates" - by near accident i noticed if i change...

eXS

Throwing guesses out there: @ Bridge Settings [x] Use IP Firewall ? (and others+) [ ] Allow Fast Path? @ Bridge / [x/ ] VLAN Filtering ? @ Ports / Port Settings [ ] Hardware Offload <- (I know this has to be turned off under certain situations) I don't have anything to look at in front of so not sure.

eXS

Bridges involved?

eXS

This seems ridiculous?

In the industry every service isn't passing around plain text usernames?

Not a concern?

eXS

Looking at the Ethernet test results of RB4011 vs RB1100AHx4 - How is the RB4011 pulling better numbers? Where's the difference?

eXS

Are you literally using 1.2.3.0/24 ?

eXS

Sounds like Hulu doesn't like something about your connection (ISP, your IP address, Geolocation) or is detecting an open service on your IP address (or provider) I have users watching Hulu daily, no problems. I have no experience with PS4 but i'm guessing it's lack of PnP related, which no one seem...

eXS

I might agree with that, services are kind of all overish

eXS

Don't be afraid to get out there a little more on ports, ranges and some UDP in there too.

- Although taken to an extreme you may want to make sure you know how to track down inadvertently blocked traffic first :>

eXS

Port 23, among many others, is one that I also monitor & ban on. (add to 'ban' address list)

As indicated, I've also found it to be the most frequently hit port, I get hit constantly.

Disable the service & change the corresponding service port to something (anything) else.

eXS

FWIW i checked my fw's shitlist and found several 185.153.198.* IPs

eXS

Same here

eXS

I've been curious about using packet flags/state to detect port scans but i went the cheap route - I use (input) fw rules to ban IPs trying to connect to ports that aren't in use. With some exceptions anything <= 1024 essentially, using ranges. I also then add many (one-off) ports above that range t...

eXS

i get very specific and 30 rules isn't even worth the post

eXS

Simple: do not use the resolver in the MikroTik for clients, but let them directly use 1.1.1.1 or 8.8.8.8 or similar.
(advertised via DHCP)

I think there's a lot of reasons people wouldn't want to do that though.

eXS

I was thinking maybe he was missing NAT/masq rules or a misconfig there

eXS

Or, uh not that?

eXS

It was less than a month between the increased botnet http vuln (03/28) & the discovery of the winbox vuln (04/23) Can someone confirm VPNfilter exclusively utilizing the http vuln ? A post in the http vuln (03/28) thread: "Also via the winbox port ... We think there is a circular second ex...

eXS

My understanding is that FW rules ( a layer 3 function) do not apply to/within the same LAN subnet ( a layer two entity). In other words, within a LAN, you cannot block IPs from each other using FW rules ??? gotsprings; I block my vlan subnets the long way, i'd be curious of something shorter, i've...

eXS

eXS

It sounds like you have 2 dhcp servers serving up 192.168.1.0/24 ?

Why wouldn't wireless clients be able to get an IP address from the "fibre router" through the MT ? (bridge?)

eXS

Charge tenants more for their own dedicated SSID. Profit.

eXS

I'd never seen this message until after upgrading to 6.41.3 I didn't think much of it because it seemed related to a client disconnecting & choosing a different nearby AP. (1) second before the "own address as source" message being logged i see a client ~"disconnected, registered ...

eXS

Assign cases, not "that's the other problem"

1) Upgrade to 6.38.5 fixes the botnet scanner and removes it. <cite specific article>
2) Upgrade to 6.41.3 fixes SMB vulnerability. <cite specific article>

eXS

I can't be finding out about these issues by word of mouth or because it shows up on a news feed somewhere. Why doesn't Mikrotik have a site that actively lists established security concerns? People can't be expected to find this forum, this thread & drill halfway down through posts to find answ...

eXS

I think I found my answer on a public list of vulnerabilities, though it might not be complete: https://www.cvedetails.com/vendor/12508/Mikrotik.html I didn't even really know about those 6.38.5 vulnerabilities - although now that i think about it i recall the 2 page thread going back & forth r...

eXS

Maybe like this: ip fire fil add action=drop chain=forward dst-address=192.168.0.0/21 src-address=\ 192.168.0.0/21 This will block the batch from 192.168.0.0 to 192.168.7.254 in both directions, because whoever request a connection, other host have to reply. Does this not also block traffic between...

eXS

Being able to change the order of the columns would be really helpful, and make more visual sense in situations when reading left->right while utilizing lists.

eXS

Has anyone referenced "Step 3" @ http://www.tp-link.com/us/faq-691.html ?

Is it possible the DHCP lease time is too short, or TP-link IP address needs to be static @ the Mikrotik ?

eXS

Curious as to why the x4 has less RAM than the x2 ??

Anyone?

eXS

Not a huge amount of experience on this but as previously mentioned you could bridge ports & under the bridge options "[X] Use IP Firewall" - You may want to start off with turning STP off on the bridge -> Protocol Mode: "[x] none" - You may want to keep track of IP/Settings,...

eXS

Didn't realize you were using multiple NICs, would have suggested the same as here: https://forum.mikrotik.com/viewtopic.php?p=595412#p595412 I'm not sure if its windows or winbox, could be a tossup. The other day wireshark wouldn't detect wired (usb) or wireless NICs on a win10 laptop of mine, re-b...

eXS

If you are able to obtain the RB MAC address via Wireshark (under > "IEEE 802.3 Ethernet" -> "Source: Routerbo_*) - I would attempt to "Connect To <MAC ADDRESS>" - in Winbox

- There's no switch or anything in between, right?

eXS

I'm not sure if this is the same or not.. & i don't know the exact cause... I've had WinBox properly detect neighbor, but fail to connect many times via MAC (same as here) - and my solution was to essentially disable all other NICs in Windows except the one I wanted to connect on. (eventually, m...

eXS

I asked nearly the exact same question - how to TZSP packets on the last drop rules - and was promptly chastised & nearly got into an argument on the mikrotik channel on freenode. Whoever i was talking with acted like i was an idiot for asking, couldn't possibly understand the need, essentially ...

Search found 47 matches