Community discussions

Search found 79 matches

by robertpenz
Thu Apr 19, 2018 11:40 am
Forum: General
Topic: CHR still communicates with 169.254.169.254
Replies: 7
Views: 256

Re: CHR still communicates with 169.254.169.254

@sid5632: thx, changed it to your version
by robertpenz
Thu Apr 19, 2018 11:39 am
Forum: General
Topic: CHR still communicates with 169.254.169.254
Replies: 7
Views: 256

Re: CHR still communicates with 169.254.169.254

no, the CHR is on our own ESX in our datacenter.
by robertpenz
Thu Apr 19, 2018 11:02 am
Forum: General
Topic: CHR still communicates with 169.254.169.254
Replies: 7
Views: 256

CHR still communicates with 169.254.169.254

I'm seeing on our firewalls that our test CHR is trying to connect to IP 169.254.169.254 with HTTP every few seconds (= over 250.000 connection attempts in 12h). Google showed some old posts from 2015 where it was described as a bug that will be fixed. As we're running 6.41.4, it seems not. I did...
by robertpenz
Thu Jan 04, 2018 11:08 am
Forum: General
Topic: Meltdown and Spectre Security Vulnerabilities on x86
Replies: 13
Views: 1878

Re: Meltdown and Spectre Security Vulnerabilities on x86

So it's not possible to get from a guest down to the host?
by robertpenz
Thu Jan 04, 2018 11:03 am
Forum: General
Topic: Meltdown and Spectre Security Vulnerabilities on x86
Replies: 13
Views: 1878

Re: Meltdown and Spectre Security Vulnerabilities on x86

What about Meta-Router feature? And Spectre is not Intel only, also ARM. https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.
by robertpenz
Wed Oct 04, 2017 9:30 am
Forum: General
Topic: RouterOS affected by Dnsmasq security vulnerabilities?
Replies: 1
Views: 300

RouterOS affected by Dnsmasq security vulnerabilities?

Hi! Is RouterOS (and if yes which versions) affected by the CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, CVE-2017-13704 which were released by Google? https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html I'm asking as I fo...
by robertpenz
Thu Feb 09, 2017 3:12 pm
Forum: General
Topic: Weird 129.0.0.x IPs ?
Replies: 30
Views: 3259

Re: Weird 129.0.0.x IPs ?

I've reported that problem in ticket 2017020822000589, and Sergejs has acknowledged a bug with handling tagged packets and they will fix it.
by robertpenz
Wed Feb 08, 2017 12:13 pm
Forum: General
Topic: Weird 129.0.0.x IPs ?
Replies: 30
Views: 3259

Re: Weird 129.0.0.x IPs ?

I see the same problem with 6.37.4. It seems to be a problem on interfaces which have tagged vlans. As I see the same problem on multiple routers which are not on the same subnet it can't be a damaged NIC or wrongly configured client. We've also activated reverse path filtering so it's not possible tha...
by robertpenz
Sun Nov 27, 2016 6:54 pm
Forum: RouterBOARD hardware
Topic: hEX mode button/switch next to usb port
Replies: 1
Views: 2870

hEX mode button/switch next to usb port

Hi!

What is the purpose of the mode button/switch next to the USB port as seen on this image? Could not find an answer searching.
by robertpenz
Mon Feb 08, 2016 8:35 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Integrate WAN Optimization based on SoloWAN
Replies: 3
Views: 1608

Re: Integrate WAN Optimization based on SoloWAN

With userspace I meant that there is no kernel patching needed as the mikrotik kernel is heavily modified so that would be tricky to apply. A user space program with only a few dependencies should be much easier to integrate. ;-)
by robertpenz
Sun Feb 07, 2016 7:27 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Integrate WAN Optimization based on SoloWAN
Replies: 3
Views: 1608

Integrate WAN Optimization based on SoloWAN

The popular German enterprise IT magazine iX did a big article about WAN optimization in their last issue (2/2016). Part of the article was testing Open Source solutions. The clear winner is SoloWAN (https://github.com/centeropenmiddleware/solowan). They did tests for cifs, nfs, https and http traff...
by robertpenz
Thu Aug 13, 2015 10:03 am
Forum: General
Topic: Now we need RSA support - OpenSSH 7.0 has removed DSA support
Replies: 3
Views: 550

Now we need RSA support - OpenSSH 7.0 has removed DSA support

Hi! I don't understand why Mikrotik keeps DSA, it's insecure (yes, also the 2048bit version), and does not support RSA. Anyway yesterday OpenSSH 7.0 has been released and DSA is no longer supported. So please move to RSA and ECC now - Thx! see also: http://it.slashdot.org/story/15/08/11/2340247/open...
by robertpenz
Sat Jul 11, 2015 1:51 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request: support RSA keys and update DH group support
Replies: 2
Views: 706

Re: Feature request: support RSA keys and update DH group support

RSA would be great for yubi keys to have two factor authentication (ssh key on the yubi key)
by robertpenz
Sat Jun 27, 2015 6:48 pm
Forum: Announcements
Topic: Dual band AP for home use, SSID same or different?
Replies: 62
Views: 25019

Re: Dual band AP for home use, SSID same or different?

Please make it possible to push certain clients from 2,4 to 5ghz if the same SSID is configured (which should be the default mode on shipping). Some devices stay on 2,4 even if they support 5, and the air time in the 2,4 space is valuable.
by robertpenz
Tue Feb 24, 2015 10:59 am
Forum: Forwarding Protocols
Topic: What BGP setups need to be optimized
Replies: 58
Views: 18302

Re: What BGP setups need to be optimized

Answer is per router: * how many peers; 10 * how many routes in routing table; /ip route print count-only 1978010 /ipv6 route print count-only 43565 * is there also OSPF,MPLS, VPLS, RIP etc running on the router; OSPF * what are the hardware specs; CCR1036-8G-2S+ * are there routing filters; yes * a...
by robertpenz
Mon Dec 22, 2014 7:20 pm
Forum: Forwarding Protocols
Topic: ECMP OSFP Routes changes between 5.x and 6.x?
Replies: 0
Views: 470

ECMP OSFP Routes changes between 5.x and 6.x?

Hi, We've implemented an OSPF ECMP setup with 5.x and for each tcp connection / flow it has been decided which route it takes. For us it seems that this has been changed with 6.x that the same dst-address (of the flow) of multiple clients stay on the same interface. Is this correct? and how can we c...
by robertpenz
Sat Nov 08, 2014 10:50 am
Forum: RouterOS v7
Topic: Feature request: SNMP v3 AES encryption
Replies: 6
Views: 1966

Re: Feature request: SNMP v3 AES encryption

Using 6.18 with snmpv3 and aes for some weeks now ... no problems. it is stable even if queried a lot.
by robertpenz
Mon Oct 06, 2014 6:36 pm
Forum: General
Topic: License Upgrade Restrictions removed?
Replies: 2
Views: 563

License Upgrade Restrictions removed?

Following text http://wiki.mikrotik.com/index.php?title=Manual:License&curid=1634&diff=26596&oldid=26595 RouterOS upgrade capabilities are not limited by time, but by version, and this depends on the RouterOS license level. For example if you are running RouterOS v5, your license could restrict the ...
by robertpenz
Thu Aug 28, 2014 11:01 pm
Forum: Forwarding Protocols
Topic: BGP4-MIB Support
Replies: 5
Views: 1180

Re: BGP4-MIB Support

+1 also
by robertpenz
Thu Jul 31, 2014 9:24 am
Forum: Forwarding Protocols
Topic: {} in BGP AS paths?
Replies: 2
Views: 711

Re: {} in BGP AS paths?

Is it possible that these are aggregated AS?
by robertpenz
Thu Jul 31, 2014 9:13 am
Forum: Forwarding Protocols
Topic: {} in BGP AS paths?
Replies: 2
Views: 711

{} in BGP AS paths?

I've found AS paths with { } entries ... does someone know what that means? Here is a screenshot
by robertpenz
Sat Jul 05, 2014 5:17 pm
Forum: Forwarding Protocols
Topic: Migrate Vyatta BGP to RouterOS BGP
Replies: 14
Views: 3402

Re: Migrate Vyatta BGP to RouterOS BGP

I replaced 2 Vyatta Routers with Mikrotik ones, the setup is the basis for this blog post: http://robert.penz.name/779/howto-setup ... k-routers/
by robertpenz
Tue Jun 10, 2014 2:59 pm
Forum: General
Topic: OPENSSL 5 june bugs
Replies: 11
Views: 2094

Re: OPENSSL 5 june bugs

What I want to know is, if only the administration (HTTPS, Winbox) is vulnerable, which would not be a big problem as we're using dedicated management networks, or also production services external users can reach.
by robertpenz
Tue Jun 10, 2014 2:52 pm
Forum: General
Topic: OPENSSL 5 june bugs
Replies: 11
Views: 2094

Re: OPENSSL 5 june bugs

ok only 6.x gets a security update. so switch services are vulnerable? I need this to compare the security impact against the time and money the update from 5.x costs.
by robertpenz
Tue Jun 10, 2014 2:20 pm
Forum: General
Topic: OPENSSL 5 june bugs
Replies: 11
Views: 2094

Re: OPENSSL 5 june bugs

With my routers running 6.x that's easy. But we've many 5.x still and an upgrade to 6.14 is not that fast done. So I would like to know which services/protocols are affected. If I don't use them I don't need to upgrade. Or will there be a 5.x security release?
by robertpenz
Fri Jun 06, 2014 5:35 pm
Forum: General
Topic: OPENSSL 5 june bugs
Replies: 11
Views: 2094

Re: OPENSSL 5 june bugs

Which services / protocols on the RouterOS are vulnerable?
by robertpenz
Sun Jun 01, 2014 8:42 pm
Forum: General
Topic: Howto on setup a Mikrotik RouterOS with Suricata as IDS
Replies: 3
Views: 1431

Re: Howto on setup a Mikrotik RouterOS with Suricata as IDS

Because I post in my blog not only Mikrotik stuff (in reality it is only a small part) and I want one central place for all my stuff.
by robertpenz
Sun Jun 01, 2014 5:11 pm
Forum: General
Topic: Howto on setup a Mikrotik RouterOS with Suricata as IDS
Replies: 3
Views: 1431

Howto on setup a Mikrotik RouterOS with Suricata as IDS

I've written a howto on combining Suricata and RouterOS (/tool sniffer) for a SOHO setup as IDS (Intrusion detection system). I link it here, as I've read multiple times people asking for it and today I got some time to write everything down. So here it is: http://robert.penz.name/849/howto-setup-a-...
by robertpenz
Mon May 12, 2014 10:03 pm
Forum: General
Topic: Hotspot Feature via Layer 3 not working with VRRP
Replies: 1
Views: 655

Re: Hotspot Feature via Layer 3 not working with VRRP

Is nobody running a Layer 3 hotspot network?
by robertpenz
Sun May 04, 2014 10:48 pm
Forum: RouterOS v7
Topic: Feature Requests for 7.x for improved network security
Replies: 11
Views: 3841

Re: Feature Requests for 7.x for improved network security

For authenticating users to login via ssh access onto the router or something like this you're correct. But for authenticating devices for network access via 802.1x RADIUS is the only game in town. And the encryption of data is not so important there as EAP-TLS is mostly used (If security is a conce...
by robertpenz
Thu May 01, 2014 12:08 pm
Forum: General
Topic: Hotspot Feature via Layer 3 not working with VRRP
Replies: 1
Views: 655

Hotspot Feature via Layer 3 not working with VRRP

I have following setup in my lab to reproduce the problem: The Mikrotik has the Internet connection and is running a DHCP Server and Hotspot Server. A layer 3 switch which connects the clients and also provides a DHCP Relay. e.g.: Internet -- Hotspot Mikrotik - (10.0.0.0/24)- Layer3 Switch - (10.0.1...
by robertpenz
Mon Apr 21, 2014 12:45 pm
Forum: RouterOS v7
Topic: Feature Requests for 7.x for improved network security
Replies: 11
Views: 3841

Re: Feature Requests for 7.x for improved network security

What has TACACS (Terminal Access Controller Access-Control System) to do with authenticating network devices? As far as I know TACACS is only used for authenticating users that want to access the router (= the admins) .. it has nothing to do with network security or am I mistaken?
by robertpenz
Sat Apr 19, 2014 8:26 pm
Forum: RouterOS v7
Topic: Feature Requests for 7.x for improved network security
Replies: 11
Views: 3841

Re: Feature Requests for 7.x for improved network security

Zorro: I believe you misunderstood my feature request. If you use the DHCP Server on the Mikrotik it is possible to add the MAC address of the client which got the lease to the ARP table of the router. If you now disable ARP learning only Clients with DHCP can talk over the router and ARP spoofing ...
by robertpenz
Tue Apr 08, 2014 3:32 pm
Forum: General
Topic: Heartbleed vulnerability OpenSSL [RouterOS IS NOT affected]
Replies: 9
Views: 7680

Re: Heartbleed vulnerability in OpenSSL - RouterOS affected?

Does this mean 6.x has the vulnerability and 5.x doesn't?
by robertpenz
Sat Mar 22, 2014 2:54 pm
Forum: Forwarding Protocols
Topic: BGP multicore support
Replies: 4
Views: 1319

Re: BGP multicore support

plus 1
by robertpenz
Sat Mar 22, 2014 2:53 pm
Forum: Forwarding Protocols
Topic: Howto on a redundant and secure BGP (full table) setup
Replies: 1
Views: 1041

Howto on a redundant and secure BGP (full table) setup

Hi! I wanted to write this howto for a long time, but never had the time. But now it happened, a howto called "Howto setup a redundant and secure BGP (full table) Internet connection with Mikrotik Routers" and here is the link: http://robert.penz.name/779/howto-setup-a-redundant-and-secure-bgp-full-...
by robertpenz
Fri Feb 28, 2014 11:12 am
Forum: Forwarding Protocols
Topic: show ip bgp summary
Replies: 3
Views: 6352

Re: show ip bgp summary

Big Thx for this script!
by robertpenz
Sat Feb 22, 2014 6:31 pm
Forum: Forwarding Protocols
Topic: BGP4-MIB
Replies: 17
Views: 6546

Re: BGP4-MIB

+1 SNMP Monitoring of BGP
by robertpenz
Sat Feb 22, 2014 6:24 pm
Forum: RouterOS v7
Topic: Feature Requests for 7.x for improved network security
Replies: 11
Views: 3841

Feature Requests for 7.x for improved network security

Hi! I would love following features specially for the CRS. - Wired MAC Authentication against Radius with dynamic VLAN assignment via Radius - Wired 802.1x Authentication against Radius with dynamic VLAN assignment via Radius - Wired Dual (MAC and 802.1x) Authentication against Radius Following for ...
by robertpenz
Sun Jan 26, 2014 6:38 pm
Forum: Forwarding Protocols
Topic: MIkrotik BGP Monitoring
Replies: 43
Views: 12197

Re: MIkrotik BGP Monitoring

These 3 would be also my favorites .
by robertpenz
Fri Oct 25, 2013 5:21 pm
Forum: General
Topic: Security: Random cypto generator broken in MIPS Kernel
Replies: 3
Views: 726

Re: Security: Random problem in MIPS Kernels

Still no answer? I've also sent a mail to the mikrotik support but also no answer there either... Do I need to consider the ipsec part to be broken for the future?
by robertpenz
Fri Oct 25, 2013 4:50 pm
Forum: General
Topic: MikroTik News October 2013 (Issue #52)
Replies: 27
Views: 11098

Re: MikroTik News October 2013 (Issue #52)

We are working on a new manual, here is a start http://wiki.mikrotik.com/wiki/Manual:CRS_examples The new CRS looks good from the hardware and cost perspective! But if you want to get also in the small remote offices (currently one needs a router, a switch and access point - with CRS only one devic...
by robertpenz
Sun Sep 29, 2013 5:09 pm
Forum: General
Topic: Security: Random cypto generator broken in MIPS Kernel
Replies: 3
Views: 726

Security: Random cypto generator broken in MIPS Kernel

Some weeks ago a bug in the random function get_cycles() of the Linux kernel for MIPS processors was discovered. e.g. https://lists.openwrt.org/pipermail/openwrt-devel/2013-September/021318.html And 10 days ago a fix was provided for this: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.g...
by robertpenz
Tue Sep 10, 2013 12:11 pm
Forum: General
Topic: QoS Piorities and PCQ
Replies: 3
Views: 675

Re: QoS Piorities and PCQ

Ok, Thx for your help.
by robertpenz
Mon Sep 09, 2013 10:46 am
Forum: General
Topic: QoS Piorities and PCQ
Replies: 3
Views: 675

QoS Piorities and PCQ

Hi! I've following queues for my WAN interfaces on both routers and it works as expected. Now I want to add PCQ to make sure that not one session is filling up the connection if there are other sessions. Where do I need to add the PCQ? with each /queue or is it enough if I set it for the parent? Do ...
by robertpenz
Fri May 31, 2013 12:36 pm
Forum: RouterBOARD hardware
Topic: FAN broken in RB1100AHx2?
Replies: 0
Views: 807

FAN broken in RB1100AHx2?

I've a question about the fan in a RB1100AHx2. Normally the output looks like this: /system health print fan-mode: auto use-fan: main active-fan: main voltage: 12.3V current: 757mA fan-speed: 1952RPM temperature: 25C cpu-temperature: 35C power-consumption: 9.3W But I've one Router which look like th...
by robertpenz
Tue Feb 19, 2013 8:16 am
Forum: RouterBOARD hardware
Topic: CCR - Secondary PSU
Replies: 54
Views: 16688

Re: CCR - Secondary PSU

+1 for the post from SwissWISP ... that and a paid support subscription are the only parts holding us back in using Mikrotiks more and in more critical areas.
by robertpenz
Sun Feb 17, 2013 10:45 pm
Forum: RouterBOARD hardware
Topic: CCR - Secondary PSU
Replies: 54
Views: 16688

Re: CCR - Secondary PSU

It would be nice to buy the CCR with 2 PSUs in the first place. With the CCR you're moving into the data centers where this is standard.
by robertpenz
Sun Feb 10, 2013 7:46 pm
Forum: Forwarding Protocols
Topic: OSPF Design consideration
Replies: 10
Views: 4355

Re: OSPF Design consideration

Yeah, I would also use only one area for this small setup. Remove the complexity!! >500 routers in one area is no problem today ... Use areas to separate devices with bad ospf implementations from the rest. E.g. loadbalancers or mainframes Or for security reasons ( you want all traffic over some spe...