Community discussions

by petern
Thu Jul 11, 2019 12:32 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 62
Views: 9216

Re: v6.44.5 [long-term] is released!

So I also can go from 6.44.3 (stable) to 6.44.5 (LT) without any major changes/problems?
You can review the changes for 6.44.4 and 6.44.5 to determine if any of them will affect you?
by petern
Wed Jul 10, 2019 6:57 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 62
Views: 9216

Re: v6.44.5 [long-term] is released!

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
You have set strong-crypto=yes? I think it depends on that setting.
Yes, strong-crypto=yes was already set.
by petern
Wed Jul 10, 2019 6:07 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 62
Views: 9216

Re: v6.44.5 [long-term] is released!

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
by petern
Tue Jul 02, 2019 5:08 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 55315

Re: v6.45.1 [stable] is released!

Can you be more verbose? "initiator" is a role of an IPsec peer, but there is no "initiator/responder" or "client/server" role related to GRE, both ends of the tunnel are sending no matter whether the remote end responds or not and no matter whether a corresponding IPsec policy is available or not,...
by petern
Mon May 13, 2019 2:02 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2744

Re: v6.43.15 [long-term] is released!

Hmm, weren't the IPv6 route cache size fixes already in 6.43.14?
by petern
Fri Sep 28, 2018 6:11 pm
Forum: General
Topic: Routing Failover without Scripting
Replies: 3
Views: 440

Routing Failover without Scripting

I've been trying to set up routing failover by following information from here: https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting While the gateway-status of the Host1 route is reachable, the gateway-status of the default route via Host1 says "Host1 unreachable". 0 S...
by petern
Mon Sep 10, 2018 11:03 am
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 26843

Re: v6.43 [current] is released!

Sad to see this still here which is not good for anyone using radius to provide 2FA.
!) radius - use MS-CHAPv2 for "login" service authentication;
by petern
Tue Aug 28, 2018 11:16 am
Forum: RouterOS v6 RC and v7 BETA
Topic: BUG: CHR kernel panic - ESXi 6.5 using VMXNET3 network driver
Replies: 5
Views: 1070

Re: BUG: CHR kernel panic - ESXi 6.5 using VMXNET3 network driver

This is a bug in ESXi 6.5. It should be fixed by upgrading to 6.5 U1.
by petern
Thu Aug 23, 2018 1:24 pm
Forum: General
Topic: No layer7-protocol on ipv6?
Replies: 1
Views: 387

No layer7-protocol on ipv6?

I'm using layer7-protocol filtering on ipv4 and this is working fine, however it is not possible to use with ipv6 yet. Is this on the roadmap and likely to arrive in v6's lifetime?
by petern
Thu Aug 23, 2018 11:16 am
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 29235

Re: v6.42.7 [current] is released!

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough :D We will try to find a balance.
The issue is you need to provide a little more information please. Adding the CVSS score would be useful, along with information about mitigations (fi...
by petern
Sat Aug 11, 2018 12:33 am
Forum: General
Topic: CCR1036 - 50% cpu usage
Replies: 3
Views: 443

Re: CCR1036 - 50% cpu usage

Oh wow, that was quick, thanks. This makes sense, only a few weeks ago I changed one of the tunnels to be ikev2. For now I will switch back to ikev1. I suppose it will need a reboot to resolve the problem.
by petern
Fri Aug 10, 2018 11:54 pm
Forum: General
Topic: CCR1036 - 50% cpu usage
Replies: 3
Views: 443

CCR1036 - 50% cpu usage

I have a pair of CCR1036-12G-4S running for about a year now, running 6.40.8 with firmware 3.41. Today one of them is showing a constant 50% CPU usage instead of the normal 3-4%, but traffic levels are low, currently around 2-4Mbit/s and 500-1000 pps. /tool profile NAME CPU USAGE console 0% firewall...
by petern
Mon Aug 06, 2018 11:56 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 107946

Re: v6.43rc [release candidate] is released!

Hi, I'm also using PAP with radius for authentication to support 2FA logins. Using only chap is not helpful. Is feedback here taken on board or is there a more official way to get this heard?
by petern
Tue Jun 26, 2018 3:44 pm
Forum: General
Topic: IPSec error payload missing: ID_R
Replies: 6
Views: 2496

Re: IPSec error payload missing: ID_R

I'm getting the same error message connecting to a Checkpoint VPN. Did you find a resolution, digit?
by petern
Thu Jun 21, 2018 1:30 pm
Forum: General
Topic: Mikrotik to Checkpoint IPSec VPN
Replies: 0
Views: 357

Mikrotik to Checkpoint IPSec VPN

Hi, I'm looking to use a Mikrotik to connect to a Checkpoint (9.6(2)) IPSec VPN. The set up will be with dh-group 19 so I plan to use RouterOS 6.42.2 for this as bugfix does not have the ecc dh-groups. Anyone have positive/negative experience trying to tie these two together? I see a couple of negat...
by petern
Tue Feb 20, 2018 6:11 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: Logging of all administrator user actions
Replies: 17
Views: 2478

Feature Request: Logging of all administrator user actions

Hi, Please could we have full command logging (with sensitive information preferably hidden) of actions performed by administrators. The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed. [This is not a key logger! ;...
by petern
Tue Feb 20, 2018 5:57 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: Idle timeout for ssh/http(s)/winbox
Replies: 1
Views: 505

Feature Request: Idle timeout for ssh/http(s)/winbox

Hi,

Could we please have the ability to have user login sessions subject to a configurable idle timeout?

PCI DSS Requirements
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
by petern
Wed Dec 13, 2017 6:04 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request - Diffie Hellman groups 19-21
Replies: 6
Views: 1884

Re: Feature request - Diffie Hellman groups 19-21

I have a VPN requirement that specifies that DH19 must be used. Are these ECC modes ever likely to be available? Performance is not overly a concern as the data to be transmitted is only small.