Search found 22 matches

by petern
Mon Jul 29, 2019 11:12 am
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35924

Re: v6.45.2 [stable] is released!

at 6.45.1, gre tunnels stopped working. Redid all 15 routers on ip tunnels. 3 weeks after the release of 6.45.2, the ip tunnels stopped working .... Exactly the same here! Upgraded from 6.42.7 to 6.45.2 on a CCR1036 and all the GRE tunnels stopped working. Ok I know that the Mikrotik guys can't te...
by petern
Thu Jul 25, 2019 11:37 am
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35924

Re: v6.45.2 [stable] is released!

[*] it is possible to have two (or more) ROS versions installed in unit has flash storage with size of 64MB or more. In this case, one can partition flash to two halves and run different version of ROS in both partitions. If ROS crashes or fails to boot from one partition, it'll automatically try t...
by petern
Thu Jul 11, 2019 12:32 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 34032

Re: v6.44.5 [long-term] is released!

So i also can go from 6.44.3 (stable) to 6.44.5 (LT) without any major changes/problems ?
You can review the changes for 6.44.4 and 6.44.5 to determine if any of them will affect you?
by petern
Wed Jul 10, 2019 6:57 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 34032

Re: v6.44.5 [long-term] is released!

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
You have set strong-crypto=yes? I think it depends on that setting.
Yes strong-crypto=yes was already set.
by petern
Wed Jul 10, 2019 6:07 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 34032

Re: v6.44.5 [long-term] is released!

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
by petern
Tue Jul 02, 2019 5:08 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 70038

Re: v6.45.1 [stable] is released!

Can you be more verbose? "initiator" is a role of an IPsec peer, but there is no "initiator/responder" or "client/server" role related to GRE, both ends of the tunnel are sending no matter whether the remote end responds or not and no matter whether a corresponding IPsec policy is available or not,...
by petern
Mon May 13, 2019 2:02 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 3266

Re: v6.43.15 [long-term] is released!

Hmm, weren't the IPv6 route cache size fixes already in 6.43.14?
by petern
Fri Sep 28, 2018 6:11 pm
Forum: General
Topic: Routing Failover without Scripting
Replies: 3
Views: 559

Routing Failover without Scripting

I've been trying to set up routing failover by following information from here: https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting While the gateway-status of the Host1 route is reachable, the gateway-status of the default route via Host1 says "Host1 unreachable". 0 S...
by petern
Mon Sep 10, 2018 11:03 am
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 28887

Re: v6.43 [current] is released!

Sad to see this still here which is not good for anyone using radius to provide 2FA.
!) radius - use MS-CHAPv2 for "login" service authentication;
by petern
Tue Aug 28, 2018 11:16 am
Forum: General
Topic: BUG: CHR kernel panic - ESXi 6.5 using VMXNET3 network driver
Replies: 5
Views: 1236

Re: BUG: CHR kernel panic - ESXi 6.5 using VMXNET3 network driver

This is a bug in ESXi 6.5. It should be fixed by upgrading to 6.5 U1.
by petern
Thu Aug 23, 2018 1:24 pm
Forum: General
Topic: No layer7-protocol on ipv6?
Replies: 1
Views: 460

No layer7-protocol on ipv6?

I'm using layer7-protocol filtering on ipv4 and this is working fine, however it is not possible to use with ipv6 yet. Is this on the roadmap and likely to arrive in v6's lifetime?
by petern
Thu Aug 23, 2018 11:16 am
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30970

Re: v6.42.7 [current] is released!

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough :D We will try to find a balance. The issue is you need to provide a little more information please. Adding the CVSS score would be useful, along with information about mitigations (fi...
by petern
Sat Aug 11, 2018 12:33 am
Forum: General
Topic: CCR1036 - 50% cpu usage
Replies: 3
Views: 510

Re: CCR1036 - 50% cpu usage

Oh wow, that was quick, thanks. This makes sense, only a few weeks ago I changed one of the tunnels to be ikev2. For now I will switch back to ikev1. I suppose it will need a reboot to resolve the problem.
by petern
Fri Aug 10, 2018 11:54 pm
Forum: General
Topic: CCR1036 - 50% cpu usage
Replies: 3
Views: 510

CCR1036 - 50% cpu usage

I have a pair of CCR1036-12G-4S running for about a year now, running 6.40.8 with firmware 3.41. Today one of them is showing a constant 50% CPU usage instead of the normal 3-4%, but traffic levels are low, currently around 2-4Mbit/s and 500-1000 pps. /tool profile NAME CPU USAGE console 0% firewall...
by petern
Mon Aug 06, 2018 11:56 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 113454

Re: v6.43rc [release candidate] is released!

Hi, I'm also using PAP with radius for authentication to support 2FA logins. Using only chap is not helpful. Is feedback here taken on board or is there a more official way to get this heard?
by petern
Tue Jun 26, 2018 3:44 pm
Forum: General
Topic: IPSec error payload missing: ID_R
Replies: 6
Views: 3024

Re: IPSec error payload missing: ID_R

I'm getting the same error message connecting to a Checkpoint VPN. Did you find a resolution, digit?
by petern
Thu Jun 21, 2018 1:30 pm
Forum: General
Topic: Mikrotik to Checkpoint IPSec VPN
Replies: 0
Views: 398

Mikrotik to Checkpoint IPSec VPN

Hi, I'm looking to use a Mikrotik to connect to a Checkpoint (9.6(2)) IPSec VPN. The set up will be with dh-group 19 so I plan to use RouterOS 6.42.2 for this as bugfix does not have the ecc dh-groups. Anyone have positive/negative experience trying to tie these two together? I see a couple of negat...
by petern
Tue Feb 20, 2018 6:11 pm
Forum: General
Topic: Feature Request: Logging of all administrator user actions
Replies: 19
Views: 4192

Feature Request: Logging of all administrator user actions

Hi, Please could we have full command logging (with sensitive information preferably hidden) of actions performed by administrators. The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed. [This is not a key logger! ;...
by petern
Tue Feb 20, 2018 5:57 pm
Forum: General
Topic: Feature Request: Idle timeout for ssh/http(s)/winbox
Replies: 1
Views: 577

Feature Request: Idle timeout for ssh/http(s)/winbox

Hi,

Could we please have the ability to have user login sessions subject to a configurable idle timeout?

PCI DSS Requirements
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
by petern
Fri Jan 19, 2018 6:58 pm
Forum: General
Topic: Feature request - Diffie Hellman groups 19-21
Replies: 6
Views: 2060

Re: Feature request - Diffie Hellman groups 19-21

Great news! :-)

Thanks.
by petern
Wed Dec 13, 2017 6:04 pm
Forum: General
Topic: Feature request - Diffie Hellman groups 19-21
Replies: 6
Views: 2060

Re: Feature request - Diffie Hellman groups 19-21

I have a VPN requirement that specifies that DH19 must be used. Are these ECC modes ever likely to be available? Performance is not overly a concern as the data to be transmitted is only small.