I am using a BGP input filter with the following settings: if ( bgp-communities equal-list blackhole ) { set blackhole yes; accept } This imports any routes with this community as blackholed which I guessed would be the same logic as a null route. RPF is set to loose although I did not see any difference.
Okay, I finally found a solution for me which works like a charm: On my "Mikrotik Util" VM I download various bad IP & network lists and aggregate them. I then announce those routes via Exabgp as "blackhole" community and peer with the nearest Mikrotik router. This router th...
I already have my own list which I regularly update. The thing which I found is that the IPs that are available at /ip/firewall/address-list also need to be available at /ip/route. So I guess I need to rewrite my script to add/remove the IPs to the firewall address-list as well as the IP routes - rig...
I have now tried to distribute the routes via iBGP but it seems that BGP is somehow broken on 7.18.1?!
Both routers are established but the address-list is not being distributed?!
As I haven't created such blackhole routes so far, can you shine some light on how to create them?
I know how to do iBGP in general but not how to tell the receiving router to block them.
Currently I have two routers to manage. The fastest import took around 3 minutes. iBGP is a nice solution - didn't think about it as I was too focused on scripting. I guess it would make sense to import the list on the fastest device and then share it via iBGP with the other non so performant devic...
@optio: This solution is the most performant one! My "mikrotik util" VM will download the existing list via REST API from the device, parse the IP addresses & ranges, compare it with my new list and simply create an add or remove command. The command list is being pushed to my git rep...
Hello optio, thanks for your suggestion as this is also my conclusion after a weekend scripting :-) I posted my scripts and the logic here: https://forum.mikrotik.com/viewtopic.php?t=215239 My current workflow is to download lists on a device, aggregate them into a single big file which is being a R...
Hello everyone, my intention was to automatically download, parse and upload lists on my routers. Therefore I created or edited some existing Python scripts which I would like to share here: Downloading and parsing raw IPs & IP ranges import argparse import re import urllib.request import yaml from ...
There is an aggregated list of IPs and IP ranges which may be blocked due to "bad" traffic: https://github.com/stamparm/ipsum
My intention was to import the list and keep it up to date in an easy manner
Thanks but I wanted to explicitly use the REST API as GET, POST, and so on are common operations and are easier to understand compared to a dedicated API. I am just curious why there is such a big difference between local script execution with MikroTik's scripting language vs a REST API (~ 60 % CPU dif...
In general my Python script does three different things: 1) Getting the current address-list from router via GET https://router/rest/ip/firewall/address-list/?list=blocklist Parsing the JSON and comparing the current addresses list with a new address list. Cost ~30 % CPU Every new IP is being wr...
Thanks @Amm0 for your suggestions. In general deleting works pretty okay for me. My intention was more into uploading a list to the router via the API and waiting until it finished with the logic. So far I was able to get it running at a proper speed but this comes at some costs: Running a list with...
Hello everyone, I am trying to edit my router's firewall address-list via the REST API. So far I have managed to get everything running via PUT & DELETE but those methods are rather slow for adding and removing 180k entries. Can anyone shine a light on how to use the POST command for that? I am s...
Dear fellow members, I am currently struggling to steer my traffic and looking for some advice. My current setup is an internet facing CCR2004 which is also the endpoint of several VPN tunnels and does DNAT as well. After that I have placed a firewall for IDS, Layer7 inspection and such things. The...
Okay so scp will work for me.
I have initially created regular folders via "Files" and added my content but then I was not able to start the container with the folders as volume mounts.
Hello there, I wonder how someone could edit various config files for a container with a persistent volume? E.g. I would like to run Knot DNS but for this I would need to create a zone file with my settings. On my regular linux docker machine I could either edit the file directly at the shell (nano ...
I also thought that RouterOS is not affected by this version but it makes sense if any CISO or other IT-related staff got the order to query if any product of MikroTik is vulnerable or not.
That's why it makes sense from my point of view to highlight "we are not vulnerable".
Hello everyone, I stumbled across a weird routing behaviour on my network. In general my network is: Mikrotik CCR2004 as internet & VPN router connected to 2x OPNsense which are connected to a Mikrotik CCR2116 as my network router. As a failover my CCR2004 is also connected directly to CCR2116 but with hig...
I think I found the issue: Your script requires a "total" value after the fetch command. Currently it is not being included at "as-value": downloaded=26;duration=00:00:00;status=finished Hiiiiii, could you share the whole script pls ? thx You can find it here -> https://forum.mi...
Which script have you been using? I'm using a modified version of this one https://forum.mikrotik.com/viewtopic.php?p=935938&sid=9a9086e98c872089e19fd57de7aba7ed#p935938 I think I found the issue: Your script requires a "total" value after the fetch command. Currently it is not be...
I have tried the script you've mentioned with the 7.14beta8 version released today - it still does not work. Is there a possibility to debug a script to see where the error occurs? So far I just removed the "nolog" parameter but the only thing I get is Starting import of address-list: spam...
The other, more modern script does not work for me as I get the integer error. I'm skipping v7.13, going to see what changes v7.14 and maybe v7.15 bring and then take a look at fixing the script after that, since fetch is mentioned in the beta changelog. v7.12 is fine for my networks, what I needed in ...
I found this script on the forum. It works OK on my hEX S running 7.13.2. The only change I've made was to concentrate all entries on a single "blacklist" and select the entries via the comment field. MH :global readfile do={ :local url $1 :local thefile "" :local filesize ([/to...
Hello forum, after playing around with some virtual router/firewall I would like to step back to have a physical device in case my servers are down due to whatever reason. Some background: I am a prosumer running 10 Gigabit network at home and managing the IT of friends and family - so nothing miss...
Thanks for the info. In general I am already using a CRS312-4C+8XG-RM as my core switch where my Proxmox servers are connected via a LACP bond. So far they work pretty well but as I would need also some firewall rules like DMZ-VLAN is not allowed to access some hosts from other VLANs this switch wou...
Anyone any idea?
I tried to play around with VRF but unfortunately when enabling any VRF I am no longer able to reach other devices (either devices via VPN or OPNsense itself)
I think I finally found the trouble maker: As I use two OPNsense in HA configuration they synchronise each and every connection state so if an OPNsense goes down the other can take over immediately without any downtime. The setting is called "Synchronize Peer IP" and its default value is dir...
Another interesting fact: Even if I tell iperf3 to only use 1 thread the switch CPU goes up to 100 % PS E:\Users\mmuehlbacher\Downloads\iperf-3.1.3-win64> .\iperf3.exe -P 1 -c db1.hks.lan -t 60 Connecting to host db1.hks.lan, port 5201 [ 4] local 192.168.10.12 port 63031 connected to 192.168.20.97 ...
The switch just discovers some broadcast packets when running at 100 %: [mathias@Switch-CRS312] /tool/sniffer> packet/print Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU # TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU 0 14.692 Mathias-Desktop 192.168.10.12...
Thanks for the marvelous packetflow drawing - this is exactly how I imagine it. I was able to check CRS312 hosts database on the bridge interface and both Mathias-Desktop as well as the VMs MAC address are known by the bridge. Unfortunately sniffing packets does not work as the bridge is hw-offloaded...
I have already removed VLAN10 from the port configuration. I had initially added it due to the message that VLAN10 is not a port member of the bridge which was resolved by your last information. In general all interfaces are hardware offloaded: [mathias@Switch-CRS312] > interface/bridge/port/print Fla...
Thanks for the info - I have done that but the CPU goes up to 100 % CPU immediately: [mathias@Switch-CRS312] > /tool/profile Columns: NAME, USAGE NAME USAGE ethernet 5% console 1% ssh 0.5% networking 49.5% winbox 0% management 1.5% routing 0% profiling 0% bridging 36.5% unclassified 6% total 100% So...
Hello everyone, I am using a CRS312-4C+8XG as my main switch. It is connected to two Proxmox servers via LACP. On my Proxmox servers I run an OPNsense appliance for firewalling and intervlan routing. I recently stumbled across a strange behaviour regarding switching traffic: If I run iperf3 within ...
I already found the issue: QoS - I set an upload limit for 80M as this is my general WAN uplink.
As I added my other VLAN interfaces to the bridge I was not able to bypass the 80M limit.
The current config would be below. Kindly note that at the moment I am using OPNsense as VLAN router (temporarily) until the low bridge performance on CCR2004 is fixed. # 2023-12-19 10:26:44 by RouterOS 7.13 # software id = 7092-YU0E # # model = CCR2004-16G-2S+ # serial number = ABC123 /interface br...
Hello, I am currently testing a CCR2004-16G-S2+ for VLAN routing. The switch is connected via SFP+ ports (trunked) to a CRS326 & CSS326 switch (CRS326 is root bridge). Current CCR2004 config would be: [mathias@IBR] > /interface/bridge/print Flags: X - disabled, R - running 0 R name="bridge1&qu...
Hello there, I am using a CCR2004 router as my main internet router. Right behind it I am running two virtual OPNsense firewalls in HA mode which are also doing my inter VLAN routing. All devices share the network information via OSPF in a single area (0.0.0.0). As the inter VLAN routing performanc...
I also agree on that and it's important to only open ports to the internet which are needed and to keep any software up-to-date. Nevertheless it's also a good option to have another layer of security (if you have the resources) to run it. I just thought that I mention it at the useful articles - I d...
Yeah I know that but leaving an SQL port open vs SQL injection via HTTP are two different topics. If someone leaves something open without any usecase it is not good. But if you have a regular webserver you would need port 80 & 443 open to the web - and there are also the bad guys who tr...
It does not block traffic based on invalid TCP, UDP, whatever - it blocks traffic from e.g. known bad hosts automatically. Also it does deep inspection and stops any malicious traffic which you in general would allow on a firewall level - e.g. TCP/443 for your webserver. If a bad bot would like to try som...
Please note it's not my GitHub repository - I just mentioned it as I used it as a guideline for installing.
From my point of view it looks like that you are using wrong paths and therefore the application cannot find them.
Have you verified that all containers are up and running? It seems that Suricata is not running. If you enter sudo docker ps it should display something like: CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d40a1db11567 jasonish/suricata:master-amd64 "/etc/suricata/new_e…" 10 days ag...
I am having troubles with OSPF IPv6. If I just announce regular routes via a passive interface only a few are being seen by the other routers. Currently I need to stick with redistribute connected. Also packet sniffer slows down my IPv6 speed dramatically (off ~150 Mbit, on ~ some kbits) but only on...
From a quick view I think you messed up with src-nat /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \ ipsec-policy=out,none out-interface-list=WAN add action=masquerade chain=srcnat disabled=yes src-address=192.168.1.0/24 add action=masquerad...
Thank you both.
I completely reworked firewall rules on all of my Mikrotik routers with dedicated chains (which makes more sense if you know this nice feature).
So far everything works well and I haven't seen any issues.
Not sure if this is relevant on 7.8 beta but one of my Wireguard peers is not working after a router reboot. I need to disable and reenable the peer manually to get it running.
Hello everyone, I recently tried to implement some proper firewall rules for IPv6 by copying my currently existing and working IPv4 firewall rules. But somehow it's not really working. My network consists of several VLANs to separate traffic from management LAN, DMZ, IoT and so on and I do o...
1) Centralized firewall management
2) Grouped device management (e.g. multiple devices can be at one group and I only need to create firewall rules for this group)
3) Updates
4) Scripting - either on specific devices or a central API endpoint for REST request.
Dear forum, I am running a CCR2004-16G-2S+ as my main internet router. As my local ISP only provides IPv4 addresses I have some tunnels to other ISPs with different technologies (GRE, SIT, EoIP, VXLAN). So far everything works properly and I get my usual expected up- & download speed (300/40 for ...
It's quite simple: Bridge <-- VLAN <-- VRRP To be more detailed. You create a bridge and VLANs (via interface). On IP/Address you can assign a specific IP address AND network to a VLAN. Additionally you need to add the VLAN on the bridge interface as tagged (+ the bridge itself). For a VRRP you need to...
Dear forum, as I recently migrated from OPNsense fully to Mikrotik I had some concerns as there is no IDS/IPS native available on Mikrotik - but luckily the internet has some solutions which I implemented and where I would like to share some tips and tricks with you: I found a GitHub project called ...
It seems I had some misconfiguration/understood the settings wrong. I only set all other VRRP interfaces to the master but I did not configure the master to be itself group master. With this setting it works far better. And I also unticked the "Preemption Mode" setting. So now from a netwo...
Thanks for the information.
In general I am using the group master feature, sync connection state and preemption mode on master.
Additionally I am also using a script which sets OSPF costs to 65000 on the backup node so all traffic would be routed via the master router to my main internet router.
Hello everyone, I already raised a ticket at support but would also like to see if anyone has also a clue what could be wrong: I am currently migrating from virtualized OPNsense to virtualized x86 ROS. So far the setup works pretty well but I am struggling a lot with VRRP. In general I have several...
No in general I only have one ISP but it is only providing me an IPv4 address.
I am connected to several tunnel brokers, vIXP etc. which all use different types of tunneling (GRE, EoIP, VXLAN, SIT).
Thanks for that. From a firewall perspective I am already pretty solid.
I just recently received my own ASN and try to figure out any best practice rules for peering with others via BGP.
Hello there, as I am very new to BGP and its filtering mechanism I would like to get some help: What would be the right filter for an - input "Any route that you send me I will accept" - output "I only send you my biggest /40 subnet but not the /48 & /64 subnets which I split...
Hello everyone, I just took my 1st steps to BGP and want to announce my /48 IPv6 subnet to my BGP peer. So far I only found the ability to announce "connected" which includes this subnet but also my split /64 subnets. Is there any possibility to announce only the "big" /48 su...
Hello everyone, crossposting my Reddit question also here: as my ISP does not provide any IPv6 connectivity but still wanted to have it I rented a cloud server and deployed a CHR image from Mikrotik. The cloud server provides a /64 public routable address but set the default gateway to fe80::/1 via ...
Seems that this was the issue: I don't know why or how but it seems my HQ acted as a client (and not as the server) for wireguard connection.
Now, after I have removed the preconfigured port from Wireguard peer on MT remote it works as expected.
It seemed that my OPNsense fw has established a connection with my remote side via a NAT.
I removed the prefilled Wireguard listen-port and let it choose a new random one and after that the connection looks like an incoming VPN client-> server connection which I expect.
On my internet border router (= HQ) I cannot see any connections going to the dst port?!
Although wireguard VPN is up and running and hosts can ping each other.
Sounds like an HA setup issue. Is there some mac address change somewhere?? If there is no change to destination port or IP address, and if the HQ MT WANIP stays up, not sure what can be done at the client side ??? I am also not sure - from a WAN perspective even the MAC address stays the same as a...
Try more details. Is it client to server (= remote is behind NAT and HQ needs to wait until it connects) or peer to peer (any side can initialize connection to the other)? What exactly happens on failover? Does the second machine come up with same IP address and WG listening on same port? If so, it...
I am not sure if this might be my reason as I am using a static IP address which is being terminated on my HQ Mikrotik router.
No hostname or dynamic hostnames are being used.
Hello everyone, I recently rebuilt my local network and my remote network: HQ: ISP -> Mikrotik (internet border router) -> 2x OPNsense as HA configuration with CARP -> LAN Remote: ISP -> Mikrotik -> LAN On both places I am using Wireguard as VPN connection and so far it works pretty out of the box. ...
Thanks for the advice - I already found help on Reddit.
The thing in general is that I do not need a very high bandwidth as only my mobile phone + sometimes a laptop is connected to it.
I just wanted to have a 2.4 & 5 GHz within one device and the regular disk APs were already sold-out on Amazon.
Hello there, I recently moved from Unifi to MikroTik's Audience and run the Wifi via CAPsMAN. What is a bit weird to me is, if I set up just SSIDs with authentication (like for a home AP) I receive any SSID at 2.4 & 5 GHz. As soon as I create a dedicated channel setting and use it for my SSIDs, I on...
Hello everyone, I recently decided to replace my last bit of network (Unifi) with Mikrotik Audience for WLAN coverage. Currently I am setting up my 10 Gbase-T switch (CRS312-4C+8XG-RM) to act as my CAPsMAN controller for this and probably another WLAN device. So far I created my three different WLAN ...