Community discussions

Search found 125 matches

by squeeze
Sun Jun 17, 2018 3:57 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

The recent large security redesigns flowed from the April 0-day. Normis even explicitly stated it, so you are discussing nothing new: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
by squeeze
Sun Jun 17, 2018 3:22 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

In other news, if I understand this correctly, ALL versions pre-6.43 (which is still in Release Candidate stage) are vulnerable to this 0-day WinBox exploit? What are you talking about? What 0-day? There hasn't been a public 0-day since Bugfix 6.40.8, Release 6.42.1, Release Candidate 6.43rc4, all ...
by squeeze
Mon Jun 11, 2018 10:00 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 490

Re: Need recommendations on a FAST mikrotik box (1Gb link)

Always good to know about others' experience. So hap-ac2 is comparable if not better with 3011 ?? So it should be better than HEX or HEXs ? Or is it quality vs price involved in your comparison ? You can see the Test Results yourself from each Mikrotik product page. Mikrotik are transparent that way...
by squeeze
Mon Jun 11, 2018 8:14 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 490

Re: Need recommendations on a FAST mikrotik box (1Gb link)

Squeeze, What about RB3011 in the list ? Too many bad issues in the past and does not represent as good value for performance as the others anyway. I am not sure why anyone would buy an RB3011 for Internet traffic when for most medium and lower packets outside of fastpath it cannot even compete wit...
by squeeze
Mon Jun 11, 2018 7:44 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 490

Re: Need recommendations on a FAST mikrotik box (1Gb link)

1. hAP ac2 or hEX (RB750Gr3) 2. RB1100AHx4 or Dx4 variant (Dude edition) 3. CCR1009 (CCR1009-7G-1C-1S+PC is passively cooled) Those are affordable Gigabit Ethernet WAN routing options depending on how aggressively you use your connection and the nature of the traffic. All but the RB1100 can be silen...
by squeeze
Mon Jun 11, 2018 7:01 pm
Forum: Beginner Basics
Topic: Basic firewall setup (going off wiki post)
Replies: 8
Views: 274

Re: Basic firewall setup (going off wiki post)

These are the default firewall rules on SOHO Mikrotik devices. They are sufficient for all basic purposes: /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="def...
by squeeze
Fri Jun 08, 2018 12:45 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Once your device is compromised it can do anything. What actual value is there in changing user-level rules within a compromised router for what it can do? It has already been compromised, by no less than one of the most sophisticated state-level malwares seen to date ... The output chain is there f...
by squeeze
Wed Jun 06, 2018 6:01 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Since the remote exploit targets previously known RouterOS vulnerabilities, then naturally it would have included all RouterOS devices anyway. These Affected Devices lists are more informational than containing any new warnings because they simply show what devices they are seeing being targeted in ...
by squeeze
Tue Jun 05, 2018 6:07 am
Forum: General
Topic: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]
Replies: 4
Views: 175

Re: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]

I read the RFC, and it does give a clearer indication of the general process. But it says nothing about queues and also states:
   The exact filters configuration command lines used SHOULD be included
   with the report of the results.
by squeeze
Tue Jun 05, 2018 3:30 am
Forum: General
Topic: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]
Replies: 4
Views: 175

Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]

Am I missing something, what exactly are these "25 ip filter rules" and "25 simple queues" that cause such dramatic changes in Test Results of all Mikrotik routers? I can find no further information about them, yet at the same time we seem to be encouraged to perform similar performance testing usin...
by squeeze
Mon Jun 04, 2018 12:07 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

1. If you are running any open ports on your router, then you are unsecured and implicitly accepting ALL the associated risks of remote exploits. That is regardless of the manufacturer. The device and service you choose to run is irrelevant. 2. Scans against any ports, specific or otherwise, mean no...
by squeeze
Sun Jun 03, 2018 9:51 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

After some weekend performance testing of Release build 6.42.3 wrt. Mikrotik hAP ac2, I found multiple significant improvements. TL;DR. Apart from a slight worsening in legacy 2.4 GHz @ 20 MHz wireless stability, I believe Mikrotik have largely solved the worst of the hAP ac2 wireless issues. Using ...
by squeeze
Thu May 31, 2018 3:43 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Hex PLUS
Replies: 15
Views: 899

Re: Hex PLUS

Unless you are an ISP, it makes zero sense to use (large) permanent blacklists. So, this is anything but a common use case for a SOHO device, no matter who you get it from. However, you could get any Ubiquiti Edgerouter, including the similarly priced Edgerouter X. That has 256 MB NAND, full OpenVPN...
by squeeze
Wed May 30, 2018 12:02 am
Forum: Beginner Basics
Topic: Firewall Rule Concept
Replies: 10
Views: 352

Re: Firewall Rule Concept

So if I can be permitted to Squeeze Sob ;-P, Then you are both saying the same thing. If no rules are matched in the SSH chain it is accepted, to the next rule after the initial JUMP rule in firewall filter list. In other words, the packet was not needed after all, in the jump chain, and should go ...
by squeeze
Tue May 29, 2018 8:38 pm
Forum: Beginner Basics
Topic: Firewall Rule Concept
Replies: 10
Views: 352

Re: Firewall Rule Concept

If there's a matching rule in ssh-in, processing ends there. In your case, #7 will match anything, so it will never return to original chain. If you didn't have #7 and nothing matched in ssh-in, it would return back to input and would be dropped by #3. Are you sure about that? In the wiki it says : W...
by squeeze
Fri May 25, 2018 4:53 pm
Forum: Virtualization
Topic: OpenWrt for ARM-based RB1100AHx4
Replies: 7
Views: 654

Re: OpenWrt for ARM-based RB1100AHx4

If you get it working, we'd love to know! I'm looking closely at RB1100 devices as my next Mikrotik. Thanks.
by squeeze
Fri May 25, 2018 4:28 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do. Will I have enough passwords and firmware updates? That's a fraud/fake call, google for that one that wants you t...
by squeeze
Thu May 24, 2018 4:54 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 334
Views: 39435

Re: v6.43rc [release candidate] is released!

Loving the priority on security improvements. Keep it coming!
by squeeze
Thu May 24, 2018 4:52 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

*) wireless - increased stability on hAP ac^2 and cAP ac with legacy data rates;

I am going to wait until something as fundamental as logging in works, then I'll rerun the stability tests. How exciting, I didn't expect Mikrotik to update so fast on these ARM devices!
by squeeze
Sun May 20, 2018 10:24 pm
Forum: General
Topic: Wired connection was flaky with MikroTik hAP ac2.
Replies: 19
Views: 866

Re: Wired connection was flaky with MikroTik hAP ac2.

Never had any issues with DHCP on hAP ac2 on 6.41.3. I suspect your issues have little to do with the router. We know for a fact that 6.42+ introduced new DHCP issues. So, that may not help you. However, you could either switch to firmware version Bugfix (used mainly by businesses) or latest Release...
by squeeze
Sat May 19, 2018 1:03 am
Forum: General
Topic: VLANs no switch chip
Replies: 10
Views: 482

Re: VLANs no switch chip

OTOH it makes sense to use common bridge even without having switch chip.
Why?
by squeeze
Wed May 16, 2018 4:02 pm
Forum: Wireless Networking
Topic: hAP ac2 can't connect 5Ghz -N/AC mode
Replies: 4
Views: 328

Re: hAP ac2 can't connect 5Ghz -N/AC mode

I am connecting with Xiaomi Mi Max and it supports Wi-Fi 802.11 a/b/g/n/ac, dual-band, Wi-Fi Direct, DLNA, hotspot . I have an ASUS router at my workplace and my phone can connect to N and AC for sure. The problem is definitely in this hAP ac2 router. I am connecting via a RealTek USB adapter and the ...
by squeeze
Mon May 14, 2018 6:57 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Release candidates are not for production in any form of business environment. Nor are they intended as a substitute for basic troubleshooting. Since your posts have nothing whatsoever to do with the hAP ac2 (it is not even similar architecture, let alone radios), please refrain from bumping this top...
by squeeze
Mon May 14, 2018 2:05 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

@startus With release candidate RouterOS software (6.43rc5+) the hAP ac2 WiFi is good enough for anything for a typical consumer - though I would not recommend its WiFi for low latency applications at the moment, e.g. gaming, but you should be using wired for that anyway in most situations. Since yo...
by squeeze
Fri May 11, 2018 8:06 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 1216

Re: Access Control between VLANs

I cannot actually see any interface called "all-vlan" anywhere in Winbox nor in the online documentation. Would be very convenient if it did exist!
by squeeze
Fri May 11, 2018 7:02 pm
Forum: General
Topic: Netinstall + ubuntu 16.04 [SOLVED]
Replies: 6
Views: 365

Re: Netinstall + ubuntu 16.04 [SOLVED]

Can you tell us the chipset of the on-board network card or the exact model of the laptop (preferably from a sticker somewhere), please? For the sake of other people in future, or even Mikrotik
by squeeze
Fri May 11, 2018 4:39 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 1216

Re: Access Control between VLANs

I liked your idea Sob, and since I already had implemented Drop By Default on the more security-sensitive Input chain (only allowing DNS and ICMP Echo Request from LAN), I decided to implement it for VLAN interfaces on the Forward chain. Still, I was interested to see if another List method would wo...
by squeeze
Fri May 11, 2018 5:10 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 1216

Re: Access Control between VLANs

/ip firewall address-list add list=VLAN address=192.168.10.0/24 comment="VLAN: 10" add list=VLAN address=192.168.20.0/24 comment="VLAN: 20" add list=VLAN address=192.168.30.0/24 comment="VLAN: 30" /ip firewall filter add chain=forward action="drop" comment="No inter-VLAN routing" \ dst-address-list...
by squeeze
Wed May 09, 2018 4:23 pm
Forum: General
Topic: 6.42.1, hap ac, time sync not working
Replies: 10
Views: 386

Re: 6.42.1, hap ac, time sync not working

/ip cloud set update-time=no
/system ntp client set enabled=yes server-dns-names=0.ru.pool.ntp.org,ru.pool.ntp.org
by squeeze
Tue May 08, 2018 6:04 pm
Forum: Beginner Basics
Topic: Uh, can I think of the hAP ac as a wireless router?
Replies: 40
Views: 1436

Re: Uh, can I think of the hAP ac as a wireless router?

You cannot compare a hAP ac to a hEX. The latter will obliterate the former in Gigabit Ethernet routing and IPSEC. They are designed for different things. Anyway, to answer OP's question: the R7000 was the top ranked 3x3 consumer router for a long time and is still massively popular (how often do yo...
by squeeze
Sun May 06, 2018 10:45 pm
Forum: Beginner Basics
Topic: Preventing MySQL and MSSQL Bruteforce attacks
Replies: 7
Views: 427

Re: Preventing MySQL and MSSQL Bruteforce attacks

Not clear why this is necessary. Either a professional or security conscious technical individual would only ever be either using network segments like VLANs (non-Internet) or a single firewall point of entry on a dedicated edge device (Internet). So, these types of attacks would be all but impossib...
by squeeze
Sun May 06, 2018 6:35 pm
Forum: Beginner Basics
Topic: Firewall Rules: Block ICMP from WAN (PPPOE connection) [SOLVED]
Replies: 22
Views: 786

Re: Firewall Rules: Block ICMP from WAN (PPPOE connection) [SOLVED]

Rules 5 and 6 should not exist in your configuration, especially if your WAN is your Internet connection. Remove these entirely: 5 chain=input action=drop protocol=icmp in-interface=ether1 icmp-options=8:0 log=no log-prefix="" 6 chain=input action=accept protocol=icmp log=no log-prefix="" You need n...
by squeeze
Sun May 06, 2018 5:22 pm
Forum: General
Topic: default-configuration and secure wifipassword
Replies: 2
Views: 174

Re: default-configuration and secure wifipassword

Ask in the Scripting section. It should absolutely be possible. You may even be able to use cpu-load and clock time as entropy sources.
by squeeze
Sun May 06, 2018 2:58 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

I decided to adapt morph1's low latency testing approach, but for best case scenario, relative stability tests. These were my results. TL;DR. Mikrotik hAP ac2 has a stability issue with 5 GHz band at 40 MHz channel width (visible also on morph1's results), but all other widths and bands performed we...
by squeeze
Fri May 04, 2018 7:10 pm
Forum: Beginner Basics
Topic: Differences between "Port based" and "bridge based" VLAN
Replies: 22
Views: 990

Re: Differences between "Port based" and "bridge based" VLAN

I wanted to permit clients in vlan10 and 20 to see each other, and clients in vlan 10 and vlan20 should not see clients in the admin LAN (vlan1). You changed your requirements. First you say you wanted vlan10 and vlan20 to talk, then you say you don't. I was going by your original request and only ...
by squeeze
Fri May 04, 2018 1:01 am
Forum: Beginner Basics
Topic: Differences between "Port based" and "bridge based" VLAN
Replies: 22
Views: 990

Re: Differences between "Port based" and "bridge based" VLAN

In RouterOS firewall the order of the rules matters. The CPU is going down the list starting from the top. RouterOS Firewall Filtering is Accept-based, i.e. if something does not match it is Accepted. That's why you should always have a Drop rule for any category of filtering, look at the default ru...
by squeeze
Wed May 02, 2018 6:50 pm
Forum: Beginner Basics
Topic: Differences between "Port based" and "bridge based" VLAN
Replies: 22
Views: 990

Re: Differences between "Port based" and "bridge based" VLAN

I have several questions of my own. :) Am I missing something, what is your device? This is important because VLAN filtering can be different for different devices and setups like hybrid ports Which of these physical interfaces are trunks to other VLAN-aware switches or routers? Why do you have vlan...
by squeeze
Wed May 02, 2018 2:58 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi [Not]

P.S.: still using the same settings/methods as in my previous post

Thanks for the tests. I don't understand the new bottom scale, compared to your previous ones. Is it still 10ms pings and 60k ping count?
by squeeze
Tue May 01, 2018 2:27 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi [Not]

Listing 1: Download Test on 5G hAP ac^2 with v6.43rc5 RouterOS using CHUWI ac interface (Intel Dual-Band Wireless-AC 3165) [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.02 sec 28.9 MBytes 24.2 Mbits/sec 0 sender You get no "Retr" from your TCP reverse tests? Or are you not using the "-R" iperf3...
by squeeze
Tue May 01, 2018 4:50 am
Forum: General
Topic: Should I choose switch or router for simple home VPN setup?
Replies: 3
Views: 193

Re: Should I choose switch or router for simple home VPN setup?

Is this for IPSEC or OpenVPN? I would absolutely not recommend Mikrotik as an OpenVPN client. It is perfectly good for business VPN or site to site VPN that you control, but not for connection to consumer VPNs due to limited OpenVPN support. Since you have many Apple devices and Apple are discontinu...
by squeeze
Mon Apr 30, 2018 2:30 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

@squeeze: Could you please explain to me how you, based on your test on distance of 1m, concluded that wireless part is good? On distance of 1m, I would use cable, this is not the type of test that is used for wireless. Put distance of 5m, then 10m, and even if you can 15m between devices. Then...
by squeeze
Mon Apr 30, 2018 6:21 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 251
Views: 24160

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

After some testing this weekend with a Realtek USB AC adapter and a single client device, I found the following trying to get the best I could from the router without heavy tweaking of the Wireless settings: 2.4 GHz: no significant performance difference from RouterOS 6.42.1 to 6.43rc5. Approx. 130 ...
by squeeze
Sun Apr 29, 2018 2:38 am
Forum: General
Topic: Windows Port Knock Application
Replies: 22
Views: 2904

Re: Windows Port Knock Application

The most secure method is VPS, because it does not expose anything directly on the Internet interface, is securely authenticated up front and not subject to replay.

Port knocking is ideally just another backup. Just like, for example, running a Tor Hidden Service ...
by squeeze
Sat Apr 28, 2018 10:05 pm
Forum: Beginner Basics
Topic: Differences between "Port based" and "bridge based" VLAN
Replies: 22
Views: 990

Re: Differences between "Port based" and "bridge based" VLAN

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples Note very carefully that in the above link they only use Switch commands when the device supports specific switch chips. If you don't know what you're doing, use VLANs on a single bridge and don't touch any Switch options. Def...
by squeeze
Fri Apr 27, 2018 7:10 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 273
Views: 25138

Re: v6.42.1 [current]

@Xymox I've spent the morning downgrading all my clients from 6.42.1 to 6.41.4.. Over the last few days I've seen a number of weird things on client systems that are previously reported on this thread. I do not consider 42.1 "stable"... The other BIG deciding factor to revert to 41.4 is Netwatch. Shou...
by squeeze
Fri Apr 27, 2018 6:47 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request: disable LED lights on all SOHO devices
Replies: 1
Views: 192

Feature request: disable LED lights on all SOHO devices

Feature request: the ability to disable all LED lights on all SOHO devices, especially popular ones like the Mikrotik hEX. By definition, SOHO devices are often in workplace environments in direct line of sight visible by all throughout the day or in home living rooms and bedrooms under all types of...
by squeeze
Fri Apr 27, 2018 5:04 pm
Forum: General
Topic: Windows Port Knock Application
Replies: 22
Views: 2904

Re: Windows Port Knock Application

Why not just use AutoIt itself for sending packets since that's what you're using already?