Community discussions

Search found 231 matches

by anav
Tue Apr 24, 2018 5:35 am
Forum: Beginner Basics
Topic: Help! Bandwidth Limit Per Interface
Replies: 4
Views: 123

Re: Help! Bandwidth Limit Per Interface

Below is a very good starting point

http://bfy.tw/HAbM
Haha, very entertaining now please explain the token diagram so that I can understand it LOL.
The more I read about how to program queuing, the more I need to drink!! One day, I will brave the waters...............
by anav
Tue Apr 24, 2018 12:33 am
Forum: Beginner Basics
Topic: Port forwarding - please help !
Replies: 20
Views: 557

Re: Port forwarding - please help !

What I find weird is only creating the one rule. On my current router one made a port forward rule (from incoming interface (specific WAN interface) for specific port(s)/service(s) to a specific LANIP. Then a separate FW rule to allow same traffic but delineating the Source IP(s) allowed and destina...
by anav
Tue Apr 24, 2018 12:22 am
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port
Replies: 128
Views: 28119

Re: Advisory: Vulnerability exploiting the Winbox port

I am too new to have discovered or researched netinstall or dude. I did buy and install an SD card which I believe is needed for dude.......
That's fine if there is a way but I would expect MIKROTIK to publish a specific how to for this episode.
by anav
Mon Apr 23, 2018 10:49 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port
Replies: 128
Views: 28119

Re: Advisory: Vulnerability exploiting the Winbox port

ok, so it seems that the proper firewall rules, dropping winbox and ssh connections from outside my trusted network - saves me for now from big f*up? Not necessarily. If you had left your router open previously how do you know your device is not full of crapware. In other words, the correct thing t...
by anav
Mon Apr 23, 2018 8:57 pm
Forum: Beginner Basics
Topic: Disallow unknown logins from internet access
Replies: 8
Views: 318

Re: Disallow unknown logins from internet access

Suggest use VPN to access the router from external and then use Winbox from the internal side only to do the rest.
by anav
Mon Apr 23, 2018 8:56 pm
Forum: Beginner Basics
Topic: IP Isolation
Replies: 2
Views: 56

Re: IP Isolation

Do you want single user access to single user access blocked or was that only an example and you want the TWO LANS to be isolated from each other. If the latter, the rules implemented above won't work if they are all on the same LAN interface list from my limited understanding. The IP firewall rules ...
by anav
Mon Apr 23, 2018 5:46 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port
Replies: 128
Views: 28119

Re: Advisory: Vulnerability exploiting the Winbox port

The point being is that it appears there are folks out there that seem to understand how this router is coded from the ground up. So either the entire code has been compromised (stolen) or a former employee is disgruntled and is enacting revenge or a current employee is a criminal. I favour the latt...
by anav
Mon Apr 23, 2018 3:57 pm
Forum: Beginner Basics
Topic: WiFi comparison between hAP ac2 and hAP ac
Replies: 4
Views: 185

Re: WiFi comparison between hAP ac2 and hAP ac

Wrong forum, use the wireless forum.
by anav
Mon Apr 23, 2018 3:55 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port
Replies: 128
Views: 28119

Re: Advisory: Vulnerability exploiting the Winbox port

I just added to input specific src address who can access to winbox. I hope it's enough. + Rest input ports will be dropped If one does not have a specific FW rule ALLOWING EXTERNAL to INTERNAL access for the Winbox, then one should not be concerned as the default rules block WAN to LAN traffic, as...
by anav
Mon Apr 23, 2018 3:32 pm
Forum: Beginner Basics
Topic: Load balancing with fail over (again)
Replies: 9
Views: 340

Re: Load balancing with fail over (again)

LAN1 Destination 0.0.0.0 Gateway IP (IP address from ISP1 (not WANIP)) CheckGateway: Ping, Distance = 1 Routing Mark - LAN1_Traffic Destination 0.0.0.0 Gateway IP (IP address from ISP2 (not WANIP)) CheckGateway: Ping, Distance = 2 Routing Mark - LAN1_Traffic LAN2 Destination 0.0.0.0 Gateway IP (IP ...
by anav
Mon Apr 23, 2018 3:26 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port
Replies: 128
Views: 28119

Re: Advisory: Vulnerability exploiting the Winbox port

Concur this is a serious issue and glad Mikrotik is addressing it promptly. However it appears, (not 100% sure) that the failure by an admin to ensure WINBOX is not accessible from the outside is what allows this exploit to be used. Most experienced admins would use vpn to access the router and then...
by anav
Mon Apr 23, 2018 12:06 am
Forum: Beginner Basics
Topic: Load balancing with fail over (again)
Replies: 9
Views: 340

Re: Load balancing with fail over (again)

So basic no load balancing but a. strict routing LAN1 to WAN1 B. LAN2 to WAN2 And failover in case one or the other fails, the other can be used. Perhaps mark routing prerouting IN-Interface LAN, source address list (create 192.168.xx.2-192.168.xx.254) action mark routing new mark LAN1_Traffic mark ...
by anav
Sat Apr 21, 2018 6:57 pm
Forum: Beginner Basics
Topic: 2 WAN same ip to 2 LAN help please
Replies: 14
Views: 361

Re: 2 WAN same ip to 2 LAN help please

What kind of bizarro ISP gives a person two WANs with the same WANIP?
Confused? Is that even legal?
by anav
Sat Apr 21, 2018 6:50 pm
Forum: Beginner Basics
Topic: Mikrotik vulnerability
Replies: 16
Views: 912

Re: Mikrotik vulnerability

True enough SOB, but for the lower levers one may easily assume WINBOX is secure enough. This assumption appears false. The fact that there is obviously some sort of bug that allows such a targeted penetration very quickly, so much so it looks like they can do it at will is very alarming. I have not...
by anav
Sat Apr 21, 2018 6:45 pm
Forum: General
Topic: winbox vulnerable! Unusual login to routers [SOLVED]
Replies: 44
Views: 4183

Re: winbox vulnerable! Unusual login to routers [SOLVED]

Do we even know if mikrotik closed this door with 6.42???
by anav
Sat Apr 21, 2018 6:40 pm
Forum: Beginner Basics
Topic: Please Help: Multiple Networks set Up on Mikrotik [SOLVED]
Replies: 14
Views: 404

Re: Please Help: Multiple Networks set Up on Mikrotik [SOLVED]

I am confused by the diagram. Are you saying that you are behind a router? A WANIP of 192.168.1.x tells me that you are getting an IP from a private router already and the double nat scenario may be horrific??? In any case that should not change as indicated everything behind the router and it shoul...
by anav
Sat Apr 21, 2018 6:17 pm
Forum: Beginner Basics
Topic: Port forwarding on non-interface IP
Replies: 4
Views: 139

Re: Port forwarding on non-interface IP

I am confused by past experience. Typically, one takes the first or ONE of the block of IPs and assigns it to the router. Practically speaking this is for the purposes of establishing a clear WAN to LAN relationship when one has one or more LANs they would like to have private. The other block of IP...
by anav
Sat Apr 21, 2018 6:10 pm
Forum: Beginner Basics
Topic: Mikrotik vulnerability
Replies: 16
Views: 912

Re: Mikrotik vulnerability

On which version did you have an original problem? Sounds like the problem which was already resolved a long time ago and recently there was a special announcement from Mikrotik team about that. If I remember correctly then versions before 6.38.5 were affected. This! We don't have enough information f...
by anav
Sat Apr 21, 2018 6:07 pm
Forum: Beginner Basics
Topic: Load balancing with fail over (again)
Replies: 9
Views: 340

Re: Load balancing with fail over (again)

So to be clear, which is true: 1. you want both LANS to use WAN 2, ONLY if WAN1 is unavailable? 2. you only want Lan1 to only use WAN1 and LAN2 to only use Wan 2? 3. You want both LANS to access either WAN, based on a per session basis - taking turns? (regardless of where the request is coming from,...
by anav
Sat Apr 21, 2018 5:55 pm
Forum: Beginner Basics
Topic: Mikrotik vulnerability
Replies: 16
Views: 912

Re: Mikrotik vulnerability

You should not allow login to your router from the internet! Fix your firewall configuration... What if I need ability to login to router from any random address (travelling admin)? Shouldn't non-standard username and super-strong password be secure enough? Disabling everything might be secure, but...
by anav
Sat Apr 21, 2018 5:51 pm
Forum: Beginner Basics
Topic: Mikrotik vulnerability
Replies: 16
Views: 912

Re: Mikrotik vulnerability

Perhaps mikrotik should consider building in the use of a rolling code device that works with winbox. Businesses are now using this (rolling code device or RSA app for example, for protection on local within the premises computers and VPN for any external access. Not providing at least the above for...
by anav
Fri Apr 20, 2018 3:10 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 128
Views: 9999

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

I am starting to suspect it's a wifi chip problem and the delay for us is the discussion, err raging debate between Mikrotik and the chip vendor. (Which is not our business - but does prevent Mikrotik from saying much until there is a definite path forward - which could be a product recall and a move...
by anav
Mon Apr 16, 2018 11:41 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 128
Views: 9999

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Waiting patiently for good news before making the plunge. Should I instead start a crowd fund me page to buy some other products ubiquitous with satisfied customers? ;-)
by anav
Mon Apr 16, 2018 5:22 am
Forum: Announcements
Topic: Dual band AP for home use, SSID same or different?
Replies: 62
Views: 23699

Re: Dual band AP for home use, SSID same or different?

I am the perfect candidate. I should be a beta tester for mikrotik LOL. New to mikrotik learning to program the hex and wanting to add a touch of security to my home scenario. I have a mix of android boxes, nintendo, appleTV, multiple brand Wifi routers acting as AP/switches, need for guest wifi, Ne...
by anav
Sat Apr 14, 2018 9:54 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request - DNSCrypt support...
Replies: 95
Views: 23818

Re: Feature request - DNSCrypt support...

Well that problem got resolved... funny how things turn out in completely unexpected ways... wait, no... https://www.reddit.com/r/linux/comments/7owb1s/psa_dnscrypt_is_now_abandoned/ Don't look so sad there Mr Coyote......... In any case one has to follow standards, the RFC bouncing ball. :-) By t...
by anav
Sat Apr 14, 2018 7:26 pm
Forum: Wireless Networking
Topic: Mikrotik CAP AC Performance Review
Replies: 30
Views: 2417

Re: Mikrotik CAP AC Performance Review

Kerbia, if nothing else is changed ref the physical aspect of the device (round vs square) would it be better if this metal ring was not attached upon delivery. In other words, the purchaser would be better off deciding on which cover desired and then attach or add this metal ring??
by anav
Mon Apr 09, 2018 6:03 pm
Forum: Beginner Basics
Topic: I want my Mikrotik to use external DNS but with non-standard Port 53
Replies: 12
Views: 429

Re: I want my Mikrotik to use external DNS but with non-standard Port 53

Too funny mkx, you are asking BARTOZ about rules somebody else (poizzon) posted. It seems clear that piozzon was just listing the two often cited/recommended addresses for OPEN DNS. In case the first one was not available the traffic could be sent to the second is I suppose the thinking. The right qu...
by anav
Sun Apr 08, 2018 4:18 am
Forum: Beginner Basics
Topic: downgrading version
Replies: 3
Views: 171

Re: downgrading version

I think you missed the technology train. One is generally not supposed to go back to lesser capable or lesser safe software.............
Why don't you start from defaults...............
by anav
Thu Apr 05, 2018 3:04 pm
Forum: Beginner Basics
Topic: Queue tree beginner's question
Replies: 7
Views: 285

Re: Queue tree beginner's question

Strange ISPs you have in the UK, here they are 150 down and 50 up, as a typical throughput and thus my upload is more limited than my download LOL. Is live streaming or streaming netflix an UPLOAD action??? I mean not everyone is serving up,,,,,,,,,, and I say the majority are downloading, so I don't...
by anav
Thu Apr 05, 2018 5:22 am
Forum: Beginner Basics
Topic: Queue tree beginner's question
Replies: 7
Views: 285

Re: Queue tree beginner's question

Assuming this is upload? Couple of points to mention. If you are doing prioritisation, you don't "really" need to use limits as you are passing off potential spare bandwidth when limits aren't being hit. Max-Limit is max speed you want to go at, limit-at is the amount you don't want speed reducing ...
by anav
Tue Apr 03, 2018 10:41 pm
Forum: General
Topic: Secure DNS client
Replies: 3
Views: 257

Re: Secure DNS client

With the recent posts about 1.1.1.1 and both DNS over TLS and HTTPS, I was actually disappointed that I could not invoke them on the Mikrotik already.
It seems others already have................... https://www.chameth.com/2017/12/17/dns- ... uter-lite/
by anav
Mon Apr 02, 2018 4:41 am
Forum: General
Topic: DST-NAT over two Gateways
Replies: 14
Views: 1338

Re: DST-NAT over two Gateways

Thanks SOB learned something new!
So one cannot Port Forward using Two ISPs in a fail over scenario, but one can when load balancing??
by anav
Sun Apr 01, 2018 5:52 pm
Forum: Beginner Basics
Topic: WAN IP leak
Replies: 12
Views: 509

Re: WAN IP leak

Well make a more direct mangle rule....
all traffic from 10.30.2.5 going to Ether1 Gateway mark.
Route traffic to pfsense.


See if that more direct angle works.........
by anav
Sun Apr 01, 2018 5:02 am
Forum: Beginner Basics
Topic: Odds and Ends To Finish Setup
Replies: 15
Views: 467

Re: Odds and Ends To Finish Setup

Thanks mkx. Moral of the story is use FW rules to ensure separation between interfaces, vlans etc...........
by anav
Sun Apr 01, 2018 5:00 am
Forum: Beginner Basics
Topic: Team Speak 3 Port Opening [SOLVED]
Replies: 13
Views: 437

Re: Team Speak 3 Port Opening [SOLVED]

Okay thanks, I was looking for legitimate reasons for hairpin nat other than being lazy LOL........
by anav
Sat Mar 31, 2018 7:43 pm
Forum: Beginner Basics
Topic: Team Speak 3 Port Opening [SOLVED]
Replies: 13
Views: 437

Re: Team Speak 3 Port Opening [SOLVED]

As I will repeat, if on the LAN use the LANIP to get connect to a server. Why try to do loopback or hairpin nat it adds too much complexity for little value. If I want to see if something is working I use a friend from the outside world,,,,,,,,,, it's a good thing!! PS steve you are really slow answ...
by anav
Sat Mar 31, 2018 7:30 pm
Forum: General
Topic: DST-NAT over two Gateways
Replies: 14
Views: 1338

Re: DST-NAT over two Gateways

As per usual the lack of clarity makes it hard to understand what is being asked or explained. The OP has two ADSL connections (two WAN ports). Load Balancing between the two connections is not required, so a more typical USE WAN2 only if WAN1 fails etc.............. should suffice, To me this is a ...
by anav
Sat Mar 31, 2018 7:05 pm
Forum: Beginner Basics
Topic: Odds and Ends To Finish Setup
Replies: 15
Views: 467

Re: Odds and Ends To Finish Setup

I am a bit confused, I thought traffic through a vLAN was already segmented from other vlans and the host network the VLAN was running on. Hence if I attach VLAN15 to my home lan, that traffic is secure from host lan traffic or other vlan traffic. If I simply route the VLAN traffic to the internet,...
by anav
Sat Mar 31, 2018 4:34 pm
Forum: Beginner Basics
Topic: Odds and Ends To Finish Setup
Replies: 15
Views: 467

Re: Odds and Ends To Finish Setup

Okay MX, I get it, separate interface is required (separate bridge and separate LAN) would do the trick for badboys. You tweaked my interest when you said VLAN, If I could put badboys on a VLAN running as a separate tunnel on the same lan host network would that do the trick? Would that isolate them...
by anav
Sat Mar 31, 2018 2:19 pm
Forum: Beginner Basics
Topic: Odds and Ends To Finish Setup
Replies: 15
Views: 467

Re: Odds and Ends To Finish Setup

So if I mangle all their traffic and route it to the internet, they would still be able to reach other devices on the LAN??
by anav
Sat Mar 31, 2018 6:31 am
Forum: Beginner Basics
Topic: Odds and Ends To Finish Setup
Replies: 15
Views: 467

Re: Odds and Ends To Finish Setup

Okay so how do I block lan device to lan device connectivity for devices on same LAN??
In other words only allow them internet access I suppose??
(and remember the devices I want isolated are identified in an address list)
by anav
Sat Mar 31, 2018 6:10 am
Forum: General
Topic: Hex port isolation
Replies: 5
Views: 224

Re: Hex port isolation

Assigning each interface/port as a different bridge isolates them I thought???
by anav
Sat Mar 31, 2018 6:02 am
Forum: Beginner Basics
Topic: How to combine and load balance 3 pppoe in routerboard RB750r2 (hEX lite)
Replies: 4
Views: 186

Re: How to combine and load balance 3 pppoe in routerboard RB750r2 (hEX lite)

The diagram helps clarify for sure but unless the RB750 can magically bond three separate Public IPs from the provider, then my suggestions still stand. (I believe the ISP router has to be working with the RB750 to affect bonding, is this possible with your ISP?) I think all you can hope for is 3 in...
by anav
Sat Mar 31, 2018 3:26 am
Forum: Beginner Basics
Topic: Odds and Ends To Finish Setup
Replies: 15
Views: 467

Re: Odds and Ends To Finish Setup

Okay the ip address list has been converted for leases via vba macro all is good! Now applying firewall rules is next. Requirements 1. Block LAN1 to DMZ (in effect block Home_bridge access to DMZ-bridge) 2. Block DMZ to LAN1 (in effect block DMZ-bridge to Home_bridge). Given I have an address list c...
by anav
Sat Mar 31, 2018 12:44 am
Forum: Beginner Basics
Topic: Forward route
Replies: 59
Views: 1402

Re: Forward route

I would assume it's set correctly ie the mikrotik router for all outgoing connections to ISP1 has masquerade applied. Not sure how the 10.30.2.0 packets are getting confused in the mix though.......... I read something about preventing packets leaking out of the LAN but cannot remember where............
by anav
Fri Mar 30, 2018 11:46 pm
Forum: Beginner Basics
Topic: Forward route
Replies: 59
Views: 1402

Re: Forward route

Try narrowing down the mangle rule to 10.30.2.5
although it's probably some other cockup in the rules maybe a srcnat situation ???
by anav
Fri Mar 30, 2018 11:04 pm
Forum: Beginner Basics
Topic: Forward route
Replies: 59
Views: 1402

Re: Forward route

Traffic from where is going out the mikrotik??
Are you sure the source is 10.30.2.5
Are you sure this is not lan traffic leaking out the mikrotik or is it traffic intended for the internet??
by anav
Fri Mar 30, 2018 10:42 pm
Forum: Wireless Networking
Topic: Optimal Hardware, Outdoor 1/4mile
Replies: 4
Views: 242

Re: Optimal Hardware, Outdoor 1/4mile

Haiko you are quite right. Best bang for the buck needs to be clarified. Single PC in remote location to connect to an existing network in order to access a database at the location with internet, and in order to browse the internet, send emails etc..... Not a server farm LOL. In summary, ferrari no...
by anav
Fri Mar 30, 2018 9:42 pm
Forum: Beginner Basics
Topic: Forward route
Replies: 59
Views: 1402

Re: Forward route

Thanks, the seas have parted, I am going to cross the ocean bottom to the promised land to MT programming. I hope you can see where I was uncertain................. In your diagram you explicitly stated that 10.30.2.5 internet traffic had to go via the PFSENSE unit but there was no mention of the 10...
by anav
Fri Mar 30, 2018 8:57 pm
Forum: Beginner Basics
Topic: Forward route
Replies: 59
Views: 1402

Re: Forward route

You didn't answer the question directly XCOM. What I needed to hear was a. all non-local traffic from the 10.30.2.0 network (regardless if from 10.30.2.4 or 10.30.2.5) ie needs to go to the internet shall get routed to the PFSENSE device (for eventual TX thru ISP2) b. no traffic from 10.30.2.0 networ...