Community discussions

Search found 144 matches

by squeeze
Tue Oct 23, 2018 4:30 pm
Forum: Beginner Basics
Topic: CAKE or other network algorithms to be used?
Replies: 2
Views: 280

Re: CAKE or other network algorithms to be used?

Mikrotik RouterOS has no modern AQM (Active Queue Management), i.e. modern network queue scheduling algorithms support, unfortunately. RouterOS only supports ancient RED (Random Early Drop) which is magnitudes less effective than modern algorithms and also requires careful tuning to be of any real u...
by squeeze
Thu Aug 30, 2018 12:08 pm
Forum: Wireless Networking
Topic: hAP AC^2 - slow wifi
Replies: 8
Views: 736

Re: hAP AC^2 - slow wifi

You are using an overlapping channel on 2GHz. 2442 MHz = Channel #7. There are only three non-overlapping channels: #1 (2412 MHz), #6 (2437 MHz), #11 (2462 MHz). Choose one after using a WiFi analyzer app to check neighboring channels, to ensure you do not use the same channel as the closest APs. Al...
by squeeze
Sat Aug 25, 2018 8:07 pm
Forum: Beginner Basics
Topic: hAP ac slow ethernet
Replies: 3
Views: 373

Re: hAP ac slow ethernet

Try,

/interface bridge set bridge protocol-mode=none
by squeeze
Sun Aug 12, 2018 12:58 pm
Forum: General
Topic: Best VPN
Replies: 20
Views: 7781

Re: Best VPN

PureVPN is one of the worst possible VPNs you can choose if you care about security and privacy since they are infamous for logging and leaks. I do not understand why people simply do not google a potential new service or product they want to use and type "productservicename bad" / "productservicena...
by squeeze
Sun Aug 05, 2018 2:55 pm
Forum: Wireless Networking
Topic: PMKID Attack - clientless WPA2/WPA PSK attack
Replies: 6
Views: 1937

PMKID Attack - clientless WPA2/WPA PSK attack

In the past 24h, there has been public information released in the Hashcat forums by one of their administrators of an improvement on brute force, offline dictionary attacks against WPA/WPA2 PSK (Pre-Shared Key) passwords. The specific improvement is that this can take place without the presence of ...
by squeeze
Thu Jul 19, 2018 8:44 pm
Forum: Wireless Networking
Topic: HAP-AC DFS channels
Replies: 1
Views: 309

Re: HAP-AC DFS channels

There are no DFS channels available with the US versions of wireless Mikrotik products. It is hardware locked so I suspect even going out of your way to install other firmware like LEDE will not work. It is also explicitly stated in the product specifications on the Mikrotik website since they list t...
by squeeze
Fri Jul 13, 2018 12:34 pm
Forum: Wireless Networking
Topic: Cap AC, Hap AC2 or UniFi?
Replies: 6
Views: 1764

Re: Cap AC, Hap AC2 or UniFi?

Completely agree with Steve. There are far better (non-point to point) wireless options than Mikrotik.
by squeeze
Fri Jul 06, 2018 6:46 pm
Forum: Beginner Basics
Topic: Google Fiber + Mikrotik hEX
Replies: 3
Views: 437

Re: Google Fiber + Mikrotik hEX

People are probably confused because with the default configuration, it should already just work. The default configuration on SOHO devices is plug and play. There should be a single bridge containing ports 2-5. The bridge should have a dhcp server for 192.168.88.x. The firewall should forward all t...
by squeeze
Tue Jul 03, 2018 2:55 pm
Forum: General
Topic: Untagged VLAN Access port on hEX
Replies: 7
Views: 742

Re: Untagged VLAN Access port on hEX

/interface bridge vlan
add bridge=bridge untagged=bridge,ether5 vlan-ids=10
by squeeze
Mon Jul 02, 2018 5:38 pm
Forum: General
Topic: Full control of DHCP Options
Replies: 3
Views: 254

Re: Full control of DHCP Options

Completely different options and order can be and are sent by different types of DHCP clients. So much so that they can be used for fingerprinting. If such behavior is described in an RFC, then it is a very loose one and therefore not relevant for control of these options.
by squeeze
Mon Jul 02, 2018 4:44 pm
Forum: General
Topic: Full control of DHCP Options
Replies: 3
Views: 254

Full control of DHCP Options

https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client States the following options are sent by the RouterOS DHCP Client: option 1 - SUBNET_MASK, option 3 - GATEWAY_LIST, option 6 - TAG_DNS_LIST, option 33 - STATIC_ROUTE, option 42 - NTP_LIST, option 121 - CLASSLESS_ROUTE, Can these be overridden, rem...
by squeeze
Sun Jul 01, 2018 1:35 pm
Forum: Beginner Basics
Topic: hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags
Replies: 10
Views: 738

Re: hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags

hEX: Why are you using dhcp-relay? Do not add VLAN interfaces, which are logical interfaces, to bridge ports. They are meant only for physical interfaces. Do not add VLAN interfaces to bridge vlan interfaces ("untagged=VLAN140"). Again use physical interfaces only, except for the bridge interface itse...
by squeeze
Sat Jun 30, 2018 2:02 pm
Forum: Beginner Basics
Topic: hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags
Replies: 10
Views: 738

Re: hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags

Why do you have a DHCP relay and why do you have DNS server (remote requests + cache) enabled on the AP? On the AP, try adding a DHCP Client with interface set to the bridge and add ether1 as a bridge port too since there is no routing. Remember to change the list member of ether1 from WAN to LAN too.
by squeeze
Thu Jun 28, 2018 4:36 pm
Forum: General
Topic: Memory (RAM) used per NAT connection under Connection Tracking
Replies: 0
Views: 137

Memory (RAM) used per NAT connection under Connection Tracking

When Connection Tracking is enabled, IPv4 only (IPv6 disabled), and assume there is at least one non-FastTrack'd firewall filter rule enabled, how much RAM does adding a single (srcnat/masqueraded) connection consume? Are there any other significant resources consumed that scale with connections and...
by squeeze
Wed Jun 27, 2018 11:34 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 10
Views: 5299

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

Looks like very good news from upstream and others regarding WPA3, from customer perspective: https://www.snbforums.com/threads/better-news-about-wpa3-device-support.47434/ Quoting: The WPA3 Certification announced yesterday revealed that only one of the four mechanisms described when WPA3 was first...
by squeeze
Wed Jun 27, 2018 3:42 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 10
Views: 5299

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

The big question is how long will it take Mikrotik to implement WPA3? We have no 802.11ac spectral scan, no 5 GHz TX power, no Wave2 support, no 802.11w support.. there are lots of other wireless protocol improvements that have been missing for a long time. I must be missing something: there's dual...
by squeeze
Wed Jun 27, 2018 3:03 am
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 10
Views: 5299

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

https://www.mathyvanhoef.com/2018/06/wpa3-missed-opportunity.html Well, that's disappointing. WPA3 Certification consists of a grand total of one change to existing handshake called Simultaneous Authentication of Equals (SAE) instead of what most people anticipated as a wholesale dramatic improvemen...
by squeeze
Thu Jun 21, 2018 1:09 am
Forum: General
Topic: getting ip from mikrotik VLAN for ubiquiti UAP
Replies: 7
Views: 524

Re: getting ip from mikrotik VLAN for ubiquiti UAP

Does that mean, in general, if you only have one trunk line and no managed switch that you will need to have a Mikrotik device that supports hybrid ports (afaik only QCA8337, AR8327 switch chips) in order to setup a management VLAN interface on Ubiquiti Unifi access points (APs), assuming you may en...
by squeeze
Thu Jun 21, 2018 12:53 am
Forum: General
Topic: HAP ac ipsec HW acceleration
Replies: 2
Views: 428

Re: HAP ac ipsec HW acceleration

What IPSEC hardware acceleration? There's no mention of that in either hAP ac product's Test Results or the QCA9558 datasheet.
by squeeze
Sun Jun 17, 2018 3:57 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 61225

Re: VPNfilter official statement

The recent large security redesigns flowed from the April 0-day. Normis even explicitly stated it, so you are discussing nothing new: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
by squeeze
Sun Jun 17, 2018 3:22 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 61225

Re: VPNfilter official statement

In other news, if I understand this correctly, ALL versions pre-6.43 (which is still in Release Candidate stage) are vulnerable to this 0-day WinBox exploit? What are you talking about? What 0-day? There hasn't been a public 0-day since Bugfix 6.40.8, Release 6.42.1, Release Candidate 6.43rc4, all ...
by squeeze
Mon Jun 11, 2018 10:00 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 885

Re: Need recommendations on a FAST mikrotik box (1Gb link)

Always good to know about others experience So hap-ac2 is comparable if not better with 3011 ?? So it should be better than HEX or HEXs ? Or is it quality vs price involved in your comparison ? You can see the Test Results yourself from each Mikrotik product page. Mikrotik are transparent that way...
by squeeze
Mon Jun 11, 2018 8:14 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 885

Re: Need recommendations on a FAST mikrotik box (1Gb link)

Squeeze, What about RB3011 in the list ? Too many bad issues in the past and does not represent as good value for performance as the others anyway. I am not sure why anyone would buy an RB3011 for Internet traffic when for most medium and lower packets outside of fastpath it cannot even compete wit...
by squeeze
Mon Jun 11, 2018 7:44 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 885

Re: Need recommendations on a FAST mikrotik box (1Gb link)

1. hAP ac2 or hEX (RB750Gr3)
2. RB1100AHx4 or Dx4 variant (Dude edition)
3. CCR1009 (CCR1009-7G-1C-1S+PC is passively cooled)
Those are affordable Gigabit Ethernet WAN routing options depending on how aggressively you use your connection and the nature of the traffic. All but the RB1100 can be silen...
by squeeze
Mon Jun 11, 2018 7:01 pm
Forum: Beginner Basics
Topic: Basic firewall setup (going off wiki post)
Replies: 8
Views: 764

Re: Basic firewall setup (going off wiki post)

These are the default firewall rules on SOHO Mikrotik devices. They are sufficient for all basic purposes:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="def...
by squeeze
Fri Jun 08, 2018 12:45 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 61225

Re: VPNfilter official statement

Once your device is compromised it can do anything. What actual value is there in changing user-level rules within a compromised router for what it can do? It has already been compromised, by no less than one of the most sophisticated state-level malwares seen to date ... The output chain is there f...
by squeeze
Wed Jun 06, 2018 6:01 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 61225

Re: VPNfilter official statement

Since the remote exploit targets previously known RouterOS vulnerabilities, then naturally it would have included all RouterOS devices anyway. These Affected Devices lists are more informational than containing any new warnings because they simply show what devices they are seeing being targeted in ...
by squeeze
Tue Jun 05, 2018 6:07 am
Forum: General
Topic: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]
Replies: 4
Views: 333

Re: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]

I read the RFC, and it does give a clearer indication of the general process. But it says nothing about queues and also states:
   The exact filters configuration command lines used SHOULD be included
   with the report of the results.
by squeeze
Tue Jun 05, 2018 3:30 am
Forum: General
Topic: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]
Replies: 4
Views: 333

Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]

Am I missing something, what exactly are these "25 ip filter rules" and "25 simple queues" that cause such dramatic changes in Test Results of all Mikrotik routers? I can find no further information about them, yet at the same time we seem to be encouraged to perform similar performance testing usin...
by squeeze
Mon Jun 04, 2018 12:07 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 61225

Re: VPNfilter official statement

1. If you are running any open ports on your router, then you are unsecured and implicitly accepting ALL the associated risks of remote exploits. That is regardless of the manufacturer. The device and service you choose to run is irrelevant.
2. Scans against any ports, specific or otherwise, mean no...
by squeeze
Sun Jun 03, 2018 9:51 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 279
Views: 40190

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

After some weekend performance testing of Release build 6.42.3 wrt. Mikrotik hAP ac2, I found multiple significant improvements. TL;DR. Apart from a slight worsening in legacy 2.4 GHz @ 20 MHz wireless stability, I believe Mikrotik have largely solved the worst of the hAP ac2 wireless issues. Using ...
by squeeze
Thu May 31, 2018 3:43 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Hex PLUS
Replies: 15
Views: 1325

Re: Hex PLUS

Unless you are an ISP, it makes zero sense to use (large) permanent blacklists. So, this is anything but a common use case for a SOHO device, no matter who you get it from. However, you could get any Ubiquiti Edgerouter, including the similarly priced Edgerouter X. That has 256 MB NAND, full OpenVPN...
by squeeze
Wed May 30, 2018 12:02 am
Forum: Beginner Basics
Topic: Firewall Rule Concept
Replies: 10
Views: 635

Re: Firewall Rule Concept

So if I can be permitted to Squeeze Sob ;-P, Then you are both saying the same thing. If no rules are matched in the SSH chain it is accepted, to the next rule after the initial JUMP rule in firewall filter list. In other words, the packet was not needed after all, in the jump chain, and should go ...
by squeeze
Tue May 29, 2018 8:38 pm
Forum: Beginner Basics
Topic: Firewall Rule Concept
Replies: 10
Views: 635

Re: Firewall Rule Concept

If there's matching rule in ssh-in, processing ends there. In your case, #7 will match anything, so it will never return to original chain. If you didn't have #7 and nothing matched in ssh-in, it would return back to input and would be dropped by #3. Are you sure about that? In the wiki it says : W...
by squeeze
Fri May 25, 2018 4:53 pm
Forum: Virtualization
Topic: OpenWrt for ARM-based RB1100AHx4
Replies: 6
Views: 1308

Re: OpenWrt for ARM-based RB1100AHx4

If you get it working, we'd love to know! I'm looking closely at RB1100 devices as my next Mikrotik. Thanks.
by squeeze
Fri May 25, 2018 4:28 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 61225

Re: VPNfilter official statement

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do. Will I have enough passwords and firmware updates? That's a fraud/fake call, google for that one that wants you t...
by squeeze
Thu May 24, 2018 4:54 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 89746

Re: v6.43rc [release candidate] is released!

Loving the priority on security improvements. Keep it coming!
by squeeze
Thu May 24, 2018 4:52 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 279
Views: 40190

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

*) wireless - increased stability on hAP ac^2 and cAP ac with legacy data rates;

I am going to wait until something as fundamental as logging in works, then I'll rerun the stability tests. How exciting, I didn't expect Mikrotik to update so fast on these ARM devices!
by squeeze
Sun May 20, 2018 10:24 pm
Forum: General
Topic: Wired connection was flaky with MikroTik hAP ac2.
Replies: 19
Views: 1238

Re: Wired connection was flaky with MikroTik hAP ac2.

Never had any issues with DHCP on hAP ac2 on 6.41.3. I suspect your issues have little to do with the router. We know for a fact that 6.42+ introduced new DHCP issues. So, that may not help you. However, you could either switch to firmware version Bugfix (used mainly by businesses) or latest Release...
by squeeze
Sat May 19, 2018 1:03 am
Forum: General
Topic: VLANs no switch chip
Replies: 10
Views: 719

Re: VLANs no switch chip

OTOH it makes sense to use common bridge even without having switch chip.
Why?
by squeeze
Wed May 16, 2018 4:02 pm
Forum: Wireless Networking
Topic: hAP ac2 can't connect 5Ghz -N/AC mode
Replies: 4
Views: 856

Re: hAP ac2 can't connect 5Ghz -N/AC mode

I am connecting with Xiaomi Mi Max and it supports Wi-Fi 802.11 a/b/g/n/ac, dual-band, Wi-Fi Direct, DLNA, hotspot . I have an ASUS router at my workplace and my phone can connect to N and AC for sure. The problem definitely in this hAP ac2 router. I am connecting via a RealTek USB adapter and the ...
by squeeze
Mon May 14, 2018 6:57 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 279
Views: 40190

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Release candidates are not for production in any form of business environment. Nor are they intended as a substitute for basic troubleshooting. Since your posts have nothing whatsoever to do with the hAP ac2 (it is not even similar architecture, let alone radios), please refrain from bumping this top...
by squeeze
Mon May 14, 2018 2:05 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 279
Views: 40190

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

@startus With release candidate RouterOS software (6.43rc5+) the hAP ac2 WiFi is good enough for anything for a typical consumer - though I would not recommend its WiFi for low latency applications at the moment, e.g. gaming, but you should be using wired for that anyway in most situations. Since yo...
by squeeze
Fri May 11, 2018 8:06 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 2742

Re: Access Control between VLANs

I cannot actually see any interface called "all-vlan" anywhere in Winbox nor in the online documentation. Would be very convenient if it did exist!
by squeeze
Fri May 11, 2018 7:02 pm
Forum: General
Topic: Netinstall + ubuntu 16.04 [SOLVED]
Replies: 6
Views: 1100

Re: Netinstall + ubuntu 16.04 [SOLVED]

Can you tell us the chipset of the on-board network card or the exact model of the laptop (preferably from a sticker somewhere), please? For the sake of other people in future, or even Mikrotik
by squeeze
Fri May 11, 2018 4:39 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 2742

Re: Access Control between VLANs

I liked your idea Sob, and since I already had implemented Drop By Default on the more security-sensitive Input chain (only allowing DNS and ICMP Echo Request from LAN), I decided to implement it for VLAN interfaces on the Forward chain. Still, I was interested to see if another List method would wo...
by squeeze
Fri May 11, 2018 5:10 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 2742

Re: Access Control between VLANs

/ip firewall address-list
add list=VLAN address=192.168.10.0/24 comment="VLAN: 10"
add list=VLAN address=192.168.20.0/24 comment="VLAN: 20"
add list=VLAN address=192.168.30.0/24 comment="VLAN: 30"
/ip firewall filter
add chain=forward action="drop" comment="No inter-VLAN routing" \
dst-address-list...
by squeeze
Wed May 09, 2018 4:23 pm
Forum: General
Topic: 6.42.1, hap ac, time sync not working
Replies: 10
Views: 701

Re: 6.42.1, hap ac, time sync not working

/ip cloud set update-time=no
/system ntp client set enabled=yes server-dns-names=0.ru.pool.ntp.org,ru.pool.ntp.org
by squeeze
Tue May 08, 2018 6:04 pm
Forum: Beginner Basics
Topic: Uh, can I think of the hAP ac as a wireless router?
Replies: 40
Views: 1979

Re: Uh, can I think of the hAP ac as a wireless router?

You cannot compare a hAP ac to a hEX. The latter will obliterate the former in Gigabit Ethernet routing and IPSEC. They are designed for different things. Anyway, to answer OP's question: the R7000 was the top ranked 3x3 consumer router for a long time and is still massively popular (how often do yo...
by squeeze
Sun May 06, 2018 10:45 pm
Forum: Beginner Basics
Topic: Preventing MySQL and MSSQL Bruteforce attacks
Replies: 7
Views: 702

Re: Preventing MySQL and MSSQL Bruteforce attacks

Not clear why this is necessary. Either a professional or security conscious technical individual would only ever be either using network segments like VLANs (non-Internet) or a single firewall point of entry on a dedicated edge device (Internet). So, these types of attacks would be all but impossib...