MikroTik

vecernik87

@msatter To me Tenable went public to soon. Absolutely agree, however, I wonder why would they do it... This is pure hypothesis : Maybe Tenable originally agreed to keep it secret for some period of time, but after they saw that the security fix was silently released as "improvement", they decided ...

vecernik87

@mkx: I don't think full detail disclosure is necessary. I even agree that it is not wise. (however that is what actually happened) All I ask, is having correct info in changelog which will at least give me info that it might be good to upgrade the router for security reasons. Given current situatio...

vecernik87

@anav Until then, all this rhetoric does is feed trolls --- don't become one ............... There is no troll feeding. @mrz admitted it was fixed so it is confirmed issue. (if there is not and issue, there wouldn't need to be a fix, right?) Page with CVE contains timeline which shows how fast it wa...

vecernik87

... I just finished reading and I am speechless... @op: thanks for sharing @mikrotik: seriously gents? This is not "improvements in connection handling to router with open winbox service" . This is another severe vulnerability! I don't actually mind that there was a vulnerability - stuff happens. Wh...

vecernik87

I think maybe I didn't state this entirely clearly.

Ohh! now it makes way more sense!

thanks heaps for this clarification! you really deserve cookies (or internetz or kudos or whatever currency you like)!

vecernik87

There was a version 6.42.5

vs

It is confirmed that this was another case of hacked router due to a insecure firewall configuration in combination with old RouterOS version

these two statements seems mutually exclusive.. how is that possible?

vecernik87

Personally, I would just run the sniffer which will give all answers: /tool sniffer start interface=ether1-uplink port=68 and after some time (look at logs and wait until you lose and reacquire your IP few times) /tool sniffer save file-name=dhcp.pcap /tool sniffer stop In the file, there will be DH...

vecernik87

"print" is just a list of entries. To get a full config, you need to use an "export" command:

/interface ethernet export
or
/interface ethernet poe export

(I don't have RB with poe available right now so I can't check which one is it)

vecernik87

/caps conf unset [find where name="somethingsomething"] datapath.local-forwarding

vecernik87

that is just syntax error: There is no "interface" parameter for simple queues. You can easily list all available parameters with "TAB" key: [admin@mikrotik] > /queue simple add {[PRESSED TAB KEY]} bucket-size burst-threshold comment disabled limit-at name parent priority time target burst-limit bur...

vecernik87

@ukracer : Well, this config is clearly default one. I wrongly assumed that you did the config reset with "no-defaults" as mentioned in the original text which you quoted: This can be easaly done by resetting the device with no default configuration: viewtopic.php?t=71522 If you start with some con...

vecernik87

@olivier2831: there is nice summary about the bypass function with pictures: https://forum.mikrotik.com/viewtopic.php?t=106092 It even mentions how the user applied bypass, to achieve WAN redundancy - I assume that is very similar to your case. Only single thing worth mentioning myself - if you get ...

vecernik87

@sob: good point. I automatically expected he talks about HTTP because the domain is completely irrelevant in ICMP and most other protocols. @vklpt: Nope. Layer7 communication starts AFTER the L4 is established. And NAT has to occur on first packet of connection. Even the definition of L7 matcher di...

vecernik87

True :( Unfortunately the "Home AP" or "Home AP dual" is not just pure AP but router+AP. This seems to be solved in the "WISP AP" which offers choice between "router" and "bridge" mode (and really adds everything into one bridge) Unfortunately it offers only 5G wifi config within quickset, so user h...

vecernik87

@macsrwe: gosh! I didnt know

i wrongly assumed that any inner instance of curly brackets will inherit all variables from outside.
Thanks for pointing that out. I didn't really want to use "global" variable to avoid messing with rest of system, but I guess there is not much choice, is there?

vecernik87

board looks way smaller than the case: http://km.mk/1533335167_12_mikrotik_rb4011_interbal_view.png From the picture it seems like 215mm, which means you can easily put two boards into one case, next to each other and it will nicely fit! If you believe there is such market potential (which I politel...

vecernik87

Not possible on router due to the way how TCP connection works: When the TCP connection is being established, there is not a single mention of domain/subdomain. So during that, router can't decide, whether it should redirect it or not. Once TCP connection is up and running, client sends HTTP request...

vecernik87

It is actually not that hard, as it may look. Basic knowledge of network is recommended. (I thought there is some basic manual on wiki but I couldn't find one... I assume you are asking for such simple questions that nobody ever thought to write it up...) Create Bridge - well, this literary says wha...

vecernik87

I knew it! It will happen!
... and then the rest of bugs I mentioned plzzzz

vecernik87

That's not true! I personally used MikroTik's OpenVPN over UTP... ... at least Cat 5E and Cat6, also S/FTP and possibly others, various 802.11something, even 10BASE2 coax, I think. And yes, I know it's childish joke. :) You owe me 15 minutes of my life! :D I was looking for post from Normis where h...

vecernik87

I checked it (hey, I practically memorized the whole thing) but dismissed it because it says "This is a workaround that allows to set-up policy routing in mangle chain output". If it is just a workaround, I guess it won't do proper routing decision. I mean - why would they run the same code twice, r...

vecernik87

IP scan does firstly ARP requests which are usually not blocked because that would deny a bit whole purpose of the network. I am sure if you do ARP ping, it will get replies as well, while normal ping won't. Personally, I am pretty confident this is usual Windows firewall issue - When you connected ...

vecernik87

That would make sense. Unless you define the queue (simple or tree) yourself, there won't be any. Personally, I had to always create it from scratch to suit my needs, and as far as I know, there are no predefined/defconf queues. However, even without queues, you can kind-of guess what OID will be us...

vecernik87

FIY, I tried to replicate it and there is following result: 6.42.7 - /queue simple print oid works 6.43.2 - /queue simple print oid works 6.43.8 - /queue simple print oid works 6.44beta61 - /queue simple print oid works All of them have practically same output which looks fine: [admin@mikrotik] > /q...

vecernik87

quoting OP: All platform released that !!!!! vs quoting article which OP linked: But sadly on the Linux front, the kernel bits still have yet to be mainlined. Windows client is still on its way but is taking a while due to writing a new TUN driver for Windows 7 and newer. lets summarize it: Specs ar...

vecernik87

I see.. so whole magic is, that iptables allow DST-NAT/REDIRECT action in OUTPUT chain which is apparently missing in RouterOS. I must admit that it sounds useful. Unfortunately, according to RouterOS' packet-flow diagram , OUTPUT chain happens straight before POSTROUTING, therefore after routing de...

vecernik87

https://wiki.mikrotik.com/wiki/Manual:Peripherals The MC7455 is not mentioned but there are other models (7430, 73xx, 7710 ...), which suggest there is possibility that 7455 will work as well, either as LTE interface or at least as PPP Similarly LM940 is not mentioned but LE910 is. Despite the fact ...

vecernik87

@heizer ... when will this new function be available? [i mean, out of beta]... its a bit OT, but since more people might be interested... It is not that significant improvement as it may seem. It works as an envelope command to usual ping and btest. These commands runs on background and speedtest ju...

vecernik87

I think it is more about the particular way of thinking, instead of how is it implemented: We assume that port scanners are bad, so we try hard to detect them and block them. Now, My way of thinking is this: if you don't have ports open (which you shouldn't have), why would you care about open ports...

vecernik87

@mkx: Interesting! similar happened to me when I tried to limit bandwidth to one particular port via switch menu! Whole unit was disconnecting on regular basis.. I guess the switch in RBD52G is not that good after all

vecernik87

using RAW for this kind of drops is very dangerous. keep in mind that attacker with spoofed address can easily add to the list important addresses like 8.8.8.8 or 1.1.1.1 And due to the fact it is in prerouting, it happens before connection tracking and therefore even connections initiated from your...

vecernik87

I thought that whole idea of CHR was to get rid of driver issues and implement only basic drivers for virtual interfaces...
(I mean thats why the original idea of x86 architecture is not recommended anymore)

vecernik87

I assume if managers/owners want to block something, it will be competition websites. Not porn

I mean... can you imagine hotel blocking porn? They would be doomed to bankrupcy from their very first day

vecernik87

@anav: this pony can kick really hard :lol: @mascrwe: good point! thank you. I actually haven't think this way and it might bite me in the ass later. fixed: /user group add name=temppolicy :local defpolicy [:tostr [/user group get temppolicy value-name=policy]] :local fullpolicy :for i from=0 to=([:...

vecernik87

@Anav is right - there is no buildin HA solution which would take care of everything. VRRP is good example of standartized HA functionality, but it takes care only of IP addresses. It does not sync config etc.. It is possible, to some extent, do almost full-blown HA by yourself with scripts which wi...

vecernik87

Mikrotik employees many times stated that they are not using built-in kernel module for TILE architecture. Instead, they are using their own module developed in cooperation with manufacturer of those CPU. Dropping TILE support from new kernel is not relevant to RouterOS.

vecernik87

And for those of us who have already been doing that for years with an initialization script, MikroTik has just made that even more difficult. :-( Not really. I implemented my init script this way before it was enforced: /user group set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,p...

vecernik87

gosh.. again.. https://forum.mikrotik.com/viewtopic.php?f=2&t=145278&p=714963#p714963 https://forum.mikrotik.com/viewtopic.php?f=2&t=145272&p=714906#p714906 We should start betting how many duplicates are gonna appear in upcoming month. And all that because of someone showing how to hack YOUR OWN ro...

vecernik87

I guess you are looking for this: https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Management_frame_protection However, I am not certain whether it will help since it is proprietary algorithm and is supported only by RouterOS devices. (To work, it must be supported by both AP and Client) Unf...

vecernik87

"Bad http response" sounds weird. It is like ROS received unexpected reply. Fortunately, this can be debugged very easily with packet sniffer. If you don't want to dig into that, you can just download the package manually: http://upgrade.mikrotik.com/routeros/6.43.12/routeros-x86-6.43.12.npk or stra...

vecernik87

That is true. ROMON frames are not forwarded by UNIFI. In terms of your magical "-200% packet loss" i have really simple explanation: You are pinging MAC address. Since you did not specify which interface you want to transmit, it will transmit on ALL interfaces. including bridged ethernets or vlans....

vecernik87

Did you at least have a look at the site? There is a link to free "lite" version: https://www.metageek.com/products/inssider/free/ If you want to see history of channel strength but don't want to pay, you can also go for old "home" version which was also free in the past and can be still downloaded ...

vecernik87

* Multiple connections between two devices, why is it limited to one? For example, how to monitor multiple physical etherchannel connections? @Masyanich I have solved this by using "static" element(s) between two devices. That way I can do non-straight lines as well as multiple lines between two de...

vecernik87

@sebastia: rp-filter=strict is not a defence against bogons coming from WAN because, you most likely have 0.0.0.0/0 route there, which will give a green light to any bogon.... @shujanster: we don't want to use drop everything in input. That isn't good approach and I would strongly recommend to recon...

vecernik87

here we go... :) So maybe, just maybe, the ISP is billing more than you really consume... can you find exact billing conditions? what is the smallest billing unit? If your packets are small and sporadic, while smallest billing unit is large enough, then each packet can be billed in separate unit whi...

vecernik87

Another RB1100AHx4 rebooted tonight. ... I need comments from Mikrotik team what we need to do. I always get comment from their support. After crash, there is autosupout.rif file... all you need to do is send it to them and describe your situation. They will likely find the issue and either tell yo...

vecernik87

wow, I don't want to see the interference produced by 1Gbit flowing via non-twisted and non-shielded wiring...
How is it possible that these things even get certification? https://www.youtube.com/watch?v=kyYeTWHUnUk

vecernik87

That sounds like usual hotel scenario for AP+Phone for each room with extra step... Are you sure that those "48 routers" are necessary? Are they gonna work only as PoE splitters and switches or will it really have some routing task? fiy - for example CAP ac can do poe-out (passive only!) so if your ...

vecernik87

This is very long-shot guess but based on the comment in config, I understand your Ether2 might have something to do with VLAN .. can you confirm/deny whether Ether2 receives (and passes to the bridge) tagged frames? If there are VLAN tags involved, where do you add/strip tags? I think that might ch...

vecernik87

I knew the answer would eventually surface! I wrote it earlier but I guess bad words were chosen - I did not specifically mention how to create the static interface, despite the fact I had it in mind the whole time. Anyway, I am happy that it helped at least you :) hopefully @JordanR will confirm t...

Search found 460 matches