MikroTik

vecernik87

If it is old RouterOS and you get "bad password" it means you have access to vulnerable winbox service. All you need to do is try the Proof of Concept: https://github.com/BasuCert/WinboxPoC It is really simple to use, all you need is python3 installed and IP/MAC of the device. Someone hacked your de...

vecernik87

Yes, it does count system as well.
If you need space just temporary, you can upload your files into root folder, not into "flash". Root folder is actually ramdisk, so it has much more space. However, it gets empty with each restart.

vecernik87

There is no defconf for this purpose. Easiest is to do /system reset-configuration no-defaults=yes WARNING! after this command, your router will restart, disable wifi and lose any IP and password will be blank again. You will need to connect via MAC (either from another mikrotik or with winbox) Then...

vecernik87

When updating from 6.43.2 to 6.43.4 one of my hAP ac2 logged this message (similar to message in this post after update to 6.43.4): oct/19 00:10:46 script,warning DefConf gen: Unable to find wireless interface(s) However all the configuration seems to be intact and this message is NOT logged on sub...

vecernik87

My first guess would be cable. If it is not cable, then second and third guess would be cable again. (or maybe connector) :D Cable can easily cause issues, especially when it is too long or damaged or near source of interference. Now, seriously: 95Mbps sounds exactly like your L1 stuck in 100Mbps ra...

vecernik87

I never opened mesh instead of IP. But every single time (sometime even twice in a row) I open IP instead of IPv6.

vecernik87

using VLAN interface in bridges may be dangerous: https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration. Especially if you include EOIP you can very easily end up with loops. From your description it is not really clear if you really have same MAC and what interfaces have same MAC. You can p...

vecernik87

@nichky Best would be to check your detailed logs from both server and client. There will be your "unknown" reason written. It is highly possible that you don't have enabled such logging, so you will need to add logging actions for topics "ipsec" and "l2tp" (one action for each topic) and once your ...

vecernik87

Not a bug: https://forum.mikrotik.com/viewtopic.php?f=21&t=139353&p=688546&hilit=speed%3D100Mbps#p688693 tl;dr: setting is not used if auto-negotiation is enabled . Before 6.43, default value was 100Mbps. Since 6.43 default value is 1Gbps. Export shows only difference between config and default valu...

vecernik87

That yellow marked text will limit your SRC-NAT to match (and translate) only non-IPsec outgoing traffic. There is no reason to do SRC-NAT on IPsec processed packets as they will likely have IP of the router itself.

vecernik87

@axe50397: I must apologize for my previous statement about heat... I realized that my GrooveA 52 has temperature sensor on PCB so I can relatively easy test these conditions.. After all it seems that my fear of overheating was too big and you should have no issues: 2018-10-17_1641.png 10:40 monitor...

vecernik87

Antenna gain directly depends on beamwidth. As the boat rotate (yaw,pitch,roll) your antenna must have enough beamwidth to cover all possible angles, otherwise it will drop your connection. You correctly decided that you need omnidirectional antenna because boat moves around anchor. (i.e. yaw is 0-3...

vecernik87

Me too. No issues at all:

2018-10-17_0748.png

Winbox 3.18 and RouterOS 6.40.2

If you can't connect, it might be infected device... these old versions are vulnerable so unless you have properly blocked access to its winbox/http services, anyone can gain access..

vecernik87

Not sure what is the connection with AP's in hotel room :lol: I guess (based on title of your post) you managed to submit your reply to incorrect thread. anyway, you are not first: https://forum.mikrotik.com/viewtopic.php?t=66469 There are more people who achieved more than 100% CCQ, but only this h...

vecernik87

Do you really need router with 10 ports and wifi? Wouldn't it be easier to have stuff nicely separated? i.e. have router for routing, switch for switching, AP for wifi? For example - router will be probably hidden somewhere. It will never be positioned properly to utilize wifi coverage as much as po...

vecernik87

If i understand it correctly, your government willingly distribute list of child porn websites? :lol: thats really twisted... Anyway, there is not much help unless there are specifications how is it supposed to be done. Typical and easiest way is to simply block DNS (or redirect DNS requests to some...

vecernik87

I think silently allowing jailbreak is the best solution. People who do that will be clearly aware they are doing some non-standard stuff which may or may not work. On the other hand, if we ask mikrotik to support "root", they would have to spend significant amount of resources to make it fool-proof...

vecernik87

what kind of speed test is it? If it is TCP based, how many paralel streams/connections? If only one, it might be the issue as such test is strongly affected by latency. Adding mangle rule is going to introduce slight delay as the packet must be processed in another block of code. Just to make sure ...

vecernik87

plenty of devices now have USB. It requires: - USB - admin access (username+password) so it is not really "vulnerability", just jailbreak (you own the device, you should be able to do whatever you want with it without limitations) You can't misuse it if you don't have admin access. (gonna try it onc...

vecernik87

I think you got almost everything sorted :) Just one note I forgot to mention earlier: There are many PoE standards (or proprietary solutions) and the difference is not just voltage (very common misconception). If you look for PoE phone and you want to daisy-chain it behind AP, it needs to be compat...

vecernik87

Almost correct. Only exception is IP-encapsulated data, which might be forwarded but due to the fact that encapsulation/decapsulation is done by router, encapsulated packet is actually generated/received by router and therefore encapsulated packet must go through input/output chain as well. This is ...

vecernik87

Is it even possible to do table updates in paralel mode without causing some other issues? Why would EVERY manufacturer end up with single-threaded BGP? I saw couple of research papers with experimental implementations of multithreaded BGP, but I am unaware of real implementation by any manufacturer...

vecernik87

I am aware of the fact that postrouting happens after both forward and output chains. But in this case, OP was asking specifically, which chain does his example go through, so I tried to stress out that his examples are not going through input/output chain. Apparently, I should express myself better...

vecernik87

Thanks Emils for quick response in both ticket reply and here. I really appreciate it. I will not pretend that I understand how that protocol works. I can only believe it really is secure against MITM. However, it feels like being against recommended way to secure the router: https://wiki.mikrotik.c...

vecernik87

@normis: thanks for quick reaction. I sent the email with pcap file and description. (And of course I accidentally made a typo in one sentence, where I wrote "plaintext password" instead of "plaintext username". I replied with another email explaining the mistake, please don't laugh too hard :( its ...

vecernik87

Thanks for info! I didnt know as there is "Changes in RouterOS v6" section, I somehow thought is up to date. (and I obviously totally missed note that there is new diagram.. all those years

)
Fortunately, answer is correct even according to new diagram

vecernik87

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow DST-NAT happens in PREROUTING chain which is matched by anything what comes into router. after DST-NAT happens and whole PREROUTING chain ends, it goes to "routing decision" which decide if it is INPUT or FORWARD. As the DST-IP does not match any of ...

vecernik87

Confirming with Winbox 3.18 and RoS 6.43.2 and 6.42.7 (I assume all versions are same)

Not sure if there is some interest in fixing it. Recent change of API caused both username AND PASSWORD to be plaintext which is obvious step backwards (or strong signal to use API-SSL instead of normal API)

vecernik87

Not exactly true. TX power expressed as 0dBm means TX power of 1mW. Yup, you are absolutely right, sorry for that misinformation. Not sure what I was thinking when I wrote it. Maybe I tried to simplify it too much. I was more thinking about the same SSID .... Unfortunately, we have this kind of use...

vecernik87

As I can see you masked your IP now, I will not share it but that also means other people will be unable to come up with some idea if they can't test it. Fact is that previously specified IP is reachable. Even now. If you are sure your device is disconnected (or at least it was disconnected when I o...

vecernik87

I dont see any mistake - it should work.. In addition, your IP is real-world-routable and when I try to ping it, it responds. I can even see open winbox port which is not good at all! You have no firewall rules and such device should not be connected to any untrusted network, especially when your ad...

vecernik87

Thats why I asked Maznu to give bit clearer description. I may not be a blind fanboy but I still believe you guys are doing your best and I find it hard to believe you would leave real reported vulnerability without reaction. If it is just flood attack which overwhelms router and cause restart due t...

vecernik87

Bit of experience: I have seen similar setup in The Sebel (Melbourne Docklands) - each room having own AP with SSID named according to room number. I can definitely recommend such decision as it delivered absolutely best wireless performance I have ever seen in hospitality business: https://www.spee...

vecernik87

Can you please share info about shop, where you got your device? Seems to me you were lured into purchase with incorrect info/specification promoted by your seller. If mikrotik say only "License level 3", it might be confusing for new customers. I fully agree with that. However, official product pag...

vecernik87

Excelent point! That was it!
I didnt really think this way - I expected that when packet-mark is unset, it will simply cover all packets (both marked and unmarked)
Really big thanks. With this knowledge, OP should have no issues to set up queues correctly.

vecernik87

@mducharme: are you sure it will work on interface which is bridged? I tried to set it up and it does not seem to be working (queues are enabled but counters do not increase and limiting does not occur): /interface bridge add fast-forward=no name=bridge-jac /interface bridge port add bridge=bridge-j...

vecernik87

...Meanwhile, I'm still waiting for MikroTik to confirm when Ticket#2018041622003823 (unauthenticated remote crash, does not require any management interface to be open to the attacker) will be fixed. I have no idea what vulnerability is it about and to be honest, I don't want to know. However, if ...

vecernik87

That sounds like fasttrack enabled :) Fasttracked connections are "fast" because they skip firewall, queues, etc... There are still some packets going through the slow way, but it is just small percentage. Due to that, you can't see whole "forward" traffic in your queue. Try to disable firewall rul...

vecernik87

I bet it would work if you exclude LAN range from dst-address in these mangle rules so internal communication does not get marked lan1/lan2

vecernik87

I am unsure but... what if you enable "use-ip-firewall" for those bridges? Thing is, that Simple queue is applied in input/postrouting, which is L3 (see packet flow diagram ). However, when you bridge two interfaces, it will be pure L2 connection. I haven't try that but maybe, maybe... it will work?...

vecernik87

It is not really vendor lock as the same passive POE is used by UBNT and few others. In addition, it is well described and you can practically make DIY injectors with couple of connectors and wires. This simplicity has some advantages. Despite saying that, I would also prefer universal support of 80...

vecernik87

Unfortunately, all these models with 16MB storage end up like this. Just system package alone takes 7.5MB of space, then you have all additional packages like wireless (2MB!), advanced tools, dhcp, routing, security etc etc... In order to get more storage, I usually replace default bundled package w...

vecernik87

@Wyz4k No. I should apologize. I didn't realize it will sound so aggressive. This is certainly about "feature requests". Sometime, requests are great. Sometime not - people submit them due to misunderstanding or lack of information. I just tried to correct some of your statements and I didn't mean t...

vecernik87

@mblfone: You should create separate topic about your routing/switching as it is unrelated to this RouterOS release. Anyway shortly said - CCR1016-12G is router, not switch. It does not have switch chip so you cant see "switch" button and it can't be listed among other switches on "switch chip featu...

vecernik87

1) unsecured graphing which can't be queried using a script anyway If IP whitelist is not enough, you can limit it to VPN via firewall. 2) have to run a 3rd party snmp server because there is no snmp server from Mikrotik Mikrotik has "The Dude" which works well enough as SNMP server. It is not mast...

vecernik87

@czfan: Based on provided description I expected that HEX is supposed to work only as L2 switch which will do the trunk-edge conversion. If he ended up with 4 vlans on Eth1, 4 Eth ports and 4 bridges (each bridge with one vlan and one port), then to me, it clearly signalizes that he wants to separat...

vecernik87

I might be completely wrong, but it seems to me that you are trying to achieve typical trunk-edge scenario with VLANs. (port 1 as trunk with all VLANs tagged and ports 2,3,4 and 5 as edge, each having single specific untagged VLAN) . If that is true, then you can be achieve your setting directly in ...

vecernik87

You should specify if you need Layer 2 or Layer 3 switch. (mikrotik makes only L2 switches) Usually, term "switch" is understood as L2 switch. On the other hand, unless you really need L2 features, it is more common to have L3 backbone network. Otherwise broadcasts might turn it into hell for you. S...

vecernik87

Did you try to boot itt up using backup bootloader?

https://wiki.mikrotik.com/wiki/Manual:R ... up_loaders

it is also possible to use the backup booter by turning on the device, with the RESET button pushed

vecernik87

sFlow requires HW support (switchchip / dedicated ASIC). They clearly state it in their overview. It can't be simply added with software update.

Search found 231 matches